(ISC)² Certified Cloud Security Professional Exam 5 (CCSP) Practice (Aris Athanasiou) Flashcards

1
Q

Which of the following is not a responsibility of the cloud service provider (CSP) in IaaS?

A. Patching the hypervisor
B. Ensure the data center temperature does not exceed 30 degrees C
C. Patching the web/application servers
D. Limiting access in the data center to authorized personnel

A

C. Patching the web/application servers

Explanation:
Patching the web/application servers would fall under the responsibilities of the customer in an IaaS deployment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following cloud service models is likely to have higher portability?

A. IaaS
B. PaaS
C. SaaS
D. CaaS

A

A. IaaS

Explanation:
Infrastructure as a Service (IaaS) is likely to have higher portability compared to PaaS or SaaS. The abstraction and hiding of underlying complexities offered by PaaS and SaaS have also the result of reducing flexibility and customisation options.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the full name of Uptime Institute’s Data Center Site Infrastructure for a Tier V data center?

A. Basic Site Infrastructure
B. Parallel Site Infrastructure
C. Concurrently Maintainable Site Infrastructure
D. The Uptime Institute does not specify a Tier V Data Center

A

D. The Uptime Institute does not specify a Tier V Data Center

Explanation:
The Uptime Institute specifies only 4 Tiers for data centres, namely:

Basic Site Infrastructure

Parallel Site Infrastructure

Concurrently Maintainable Site Infrastructure

Fault-Tolerant Site Infrastructure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following is not part of the Organization for Economic Co-operation and Development (OECD) privacy principles?

A. Security Safeguards Principle
B. Openess Principle
C. Individual Participant Principle
D. Lawfulness, fainrness and transparency Principle

A

D. Lawfulness, fainrness and transparency Principle

Explanation:
Lawfulness, fairness, and transparency is a principle of GDPR not OECD. The full list of OECD principles include:

Collection Limitation Principle

Data Quality Principle

Purpose Specification Principle

Use Limitation Principle

Security Safeguards Principle

Openness Principle

Individual Participation Principle

Accountability Principle

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following is not part of the CSA date lifecycle stages?

A. Share
B. Store
C. Process
D. Archive

A

C. Process

Explanation:
The CSA data lifecycle stages in order are:

Create

Store

Use

Share

Archive

Destroy

You can read more about the specific data lifecycle model, here.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which is not included in the OWASP Top 10?

A. Broken Access Control
B. Insufficient Physical Access Control
C. Security Misconfiguration
D. Sensitive Data Exposure

A

B. Insufficient Physical Access Control

Explanation:
“Insufficient physical access control” is not part of the OWASP Top 10 (2021). The full list includes:

Broken Access Control

Cryptographic Failures

Sensitive Data Exposure

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

Remember OWASP stands for Open Web Application Security Project and as the name implies they focus on web technologies. Physical access control, although quite important, is not related to web technologies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The risk management process includes framing, assessing, responding, and monitoring risk. In which of those steps would a qualitative estimation of the risk take place?

A. Framing
B. Monitoring
C. Assessing
D. Responding

A

C. Assessing

Explanation:
During a risk assessment, the organisation identifies, estimates, and prioritises information security risks. Risks can be assessed following either a quantitative or qualitative approach.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A medium-sized pharmaceutical company that has been traditionally using on-premise infrastructure has recently put in production a new ERP platform. The deployment of the new platform has gone through several stages of risk assessment and the organization has reached a sufficient residual risk in line with their appetite. The organisation has the policy to conduct annual risk assessments for all their platforms. The newly appointed CIO has decided to move the aforementioned ERP system in the cloud to cut down on infrastructure costs, when would the next risk assessment for the application take place?

A. The application has recently gone through risk assessment and the stakeholders are happy with residual risk. The application can be migrated to the cloud and the assessment can take place in the next scheduled annual review.
B. A risk assessment should take place immediately after the application has been successfully migrated to the cloud and its new environment is sufficiently understood.
C. A risk assessment should take place before migrating the application to the cloud
D. The organization should not migrate the ERP platform in the cloud as it is a core system to their business and they should retain tight control over it

A

C. A risk assessment should take place before migrating the application to the cloud

Explanation:
A risk assessment should take place before migrating the application to the cloud. The current risk assessment assumed hosting the application on-premise. The migration of the application to the cloud completely changes the risk landscape and invalidates the current estimations/computations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is not typically found in a Service Level Agreement (SLA)?

A. Service Availability
B. Patching frequency of the cloud infrastructure
C. Penalties should the agreed-on service levels not be achieved
D. The process of adding or removing metrics.

A

B. Patching frequency of the cloud infrastructure

Explanation:
Patching frequency of the cloud infrastructure would not typically be included in the SLA between the cloud provider and the customer. A service-level agreement (SLA) defines the level of service you expect from a cloud provider, laying out the metrics by which service is measured as well as remedies or penalties should agreed-on service levels not be achieved. SLAs focus on the service quality and not on the technicalities of how that is achieved.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The Federal Information Processing Standard is a U.S. government computer security standard used to approve cryptographic modules. The standard defines different levels of security for cryptographic components. What is the highest level of security described in FIPS?

A. Security Level 0
B. Security Level 1
C. Security Level 4
D. Security Level 5

A

C. Security Level 4

Explanation:
Security Level 4 is the highest level of security in FIPS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?

A. Encrypt all passwords using the same key and Triple DES
B. Encrypt all passwords using a unique key for each entry and Triple DES
C. Hash the password without any key using SHA-512
D. Hash the password using a fixed key using SHA-512

A

C. Hash the password without any key using SHA-512

Explanation:
The best option for the above scenario would be to hash the password without any key using SHA-512. Hashing is considered a better option for handling passwords since it is a one-way operation that can not be reversed (unlike encryption). SHA-512 does not require a key to compute the digest.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Financial penalties for not complying with the General Data Protection Regulation (GDPR) can range up to?

A. 20,000,000 Euros
B. 50,000,000 Euros
C. 70,000,000 Euros
D. 100,000,000 Euros

A

A. 20,000,000 Euros

Explanation:
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?

A. Encrypt all passwords using the same key and Triple DES
B. Store the password in plaintext
C. Hash the password using SHA-512
D. Hash the password using PBKDF2

A

D. Hash the password using PBKDF2

Explanation:
The best option for the above scenario would be to hash the password without any key using PBKDF2. Hashing is considered a better option for handling passwords since it is a one-way operation that can not be reversed (unlike encryption). That leaves us with SHA-512 and PBKDF2 as candidate options. PBKDF2 is slow by design and was created specifically for handling passwords. Generic cryptographic hashing algorithms like SHA-256 are fast. Slowing down the algorithm (usually by iteration) makes the attacker’s job much harder in case of a rainbow table attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following is a valid cloud storage type?

A. Elastic Disc
B. Context Delivery Network (CDN)
C. Content Delivery Network (CDN)
D. Cloud Box

A

C. Content Delivery Network (CDN)

Explanation:
Content delivery network (CDN) is the only valid cloud storage type among the above options.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A database administrator looks to migrate his on-premise hosted database to the cloud. They are going through the documentation trying to find whether the cloud database of their provide satisfies ACID properties. What does ACID stand for?

A. Atomicity, Consistency, Isolation, Durability
B. Agile, Concurrency, Input, Defragment
C. Auhmentation, Concurrency, Indivisibility, Data
D. Automation, Cache, Integration, Denary

A

A. Atomicity, Consistency, Isolation, Durability

Explanation:
ACID stands for Atomicity, Consistency, Isolation, Durability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Two organisations agree to provide federated access to each other employees by using OpenID Connect (OIDC). What is the data format of the identity token issued as part of the OIDC flow?

A. XML
B. YAML
C. ISON
D. SAML

A

C. ISON

Explanation:
Identity tokens issued as part of the OIDC flow follow the JSON data format. They are also known as “JSON Web Token (JWT)”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which of the following is a value included in the Agile manifesto?

A. Processes and tools over individuals
B. Detailed planning over ad-hoc changes
C. Upfront design over multiple iterations
D. Customer collaboration over contract negotiations

A

D. Customer collaboration over contract negotiations

Explanation:
The Agile Manifesto is a brief document built on 4 values and 12 principles for software development. The 4 values are:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A medium-sized retailer is going through the risk management process to ascertain threats to its e-shop. According to the statistics, they are subject to 100 cyber-attacks per year. Only 10% of the attacks are successful with each attack costing an average of $10,000. The annual revenue of the shop alone is $500,000 with a net profit of $250,000. Which of the following controls would be the best option for the company?

A. Hire an insurance company for $150,000 per year which will fully cover any associated cost with cyber attacks
B. Accept the risk since all the identified potential risk responses would cost more
C. Shut down the e-shop and focus on their high-street shops
D. Deploy a next generation Web Application Firewall (WAF) for $50,000/year which wouldnt prevent 75% of the currently successful attacks on average

A

D. Deploy a next generation Web Application Firewall (WAF) for $50,000/year which wouldnt prevent 75% of the currently successful attacks on average

Explanation:
Let’s analyse the above 4 options. The company suffers 10 successful attacks per year with an average cost of $10,000 for an Annualised Loss Expectancy (ALE) of $100,000.

The net profit of the e-shop is higher than the ALE which means, shutting down the e-shop would not be a good option.

Hiring the insurance company would cost more than the ALE which means it is not a good option either.

Accepting the risk would leave the company with a net profit of $150,000 ($250,000 - $100,000) after subtracting the ALE.

The WAF would reduce the ALE to $25,000 while costing $50,000, bringing the total cost to $75,000, which is lower than the net profit of the e-shop and the ALE before the controls. This is the best option.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the key considerations for determining controls for securing data?

A. Functions, Locations, Actors
B. Methods, Locations, Users
C. Methods, Context, Users
D. Methods, Context, Actors

A

A. Functions, Locations, Actors

Explanation:
According to the CCSP CBK the key considerations for determining controls for securing data are:

Functions, Locations and Actors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which risk is not mitigated from full disk encryption in a cloud environment?

A. Physical theft of hardware
B. Attacks through the application container
C. Malicious CSP employees
D. Not effective hard disk destruction

A

B. Attacks through the application container

Explanation:
Attacks through the application container would still be able to read the data encrypted on the disk level. The OS and the application container in particular need access to the plaintext data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

A database administrator wants to use a database as a service that has an embedded encryption engine. This type of encryption can provide effective protection from physical media theft. What is the name of the above encryption mechanism?

A. Hard-disk encryption
B. Application level encryption
C. Transparent encryption
D. Customer Key Managed (CKM) encryption

A

C. Transparent encryption

Explanation:
That is a typical use case of transparent database encryption. This type of encryption is transparent to any application relying on the database.

22
Q

The CIO of a regulated organisation is informed by its database vendor about a serious vulnerability that they have just discovered and that they should patch their production instances as soon as possible. The internal policy of the company regarding patching mandates that patches are installed only every 1st of each month. This means that the company will install the patch in 10 days. Which of the following approaches would demonstrate due diligence?

A. Follow the internal policy and patch the system in 10 days according to the well known business process
B. Ask the database administrator to make a decision, as they know the system better
C. Follow the vendor guidelines and install the patch as soon as possible
D. Ask the regulator for guidance

A

C. Follow the vendor guidelines and install the patch as soon as possible

Explanation:
The CIO should follow the guidelines/recommendations from the database vendor. Vendors have a better understanding of the criticality of the vulnerability and the potential impact. Choosing to ignore the vendor guidelines and sticking to the internal policy would mean the CIO did not perform the necessary due diligence in case of a breach because of the vulnerability. Database administrators are not necessarily familiar with the underlying software implementation of a database, particularly closed source products. Regulators might be able to provide high-level guidance and best practices but they would not be able to help in this instance.

23
Q

A medium-size retailer that has been using on-premise infrastructure recently acquired an e-shop which hosts its infrastructure in a public cloud. In an attempt to integrate their platforms they decided to adopt a hybrid cloud approach. They currently have a flat network topology with a subnet 10.1.0.0/21 while the e-shop has deployed a VPC with a range of 10.1.0.0/24. Can this create problems for the organisation?

A. No, there is no overlap between IP ranges, the integration between the two networks can be seamless
B. No, this is not an issue as long as the routers in the data center have a different MAC address from the ones in the public cloud
C. Yes, this is an issue, overlapping IP ranges between a VPC subnet and an on-premise network can make the integration complex
D. Yes, this is an issue, modern public cloud infrastructure can not be integrated directly with traditional on-premise infrastructure

A

C. Yes, this is an issue, overlapping IP ranges between a VPC subnet and an on-premise network can make the integration complex

Explanation:
Overlapping IP ranges between a VPC subnet and the on-premise network can create serious complexities. It is important that the organisation plans carefully before starting migrating services to a cloud environment.

24
Q

Which of the following is not a container orchestration system?

A. Kubernetes
B.OpenShift
C. Apache Mesos
D. Jenkins

A

D. Jenkins

Explanation:
Jenkins is not a container orchestration system, it open source automation platform

25
Q

Which of the following IP ranges are not reserved for private networks?

A. 10.0.0.0/8
B. 169.4.0.0/10
C. 172.16.0.0/12
D. 192.168.0.0/16

A

B. 169.4.0.0/10

Explanation:
The 169.4.0.0/10 range is not reserved for private networks, all the other IP ranges are.

You can read more about private networks here.

26
Q

Which of the following is not usually included in the service level agreement between the cloud service provider and the customer?

A. Service Availability
B. Maximum capacity of cloud storage per region
C. Background check results for the providers personnel
D. Service quotas

A

C. Background check results for the providers personnel

Explanation:
The results of background checks conducted from the cloud provider on their staff are not typically shared with customers.

27
Q

A public cloud service provider is trying to streamline their compliance reporting. Which of the following tools could help them achieve that?

A. IDS
B. IRM
C. IPS
D. SIEM

A

D. SIEM

Explanation:
Security information and event management systems (SIEM) collect security log events from multiple systems within the enterprise and provide central storage and analysis. By collating these log streams, SIEM products enable streamlining the reporting process on an organization’s security events. Compliance mandates are placing more stress on detecting and reporting breaches as well as log retention for multiple months or years. SIEM tools are the only ones in the above list that can help an organisation meet their regulatory compliance requirements and prove they are operating lawfully.

28
Q

The newly appointed CISO of a medium-sized pharmaceutical company has been granted $4,000,000 to modernise its security arsenal. The CIO sent a request for proposal (RFP) to several security vendors and received multiple offers with different approaches ranging between $500,000 and $3,000,000. Which vendor offer should the CIO go with?

A. They should go with the $3,000,000 offer, as their budget is $4,000,000 and they can afford it
B. They should go with the $500,000 offer, as this is the cheapest option and they would save the organization $3,500,000
C. They should first conduct a risk assessment in order to understand the value of their assets and decide on their risk appetite. Then they should evaluate the offers from the vendors and choose the one that aligns the best with their strategy
D. Given that the organization has $4,000,000 and the most expensive offer is $3,000,000; they can afford to hire multiple vendors. This way, they will achieve the maximum possible level of security for the enterprise.

A

C. They should first conduct a risk assessment in order to understand the value of their assets and decide on their risk appetite. Then they should evaluate the offers from the vendors and choose the one that aligns the best with their strategy

Explanation:
You can not protect assets that you don’t know the value of. The organisation should conduct a risk assessment and an impact analysis first before deciding on any potential risk responses (e.g. hiring security vendors).

29
Q

Which of the following technology concepts has its dedicated domain assigned in ISO/IEC 27001?

A. IPS
B. Firewalls
C. Cryptography
D. Honeypots

A

C. Cryptography

Explanation:
Cryptography is the only of the above concepts which has its own dedicated domain in ISO 27000

30
Q

A large size retailer is considering using a managed cloud service provider for hosting its e-shop. The retailer has clients all over the world, but the majority of its customers reside in EU countries. The retailer collects personal data from its customers in order to offer a more personalised experience and show them relevant advertisements. The cloud provider has multiple data centres across the world. Which of the following data centres would not be a suitable option for the retailer?

A. The data center in Belgium
B. The data center in Japan
C. The data center in New Zealand
D. The data center in Chile

A

D. The data center in Chile

Explanation:
As pers the European data protection regulations, the personal information of EU citizens should not be transferred to countries which do not offer an adequate level of data protection.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

You can read more about the adequacy decisions, here.

31
Q

Which of the following is the correct definition of a problem?

A. An unplanned interruption to a service, or the failure of a component of a service that hasnt yet impacted service
B. The unknown cause of one or more incidents, often identified as a result of multiple similar incidents
C. Any placed or unplanned interruption to a service, including scheduled maintenance
D. Any event which would result in a reduction in a services quality without fully interrupting it

A

B. The unknown cause of one or more incidents, often identified as a result of multiple similar incidents

Explanation:
According to ITIL, a problem is defined as a condition from a number of incidents that are related or have common issues. This means that it is more serious than an Incident and needs separate follow up at a deeper level to avoid future Incidents

32
Q

Which of the following functions aims to identify an organisation’s key assets and the most urgent activities that underpin them, and then, devise plans and strategies that will enable them to continue the business operations and enable them to recover quickly and effectively in the event of a disruption.

A. Change Management
B. Incident Management
C. Problem Management
D. Continuity Management

A

D. Continuity Management

Explanation:
This is the definition of continuity management.

33
Q

Which of the following is not a typical capability of a CASB?

A. DLP
B. Policy Control
C. SIEM Integration
D. Meet-in-the-middle Attack Prevention

A

D. Meet-in-the-middle Attack Prevention

Explanation:
Meet-in-the-middle is a cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence, including DES. All the other answers are standard offerings of most CASBs.

34
Q

The PCI DSS (Payment Card Industry Data Security Standard) merchant levels are rankings of merchant transactions per year. How many merchant levels does the standard specify?

A. 3
B. 4
C. 5
D. 6

A

B. 4

Explanation:
PCI DSS specifies 4 distinct merchant levels based on their transactions per year.

35
Q

Which of the following is not an attack on SSL/TLS?

A. POODLE
B. BEAST
C. CRIME
D. SPECTRE

A

D. SPECTRE

Explanation:
SPECTRE is not an SSL/TLS attack. SPECTRE is a vulnerability that affects modern microprocessors that perform branch prediction.

36
Q

Bob is joining a new company as a Java developer next Monday. As part of the onboarding process, several accounts are created in different systems. Which account is most likely to be created first?

A. Active Directory
B. Github
C. HR System
D. Payroll

A

C. HR System

Explanation:
The first account is most likely to be created in the Human Resources system. The HR department typically carries out all the background checks and is heavily involved in the onboarding process. The identity management system periodically checks the HR system for new entries and provisions accounts to relevant systems based on the employee’s role.

37
Q

The Cloud Security Alliance (CSA) published the Treacherous 12 which expounds on 12 categories of security issues that are relevant to cloud environments. Which of the following is not one of the 12 categories?

A. Advanced Persistent Threat (APTs)
B. Nefarious Use of Cloud Services
C. Weak Identity, Credential and Access Management
D. Database Injection

A

D. Database Injection

Explanation:
Database Injection is not included in the Treacherous 12, the rest of the options are all on CSA’s list.

38
Q

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. It is one of the most common web vulnerabilities according to OWASP. If a web application is vulnerable to XSS, where is the malicious code being executed?

A. The malicious code is executed on the machine of the attacker exploiting the vulnerable application
B. The malicious code is executed on the server hosting the web application
C. The malicious code is executed on the computer of people visiting the exploited webpage
D. XSS does not involve the execution of malicious code

A

C. The malicious code is executed on the computer of people visiting the exploited webpage

Explanation:
XSS allows the attacker to store arbitrary code on a vulnerable web application. The malicious code gets executed on the computer of people visiting the exploited webpage.

You can read more about XSS, here.

39
Q

Cloud storage often uses a technique known as data dispersion. Each storage block is fragmented and the storage application writes each bit into different storage containers in order to increase assurance. Which legacy is data dispersion most similar to?

A. FAT32
B. NTFS
C. BitLocker
D. RAID

A

D. RAID

Explanation:
Data dispersion resembles the traditional RAID technology. Both of the technologies break down the data and store them in multiple locations/devices instead of a single disk.

40
Q

How are egress monitor solutions also known as?

A. Web Application Firewalls
B. Data Loss Protection Tools
C. Outbound Policies
D. NAT devices

A

B. Data Loss Protection Tools

Explanation:
Egress monitor solutions are also known as DLP tools and their aim is to monitor and restrict the data leaving the corporate network.

41
Q

The cloud security alliance has defined a model for the cloud data lifecycle which consists of 6 phases. In which does crypto-shredding belong?

A. Store
B. Destroy
C. Use
D. Erase

A

B. Destroy

Explanation:
Crypto-shredding is the practice of deleting data by deliberately deleting or overwriting the encryption keys which have encrypted the data. “Erase” does not constitute an actual phase in CSA’s model. The correct answer is the “Destroy” phase.

42
Q

A medium-size insurance company has just implemented a security information and event management platform and has integrated it with several applications. Which of the following is not a capability of a SIEM?

A. Log Files Compression
B. Alert Correlation
C. Reporting and Dashboards
D. SSL/TLS Offboarding

A

D. SSL/TLS Offboarding

Explanation:
SSL/TLS offloading is not a feature of SIEM platforms. SSL offloading is the process of removing the SSL-based encryption from incoming traffic to relieve a web server of the processing burden of decrypting and/or encrypting traffic sent via SSL. It is typically implemented on load balancers.

43
Q

A large online retailer is in the process of modernising their IT infrastructure. Currently, the call center personnel have access to all the private information of the customers in cleartext. The information stored includes the customer’s name, address, date of birth, social security number, and credit card number. Which of the above data should be protected by using static masking?

A. Name
B. Address
C. Social Security Number
D. Credit Card Number

A

C. Social Security Number

Explanation:
The best use case for using static masking is the social security number. In static masking, specific characters are replaced before storing the data. The retailer needs the full credit card number of the customers in order to process payments hence static masking would not be a suitable solution. A partial (masked) version of the customer’s social security number can be used by the agents to authenticate the customers over the phone.

44
Q

Which of the following is not provided from DNSSEC?

A. Confidentiality
B. Origin Authentication
C. Authenticated Denial of Existence
D. Data Integrity

A

A. Confidentiality

Explanation:
DNSSEC does not provide confidentiality instead it provides:

Origin authentication

Authenticated denial of existence

Data integrity

Read more about DNSSEC here.

45
Q

Which is the most challenging aspect of encryption in the cloud?

A. Key Size
B. Key Storage
C. Limited Computational Power
D. Cipher Strength

A

B. Key Storage

Explanation:
The biggest challenge with cryptography is key storage. In a cloud setup, it is recommended that the keys are not stored in the cloud service provider whether the encrypted data resides.

46
Q

What does homomorphic encryption refer to?

A. A form of encryption that allows the processing of encrypted data without having to decrypt it first
B. A form of encryption that allows different public keys to decrypt a ciphertext encrypted with a single private key
C. A form of encryption that allows a single private key to decrypt a ciphertext encrypted with a single public key
D. A form of encryption in which the secret key of a user and the ciphertext are dependent upon their attributes (ie the country they leave, their age, their role in a company etc)

A

A. A form of encryption that allows the processing of encrypted data without having to decrypt it first

Explanation:
Homomorphic encryption is a form of encryption that allows computation on ciphertexts, generating an encrypted result which, when decrypted, matches the result of the operations as if they had been performed on the plaintext.

47
Q

Which of the following cryptographic algorithms/schemes can provide non-repudiation?

A. SHA-256
B. AES
C. DSA
D. DES

A

C. DSA

Explanation:
The Digital Signature Algorithm (DSA) algorithm works in the framework of public-key cryptosystems and is based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem, which is considered to be computationally intractable.

Digital signatures provide integrity and non-repudiation.

DES and AES are symmetric encryption algorithms while SHA-256 is a hashing algorithm, none of them provide non-repudiation.

48
Q

E-Discovery refers to any process in which electronic data is sought and searched in order to
be used as evidence in a legal case. Which of the following data of an organisation is not in scope for eDiscovery?

A. Data in the organizations control
B. Data in the organizations possession
C. Data in the organizations custody
D. Data in the organizations supervision

A

D. Data in the organizations supervision

Explanation:
Under the Federal Rules of Civil Procedure, a party to litigation is expected to preserve and be able to produce electronically stored information that is in its possession, custody, or control.

49
Q

A customer has informed their cloud provider that they are planning to conduct a penetration testing exercise against their application which is deployed in the public cloud. Which of the following would the provider typically not require before giving their approval for the pentest?

A. The list with vulnerability scanning tools used
B. The scope of the exercise
C. Advance Notice
D. The duration of the exercise

A

A. The list with vulnerability scanning tools used

Explanation:
Typically a cloud service provider would require to be notified few weeks in advance for any pentest activity against applications deployed in the cloud infrastructure. They would typically ask the customer for the services in scope as well as the duration of the exercise.

Typically, the cloud service provider does not need to know about the specific vulnerability scanning tools used in the exercise.

50
Q

Which risk is not mitigated from full disk encryption in a cloud environment?

A. Physical theft of hardware
B. Attacks through the application container
C. Malicious CSP employees
D. Not effective hard disk destruction

A

B. Attacks through the application container

Explanation:
Attacks through the application container would still be able to read the data encrypted on the disk level. The OS and the application container in particular need access to the plaintext data.