Pocket Prep 4 Flashcards

1
Q

Which of the following describes how a business addresses regulatory compliance challenges in the cloud?

A. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, containers
B. Security policies, golden images, Cloud Service Customer (CSC) defined service level agreements, contracts
C. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts
D. Security policies, annual audits, Cloud Service Provider (CSP) defined service level agreements, contracts

A

C. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts

Explanation:
Correct answer: Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts

There are many things a business should do to address regulatory compliance challenges in the cloud, or simply to secure the corporation's information and information systems, and it begins with security policies. The order is governance and board-of-directors oversight first, then risk management to understand the threat environment, and then the security policies that follow from both.

One thing the policies should specify is that audits are performed. The customer may need to be audited by a third party if there is a legal compliance requirement. Beyond that, knowing that the CSP has been audited by a third party, and what the results were (SOC 2 reports and similar), is valuable. Depending on the customer and the provider, the customer may even be involved in the audit of the cloud service provider.

Side note: a third-party audit is one performed by an external firm such as Deloitte or PwC. It is "third" because the CSC is the first party and the CSP is the second; adding an external auditor brings the count to three. A fourth party comes into play if the audit firm subcontracts part of the work.

The CSC should define the Service Level Agreements (SLAs) it requires. The CSP may need to help work these out, but the customer should specify what it needs.

The SLAs are part of the contracts established with the CSP.

Golden images and containers are not part of this. A golden image is the hardened, stable virtual machine image used as the template for deploying a specific kind of VM. A container is a portable, isolated environment for running specific code. Golden images certainly help with compliance (every deployed system starts from a known, approved baseline), but they are a technical control rather than a governance mechanism like the other options.
Reference:

(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 272.

The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 297-298.

2
Q

An attacker deleting log files maps to which letter of the STRIDE acronym for cybersecurity threat modeling?

A. E
B. I
C. D
D. R

A

D. R

Explanation:
Microsoft's STRIDE threat model classifies threats by the security property each one violates:

Spoofing: The attacker pretends to be someone (or something) else, violating authentication
Tampering: The attacker modifies data or code, violating integrity
Repudiation: The attacker can deny having taken an action they did take, violating non-repudiation
Information Disclosure: The attacker gains unauthorized access to sensitive data, violating confidentiality
Denial of Service: The attacker harms the availability of a service
Elevation of Privilege: The attacker gains access to resources or capabilities they should not have, violating authorization

Deleting log files is an effort to cover the attacker's tracks: without the logs, the organization cannot prove who did what, so the threat maps to repudiation (R). (The deletion is also tampering with the log's integrity, but the attacker's goal, and the CCSP answer, is repudiation.)
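The repudiation point is easier to see in code. The following is an added example, not part of the flashcard or of Microsoft's STRIDE material: a small hash-chained audit log in which every record commits to the one before it, so that deleting a record (the attack in the question) breaks the chain. The log entries and the idea of an externally anchored head hash are constructed assumptions for the demo; in practice the anchor would be the last hash forwarded to a SIEM or write-once store the attacker cannot reach.

```python
# Added example (not from the flashcard or from Microsoft's STRIDE material): a hash-chained,
# tamper-evident audit log, used to show why deleting log entries is a repudiation threat
# and what it takes to detect it. Entries and the "anchor" are constructed for the demo.
import hashlib
from typing import Optional

GENESIS = "0" * 64  # starting hash for an empty log


def _link(prev_hash: str, seq: int, entry: str) -> str:
    """Hash that binds an entry to its position and to every entry before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(seq.to_bytes(8, "big"))
    h.update(entry.encode("utf-8"))
    return h.hexdigest()


def append(log: list, entry: str) -> str:
    """Append an entry and return the new head hash (the value you would anchor externally)."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    digest = _link(prev, seq, entry)
    log.append({"seq": seq, "entry": entry, "hash": digest})
    return digest


def verify(log: list, anchored_head: Optional[str] = None) -> tuple:
    """Walk the chain and return (ok, reason). anchored_head is the last hash that was
    copied to a store the attacker cannot reach (SIEM, WORM bucket, signed receipt)."""
    prev = GENESIS
    for position, rec in enumerate(log):
        if rec["seq"] != position:
            return False, f"entry missing or reordered at position {position}"
        if rec["hash"] != _link(prev, position, rec["entry"]):
            return False, f"entry altered at position {position}"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "log truncated: head does not match the externally anchored hash"
    return True, "ok"


def demo() -> dict:
    """Constructed audit entries; an attacker then deletes the traces of their own actions."""
    events = [
        "login user=alice src=10.0.0.5",
        "login user=mallory src=203.0.113.9",
        "sudo user=mallory cmd=/bin/bash",
        "read user=mallory file=/etc/shadow",
        "logout user=mallory",
    ]
    log = []
    head = GENESIS
    for event in events:
        head = append(log, event)

    results = {"intact_log_verifies": verify(log, head)[0]}

    # Attacker removes one record from the middle: the gap in seq and hashes is detected.
    middle_deleted = [rec for rec in log if rec["seq"] != 2]
    results["middle_deletion_detected"] = not verify(middle_deleted)[0]

    # Attacker truncates the tail: the surviving chain is still self-consistent, so without
    # an external anchor the deletion goes unnoticed ...
    truncated = log[:2]
    results["truncation_detected_without_anchor"] = not verify(truncated)[0]
    # ... but the anchored head hash exposes it.
    results["truncation_detected_with_anchor"] = not verify(truncated, head)[0]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The caveat a practitioner should take from it: a hash chain detects deletion or alteration in the middle of the log, but an attacker who simply truncates the tail (deleting the most recent records, which is exactly what someone covering their tracks does) leaves a chain that still verifies. Only comparing the surviving head against a hash recorded outside the attacker's reach exposes that, which is why shipping logs off the host immediately is the standard anti-repudiation control.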
Reference:

(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 172-173.

The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 153-156.

3
Q

Federation is a term MOST closely associated with which of the following concepts?

A. Multivendor Pathway Connectivity
B. Tenant Partitioning
C. HVAC
D. Access Control

A

D. Access Control

Explanation:
Correct answer: Access Control

Cloud customers have several options for controlling access to their systems, including federation (for example via SAML) so that the customer's own IAM system governs access to cloud resources, or an Identity as a Service (IDaaS) offering provided by the CSP or a third party. In every case, federation is an access control mechanism.
Tenant partitioning keeps tenants from affecting one another in multitenant environments, multivendor pathway connectivity improves network resiliency by using multiple ISPs and physically separate cable paths, and HVAC stands for heating, ventilation, and air conditioning.
Reference:

(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 193-197, 201-202.

The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 114-119.

4
Q

A corporation is using both the storage and processing capabilities of a cloud Platform as a Service (PaaS) provider. The data that they possess contains personally identifiable information (PII). It is essential to protect this data throughout its lifecycle.

When the customer support team is working to resolve a customer’s issue and they log in to a database to search for information regarding a customer’s purchase, which phase of the lifecycle are they in?

A. Archive phase
B. Store phase
C. Use phase
D. Create phase

A

C. Use phase

Explanation:
Correct answer: Use phase

When data is being looked at by the customer support team, it is in the use phase.

The create phase is the initial creation point of the data. The Cloud Security Alliance (CSA) states in its Security Guidance v4.0 that the create phase also covers modification and alteration of existing data. Not everyone agrees with that grouping, but the CCSP is a joint effort of the CSA and (ISC)², so it is worth knowing.

The store phase should begin as soon as the data is created. If the data must be kept for years against possible future need, that long-term storage is referred to as archival, or the archive phase.
Reference:

(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 67.

The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 59-60.

5
Q

Marsha works for a large automobile manufacturer. They have experienced a data breach that has resulted in names, addresses, Vehicle Identification Numbers (VINs), model, year, and color as well as other information being in the hands of a bad actor. This occurred because of another corporation’s mishandling of the data. This other corporation handles part of the operations for the manufacturing company. This other corporation left it exposed on an internet-accessible site.

What security issue is this?

A. Accidental cloud data disclosure
B. System vulnerabilities
C. Cloud storage data exfiltration
D. Unsecured third-party resources

A

D. Unsecured third-party resources

Explanation:
This is a third-party issue. The third party, the other corporation, mishandled the data by leaving it exposed on an internet-accessible site. Unsecured third-party resources is the best answer precisely because of the other corporation's involvement.

This could be considered accidental cloud data disclosure. However, the Cloud Security Alliance (CSA), in its Top Threats to Cloud Computing: Pandemic Eleven list, treats accidental cloud data disclosure as a problem originating within the corporation itself. If the manufacturer had left its own data exposed on the internet, that answer would fit.

It is not cloud storage data exfiltration either, because the CSA frames that threat as a company's own mishandling of its cloud storage leading to exposure of those storage resources. Again, the distinguishing feature of this scenario is that another corporation was handling the data.

System vulnerabilities are flaws within the software, the code, the libraries, the binaries, and so on. Nothing of that kind appears in this scenario; the problem is the third party's handling of the data.
Reference:

(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 105-106.

The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 142.

6
Q

At which stage of the incident response process will the IRT work to bring the organization back to a secure state, including fixing the underlying cause of the incident?

A. Detect
B. Recover
C. Respond
D. Post-Incident

A

B. Recover

Explanation:
An incident response plan (IRP) should lay out the steps that the incident response team (IRT) should carry out during each step of the incident management process. This process is commonly broken up into several steps, including:

Prepare: During the preparation stage, the organization develops and tests the IRP and forms the IRT.
Detect: Often, detection is performed by the security operations center (SOC), which performs ongoing security monitoring and alerts the IRT if an issue is discovered. Issues may also be raised by users, security researchers, or other third parties.
Respond: At this point, the IRT investigates the incident and develops a remediation strategy. This phase will also involve containing the incident and notifying relevant stakeholders.
Recover: During the recovery phase, the IRT takes steps to restore the organization to a secure state. This could include resetting compromised credentials and restoring systems from known-good backups. The IRT also remediates the underlying cause of the incident so that it is actually fixed and not merely contained.
Post-Incident: After the incident, the IRT documents everything and holds a retrospective (lessons learned) to identify room for improvement and to confirm that the root cause has been addressed so the incident does not recur.
7
Q

A cloud services provider may be classified as which of the following roles?

A. Data Processor
B. Data Owner
C. Data Owner
D. Data Custodian

A

A. Data Processor

Explanation:
There are several roles and responsibilities related to data ownership, including:

Data Owner: The data owner creates or collects the data and is ultimately accountable for it, including deciding how it is classified and protected.
Data Custodian: A data custodian maintains or administers the data, securing it according to the owner's instructions.
Data Steward: The data steward ensures that the data's context and meaning are understood and that it is used properly.
Data Processor: A data processor uses the data on the owner's behalf, including manipulating, storing, or moving it. A cloud service provider is a data processor; the customer remains the owner (in GDPR terms, the controller).
8
Q

An organization implemented new system and communication protections that prevent users from altering and misconfiguring systems and communication processes. What type of protection did the organization implement?

A. Separation of system and user functionality
B. Boundary protection
C. Security function isolation
D. Denial of Service (DoS) protection

A

A. Separation of system and user functionality

Explanation:
Separating system (management) functionality from user functionality is a core system and communications protection requirement; in NIST SP 800-53 it is control SC-2, Separation of System and User Functionality. Keeping administrative interfaces, services, and configuration paths isolated from the interfaces ordinary users can reach prevents users from modifying or misconfiguring system and communication processes.

Note that this is different from separation of duties (NIST SP 800-53 AC-5), which divides a sensitive task among people so that no single person can complete it alone. It is also close to security function isolation (SC-3), but that control isolates the security functions themselves (the reference monitor, the cryptographic module) from non-security functions, which is narrower than the scenario describes.

Boundary protection (SC-7) is a firewall, or something of that sort, at the edge of the network, Local Area Network (LAN), or subnet. In the cloud, boundaries also exist at the edge of microsegments and security groups.

DoS protection (SC-5) is a good thing to have, but it is provided by firewalls, Intrusion Prevention Systems (IPS), or other products that can recognize the packets involved in a DoS attack and drop them to stop the attack.

9
Q

In the cloud, there is a sharing of systems between all the tenants on a physical server. It is possible to allocate space within the Central Processing Unit (CPU) and memory for specific virtual machines and applications. If a virtual machine requires a certain minimum amount of space, it is necessary to create which of the following?

A. Pooling
B. Reservations
C. Shares
D. Limits

A

B. Reservations

Explanation:
If a Virtual Machine (VM) requires a certain amount of capacity at all times, that capacity must be guaranteed to it. This is done through reservations: the hypervisor will not power on the VM unless it can set aside the reserved CPU cycles or memory, and that amount is never handed to other tenants.

Hypervisors create virtual machines within a server by abstracting the physical capabilities of the machine (CPU, memory, network, and so on) into pools of resources (pooling). Those pools are drawn on by all the tenants on the server.

Shares express a VM's relative priority when a pooled resource is contended: a VM with 2,000 shares receives twice as much of the contended resource as one with 1,000 shares. Shares only matter once demand exceeds supply and guarantee nothing by themselves, which is why they are not the answer.

A limit caps the VM so that it cannot consume more than a set amount even when resources are free. Limits are used to control costs (no surprise bill at the end of the month) and to contain a noisy or compromised tenant so that it cannot starve its neighbors.
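To make reservations, limits and shares concrete, here is an added example (it is not from the flashcard and not any hypervisor vendor's scheduler): a small model of how a contended resource is divided among VMs. The capacity figure, the VM definitions and the assumption that every VM demands as much as it can get are constructed for the example; real schedulers also account for actual demand, which this model ignores.

```python
# Added example (not from the flashcard or any hypervisor vendor's code): a model of how a
# hypervisor divides a contended resource (here GHz of CPU) among VMs that carry
# reservations, limits and shares. VM definitions are constructed; every VM is assumed
# to demand as much as it can get, which is the worst case for its neighbours.
from typing import Dict

EPS = 1e-9


def reservations_admissible(capacity: float, vms: Dict[str, dict]) -> bool:
    """Admission control: a VM only powers on if its reservation can be guaranteed."""
    return sum(vm["reservation"] for vm in vms.values()) <= capacity + EPS


def allocate(capacity: float, vms: Dict[str, dict]) -> Dict[str, float]:
    """Divide capacity among VMs described as {"reservation", "limit" (None = no cap), "shares"}.
    Step 1: every VM receives its reservation unconditionally.
    Step 2: the remainder is split in proportion to shares; a VM that hits its limit drops
    out and the excess is re-split among the rest (water-filling)."""
    if not reservations_admissible(capacity, vms):
        raise ValueError("reservations exceed capacity; a VM would fail admission control")

    alloc = {name: float(vm["reservation"]) for name, vm in vms.items()}
    remaining = capacity - sum(alloc.values())

    def headroom(name: str) -> float:
        limit = vms[name]["limit"]
        return float("inf") if limit is None else limit - alloc[name]

    active = {name for name in vms if headroom(name) > EPS}
    while remaining > EPS and active:
        total_shares = sum(vms[name]["shares"] for name in active)
        if total_shares <= 0:
            break
        capped = set()
        handed_out = 0.0
        for name in sorted(active):
            want = remaining * vms[name]["shares"] / total_shares
            give = min(want, headroom(name))
            alloc[name] += give
            handed_out += give
            if headroom(name) <= EPS:  # reached its limit; its excess is re-split next pass
                capped.add(name)
        remaining -= handed_out
        active -= capped
        if not capped:  # nobody was capped, so the whole remainder was handed out
            break
    return alloc


def demo() -> Dict[str, float]:
    """Three constructed VMs on an 8 GHz host."""
    vms = {
        "db":    {"reservation": 2.0, "limit": None, "shares": 2000},  # must always have 2 GHz
        "batch": {"reservation": 1.0, "limit": 2.0,  "shares": 1000},  # capped to contain cost
        "web":   {"reservation": 0.0, "limit": None, "shares": 1000},  # best effort only
    }
    return allocate(8.0, vms)


def noisy_neighbor_demo() -> Dict[str, float]:
    """What a tenant gets next to a VM with a thousand times more shares, with and without
    a reservation of its own (4 GHz host, constructed figures)."""
    noisy = {"reservation": 0.0, "limit": None, "shares": 1_000_000}
    without = allocate(4.0, {"tenant": {"reservation": 0.0, "limit": None, "shares": 1000},
                             "noisy": noisy})
    with_res = allocate(4.0, {"tenant": {"reservation": 1.0, "limit": None, "shares": 1000},
                              "noisy": noisy})
    return {"without_reservation": without["tenant"], "with_reservation": with_res["tenant"]}


if __name__ == "__main__":
    print(demo())
    print(noisy_neighbor_demo())
```

Running demo() gives db about 4.67 GHz, batch exactly 2.0 (its limit) and web about 1.33: db and web split what batch cannot use in the 2:1 ratio of their shares, on top of the reservations that were set aside first. noisy_neighbor_demo() shows the security angle: with shares alone, a tenant sitting next to a VM that has a thousand times more shares is starved to a few thousandths of the capacity; with a reservation it is guaranteed its minimum no matter how the neighbor behaves.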

10
Q

Nica has been hired by a law firm to manage their information security department. It has been determined that they will be closing down their on-premises data center after they complete their move to the cloud. This law firm handles legal affairs for a hospital located in the USA. Which laws are most relevant to this client?

A. The Health Insurance Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Documents Act (PIPEDA)
B. The California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA)
C. The Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA)
D. The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Sarbanes-Oxley Act (SOX)

A

B. The California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA)

Explanation:
Correct answer: The California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA)

CCPA and HIPAA are the best match for a hospital in the US. HIPAA applies to the hospital's protected health information regardless of state; the question assumes the hospital is in California (or serves California residents), which brings CCPA into play. PIPEDA is Canadian federal privacy law, so it is not relevant to a US hospital.

SOX is a US law, but it concerns the integrity of financial reporting by publicly traded companies. GLBA is also US law, but it protects the personal information of customers of financial services companies. A hospital that extends credit through payment plans could arguably fall under parts of GLBA, and SOX could apply if the hospital is publicly traded, but HIPAA is the law that unambiguously applies to a hospital.

11
Q

Habib has been configuring their Infrastructure as a Service (IaaS) virtual servers. He has connected these servers in a way that the traffic will be distributed evenly between them when they are in production. What is he configuring?

A. High performance
B. Resilience
C. Clustering
D. Load balancing

A

D. Load balancing

Explanation:
A load-balanced cluster is a configuration that distributes incoming network traffic across multiple servers or nodes to improve performance, scalability, and availability. The cluster presents itself to clients as a single logical unit, with each node sharing the workload and responding to requests.

Having several servers share the traffic does make the environment more resilient, and it does allow a higher level of performance, but those are results of what Habib is configuring, which is load balancing.

A cluster is at least two servers working together; load balancing is one use of a cluster. The focus of the question is that traffic will be distributed, which is load balancing.

12
Q

Which of the following is MOST relevant to an organization’s network of applications and APIs in the cloud?

A. Physical Access
B. User Access
C. Service Access
D. Privilege Access

A

C. Service Access

Explanation:
Key components of an identity and access management (IAM) policy in the cloud include:

User Access: User access refers to managing the access and permissions that individual users have within a cloud environment. This can use the cloud provider’s IAM system or a federated system that uses the customer’s IAM system to manage access to cloud services, systems, and other resources.
Privilege Access: Privileged accounts have more access and control in the cloud, potentially including management of cloud security controls. These can be controlled in the same way as user accounts but should also include stronger access security controls, such as mandatory multi-factor authentication (MFA) and greater monitoring.
Service Access: Service accounts are used by applications and workloads that need to reach other resources without a human present. Cloud environments rely heavily on microservices and APIs that call one another, so managing service access (scoping each service identity to the minimum it needs, and rotating or eliminating its long-lived credentials) is essential in the cloud.

Physical access to cloud servers is the responsibility of the cloud service provider, not the customer.

13
Q

Which regulation would be used to build a risk-based policy for cost-effective security for government agencies?

A. Gramm-Leach-Bliley Act (GLBA)
B. Federal Information Security Management Act (FISMA)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Protected Health Information (PHI)

A

B. Federal Information Security Management Act (FISMA)

Explanation:
The Federal Information Security Management Act (FISMA) requires US federal agencies to build risk-based programs that provide cost-effective security for their information and information systems, and to report on them. Government agencies are as much a target for bad actors as anyone, and FISMA (updated as the Federal Information Security Modernization Act of 2014) exists to make their security posture measurable and accountable.

GLBA is a separate, earlier US law (1999) that requires financial institutions to protect customers' nonpublic personal information; it is not an extension of Sarbanes-Oxley. HIPAA requires that Protected Health Information (PHI) be protected. PHI itself is a category of data, not a regulation, so option D is not a regulation at all.

14
Q

An organization is building a new data center. They need to ensure that proper heating and cooling are implemented. What is the recommended minimum and maximum temperature for a data center?

A. 64.4-80.6 degrees F/18-27 degrees C
B. 60.1-75.2 degrees F/15-24 degrees C
C. 62.2-81.0 degrees F/16-27 degrees C
D. 59.5-79.5 degrees F/15-26 degrees C

A

A. 64.4-80.6 degrees F/18-27 degrees C

Explanation:
Correct answer: 64.4-80.6 degrees F/18-27 degrees C

According to ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers), the recommended temperature range for a data center is a minimum of 64.4 degrees F and a maximum of 80.6 degrees F, which is 18 to 27 degrees C.

You may need this on the test. A common question is whether you need to learn the other measurement standard (if I know Fahrenheit, do I have to learn Celsius, and vice versa?). If it is on the test, you will want to know both.

15
Q

In the shared responsibility model, the consumer is always responsible for which of the following, regardless of whether the service model is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)?

A. Platform security
B. Governance, Risk management, and Compliance (GRC)
C. Identity and access management
D. Application security

A

B. Governance, Risk management, and Compliance (GRC)

Explanation:
Correct answer: Governance, Risk management, and Compliance (GRC)

In every cloud service model, IaaS, PaaS, or SaaS, the cloud consumer remains responsible and accountable for the data it places in the cloud. That responsibility cannot be outsourced, so Governance, Risk management, and Compliance (GRC) is always the customer's.

Application security, including how identity and access management is set up and operated for the application, is shared and shifts with the service model: largely the customer's in IaaS, split in PaaS, and mostly the provider's in SaaS, where the customer's part is limited to configuring users, roles, and permissions.

Platform security is the provider's responsibility in SaaS, a shared responsibility in PaaS, and the customer's responsibility in IaaS (the provider still owns the hypervisor and everything below it).

16
Q

What type of testing is performed during the maintenance phase of software development to guarantee that changes to the software program do NOT destroy existing functionality, introduce new vulnerabilities, or resurface previously resolved vulnerabilities?

A. Regression testing
B. Usability testing
C. Integration testing
D. Unit testing

A

A. Regression testing

Explanation:
This is a good definition of regression testing. Regression testing re-runs existing tests after a change to ensure that existing functionality still works and that previously fixed defects, including security vulnerabilities, do not come back. A good practice is to turn every fixed vulnerability into a permanent regression test, so that a later refactor cannot silently reintroduce it.

Unit testing focuses on individual units or components of the software in isolation.

Integration testing combines individual software modules and tests them as a group.

Usability testing evaluates how real users experience the software.
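As an added example (not from the flashcard or from any particular project) of turning a fixed vulnerability into a permanent regression test: the resolver below maps a user-supplied filename onto an upload directory. legacy_resolve is the constructed pre-fix version with a path traversal flaw, resolve_upload_path is the fixed one, and run_regression_suite is the suite that must pass after every future change. The upload root and the test inputs are assumptions for the example.

```python
# Added example (not from the flashcard): a regression suite that pins both existing
# behaviour and a previously fixed path-traversal vulnerability in an upload-path resolver.
# The upload root, the legacy resolver and the test inputs are constructed for this example.
from pathlib import PurePosixPath
from typing import Callable, Dict

UPLOAD_ROOT = PurePosixPath("/srv/uploads")  # assumed location of user uploads


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the upload root."""


def legacy_resolve(user_path: str, root: PurePosixPath = UPLOAD_ROOT) -> PurePosixPath:
    """The pre-fix version: trusts the user path, so "../" and absolute paths escape root."""
    return root / user_path


def resolve_upload_path(user_path: str, root: PurePosixPath = UPLOAD_ROOT) -> PurePosixPath:
    """The fixed version: normalise the path segment by segment, without touching the
    filesystem, and refuse anything that would climb above root."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    kept = []
    for part in candidate.parts:
        if part == "..":
            if not kept:
                raise PathTraversalError("path escapes the upload root")
            kept.pop()
        elif part not in ("", "."):
            kept.append(part)
    return root.joinpath(*kept)


def _rejects(resolver: Callable[[str], PurePosixPath], user_path: str) -> bool:
    """True if the resolver refuses the input with PathTraversalError."""
    try:
        resolver(user_path)
    except PathTraversalError:
        return True
    return False


def run_regression_suite(resolver: Callable[[str], PurePosixPath]) -> Dict[str, bool]:
    """Each check is a behaviour that must survive every future change to the resolver."""
    expected = UPLOAD_ROOT / "reports" / "q1.pdf"
    checks = {
        # existing functionality that the fix must not break
        "plain relative path still resolves":
            lambda: resolver("reports/q1.pdf") == expected,
        "dot segments that stay inside root still resolve":
            lambda: resolver("reports/../reports/q1.pdf") == expected,
        # the vulnerability that was fixed, plus the variants the fix must also cover
        "parent traversal stays fixed":
            lambda: _rejects(resolver, "../../etc/passwd"),
        "traversal after a valid prefix stays fixed":
            lambda: _rejects(resolver, "reports/../../etc/passwd"),
        "absolute path stays rejected":
            lambda: _rejects(resolver, "/etc/passwd"),
        "NUL byte stays rejected":
            lambda: _rejects(resolver, "q1.pdf\x00.jpg"),
    }
    return {name: bool(check()) for name, check in checks.items()}


def suite_passes(resolver: Callable[[str], PurePosixPath]) -> bool:
    return all(run_regression_suite(resolver).values())


if __name__ == "__main__":
    for name, resolver in (("legacy_resolve", legacy_resolve),
                           ("resolve_upload_path", resolve_upload_path)):
        print(name, "passes" if suite_passes(resolver) else "FAILS")
        for check, ok in run_regression_suite(resolver).items():
            print(f"  [{'ok' if ok else 'FAIL'}] {check}")
```

The plain-path check passes against both versions, which is why a functional test suite alone would not have caught the bug; the traversal, absolute-path and NUL-byte checks are the regression tests that fail against legacy_resolve and would fail again if a later refactor quietly reintroduced the flaw.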

17
Q

Paricia works for a manufacturing company as their primary information security manager. They are now planning their move into the cloud to take advantage of new technologies that are easy to implement in a virtual data center. One of the most important elements for them is the change in the responsibility model: many responsibilities they would carry in their own data center become the cloud provider's responsibility.

What is the breakdown of who is responsible for what?

A. The customer is responsible for the virtual switches and servers, the cloud provider is responsible for the physical storage and virtual routers
B. The customer is responsible for configuring the virtual routers and switches, the cloud provider is responsible for the physical routers and switches
C. The customer is responsible for the virtual routers and physical switches, the cloud provider is responsible for the physical routers and virtual switches
D. The customer is responsible for the virtual servers and databases, the cloud provider is responsible for physical and virtual network devices

A

B. The customer is responsible for configuring the virtual routers and switches, the cloud provider is responsible for the physical routers and switches

Explanation:
Under the IaaS shared responsibility model the customer builds a virtual data center: the customer supplies and configures the operating systems and images that make up the virtual routers, virtual switches, virtual servers, and virtual security appliances (firewalls, intrusion detection systems, and so on). The cloud provider is responsible for the physical network, including the physical routers, switches, and security appliances, and for the physical servers together with the hypervisors that run on them.

With IaaS the customer also decides on its data storage systems, such as Storage Area Networks (SANs), and on the data structures of its databases, data lakes, and so on. Everything above the hypervisor, that is, everything virtual, is the customer's responsibility; the physical layer and the hypervisor are the provider's.

18
Q

Leonidas has been working through the process of assessing and evaluating potential cloud providers to host their needs within the Platform as a Service (PaaS) cloud model. One of the critical aspects that he has been trying to determine is if they will be able to remove their data from the cloud provider in the future should they determine that the cloud is not the right solution for them or if they need to change service providers.

What term matches their concern of removing their data from the cloud provider?

A. Availability
B. Portability
C. Reversibility
D. Interoperability

A

C. Reversibility

Explanation:
Reversibility is the ability to retrieve all of their data and artifacts from the cloud provider and to ensure that the provider then completely removes them.

Portability is the ability to move data (and workloads) from one cloud provider to another without having to re-enter or rebuild it.

Interoperability is the ability of two different systems to exchange data and make use of it.

Availability means that the data and systems are there and usable when the user requires access.

19
Q

Of the following types of cloud deployments, which is MOST susceptible to virtual machine and virtual switch attacks?

A. Platform as a Service (PaaS)
B. Infrastructure as a Service (IaaS)
C. Database as a Service (DBaaS)
D. Software as a Service (SaaS)

A

B. Infrastructure as a Service (IaaS)

Explanation:
Two security considerations specific to IaaS environments are virtual switch attacks and virtual machine attacks. In an IaaS deployment the customer loads all of the Operating Systems (OS), including the OS images that act as the virtual router, virtual switch, firewall, Intrusion Detection System (IDS), and so on, and together these create a virtual data center. Because that infrastructure is software rather than hardware, it is usually defined and deployed as Infrastructure as Code (IaC), and the virtual switches, including their VLAN, port-mirroring, and security-group configuration, are the customer's to secure and the attacker's to target.

PaaS is effectively the next level up. The customer does not manage the infrastructure and has no visibility into switches, virtual or physical. The customer's part of the environment begins at the virtual server in a server-based PaaS, and higher still in a serverless deployment. DBaaS is a PaaS offering.

SaaS is the highest level, where the customer does not even see the server. The only visibility is into the software, not the server or the switch.

20
Q

Recently, your organization has decided to use a third party for its cloud migration. This third-party organization requires access to a number of your organization's file servers. You must ensure that the third party has access to the necessary resources. What is the FIRST action your organization should take?

A. Conduct vendor due diligence on the third party
B. Monitor third-party access to resources
C. Establish a written IT security policy for the third party
D. Provide minimal access for the third party

A

A. Conduct vendor due diligence on the third party

Explanation:
Before granting access to any resource, you should conduct vendor due diligence for the third-party organization. This diligence is very similar to a risk assessment, but it is usually in the form of a questionnaire completed by the vendor and analyzed by the organization.

The question implies that the business already exists, so an IT security policy for third-party vendors should already be in place. That policy should require that the third party receive only the minimum access needed (least privilege, which is also a tenet of zero trust architecture) and that vendor access be monitored continuously.

The other answer options should occur after the due diligence has been conducted on the vendor.