Pocket Prep 9

Question 1

Silas is the new information security manager working with a multinational corporation’s Disaster Recovery (DR) team. They are working on gaining a better understanding of this business and its requirements in the face of disasters. They have been able to determine that a critical database server must be back online within five hours of failure. If it is offline for longer than that, the cost to the business would be extreme. The next step is to determine the cost of a server failing by performing a quantitative assessment. What is the name of that next value?

A. Annualized Loss Expectancy (ALE)
B. Recovery Time Objective (RTO)
C. Single Loss Expectancy (SLE)
D. Maximum Tolerable Downtime (MTD)

Answer 1

C. Single Loss Expectancy (SLE)

Explanation:
The Single Loss Expectancy (SLE) is calculated by multiplying the asset’s value with the Exposure Factor (EF). The EF is the expected percentage of loss of the asset. It may be 100% in extreme conditions, but it may be only a fraction of that for many of the incidents that could occur.

Annualized Loss Expectancy (ALE) is a risk management metric that helps organizations estimate the financial impact of a specific risk over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO).

Maximum Tolerable Downtime (MTD) is a business continuity metric that quantifies the maximum acceptable duration of a service or system outage without causing significant harm to an organization’s operations, reputation, or financial viability. It represents the time limit within which an organization must recover its critical functions or systems to avoid severe consequences. This value is in the question; the value is five hours.

Recovery Time Objective (RTO) is a critical metric used in business continuity planning to define the maximum acceptable downtime or duration within which a system, process, or service must be restored after an incident or disruption. RTO represents the target timeframe for recovery activities to be completed and operations to resume at an acceptable level.

Question 2

An information security manager works at a hospital, and she is responsible for the upcoming audit. The hospital must be in compliance with the Health Insurance Portability and Accountability Act (HIPAA). So she has been working hard to ensure that the audit will go smoothly. Which of the following is the first step she started with?

A. Define audit program objectives
B. Gap analysis
C. Audit fieldwork
D. Identify scope and restrictions

Answer 2

A. Define audit program objectives

Explanation:
Audit planning is made up of the following main steps, which occur in the following order:

Define audit program objectives
Gap analysis
Define audit objective and deliverables
Identify auditor and qualifications
Identify scope and restrictions
Audit fieldwork
Audit reporting
Audit follow-up

Defining the objectives must be the first step in the audit plan because it will lay the groundwork for the rest of the plan.

Question 3

Padma has been working with her corporation to determine how to address the risk that they have uncovered in their annual review of the Business Continuity/Disaster Recovery (BC/DR) plan. Is there a scenario where it makes sense to simply accept the risk that has been discovered?

A. When there is a low chance the risk will actually occur, but if it did occur, it would be devastating to the organization
B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur
C. When there is a low risk but moderate impact, and there are no protection measures in place
D. When the cost of mitigating the risk and the cost of dealing with the risk when it occurs are about the same

Answer 3

B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur

Explanation:
There are some instances where organizations will choose to accept risk rather than to do anything to deal with it. This is typically done whenever the cost to mitigate the risk outweighs the cost to simply deal with the risk when or if it were to occur.

It is unlikely that a corporation would simply accept a risk if it could be overwhelming for an organization. That would be a low likelihood but high impact.

If there is a low risk and moderate impact, it is possible that the risk will just be accepted, but it is much more likely that some kind of control would be put in place.

If the cost of mitigation and the cost of the impact are about the same, this too may just be accepted, but it is more likely that some kind of control would be put in place.

So, out of all these scenarios, the most likely answer is a risk that costs much more to mitigate than to experience.

Question 4

Raj is working on configuring the Infrastructure as a Service (IaaS) deployment for his corporation. He is looking for a virtual device that will be able to detect the presence of malicious actors within the virtual network. He also needs the virtual device to log the event and send alerts about the malicious activity as well as drop the packets that contain the malicious activity.

What type of virtual device would best meet these needs?

A. Database Activity Monitor (DAM)
B. Intrusion Detection System (IDS)
C. eXtensible Markup Language (XML) firewall
D. Intrusion Prevention System (IPS)

Answer 4

D. Intrusion Prevention System (IPS)

Explanation:
An IPS can perform all those operations, including the critical action of dropping the packets that contain malicious activity. An Intrusion Detection System (IDS) detects malicious traffic and potential intrusions. It can alert about the possible intrusion, but it isn’t able to block the intrusion.

An XML firewall is a firewall that focuses on XML traffic. A firewall has the ability to allow or block traffic. However, the focus of the device is different because it is looking for traffic to allow while blocking other traffic. It could be blocking specific traffic such as a specific protocol (e.g., telnet). It does not focus on looking for malicious actors. So, it is close to the right answer. However, IPS is a better fit for the scenario in the question.

A DAM sits in front of the database and monitors the users’ activities. It has become necessary to monitor the users’ activities inside the database, but there are many malicious actors that know about the internal log that is created, so they will work to destroy it. Therefore, another device is used in front of the database to monitor the users’ activities from the outside so that there is less of a chance a malicious actor will be able to destroy these logs. The DAM does not block activity, yet.

Question 5

A cloud administrator needs to rapidly deploy an application package throughout a large cloud environment. Which of the following could this engineer use to accomplish this easily?

A. Key management
B. Hypervisor
C. Containers
D. Mobile Device Management (MDM)

Answer 5

C. Containers

Explanation:
A wrapper that contains all the configuration, code, and libraries needed for an application, which can be rapidly deployed across a cloud environment, is known as a container.

Virtual Machines (VMs) can be built on a hypervisor. On the virtual machine, the software can be loaded. This is not the best answer because of the word rapidly in the question. VMs are not as fast and easy to manage as containers.

Key management is for storing and protecting cryptographic keys. They are likely used somewhere in the application, but that is not the focus of the question. Deployment is the question.

MDM software is used to manage mobile devices. It gives the administrators the ability to contain corporate data on a personal phone. Data can be deleted and the phone can be wiped when needed, among other features

Question 6

The storage technique that disperses data across multiple drives on different servers and then adds parity information that allows lost data to be recovered is referred to as which of the following?

A. Data encryption
B. Hashing
C. RAID
D. Redundant Array of Independent Drive (RAID)

Answer 6

D. Redundant Array of Independent Drive (RAID)

Explanation:
Erasure encoding is a technique employed by data dispersion to disperse data across many servers and then add parity information in a way that is similar to RAID 5. The main difference is that the drives are not within a single server as they are with RAID. On the chunks of data that are dispersed, a mathematical calculation is performed and the results are stored with the data. If chunks are lost, the parity bit enables the data to be reconstructed.

Hashing is a mathematical calculation that allows the integrity of data to be proven. Algorithms include MD5 and SHA 1/2/3.

Data encryption is the mathematical process that converts data from a readable format to unreadable but is reversible with decryption. The purpose is to protect the confidentiality of the data.

Question 7

Samuel has been leading the incident response team in response to a bad actor’s actions within their network. They have started the investigation, and so far they have come to understand that they are missing a security control at the specific point of compromise. At which point during the incident response process are new security controls implemented?

A. Detect
B. Recover
C. Respond
D. Prepare

Answer 7

B. Recover

Explanation:
During the recovery phase of an incident response, the teams work to return everything to a normal status. This includes adding new countermeasures as needed based on the investigation of the incident. You must restore regular operation to your organization’s impacted systems.

The prepare phase is all the work done long before an incident occurs. It is necessary to prepare for many different incidents. Preparation is critical to being able to perform the right actions, in the right order, with the right team when needed.

Detection is arguably the first step in managing an actual incident. It is not possible to put any of those plans into use unless there is knowledge that something is actually happening.

The response phase includes containment of any ongoing incident. It also includes investigations and notifications to necessary parties.
Reference:

Question 8

A cloud administrator is building the network in their company’s Infrastructure as a Service (IaaS) deployment. Currently, they are configuring the switches with their Virtual Local Area Networks (VLANs). The VLANs that they are constructing are for the different departments within the organization. There is one for marketing, one for Research and Development (R&D), and many more.

Which of the following statements regarding VLANs is TRUE?

A. VLANs work the best if implemented in the same geographical location
B. VLANs are used to allow remote access for employees working outside the office
C. VLANs can be used across multiple data centers without concern for geographical location
D. VLANs are dependent on the physical wiring and cabling infrastructure

Answer 8

C. VLANs can be used across multiple data centers without concern for geographical location

Explanation:
VLANs are not dependent on the physical infrastructure at all, so this makes them ideal for network segmentation across multiple data centers without the need to worry about the geographical location. Vendors offer a variety of different VLAN options today, such as Private VLAN (PVLAN), Private eXtensible VLAN (PXVLAN), and so on.

Virtual Private Networks (VPN) are used to allow users remote access if they are out of the office or connecting to the cloud resources.

Fundamentally, CCSP is a data center exam. It is highly recommended that you understand networking basics and then the virtualized options in the cloud.

Question 9

Which of the following cloud service offerings has the most potential exposure to virtualization-related security risks?

A. FaaS
B. IaaS
C. PaaS
D. SaaS

Answer 9

D. SaaS

Explanation:
A Software as a Service (SaaS) environment has all of the risks that IaaS and PaaS environments have, as well as new risks of its own. Some risks unique to SaaS include:

Proprietary Formats: With SaaS, a customer is using a vendor-provided solution. This may use proprietary formats that are incompatible with other software or create a risk of vendor lock-in if the organization’s systems are built around these formats.
Virtualization: SaaS uses even more virtualized environments than PaaS, increasing the potential for VM escapes, information bleed, and similar threats.
Web Application Security: Most SaaS offerings are web applications with a provided application programming interface (API). Both web apps and APIs have potential vulnerabilities and security risks that could exist in these solutions.

Question 10

Which of the following network security controls might require access to mirroring services provided by the cloud provider?

A. Geofencing
B. Zero Trust Network
C. Traffic Inspection
D. Network Security Groups

Answer 10

C. Traffic Inspection

Explanation:
Network security controls that are common in cloud environments include:

Network Security Groups: Network security groups (NSGs) limit access to certain resources, such as firewalls or sensitive VMs or databases. This makes it more difficult for an attacker to access these resources during their attacks.
Traffic Inspection: In the cloud, traffic monitoring can be complex since traffic is often sent directly to virtual interfaces. Many cloud environments have traffic mirroring solutions that allow an organization to see and analyze all traffic to its cloud-based resources.
Geofencing: Geofencing limits the locations from which a resource can be accessed. This is a helpful security control in the cloud, which is accessible from anywhere.
Zero Trust Network: Zero trust networks apply the principle of least privilege, where users, applications, systems, etc., are only granted the access and permissions that they need for their jobs. All requests for access to resources are individually evaluated, so an entity can only access those resources for which they have the proper permissions.

Question 11

An engineer needs to provision a new cloud service and is able to do so without ever interacting with the cloud provider. What is this known as?

A. On-demand self-service
B. Resource pooling
C. Interoperability
D. Reversibility

Answer 11

A. On-demand self-service

Explanation:
In cloud computing, on-demand self-service is the ability for cloud customers to add, configure, and provision a new cloud service without ever needing to interact with the cloud provider. This is usually done through a web portal and is an integral component of the pay-as-you-go cloud billing model.

Resource pooling is a part of the virtualization capability created by hypervisors. The hypervisor abstracts the hardware capabilities of the physical server so that it can be dynamically allocated to virtual machines. This includes CPU, memory, storage, and network capability.

Interoperability is defined in ISO 17788 as the ability for two different systems to exchange and then use a piece of data.

Reversibility is defined in ISO 17788 as the ability to retrieve all artifacts from the cloud provider and have them properly remove them from the cloud provider systems.

Question 12

Amanda is working with the software development team as they build their software for their customers’ use. They will be using an Application Programming Interface (API) to enable communication from the client to the server. They have decided they want to use the API that relies on the Hyper Text Transfer Protocol (HTTP) protocol to support data formats such as eXtensible Markup Language (XML) or Java Script Object Notation (JSON)?

Which API did they choose?

A. SOAP
B. XML-RPC (Remote Procedure Call)
C. REpresentational State Transfer (ReST
D. JSON-RPC

Answer 12

C. REpresentational State Transfer (ReST

Explanation:
The REpresentational State Transfer (REST) API relies on the HTTP protocol and supports a variety of data formats, including both XML and JSON. It allows for caching, which increases performance and scalability.

SOAP is an XML-based API.

XML-RPC is an XML-based API.

JSON-RPC is a JSON-based API.

Only ReST offers both JSON and XML options.

Question 13

A cloud provider would like to use information on one of their cloud customers for advertising purposes. Before they can do this, they must get explicit permission from the cloud customer to do so. Which key principle of International Standards Organization/International Electrotechnical Committee (ISO/IEC) 27018 does this scenario fall into?

A. Disclosure to Third Parties
B. Purpoes Limitation
C. Consent
D. Transparency

Answer 13

C. Consent

Explanation:
The ISO/IEC 27018 is a standard that is focused on the security of cloud computing. The five key principles of ISO/IEC 27018 include communication, consent, control, transparency, and independent and yearly audits. Consent refers to cloud providers getting explicit permission from a cloud customer before they can use their data or information in any way.

Purpose Limitation refers to personal information that should only be collected and used for specified purposes, and organizations should communicate these purposes to individuals.

Transparency refers to organizations that must provide clear and understandable information about their privacy practices, including how personal information is collected, used, and disclosed in the cloud environment.

Organizations that should have controls and agreements in place to ensure that personal information is not disclosed to third parties without the individual’s consent unless required by law is Disclosure to Third Parties.

Question 14

AWS Lambda is BEST described by which of the following cloud service models?

A. PaaS
B. FaaS
C. SaaS
D. IaaS

Answer 14

B. FaaS

Explanation:
Cloud services are typically provided under three main service models:

Software as a Service (SaaS): Under the SaaS model, the cloud provider offers the customer access to a complete application developed by the cloud provider. Webmail services like Google Workspace and Microsoft 365 are examples of SaaS offerings.
Platform as a Service (PaaS): In a PaaS model, the cloud provider offers the customer a managed environment where they can build and deploy applications. The cloud provider manages compute, data storage, and other services for the application.
Infrastructure as a Service (IaaS): In IaaS, the cloud provider offers an environment where the customer has access to various infrastructure building blocks. AWS, which allows customers to deploy virtual machines (VMs) or use block data storage in the cloud, is an example of an IaaS platform.

Function as a Service (FaaS) is a form of PaaS in which the customer creates individual functions that can run in the cloud. Examples include AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions.

Question 15

Violet is working with the Incident Response Teams (IRT) as they build and test their Incident Response Plans (IRP). As the teams are building out their plans, they are determining the steps they need to take when an incident does occur—for example, if there is an Indication of Compromise (IoC) that causes the Security Operations Center (SOC) to initiate the response by the team.

If the team were to go through the analysis of the IoC and believe that it is a true IoC, what would be the next step?

A. Containment
B. Investigation
C. Triage
D. Recovery

Answer 15

C. Triage

Explanation:
Incident management exists to help organizations plan for incidents, identify when they occur, and restore normal operations as quickly as possible with minimum adverse impact. This is referred to as a capability, or the combination of procedures and resources needed to respond to incidents. It generally comprises of three key elements: Incident Response Plan (IRP), Incident Response Team (IRT), and root-cause analysis.

Triage ensures an incident is dealt with correctly. It is important to determine how critical an incident is and prioritize the response appropriately.

We may wish that as soon as we see an IoC that we could take steps to contain the incident, but triage must come first. It is necessary to prioritize the responses that we will take. In reality, if there is a trained team and SOC, then it is possible that the amount of time between IoC and containment could be mere minutes.

Once the incident is contained and it is no longer causing damage, the investigation can occur. Here it is necessary to capture snapshots of Virtual Machines (VM) by capturing the contents of memory in the VM using Virtual Machine Introspection (VMI) tools and so on.

With full knowledge of the incident, it is now possible to recover and return systems to full, normal functioning levels.

If your knowledge is weak in this area, a good book from (ISC)2’s list of reference books is Incident Response in the Age of Cloud by Dr. Erdal Ozkaya. One thing to know about their recommended reading list is that these books are likely the source books for many of the exam questions. (For it to be on the exam, the question must be backed up by two reputable references.)

Question 16

A cloud architect is designing the connection between the public cloud Infrastructure as a Service (IaaS) that they are building and their existing data center. They need to ensure that the traffic that flows across the cloud carrier is protected for confidentiality purposes. Which protocol can be used to accomplish this?

A. Domain Name System Security (DNSSec)
B. Secure Shell (SSH)
C. Internet Protocol (IPsec)
D. Transport Layer Security (TLS)

Answer 16

C. Internet Protocol (IPsec)

Explanation:
IPsec is a protocol for encrypting and authenticating packets between two parties. Examples of this include a pair of servers, a pair of network devices, or between network devices and servers. This is a great protocol to connect from the edge router at the data center that is connected to the cloud carrier [Internet Service Provider (ISP)] to the edge router within the cloud.

TLS is great for user traffic. It was originally designed by Netscape, the browser company. It can be used for user Virtual Private Networks (VPN) as well.

Secure Shell is commonly used by administrators to remotely connect to operating systems, appliances, and servers. There are other protocols that could be used, such as Remote Desktop Protocol (RDP), but SSH is great for administrators, as opposed to encrypting router-to-router traffic.

One trick to picking the right protocol is the OSI model. The question is talking about router-to-router connections. A router functions at layer 3 of the OSI model. So does IPSec. TLS is layer 4 and SSH is layer 5. So, IPSec could be picked just by thinking about that.

DNSSec is a security extension of the DNS protocol and couldn’t be used in the described scenario

Question 17

Which of the following storage types mimics RAM on a traditional computer?

A. Long-Term
B. Raw
C. Ephemeral
D. Volume

Answer 17

C. Ephemeral

Explanation:
Cloud-based infrastructure can use a few different forms of data storage, including:

Ephemeral: Ephemeral storage mimics RAM on a computer. It is intended for short-term storage that will be deleted when an instance is deleted.
Long-Term: Long-term storage solutions like Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive are designed for long-term data storage. Often, these provide durable, resilient storage with integrity protection.
Raw: Raw storage provides direct access to the underlying storage of the server rather than a storage service.
Volume: Volume storage behaves like a physical hard drive connected to the cloud customer’s virtual machine. It can either be file storage, which formats the space like a traditional file system, or block storage, which simply provides space for the user to store anything.
Object: Object storage stores data as objects with unique identifiers associated with metadata, which can be used for data labeling.

Question 18

In an Infrastructure as a Service (IaaS) environment, the cloud customer will likely NOT have access to logs stemming from which of the following?

A. Hypervisor
B. Applications
C. Virtual server
D. Operating system

Answer 18

A. Hypervisor

Explanation:
In an IaaS environment, the cloud customer will likely have access to logs from the operating system, the virtual devices, and the applications that they are using. They would have this access because the virtual devices and their operating systems as well as the applications are owned by the cloud service customer. However, it’s unlikely that the cloud customer will have access to any logs from the hypervisor itself. If the cloud customer wanted logs from the hypervisor, they would need to work with the cloud provider and have something written into their contract.

Even though the cloud customer has access to the logs from the operating systems, virtual servers and devices, and the applications, they will still likely need some method to aggregate all these logs.

Question 19

A university is interested in forming a research cooperative with other universities and some local pharmaceutical companies. They want to be able to share information as they research viruses and their transmissions. Which cloud deployment model would be MOST appropriate for this workload?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

Answer 19

B. Community cloud

Explanation:
The community cloud was designed to meet the requirements of multiple organizations operating in the same industry that want to be able to share services or data. Universities frequently form research consortiums, which can be supported by a community cloud.

A public cloud could be used for this, but a community cloud is designed for multiple companies to actually share.

A private cloud could also be used for this. The fact that they want to share makes the community cloud the best choice because the community will be working together. Public and private clouds are not meant to have corporations sharing data. They are designed for corporations to be separated and isolated from each other.

A hybrid cloud is not the best choice here because the only thing that exists in the question is corporations sharing.

Question 20

Shai is the information security manager responsible for the build and deployment of a particular server into a server-based Platform as a Service (PaaS). This particular server handles very specialized data and has a requirement for security, isolation, and specialized configurations. What deployment option would be best for this situation?

A. Redundant servers with Dynamic Resource Scheduling (DRS)
B. A server cluster with Dynamic Optimization (DO)
C. Standalone host
D. Load balanced server cluster

Answer 20

C. Standalone host

Explanation:
A cloud standalone host refers to a Virtual Machine (VM) or physical server that operates independently in a cloud computing environment without being part of a larger cluster or infrastructure. It is a single, self-contained computing instance that functions as a standalone entity within the cloud infrastructure. Standalone hosts are particularly useful when there is a need for dedicated and independent computing resources for specific workloads or applications that require high performance, isolation, or specialized configurations. They provide a flexible and customizable environment within the cloud infrastructure, allowing organizations to meet their unique computing requirements.

Redundant servers and server clusters do not isolate systems. The systems/servers/VMs work together to ensure continued function. Load balancing, server clusters, redundant servers, and DO and DRS all have the prime goal of ensuring availability. A standalone host has more of a confidentiality intention.