Seidl Chapter 3 Review Questions Flashcards
Naomi is working on a list that will include data obfuscation options for her organization. Which of the following is not a type of data obfuscation technique?
A. Tokenization
B. Data hiding
C. Anonymization
D. Masking
B. Data hiding
Explanation:
Data hiding is not a data obfuscation technique. It is used in programming to restrict data class access. Tokenization, masking, and anonymization are all obfuscation techniques.
The goals of SIEM solution implementations include all of the following except _____
A. Centralization of log streams
B. Trend analysis
C. Dashboarding
D. Performance enhancement
D. Performance enhancement
Explanation:
SIEM is not intended to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.
Wei’s organization uses Lambda functions as part of a serverless application inside of its Amazon-hosted environment. What storage type should Wei consider the storage associated with the instances to be?
A. Long term
B. Medium term
C. Ephemeral
D. Instantaneous
C. Ephemeral
Explanation:
Lambda functions use storage that will be destroyed when they are re-instantiated, making this storage ephemeral storage.
Selah wants to securely store her organization’s encryption keys. What solution should she ask her cloud service provider about?
A. A PKI
B. A DLP
C. A cloud HSM
D. A CRL
C. A cloud HSM
Explanation:
Cloud hardware security modules, or HSMs, are used to create, store, and manage encryption keys and other secrets. Selah should ask her cloud service provider if they have an HSM service or capability that suits her organization’s needs. A PKI is a public key infrastructure and is used to create and manage certificates, a DLP is a data loss prevention tool, and a CRL is a certificate revocation list.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide (p. 339). Wiley. Kindle Edition.
Jim’s organization wants to ensure that it has the right information available in case of an attack against its web server. Which of the following data elements is not commonly used and thus shouldn’t be expected to be logged?
A. The version of the executable run
B. The service name
C. The source IP address of the traffic
D. The destination IP address of the traffic
A. The version of the executable run
Explanation:
Versions of executables for a service are not typically logged. While it may be useful to track patch status, versions of applications and services are not tracked via event logs. IP addresses for both source and destination for events and queries and the service name itself are often logged to identify what happened and where traffic was going.
Susan wants to ensure that files containing credit card numbers are not stored in her organization’s cloud-based file storage. If she deploys a DLP system, what method should she use to identify files with credit card numbers to have the best chance of finding them, even if she may encounter some false positives?
A. Manually tag files with credit card numbers at creation.
B. Require users to save files containing credit card numbers with specific file-naming conventions.
C. Scan for credit card numbers based on a pattern match or algorithm.
D. Tag files with credit card numbers at destruction.
C. Scan for credit card numbers based on a pattern match or algorithm.
Explanation:
Scanning for credit card numbers using the DLP tool and a pattern match or algorithm is most likely to find all occurrences of credit card numbers, despite some false positives. Tagging files that have credit card numbers manually is likely to be error prone, finding them at destruction or deletion won’t help during the rest of the lifecycle, and of course requiring users to use specific filenames is likely to lead to mistakes as well.
Rhonda is outlining the threats to her cloud storage environment. Which of the following is not a common threat to cloud storage?
A. Credential theft or compromise
B. Infection with malware or ransomware
C. Privilege reuse
D. Human error
C. Privilege reuse
Explanation:
While privilege escalation is a concern, privilege reuse is not a typical threat. Privileged users will use their credentials as appropriate or necessary. Credential theft or compromise, infection with malware, and human error are all common threats to both cloud and on-premises storage.
Ben wants to implement tokenization for his organization’s data. What will he need to be able to implement it?
A. Authentication factors
B. Databases
C. Encryption keys
D. Personnel
B. Databases
Explanation:
In order to implement tokenization, there will need to be two databases: the database containing the raw, original data and the token database containing tokens that map to original data. Having two-factor authentication is nice but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.
Yasmine’s organization has identified data masking as a key security control. Which of the following functions will it provide?
A. Secure remote access
B. Enforcing least privilege
C. Testing data in sandboxed environments
D. Authentication of privileged users
C. Testing data in sandboxed environments
Explanation:
Data masking is very useful when testing. It doesn’t provide features that help with remote access, least privilege, or authentication.
Megan wants to improve the controls provided by her organization’s data loss prevention (DLP) tool. What additional tool can be combined with her DLP to most effectively enhance data controls?
A. IRM
B. SIEM
C. Kerberos
D. Hypervisors
A. IRM
Explanation:
DLP can be combined with IRM tools to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
What phase of the cloud data lifecycle involves data labeling?
A. Create
B. Store
C. Use
D. Archive
A. Create
Explanation:
Data labeling should be done when data is created to ensure that it receives the proper labels and can immediately be processed and handled according to security rules for data with that label. Labels may be modified during the Use, Store, and Archive phases to assist with lifecycle management.
Charles wants to ensure that files in his cloud file system have not been changed. What technique can he use to compare files to determine if changes have been made?
A. Obfuscation
B. Masking
C. Tokenization
D. Hashing
D. Hashing
Explanation:
Hashes can be created for both original copies and current copies and can be compared. If the hashes are different, the file has changed. Obfuscation, masking, and tokenization all describe methods of concealing data to prevent misuse.
Liam wants to store the private keys used to generate certificates for his organization. What security level should he apply to those keys?
A. The highest level of security possible.
B. The same or lower than the data the certificates protect.
C. The same or greater than the data that the certificates protect.
D. Private keys can be shared without issues.
C. The same or greater than the data that the certificates protect.
Explanation:
Private keys used for certificates should be stored at the same or greater level of protection than that of the data that they’re used to protect. Private keys should not be shared; public keys are intended to be shared. The highest level of security possible may be greater than the needed level of security depending on the organization’s practices and needs.
Best practices for key management include all of the following except _____.
A. Having key recovery processes
B. Maintaining key security
C. Passing keys out of band
D. Ensuring multifactor authentication
D. Ensuring multifactor authentication
Explanation:
All of these are key management best practices except for requiring multifactor authentication. Multifactor authentication might be an element of access control for keys, but it is not specifically an element of key management.
Valerie wants to be able to refer to data contained in a database without having the actual values in use. What obfuscation technique should she select?
A. Masking
B. Tokenization
C. Anonymization
D. Randomization
B. Tokenization
Explanation:
Tokenization replaces data with tokens, allowing referential integrity while removing the actual sensitive data. Masking replaces digits with meaningless characters. Randomization replaces data with randomized information with similar characteristics, preserving the ability to test with the data while attempting to remove any sensitivity, and anonymization removes potentially identifying data.