CCSK EXAM SIMULATOR 3 · CCSK CLOUD SECURITY

CCSK EXAM SIMULATOR

1. which action is part of the containement phase of the incident response lifecycle?

analyzing what happened

planning notification and coordination of activities

evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments and performing risk assessments

making considerations for data loss versus service availability

Configuring and validating alerts

2. Which attack surfaces, if any, does virtualization technology introduce?

The hypervisor

Virtualization management components apart from the hypervisor

Configuration and VM sprawl issues

All the above

3. What item below allows disparate directory services and independent security domain to be interconnected?

Cloud

Coalition

Intersection

Union

Federation

4. Which of the following statements best defines the potential advantages of security as a service SecaaS?

Many areas of security as a service are ripe for adoption with the notable exceptions of anti-malware and anti-spam programs.

The advantage may include flexible offering of services, greater security domain knowledge and efficiency of SecaaS providers

The standardization of security softwares makes the outsourcing of security as a service nearly obsolete

The advantages are not realized until a security breach actually occurs. At that time the greater response of the security team should be obvious

The higher costs and reduced flexibility are more than compensated for by the ability to pass the security responsibilities to another firm.

5. If in certain litigations and investigations, the actual cloud application or environment itself is relevant to resolving the dispute in the litigation or the investigation, how is likely the information to be obtained?

It would never be obtained in this situation

It would require an act of war

It would require a previous contractual agreement to obtain the application or access to the environment

It would require a previous access agreement

It may require a subpoena of the provider directly

6. If the management plane has been breached, you should confirm the templates/configurations for your infrastructure or applications have not also been compromised

False

TRUE

7. Compute virtualization abstracts the running of code, not including the operating systems, from the underlying hardware

FALSE

TRUE

8. CCM: the following list of control belong to which domain of the CCM:
GRM 06 -Policy
GRM 07 -Policy enforcement
GRM 08 Policy impact on risk assessment
GRM 09 -Policy reviews
GRM 10 -Risk assessments
GRM 11 -Risk management framework?

Governance and retention management

Governance and risk management

Governing and risk metrics

Governance and risk appetite

9. Immutable workloads make it faster to roll out updates versions because applications must be designed to handle individual nodes going down?

FALSE

TRUE

10. The key concern of data backup and recovery schemes is

They must prevent data loss, unwanted data overwrite and destruction

Assurance that deleted data is in fact unrecoverable

Assurance that cloud provider has multiple data centers for disaster recovery

Data aggregation should not causes breaches

Data should not be commingled with other customers

11. What are major factor to building and managing secure management plane?

Device patching and maintenance; internal authentication and credential passing; access management and logging; monitoring and alerting

API management ; endpoint security; logging; and authentication and authorization

Perimeter security; customer authentication; internal authentication and credential passing; authorizations and entitlements; and governance auditing

Permeter patching; log authentication; external entitlement passing; credential alerting and customer security

Perimeter security; customer authentication; internal authentication and credential passing ; authorization and entitlements; and logging, monitoring and alerting

12. Vulnerabilities assessments cannot be easily integrated into CI/CD pipelines because of provider restrictions

TRUE

FALSE

13. You have a business relationship with a cloud provider for all sales management functionalities. Through the API and SDK, you have customized the interface and some functionality, but the back end service is done through the cloud provider. In this relationship, which service is completed by the cloud provider?

Desktop as a service DaaS

Platform as a service PaaS

Infrastructure as a service IaaS

Identity as a service IDaaS

Software as a service SaaS

14. You should disable remote access when working with immutable workloads?

TRUE

FALSE

15. While the cloud consumer is responsible for implementing the security controls, the cloud provider implements the security of the workloads

False

TRUE

16. Database activity monitoring and file activity monitoring are specifically recommended for what type of data migrations into the cloud?

Large, internal data migrations

Complex, long-term migrations

Small sthealthy data migrations

Small external data migrations

Simple, homogenous migrations

17. Which facet is focused on protecting the management plane components, such as web and API servers from attacks?

Logging and alerting

Perimeter security

Customer authentication

Authorization and entitlements

External authentication

18. If a provider’s infrastructure is not in scope, who is responsible for building compliant applications and services?

The provider must create a separate tenant for each customer based on the various compliance regulations

The provider must update or fix whatever is not in compliance

No one. It is an accepted risk that is written into the terms and conditions with customers

It is up to the customer and provider to negotiate the solution

The customer is responsible for compliant applications and services

19. APIs and services requires extensive hardening and must assume attacks for authenticated and unauthenticated adversaries

FALSE

TRUE

20. When designing an encryption system, you should start with a threat model

FALSE

TRUE

21. What is a potential benefit of using a security as a service SecaaS?

Changing providers

Staffing and expertise

Regulations differences

Handling of regulated data

Full visibility

22. CCM: a compagny wants to use IaaS offering of some CSP. Which of the following options for using CCM is NOT suitable for the compagny as a cloud customer?

Submit the CCM on behalf of the CSP to CSA security, Trust & Assurance Registry STAR, a free, publicly accessible registry that document the security controls provided by CSPs

Use CCM to build a detailed list of requirements and controls that they want their CSP to implement

Use CCM to help assess the risk associated with the CSP

None of the above

23. ENISA: an example of a user provisioning vulnerability is:

FIPS 140-2 cryptographic implementations

Poorly managed backups or archival systems

Credential are vulnerable to interception and relay

Remote access to management interface

Government access to biometrics information

24. How can virtual machine communications bypass network security controls?

The guest OS can invoke stealth mode

VM communications may use a virtual network on the same hardware host

Hypervisors depend on multiple network interfaces VM images can contain rootkits programmed to bypass firewall most network security systems do not recognize encrypted VM traffic

Use a VPN

25. Which common components of big data is focused on the mechanisms used to ingest large volumes of data, often of a streaming nature?

Distributed information

Distributed storage

Distributed processing

Distributed attribution

Distributed data collection

26. What is resource pooling?

The provider’s computing resources are pooled to serve multiple consumers

Internet-based CPUs are pooled to enable multi-threading

The dedicated computing resources of each client are pooled together in a colocation facility

Placing internet “cloud” data-centers near multiple source of energy such hydroelectric dams

None of the above

27. ENISA: in infrastructure as as service IaaS, who is responsible for guest system monitoring?

Data commissioner

Cloud provider

Customer

Shared responsibility

Internet service provider ISP

28. Which action is part of the preparation phase of the incident response lifecycle?

Analyzing what happened

Planning notification and coordination of activities

evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments and performing risk assessments

Making considerations for data loss versus service availability

Configuring and validating alerts

29. What factor should you understand about the data specifically due to legal, regulatory, and jurisdictional factors?

The fragmentation and encryption algorithms employed

The physical location of the data and how it is accessed

The language of the data and how it affects the user

The implication of storing complex information on simple storage systems

The actual size of the data and the storage format

30. What can be implemented to help with account granularity and limit blast radius with IaaS and PaaS?

Configure role based authentication

Configure secondary authentication

Maintaining tight control of the primary account holder credentials

Implement least privilege account

Establishing multiple accounts

31. In a cloud environment, how can you best determine data/information security risks and potential controls?

Run a search on user data files

Identify the major operating systems

Encrypt everything

Understand the cloud storage architecture in use

Understand the related regulatory requirements

32. What is true of cloud built-in firewalls?

Whichever features are not provided in the firewall, the cloud provider has an alternative

They typically offer fewer features than newer physical firewalls

They operate exclusively outside of the SDN

They operate exclusively outside of the hypervisor

They provide identical configurations to physical firewalls

33. Virtual appliances can become bottleneck because they cannot fail open and must intercept all traffic

FALSE

TRUE

34. How does running applications on distinct virtual networks and only connecting networks as needed help?

It provides dynamic and granular policies with less management overhead

It reduces hardware costs

It locks down access and provides stronger data security

It reduces blast radius of compromised system

It enables you to configure applications around business groups

35. When the applications components communicate directly with the cloud service, the management and metastructure might fall within the application security scope

False

TRUE

36. Which type of application security testing involves manual testing activity that is not necessarily integrated into automated testing

DAST – dynamic application security testing

Unit testing

Functional testing SAST – static application security testing

Code review

37. CCM: which of the following statements about CCM v3.0.1 is NOT true?

The CCM offers a controls framework and all CCM domains are directly mapped to the domains in the CSA security guidance

The CCM provides a control framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA security guidance

The CCM outlines who is responsible for the implementation of security controls and whether or not a given control has relevance for a corporate governance

The CCM is designed to provide fundamentals security principles to guide CSPs and to assist prospective cloud customers in assessing overall security risk of cloud provider

38. Which of the following statements best defines the “authorization” as a component of identity , entitlement and access management

Enforcing the roles by which access is granted to the resources

Giving a third party vendor permission to work on your cloud solution

Establishing/asserting the identity to the application

Checking data storage to make sure it meets compliance requirements

The process of specifying and maintaining access policies

39. What is true of workload?

It must be containerized

It is always a virtual machine

It configured for a specific, established tasks

It does not required a hardware stack

It is a unit of processing that consumes memory

40. Which tools discover internal uses of cloud services through various mechanisms such as network monitoring, integration with existing gateways or monitoring tools, or by monitoring DNS queries?

Any packets sniffing tool

URL filtering

Data loss prevention DLP

Any database monitoring tool

Cloud access gateway broker CASB

41. How can key management be leveraged to prevent cloud providers from inappropriately accessing customer data?

Select cloud providers within the same country as customer

Segregate keys from the provider hosting data

Stipulate encryption in contract language

Secure backup process for key management systems

Use strong multi-factor authentication

42. Which type of cloud service provider would you contact to SSO-enable your customers and employees for access all corporate applications?

Desktop as a service DaaS

Platform as a service PaaS

Infrastructure as a service IaaS

Identity as a service IDaaS

Software as a service SaaS

43. Which deployment model is commonly used to describe a non-cloud data center bridged directly to a cloud provider?

Hybrid cloud

Private cloud

Community cloud

Hosted cloud

Public cloud

44. Which regulations affect data controllers with business in japan?

GDPR

Privacy act 1988

1995 dta protection directive

Personal information protection and electronic documents act PIPEDA

Act on the protection of personal information

45. What is a core tenant of risk management?

Risk insurance covers all financial losses, including loss of customers

The provider is accountable for all risk management

The consumer are completely responsible for all risks

If there is still residual risk after assessments and controls are in place, you must accept the risk

You can manage, transfer, accept or avoid the risks

46. What method can be utilized along with data fragmentation to enhance security?

Insulation

Knowledge management

IDS

Organization

Encryption

47. The software defined perimeter SDP includes which components?

Client, controler, firewall

Client, firewall, gateway

Controller, firewall, gateway

Client , controller, firewall, gateway

Client, controller, gateway

48. What is the audit related implications of the outsourced cloud services?

Third party vendor need to make sure that the organization they work for is responsible for all the regulatory requirements

Organizations should appreciate the fact that they don’t have to track their outsourced information for regulatory purposes

Organization need to understand which of their cloud partners are processing regulated information and whether they should be within scope of the audit

Regulators will tend to overlook information that has been outsourced, knowing that organizations cannot control everything that happens in the cloud

Organizations need to be prepared to share the burden of blame with their outsourced partners

49. Highly regulated industries such as finance and health care should consider the impact of cloud providers operating in diverse geographic locations and ………..

Virtual environments

Sparsely populated areas

Without licenses

Legal jurisdictions

None of the above

50. ENISA: which is not one of the following key legal issues common across all scenarios?

Outsourcing services and changes in control

Globalization

Intellectual property

Professional negligence

Data protection

51. CCM: in the CCM tool (encryption and key management) is an example of which of the following?

Risk impact

Domain

Control specification

None of the above

52. What makes the metastructure layer of cloud computing so different from traditional computing?

It includes the data and information components

It is automatically patch and Scalable

It includes the underlying applications services

It eliminates the need for the infostructure layer

It includes the management plane components, which are network enabled and remotely accessible

53. Which phase of incident response life cycle includes creating and validating alerts?

Post-mortem

detection and analysis

Auditing and logging

Containment, eradication and recovery

Preparation

54. What is the order of the main phases of secure applications design and development?

Train, analyze, develop, test, implement

Analyze, define, design, develop, test

Analyze, design, develop, test, implement

Train, define, develop, test, implement

Train, define, design, develop, test

55. When mapping functions to lifecycle phases, which functions are required to successfully process data?

Create, use, store, delete

Create and use

Create, store and use

Create and store

Create, store, use and share

56. Which tool is the primary tool between the cloud provider and customer that extends governance into business partners and providers

Service level agreements SLA

Supplier assessments

Compliance reporting

Consumer assessments

Contracts

57. Of the choices below, which option allows for the most interoperability in security authentication in a cloud environment?

SAML

WEP

SCORM

XHTML

58. What is true of data collection forensics?

Forensics is not allowed in private or hybrid cloud configurations due to the sensitive nature of the data

Providers allow access to the hardware upon request because of the multitenant division of data

In a private cloud setting, forensics analysis is allowed and covered through the contracts of the provider and clients in the private cloud

Bit-by-bit imaging of a cloud data source is typically difficult or impossible

If the data is hosted by the same provider , it is easy to conduct a thorough analysis

59. When configuring properly, logs can track every code, infrastructure and configuration change and connect it back to the submitter and approver, including the tests results

FALSE

TRUE

60. What are the NIST defined essential characteristics for cloud computing?

Broad network access, measured service, multi-factor configuration, resource pooling

Broad network access, rapid elasticity, measured service, on-demand self-service, resource pooling

Broad network access, automatic patching, compliance readiness, resource pooling

Rapid elasticity, compliance readiness, resource pooling

Broad network access, rapid elasticity, automatic patching, resource pooling

Question 1 of 60