CCSK EXAM SIMULATOR 4 · CCSK CLOUD SECURITY

CCSK EXAM SIMULATOR

1. Cloud based Web Application Firewalls (WAFs) also include anti-DDoS capabilities.

True

False

2. Which of the following is a permission to do something like access a file, network, or perform a certain function like an API call on a particular resource?

Entitlement

Access Control

Authentication

Authorization

Identification

3. CSA’s Software Defined Perimeter includes:

SDP node, SDP controller, SDP gateway

SDP node, SDP handler, SDP gateway

SDP client, SDP handler, SDP gateway

SDP client, SDP controller, SDP gateway

4. Exiting from an activity giving rise to more risk is called as?

Ignoring the risk

Avoiding the risk

Transferring the risk

Reducing the risk

Accepting the risk

5. How can you prevent cloud providers from inappropriately accessing customer data?

Use strong contractual controls to prevent unauthorized access

Disable the root user access and delete the access keys

Wherever possible, do not store the keys in the cloud

Implement strong access controls on your data

Encrypt your data at rest and implement multi-factor authentication

6. Which of the following is the most important aspects of incident response for cloud-based resources?

Expectations around what the customer does versus what the provider does

Service Level Agreement

Non-Disclosure Agreement

B & C

E. A & B

7. Resource pooling practiced by the cloud services may especially complicate which part of the IR process?

Detection

Prevention

Monitoring

Recovery

Forensics

8. Which of the following encryption will be used when object storage is used as the back-end for an application?

Object encryption

Client-side encryption

Server-side encryption

Proxy encryption

Data encryption

9. Customers should view cloud services and security as –

Service provider security issue

Third-party security issue

Technology security issue

Supply chain security issue

Enterprise security strategy

10. Why Hardware Security Modules (HSM) are difficult to distribute in multiple locations used in cloud architectures?

HSMs are by necessity strongly physically protected from theft, eavesdrop and tampering.

HSMs are typically clustered for high availability and performance.

Many HSM systems have means to securely back up the keys they handle outside of the HSM.

HSM module contains one or more secure cryptoprocessor chips to prevent tampering.

11. ENISA: Password-based authentication should be sufficient for accessing cloud resources.

True

False

12. Which of the following frameworks is used in the industry to describe a series of security activities during all phases of application development, deployment, and operations?

FIPS

OWASP

ISO27001

ITIL

SOC 2

13. Which of the following is the most obvious form of provider lock-in?

Data Lock-in

Application Lock-in

Infrastructure Lock-in

Metadata Lock-in

14. Which of the following gives the customers ability to audit the cloud provider?

State Laws

Right to audit clause

Right to transparency clause

Customer can not gain the rights to audit

ISO 27001

15. Which of the following statements regarding cloud platform architecture is true?

Single cloud assets are typically less resilient than the traditional infrastructure.

Single cloud assets are typically more resilient than the traditional infrastructure.

Single cloud assets are equally resilient as traditional infrastructure.

Single cloud assets and traditional infrastructure should be combined together to provide a more resilient infrastructure.

16. The most fundamental security control for any multi-tenant network is-

Hypervisor security

Segregation and isolation of network traffic

Logging and monitoring controls

Secure image creation process

17. ENISA: The lack of use of standards technologies and solutions by the cloud provider may lead to-

Isolation failure

Resource exhaustion

Loss of governance

Lock-in

Data leakage

18. Installing traditional agents designed for physical servers will not result in the same amount of efficiency and performance on a virtualized server.

True

False

19. Which of the following comes immediately after the data creation in the data security lifecycle?

Save

Store

Use

Provide

20. Which of the following are the most commonly seen networks that are isolated onto dedicated hardware since there is no functional or traffic overlap?

Management, service, storage

Management, server, application

Server, application, storage

Server, network, storage

21. Which of the following characteristics of cloud allows a consumer to unilaterally provision computing capabilities such server time and network storage as needed?

Resource pooling

On-demand self-service

Broad network access

Rapid elasticity

Measured service

22. Which of the following statements regarding SDN (Software Defined Networking) is not true?

Segregates and isolates the traffic properly.

Supports orchestration and agility.

Does not overlay the overlapping addresses.

Is defined using software settings and API calls.

Abstracts the network management plane from physical infrastructure.

23. ENISA: The risks identified can be classified into which of the following three categories?

Technical, Commercial, Operational

Technical, Commercial, Legal

Technical, Operational, Legal

Technical, Operational, Policy and Organizational

Technical, Legal, Policy and Organizational

24. Which of the following provides “Storage as a Service” as a sub-offering?

IaaS

PaaS

SaaS

SECaaS

25. Private Cloud operated solely for a single organization can be located at-

Only On-premise

Only Off-premise

Both On-premise and Off-premise

Trusted third party

26. Which of the following regarding customer managed keys is true?

Cloud customer manages the encryption key and the provider manages the encryption engine.

Provider manages the encryption key and cloud customer manages the encryption engine.

Cloud customer manages both the encryption key and the encryption engine.

Cloud customer and provider jointly manage the encryption key and encryption engine.

Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key.

27. Which of the following is one of the challenges of application security in a cloud environment?

Responsiveness

Isolated environments

Elasticity

Devops

Limited detailed visibility

28. Which of the following encryption methods is utilized when object storage is used as the back-end for an application?

Client/ application encryption

Symmetric encryption

Database encryption

D. Asymmetric encryption

Object encryption

29. ENISA: Lock-in is under which category of risk?

Technical

Legal

Policy and Organizational

Operational

30. Containers provide full security isolation and task segregation.

True.

False.

31. Point-in-time activities like compliance, audit, and assurance should be conducted by cloud providers to avoid creating any gaps, and thus exposures, for their customers.

True

False

32. Which of the following includes all the documentation on a provider’s internal and external compliance assessments?

Contract

Supplier (cloud provider) assessment

Compliance reporting

Audit report

Cloud Security Alliance STAR Registry

33. Which of the following best describes the data protection when it moves to the cloud?

Encrypt the data only when it is stored in the cloud

Ensure that a secure transfer channel is used

Encrypting the data when it leaves the cloud should be sufficient

Data should remain protected both at rest and in use

B & D

34. ENISA: Whose responsibility is it to choose a data processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures?

Subject

Keeper

Coordinator

Processor

Controller

35. Infrastructure in the cloud cannot be defined and implemented through templates and automation.

True

False

36. Which of the following ensures that the consumers only use what they are allotted, and are charged for it?

Rapid Elasticity

Broad Network Access

On-demand service

Measured service

Metered service

37. Which of the following will not prevent you from moving unapproved data to cloud services?

Database Activity Monitoring (DAM)

File Activity Monitoring (FAM)

URL Filtering

Intrusion Detection System (IDS)

Data Loss Prevention

38. For which of the following SecaaS concerns, providers should be held to the highest standards of multi-tenant isolation and segregation?

Requirement to handle regulated data

Global regulatory differences

Fear of data leakage

Lack of sufficient visibility

39. You do not trust your SaaS provider and have chosen to encrypt all of your data. Which of the following is true is this situation?

You have ensured the security of your data by encrypting it.

Encrypting everything may lead to false sense of security.

You don’t have to ensure the security of the device if you have encrypted the data.

You can continue with the provider as encrypting all the data will take care of trust issues.

40. In addition to providing better server utilization, and data center consolidation, virtualization also reduces the security threats significantly.

True

False

41. Which of the following clauses in the agreement between customer and cloud provider can provide customers in highly regulated industries with the required information?

Right to information clause

Right to audit clause

Right to transparency clause

Right to access clause

Customer can not gain the access to required information

42. As per GDPR company must report the breach in what amount of time?

As soon as the breach is identified

You can report the breach any time after the breach is identified

Within 24 hours of the company becoming aware of the breach

Within 72 hours of the company becoming aware of the breach

There is no restriction on the reporting of data breach

43. Inability to provide sufficient capacity to a customer can lead to which of the following?

Isolation failure

Abuse of high privileged roles

Resource exhaustion

Denial of service (DOS)

Data leakage

44. Which of the following is one of the most common open standards to enable federation in the cloud?

SOAP

X.509

SAML

Kerberos

XML

45. Which of the following encrypts and prevents the unauthorized copying or changing of the content?

Data Hashing

Data Encryption

Digital rights management (DRM)

Digital certificates

Public key cryptography

46. Virtualization security in cloud computing is the responsibility of cloud provider.

True

False

47. In Federation which party makes assertions to which party?

Identity provider makes assertions to a relying party after building a trust relationship

Relying party makes assertions to Identity provider after building a trust relationship

Relying party makes assertions to Identity broker

Identity broker makes assertions to Identity provider

48. CI/CD pipelines can enhance security through support of which of the following?

Restricted logging on application

Restricted logging on Infrastructure

Manual security testing

Immutable infrastructure

49. Which of the following statement related to direct “lift and shift” of existing application to a cloud environment is true?

Direct “lift and shift” of existing applications to cloud without architectural changes are more likely to account for failures and will take advantage of potential improvements from leveraging platform.

Direct “lift and shift” of existing applications to cloud without architectural changes are less likely to account for failures and will not take advantage of potential improvements from leveraging platform.

Direct “lift and shift” of existing applications to cloud with or without architectural changes will take the same advantage of potential improvements from leveraging platform.

Direct “lift and shift” of existing applications to cloud without architectural changes is not possible.

50. If a cloud service provider receives a request to provide client information in the form of a subpoena or a court order, how can client have the ability to fight the request?

The cloud service agreement can have a clause to notify the customer and give time to fight the request for access.

There is no option; cloud service provider will have to provide the requested data to the third party.

The cloud service provider can ignore the request and let the client handle the court order.

The cloud service provider can work with the third party and negotiate the terms of data disclosure without informing the client.

51. In a multi-tenant environment, if customers can access and modify each other’s assets which of the following has caused this issue?

Segregation failure

Isolation failure

Breach of trust

Data breach

Information leakage

52. ENISA: Which of the following is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data?

Subject

Keeper

Controller

Processor

Selector

53. “Cloud Provider Acquisition” is which form of risk?

Legal Risk

Technical Risk

Policy and Organization Risk

Compliance Risk

54. ENISA: Which of the following statement is true regarding the risk of natural disasters in cloud?

Risk of natural disasters in cloud is higher as compared to a traditional infrastructure.

Risk of natural disasters in cloud is lesser as compared to a traditional infrastructure.

Risk of natural disasters in cloud is same as in traditional infrastructure.

There is no risk of natural disasters in cloud as the providers offer multiple redundant sites and network

55. Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?

Resource Pooling

On-demand self-service

Broad network access

Rapid elasticity

Measured service

56. Which of the following is a responsibility of a cloud user?

Hypervisor security

Physical security

Isolation

Image asset management

Securing Virtualization Infrastructure

57. Which of the following is a preferred model for cloud-based access management?

Role based

Identity based

Access Based

Attribute based

58. Which technique is used in the cloud to coordinate carving out and delivering a set of resources from the pools to the consumers?

Abstraction

Orchestration

Virtualization

Multi-tenanting

59. Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?

Risk Acceptance

Risk Tolerance

Residual Risk

Risk Target

60. Role-Based Access Control (RBAC) model for IAM offers greater flexibility and security than the Attribute-Based Access Control (ABAC) model.

True

False

Question 1 of 60