CCSP study1
Which of the following BEST describes the Application Normative Framework (ANF)? A. ANF creates norms and frameworks for application security operations. B. ANF acts as a framework for all components of application security best practices C. ANF is an international standard for application security policies D. ANF enables a specific application to achieve a required level of security or the targeted level of trust
A. ANF creates norms and frameworks for application security operations. The correct answer is A. ANF is a subset of the ONF (Organization Normative Framework) that will contain only the information required for a specific business application to reach the targeted level of trust.
Gas suppression systems operate to starve the fire of oxygen. What system uses multiple fire detectors and will not release until a fire is "confirmed" by two or more detectors (limiting accidental discharge)? A. Aero-K B. FM-200 C. Halon D. Proton
A. Aero-K The correct answer is A. Aero-K uses an aerosol of microscopic potassium compounds in a carrier gas released from small canisters mounted on walls near the ceiling. The Aero-K generators are not pressurized until fire is detected. The Aero-K system uses multiple fire detectors and will not release until a fire is "confirmed" by two or more detectors (limiting accidental discharge). The gas is noncorrosive, so it does not damage metals or other materials. It does not harm electronic devices or media. More important, Aero-K is nontoxic and does not injure personnel.
What is one of the main benefits of using FaaS (function as a service) in cloud environments? A. Allows application development teams to focus on core business outcomes rather than on building and maintaining guest-operating systems runtime, patching, provisioning, and management B. Allows application development teams to focus on building and maintaining guest operating systems runtime, patching, provisioning, and management while keeping control of the application development C. Allows application development teams to isolate and utilize only the intended components while having appropriate separation from the remaining components D. Allows application development teams to sequence the application, a method that enables each application to run in its own self-contained virtual environment on the client computer
A. Allows application development teams to focus on core business outcomes rather than on building and maintaining guest-operating systems runtime, patching, provisioning, and management The correct answer is A. Function as a service (FaaS) or serverless architecture is native to the cloud and allows application development-laden environments to focus on core business outcomes rather than on building and maintaining guest-operating systems runtime, patching, provisioning, and management.
What are the five rules of evidence A. Be authentic, accurate, complete, convincing, and admissible in court B. Be authentic, appropriate, complete, convincing, and admissible in court C. Be trustworthy, accurate, complete, convincing, and admissible in court D. Be trustworthy, appropriate, complete, convincing, and admissible in court
A. Be authentic, accurate, complete, convincing, and admissible in court The correct answer is A. The five rules of evidence are to be authentic (evidence needs to be tied back to the scene to be used), to be accurate (using collection processes, your evidence must maintain authenticity and veracity), to be complete (all evidence should be collected, including evidence that supports and that can diminish the reliability of other incriminating evidence), to be convincing (the evidence should be clear and easy to understand, and believable to a jury), and to be admissible (the evidence must be able to be used in a court of law).
What is the correct order of the data security lifecycle phases? A. Create, store, use, share, archive, and destroy B. Create, use, store, share, archive, and sanitize C. Classify, store, use, share, archive, and destroy D. Classify, use, store, share, archive, and sanitize
A. Create, store, use, share, archive, and destroy
ISO/IEC 27018 is the first international code of practice that focuses on protection of personal data in the cloud. Cloud service providers adopting this standard must operate under the following five key principles: consent, control, transparency, communication, and yearly audits. Please select the answer that best describes the principle of control. A. Customers have explicit control of how their information is used B. Cloud service providers have no control over how the customer data is used C. Customers have no control over how their information is protected D. Cloud service providers enforce controls on customers' data to protect it
A. Customers have explicit control of how their information is used As per the shared responsibility model, the customer has explicit control of how their information is used.
A default installation of the MongoDB database could be accessed without any authentication or access control when browsing the open MongoDB 27017 port issue. As a CCSP you have found data from your company stored in an Amazon Web Services (AWS) MongoDB database—including personally identifiable information (PII) that is at risk. What security threat from the CSA Treacherous 12 have you identified? A. Data breach B. Data loss C. System vulnerabilities D. Malicious insiders
A. Data breach The correct answer is A. A data breach is an incident in which sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual who is not authorized to do so.
What is the main objective of network function virtualization (NFV)? A. Decouple functions, such as firewall management, intrusion detection, network address translation, and name service resolution, apart from specific hardware implementation B. Couple functions, such as firewall management, intrusion detection, network address translation, and name service resolution with specific hardware implementation C. Limit functions, such as firewall management, intrusion detection, network address translation, and name service resolution utilizing specific hardware implementation D. Expand functions, such as firewall management, intrusion detection, network address translation, and name service resolution, using specific hardware implementation
A. Decouple functions, such as firewall management, intrusion detection, network address translation, and name service resolution, apart from specific hardware implementation The correct answer is A. The objective of NFV is to decouple functions, such as firewall management, intrusion detection, network address translation, and name service resolution, apart from specific hardware implementation. NFV's focus is to optimize distinct network services.
What is the correct order for an audit plan? A. Define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting B. Define audit scope, define audit objectives, refine audit processes based on lessons learned, analysis, fieldwork, reporting C. Define audit objectives, define audit scope, fieldwork, analysis, reporting, refine audit processes based on lessons learned D. Define audit scope, define audit objectives, fieldwork, analysis, reporting, refine audit processes based on lessons learned
A. Define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting An audit plan encompasses the following activities (in this order): define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting.
The cloud further heightens the need for applications to go through a software development lifecycle (SDLC) process. All SDLC process models include the following phases (in the right order). A. Define, design, develop, test, deployment, maintenance, and disposal B. Design, define, develop, deployment, test, maintenance, and disposal C. Define, design, develop, deployment, test, operations, and maintenance D. Design, develop, deployment, test, operations, maintenance, and disposal
A. Define, design, develop, test, deployment, maintenance, and disposal The correct answer is A. The SDLC process model includes the following phases: define, design, develop, test, deployment, maintenance, and disposal.
You are the security officer of a heavily regulated organization and are concerned that data currently stored in the public cloud can be leaked to the public due to a misconfiguration or malicious insider. How can you reduce the likelihood of this happening while fulfilling your regulatory requirements? A. Deploy a data leakage prevention tool B. Deploy a data encryption engine tool C. Deploy a data anonymization tool D. Deploy a data tokenization tool
A. Deploy a data leakage prevention tool The correct answer is A. The appropriate implementation and use of DLP will reduce both security and regulatory risks for the organization.
Which of the following statements is a benefit of the General Data Protection Regulation (GDPR)? A. It harmonizes data privacy laws across Europe B. It protects and empowers all citizens' data privacy C. It reshapes the way organizations across the world approach data privacy D. All the above
A. It harmonizes data privacy laws across Europe The correct answer is A. The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens' data privacy, and reshape the way organizations across the region approach data privacy.
What do you call the ability of an air-conditioning system to remove moisture? A. Latent cooling B. Sensible cooling C. Heat cooling D. Moisture cooling
A. Latent cooling The correct answer is A. Latent cooling is the ability of the air-conditioning systems to remove moisture. Latent cooling load refers to the wet bulb temperature. It specifies the cooling capacity a cooling system needs to be able to dehumidify a building to a desired humidity, even when external factors that create humidity are calculated in.
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: A. Management control B. Technical control C. Operational control D. Cloud control
A. Management control The correct answer is A. Policies, standards, processes, procedures, and guidelines set by corporate administrative entities (e.g., executive- and/or mid-level management) are management/administrative controls.
The purpose of a digital signature is to provide the same level of accountability for electronic transactions where a handwritten signature is not possible. What properties are fulfilled when a sender digitally signs a message and sends it to a receiver? A. Message integrity and nonrepudiation of the sender B. Message integrity and nonrepudiation of the receiver C. Confidentiality and nonrepudiation of the sender D. Confidentiality and nonrepudiation of the receiver
A. Message integrity and nonrepudiation of the sender The correct answer is A. A digital signature only provides message integrity and nonrepudiation of the sender. It does not encrypt the original message. Therefore, there is no message confidentiality.
An important but often overlooked aspect of secure application is the management of third-party applications and software. This represents a major security flaw in cloud operations because every cloud service and function are accessed, configured, and operated using third-party software, the service provider's APIs. What open- source tool can you use to identify and reduce risk from the use of third-party and open-source components? A. OWASP Dependency-Track B. OWASP Dependency-Check C. OWASP Top 10 D. OpenAPI Check Tool
A. OWASP Dependency-Track The correct answer is A. OWASP Dependency-Track is an intelligent software supply chain component analysis platform that allows organizations to identify and reduce risk from the use of third-party and open-source components.
If an organization transmits, processes, or stores payment card data, it comes under a contractual obligation with its acquiring banks or others in the ecosystem to protect that data in accordance with applicable security standards. Which of the following is an industry-accepted security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data and/or sensitive authentication data? A. Payment Card Industry Data Security Standard (PCI DSS) B. Processing Card Integrity and Data Security Standard (PCI DSS) C. Processing Card Integrity and Data Encryption Standard (PCI DES) D. Payment Card Integrity and Data Encryption Standard (PCI DES)
A. Payment Card Industry Data Security Standard (PCI DSS) The PCI Security Standards Council is responsible for the promulgation of the Payment Card Industry Data Security Standard (PCI DSS), which has been described as "the global industry standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices."
Among other benefits, one goal of caching is never having to generate the same response twice. Cache-Control is a powerful HTTP header to manage your caching directives and strategies. What is the BEST architectural style to use when dealing with HTTP cache headers? A. Representational State Transfer (REST) B. Simple Object Access Protocol (SOAP) C. Extensible Markup Language (XML) D. Common Object Request Broker Architecture (CORBA)
A. Representational State Transfer (REST) The correct answer is A. The REST architectural style supports caching by default.
Federation enables you to manage access to your cloud resources centrally. With federation, you can use single sign-on (SSO) to access your cloud accounts using credentials from your corporate directory. What is an example of an open standard to exchange identity and security information between an identity provider (IdP) and an application? A. Security Assertion Markup Language (SAML) B. Open Security Standard (OSS) C. Open Web Application Security Project (OWASP) D. Open Supervised Device Protocol (OSDP)
A. Security Assertion Markup Language (SAML) The correct answer is A. Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). A Service Provider (SP) is the entity providing the service - typically in the form of an application. An Identity Provider (IDP) is the entity providing the identities, including the ability to authenticate a user.
What are the "Trust Services Principles" in a SOC 2 report? A. Security, availability, processing integrity, confidentiality, and privacy B. Confidentiality, processing integrity, and availability C. Trust, security, and privacy D. Trust and security principles
A. Security, availability, processing integrity, confidentiality, and privacy The correct answer is A. SOC 2, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems.
Please select the main key driver for cloud computing. A. Shift from CapEx (capital expenditure) to OpEx (operational expenditure) B. Scalability C. Elasticity D. Collaboration
A. Shift from CapEx (capital expenditure) to OpEx (operational expenditure) The correct answer is A. The main key driver for cloud computing is the shift from capital expenditure (CapEx), where organizations had to invest large sums of money, to operational expenditure (OpEx), which now enables companies to pay per use and avail themselves of pricing structures similar to monthly or quarterly leasing agreements.
A large financial organization is using public cloud services to host and process the credit card applications of millions of customers. While performing a threat model of some new functionality to be incorporated into this application, it has been identified that a threat actor can impersonate a victim by changing the session identifier and assume a different identity. What threat would BEST describe the potential attack? A. Spoofing B. Tampering C. Information disclosure D. Elevation of privilege
A. Spoofing The correct answer is A. In spoofing the attacker assumes the identity of the subject.
STRIDE is a well-known threat modelling methodology. What six threats does STRIDE stand for? A. Spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege B. Spoofing, tampering, redirection, information disclosure, disclosure of secrets, and elevation of privilege C. Stealing, tampering, redirecting, intruding, disclosing, elevation of privilege D. Stealing, tampering, repudiating, informing, denying, escalation of privilege
A. Spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege The correct answer is A. STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
A database administrator has been tasked to remove sensitive details from a production database so it can be used in a test environment. This recommendation comes from the security officer due to concerns about data leakage. What technique would you recommend? A. Static masking B. Dynamic masking C. Random substitution D. Algorithmic substitution
A. Static masking The correct answer is A. In static masking, a new copy of the data is created with the masked values. Static masking is typically efficient when creating clean, nonproduction environments.
What data storage types are commonly used in a PaaS environment? A. Structured and unstructured B. Protected and unprotected C. Shielded and unshielded D. Local and remote
A. Structured and unstructured The correct answer is A. PaaS utilizes the following data storage types: Structured: Information organized in accordance with a defined schema that aligns with its expected use. This is typically used in relational databases. Unstructured: Information not aligned or organized along any schema or in any repeatable fashion. Examples include email messages, videos, and audio files.
What is the definition of cloud computing according to NIST? A. Cloud computing is a model for enabling ubiquitous, convenient, on- demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction B. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a dedicated pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction C. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released by the service provider D. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be provisioned depending on the available resources by the service provider
A. The correct answer is A. As per NIST SP 800-45, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
As part of data discovery implementation, who has full responsibility for fulfilling the obligations of privacy and data protection laws? A. The customer as data controller B. The cloud service provider as data processor C. The customer as data processor D. The cloud service provider as data controller
A. The customer as data controller The correct answer is A. The customers, in the role of data controllers, have full responsibility for compliance with the P&DP laws' obligations. The implementation of data discovery solutions and data classification techniques allow customers to specify to the cloud service provider the requirements to be fulfilled, to perform effective periodic audits according to the applicable P&DP laws, and to demonstrate to the competent privacy authorities their due accountability according to the applicable P&DP laws.
An e-commerce store is collecting personal data from customers purchasing items, including details such as full name, address, items purchased, quantities, etc. The e- commerce store is managed and hosted by a managed cloud service provider. Additionally, all data is copied offsite to a backup service provider in case of a disaster recovery. Which entity is the data controller in this scenario? A. The e-commerce store B. The managed service provider C. The backup service provider D. The customer
A. The e-commerce store The data controller determines the purposes for which and the means by which personal data is processed. If your company/organization decides why and how the personal data should be processed, it is the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller.
Micro-segmentation is a principal design and activity of the Zero Trust Model, which aids in protecting against dynamic threats. What is a fundamental design requirement of micro-segmentation? A. Understand the protection requirements for east-west (traffic within a data center) and north-south (traffic to and from the internet) traffic flows B. Understand the protection requirements for zones of defense that assume all traffic types and threats will be contained in their appropriate zones C. Understand the protection requirements for the hypervisor D. Understand the protection requirements for the virtual machines
A. Understand the protection requirements for east-west (traffic within a data center) and north-south (traffic to and from the internet) traffic flows The correct answer is A. Micro-segmentation pays close attention to traffic types (east- west, north-south) and creates policies that address specific protection surfaces.
A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure. By using a CASB, which of the following security functions would be possible by organizations? A. Visibility into application usage B. Detect malware being copied to/from the cloud provider's infrastructure C. Encrypt data at rest and in-transit in the cloud provider's infrastructure D. All the above
A. Visibility into application usage The correct answer is A. By using a CASB, organizations can analyze application usage at the firewall or proxy and control usage of unmanaged applications. Block, coach, and control unmanaged cloud applications on any managed device.
What storage types can be used in an IaaS environment? A. Volume and object storage B. Volume and disk storage C. Raw and object storage D. Raw and disk storage
A. Volume and object storage The correct answer is A. Volume storage is a virtual hard drive that can be attached to a virtual machine instance and be used to host data within a file system. Volumes attached to IaaS instances behave just like a physical drive or an array does. Examples include VMware VMFS, Amazon EBS, Rackspace RAID, and OpenStack Cinder. Object storage is like a file share accessed via APIs or a web interface. Examples include Amazon S3 and Rackspace cloud files.
Developers have two general approaches from which to choose when developing cloud applications. One option is a "web app," which is an internet-enabled application accessible via a mobile device web browser. Another option is "native app," in which the application is developed to operate on a specific mobile device. What would be the BEST reason for choosing to develop a "web app" instead of a "native app"? A. When there is an emphasis on the user-centric interface B. When there is an emphasis on the platform interface C. When there is a specific requirement about the programming language D. When there is a specific requirement about the application performance
A. When there is an emphasis on the user-centric interface The correct answer is A. A "web app" does not need to be downloaded onto the user's mobile device for access.
Developers must consider that in virtually all cloud environments, access to cloud services is acquired through the means of an application programming interface (API). These APIs consume tokens rather than traditional usernames and passwords. APIs can be developed using multiple formats, but one of the most common is Representational State Transfer (REST), which is best described as: A. A protocol specification for exchanging information in the implementation of web services B. A software architecture style consisting of guidelines and best practices for creating scalable web services C. The change control process used to implement a new version of code in a cloud environment D. A business continuity strategy that ensures availability of cloud services
B. A software architecture style consisting of guidelines and best practices for creating scalable web services The correct answer is B. Representational State Transfer (REST) is a software architecture style consisting of guidelines and best practices for creating scalable web services. A RESTful web application exposes information about itself in the form of information about its resources. It also enables the client to take actions on those resources, such as create new resources
You want to guarantee the integrity of an encrypted file received from a colleague. How would you achieve that? A. Ask your colleague for the encryption key of the file B. Ask your colleague for the hash of the file and compare it with the hash you produced C. Perform a hash of the file and compare it with the encryption key D. Perform encryption of the file and compare it with the hashed file
B. Ask your colleague for the hash of the file and compare it with the hash you produced The correct answer is B. In order to guarantee integrity of a file, you need to compare the hash values of the origin and recipient file.
Cloud orchestration is the end-to-end automation workflow, or process, that coordinates multiple lower-level automations to deliver a resource or set of resources "as a service." How are the various services managed? A. Cloud management console B. Cloud management platform C. Cloud management plane D. Cloud management service provider
B. Cloud management platform The correct answer is B. Cloud orchestration is typically delivered by a cloud management platform (CMP) that includes several layers of functionality.
In a cloud environment, who is responsible for the management plane? A. Cloud consumer B. Cloud service provider C. Cloud service broker D. Cloud carrier
B. Cloud service provider The correct answer is B. The cloud provider is solely responsible for ensuring the management plane is secure and necessary security features are exposed to the cloud consumer, such as granular entitlements to control what someone can or cannot do.
Your organization is planning to move to the cloud and is evaluating various cloud services providers. One of the main factors for selection is their security posture. What industry standard tool can you utilize to assess the overall security capabilities of a cloud provider? A. Cloud Assessment Questionnaire B. Consensus Assessment Initiative Questionnaire C. Cloud Security Assessment Checklist D. Cloud Security Risk Checklist
B. Consensus Assessment Initiative Questionnaire The correct answer is B. The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
An attacker is trying to break into a software-as-a-service (SaaS) environment of a consumer by brute-forcing user credentials obtained on the dark web. Due to this behavior, the cloud service provider issues an alert to the consumer indicating possible breach attempts and temporarily blocks the attacker from logging in. What sort of control is this? A. Detective B. Corrective C. Compensating D. Preventive
B. Corrective The correct answer is B.Corrective controls involve physical, administrative, and technical measures designed to react to the detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to occur.
Digital rights management (DRM) is a technology aimed at controlling the use of digital content. DRM technology was originally invented by publishers to control media such as audio and video rights. How does DRM work when applied to a file? A. DRM encrypts and digitally signs the file B. DRM adds an extra layer of access controls on top of the file C. DRM performs hashing of the file and stores it in a database D. DRM utilizes a public-key infrastructure to store the keys to the files
B. DRM adds an extra layer of access controls on top of the file The correct answer is B. DRM adds an extra layer of access controls on top of the data object or document. The access control list (ACL) determines who can open the document and what they can do with it, and provides granularity that flows down to printing, copying, saving, and similar options.
Global cloud service providers are generally organized in a three-level structure. Please select the correct structure from one of the options below. A. Data centers, services, customers B. Data centers, availability zones, regions C. Infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) D. Cloud service provider (CSP), managed service provider (MSP), consumer
B. Data centers, availability zones, regions The correct answer is B. Individual physical data centers house physical computers, storage, data center networking, environmental management equipment, and electrical power. An availability zone (AZ) consists of two or more geographically local data centers. The AZ data centers will normally have independent sources of power and data connectivity. A region typically consists of two or more availability zones. To ensure operational geographical redundancy, cloud-based solutions should deploy redundant infrastructures in two or more regions with mutual data backup capability.
When considering an application for cloud deployment, one must recognize that applications should be broken down into: A. People, processes, and technology B. Data, functions, and processes C. People, functions, and technology D. Data, processes, and technology
B. Data, functions, and processes The correct answer is B. These components can be divided when in operation so that portions that have sensitive data can be processed and/or stored in specified locations to comply with enterprise policies, standards, and applicable laws and regulations.
What is it called when an organization performs background checks of its potential employees? A. Due care B. Due diligence C. Due attention D. Due background check
B. Due diligence Due diligence is the act of investigating and understanding the risks a company faces. Maintaining due diligence in daily practice should be a core tenet of a security professional.
A public-key infrastructure (PKI) is a set of system, software, and communication protocols required to use, manage, and control public-key cryptography. As part of the PKI the registration authority is responsible for what? A. Signing an entity's digital certificate to certify that the certificate content accurately represents the certificate owner B. Ensuring the accuracy of certificate request content C. Revoking certificates and provide an update service to the other members of the PKI via a certificate revocation list (CRL) D. Verifying the validity of a digital certificate
B. Ensuring the accuracy of certificate request content The correct answer is B. The registration authority (RA) servers provide the facility for entities to submit requests for certificate generation. The RA service is also responsible for ensuring the accuracy of certificate request content.
A flawed hypervisor could facilitate inter-VM attacks. One of those attacks involves installing a malicious, fake hypervisor that can manage the entire server system, allowing malicious actors to stealthily peek into virtual machines. What is the name of that type of attack? A. Hyperstealth B. Hyperjacking C. HyperVM D. Hyperjumping
B. Hyperjacking The correct answer is B. A flawed hypervisor could facilitate inter-VM attacks (also known as VM hopping through guest escape and leading to hyperjacking)
An attacker managed to infect a hypervisor with a rootkit virus and now can control all virtual machines hosted in that environment. What is this type of attack called? A. VM attack B. Hyperjacking C. VM takeover D. Ransomware
B. Hyperjacking The correct answer is B. Hyperjacking involves installing a rogue hypervisor that can take complete control of a host. This may be accomplished using a VM-based rootkit that attacks the original hypervisor, inserting a modified rogue hypervisor in its place.
Software-defined networks (SDN) are defined by three separate planes or layers. Please select the correct planes from the options below. A. Orchestration, control, and data planes B. Management, control, and data planes C. Management, forwarding, and data planes D. Management, control, and database planes
B. Management, control, and data planes The correct answer is B. At the management plane all the business applications that manage the underlying control plane are exposed with northbound interfaces. Control of network functionality and programmability is directly made to devices at the control plane. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces.
You want to create your personal cloud at home to store and share your pictures, music, and other sensitive documents with other family members. At the moment you are deciding the best storage configuration for your solution taking into consideration costs. What storage configuration would you choose? A. SAN (storage area network) B. NAS (network-attached storage) C. SD-WAN (software-defined wide area network) D. SDN (software-defined network)
B. NAS (network-attached storage) The correct answer is B. Network-attached storage (NAS) is a file-level computer data storage server connected to a computer network providing data access to a heterogeneous group of clients. NAS is often manufactured as a computer appliance, a purpose-built specialized computer that serves files using its hardware, software, or configuration.
You are a European citizen and created an account with one of the major public cloud service providers headquartered in the U.S. Your data is stored with the EU affiliate and no data access from the non-EU corporate parents is possible. Can U.S. authorities access your data using the U.S. CLOUD Act? A. No, the data is protected through GDPR B. No, the affiliate is a separate entity from the parent and there is no technical possibility to access data from the affiliate in the EU C. Yes, the U.S. CLOUD Act is stronger legislation than GDPR D. Yes, through a formal request to the cloud service provider
B. No, the affiliate is a separate entity from the parent and there is no technical possibility to access data from the affiliate in the EU The correct answer is B. The data held at the EU affiliate would not likely be accessible to U.S. authorities under the CLOUD Act if it is not possible for personnel of the corporate parent to reach remotely into the telecommunication infrastructure of the EU affiliate to obtain data.
As a CCSP, what cloud BCDR strategy would you recommend if your organization wants to host data in the cloud but is concerned about the service availability of the cloud provider? A. On-premises, private cloud as BCDR B. On-premises, public cloud as BCDR C. Cloud consumer, primary provider BCDR D. Cloud consumer, alternative provider BCDR
B. On-premises, public cloud as BCDR The correct answer is B. On-premises infrastructure, which may or may not have a BCDR plan already, could alleviate the concern about service availability. And then having a public cloud provider as BCDR which is considered an alternative facility in case a disaster strikes at the on-premises infrastructure.
Please fill in the blanks using the terms below. ___________ are the foundation of corporate governance. ___________ are the result of either a regulation, which is a legislative requirement, or a contractual requirement such as a contract agreement or industry requirement such as a Payment Card Industry Data Security Standard (PCI DSS). A. Standards, policies B. Policies, standards C. Standards, procedures D. Policies, procedures
B. Policies, standards The correct answer is B. Policies are the foundation of corporate governance. They require penalties as well as senior management sponsorship to be effective. Policies are created in response to a requirement such as a standard or requirement benchmark. A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes.
What EU-U.S. privacy framework has been established to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the U.S.? A. GDPR B. Privacy Shield C. Safe Harbor D. Safe Transfer Framework (STF)
B. Privacy Shield The European Commission and the U.S. government agreed on a new framework called the EU-U.S. Privacy Shield to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the U.S. The EU-U.S. Privacy Shield replaces Safe Harbor.
Lockheed Martin developed a cyber kill chain methodology that helps to distinguish correlation from causation. The methodology can provide a framework for intuiting threat behaviors, actors, and tools. If the defender disrupts any of the first six steps of the cyber kill chain, they can prevent the success of the attack. Please select the correct steps of the cyber kill chain from the list below. A. Discovery, delivery, exploitation, installation, and command and control (C2) B. Reconnaissance, weaponization, delivery, exploitation, installation, and command and control (C2) C. Information gathering, testing, exploitation, exfiltration, and command and control (C2) D. Information gathering, delivery, installation, exfiltration, and command and control (C2)
B. Reconnaissance, weaponization, delivery, exploitation, installation, and command and control (C2) The correct answer is B. The first six steps of the cyber kill chain are reconnaissance, weaponization, delivery, exploitation, installation, and command and control (C2).
What is the name of the transport mechanism in web services that is based on simple URLs and uses the HTTP methods GET, POST, PUT, and DELETE? A.Simple Object Transport Protocol (SOAP) B. Representational State Transfer (REST) C. Extensible Markup Language (XML) D. Distributed Component Object Model (DCOM)
B. Representational State Transfer (REST) The correct answer is B. REST is broadly used as an alternative to SOAP because a URL can be used for making requests.
You work in a service organization and recently received an audit report from external auditors involving your organization's financial statements. This report was on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. What type of report have you received? A. SOC 1, Type 1 B. SOC 1, Type 2 C. SOC 2, Type 1 D. SOC 2, Type 2
B. SOC 1, Type 2 The correct answer is B. There are two types of reports for these engagements: SOC 1, Type 1: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. SOC 1, Type 2: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
A cloud consumer suffered a 24-hour outage and is now challenging the service provider to provide financial credits due to this unavailability of services. What agreement needs to be reviewed by both parties to assess the request? A. Cloud-level agreement (CLA) B. Service-level agreement (SLA) C. Penalty-level agreement (PLA) D. Outage-level agreement (OLA)
B. Service-level agreement (SLA) The correct answer is B. The SLA specifies thresholds and financial penalties associated with violations of these thresholds. Well-designed SLAs can significantly contribute to avoiding conflict and can facilitate the resolution of an issue before it escalates into a dispute. It serves as both the blueprint and warranty for cloud computing services.
As a cloud security architect, what measure can you implement in the public cloud environment to guarantee the safe destruction of the data? A. Crypto-encrypt B. Crypto-cipher C. Crypto-shredding D. Crypto-lock
C. Crypto-shredding The correct answer is C. Crypto-shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data originally. Since the data is encrypted with the keys, the result is that the data is rendered unreadable.
ISO/IEC 17789 describes cloud computing systems from four distinct viewpoints. One of these viewpoints is the user view. Please select the most appropriate definition for it. A. The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts B. The system context, the parties, the roles, the sub-roles, and the cloud computing activities C. The functions necessary for the support of cloud computing activities D. How the functions of a cloud service are technically implemented within already existing infrastructure elements or within new elements to be introduced in this infrastructure
B. The system context, the parties, the roles, the sub-roles, and the cloud computing activities The correct answer is B. According to ISO/IEC 17789, the user view of cloud computing addresses cloud computing activities, roles and sub-roles, parties, and cross-cutting aspects. A cloud computing activity is defined as a specified pursuit or set of tasks. A role is a set of cloud computing activities that serve a common purpose.
What is the goal of interoperability in cloud environments? A. To provide seamless service consumption and management between standalone services and cloud service providers B. To enable cloud service customers to move their data or applications between standalone services and cloud service providers C. To operate several cloud environments from a single standalone service D. To manage standalone services from the virtualization layer of the cloud service providers
B. To enable cloud service customers to move their data or applications between standalone services and cloud service providers The correct answer is B. Interoperability extends the relationship between cloud and noncloud services. The goal of interoperability is to provide seamless service consumption and management between standalone services and cloud service providers.
Which of the following BEST describes cross-site scripting (XSS)? A. Whenever an application takes trusted data and sends it to a web browser without proper validation or escaping B. Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping C. Whenever an application takes trusted data and sends it to a web browser with proper validation and escaping D. Whenever an application takes untrusted data and sends it to a web browser with proper validation and escaping
B. Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping The correct answer is B. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
What is the main benefit of using microservices? A. Microservices are used to host containers since the different logical functions can be split B. Microservices consume less resources compared to a monolithic application C. A software developer can develop part of a microservice without other developers having to rebuild and redeploy other parts of the application D. Microservices are used to orchestrate the various containers
C. A software developer can develop part of a microservice without other developers having to rebuild and redeploy other parts of the application The correct answer is C. The primary goals of using microservices with containers are continuous integration and continuous deployment. A software developer can modify, test, or scale one part of the application without other developers having to rebuild and redeploy other parts of the application.
When a private citizen performs an act that the government would need a warrant for, such as a search and seizure, what do they become? A. Deputy Commissioner B. Private investigator C. Agent of the government D. Federal investigator
C. Agent of the government The correct answer is C. A private citizen becomes an agent of the government when they perform an act that the government would need a warrant for, such as a search and seizure. Under those circumstances, the citizen must follow the same rules as the government.
A CCSP has been tasked with performing a static analysis security testing (SAST) on a web application. What sort of activities will they need to carry out? A Validate against the application requirements considering the inputs and expected outputs, regardless of how the inputs are transformed into outputs B. Detect conditions indicative of a security vulnerability in a running application; these tests typically look at exposed HTTP and HTML interfaces of web-enabled applications C. Analyze application source code, byte code, and binaries for coding and design conditions that can indicate security vulnerabilities D. Discover any security issues within the application or system being tested with zero knowledge of its structure, functions, or source code
C. Analyze application source code, byte code, and binaries for coding and design conditions that can indicate security vulnerabilities The correct answer is C. SAST analyzes application source code, byte code, and binaries for coding and design conditions that can indicate security vulnerabilities. SAST solutions analyze an application from the "inside out" in a nonrunning state.
Direct identifiers are fields that uniquely identify the subject (e.g., name, address) and are usually referred to as personally identifiable information. Indirect identifiers typically consist of demographic or socioeconomic information, dates, or events. How would you remove indirect identifiers in a database? A. Deletion B. Tokenization C. Anonymization D. Masking
C. Anonymization C. Anonymization is the process of removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual or sensitive information.
"Infrastructure as code" is the term applied to the fully automated, just-in-time, provisioning of virtualized infrastructure. Also called "serverless," container products such as Docker and container orchestration systems such as Kubernetes assist in automating the initial application deployment. What would be the BEST open-source tool to perform the underlying automation? A. Automattor B. InSpec C. Ansible D. Pepper
C. Ansible The correct answer is C. Ansible is a software provisioning, configuration management, and application-deployment tool that can configure Microsoft Windows and Unix-like systems.
ISO/IEC TS 22237-2 lists multiple layers of security referred to as classes. Each class has a guidance profile that specifies the proper controls that should exist at each layer. Availability classes are connected to power distribution and can maintain resilience during disruption. What class is defined as a multipath (resilience provided by redundancy of systems) resilience? A. Class 1 B. Class 2 C. Class 3 D. Class 4
C. Class 3 The correct answer is C. The Class 3 availability class is defined as multipath (resilience provided by redundancy of systems) resilience and concurrent repair/operate solution, where environmental controls contain redundant components with multipath telecommunication cabling using fixed infrastructure.
What is the main document that describes the overall relationship between a cloud service provider and consumer? A. Acceptable use policy B. Service-level agreement C. Cloud service agreement D. Cloud relationship policy
C. Cloud service agreement The correct answer is C. The cloud service agreement (CSA) describes the overall relationship between the customer and provider. Since service management includes the processes and procedures used by the cloud provider, explicit definitions of the roles, responsibilities, and execution of processes need to be formally agreed upon.
According to the ISO/IEC 17789 cloud computing reference architecture, a cloud auditor would be considered a: A. Cloud service customer (CSC) B. Cloud service provider (CSP) C. Cloud service partner (CSN) D. Cloud service broker (CSB)
C. Cloud service partner (CSN) The correct answer is C. A Cloud service partner (CSN) is engaged in support of, or auxiliary to, activities of either the cloud service provider or the cloud service customer, or both. Cloud service broker and cloud auditor both fall under this ISO/IEC 17789 role.
You are about to purchase movie tickets, but the website offering them is asking you for your parents' names, which you think is excessive to purchase the tickets. Based on the OECD's privacy recommendations, which principle is not being followed by the movie's website? A. Data Quality Principle B. Purpose Specification Principle C. Collection Limitation Principle D. Accountability Principle
C. Collection Limitation Principle The correct answer is C. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. https://marcomm.mccarthy.ca/pubs/share2.htm
A company utilizing cloud services cannot deploy multi-factor authentication (MFA) due to a limitation by the SaaS provider, so its CISO implements a password policy that establishes passwords must be changed every 30 days. What sort of security control is this? A. Detective B. Corrective C. Compensating D. Preventive
C. Compensating The correct answer is C. Also called an alternative control, a compensating security control is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.
Data center operators frequently utilize the Uptime Institute Tier Standard and awarded certification when promoting their data centers. Your public cloud service provider is highlighting that it is a Tier III data center. How is that type of data center also known as? A. Basic site infrastructure B. Redundant site infrastructure capacity components C. Concurrently maintainable site infrastructure D. Fault-tolerant site infrastructure
C. Concurrently maintainable site infrastructure The correct answer is C. The fundamental requirements of a Tier III (concurrently maintainable site infrastructure) data center are: Redundant capacity components. Multiple independent distribution paths serving the critical environment. Only one distribution path is required to serve the critical environment at any time.
You are a cloud administrator and need to configure the hypervisors to allocate a minimum number of compute nodes for the virtual machines. What are you doing to achieve this? A.Sharing resource allocation B. Establishing physical resource limits C. Configuring reservations per virtual machine D. Preventing resource contention
C. Configuring reservations per virtual machine The correct answer is C. A reservation creates a guaranteed minimum resource allocation per VM, which must be met by the host with physical compute resources to allow a guest to power on and operate.
As a result of multitenancy, multiple users can store their data using the applications provided by SaaS. Within these architectures, the data of various users will reside at the same location or across multiple locations and sites. What is a key security consideration when protecting the user data? A. Data aggregation B. Data encryption C. Data segregation D. Data manipulation
C. Data segregation The correct answer is C. A SaaS model should ensure a clear segregation for each user's data. The segregation must be ensured not only at the physical level but also at the application level. The service should be intelligent enough to segregate the data from different users.
Which critical properties need to be understood after mapping the various data phases but before deploying controls in a cloud environment? A.People, processes, technology B. Policies, procedures, guidelines C. Functions, actors, locations D. All above
C. Functions, actors, locations The correct answer is C. Upon completion of mapping the various data phases, along with data locations and device access, it is necessary to identify what can be done with the data (i.e., data functions) and who can access the data (i.e., the actors).
According to the NIST service delivery models, which one provides the ability for the cloud consumer to scale services up and down based on usage? A. Software as a service (SaaS) B.Platform as a service (PaaS) C. Infrastructure as a service (IaaS) D. Anything as a service (XaaS)
C. Infrastructure as a service (IaaS) The correct answer is C. IaaS provides the cloud consumer the ability to scale infrastructure services up and down based on usage, which is particularly useful and beneficial where there are significant spikes and dips in usage within the infrastructure.
You work in a highly regulated industry and constantly are audited to comply with several standards. As part of a digital transformation project, your organization will move sensitive applications and data currently on premises to the public cloud. What cloud service model would be most appropriate in case you require access to the system logs for auditing purposes? A. Software as a service (SaaS) B. Platform as a service (PaaS) C. Infrastructure as a service (IaaS) D. Compliance as a service (CaaS)
C. Infrastructure as a service (IaaS) The correct answer is C. In IaaS environments, the consumer typically will have control of and access to event and diagnostic data. Almost all infrastructure-level logs will be visible to the consumer, along with detailed application logs.
A government organization has been recently audited against ISAE 3402 Type II and one of the findings identified by the auditors was that system-generated evidence was not available for the selected period, resulting in potential unauthorized transactions. What risk from the OWASP Top 10 would BEST describe this finding? A. Security misconfiguration B. Broken access control C. Insufficient logging and monitoring D. Sensitive data exposure
C. Insufficient logging and monitoring
The CCSP should be familiar with the various software development models that enterprises often use. Which of the following describes the agile model? A. It executes application verification and validation in parallel with application development and testing. B. The outcome of one phase is the input for the next phase. Development of the next phase starts only when the previous phase is complete. C. It focuses more on flexibility while developing a product rather than on the requirement. D. It combines the iterative incremental and prototype model approaches.
C. It focuses more on flexibility while developing a product rather than on the requirement. The correct answer is C. Agile modeling is a combination of the iterative incremental and spiral models. This model focuses more on flexibility while developing a product rather than on the requirement. Option A is the V-Model which executes application verification and validation in parallel with application development and testing. Option B is the Waterfall model, the outcome of one phase is the input for the next phase. Development of the next phase starts only when the previous phase is complete.
The CSA Security Trust Assurance and Risk (STAR) Program is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. What CSA STAR level provides continuous monitoring of the current security practices of cloud providers? A. Level 1 B. Level 2 C. Level 3 D. Level 4
C. Level 3 C. CSA STAR Level 3 (Continuous Monitoring) enables automation of the current security practices of cloud providers. Each level of STAR has a continuous monitoring option to offer increased transparency on a regular basis.
An organization is planning to move some of its functions to the cloud but doesn't have resources/skills to operate the cloud environment. It will rely on a third party to do so, but it wants to keep control of its governance. What technology implementation option is best suited for the company? A. Enterprise IT B. Enterprise cloud C. Managed service provider D. Cloud service provider
C. Managed service provider The correct answer is C. When enterprises opt to use managed service providers for information technology, compliance with enterprise-imposed IT governance is typically required.
What are the essential cloud computing characteristics? A. On-demand self-service, limited network access, and resource pooling B. Broadcast service, broad network access, resource pooling, and rapid elasticity C. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service D. On-demand self-service, broad network access, dedicated resourcing, rapid elasticity, and measured service
C. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service According to NIST SP 800-45, the five essential cloud computing characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
A digital crime has been committed by a cloud consumer. The local authorities require access to the virtual machines used by the cloud consumer and the hypervisor hosting those machines in order to gather and review some evidence. To whom should they make the formal evidence request? A. Both the cloud consumer and cloud service provider (CSP) B. Only the cloud consumer C. Only the cloud service provider (CSP) D. Cloud auditor
C. Only the cloud service provider (CSP) The correct answer is C. Under the order of a court, certain legal discovery documents, or orders, will specify that you and the cloud service provider are not allowed to disclose any activities undertaken in support of the court order. In some cases, the cloud service provider might be restricted from disclosing a court order or an investigation to you.
OAuth Authorization Framework is a way to enable a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. What are the four roles defined by OAuth? A. Resource provider, resource client, authentication server, and authorization server B. Resource provider, resource tenant, identification server, and authorization server C. Resource owner, resource server, client, and authorization server D. Resource owner, resource server, server, and authorized client
C. Resource owner, resource server, client, and authorization server The correct answer is C. OAuth defines four roles. A resource owner is an entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end user. A resource server is the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. A client is an application making protected resource requests on behalf of the resource owner and with its authorization.
What SOC report can be freely shared with the public? A. SOC1 B. SOC2 C. SOC3 D. SOC4
C. SOC3 The SOC 3 report is a publicly available summary of the vendor's SOC 2 report. A key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report is generally restricted in distribution and coverage, requiring a nondisclosure agreement (NDA) due to the information it contains, whereas a SOC 3 report is broadly available.
When testing a BCDR plan there are various strategies available. If you terminate a production virtual instance in the cloud to test the BCDR and the production environment becomes unavailable, what sort of issue have you identified? A. Cloud dependency B. Recovery inconsistency C. Single point of failure D. BCDR weak point
C. Single point of failure The correct answer is C. The test exposed a single point of failure. A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability.
A platform-as-a-service (PaaS) application typically depends on third parties' application programming interfaces (APIs) to provide services to its customers. If an API used by the PaaS application becomes compromised by a malicious actor, then the customers could become victims of the attack. The risk of this happening is known as A. API vulnerability risk B. PaaS attack risk C. Supply chain risk D. Application stack risk
C. Supply chain risk An API provided by a third party becomes part of your supply chain. The key component the supply chain introduces is risk; not only can it transfer or reduce certain components of risk (dependent on the organization), but it can create increased risk too.
How can you access databases in a PaaS environment? A.Through the management layer B. Through the hypervisor C. Through API calls D. Through the database management layer
C. Through API calls
What is a widely accepted algorithm to exchange or negotiate a symmetric key? A. El Gamal B. RSA C. Elliptic curve D. Diffie-Hellmann
D. Diffie-Hellmann The correct answer is D. Diffie-Hellmann is a key exchange algorithm. It is used to enable two users to exchange or negotiate a secret symmetric key that will be used subsequently for message encryption.
Several cloud customers were affected by a data breach from a cloud service provider (CSP) and their credit card details have been used by malicious actors to commit fraud. A court of law has identified that there was a lack of due care and due diligence by the CSP. The affected customers are looking for remedies in a class- action against the CSP. What type of law applies in this case? A. Criminal law B. Civil law C. Tort law D. Privacy law
C. Tort law The correct answer is C. Tort law encompasses a body of rights, obligations, and remedies that sets out reliefs for persons suffering harm because of the wrongful acts of others. Cases are built upon preponderance of evidence of damage. Negligence or lack of due care and due diligence that would be shown by a reasonable person may also be a factor.
A user has uploaded copyrighted materials to their employer's public cloud environment and shared it with friends online, resulting in a movie studio suing the employer for copyright infringement. What policy has been violated by the user? A.Cloud copyright policy B. Data sharing policy C. User access management policy D. Acceptable use policy
D. Acceptable use policy The correct answer is D. The acceptable use policy prohibits activities that providers consider to be an improper or outright illegal use of their service. This is one area of a CSA where there is considerable consistency across cloud providers.
Transitioning from a traditional enterprise IT infrastructure to the private cloud model involves: A. Significant investment B. Operational modifications C. Cultural change D. All the above
D. All the above
You host a SaaS application in a public cloud environment and are concerned that government authorities can seize your customers' data from a specific geographical location. What technique can you use to limit the exposure to this risk? A. Data deletion B. Data anonymization C. Data tokenization D. Data dispersion
D. Data dispersion When using the data dispersion technique, each storage block is fragmented and the storage application writes each bit into different physical storage containers to achieve greater information assurance, just like the old-fashioned RAID system, only scattered across different physical devices and/or geographical locations.
According to the NIST service deployment models, which one allows "cloud bursting"? A. Private B. Public C. Community D. Hybrid
D. Hybrid The correct answer is D. "Cloud bursting" occurs when a private cloud workload maximum is reached, and public cloud resources are utilized to help support the additional workload. Disaster recovery can be enhanced by hybrid cloud deployments.
A React application calls a set of Spring Boot microservices. The developers tried to ensure that their code is immutable, so they came up with is serializing user state and passing it back and forth with each request. An attacker notices the "R00" Java object signature and uses the Java Serial Killer tool to gain remote code execution on the application server. What is the name of the OWASP Top 10 risk? A.Cross-site scripting (XSS)Insecure B. Direct Object Reference C. Using Components with Known Vulnerabilities D. Insecure Deserialization
D. Insecure Deserialization The correct answer is D. Insecure Deserialization. Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.
In cloud security, the FIPS 140-2 standard is a specification applied to Trusted Platform Modules (TPMs), hardware security modules (HSMs), and key escrow storage devices. FIPS 140-2 certification consists of four different levels. Which security level triggers the immediate zeroization of all plaintext critical security parameters after the detection of an attempted breach? A. Level 1 B. Level 2 C. Level 3 D. Level 4
D. Level 4 The correct answer is D. Security Level 4 represents the highest rating and provides the highest level of security, with mechanisms providing complete protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Detection of an attempted breach triggers the immediate zeroization of all plaintext critical security parameters. Security Level 4 undergoes rigid testing to ensure its adequacy, completeness, and effectiveness.
A large financial organization with several legacy applications is selecting which ones can be migrated to the cloud as part of its "cloud-first" strategy. The technical teams identified that a COBOL application cannot be moved to the cloud due to some legacy components and crypto algorithms. What would BEST describe this common pitfall? A.Lack of knowledge/skillsets B. Awareness of encryption dependencies C. Complexities for integration D. Not all apps are cloud ready
D. Not all apps are cloud ready
What type of storage is utilized when accessing a CDN (content delivery network)? A. Volume storage B. Raw storage C. Ephemeral storage D. Object storage
D. Object storage The correct answer is D. A content delivery network (CDN) utilizes object storage, which is then distributed to multiple geographically distributed nodes to improve internet consumption speed.
As a CCSP you have been tasked to review and provide recommendations for privileged user accounts currently present in your company's cloud environment. You have identified that several administrators have unrestricted access to these environments, and no one is actively monitoring them. What would be your most immediate recommendation to prevent unauthorized changes? A. Delete the privileged accounts B. Implement monitoring C. Deploy 2FA D. Segregation of duties
D. Segregation of duties The correct answer is D. Segregation of duties can form an extremely effective mitigation and risk reduction technique around privileged users and their ability to effect major changes.
What are the five steps (in order) involved in creating an application security management process (ASMP)? A. Specifying the application requirements and environment, creating and maintaining the Application Normative Framework (ANF), assessing application security risks, provisioning and operating the application, and auditing the security of the application B. Assessing the application security risks, specifying the application requirements and environment, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application C. Specifying the application requirements and environment, assessing application security risks, provisioning and operating the application, auditing the security of the application, and creating the Application Normative Framework (ANF) D. Specifying the application requirements and environment, assessing application security risks, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application
D. Specifying the application requirements and environment, assessing application security risks, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application The correct answer is D. The five steps (in order) involved in the creation of an application security management process (ASMP) are specifying the application requirements and environment, assessing application security risks, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application.
What is one of the main benefits of using platform as a service (PaaS)? A. Reduced support costs B. High reliability and resilience C. Back-end systems and capabilities D. Support multiple programming languages and frameworks
D. Support multiple programming languages and frameworks The correct answer is D. PaaS should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or whichever the design requirements specify.
If you want to encrypt an entire database or specific portions such as tables without modifying the application, what mechanism would you use? A.Basic storage encryption B. Volume storage encryption C. Application-level encryption D. Transparent encryption
D. Transparent encryption The correct answer is D. Many database management systems contain the ability to encrypt the entire database or specific portions, such as tables. The encryption engine resides within the database, and it is transparent to the application.
