CCSK - Schellminantor


According to the Cloud Security Alliance logical model of cloud computing, which of the following defines the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers? (A). Metastructure (B). Infostructure (C). Infrastructure (D). Applistructure

Answer: A According to CSA Security Guidelines 4.0, Metastructure is defined as the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers: the glue that ties the technologies together and enables management and configuration.

Which of the following processes plays a major role in managing system vulnerabilities? (A). Capacity Management (B). Patch Management (C). Incident Management (D). Release Management

(B) Patch Management Although other processes are part of the overall security strategy, proper patch management plays a key role in keeping control of system vulnerabilities.

In which of the following cloud service models is the customer required to maintain the operating system? (A). PaaS (B). Public Cloud (C). IaaS (D). SaaS

Answer: C According to "The NIST Definition of Cloud Computing," in IaaS, "the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include OSs and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OSs, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls)."

Which of the following is NOT one of the essential characteristics as defined by NIST? (A). Rapid Elasticity (B). Resource Sharing (C). Resource Pooling (D). On-Demand self service

Answer: C All others are characteristics as defined by NIST.

Which is the most common control used for Risk Transfer? (A). Contracts (B). SLA (C). Insurance (D). Web Application Firewall

Answer: C Buying insurance is the most common method of transferring risk.

Which is the primary tool for governance in a cloud computing environment? (A). Governance memo (B). Service Level Agreement (C). Operational level Agreement (D). Contract

Answer: C Contracts: The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud). The contract is your only guarantee of any level of service or commitment, assuming there is no breach of contract, which tosses everything into a legal scenario. Contracts are the primary tool to extend governance into business partners and providers.

Which statement best describes why it is important to know how data is being accessed? (A). The devices used to access data have different storage formats. (B). The devices used to access data use a variety of operating systems and may have different programs installed on them. (C). The device may affect data dispersion. (D). The devices used to access data use a variety of applications or clients and may have different security characteristics. (E). The devices used to access data may have different ownership characteristics.

Answer: D

Which term is used to describe the use of tools to selectively degrade portions of the cloud to continuously test business continuity? (A). Planned Outages (B). Resiliency Planning (C). Expected Engineering (D). Chaos Engineering (E). Organized Downtime

Answer: D

Which of the following is most commonly used to program an Application Programming Interface (API)? (A). SOAP (B). JSON (C). HTTP (D). REST

Answer: D APIs are typically REST for cloud services, since REST is easy to implement across the Internet. REST APIs have become the standard for web-based services since they run over HTTP/S and thus work well across diverse environments.

Which of the following allows organizations to access, report, and obtain evidence of actions, controls, and processes that were performed or run by a specified user? (A). Traceability (B). Acceptability (C). Accountability (D). Auditability

Answer: D Auditability is the trait whereby organisations can collect and verify the correctness of the organisation's processes and procedures.

Which of the following documents defines the roles and responsibilities for risk management between a cloud provider and a cloud customer? (A). Risk Management Agreement (B). Service Level Agreement (C). Operational level Agreement (D). Contract

Answer: D The contract defines the roles and responsibilities for risk management between a cloud provider and a cloud customer.

Which one of the following is not a risk mitigation strategy? (A). Avoidance (B). Acceptance (C). Transfer (D). Suppression

Answer: D Following are the risk mitigation strategies

Which of the following ISO standards provides a Code of practice for information security controls based on ISO/IEC 27002 for cloud services? (A). ISO 27018 (B). ISO 27034 (C). ISO 27032 (D). ISO 27017

Answer: D ISO 27017 provides a Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

No policy on resource capping can lead to: (A). Data disclosure (B). Data manipulation (C). Resource manipulation (D). Resource Exhaustion

Answer: D It can lead to resource exhaustion if you do not put an upper limit on resource allocation. Cloud services are on-demand; therefore there is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections. Inaccurate modelling of resource usage is a risk: common resource allocation algorithms are vulnerable to distortions of fairness.

Which of the following are the two most effective ways of protection against data breaches in the cloud environment? (A). Contracts and SLAs (B). Data Loss Prevention techniques and Web Application Firewall (C). Encryption and Honeypot (D). Multifactor Authentication and Encryption

Answer: D Multifactor Authentication and Encryption are the most effective protection mechanisms against data breaches in the cloud environment. The other options do form part of the overall security strategy in the cloud, but Option D is the strongest contender for the answer.

ENISA: A reason for risk concerns of a cloud provider being acquired is: (A). Arbitrary contract termination by acquiring company (B). Resource isolation may fail (C). Provider may change physical location (D). Mass layoffs may occur (E). Non-binding agreements put at risk

Answer: E

"Standards like the SSAE16 have a defined scope, which includes both what is assessed (e.g. which of the provider's services) as well as which controls are assessed. A provider can thus "pass" an audit that doesn't include any security controls, which isn't overly useful for security and risk managers." True or False? (A). True (B). False

Answer: A This is true. When a cloud assessment is done, it is very important to understand the scope of the audit and the standard used. In the statement above, we can see that the audit scope of SSAE16 is decided by the cloud provider and can be very limited, and one may not get full visibility into the security of the cloud service provider.

Code execution environments that run within an operating system, sharing and leveraging resources of that operating system, are known as: (A). VMs (B). Containers (C). Nodes (D). Host

Answer: B Containers are code execution environments that run within an operating system (for now), sharing and leveraging resources of that operating system. While a VM is a full abstraction of an operating system, a container is a constrained place to run segregated processes while still utilizing the kernel and other capabilities of the base OS. Ref: CSA Security Guidelines V4.0

Which is the most important trust mechanism between cloud service provider and cloud customer? (A). Meeting SLA requirements (B). Contract (C). Audit reports (D). Logging and Monitoring reports

Answer: B The contract is the most important document, as it defines the trust and relationship between the cloud service provider and the customer.

The relationship between the shareholders (and other stakeholders) of the organisation versus the Senior Management of the organisation is governed by: (A). IT Governance (B). Corporate Governance (C). Corporate Vision (D). Corporate Mission

Answer: B Corporate governance is the system of rules, practices and processes by which a company is directed and controlled. Corporate governance essentially involves balancing the interests of a company's many stakeholders, such as shareholders, management, customers, suppliers, financiers, government and the community.

IT Risk management is best described in: (A). FIPS 140-2 (B). ISO 27005 (C). NIST SP800-14 (D). ISO 27017

Answer: B The ISO 27005 standard describes the IT Risk Management process.

Which ISO standard addresses privacy in the cloud environment? (A). ISO 27017 (B). ISO 27018 (C). ISO 27034 (D). ISO 27032

Answer: B ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

Whose responsibility is it to maintain security incident and event management (SIEM) capabilities in the PaaS (Platform as a Service) model? (A). Cloud Carrier (B). Cloud Service provider (C). Cloud Customer (D). Cloud Access Security Broker

Answer: B In such service models, it is the cloud service provider's responsibility to maintain security incident and event management (SIEM) capabilities.

Application security is a shared responsibility between the cloud service provider and the cloud customer in the Platform as a Service (PaaS) model. (A). True (B). False

Answer: B It is false. This type of question is there to confuse students. Although we develop applications on the platform provided, their security is the total responsibility of the cloud customer.

What refers to the model that allows customers to scale their compute and/or storage needs with little or no intervention from or prior communication with the provider, where the services happen in real time? (A). Broad network access (B). On-demand self-service (C). Resource pooling (D). Rapid elasticity

Answer: B It is the characteristic of on-demand self-service that allows customers to scale their compute and/or storage needs with little or no intervention from or prior communication with the provider.

Which of the following is a key benefit of the private cloud model? (A). Distributed data location (B). Assurance of Data Location (C). Off-loading IT Management (D). Less expensive

Answer: B One of the key challenges in cloud computing is its distributed environment and dispersed data centers across the globe. It is very difficult to trace data location in public clouds. Therefore, assurance of data location is a key advantage of the private cloud.

Which of the following reports does the cloud service provider normally share with the customer WITHOUT any non-disclosure agreement, being in the public domain? (A). SOC1 Type1 (B). SOC2 Type2 (C). SOC3 (D). SOC2 Type1

Answer: C A SOC 3 report covers the same information as a SOC 2 report. The main difference between the two is that a SOC 3 is intended for a general audience. These reports are shorter and do not include the same details as a SOC 2 report, which is distributed to an informed audience of stakeholders. Due to their more general nature, SOC 3 reports can be shared openly and posted on a company's website with a seal indicating their compliance.

Which of the following is a form of compliance inheritance and the cloud service provider takes responsibility for the costs and maintenance of certifications for its infrastructure or services? (A). Internal Audit (B). Third-party Audit (C). Passthrough Audit (D). Physical Audit

Answer: C A pass-through audit is a form of compliance inheritance. In this model, all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard. The provider takes responsibility for the costs and maintenance of these certifications. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

The granting of the right of access to a user, program or process is called: (A). Authentication (B). Authorization (C). Entitlement (D). RBAC

Answer: B Authorization is the process of granting the right of access to a user, program or process. It should not be confused with Authentication.

Who is responsible for infrastructure security in the Software as a Service (SaaS) service model? (A). Cloud Customer (B). Cloud Service Provider (C). Cloud Carrier (D). It's a shared responsibility between Cloud Service Provider and Cloud Customer

Answer: B The cloud service provider is responsible for infrastructure security in the Software as a Service (SaaS) service model.

Which of the following items is NOT an example of Security as a Service (SecaaS)? (A). Spam filtering (B). Authentication (C). Provisioning (D). Web filtering (E). Intrusion detection

Answer: C

Which cloud service model has the least maintenance or administration from a cloud customer perspective? (A). IaaS (B). PaaS (C). SaaS (D). XaaS

Answer: C SaaS requires the least maintenance from the customer, as everything from the infrastructure up to the application is managed by the cloud service provider.

Which concept provides the abstraction needed for resource pools? (A). Virtualization (B). Applistructure (C). Hypervisor (D). Metastructure (E). Orchestration

Answer: A

Which data security control is the LEAST likely to be assigned to an IaaS provider? (A). Application logic (B). Access controls (C). Encryption solutions (D). Physical destruction (E). Asset management and tracking

Answer: A

______ refers to the deeper integration of development and operations teams through better collaboration and communications, with a heavy focus on automating application deployment and infrastructure operations? (A). DevOps (B). SySOpS (C). Automation (D). Chef

Answer: A

"Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms" Which of the following characteristics defines this: (A). On-demand self-service (B). Broad network access (C). Resource pooling (D). Rapid elasticity

Answer: A

Containers can be implemented without the use of VMs at all and run directly on hardware. (A). True (B). False

Answer: A

Private clouds can be hosted off-premises as well. (A). True (B). False

Answer: A

To understand their compliance alignments and gaps with a cloud provider, what must cloud customers rely on? (A). Third-party attestations (B). Provider run audits and reports (C). EDiscovery tools (D). Provider documentation (E). Provider and consumer contracts

Answer: A

What is true of searching data across cloud environments? (A). You might not have the ability or administrative rights to search or access all hosted data. (B). The cloud provider must conduct the search with the full administrative controls. (C). All cloud-hosted email accounts are easily searchable. (D). Search and discovery time is always factored into a contract between the consumer and provider. (E). You can easily search across your environment using any E-Discovery tool.

Answer: A

Where does the encryption engine and key reside when doing file-level encryption? (A). On the Instance attached to the system (B). Encryption engine resides on the server and keys on the client side (C). On the KMS attached to the system (D). On the client Side

Answer: A File-level encryption: Database servers typically reside on volume storage. For this deployment, you are encrypting the volume or folder of the database, with the encryption engine and keys residing on the instances attached to the volume. External file system encryption protects from media theft, lost backups, and external attack but does not protect against attacks with access to the application layer, the instance's OS, or the data

Which of the following functions maps to all the phases of Data security life cycle? (A). Read/Access (B). Process (C). Store (D). Destroy

Answer: A Functions: There are three things we can do with a given datum: Read (view/read the data, including creating, copying, file transfers, dissemination, and other exchanges of information); Process (perform a transaction on the data: update it, use it in a business processing transaction, etc.); Store (hold the data in a file, database, etc.).

Which of the following is a responsibility of Cloud customer? (A). Image Asset Management (B). Isolation (C). Secure Virtualization Infrastructure (D). Meta Structure

Answer: A Image asset management. Cloud compute deployments are based on master images, be it a virtual machine, container, or other code, that are then run in the cloud. This is often highly automated and results in a larger number of images to base assets on, compared to traditional computing master images. Managing these, including which meet security requirements, where they can be deployed, and who has access to them, is an important security responsibility. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Due to the multi-tenancy nature of the cloud, there is the possibility that data belonging to one customer will be read or received by another. This is known as: (A). Information Bleed (B). Wilful data disclosure (C). Data dispersion (D). Data disclosure

Answer: A Information Bleed With multiple customers processing and storing data over the same infrastructure, there is the possibility that data belonging to one customer will be read or received by another. Moreover, even if this does not happen with raw data, it might be possible for one customer to detect telltale information about another customer's activity, such as when the customer is processing data, how long the procedure takes, and so on.

Which form of storage has features that are typically minimal, allowing you only to store, retrieve, copy and delete files, as well as the ability to control which users can undertake these actions? (A). Object Storage (B). Volume Storage (C). Ephemeral Storage (D). Block Storage

Answer: A Object Storage has features that are typically minimal, allowing you only to store, retrieve, copy, and delete files, as well as the ability to control which users can undertake these actions.

Which of the following helps to intermediate IAM between an organization's existing identity providers and the many different cloud services used by the organization? (A). Federated Identity Provider (B). Relying Party (C). Cloud Access Security Broker (D). Active Directory

Answer: A One of the better-known categories heavily used in cloud security is Federated Identity Brokers. These services help intermediate IAM between an organization's existing identity providers (internal or cloud-hosted directories) and the many different cloud services used by the organization. They can provide web-based Single Sign-On (SSO), helping ease some of the complexity of connecting to a wide range of external services that use different federation configurations. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Which one of the following is an example of misuse or abuse of cloud services? (A). DDoS Attack (B). Account Hijacking (C). XSS attacks (D). Honeypot

Answer: A A public cloud platform can be used to launch a DDoS attack on other platforms. Please note here and understand the meaning of the phrase "abuse or misuse of cloud services": this phrase means launching attacks or campaigns by using the cloud, mostly the public cloud, as a platform.

The basis for deciding which laws are most appropriate in a situation where conflicting laws exist refers to: (A). The Restatement (Second) Conflict of Law (B). Doctrine of proper law (C). Tort law (D). Criminal law

Answer: A The Restatement (Second) Conflict of Law refers to a collation of developments in common law that help the courts stay up with changes. Many states have conflicting laws, and judges use these restatements to assist them in determining which laws should apply when conflicts occur.

Which of the following is a key component of regulated PII? (A). Mandatory Breach Reporting (B). Cloud Service Provider Consent (C). E-discovery (D). Data disclosure

Answer: A The key component and differentiator related to regulated PII is mandatory breach reporting requirements. At present, 47 states and territories within the United States, including the District of Columbia, Puerto Rico, and the Virgin Islands, have legislation in place that requires both private and government entities to notify and inform individuals of any security breaches involving PII.

Which of the following is a key consideration in Data security but does not feature in Data Security Life cycle? (A). Storage Location (B). Storage Device (C). Storage protocol (D). Access Method

Answer: A The lifecycle represents the phases information passes through but doesn't address its location or how it is accessed.

The key focus of any business continuity or disaster recovery should be: (A). Health and human safety (B). Critical assets (C). Critical infrastructure (D). Financial documents

Answer: A The primary goal of the whole business continuity and disaster recovery exercise should be health and human safety.

The private cloud model can be managed by a third party who may not be part of the organization served by that private cloud. (A). True (B). False

Answer: A This is true. This is a tricky question that you should look into carefully. The main purpose of a private cloud is usage by one organization, but it can be managed by a third party as well. Definition: Private cloud. According to NIST, "the cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organisation, a third party or some combination of them, and it may exist on or off premises."

What is the main driver for the decision to deploy cloud solutions? (A). It's a financial decision (B). It's business driven (C). Cloud has less risks and costs associated (D). None of the above

Answer: B All the decisions related to cloud migration are driven by business requirements and effective Business Impact Analysis (BIA) and cost-benefit analysis.

CCM: The following list of controls belongs to which domain of the CCM? GRM 06 - Policy; GRM 07 - Policy Enforcement; GRM 08 - Policy Impact on Risk Assessments; GRM 09 - Policy Reviews; GRM 10 - Risk Assessments; GRM 11 - Risk Management Framework (A). Governance and Retention Management (B). Governance and Risk Management (C). Governing and Risk Metrics

Answer: B

Cloud architectures necessitate certain roles which are extremely high-risk. Examples of such roles include CP system administrators and auditors and managed security service providers dealing with intrusion detection reports and incident response. They are known as high-risk because their malicious activities can lead to abuse of high privilege roles and can impact confidentiality, integrity and availability of data. (A). True (B). False

Answer: B

Interoperability is the ability that enables the migration of cloud services from one cloud provider to another or between public cloud and a private cloud. (A). True (B). False

Answer: B

An agreed-upon description of the attributes of a product, at a point in time, that serves as a basis for defining change is called: (A). Standardization (B). Baseline (C). Trusted Module (D). Secured Server

Answer: B A baseline is an agreed-upon description of the attributes of a product, at a point in time, that serves as a basis for defining change.

The process which frees the resources from their physical constraints to enable pooling is called: (A). Automation (B). Abstraction (C). Orchestration (D). Classification

Answer: B Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling. Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers. Ref: CSA Security Guidelines V4.0

Which of the following storage types are associated with PaaS? (A). Volume and Object (B). Structured and Unstructured (C). Ephemeral and Content Delivery (D). Raw and Long-Term Storage

Answer: B PaaS utilizes the following data storage types: Structured: Information with a high degree of organisation, such that inclusion in a relational database is seamless and readily searchable by simple, straightforward search engine algorithms or other search operations. Unstructured: Information that does not reside in a traditional row-column database. Unstructured data files often include text and multimedia content. Examples include email messages, word processing documents, videos, photos, audio files, presentations, web pages, and many other kinds of business documents. Although these sorts of files may have an internal structure, they are still considered unstructured because the data they contain does not fit neatly in a database.

Which of the following types of risk assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action? (A). Qualitative Analysis (B). Quantitative Analysis (C). Third party Risk Analysis (D). Outsourced risk analysis

Answer: B Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.

What is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable? (A). Broad network access (B). Resource pooling (C). Rapid elasticity (D). Measured service

Answer: B Resource pooling is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable.

Metrics which govern the contractual obligations of a cloud service are found in: (A). Contract itself (B). Service Level Agreements (SLA) (C). Operational Level Agreement (OLA) (D). Service Book

Answer: B The SLA is the list of defined, specific, numerical metrics that will be used to determine whether the provider is sufficiently meeting the contract terms during each period of performance.

Which of the following is not one of the essential characteristics as defined by NIST 800-145? (A). Broad Network Access (B). On-demand Shelf service (C). Rapid Elasticity (D). Resource Pooling

Answer: B The key characteristic is on-demand self-service and not "shelf" service.

Which one of the following is one of the key techniques used to create cloud infrastructure? (A). Authentication (B). Abstraction (C). Orientation (D). Classification

Answer: B The key techniques to create a cloud are abstraction and orchestration. We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two techniques create all the essential characteristics we use to define something as a "cloud."

Which of the following controls and configures the metastructure, and is also part of the metastructure itself? (A). Web Application Firewall (B). Management Plane (C). Network Firewall (D). API Gateway

Answer: B The management plane controls and configures the metastructure, and is also part of the metastructure itself. As a reminder, cloud computing is the act of taking physical assets (like networks and processors) and using them to build resource pools. Metastructure is the glue and guts to create, provision, and deprovision the pools. The management plane includes the interfaces for building and managing the cloud itself, but also the interfaces for cloud users to manage their own allocated resources of the cloud. Ref: CSA Security Guidelines v4.0

All of the following are types of access controls except: (A). Physical (B). Natural (C). Technical (D). Administrative

Answer: B There is no such control type as a "natural" control. There are three types of controls: 1. Physical, 2. Technical, 3. Administrative.

Which of the below hypervisors are OS-based and more attractive to attackers? (A). Type I (B). Type II (C). Type III (D). Type V

Answer: B Type II hypervisors are OS-based and more attractive to attackers. There are a lot of vulnerabilities which are found not only in the OS but also in applications residing on the OS.

The individual's right to have data (PII) removed from an entity/provider at any time per their request is known as: (A). Right of erasure (B). Right to be forgotten (C). Right to claim (D). Right to disclosure

Answer: B Under this principle of "Right to be forgotten", any individual can notify any entity that has PII for that individual and instruct that entity to delete and destroy all of that individual's PII in that entity's control. This is a very serious and powerful individual right, and compliance can be extremely difficult.

Which of the following is an exploit in which the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor? (A). VM rootkit (B). VM Escape (C). VM HBR (D). VM DOS

Answer: B Virtual machine escape is an exploit in which the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor. Such an exploit could give the attacker access to the host operating system and all other virtual machines (VMs) running on that host.

Which is the key technology that enables the sharing of resources and makes cloud computing most viable in terms of cost savings? (A). Scalability (B). Virtualization (C). Software Defined Networking (SDN) (D). Content Delivery Networks (CDN)

Answer: B Virtualization is the foundational technology that underlies and makes cloud computing possible. Virtualization is based on the use of powerful host computers to provide a shared resource pool that can be managed to maximize the number of guest operating systems (OSs) running on each host.

When the data is transferred to a third party, who is ultimately responsible for the security of the data? (A). Cloud Service Provider (B). Cloud Controller (C). Cloud Processor (D). Cloud Security Broker

Answer: B Whatever the scenario, the data controller will be responsible for the security of data in the cloud.

The risk left in any system after all countermeasures and strategies have been applied is called: (A). Annualised Risk (B). Mitigated Risk (C). Residual Risk (D). Leftover risk

Answer: C

Which governance domain deals with evaluating how cloud computing affects compliance with internal security policies and various legal requirements, such as regulatory and legislative? (A). Legal Issues: Contracts and Electronic Discovery (B). Infrastructure Security (C). Compliance and Audit Management (D). Information Governance (E). Governance and Enterprise Risk Management

Answer: C

Which of the following processes leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs? (A). VLANs (B). Grid networking (C). Micro-segmentation (D). Converged Networking

Answer: C Explanation: This type of question is asked to create confusion. Following are the five phases of the SDLC:
1. Planning and requirements analysis: Business and security requirements and standards are being determined. This phase is the main focus of the project managers and stakeholders. Meetings with managers, stakeholders, and users are held to determine requirements. The software development lifecycle calls for all business requirements (functional and nonfunctional) to be defined even before initial design begins. Planning for the quality-assurance requirements and identification of the risks associated with the project are also conducted in the planning stage. The requirements are then analyzed for their validity and the possibility of incorporating them into the system to be developed.
2. Defining: The defining phase is meant to clearly define and document the product requirements to place them in front of the customers and get them approved. This is done through a requirement specification document, which consists of all the product requirements to be designed and developed during the project lifecycle.
3. Designing: System design helps in specifying hardware and system requirements and helps in defining overall system architecture. The system design specifications serve as input for the next phase of the model. Threat modeling and secure design elements should be undertaken and discussed here.
4. Developing: Upon receiving the system design documents, work is divided into modules or units and actual coding starts. This is typically the longest phase of the software development lifecycle. Activities include code review, unit testing, and static analysis.
5. Testing: After the code is developed, it is tested against the requirements to make sure that the product is actually solving the needs gathered during the requirements phase. During this phase, unit testing, integration testing, system testing, and acceptance testing are conducted.

In which service model is the cloud consumer responsible for managing authorizations and entitlements only? (A). Infrastructure as a Service (IaaS) (B). Platform as a Service (PaaS) (C). Software as a Service (SaaS) (D). All of them

Answer: C It is important to read the question carefully and then choose the best answer. Although the cloud consumer is responsible for authorizations and entitlements across all service models, the question uses "only". Therefore, the answer is Software as a Service (SaaS); a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security.

Which of the following can lead to vendor lock-in? (A). Big Data sets (B). Large supplier Redundancy (C). Lack of transparency in terms of use (D). CSP's vendor utilization

Answer: C Lack of transparency in terms of use can lead to vendor lock-in. Contracts and SLAs should clearly define the relationship between the Cloud Service Provider (CSP) and the cloud customer. A data portability clause should be included.

An adversary uses a cloud platform to launch a DDoS attack against XYZ company. This type of risk is termed: (A). Malicious Insider (B). Data Breaches (C). Abuse of Cloud Services (D). Account Hijacking

Answer: C Malicious actors may leverage cloud computing resources to target users, organizations, or other cloud providers. Examples of misuse of cloud service-based resources include launching DDoS attacks, email spam and phishing campaigns; "mining" for digital currency; large-scale automated click fraud; brute-force compute attacks on stolen credential databases; and hosting of malicious or pirated content.

Which of the following is NOT a key cloud computing characteristic? (A). On Demand self service (B). Metered pricing (C). Metered servicing (D). Broad Network Access

Answer: C Often, this type of question looks simple, but confusion is created and you need to be careful when picking the right option. In our case, metered pricing and metered servicing look similar, but metered pricing is one of the characteristics of cloud computing.

What would you call logic/procedures running on a shared database platform? (A). Virtual Machine (B). Container (C). Platform-based Workload (D). Serverless Computing

Answer: C Platform-based workloads: This is a more complex category that covers workloads running on a shared platform that aren't virtual machines or containers, such as logic/procedures running on a shared database platform. Imagine a stored procedure running inside a multitenant database, or a machine-learning job running on a machine-learning Platform as a Service. Isolation and security are totally the responsibility of the platform provider, although the provider may expose certain security options and controls. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Which of the following is not one of the essential characteristics of Cloud Computing? (A). On-demand self service (B). Broad network access (C). Resource Sharing (D). Rapid elasticity

Answer: C Resource sharing is not one of the key characteristics of Cloud Computing.

The amount of risk that the leadership and stakeholders of an organization are willing to accept is known as: (A). Risk Acceptance (B). Residual Risk (C). Risk Tolerance (D). Risk Residual

Answer: C Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies by asset, and you shouldn't make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets.

Centralization of log streams is characteristic of which devices? (A). IDS (B). IPS (C). SIEM (D). DLP

Answer: C SIEM is a combination of Security Incident Management (SIM) and Security Event Management (SEM). A SEM system centralizes the storage and interpretation of logs and allows near real-time analysis, which enables security personnel to take defensive actions more quickly. A SIM system collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting.

Which of the following is also known as a white-box test and can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors? (A). Threat Modelling (B). Dynamic Application Security Testing (DAST) (C). Static Application Security Testing (SAST) (D). Static Application Security Testing (SAST)

Answer: C Static application security testing (SAST) is generally considered a white-box test, where the application test performs an analysis of the application source code, byte code, and binaries without executing the application code. SAST is used to determine coding errors and omissions that are indicative of security vulnerabilities. SAST is often used as a test method while the tool is under development (early in the development lifecycle). SAST can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors.

Which of the following phases of the data security lifecycle typically occurs nearly simultaneously with creation? (A). Save (B). Use (C). Store (D). Encrypt

Answer: C Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Which is the document used by a Cloud Service Provider to declare the level of personal data protection and security that it sustains for the relevant data processing? (A). Contract (B). Service Level Agreement (SLA) (C). Privacy Level Agreement (PLA) (D). Privacy Charter

Answer: C The PLA, as defined by the CSA, does the following: provides a clear and effective way to communicate the level of personal data protection offered by a service provider; works as a tool to assess the level of a service provider's compliance with data protection legislative requirements and leading practices; and provides a way to offer contractual protection against possible financial damages due to lack of compliance.

Which of the following is not part of the STRIDE model? (A). Spoofing (B). Denial of Service (C). Distributed Denial of Service (D). Elevation of Privilege

Answer: C The letters in the STRIDE threat model represent Spoofing of identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. The other options are simply mixed up or incorrect versions of the same.

Which of the following is a key tool for enabling and enforcing separation and isolation in multitenancy? (A). Networking (B). Control Plane (C). Management Plane (D). Processors

Answer: C The management plane is a key tool for enabling and enforcing separation and isolation in multitenancy. Limiting who can do what with the APIs is one important means for segregating out customers, or different users within a single tenant. It also determines which resources are in the pool, out of the pool, and where they are allocated. Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Under the new EU data protection rules, data destruction and corruption of personal data: (A). does not attract any additional penalty (B). does not guarantee damages that can be claimed by the cloud customer. (C). are considered forms of data breaches and require notification (D). does not need notification but the cloud service provider is legally liable

Answer: C They are considered forms of data breaches and require notification. Further, the cloud customer is legally liable.

Which of the following storage types is NOT associated with a SaaS solution? (A). Content Delivery Network (B). Raw Storage (C). Volume Storage (D). Ephemeral Storage

Answer: C Volume storage is commonly associated with IaaS solutions. All the other three options are related to SaaS solutions.

Identifying the specific threats against servers and determining the effectiveness of existing security controls in counteracting the threats is known as: (A). Risk Mitigation (B). Risk Assessment (C). Risk Management (D). Risk Determination

Answer: C Questions like this, which have similar-looking answers, should be answered carefully. Risk Management is the overall process, covering everything from identifying threats to ultimately reviewing the effectiveness of the controls.

How does running applications on distinct virtual networks and only connecting networks as needed help? (A). It reduces hardware costs (B). It provides dynamic and granular policies with less management overhead (C). It locks down access and provides stronger data security (D). It reduces the blast radius of a compromised system (E). It enables you to configure applications around business groups

Answer: D

Select the best definition of "compliance" from the options below. (A). The development of a routine that covers all necessary security measures. (B). The diligent habits of good security practices and recording of the same. (C). The timely and efficient filing of security reports. (D). The awareness and adherence to obligations, including the assessment and prioritization of corrective actions deemed necessary and appropriate. (E). The process of completing all forms and paperwork necessary to develop a defensible paper trail.

Answer: D

What factors should you understand about the data specifically due to legal, regulatory, and jurisdictional factors? (A). The physical location of the data and how it is accessed (B). The fragmentation and encryption algorithms employed (C). The language of the data and how it affects the user (D). The implications of storing complex information on simple storage systems (E). The actual size of the data and the storage format

Answer: D

What is known as a code execution environment running within an operating system that shares and uses the resources of the operating system? (A). Platform-based Workload (B). Pod (C). Abstraction (D). Container (E). Virtual machine

Answer: D

Which attack surfaces, if any, does virtualization technology introduce? (A). The hypervisor (B). Virtualization management components apart from the hypervisor (C). Configuration and VM sprawl issues (D). All of the above

Answer: D

Which of the following is an effective way of segregating different cloud networks and datacenters in a hybrid cloud environment? (A). Virtual LANs (B). Dedicated Hosting (C). Virtual Private Networks (D). Bastion Virtual Network

Answer: D One emerging architecture for hybrid cloud connectivity is "bastion" or "transit" virtual networks. This scenario allows you to connect multiple, different cloud networks to a data center using a single hybrid connection. The cloud user builds a dedicated virtual network for the hybrid connection and then peers any other networks through the designated bastion network. Second-level networks connect to the data center through the bastion network, but since they aren't peered to each other, they can't talk to each other and are effectively segregated. Also, you can deploy different security tools, firewall rulesets, and Access Control Lists in the bastion network to further protect traffic in and out of the hybrid connection.

Which of the following is the key difference between cloud computing and traditional virtualization? (A). Abstraction (B). Classification (C). Isolation (D). Orchestration

Answer: D Orchestration is the difference between cloud computing and traditional virtualization; virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes. Ref: CSA Security Guidelines V4.0

Which of the following is NOT one of the vulnerabilities that can lead to the risk of "abuse of high privilege roles" or "Cloud provider malicious insider"? (A). AAA Vulnerabilities (B). System and OS vulnerabilities (C). Poor enforcement of role definitions (D). Lack of data center hardware redundancy

Answer: D Redundancy has nothing to do with abuse of high privilege roles. All the others can lead to the risk of "abuse of high privilege roles" or "Cloud provider malicious insider".

Which of the following is NOT a characteristic of cloud computing? (A). On-demand self service (B). Resource Pooling (C). Metered service (D). Reduced personnel cost

Answer: D The characteristics of cloud computing are: 1. On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically, without requiring human interaction with each service provider. 2. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations). 3. Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth. 4. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time. 5. Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer.

Lack of CPU or network bandwidth and intermittent access to provisioned resources are examples of which of the following cloud risks? (A). Isolation failure (B). Software vulnerabilities (C). API vulnerabilities (D). Resource Exhaustion

Answer: D They are all examples of resource exhaustion.
