Assessment
b
Global cloud service providers are generally organized in a three-level structure. Please select the correct structure from one of the options below: a. Data centers, services, customers b. Data centers, availability zones, regions c. Infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) d. Cloud service provider (CSP), managed service provider (MSP) cpnsumer
a
Micro-segmentation is a principal design and activity of the Zero Trust Model, which aids in protecting against dynamic threats. What is a fundamental design requirement of micro-segmentation? a. Understand the protection requirements for east-west (traffic within a data center) and north-south (traffic to and from the internet) traffic flows b. Understand the protection requirements for zones of defense that assume all traffic types and threats will be contained in their appropriate zones c. Understand the protection requirements for the hypervisor d. Understand the protection requirements for the virtual machines
c
OAuth Authorization Framework is a way to enable a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. What are the four roles defined by OAuth? a. Resource provider, resource client, authentication server, and authorization server b. Resource provider, resource tenant, identification server, and authorization server c. Resource owner, resource server, client, and authorization server d. Resource owner, resource server, server, and authorized client
b
What EU-U.S. privacy framework has been established to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the U.S.? a. GDPR b. Privacy Shield c. Safe Harbor d. Safe transfer framework (STF)
c
What SOC report can be freely shared with the public? a. SOC 1 b. SOC 2 c. SOC 3 d. SOC 4
c
"Infrastructure as code" is the term applied to the fully automated, just-in-time, provisioning of virtualized infrastructure. Also called "serverless," container products such as Docker and container orchestration systems such as Kubernetes assist in automating the initial application deployment. What would be the BEST open-source tool to perform the underlying automation? a. Automattor b. InSpec c. Ansible d. Pepper
a
A database administrator has been tasked to remove sensitive details from a production database so it can be used in a test environment. This recommendation comes from the security officer due to concerns about data leakage. What technique would you recommend? a. Static masking b. Dynamic masking c. Random substitution d. Algorithmic substitution
c
A pharmaceutical organization moved several of its workloads to the public cloud. Due to a misconfigured web application firewall, a malicious actor was able to login into the object storage and exfiltrate several terabytes of confidential data about the organization's formulas. As a cloud security professional, how would you classify this activity? a. An incident b. An event c. A breach d. A disclosure
d
An application development team incorporated continuous integration/continuous delivery (CI/CD) as part of its release management practices. Although most of the process is automatic, what is the one step that is performed manually? a. Unit test b. Platform test c. Deploy code to staging d. Deploy code to production
b
An attacker managed to infect a hypervisor with a rootkit virus and now can control all virtual machines hosted in that environment. What is this type of attack called? a. VM attack b. Hyperjacking c. VM takeover d. Ransonware
b
An issue with one of the clustered nodes was causing frequent outages to an organization utilizing public cloud services. The cloud administrators identified that the issue was caused by resource exhaustion in the affected clustered node and remediated it after several recurrences in which they spotted the root cause. How was this issue identified by the cloud administrators? a. Incident management b. Problem management c. Resource management d. Virtualization management
a
An organization's cloud administrator recently received a security advisory from a vendor suggesting the patching of a virtual appliance used in the organization's environment might contain a critical vulnerability, although it is not confirmed. According to Information Technology Infrastructure Library (ITIL), what type of change needs to be submitted for approval? a. Normal change b. Emergency change c. Standard change d. Critical change
b
As a cloud network administrator, you identified an issue with the IP addresses assigned to your virtual instances in the recently created virtual private cloud (VPC). All instances are receiving an unresolvable host name that the cloud service provider assigns (for example, IP address 10.0.0.202) and cannot be reached over the internet. What is MOST likely the cause of this issue? a. The Domain Name System (DNS) server is turned off b. The Dynamic Host Configuration Protocol (DHCP) options to use with the VPC are not configured c. The host's file is defining an internal IP range instead of an external one d. The virtual private cloud (VPC) is configured for internal traffic only
b
Clustered storage is the use of two or more storage servers working together to increase performance, capacity, or reliability. As a cloud storage administrator, you have been tasked with selecting the MOST appropriate clustered storage architecture for your organization considering there is a requirement for high performance and scalability. Which of the following architectures would you choose? a. Loosely coupled architecture b. Tightly coupled architecture c. High performance architecture d. Highly scalable architecture
c
Host cluster resource contention can be mediated by implementing what? a. Reservations b. Limits c. Shares d. High availability
c
IPsec is a suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption. Endpoints communicate with IPsec using either transport or tunnel mode. What is the difference between these modes? a. In transport mode, the IP payload is protected b. In tunnel mode, the IP payload is protected c. In tunnel mode, the IP payload and its IP header are protected d. In transport mode, the IP payload and its IP header are protected
c
Maintenance mode is utilized when updating or configuring different components of the cloud environment, including virtual machines and hosts. For troubleshooting purposes, what needs to remain enabled while the host is in maintenance mode? a. Customer access b. Security alerts c. Logging d. Virtual console
c
Originally VLANs were designed and used to reduce performance issues caused by traffic collisions and broadcast domains. Traditional VLAN identifiers are 12 bits long, which limits networks to 4094 VLANs. Cloud service providers are utilizing VXLAN, an overlay technology encapsulating layer 2 over layer 3 (L2oL3). VXLAN doubles the 12-bit ID of a traditional VLAN to a 24-bit ID VXLAN Network Identifier (VNI). How many networks are possible in a VXLAN? a. 8,096 networks b. 8,188 networks c. 16 million networks d. 24 million networks
a
Security information and event management (SIEM) is a term used to describe a group of technologies that aggregate information about access controls and selected system activity to store for analysis and correlation. A SIEM tool recently deployed in your organization missed a zero-day malware infection in one of the virtual machines, causing havoc and outages for several hours across the cloud environment. What is MOST likely the cause of the missed alert by the SIEM tool? a. A compromised insider whose stolen credentials were used to install the malware b. Logs not captured from the compromised virtual machine c. Logs from the compromised virtual machine not analyzed by the SIEM tool d. Antimalware software not running in the virtual machine
c
Simple Network Management Protocol (SNMP) is an internet-standard protocol for collecting and organizing information about managed devices on IP networks. It can be used to determine the "health" of networking devices including routers, switches, servers, workstations, printers, and modem racks. What SNMP version supports authentication and privacy of the traps? a. SNMPv1 b. SNMPv2 c. SNMPv3 d. SNMPv4
d
The Software Engineering Institute at Carnegie Mellon University (CMU/SEI) released the Incident Management Capability Assessment, which aids organizations in baselining and benchmarking their incident management capabilities. Which of the following incident management categories focuses on maintaining and improving the CSIRT or incident management function? a. Prepare b. Protect c. Detect d. Sustain
a
To secure a virtual machine (VM), it is essential to first define the threats that must be mitigated. Organizations should conduct risk assessments to identify the specific threats against their VMs and determine the effectiveness of existing security controls in counteracting the threats. What is the BEST strategy to enforce configuration management throughout the enterprise and mitigate those threats? a. Establish a baseline and continuously monitor for compliance b. Deploy an intrusion detection system and continuously scan virtual machines for potential threats c. Deploy an intrusion prevention system and continuously scan virtual machines for potential intrusions d. Scan the virtual machines for known and unknown vulnerabilities
a
What are the main activities driving capacity and performance management? a. Research and monitoring of services, performance and capacity modeling, capacity requirement analysis, demand forecasting and performance improvement plan b. Guiding performance to meet service expectations as related to business requirements of a service consumer, with management activities including end-to-end visibility of an organization's services c. Ensuring that accurate and reliable information is maintained about the configuration of services and systems known as configuration items d. Practice of moving new or changed hardware, software, documentation, processes, or service components to a live environment
c
What is the MAIN benefit of using immutable infrastructure over mutable infrastructure? a. All servers in mutable infrastructures don't allow configuration changes b. All servers in immutable infrastructures don't allow configuration changes c. All deployments in an immutable infrastructure are executed by provisioning new servers based on a validated and version-controlled image d. All deployments in a mutable infrastructure are executed by provisioning new servers based on a validated and version-controlled image
a
What is the correct order of the three phases of the initial handshake of TLS 1.3? a. Key exchange, server parameters, authentication b. Authentication, server parameters, key exchange c. Server parameters, authentication, key exchange d. Server parameters, key exchange, authentication
a
What is the main purpose of Domain Name System Security Extensions (DNSSEC)? a. Validate zone transfers with a digital signature b. Digitally sign DNS requests and responses c. Encrypt DNS data to prevent eavesdropping d. Verify the integrity of DNS records
a
When available resource capacity does not meet the demands of the resource consumers (and virtualization overhead), cloud administrators might need to perform some tasks to cope with the increased demand. What is the PRIMARY activity that needs to be performed by the administrators? a. Use the resource allocation settings (shares, reservation, and limit) to determine and reconfigure the amount of CPU, memory, and storage resources available for the affected virtual machines b. Use the management console to shut down and restart the affected virtual machines so the CPU, memory, and storage resources are freed and can be reused c. Use the control plane to issue a command to the data plane so the affected virtual machines can be reconfigured with the required resources d. There is no need for a cloud administrator to perform any tasks as resources are dynamically allocated by the hypervisor
d
You host a SaaS application in a public cloud environment and are concerned that government authorities can seize your customers' data from a specific geographical location. What technique can you use to limit the exposure to this risk? a. Data deletion b. Data anonymization c. Data tokenization d. Data dispersion
b
Your organization hosts several applications in the public cloud. As a cloud administrator what would be the MOST appropriate mechanism to connect to a Windows virtual instance? a. Secure keyboard video mouse (KVM) b. Remote Desktop Protocol (RDP) c. Secure Shell (SSH) d. Telnet
c
A CCSP has been tasked with performing a static analysis security testing (SAST) on a web application. What sort of activities will they need to carry out? a. Validate against the application requirements considering the inputs and expected outputs, regardless of how the inputs are transformed into outputs b. Detect conditions indicative of a security vulnerability in a running application; these tests typically look at exposed HTTP and HTML interfaces of web-enabled applications c. Analyze application source code, byte code, and binaries for coding and design conditions that can indicate security vulnerabilities d. Discover any security issues within the application or system being tested with zero knowledge of its structure, functions, or source code
d
A React application calls a set of Spring Boot microservices. The developers tried to ensure that their code is immutable, so they came up with is serializing user state and passing it back and forth with each request. An attacker notices the "R00" Java object signature and uses the Java Serial Killer tool to gain remote code execution on the application server. What is the name of the OWASP Top 10 risk? a. Cross-site scripting (XSS) b. Insecure Direct Object Reference c. Using Components with Known Vulnerabilities d. Insecure Deserialization
a
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a : a. Management control b. Technical control c. Operational control d. Cloud control
a
A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure. By using a CASB, which of the following security functions would be possible by organizations? a. Visibility into application usage b. Detect malware being copied to/from the cloud provider's infrastructure c. Encrypt data at rest and in-transit in the cloud provider's infrastructure d. All the above
b
A cloud customer suffered a 24-hour outage and is now challenging the service provider to provide financial credits due to this unavailability of services. What agreement needs to be reviewed by both parties to assess the request? a. Cloud-level agreement (CLA) b. Service-level agreement (SLA) c. Penalty-level agreement (PLA) d. Outage-level agreement (OLA)
c
A company utilizing cloud services cannot deploy multi-factor authentication (MFA) due to limitation by the SaaS provider, so its CISO implements a password policy that establishes passwords must be changed every 30 days. What sort of security control is this? a. Detective b. Corrective c. Compensating d. Preventative
a
A default installation of the MongoDB database could be accessed without any authentication or access control when browsing the open MongoDB 27017 port issue. As a CCSP you have found data from your company stored in an Amazon Web Services (AWS) MongoDB database—including personally identifiable information (PII) that is at risk. What security threat from the CSA Treacherous 12 have you identified? a. Data breach b. Data loss c. System vulnerabilities d. Malicious insiders
c
A digital crime has been committed by a cloud consumer. The local authorities require access to the virtual machines used by the cloud consumer and the hypervisor hosting those machines in order to gather and review some evidence. To whom should they make their formal evidence request? a. Both the cloud consumer and cloud service provider (CSP) b. Only the cloud consumer c. Only the CSP d. Cloud auditor
b
A flawed hypervisor could facilitate inter-VM attacks. One of those attacks involves installing a malicious, fake hypervisor that can manage the entire server system, allowing malicious actors to stealthily peek into virtual machines. What is the name of that type of attack? a. Hyperstealth b. Hyperjacking c. HyperVM d. Hyperjumping
c
A government organization has been recently audited against ISAE 3402 Type II and one of the findings identified by the auditors was that system-generated evidence was not available for the selected period, resulting in potential unauthorized transactions. What risk from the OWASP Top 10 would BEST describe this finding? a. Security misconfiguration b. Broken access control c. Insufficient logging and monitoring d. Sensitive data exposure
a
A large financial organization is using public cloud services to host and process the credit card applications of millions of customers. While performing a threat model of some new functionality to be incorporated into this application, it has been identified that a threat actor can impersonate a victim by changing the session identifier and assume a different identity. What threat would BEST describe the potential attack? a. Spoofing b. Tampering c. Information disclosure d. Elevation of privilege
d
A large financial organization with several legacy applications is selecting which ones can be migrated to the cloud as part of its "cloud-first" strategy. The technical teams identified that a COBOL application cannot be moved to the cloud due to some legacy components and crypto algorithms. What would BEST describe this common pitfall? a. Lack of knowledge/skillsets b. Awareness of encryption dependencies c. Complexities for integration d. Not all apps are cloud ready
c
A platform-as-a-service (PaaS) application typically depends on third parties' application programming interfaces (APIs) to provide services to its customers. If an API used by the PaaS application becomes compromised by a malicious actor, then the customers could become victims of the attack. The risk of this happening is known as a. API vulnerability risk b. PaaS attack risk c. Supply chain risk d. Application stack risk
b
A public-key infrastructure (PKI) is a set of system, software, and communication protocols required to use, manage, and control public-key cryptography. As part of the PKI the registration authority is responsible for what? a.Signing an entity's digital certificate to certify that the certificate content accurately represents the certificate owner b. Ensuring the accuracy of certificate request content c. Revoking certificates and provide an update service to the other members of the PKI via a certificate revocation list (CRL) d. Verifying the validity of a digital certificate
c
As a cloud security architect, what measure can you implement in the public cloud environment to guarantee the safe destruction of the data? a. Crypto-encrypt b. Crypto-cipher c. Crypto-shredding d. Crypto-lock
d
A user has uploaded copyrighted materials to their employer's public cloud environment and shared it with friends online, resulting in a movie studio suing the employer for copyright infringement. What policy has been violated by the user? a. Cloud copyright policy b. Data sharing policy c. User access management policy d. Acceptable use policy
c
According to the ISO/IEC 17789 cloud computing reference architecture, a cloud auditor would be considered a: a. Cloud service customer (CSC) b. Cloud service provider (CSP) c. Cloud service partner (CSN) d. Cloud service broker (CSB)
c
According to the NIST service delivery models, which one provides the ability for the cloud consumer to scale services up and down based on usage? a. SaaS b. PaaS c. IaaS d. Anything as a service (XaaS)
d
According to the NIST service deployment models, which one allows "cloud bursting"? a. Private b. Public c. Community d. Hybrid
a
Among other benefits, one goal of caching is never having to generate the same response twice. Cache-Control is a powerful HTTP header to manage your caching directives and strategies. What is the BEST architectural style to use when dealing with HTTP cache headers? a. Representational State Transfer (REST) b. Simple Object Access Protocol (SOAP) c. Extensible Markup Language (XML) d. Common Object Request Broker Architecture (CORBA)
b
An attacker is trying to break into a SaaS environment of a consumer by brute-forcing user credentials obtained on the dark web. Due to this behavior, the cloud service provider issues an alert to the consumer indicating possible breach attempts and temporarily blocks the attacker from logging in. What sort of control is this? a. Detective b. Corrective c. Compensating d. Preventative
a
An e-commerce store is collecting personal data from customers purchasing items, including details such as full name, address, items purchased, quantities, etc. The e-commerce store is managed and hosted by a managed cloud service provider. Additionally, all data is copied offsite to a backup service provider in case of a disaster recovery. Which entity is the data controller in this scenario? a. The e-commerce store b. The managed service provider c. The backup service provider d. The customer
a
An important but often overlooked aspect of secure application is the management of third-party applications and software. This represents a major security flaw in cloud operations because every cloud service and function are accessed, configured, and operated using third-party software, the service provider's APIs. What open-source tool can you use to identify and reduce risk from the use of third-party and open-source components? a. OWASP Dependency-Track b. OWASP Dependency-Check c. OWASP Top 10 d, OpenAPI Check Tool
c
An organization is planning to move some of its functions to the cloud but doesn't have resources/skills to operate the cloud environment. It will rely on a third party to do so, but it wants to keep control of its governance. What technology implementation option is best suited for the company? a. Enterprise IT b. Enterprise cloud c. Managed service provider d. Cloud service provider
d
As a CCSP you have been tasked to review and provide recommendations for privileged user accounts currently present in your company's cloud environment. You have identified that several administrators have unrestricted access to these environments, and no one is actively monitoring them. What would be your most immediate recommendation to prevent unauthorized changes? a. Delete the privileged accounts b. Implement monitoring c. Deploy 2FA d. Segregation of duties
b
As a CCSP, what cloud BCDR strategy would you recommend if your organization wants to host data in the cloud but is concerned about the service availability of the cloud provider? a. On-premises, private cloud as BCDR b. On-premises, public cloud as BCDR c. Cloud consumer, primary provider BCDR d. Cloud consumer, alternative provider BCDR
c
As a result of multitenancy, multiple users can store their data using the applications provided by SaaS. Within these architectures, the data of various users will reside at the same location or across multiple locations and sites. What is a key security consideration when protecting the user data? a. Data aggregation b. Data encryption c. Data segregation d. Data manipulation
a
As part of data discovery implementation, who has full responsibility for fulfilling the obligations of privacy and data protection laws? a. The customer as data controller b. The cloud service provider as data processor c. The customer as data processor d. The cloud service provider as data controller
b
Cloud orchestration is the end-to-end automation workflow, or process, that coordinates multiple lower-level automations to deliver a resource or set of resources "as a service." How are the various services managed? a. Cloud management console b. Cloud management platform c. Cloud management plane d. Cloud management service provider
a
Developers have two general approaches from which to choose when developing cloud applications. One option is a "web app," which is an internet-enabled application accessible via a mobile device web browser. Another option is "native app," in which the application is developed to operate on a specific mobile device. What would be the BEST reason for choosing to develop a "web app" instead of a "native app"? a. When there is an emphasis on the user-centric interface b. When there is an emphasis on the platform interface c. When there is a specific requirement about the programming language d. When there is a specific requirement about the application performance
a
STRIDE is a well-known threat modelling methodology. What six threats does STRIDE stand for? a. Spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege b. Spoofing, tampering, redirection, information disclosure, disclosure of secrets, and elevation of privilege c. Stealing, tampering, redirecting, intruding, disclosing, elevation of privilege d. Stealing, tampering, repudiating, informing, denying, escalation of privilege
b
Developers must consider that in virtually all cloud environments, access to cloud services is acquired through the means of an application programming interface (API). These APIs consume tokens rather than traditional usernames and passwords. APIs can be developed using multiple formats, but one of the most common is Representational State Transfer (REST), which is best described as: a. A protocol specification for exchanging information in the implementation of web services b. A software architecture style consisting of guidelines and best practices for creating scalable web services c. The change control process used to implement a new version of code in a cloud environment d. A business continuity strategy that ensures availability of cloud services
b
Digital rights management (DRM) is a technology aimed at controlling the use of digital content. DRM technology was originally invented by publishers to control media such as audio and video rights. How does DRM work when applied to a file? a. DRM encrypts and digitally signs the file b. DRM adds an extra layer of access controls on top of the file c. DRM performs hashing of the file and stores it in a database d. DRM utilizes a public-key infrastructure to store the keys to the files
c
Direct identifiers are fields that uniquely identify the subject (e.g., name, address) and are usually referred to as personally identifiable information. Indirect identifiers typically consist of demographic or socioeconomic information, dates, or events. How would you remove indirect identifiers in a database? a. Deletion b. Tokenization c. Anonymization d. Masking
a
Federation enables you to manage access to your cloud resources centrally. With federation, you can use single sign-on (SSO) to access your cloud accounts using credentials from your corporate directory. What is an example of an open standard to exchange identity and security information between an identity provider (IdP) and an application? a. Security Assertion Markup Language (SAML) b. Open Security Standard (OSS) c. Open Web Application Security Project (OWASP) d. Open Supervised Device Protocol (OSDP)
a
Gas suppression systems operate to starve the fire of oxygen. What system uses multiple fire detectors and will not release until a fire is "confirmed" by two or more detectors (limiting accidental discharge)? a. Aero-K b. FM-200 c. Halon d. Proton
c
How can you access databases in a PaaS environment? a. Through the management layer b. Through the hypervisor c. Through API calls d. Through the database management layer
c
Data center operators frequently utilize the Uptime Institute Tier Standard and awarded certification when promoting their data centers. Your public cloud service provider is highlighting that it is a Tier III data center. How is that type of data center also known as? a. Basic site infrastructure b. Redundant site infrastructure capacity components c. Concurrently maintainable site infrastructure d. Fault-tolerant site infrastructure
b
ISO/IEC 17789 describes cloud computing systems from four distinct viewpoints. One of these viewpoints is the user view. Please select the most appropriate definition for it. a. The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts b. The system context, the parties, the roles, the sub-roles, and the cloud computing activities c. The functions necessary for the support of cloud computing activities d. How the functions of a cloud service are technically implemented within already existing infrastructure elements or within new elements to be introduced in this infrastructure
a
ISO/IEC 27018 is the first international code of practice that focuses on protection of personal data in the cloud. Cloud service providers adopting this standard must operate under the following five key principles: consent, control, transparency, communication, and yearly audits. Please select the answer that best describes the principle of control. a. Customers have explicit control of how their information is used b. Cloud service providers have no control over how the customer data is used c. Customers have no control over how their information is protected d. Cloud service providers enforce controls on customers' data to protect it
c
ISO/IEC TS 22237-2 lists multiple layers of security referred to as classes. Each class has a guidance profile that specifies the proper controls that should exist at each layer. Availability classes are connected to power distribution and can maintain resilience during disruption. What class is defined as a multipath (resilience provided by redundancy of systems) resilience? a. Class 1 b. Class 2 c. Class 3 d. Class 4
a
If an organization transmits, processes, or stores payment card data, it comes under a contractual obligation with its acquiring banks or others in the ecosystem to protect that data in accordance with applicable security standards. Which of the following is an industry-accepted security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data and/or sensitive authentication data? a. Payment Card Industry Data Security Standard (PCI DSS) b. Processing Card Integrity and Data Security Standard (PCI DSS) c. Processing Card Integrity and Data Encryption Standard (PCI DES) d. Payment Card Integrity and Data Encryption Standard (PCI DES)
d
If you want to encrypt an entire database or specific portions such as tables without modifying the application, what mechanism would you use? a. Basic storage encryption b. Volume storage encryption c. Application-level encryption d. Transparent encryption
b
In a cloud environment, who is responsible for the management plane? a. Cloud consumer b. Cloud service provider c. Cloud service broker d. Cloud carrier
d
In cloud security, the FIPS 140-2 standard is a specification applied to Trusted Platform Modules (TPMs), hardware security modules (HSMs), and key escrow storage devices. FIPS 140-2 certification consists of four different levels. Which security level triggers the immediate zeroization of all plaintext critical security parameters after the detection of an attempted breach? a. Level 1 b. Level 2 c. Level 3 d. Level 4
b
Lockheed Martin developed a cyber kill chain methodology that helps to distinguish correlation from causation. The methodology can provide a framework for intuiting threat behaviors, actors, and tools. If the defender disrupts any of the first six steps of the cyber kill chain, they can prevent the success of the attack. Please select the correct steps of the cyber kill chain from the list below. a. Discovery, delivery, exploitation, installation, and command and control (C2) b. Reconnaissance, weaponization, delivery, exploitation, installation, and command and control (C2) c. Information gathering, testing, exploitation, exfiltration, and command and control (C2) d. Information gathering, delivery, installation, exfiltration, and command and control (C2)
b
Please fill in the blanks using the terms below. ________ are the foundation of corporate governance. _____ are the result of either a regulation, which is a legislative requirement, or a contractual requirement such as a contract agreement or industry requirement such as Payment Card Industry Security Standard (PCI DSS). a. Standards, policies b. Policies, standards c. Standards, procedures d. Policies, procedures
a
Please select the main key driver for cloud computing a. Shift from CapEx (capital expenditure) to OpEx (operational expenditure) b. Scalability c. Elasticity d. Collaboration
c
Several cloud customers were affected by a data breach from a cloud service provider (CSP) and their credit card details have been used by malicious actors to commit fraud. A court of law has identified that there was a lack of due care and due diligence by the CSP. The affected customers are looking for remedies in a class action against the CSP. What type of law applies in this case? a. Criminal law b. Civil law c. Tort law d. Privacy law
b
Software-defined networks (SDN) are defined by three separate planes or layers. Please select the correct planes from the options below. a. Orchestration, control, and data planes b. Management, control, and data planes c. Management, forwarding, and data planes d. Management, control, and database planes
c
The CCSP should be familiar with the various software development models that enterprises often use. Which of the following describes the agile model? a. It executes application verification and validation in parallel with application development and testing. b. The outcome of one phase is the input for the next phase. Development of the next phase starts only when the previous phase is complete. c. It focuses more on flexibility while developing a product rather than on the requirement. d. It combines the iterative incremental and prototype model approaches.
c
The CSA Security Trust Assurance and Risk (STAR) Program is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. What CSA STAR level provides continuous monitoring of the current security practices of cloud providers? a. Level 1 b. Level 2 c. Level 3 d. Level 4
a
The cloud further heightens the need for applications to go through a software development lifecycle (SDLC) process. All SDLC process models include the following phases (in the right order). a. Define, design, develop, test, deployment, maintenance, and disposal b. Design, define, develop, deployment, test, maintenance, and disposal c. Define, design, develop, deployment, test, operations, and maintenance d. Design, develop, deployment, test, operations, maintenance, and disposal
a
The purpose of a digital signature is to provide the same level of accountability for electronic transactions where a handwritten signature is not possible. What properties are fulfilled when a sender digitally signs a message and sends it to a receiver? a. Message integrity and nonrepudiation of the sender b. Message integrity and nonrepudiation of the receiver c. Confidentiality and nonrepudiation of the sender d. Confidentiality and nonrepudiation of the receiver
d
Transitioning from a traditional enterprise IT infrastructure to the private cloud model involves: a. Significant investment b. Operational modifications c. Cultural change d. All of the above
a
What are the "Trust Services Principles" in a SOC 2 report? a. Security, availability, processing integrity, confidentiality, and privacy b. Confidentiality, processing integrity, and availability c. Trust, security, and privacy d. Trust and security principles
c
What are the essential cloud computing characteristics? a. On-demand self-service, limited network access, and resource pooling b. Broadcast service, broad network access, resource pooling, and rapid elasticity c. On-demand self service, broad network access, resource pooling, rapid elasticity, and measured service d. On-demand self-service, broad network access, dedicated resourcing, rapid elasticity, and measured service
a
What are the five rules of evidence? a. Be authentic, accurate, complete, convincing, and admissible in court b. Be authentic, appropriate, complete, convincing, and admissible in court c. Be trustworthy, accurate, complete, convincing, and admissible in court d. Be trustworthy, appropriate, complete, convincing, and admissible in court
d
What are the five steps (in order) involved in creating an application security management process (ASMP)? a. Specifying the application requirements and environment, creating and maintaining the Application Normative Framework (ANF), assessing application security risks, provisioning and operating the application, and auditing the security of the application b. Assessing the application security risks, specifying the application requirements and environment, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application c. Specifying the application requirements and environment, assessing application security risks, provisioning and operating the application, auditing the security of the application, and creating the Application Normative Framework (ANF) d. Specifying the application requirements and environment, assessing application security risks, creating and maintaining the Application Normative Framework (ANF), provisioning and operating the application, and auditing the security of the application
a
What data storage types are commonly used in a PaaS environment? a. Structured and unstructured b. Protected and unprotected c. Shielded and unshielded d. Local and remote
a
What do you call the ability of an air-conditioning system to remove moisture? a. Latent cooling b. Sensible cooling c. Heat cooling d. Moisture cooling
d
What is a widely accepted algorithm to exchange or negotiate a symmetric key? a. El Gamal b. RSA c. Elliptic curve d. Diffie-Hellmann
b
What is it called when an organization performs background checks of its potential employees? a. Due care b. Due diligence c. Due attention d. Due background check
a
What is one of the main benefits of using FaaS (function as a service) in cloud environments? a. Allows application development teams to focus on core business outcomes rather than on building and maintaining guest-operating systems runtime, patching, provisioning, and management b. Allows application development teams to focus on building and maintaining guest operating systems runtime, patching, provisioning, and management while keeping control of the application development c. Allows application development teams to isolate and utilize only the intended components while having appropriate separation from the remaining components d. Allows application development teams to sequence the application, a method that enables each application to run in its own self-contained virtual environment on the client computer
d
What is one of the main benefits of using platform as a service (PaaS)? a. Reduced support costs b. High reliability and resilience c. Back-end systems and capabilities d. Support multiple programming languages and frameworks
a
What is the correct order for an audit plan? a. Define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting b. Define audit scope, define audit objectives, refine audit processes based on lessons learned, analysis, fieldwork, reporting c. Define audit objectives, define audit scope, field work, analysis, reporting, refine audit processes based on lessons learned a. Define audit scope, define audit objectives, fieldwork, analysis, reporting, refine audit processes based on lessons learned
a
What is the correct order of the data security lifecycle phases? a. Create, store, use, share, archive, and destroy b. Create, use, store, share, archive, and sanitize c. Classify, store, use, share, archive, and destroy d. Classify, use, store, share, archive, and sanitize
a
What is the definition of cloud computing according to NIST? a. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. b. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a dedicated pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. c. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released by the service provider. d. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be provisioned depending on the available resources by the service provider interaction.
b
What is the goal of interoperability in cloud environments? a. To provide seamless service consumption and management between standalone services and cloud service providers b. To enable cloud service customers to move their data or applications between standalone services and cloud service providers c. To operate several cloud environments from a single standalone service d. To manage standalone services from the virtualization layer of the cloud service providers
c
What is the main benefit of using microservices? a. Microservices are used to host containers since the different logical functions can be split b. Microservices consume less resources compared to a monolithic application c. A software developer can develop part of a microservice without other developers having to rebuild and redeploy other parts of the application d. Microservices are used to orchestrate the various containers
c
What is the main document that describes the overall relationship between a cloud service provider and consumer? a. Acceptable use policy b. Service-level agreement c. Cloud service agreement d. Cloud relationship policy
a
What is the main objective of network function virtualization (NFV)? a. Decouple functions, such as firewall management, intrusion detection, network address translation, and name service resolution, apart from specific hardware implementation b. Couple functions, such as firewall management, intrusion detection, network address translation, and name service resolution with specific hardware implementation c. Limit functions, such as firewall management, intrusion detection, network address translation, and name service resolution utilizing specific hardware implementation d. Expand functions, such as firewall management, intrusion detection, network address translation, and name service resolution, using specific hardware implementation
b
What is the name of the transport mechanism in web services that is based on simple URLs and uses the HTTP methods GET, POST, PUT, and DELETE? a. Simple Object Transport Protocol (SOAP) b. Representational State Transfer (REST) c. Extensible Markup Language (XML) d. Distributed Component Object Model (DCOM)
a
What storage types can be used in an IaaS environment? a. Volume and object storage b. Volume and disk storage c. Raw and object storage d. Raw and disk storage
d
What type of storage is utilized when accessing a CDN (content delivery network)? a. Volume storage b. Raw storage c. Ephemeral storage d. Object storage
c
When a private citizen performs an act that the government would need a warrant for, such as a search and seizure, what do they become? a. Deputy Commissioner b. Private investigator c. Agent of the government d. Federal investigator
b
When considering an application for cloud deployment, one must recognize that applications should be broken down into: a. People, processes, and technology b. Data, functions, and processes c. People, functions, and technology d. Data, processes, and technology
c
When testing a BCDR plan there are various strategies available. If you terminate a production virtual instance in the cloud to test the BCDR and the production environment becomes unavailable, what sort of issue have you identified? a. Cloud dependency b. Recovery inconsistency c. Single point of failure d. BCDR weak point
c
Which critical properties need to be understood after mapping the various data phases but before deploying controls in a cloud environment? a. People, processes, technology b. Policies, procedures, guidelines c. Functions, actors, locations d. All above
b
Which of the following BEST describes cross-site scripting (XSS)? a. Whenever an application takes trusted data and sends it to a web browser without proper validation or escaping b. Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping c. Whenever an application takes trusted data and sends it to a web browser with proper validation and escaping d. Whenever an application takes untrusted data and sends it to a web browser with proper validation and escaping
d
Which of the following BEST describes the Application Normative Framework (ANF)? a. ANF creates norms and frameworks for application security operations b. ANF acts as a framework for all components of application security best practices c. ANF is an international standard for application security policies d. ANF enables a specific application to achieve a required level of security or the targeted level of trust
a
Which of the following statements is a benefit of the General Data Protection Regulation (GDPR)? a. It harmonizes data privacy laws across Europe b. It protects and empowers all citizens' data privacy c. It reshapes the way organizations across the world approach data privacy d. All the above
b
You are a European citizen and created an account with one of the major public cloud service providers headquartered in the U.S. Your data is stored with the EU affiliate and no data access from the non-EU corporate parents is possible. Can U.S. authorities access your data using the U.S. Cloud Act? a. No, the data is protected through GDPR b. No, the affiliate is a separate entity from the parent and there is no technical possibility to access data from the affiliate in the EU c. Yes, the U.S. Cloud Act is stronger legislation than GDPR d. Yes, through a formal request to the cloud service provider
c
You are a cloud administrator and need to configure the hypervisors to allocate a minimum number of compute nodes for the virtual machines. What are you doing to achieve this? a. Sharing resource allocation b. Establishing physical resource limits c. Configuring reservations per virtual machine d. Preventing resource contention
c
You are about to purchase movie tickets, but the website offering them is asking you for your parents' names, which you think is excessive to purchase the tickets. Based on the OECD's privacy recommendations, which principle is not being followed by the movie's website? a. Data quality principle b. Purpose specification principle c. Collection limitation principle d. Accountability principle
a
You are the security officer of a heavily regulated organization and are concerned that data currently stored in the public cloud can be leaked to the public due to a misconfiguration or malicious insider. How can you reduce the likelihood of this happening while fulfilling your regulatory requirements? a. Deploy a data leakage prevention tool b. Deploy a data encryption engine tool c. Deploy a data anonymization tool d. Deploy a data tokenization tool
b
You want to create your personal cloud at home to store and share your pictures, music, and other sensitive documents with other family members. At the moment you are deciding the best storage configuration for your solution taking into consideration costs. What storage configuration would you choose? a. SAN (storage area network) b. NAS (network-attached storage) c. SD-WAN (software-defined wide area network) d. SDN (software-defined network)
b
You want to guarantee the integrity of an encrypted file received from a colleague. How would you achieve that? a. Ask your colleague for the encryption key of the file b. Ask your colleague for the hash of the file and compare it with the hash you produced c. Perform a hash of the file and compare it with the encryption key d. Perform encryption of the file and compare it with the hashed file
c
You work in a highly regulated industry and constantly are audited to comply with several standards. As part of a digital transformation project, your organization will move sensitive applications and data currently on premises to the public cloud. What cloud service model would be most appropriate in case you require access to the system logs for auditing purposes? a. Software as a service (SaaS) b. Platform as a service (PaaS) c. Infrastructure as a service (IaaS) d. Compliance as a service (CaaS)
b
You work in a service organization and recently received an audit report from external auditors involving your organization's financial statements. This report was on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. What type of report have you received? a. Soc 1, Type 1 b. Soc 1, Type 2 c. Soc 2, Type 1 d. Soc 2, Type 2
b
Your organization is planning to move to the cloud and is evaluating various cloud service providers. One of the main factors for selection is their security posture. What industry standard tool can you utilize to assess the overall security capabilities of a cloud provider? a. Cloud assessment questionnaire b. Consensus assessment initiative questionnaire c. Cloud security assessment checklist d. Cloud security risk checklist