Managing Cloud Security Assessment Questions
Wayne's company accepts credit card payments, and needs to meet industry requirements for security for card information. What specialized compliance requirement is he most likely to need to meet?
PCI. Wayne needs to meet the Payment Card Industry (PCI) standards, often known as PCI DSS. HIPAA applies to covered entities including health plans, healthcare providers, and healthcare clearinghouses. HITECH amends HIPAA and covers the same group. NERC/CIP applies to entities that own or operate facilities that are part of the U.S. and Canadian power grid.
Felix has enabled maintenance mode on one of his clustered virtualization hosts. What will happen next?
Running VMs will be transferred to other cluster hosts, and when this is done the system will be flagged as ready for maintenance. Maintenance mode is used to transfer load to other servers, making the host available for hardware, firmware, or other maintenance.
Orlando wants to enable single sign‐on for his cloud‐hosted environment. Which of the following is a common standard for SSO integration?
SAML. Both SAML and Microsoft's Active Directory are commonly used for SSO integrations. Interactive application security testing (IAST), cloud application security broker (CASB), and Extensible Markup Language (XML) are not SSO standards.
Kathleen wants to use her existing identity and access management system to provide authentication and access control. Which of the following standards should she ensure she can support to successfully integrate with many cloud service providers?
SAML. Cloud service providers typically provide SAML integration for identity and access management services. TACACS is an outdated Cisco authentication protocol, RADIUS is primarily used for remote access servers, and Netlogin was made up for this question. Netlogon, however, is a Windows Server process.
What term is used to describe a list of all of the software and code components of an application or service?
SBOM. A software bill of materials, or SBOM, lists all the components of an application or service, helping organizations to track dependencies, security issues, and versions for components of their software. ASVS is a standard for application security verification. The CI/CD pipeline, or continuous integration/continuous deployment pipeline, is an application development process that is constantly building, testing, and releasing software, and SCCM is the name of Microsoft's System Center Configuration Manager, a management tool that is now called Microsoft Endpoint Configuration Manager.
Erin wants to hire a company that will help her move to Microsoft's Azure cloud. What cloud computing role best describes a company that provides integration and aggregation services to customers like Erin?
A cloud service broker. Cloud service brokers provide services like aggregation to provide discounts and bulk purchase opportunities to their customers as well as integration and customization services. The cloud service provider will provide the underlying service, and regulators ensure that regulations are being met. A cloud services architect would help design the environment or service.
Craig has been tasked with handling security hygiene for his company. Which of the following tasks is considered part of security hygiene?
Baselining. Both baselining and patching are considered part of security hygiene efforts by the CCSP exam. End‐to‐end encryption, deploying IPS, and using full disk encryption may be part of your security architecture or baseline, but baselining is the best answer provided.
What phase in a software development lifecycle typically includes gathering business requirements?
Analysis. The analysis phase of an SDLC includes gathering business requirements. Planning phases typically outline the high‐level goals and plan for the effort. Design phase activities include system and infrastructure design, including business rules and layouts for interfaces. Finally, work in the development phase creates the actual code needed for the effort.
Megan wants to conduct a forensic analysis of potentially malicious traffic in a SaaS environment. What tools should she use to conduct this analysis?
Analyzing network traffic in a SaaS environment is typically not possible for customers. While network traffic capture is usually possible in an infrastructure as a service environment, software as a service (SaaS) environments don't provide customers with the access required to view or capture network traffic.
Lisa is managing data in her organization according to the cloud data lifecycle. The data she is reviewing is in the Share phase. What phase will typically come next?
Archive. Lisa knows that archiving data comes after the Share phase in the cloud data lifecycle. While the data lifecycle is not just a one‐way cycle, and data elements may move between phases, archiving is an appropriate step after data is no longer in regular use.
Valerie wants to monitor her intrusion prevention system for attacks and wants to detect new, unknown attack methods based on recognition of patterns and common indicators of compromise. What capabilities should she look for when selecting an IPS?
Artificial intelligence and machine learning. The combination of artificial intelligence and machine learning provides the greatest capability to detect unknown, new threats by combining known indicators of compromise and behavior‐based monitoring.
Megan wants to ensure accountability in her organization's DevOps workflows. Which of the following practices will help the most with her task?
Avoid shared credentials. Avoiding the use of shared credentials is the most important item in this list to ensure accountability. Even if auditing is on, if credentials are shared, Megan will be unable to determine who performed an action. Shared secrets are a form of shared credentials and would work counter to this, and disallowing API keys removes a useful tool for API security, so it shouldn't be in her list of desirable options.
Jack's company has deployed its microservice‐based application stack into Microsoft's Azure cloud. It is considering attempting to duplicate the stack in Amazon's AWS environment and wants to use the same infrastructure as code that it's running in Azure to deploy into Amazon. What concern should Jack bring up?
Azure and AWS use distinct infrastructure as code tools, and the code will not be portable. Jack's primary concern should be about the portability of the code and environment. While a Kubernetes cluster might be movable between Azure and AWS, code generated by CloudFormation in AWS is distinctly different from Azure's Blueprints, and the code cannot be simply transferred. Naming conventions are likely to be portable in many cases, and both Azure and AWS offer strong SLAs, so both of these considerations are less likely to be an issue. Microservices running between two clouds are possible, although concerns might exist due to latency or other potential issues.
Henry is performing a penetration test. As part of the test he will act like an attacker and will have to gather information about the target organization without knowing more than its website address. What type of testing methodology best describes the process Henry is using?
Black box. Black box, or zero knowledge, tests are performed as if the tester is an attacker and do not provide prior knowledge about the targets. White box, or full knowledge, tests provide detailed knowledge about the environment or systems. Static tests analyze source code, and Heimdall is a web application dashboard, not a testing method.
Ryan has been asked to conduct a test on an application. He and his team will not be provided information about the application and will have to approach the test like they are external attackers. What type of test is Ryan conducting?
Black box testing. Black box, or zero knowledge, tests provide no information about the application or system. White box, or full knowledge, tests provide full information about the system. Gray box, or partial knowledge, tests provide some but not full information. Blue box and red box testing are not terms used to describe testing.
Susan wants to use cloud storage for her database that is directly connected and low latency and works like a SAN. What type of cloud storage solution should she try first?
Block storage. Block storage works like a SAN (storage area network) or DAS (direct attached storage) and is designed to be low latency and high performance. File storage works like a traditional file share such as a NAS (network attached storage). Object storage is often used for cloud native applications, is massively scalable, and provides deep support for metadata. Smart storage was made up for this question.
Joanna is preparing to brief her customer about potential legal risks of signing a contract with a cloud service. Which of the following is not a cloud‐specific risk she needs to brief her customer about?
Breach of contract.
Which of the following data classification types is not typically used in commercial data classification policies?
Carla's organization has a significant volume of unstructured data in an active data storage area that it needs to protect because the data may contain sensitive information. What can her organization do to improve its understanding and control of unstructured data?
Build a sensitive data catalog and use it to conduct discovery on the unstructured data repository. Carla's organization can build a sensitive data catalog that identifies the organization's sensitive data. The catalog can then be used along with discovery tools to process the unstructured data, allowing the organization to identify much, if not all, of the sensitive data in the unstructured data repository. Since the data storage area is active, encryption at rest will only prevent physical attacks in most cases; the data has to be unencrypted to use, and thus electronic attacks are likely to obtain real data. Hashing does not protect data in this circumstance and would prevent its use. Masking is only useful if you know what you need to mask; you cannot mask an entire unstructured data store and retain usability.
What important information are customer stories used to gather in an agile SDLC?
Business requirements. Customer stories are used to determine business requirements, often through understanding pain points and functional needs as well as exceptions. Recovery time and recovery point objectives are used as part of business continuity and disaster recovery planning, and timeboxes define how long an agile team will work on a specific deliverable.
Kim is responsible for her organization's compliance with PCI DSS. What type of data is she responsible for?
Contractually protected data. PCI DSS is a compliance standard for credit card data, and organizations that process credit cards are contractually obligated to protect it. It is not protected by regulations and is not protected health information or personally identifiable information.
Jen is preparing a container for one of her organization's applications. Which of the following is not part of a typical container package?
A guest operating system. Containers typically contain things like application dependencies, libraries, and configuration files. Unlike a virtual machine, they do not contain a guest operating system.
Annie has set up a system on her network that is intentionally vulnerable and has added monitoring tools so that she can observe attackers and capture tools and techniques that they use. What type of security system has she deployed?
A honeypot. Annie has deployed a honeypot. Honeypots are designed to allow defenders to capture and analyze attack behavior and tools. Tarpits are systems designed to slow down attackers by creating fake networks and services for them to scan. A Trojan is a type of malware, and trapdoor is not a common security term in this context.
Naomi is preparing her organization's disaster recovery plan. Which of the following is not something she would typically need to prepare as part of that planning process?
A legal analysis of disaster regulations. A critical asset inventory, a set of disaster criteria that determine when the organization would declare an event a disaster, a process to declare disasters, a list of essential points of contact, and detailed task and activity lists are all common disaster recovery planning items. A legal analysis of disaster regulations is not typically required.
Barbara has determined that it is acceptable to lose up to 1 hour of business transaction data if an unplanned data loss incident occurs. What has Barbara determined for her organization?
An RPO. Barbara has determined her organization's RPO, or recovery point objective. An RPO is the maximum amount of data loss that is acceptable in a data loss incident. A recovery time objective (RTO) is the maximum amount of time an organization can take to recover, while an SLA is a service‐level agreement that determines acceptable service levels and an MSA is a master service agreement that determines how two organizations will work together.
Maria's cloud service provider promises 99.999 percent uptime and has contractual penalties that will apply if the provider does not meet that standard. What is this type of document called?
An SLA. Maria's cloud vendor provides an SLA, or service‐level agreement, that defines service levels and expectations. A SOW is a statement of work, which defines what will be done for an engagement, and an MSA, or master service agreement, sets the overall terms for two organizations to work together.
Charles wants to use federated identity for his organization and has selected Google as an identity provider. What information will his organization receive from Google when they log on with a Google account?
An authentication validation. Identity providers validate logins through their own infrastructure and provide service providers like Charles with validated authentication, not the password or a hash of the password, thus keeping the account and authentication process secure. That's where the trust in federation comes into play; Charles has to trust that Google is properly authenticating users to its services if he wants to use the service.
Elias uses his Google email address and password to log into a web application provided by a third party. Google provides information to the third party validating that Elias is the person who logged in and that the account is valid. What role is Google playing in this scenario?
An identity provider. In this scenario, Google is acting as an identity provider. The organization providing the application is a service provider and a relying party. Identity brokers integrate multiple identity providers with different service providers.
Jason wants to train his organization's developers on common application security issues. What industry resource could he pick to base his training on?
The OWASP Top 10. The OWASP Top 10 and the SANS Top 25 most dangerous software errors are both widely used in the security industry as foundations for training and awareness about software flaws and common issues. The remaining options were made up for this question.
Elaine wants to use a common industry list of vulnerabilities and issues to help keep her development team informed of cloud application issues. Which of the following could she use to outline common cloud application issues?
The SANS Top 25. Both the SANS Top 25 and the OWASP Top 10 lists would be useful for Elaine. NIST and CSA don't publish lists like these.
Jen wants to ensure that her organization has the capabilities it needs to conduct forensics in its infrastructure as a service hosted data center. If Jen wants to capture memory in an IaaS environment, what will she need?
The ability to capture memory on a per‐instance basis. Since instances are the scope of customer control in IaaS environments, Jen should focus on ensuring she has the ability to capture memory on a per‐instance basis. IaaS providers won't provide access to the underlying hardware, memory mirroring isn't a technique used for capture, and capturing memory to disk typically requires a specialized memory capture tool rather than a command‐line capability.
The service provider that Jim is preparing to sign a contract with notes that it uses cryptographic modules that are FIPS 140‐2 certified. What does Jim know about the organization based on that?
The cryptographic modules have met at least basic security requirements. There are four levels of FIPS 140‐2, but the problem doesn't mention which has been met. That means that Jim only knows that its cryptographic modules have met at least a basic level of security, like using an approved algorithm, but he does not know if there are physical security mechanisms or other features involved. If the service provider identified the FIPS level (1-4) that its devices were certified to, Jim would be able to better understand its underlying technology and security posture.
What cloud term describes the component that allows control of the resource pool, systems, and services inside of a cloud‐hosted environment?
The management plane. A cloud provider's management plane allows the provider to manage the underlying resources and will typically be exposed to the customer in specific ways that allow customers to control their own environments by making requests for resources and services. Hypervisors are the underlying components in virtualization systems, guest operating systems are run on hypervisors, and CCM controllers were made up for this question.
Mike wants to calculate the return on investment for his cloud infrastructure versus his prior on‐premises design. Which of the following elements won't be needed to calculate ROI?
The profit that the systems will generate over time. The ROI of a cloud infrastructure versus an on‐premises infrastructure is calculated by comparing the cost to operate on premises against the cost to move and operate in the cloud. It does not involve profits made from the infrastructure as part of operating a business.
Naomi has been asked to decide whether her organization should build a data center or if they should pay an existing data center to host its servers. What factor is typically the most significant in decisions like this for organizations?
The size and scope of the organization's computing needs. The size and scope of an organization's computing needs, and thus the scope of its hosting needs, is normally the biggest influencer in this decision. Organizations with smaller needs can often save money by hosting with an existing provider, while organizations with significant needs will have other requirements that are likely to make building and maintaining their own facilities the better option.
To whom must breaches be reported under Sarbanes-Oxley?
To auditors. Sarbanes-Oxley requires breach reporting to auditors as well as implementing methods to identify if breaches have occurred.
What is service continuity management's goal in ITIL 4?
To ensure services are restored in agreed‐upon time frames after major service disruptions. ITIL v4's service continuity management process supports business continuity management and ensures services are restored in an agreed‐upon time frame after major service disruption.
What is the key goal of the change management process in ITIL?
To minimize the risk associated with changes. ITIL change management focuses on minimizing the risk associated with changes. That means that organizations can handle more changes, and it isn't directly associated with security incidents related to change.
Gary's organization is writing its procedures for secure data deletion in its cloud environment. What is the only viable method for secure deletion in an infrastructure as a service environment?
Using a crypto‐shredding process. Crypto‐shredding, which involves deleting or overwriting the encryption keys so that the encrypted data can no longer be recovered, is the only viable way for customers to ensure data is securely destroyed in most cloud environments. Physically destroying shared infrastructure isn't something providers will want to do, and both zero‐wiping and deprovisioning cannot be relied on for complete destruction of data.
Chris wants to avoid common vulnerabilities in his cloud application development efforts. Which of the following is not a common vulnerability as defined by OWASP's Application Security Top 10?
Using open‐source software. Using open‐source software is not a common vulnerability. Injection flaws, using components with known vulnerabilities, and insecure configurations are all common vulnerabilities.
Megan wants to validate the open‐source software that she has downloaded for use in her cloud environment. Which of the following is the best technique to validate the software?
Validate using a PGP signature. The best case scenario for Megan is if the software developer digitally signs the software and she can validate it using a signature file, the software, and the developer's public key. Validating the checksum is a common option, but not as secure as a digital signature. Neither scanning for malware nor checking for file sizes will validate the software package effectively.
Dana's organization has built an infrastructure as code-based cloud environment using its cloud provider's APIs and other tools native to the platform. The vendor has instituted significant price increases, and Dana has identified a new risk based on the cost increases and the organization's usage model for the platform. What risk has Dana identified?
Vendor lock‐in. Vendor lock‐in is a significant issue for Dana due to the investment her organization has in using its current vendor's tools. It would take significant time and effort to migrate to another vendor since each vendor‐specific reference or capability would need to be identified and replaced. API keys are not discussed, and there's no indication of a need for data escrow or audit in the question.
After a breach of an organization's cloud‐hosted service, which of the following is least likely to be notified of the breach?
Vendors. Unless there is a notification clause in the contracts requiring customers to notify their vendors of a breach, vendors who sell products to or provide services to an organization are the least likely to be notified after an organization experiences a breach. Customers, partners, and regulators are all commonly notified of breaches.
Kathleen wants to acquire digital evidence in her platform as a service environment. Which of the following artifacts will she be unable to obtain from most platform as a service solutions?
Virtual machine images. Logs are typically available for PaaS systems, but virtual machine images are not available because the underlying systems are shared by customers and provided by the service provider, not owned, configured, or managed by the customer.
What building block technology allows cloud service providers to sell access to shared underlying resources for CPU, memory, networks, and other infrastructure?
Virtualization. Virtualization is one of the underlying technologies that makes the cloud possible. As you prepare for the CCSP exam, remember that you'll need to be familiar with the basics of how virtualization, storage, networking, databases, and orchestration make up cloud infrastructure.
Henry is a software developer at a large company. The company uses an SDLC model in which each stage begins only after the previous stage has been completed. What model is Henry's company using?
Waterfall. Henry's company is using Waterfall, which is a linear development process in which each stage starts after the previous stage is completed. Agile focuses on iterative development processes, which can occur in parallel or as needed for the effort. Spiral combines Waterfall's linear model with iterative components, essentially looping through processes until it is complete. OWASP is not an SDLC model.
Jaime's organization operates an e‐commerce website that uses Azure as its cloud hosting provider. Her website has experienced a data breach and compromise of systems that handle customer data that is hosted in the organization's Azure environment. Which of the following groups is Jaime most likely to notify about the breach?
Customers. In most cases, Jaime's organization will notify customers of the customer data breach. Since no regulated data is mentioned, no breach of Azure itself was noted, and there are no partner organizations in the question, Jaime's primary concern from this list will be customers.
ITIL defines three types of changes. Which of the following is not one of the three ITIL change types?
Disaster response changes. ITIL defines standard, emergency, and normal changes but not disaster response changes.
Vincent's company needs to operate computation and data storage closer to the locations where processing will occur due to specific requirements for latency and response time. What cloud‐related concept should he consider as a potential solution?
Edge computing. Edge computing places computation and storage closer to where data originates or is used. This can reduce latency and improve overall performance while also saving bandwidth. Quantum computing relies on quantum states to perform calculations, allowing for processing that traditional computers cannot perform or improved performance in certain workloads. Blockchain is designed to record information in a way that makes it difficult to falsify. Confidential computing isolates sensitive workloads to provide increased security.
Allison's company is concerned about the impact of privacy laws that have been passed in multiple countries in which her company operates. What should she advise her organization to do to address these new regulations?
Engage expert counsel for each country the organization operates in or conducts business with to review regulations that may impact the company. The best option Allison's company has is to engage expert counsel to review each country whose laws it may have to comply with. It is often impossible to simultaneously comply with every law in every country since laws may conflict. While it helps to prioritize compliance, the first and most important need is to understand what compliance needs to involve. Finally, selecting a data haven and operating there will not make her organization compliant!
Susan knows that the privacy laws that impact her company based in the European Union are different from the privacy laws in the United States where her organization frequently conducts business. What should Susan do to handle this conflict?
Engage expert counsel to provide advice on compliance. Engaging expert counsel to determine the best path forward when dealing with complex legal situations is the best answer available to organizations like Susan's.
Amanda's organization has very specific audit requirements it needs to meet. What process should she use to ensure that her organization's use of the cloud meets those requirements?
Ensure the service provider can meet the audit requirements before engaging with them. Amanda needs to ensure that her organization selects a vendor who can meet its requirements before moving its services to that vendor's environment. Auditing after the fact won't ensure that it can be compliant.
Ed's organization is preparing to move to a cloud service provider's environment. He wants to ensure that the provider is using strong encryption and wants to identify a common industry standard to require his vendors to meet. Which of the following standards should he select?
FIPS 140‐2. Of the answers listed, FIPS 140‐2 is the only standard that deals with encryption. Ed should select FIPS 140‐2.
Angie logs into her service provider's web portal using her Facebook account and password. She knows that Facebook is providing an authentication token to the service provider that ensures that she's the proper account user. What type of IAM solution best describes this?
Federated identity. Angie is using federated identity, where an identity provider (Facebook) authenticates her and certifies that the account belongs to her. Her service provider relies on that assertion and then grants her permissions and access based on what it has assigned her account in its environment.
Jaime is able to log into the web purchase portal provided by one of her vendors with her company's credentials. What type of technology is in place to allow her to use her credentials through other service providers?
Federated identity. Federation allows service providers to rely on an identity provider, in this case Jaime's company, to authenticate users and provide an authentication confirmation or token. They can then authorize users to use their service. Multifactor authentication is not mentioned anywhere in the description, no secrets are described, and a CASB is used to apply security policies to cloud services.
James wants to protect the APIs that his organization exposes to customers. What API security best practice should he implement to help prevent resource exhaustion based denial‐of‐service attacks?
Filter API requests to only trusted entities. Filtering API requests to only trusted entities is the ideal answer, but often organizations may need to throttle requests if they have an open API. Encryption won't prevent attacks or issues like that, nor will logging or testing.
Which of the following pairs of network security controls provide the same functionality?
Firewalls and security groups. In most cloud environments, firewalls and security groups provide the same functionality.
Nina's organization has determined its RTO. Which of the following is an example of an RTO?
Four hours of outage time. A recovery time objective (RTO) is the maximum amount of time that an organization can take to recover. A four‐hour outage is an example of an RTO. Data center and backup options are not RTOs. The amount of data lost is an example of an RPO, or recovery point objective, however.
Ian wants to check on the network bandwidth utilization for his cloud IaaS server because he knows that costs are often driven by utilization. Where is the best place for him to monitor this?
From the cloud provider's console, since most billed traffic in cloud environments is traffic destined for the internet. If Ian is worried about cost, his first step should be to understand his cloud provider's billing policies and what traffic is billed. In most IaaS environments, traffic is billed when it leaves the provider's own internal networks, so Ian's best bet is to look at the console to see how traffic is being billed.
Integration testing and regression testing are both examples of what type of testing?
Functional testing. Both integration testing and regression testing test the functionality of software and are thus functional testing. Nonfunctional testing like load testing or stress testing focuses on performance instead of functionality. User acceptance testing validates whether users are able to successfully use the software, and security testing tests the security of the software or application.
What type of QA testing uses the specifications of the software as part of the testing, including what outputs it should produce in a given situation?
Functional testing. Functional testing is part of a quality assurance process that validates the expected functionality of a software package or application. Nonfunctional testing includes things like performance, scalability, and usability. Both static and dynamic testing can involve more than QA. Static testing focuses on the code of the application, while dynamic testing is done with the running code.
Jason operates services in multiple parts of the European Union. What regulatory standard related to PII is he likely to have to comply with as part of operating his service?
GDPR. The EU's General Data Protection Regulation, or GDPR, regulates data privacy and protection. HITECH is a U.S. law. GAPP, or Generally Accepted Privacy Principles, is used by accountants and CPAs to help manage privacy. PIAs, or privacy impact assessments, are assessments done to determine privacy impact.
Joanna's organization uses a security baseline for its servers and wants to determine how different the current server configuration for its servers is from that baseline. What is this process called?
Gap analysis Gap analysis involves checking for differences between a baseline and the current configuration of a system, software, or service. Dynamic and static testing are software testing options, and vulnerability scanning may identify vulnerabilities that indicate differences from a baseline, but it doesn't fully cover validation of baseline configurations against current state configurations.
Juan is using a cloud baseline security standard to help ensure the systems he is responsible for are secure. As he checks the machines, he determines where their configuration does not match the baseline. What is this process known as?
Gap analysis Juan is conducting a gap analysis from the baseline to his current configuration. This may be done as part of an audit, but the most accurate answer here is baselining.
Megan's organization is a healthcare provider and operates its infrastructure and systems in a cloud environment. Which specialized compliance requirement is it most likely to have to meet from the following list?
HIPAA HIPAA, or the Health Insurance Portability and Accountability Act, specifically covers health plans, healthcare providers, and healthcare clearinghouses. NERC is the North American Electric Reliability Corporation, CIP stands for Critical Infrastructure Protection, and the relevant compliance requirement is NERC/CIP. CSPOT was made up for this question.
What specialized compliance requirement was updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act?
HIPAA The HITECH Act updated HIPAA, adding new requirements for healthcare providers, clearinghouses, and insurance providers.
Rich wants to deliver MFA codes to his organization's superusers in the most secure way possible. Which of the following MFA code delivery options is the most secure?
Hardware device (token) based delivery of codes A hardware‐based token is the most secure way to deliver codes. After that, phone applications are next on the list, although they are less secure because phones can be compromised. SMS and phone call delivery both suffer from the potential for on‐path attacks, SIM swapping, or VoIP call redirection. Rich should select hardware‐based tokens for his organization and ensure that his superusers keep the tokens secure and report any losses immediately.
What common best practice helps to ensure that data center locations do not lose connectivity in the event of an issue?
Having multiple internet service providers with different physical paths Using different internet service providers and ensuring that connections to those ISPs use different physical paths is a common best practice to ensure that an outage or damage to cables along a path does not disrupt data center operations. Using different media types like fiber or coaxial cable and using different internet protocols are not common best practices.
Quentin's organization has locations in both Germany and the United States and is concerned about data security and handling requirements differences between the two countries. Which of the following options will best help Quentin to ensure his organization is compliant with the requirements if data is captured in Germany and stored and processed in the United States?
Hire expert counsel to review requirements Quentin's best option from the list is to hire expert counsel to review the requirements and advise his organization about what compliance requirements need to be met. Complying with the requirements of either country alone is unlikely to be sufficient, particularly because of the GDPR. Establishing internal policies without regard to the data‐handling requirements of either country will also result in compliance issues.
What common cloud design pattern is used to handle environments that need to quickly scale up as service demand changes using many small systems?
Horizontal scaling Horizontal scaling describes using more machines rather than the larger machines used in vertical scaling. Both rely on multitenancy and tenant partitioning, but neither of those terms describes this scaling process.
Ujama has been asked to conduct a privacy impact assessment (PIA) for his organization. Which of the following will not be analyzed by a PIA?
How data ownership is decided Privacy impact assessments look at how personally identifiable information (PII) is collected, accessed, used, shared, safeguarded, stored, and maintained. It does not specifically include how data ownership is maintained.
Nina is preparing for e‐discovery in her cloud environment. What important planning should she undertake if her organization stores its business documents, records, and files in its cloud provider's data storage service?
How to identify documents based on a discovery or legal hold request Nina's first concern for discovery and legal hold scenarios is if she can identify the data that the hold request or discovery requires. Providers and law enforcement being able to access documents is a security concern, but not a direct issue related to discovery, and sensitivity tagging or ratings doesn't influence discovery or holds.
Mike is designing his organization's business continuity and disaster recovery plans. What should the first priority be in his organization's BC and DR plans?
Human safety The first priority of any business continuity or disaster recovery plan should always be human safety.
Allison wants to use a security baseline as part of her hardening process for Windows servers. Which of the following organizations doesn't provide reliable, industry‐accepted baselines?
ISO While the International Organization for Standardization, or ISO, provides standards for many things, there is no ISO standard for Windows server security. The Center for Internet Security, Microsoft, and the National Institute of Standards and Technology all provide Windows server security baselines, among others.
Selah wants to implement an information security management system following a commonly accepted standard. Which of the following could she adopt as a foundation for her ISMS?
ISO 27001 ISO 27001 defines an information security management system. ISO 27002 covers guidelines for implementing, maintaining, and improving information security management. NERC/CIP is the North American Electric Reliability Corporation Critical Infrastructure Protection standard. ISAE is the International Standard on Assurance Engagements, an audit standard, but it does not use an 800‐91 designation.
Susan wants to perform data discovery on a large dataset stored in her cloud provider's long‐term storage environment. What concern should she express about data discovery processes against a dataset like this in an environment like Amazon's Glacier storage?
Long‐term storage often de‐prioritizes rapid access, and discovery will be slow and potentially expensive Long‐term storage de‐prioritizes rapid access like the patterns typically associated with data discovery, which means the work that Susan wants to accomplish will be slow and potentially expensive due to the access patterns used by data discovery tools. Backup and long‐term storage can typically be accessed by tools, but this isn't an ideal or potentially even practical use of the storage. Long‐term storage is not designed for rapid access, and metadata can still be discovered by accessing files regardless of the storage type.
Jack wants to correlate audit events between his on‐premises data center SIEM and his cloud SIEM. How can he best ensure his ability to correlate the events?
Make sure that both systems have their time servers set correctly One of the simplest but most important elements in log correlation is ensuring that time stamps are correct. That means that both systems need to have their time servers set correctly and working—if not, an event that happened at 7 a.m. may appear to have happened at 8 a.m., making the correlation between the events never happen. Using the same SIEM product may help, but time stamps are still more important. Forwarding all logs is costly and leads to duplicate alerting. Log code correction was made up for this question.
Gary wants to analyze data stored in an object‐based datastore hosted with his cloud provider as part of a forensic analysis due to a breach. What typical forensic action will he be unable to take?
Making a binary copy of the volume Since object stores are not hosted in a single volume or drive, Gary won't be able to make a binary copy of the volume the files are stored in. Fortunately, many other forensic techniques that look at files and metadata about the files like creation, change, and deletion times are likely to be feasible.
Lara is testing the stability and performance of her organization's new software. What term best describes this type of testing?
Nonfunctional testing Testing stability, performance, and other quality‐related items is an example of nonfunctional testing. While this is also likely to be a type of dynamic testing using running software, the question does not specify whether testing is run against live software. Static testing focuses on source code, and functional testing tests exactly what it sounds like, the function of software.
Selah's organization has strict chain of custody requirements when handling audit logs. Why is chain of custody important for audit log information?
Nonrepudiation Chain of custody is an important component of the ability to provide nonrepudiation of data events. If the data has been secure and provably unmodified, and the chain of access and transfer can be proven, the event information can be used in court or internal investigations.
Joanna is carefully documenting the chain of custody for forensic artifacts captured from a compromised system in her cloud‐hosted data center. Why would Joanna document a chain of custody during a forensic investigation?
Non‐repudiation Joanna is focusing on ensuring non‐repudiation of her forensic data by maintaining a well‐documented chain of custody. Chain of custody is not used to ensure geolocation or legal hold compliance, and cloud vendors do not typically require chain of custody documentation as part of their contracts with customers.
A member of Naomi's team has expressed a concern about her organization's use of encryption due to the potential for quantum computing breaking the encryption. What should Naomi do to address this concern?
Note the concern and remain aware of quantum computing developments, but do not take any immediate action While it may be surprising, quantum computing has not yet reached a point where quantum cracking of encryption is a current issue or even one that will occur in the immediate future. That means Naomi should take note of the concern and remain aware of the current state of quantum computing technology and encryption cracking. Increasing key length may not have a meaningful impact once quantum encryption cracking is available, and decreasing key length will definitely not help! Finally, hashing is not reversible, meaning that it does not fulfill the same function as encryption and cannot be substituted for it.
Shelly's organization operates in multiple countries and uses a cloud service provider with a multinational infrastructure to support its operations. Shelly's organization is therefore subject to laws and regulations in each of those countries. Some of the regulations conflict with different requirements for each. Which of the following is not a way that Shelly can approach dealing with the issues?
Operate under the laws and regulations of the organization's home country In situations like this, there is often not a perfect answer, but simply operating under the laws of Shelly's home country does not address any of the risks involved with conflicting regulations. While Shelly's organization should seek legal advice, limiting data handling and processing is a common strategy when regulations conflict. Organizations often accept some risk when dealing with conflicting regulations but minimize it by identifying the strongest requirements across the conflicting regulations and meeting those.
Angela is following the OWASP secure coding practices checklist. Which of the following is not an item on the checklist?
Output validation The OWASP secure coding checklist includes a long list of items, but validating output is not a typical practice. Instead, it points to output encoding, which ensures that output is properly encoded and sanitized and that it is created on a trusted system. Input validation, session management, and access control are all legitimate items from the checklist.
Joanna wants to adopt a risk‐centric model for assessing threats. Which of the following models should she adopt?
PASTA PASTA (Process for Attack Simulation and Threat Analysis) is a risk‐based threat modeling framework. STRIDE focuses on threats, ATT&CK is a framework used to describe adversary tactics, techniques, and procedures, and CAKE is not a threat model or framework.
James has adopted a seven‐step, risk‐centric risk modeling methodology. Which of the well‐known threat modeling methodologies is he using?
PASTA PASTA, or the Process for Attack Simulation and Threat Analysis, is a seven‐step process that defines objectives, defines technical scope, decomposes the application, analyzes the threats, performs vulnerability analysis, performs attack analysis, and finally, performs risk and impact analysis.
Gary has been tasked with validating his cloud service provider's compliance with common compliance requirements. What standard should he ask about if he wants to ensure credit card processing security requirements can be properly met?
PCI DSS PCI DSS covers credit card handling security. NIST 800‐53 addresses security and privacy controls, but not credit card data. GLBA is a U.S. law that covers financial institutions and how they protect customers' data, and ISO/IEC 27017 covers cloud computing.
Chelsea wants to use a cloud service to provide a customer relationship management (CRM) system. She wants to have significant control over the configuration and customization of the system but does not want to operate underlying hardware or operating systems. What cloud service model should she select?
PaaS Chelsea's design requirements match a platform as a service environment; the provider delivers an environment where the customers can configure the service but does not run systems. This provides more control and flexibility than SaaS but not as much control as a full independent infrastructure as a service, or IaaS, environment. Finally, IDaaS is identity as a service.
Erica wants to test her organization's disaster recovery plan. Which testing model provides the most complete test with the lowest chance of inadvertent outages?
Parallel testing Parallel testing allows for a nearly complete test without creating the potential for an actual interruption that full interruption testing includes. Walkthroughs and checklists don't attempt to validate technology and are process driven instead.
Isabella's organization wants to store its data in a long‐term archival storage solution provided by its preferred cloud vendor. What process action should her organization perform to ensure that its business continuity efforts are successful when working with archival cloud storage?
Periodic testing of retrieval capabilities A key practice to ensure that organizations can retrieve data needed for business continuity efforts is to test the retrieval process. Data labeling helps with data security and other efforts, but isn't key to business continuity. Retention periods also help with security, but they also ensure that organizations don't keep data that they shouldn't. Finally, archival storage is an appropriate solution for long‐term storage.
Chloe's organization has adopted a platform as a service tool. Chloe wants to outline which components her organization will be responsible for and which the PaaS vendor will be responsible for. Which services is the service provider responsible for?
Physical security, infrastructure security, and platform security PaaS vendors are typically responsible for physical security and infrastructure security and hold shared responsibility with customers for platform security.
In a platform as a service environment, which of the following is typically a shared security responsibility between the customer and service provider?
Platform security In a PaaS environment, security, risk and compliance, data security, and application security are all the responsibility of the customer. Platform security is a shared responsibility, and infrastructure and physical security are the responsibility of the service provider.
Keith is considering operating his organization's cloud services in a multi‐cloud design. What consideration from the following list should he be most concerned about if he wants to use the same infrastructure design implementation in both Azure and AWS environments?
Portability Keith should be concerned about the portability of his design and implementation between the two major cloud providers. Since each uses its own APIs and tools, Keith will have to design his environment to use the same tools without relying heavily on those built‐in tools, or he will have to build the components that rely on each vendor's proprietary tools to work in both environments, meaning that his implementation will not be fully portable.
Jason's organization is designing its cloud‐based business disaster recovery plan. Its chosen cloud service provider provides both availability zones (AZs) and regions for customers. What should Jason's plan include to prepare for a hurricane impacting the region hosting his services?
Prepare to move services to another region in the event that a major disaster impacts their primary region Jason is preparing for a major disaster rather than a business continuity and availability concern. That means he should be prepared to move services to another geographic region in the event that his region suffers significant damage or outages due to the natural disaster. Regions contain multiple availability zones, and customers often balance services across multiple AZs, but large‐scale disasters mean that Jason should be considering a move to a region that is not impacted by the disaster.
Ben has deployed virtualization and other tools to multiple data centers where his organization hosts servers. The tools allow his organization to quickly stand up new services and to provide cloud services throughout the organization. What model of cloud use is Ben's organization using?
Private cloud Ben's organization has built a private cloud, an organization‐owned and ‐managed cloud service. Public clouds are hosted for many users as part of a business, hybrid clouds are often run onsite and offsite, and multi‐cloud environments involve multiple cloud vendors.
Julia is the CIO of her organization and wants to use a cloud to handle large‐scale data processing. She has a large budget and wants to control her cloud to allow her to use custom hardware and to choose where her cloud service locations are to match customer locations. What type of cloud design should Julia direct her organization to take?
Private cloud Private clouds are often used when organizations have large budgets, specialized needs, or large‐scale computational, storage, or other requirements and want to control their cloud infrastructure completely. Facebook and Dropbox are examples of organizations that built their own clouds to meet their specialized needs.
Ben is writing his organization's problem management process based on ITIL v4. Which of the following is not one of the three phases in an ITIL‐based problem management cycle?
Problem occurrence The ITIL problem management process involves three phases: problem identification, where problems are identified and logged; problem control, where analysis and documentation occurs; and error control, which seeks to handle known errors and potential permanent solutions.
Zoe's organization is deploying an information rights management system. She has already ensured that data labels and classifications are in place. What important task should she address next to ensure that data can be used by the proper staff members?
Provisioning Zoe knows that she needs to identify roles and groups and then provision the staff members who need data access with appropriate rights so they can perform their work. Assigning data stewards, custodians, and other data roles helps with overall data management but is not required for an IRM to work. Issuing certificates will typically be part of the provisioning process itself.
Bruce wants to identify any cloud‐specific risks to his software. Which of the following risks is most often associated with cloud services instead of software development in any environment?
Publicly open storage buckets In general, storage buckets are more commonly associated with cloud services than on‐premises environments. Issues related to cloud service providers, including misconfiguration of services like storage buckets, set cloud development apart from on‐premises software development and deployment.
Jason is concerned about the impact of developing technologies on his organization's current practices. He has identified the encryption at rest of his data as a potentially impacted area. Which of the following developing technology areas is most likely to create security concerns for his 256‐bit AES‐based encryption at rest solution?
Quantum computing Quantum computing has the potential to invalidate current encryption technologies. Fortunately, while Jason may want to identify this as a risk, it should be far enough in the future to allow Jason to continue to operate with industry standard best practices as he is currently doing and to address the potential problems caused by quantum computing at a date in the future.
Hannah wants to follow ITIL practices for release and deployment management. Which of the following is not an objective of release and deployment management under ITIL?
Securing releases ITIL's release management process focuses on the release itself—creating, testing, verifying, and deploying them—but it doesn't focus on security specifically.
Angie wants to use an information rights management tool to protect organizational data using certificates. Which of the following is not a typical use of certificates in an IRM environment?
Security devices User certificates are used to identify users; computer certificates are used to identify computers and devices; and content certificates are used to encrypt content. Security devices are not a typical use of certificates in an IRM tool.
What cloud security capability is best compared to a firewall?
Security groups Security groups work much like firewalls using rules to allow or prevent traffic from moving through a cloud environment. IAM roles focus on user permissions; distribution groups are groups of users, computers, or other entities used to send email to those groups; and WAFs, or web application firewalls, are used to protect web applications.
The company Kim works for is preparing to lease space in a data center. The data center sells space by the rack to customers, with multiple data center bays filled with racks at the provider's site. Which of the following security controls is not one that Kim should look for in a shared‐space data center environment like this if they are looking for a high‐security environment?
Shared racks with per‐customer system labeling Shared racks cannot be appropriately secured in an environment like this, and Kim's company is looking for a high‐security environment. Dedicated physical space would be even more ideal, but many organizations cannot afford the expense of their own dedicated space, resulting in locked, per‐customer keyed racks and appropriate monitoring and access controls being needed for secure, shared data center environments.
Which of the following is not typically considered a key cloud computing characteristic?
Single tenancy The CCSP Exam Outline (Candidate Information Bulletin) focuses on a few specific characteristics of cloud computing, including on‐demand self‐service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, and measured service. Single tenancy is not a common characteristic of cloud computing.
Frank wants to conduct a STRIDE assessment as part of the threat modeling phase of his organization's SDLC. Which of the following is not a threat STRIDE considers?
Social engineering STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Social engineering is not considered in the STRIDE model.
Mackenzie uses Dropbox's storage for her organization and wants to categorize the service. Which of the following models best describes Dropbox?
Software as a service Dropbox is a software as a service (SaaS) model for cloud storage.
Derek's organization operates in a cloud software as a service environment. When data is deleted, what is the best option that is typically available to SaaS customers to ensure media containing data is properly sanitized?
Software as a service providers do not provide access to the underlying storage in a way that allows customers to erase data. If Derek wants to ensure this, his best option is to ensure that the SaaS provider uses internal processes that include cryptographic erase for customer data and that data security practices are included in a service‐level agreement and/or the contract with the service provider.
Valerie has stored her organization's information in a database. Which of the following terms best describes data in a database?
Structured data Databases are an example of structured data. The data in a database could be labeled or tagged, but that's not necessarily always the case. Semi‐structured data applies some structure, like the structure found in HTML and XML.
Jim wants to digitally sign a file. He signs it and sends it to Kathleen, who wants to validate his signature. What key does she need to validate his signature?
Jim's public key Kathleen needs Jim's public key to validate his signature.
Yariv is operating an ITIL compliant configuration management practice. What term describes a database that stores configuration records in a configuration management practice?
A CMDB CMDBs, or configuration management databases, are used to store configuration records as well as to document the relationships between configuration items like systems and services. A CI is a configuration item. A DML is a definitive management library, which contains the official versions of configuration items, documentation, and software. Service asset libraries were made up for this question.
Lynette wants to detect SQL injection attacks against her database service while also monitoring the activities of privileged users. What tool can she use to best meet both of these needs?
A DAM A database activity monitoring tool can monitor for queries that do not match baseline activity and thus may be SQL injection attacks, and it can also help to monitor privileged user accounts' access to the database. An IPS or an IDS can monitor for SQL injection, but neither is designed to monitor for privileged use in databases. DAF was made up for this question.
Mark wants to ensure that sensitive information that his organization acquires from customers is not inadvertently sent out of his organization while also ensuring that attackers cannot easily exfiltrate data from his servers. What type of solution should he look for to help meet this need?
A DLP system Mark should identify and use a data loss prevention (DLP) system and ensure that his data is properly classified and tagged to help ensure that sensitive data does not leave his organization.
Antonio's company wants to enter a long‐term contract with a cloud services provider. What type of agreement should it use to establish the terms under which both organizations will work together so that they can easily engage further in the future?
A MSA Antonio should make sure his company signs a master service agreement, or MSA, with its chosen service provider. It will provide the underlying terms for future contracts, which will likely use a statement of work, or SOW. It may establish a SLA, or service‐level agreement, that lists the performance requirements for services. A nondisclosure agreement, or NDA, protects information either company (or both) wants to stay secure.
Tara wants to ensure that the vendor she is working with will meet uptime requirements that her organization needs to meet to satisfy customer expectations. Which of the following should she insist the vendor sign?
A SLA An SLA, or service‐level agreement, sets out the performance standards for a contract or service agreement. Tara can ensure the SLA signed with her organization meets her organization's needs. A nondisclosure agreement, a master services agreement, and a statement of work are not typically used to set performance terms as an SLA does.
Meena needs to document what a contractor will do as part of an engagement, including project deliverables, timelines, and the payment terms and conditions. What type of document could she use to accomplish this?
A SOW A SOW, or statement of work, is used to describe a project's or effort's requirements, including the work that will be performed, project deliverables, the timeline, payment terms and conditions, and other details about how the work will be done. An NDA is a nondisclosure agreement; an MSA is a master services agreement, which is the document that describes how organizations will work together over time through terms and conditions; and an SLA is a service‐level agreement used to define what service levels will be.
Theresa wants to ensure that her data center has appropriate power protection. Which of the following should she ensure is in place to handle brownouts and other short power outages?
A UPS A UPS, or uninterruptible power supply, provides power during short power outages while also preventing power spikes and other irregularities from impacting protected systems. A UPS can provide time for a generator to start. Multiple power providers can experience outages at the same time. Surge protectors cannot provide power; they simply stop surges.
Isaac wants to add a layer of protection for his web applications that are hosted in an IaaS cloud environment. If he wants to use rules that support the OWASP Top 10, what type of device should he deploy to protect against that list of common exploits and vulnerabilities?
A WAF Isaac's best option would be to deploy a web application firewall (WAF). Many WAF services and devices have built‐in rulesets designed around the OWASP Top 10 among other common issues and vulnerabilities. A database activity monitoring (DAM) tool would be better suited to database security and monitoring, an API gateway helps to secure programmatic interfaces to data, and XML firewalls focus on filtering XML requests.
Scott wants to securely store his organization's secrets, including encryption keys and certificates. What service should he ask his cloud provider about?
A cloud HSM A cloud hardware security module (HSM) is the best option amongst those listed to create, store, and manage secrets, including keys and certificates.
Hui wants to test her organization's business continuity plan and wants to simulate an actual issue as closely as possible. What type of test should she conduct?
A simulation A simulated exercise is the most similar to an actual event, including real‐life recovery actions. Hui should run a simulation once she's sure that her organization understands the potential impact and time commitment that a simulation can involve.
Jocelyn wants to create, store, and manage encryption keys and certificates in her environment. If she wants to use the most secure environment possible, what type of service should she look for from her potential cloud service vendors?
A cloud HSM Hardware security modules, or HSMs, are the most secure option for creation, storage, and management of encryption keys and certificates, so Jocelyn should look for an HSM service to meet her needs. A TPM is a Trusted Platform Module and is used to support secure boot and platform attestation on hardware devices. PGP key servers are used to publish public keys, and TLS key services were made up for this question.
Kim wants to enforce her organization's security policy on activities in her cloud infrastructure and applications. What type of tool can she put in place to most effectively perform this task?
A cloud access security broker A CASB, or cloud access security broker, is an on‐premises or cloud‐based system that sits logically between on‐premises users and cloud applications and systems. It monitors activity and enforces security policies and would meet Kim's needs. Federated identity is used to allow users to use the same credentials for multiple services, policy‐based IPS systems are used to detect and block attacks, and cloud enforcement gateways were made up for this question.
Felix wants to find a company that can help him with the complex relationship they have with AWS. He is primarily focused on contractual concerns and ensuring the service is delivered to his organization's needs. What third party should he choose to help with this?
A cloud broker A cloud service broker manages the relationship between a cloud service provider and its customers. That can include providing services, ensuring that customers are able to use the services, and ensuring that the service performs as expected for them. Brokers typically work closely with a service provider and can leverage bulk purchases and agreements, optimize costs, and provide other capabilities. Providers deliver the underlying cloud services, and regulators are responsible for ensuring that legal or other requirements are met. While partners and brokers can be similar, partners tend to be more implementation oriented instead of contract oriented.
The college that Jack works for is one of a group of institutions that have established their own cloud environment. The institutions share in costs and administration. What type of cloud environment is Jack operating in?
A community cloud Jack is operating in a community cloud—a private cloud that is run by multiple organizations. Hybrid clouds operate both in private and public cloud environments, public clouds are available to customers, and private clouds are run by organizations for their own use.
Gurvinder manages the databases for his organization, and in his role he and his team are tasked with ensuring that personally identifiable information in the databases is properly protected. What data role does Gurvinder hold?
A data custodian Gurvinder is a data custodian and controls the technical environment where data is handled. Thus, he is responsible for the safe handling of data as well as proper implementation of business rules. Data stewards are responsible for oversight of data, data owners make decisions about who can use data and how it is used, and data controllers determine why and how personal data is used.
Isaac wants to document how a web service transfers information to his web servers from application servers via APIs and how the application servers retrieve data from a MirandaDB cluster. What type of documentation should he create?
A data flow diagram Data flow diagrams are used to document where and how data flows through systems and services. Isaac should create a data flow diagram to document his environment. Data dispersion diagrams and data storage diagrams were made up for this question, and the data lifecycle is just that, a cycle, and isn't useful for this type of systems documentation.
Helen wants to build a service catalog based on ISO 20000‐1. Which of the following is not an item that would be included in the service catalog according to the ISO 20000‐1 standard?
A list of alternative products A list of alternative products isn't part of the ISO 20000-1 service catalog recommended contents. It does recommend a description of the service, service-level definitions (service targets), contacts related to the service, support hours, security requirements and issues, and dependencies on other services. Questions like this may initially throw you for a loop; you may not have read the entire ISO 20000-1 standard, but this isn't necessarily a memorization question. Instead, focus on what you know about service management and what would reasonably be included.
Jason's organization has adopted a cloud IaaS provider, and Jason is learning about how resilience is designed into cloud hosting environments. How would you describe an availability zone to Jason?
A physically separate location within a region designed to be tolerant of local failures like power or connectivity Availability zones are generally separate locations inside a region, designed to be tolerant of local failures like power, cooling, or connectivity. Multiple availability zones make up a region, which is a larger geographic area.
What term does ITIL v4 use to describe a cause or potential cause of one or more incidents?
A problem ITIL v4 uses the term problem to describe a cause or potential cause of one or more incidents. Problem management then works to reduce both the likelihood and impact of incidents by working to identify why they happen, or why they might happen. It then involves managing workarounds and known errors, which are problems that have been analyzed but not resolved.
Damian's manager has asked him to prepare a service continuity management process based on ITIL. What will Damian build?
A process to ensure that services are restored in a timely manner after a major disruption ITIL's service continuity management process supports business continuity management with the goal of ensuring that services are restored within a defined timeline after major disruptions.
Melissa's organization has deployed a web application to its infrastructure as a service cloud provider's service. She wants to protect against the OWASP Top 10 security risks. What type of service would best help her protect her organization against those risks?
A web application firewall The OWASP Top 10 focuses on web application security issues, meaning that Melissa should adopt a web application firewall to offer a broad range of protection. In fact, many WAF services have rulesets specifically designed to protect against the OWASP Top 10. An API gateway is useful for controlling and managing API requests, a database activity monitoring tool does just what its name suggests, and an XML firewall would be most useful in an environment that relied heavily on XML and needed additional protections, specifically against XML‐based attacks.
Steve's organization is using an SDLC that includes sprints as part of its development process. What SDLC is Steve's company using?
Agile The agile SDLC model includes short working cycles known as sprints to get work done. Other common agile terms include timeboxing, planning poker, and user stories.
Isaballe is using a community standard for secure coding that uses three levels of security verification. What standard is she using?
ASVS ASVS, or the Application Security Verification Standard, consists of three levels of security verification, from Level 1's low assurance level that can be done entirely through penetration testing to Level 3's critical applications security validation that requires in‐depth validation and testing. Each ASVS category includes numbered requirements, whether each requirement is required for each of the three levels, and a CWE number if the issue is identified in the CWE listings.
As part of their security testing process, Jacob's team intentionally attempts to break software as an attacker would. What type of testing is his team conducting?
Abuse case testing Abuse case testing is intended to replicate an attacker's or malicious actor's likely actions against a software package or application. Use case testing is designed to simulate normal use. Dynamic testing is done live with software, while static testing looks at the code of the software itself.
Valerie wants to identify the threats that she should focus on versus those her cloud service vendor is responsible for. In an SaaS environment, which of the following threats does she need to take responsibility for addressing?
Account credential security SaaS vendors have broad responsibility for the services they provide, including securing the services and architecture of the environment. Valerie knows she needs to be responsible for the security of credentials, including passwords and multi‐factor authentication tokens and applications.
Ben has revoked a number of certificates used in his web services environment and wants to ensure that end users do not continue to trust them. What should he do to ensure that the certificates are properly invalidated?
Add them to a certificate revocation list Certificates that are revoked before their expiration should be added to a certificate revocation list (CRL), so that clients that check the CRL (or an OCSP responder publishing the same revocation status) can see that the certificates are no longer trusted. Emailing users, replacing the certificates with new certificates, and setting expiration dates do not properly accomplish this task.
Which of the following is not a common reason that organizations retain data past their normally defined data retention policies?
Backups Organizations may be required to retain data longer than defined in their data retention policies because of regulations and laws, legal holds, and contractual requirements. Retaining information longer than defined in policy due to backups is a failure to implement organizational policies.
A vulnerability scan that Melissa recently ran showed that a system was vulnerable despite a recent patch that was supposed to fix the issue. What should she do?
Check to ensure the patch is installed and mark the vulnerability as a false positive Validating that a patch was properly installed and then marking the finding as a false positive is common practice in situations like this. Scanners that rely on reported version numbers can flag a system even when the fix is in place, for example when a vendor backports a fix without changing the version string. Disabling the detection would cause other issues to be missed, rebooting a system might help in rare cases (such as when a patched service has not yet been restarted), and ignoring the report is not a safe option!
James has hired a third‐party auditor to assess his company's hybrid‐ cloud environment. What restrictions are likely to exist for audits in this type of scenario?
Cloud providers often do not allow customers to audit their facilities and underlying infrastructure James knows that when organizations create their audit plans, they need to account for limitations in the contracts they have signed with third‐party service providers like cloud service providers. Many cloud service providers do not allow organizations to independently audit their systems, facilities, or infrastructure. That means that James may need to rely on existing third‐party audits provided by the service provider.
Olivia wants to control access to cloud services used by her on‐premises users. Which of the following tools should she select if she wants a policy‐based tool to meet those needs?
CASB A cloud access security broker, or CASB, is a tool specifically designed to control access to cloud services. It can be deployed on premises or in the cloud and allow policy‐based settings to be enforced when users attempt to use cloud services. A SIEM is a security information and event management tool, the Cloud Security Alliance (CSA) provides best practices and certificates for cloud use, and an intrusion detection system (IDS) can detect access attempts but can't stop them or control them and is not designed to control access in a comprehensive way.
Which of the following are you typically able to monitor in an infrastructure as a service environment?
CPU load Infrastructure as a service environments don't allow the same level of hardware monitoring as a traditional hardware environment. Since hardware monitoring is handled by the provider, CPU usage, memory usage, and disk utilization are some of the remaining things that customers can monitor.
Helen's organization has experienced a compromise of a system running in a VMware environment. What method can her team use to capture a forensically sound image, including the memory state, of a running virtual machine?
Capture a snapshot A snapshot of a running virtual machine can be used as a forensically sound image and will meet Helen's needs. Backups do not capture memory state, and incremental backups don't capture the full system. Shutting down the machine will also lose memory state.
Kathleen's organization has decided to create a security operations center. Which of the following is not a typical task taken on by a SOC?
Communicate with organizational customers about security events Security operations centers typically focus on detecting, analyzing, preventing, and responding to security incidents. Direct communications with customers is typically handled by a communications team or organization rather than by SOC analysts.
What external requirement drives many data retention policies?
Compliance requirements Compliance requirements often drive data retention policies and may require specific timeframes for retention. Once compliance requirements have been met, considerations like business needs and the potential for litigation come into play, but legal holds don't drive retention policies; they merely require the organization to retain data for the hold, not as a matter of ongoing policy. Neither business continuity nor disaster recovery drive most retention policies. Instead, business continuity and disaster recovery are likely to drive technical design and procedures to ensure data is available.
Chris is working to ensure that physical access to systems in a shared service data center is secured. Which of the following is commonly used to ensure that customers don't access systems that aren't theirs?
Console‐based access mechanisms Securing console‐based access is a common security method in shared‐service data centers where customers may have access to console systems. RDP and SSH are remote access methodologies rather than physical access methods, and jumpboxes are deployed in data centers to allow access from logically lower security zones to higher security zones, not to prevent physical access issues.
Michelle wants to run applications on a shared operating system, using shared binaries and libraries but with separate environments for each application. What type of technology should she select to meet her needs?
Containers Containers run on an underlying operating system, and share binaries and libraries but provide separation for applications. Virtual machines run their own distinct operating systems on top of a hypervisor and underlying hardware. A sandbox is an isolation environment intended to allow safe execution of code for study or testing. Honeypots are security tools designed to allow defenders to observe attackers and attack methodologies in an intentionally vulnerable system or simulated system.
Bob's organization uses Amazon's S3 object storage as part of its web services environment. After a compromise, Bob wants to preserve data related to the compromise that was stored in his S3 buckets. What process can he use to preserve the files for forensic purposes?
Copy the data to a new S3 bucket for later forensic analysis S3 is object storage rather than block storage attached to an instance, so its contents will not be captured as part of a disk image. Instead, Bob will want to preserve the objects along with the metadata stored with them, meaning that a copy to a separate S3 bucket that can be preserved (with access restricted and documented) while the original environment is restored to production is likely his best option.
Kyle knows that DRM and IRM increasingly have overlapping deployments and wants to explain the difference between DRM and IRM to his organization's leadership. What is DRM used for versus what IRM is used for?
Copyright protection versus highly sensitive information protection DRM is often used to protect copyrighted materials, while IRM is often used to protect sensitive data to prevent exposure or loss.
A cloud‐hosted Linux instance that Yun is responsible for shows signs of compromise. What should Yun do to preserve the instance for forensic analysis?
Create a snapshot of the live instance Creating a snapshot of the live instance will preserve the memory and disk state. The incident response team can then determine if the instance should be paused or other actions should be taken. Terminating the instance will lose memory information, as will rebooting it. Logging into the instance is not needed and will create artifacts on the instance due to the login process.
What stage of the cloud data lifecycle typically includes data classification?
Creation Data should be classified when it is created. This ensures that the data can be handled according to its classification throughout its lifecycle.
Joanna wants to ensure that data is properly destroyed when it is removed from her cloud‐hosted environment as part of its defined lifecycle. What destruction or deletion method should she choose?
Cryptographic erasure Due to the nature of cloud storage, cryptographic erasure is the only practical means of data destruction. Customers typically cannot ensure physical destruction or the access to disks that degaussing would require. Zero‐wiping may leave remnant data in cloud‐hosted storage systems because of how space is allocated and due to the built‐in wear leveling found in modern SSDs.
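Cryptographic erasure works because the data is only ever stored encrypted under a key the customer controls: destroy the key and the ciphertext that remains on the provider's disks is useless. The following added example (not from the original question set) models that with a stand-in key store and an object store that persists only ciphertext. The keystream cipher built from HMAC-SHA256 is an illustration so the example runs on the standard library alone; a real system would use AES-GCM from a vetted library and a cloud KMS or HSM for the keys. Names such as `tenant-a-dek` are assumed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from (key, nonce) using HMAC-SHA256 in counter mode.

    Illustration only: it shows the property that matters here, that without
    the key the ciphertext cannot be turned back into plaintext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class KeyStore:
    """Stands in for a cloud KMS or HSM: callers hold key IDs, never key bytes."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytearray] = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = bytearray(os.urandom(32))

    def get(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"key {key_id} does not exist or has been destroyed")
        return bytes(self._keys[key_id])

    def destroy(self, key_id: str) -> None:
        """Overwrite the key material in place, then forget it."""
        material = self._keys.pop(key_id)
        for i in range(len(material)):
            material[i] = 0


class ObjectStore:
    """Storage that persists only ciphertext plus the ID of the key that encrypted it."""

    def __init__(self, keystore: KeyStore) -> None:
        self.keystore = keystore
        self._objects: Dict[str, Tuple[str, bytes, bytes]] = {}

    def put(self, name: str, plaintext: bytes, key_id: str) -> None:
        nonce = os.urandom(16)  # fresh nonce per object; never reuse one with the same key
        ciphertext = xor_with_keystream(self.keystore.get(key_id), nonce, plaintext)
        self._objects[name] = (key_id, nonce, ciphertext)

    def get(self, name: str) -> bytes:
        key_id, nonce, ciphertext = self._objects[name]
        return xor_with_keystream(self.keystore.get(key_id), nonce, ciphertext)

    def raw_ciphertext(self, name: str) -> bytes:
        """What remains on the provider's media after the key is gone."""
        return self._objects[name][2]

    def objects_using_key(self, key_id: str) -> List[str]:
        return [n for n, (k, _, _) in self._objects.items() if k == key_id]


def crypto_shred(store: ObjectStore, key_id: str) -> List[str]:
    """Destroy a key and return the objects that are now unrecoverable."""
    affected = store.objects_using_key(key_id)
    store.keystore.destroy(key_id)
    return affected


def demo() -> dict:
    keys = KeyStore()
    keys.create("tenant-a-dek")
    store = ObjectStore(keys)
    store.put("customer.csv", b"alice,4111111111111111", "tenant-a-dek")
    before = store.get("customer.csv")
    shredded = crypto_shred(store, "tenant-a-dek")
    try:
        store.get("customer.csv")
        recoverable = True
    except KeyError:
        recoverable = False
    return {
        "before": before,
        "shredded": shredded,
        "recoverable_after": recoverable,
        "ciphertext_still_present": len(store.raw_ciphertext("customer.csv")) > 0,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the demo shows: the ciphertext bytes are still present after shredding, which is exactly the remnant-data situation the answer describes for cloud storage, and it no longer matters because the key is gone. Scoping keys per tenant or per dataset is what makes this selective: destroying one key erases one customer's data, not everyone's.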
Megan wants to ensure that her hardware security module (HSM) is using acceptable cryptographic techniques. What U.S.‐based certification should she look for?
FIPS 140-2 Many HSM security requirements standards point to FIPS 140-2, and now its successor FIPS 140-3, which has replaced 140-2 for new validations, as the standard to validate cryptographic modules against. None of the other options listed are used to validate cryptographic components.
Nicole is matching database fields between two databases to allow the data models to be connected. What is this process called?
Data mapping Data mapping involves the process of matching fields from one database to fields in another database. It is done as part of data integration and migration processes as well as other efforts that need to connect data from two databases. Data labeling tags data with labels. Data matching finds records related to the same entity, and data consolidation pulls data from multiple sources to a single place.
What term is used to describe matching fields in one database to fields in another database?
Data mapping The process of matching fields in one database to fields in another is called data mapping. It is often used to help with data integration and data migration tasks.
Susan's organization has moved its organization data to cloud‐based file storage. A recent incident involving compromised credentials has caused the company to want to monitor file traffic, particularly when it involves proprietary company data. What cloud service should Susan look for, and how can she most effectively ensure that it monitors for the company's most sensitive data?
DLP, data labels Susan should look for a data loss prevention, or DLP, solution and use data labels to ensure that her organization's sensitive business data is tagged with appropriate metadata. An IDS or IPS may be useful for monitoring for data loss events, but a DLP is specifically designed for this purpose and will provide additional controls and insight. A service‐level agreement, or SLA, will not help in this scenario.
Sharif needs to explain the DREAD threat assessment mnemonic to his team. What does DREAD stand for?
Damage, Reproducibility, Exploitability, Affected Users, Discoverability DREAD stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. While DREAD is no longer widely used and has been supplanted by other threat modeling frameworks, the CCSP exam outline still mentions it, so you'll need to know what it stands for.
Mike is responsible for the custody, transport, and storage of data and the implementation of business rules. What data role has he been assigned?
Data custodian Data custodians are responsible for the safety of data when it is in their custody, in transit, or in storage and must implement business rules as part of their role. Data owners and controllers are responsible for deciding who has access to data, and data stewards have oversight and governance roles, so they might set the business rules that custodians implement.
Juan wants to ensure that his organization's data cannot be easily lost or damaged and makes multiple copies of it in different storage services between two cloud service providers. What technique has Juan used?
Data dispersion Having copies of data in multiple storage systems, services, or clouds is an example of data dispersion. RAID describes multiple storage techniques that include performance and reliability options. Cloud mirroring and storage cloning were made up for this question.
As part of an organization's security practices, personally identifiable information is replaced with asterisks when support staff view account information using internal support tools. What security technique is this an example of?
Data masking This is an example of data masking, where sensitive data is hidden and the full value is presented only to authorized individuals. Tokenization replaces data with a token that can be used for processing without exposing the actual data. Secrets management is the process of ensuring secrets like encryption keys are kept secure throughout their lifecycle. Hashing is a one-way function that converts input to a fixed-length digest; it is designed so that finding two inputs with the same digest is computationally infeasible.
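The three techniques the answer distinguishes behave differently in code: masking changes only what is displayed, tokenization is reversible but only through the vault, and a keyed hash is one-way. The following is an added example (not from the original question set); the field formats, the `PEPPER` value, and the `tok_` token prefix are assumptions for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumed pepper for the keyed hash; a real deployment keeps this in a secrets manager.
PEPPER = b"example-pepper-do-not-use"


def mask_ssn(ssn: str) -> str:
    """Display-only masking: the support tool shows only the last four digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain; mask the rest."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("expected local@domain")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


class TokenVault:
    """Tokenization: a random surrogate stands in for the value; only the vault can reverse it."""

    def __init__(self) -> None:
        self._to_value = {}
        self._to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:  # the same value always maps to the same token
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, so it reveals nothing about the value
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def hash_pii(value: str) -> str:
    """One-way keyed hash: usable for matching or deduplication, never for recovery."""
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()


def support_view(record: dict) -> dict:
    """What a support agent sees in the internal tool: masked values, never raw PII."""
    return {
        "account_id": record["account_id"],
        "ssn": mask_ssn(record["ssn"]),
        "email": mask_email(record["email"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = {"account_id": "A1", "ssn": "123-45-6789", "email": "alice@example.com"}
    print(support_view(record))
    print(vault.detokenize(vault.tokenize(record["ssn"])) == record["ssn"])
    print(hash_pii(record["ssn"]))
```

The masked view is what a support tool renders; the token is what a downstream system stores in place of the value; the hash is what you would use to check whether two records refer to the same person without holding the value itself.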
ISO/IEC 27050 describes seven main steps for eDiscovery. Which of the following is not a step in that e‐discovery process?
Deletion The seven steps identified by ISO/IEC 27050 are ESI identification, preservation, collection, processing, review, analysis, and production. Deletion is not included in the seven steps, but disposal of forensic data is still important as a practice and process for after investigations and legal matters are settled.
Ingrid wants to ensure the availability of her guest operating systems. What is the best solution to improve availability when using a cloud service provider?
Deploy her services to multiple regions Deploying to multiple regions, while more complex and expensive, will provide Ingrid with the best assurance of availability she will have, accounting for both regional issues like natural disasters and host issues like an instance crashing. Containers can help, but both of the container solutions mention a single region or AZ, not multiple, and multiple regions are preferable to multiple availability zones unless there is a performance issue due to latency between regions.
What stage of the cloud secure data lifecycle involves cryptographic erasure?
Destroy Cryptographic erasure is used to destroy data in environments where physical destruction of the data storage devices or media is impossible and is part of the Destroy phase for the cloud data lifecycle.
Cameras, fences, and signage are all examples of what type of physical security controls found in an on‐premises data center?
Deterrent Cameras, fences, and signage all work to deter potential intruders for on‐premises data centers. Administrative controls are policy based, preventative controls attempt to stop unwanted events from occurring, and detective controls allow you to identify when an event occurs.
Dana has collected forensic images of compromised systems and has stored them in her cloud provider's storage. She knows that the images may be required to support a legal case. What should she plan for to ensure that the images are usable for that case?
Ensuring a documented chain of custody Dana needs to ensure that she documents the chain of custody for the images so that there is no question about who had access to them prior to their use in a legal case. Converting them to local virtual machine images isn't required to support a legal case, nor is moving them to local storage for a legal team to inspect them a requirement, although some legal teams may ask for copies for their forensic staff or contractors. Finally, deleting the images wouldn't help them to be used in a legal case.
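A chain of custody record is only useful if it ties each handoff to a verifiable hash of the evidence and cannot be quietly edited afterward. The following added example (not from the original question set) keeps a hash-chained, append-only custody ledger that serves both this question and the earlier S3 preservation question: each acquisition, transfer, and verification is recorded with the SHA-256 of the evidence, and any later edit to an entry breaks the chain. The image bytes, names, and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    action: str            # "acquired", "transferred", "verified", or "MISMATCH"
    evidence_id: str
    actor: str             # who took custody or performed the action
    timestamp: str         # ISO 8601 string supplied by the caller
    evidence_sha256: str   # hash of the evidence as observed at this step
    prev_entry_hash: str   # links this entry to the one before it
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLedger:
    """Append-only, hash-chained record of who held each image and when."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []
        self._acquired_hashes: Dict[str, str] = {}

    def _append(self, action: str, evidence_id: str, actor: str,
                timestamp: str, evidence_sha256: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = CustodyEntry(len(self.entries), action, evidence_id, actor,
                             timestamp, evidence_sha256, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def acquire(self, evidence_id: str, image: bytes, actor: str, timestamp: str) -> CustodyEntry:
        """Record the hash at acquisition; every later check compares against it."""
        digest = sha256_hex(image)
        self._acquired_hashes[evidence_id] = digest
        return self._append("acquired", evidence_id, actor, timestamp, digest)

    def transfer(self, evidence_id: str, to_actor: str, timestamp: str) -> CustodyEntry:
        return self._append("transferred", evidence_id, to_actor, timestamp,
                            self._acquired_hashes[evidence_id])

    def verify_image(self, evidence_id: str, image: bytes, actor: str, timestamp: str) -> bool:
        """Re-hash the evidence on receipt; a mismatch is recorded, not hidden."""
        digest = sha256_hex(image)
        matches = digest == self._acquired_hashes[evidence_id]
        self._append("verified" if matches else "MISMATCH", evidence_id, actor, timestamp, digest)
        return matches

    def chain_intact(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_entry_hash != prev:
                return False
            if entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


if __name__ == "__main__":
    ledger = CustodyLedger()
    image = b"constructed sample bytes standing in for a VM disk or memory image"
    ledger.acquire("img-001", image, "dana", "2024-01-10T09:00:00Z")
    ledger.transfer("img-001", "legal-forensics", "2024-01-11T14:30:00Z")
    print(ledger.verify_image("img-001", image, "legal-forensics", "2024-01-11T14:31:00Z"))
    print(ledger.chain_intact())
```

In practice the ledger itself should live somewhere the custodians cannot silently rewrite (write-once storage, or an object lock on the bucket holding the images), and the acquisition hash should be generated at capture time, before the image is ever copied.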
Jason's organization has used a software as a service vendor for its key customer relationship management tool for a few years. The organization has determined that it wants to move to a new SaaS CRM. Which of the following is not a common concern when terminating SaaS contracts?
Ensuring the organization's right to audit the service provider Ending a relationship after years of use can create a number of concerns, including ensuring that data is available and able to be transferred to the new vendor, ensuring that the vendor disposes of data properly after the contract is over, and ensuring that the termination process for the contract is properly followed. Auditing after termination or as part of the termination process is not a common concern or process.
Kathleen sets up storage for the web server instances that her organization uses in a scalable, auto‐resizing pool for its main website. What type of storage type best describes the system drives for servers like this that are frequently created, used, then terminated?
Ephemeral Kathleen is using ephemeral storage, which is storage with a short life span that is discarded when the instance is terminated. Long-term storage focuses on reliability and integrity of data while often de-prioritizing performance. Raw storage refers to underlying disks and other storage devices. Object storage leverages metadata tags to allow data to be easily retrieved; objects are written and read as whole units and are replaced rather than modified in place.
Katie wants to adopt a recognized information security management system for her cloud services company. What standard should she adopt so that her organization can more easily support audits and assessments to a known standard?
ISO 27001 ISO 27001 is a specification for an information security management system, or ISMS, including the policies and procedures that organizations use for risk management. Building security management practices based on ISO 27001 will help Katie's organization when they work with auditors who are familiar with the framework. HITECH addresses privacy and security as part of an attempt to strengthen HIPAA and isn't an ISMS, nor is SSAE, which is an audit standard, and ISO 27050 focuses on e-discovery.
Jack is preparing to sign a contract with a new cloud service provider. If he wants to ensure that his provider is using an international standard for risk management programs, what standard from the following list should he look for?
ISO 31000 ISO 31000 is the only risk management framework listed. It is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices. NIST SP 800‐53 covers security and privacy controls, ISO 27001 is an information security management framework, and IEC 8900 was made up for this question.
Brian wants to adopt a risk framework for his organization. His company operates in multiple countries, so he wants to adopt an internationally recognized risk framework. What framework should he choose to meet these requirements?
ISO 31000:2018 ISO 31000 is an international standard that focuses on developing risk management practices and management. The NIST Risk Management Framework is a U.S. standard and thus isn't as likely to be accepted by international organizations. Both IEC 27800 and CISA 1100-2020 were made up for this question.
Scott's organization is preparing for its internal information security management system to be audited. What audit standard is the organization likely to be audited against?
ISO/IEC 27007 ISO/IEC 27007 sets out guidelines for auditing information security management systems—and will look familiar as it's part of the 2700x series of standards. NIST 800‐30 is a guide to conducting risk assessments, RFC 1918 defines nonroutable address space, and ISAE 2020 was made up for this question.
Jim wants to adopt an industry standard that will help him ensure the security of his supply chain relationships. Which standard should he select?
ISO/IEC 27036 ISO/IEC 27036 addresses risks related to the acquisition of goods and services. ISO/IEC 20000-1 focuses on service management for information technology. ITIL is an operations model for delivering technology-enabled services and products. NIST SP 800-171 provides recommended requirements for the protection of controlled unclassified information (CUI).
Michelle wants to select an international standard to base her organization's cloud vendor relationship practices on. What standard should she select from the following list?
ISO/IEC 27036 ISO/IEC 27036 is a standard that describes information security for supplier relationships. ISO/IEC 20000‐1 focuses on service management; ITIL is the IT Infrastructure Library, a set of practices to manage services and assets. COBIT defines control objectives for IT management and governance.
Paul wants to use an international standard as the foundation for his risk management practice for cloud services. Which standard should he select from the following list?
ISO/IEC 27036 Paul knows that ISO/IEC standards are international standards and that 27036 specifically addresses securing supplier relationships for cloud services. SSAE 16 is an auditing standard, and ISAE is the International Standard on Assurance Engagements.
Ken wants to centralize security monitoring and incident response activities for his organization but does not have the staff to do so. What option should he propose to organizational leadership?
Identify and sign a contract with an outsourced SOC Since Ken doesn't have staffing to manage security, an outsourced SOC, or security operations center, would be his best option. A SIEM tool without staff won't be helpful, and a network operations center (NOC) is focused on network management instead of security management.
What does ISO/IEC 20000‐1 specify?
It specifies the requirements for a service management system ISO/IEC 20000-1 specifies the requirements for a service management system (SMS).
Maria has configured DNSSEC for her organization. What elements of DNS queries will it protect?
It will prevent attackers from manipulating DNS responses but will not protect the privacy of DNS lookups DNSSEC signs DNS records so that resolvers can verify the origin and integrity of responses, protecting against spoofing and cache poisoning, but it does not encrypt queries or responses, so lookups remain visible on the network. Privacy for lookups requires a separate mechanism such as DNS over TLS or DNS over HTTPS.
Theresa is setting up a secrets management system as part of her organization's CI/CD pipeline. She wants to ensure that inadvertent exposures of secrets doesn't result in long‐term risk to her organization. What should she do to help limit the long‐term risk of exposed secrets?
Implement a rotation process for secrets Theresa knows that an exposed secret may be used at any time after exposure, and a rotation process limits how long an exposed secret remains valid. Least privilege limits the impact of an exposed secret but not its lifetime. Separation of duties ensures that a single individual cannot complete a critical task alone without oversight or visibility. Auditing is a best practice and may help detect use of an exposed secret, but it does not shorten the window in which the secret still works.
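The point of rotation is that a leaked value stops working on a schedule rather than living forever. The following added example (not from the original question set) is a small versioned secrets store with a maximum age, a grace period so that in-flight deployments still using the previous version do not break, and an out-of-band revoke path for a confirmed exposure that grants no grace at all. The clock is injected as an integer so the behaviour is deterministic; secret names and durations are assumed values.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecretVersion:
    value: str
    created_at: int                  # unix seconds, supplied by the caller
    retired_at: Optional[int] = None  # set when a newer version replaces this one


@dataclass
class ManagedSecret:
    name: str
    max_age: int   # seconds a version may remain current before scheduled rotation
    grace: int     # seconds a retired version still validates, for rollouts in progress
    versions: List[SecretVersion] = field(default_factory=list)

    def current(self) -> SecretVersion:
        return self.versions[-1]

    def rotate(self, now: int) -> str:
        """Retire the current version (unless already retired) and issue a new one."""
        if self.versions and self.current().retired_at is None:
            self.current().retired_at = now
        new = SecretVersion(value=secrets.token_urlsafe(24), created_at=now)
        self.versions.append(new)
        return new.value

    def validate(self, presented: str, now: int) -> bool:
        """Accept the current version, or a retired one still inside its grace window."""
        for version in self.versions:
            if not secrets.compare_digest(version.value, presented):
                continue
            if version.retired_at is None:
                return True
            return now < version.retired_at + self.grace
        return False

    def needs_rotation(self, now: int) -> bool:
        return now - self.current().created_at >= self.max_age


class SecretsManager:
    def __init__(self) -> None:
        self._secrets: Dict[str, ManagedSecret] = {}

    def create(self, name: str, now: int, max_age: int = 86400, grace: int = 600) -> str:
        managed = ManagedSecret(name=name, max_age=max_age, grace=grace)
        self._secrets[name] = managed
        return managed.rotate(now)

    def get(self, name: str) -> ManagedSecret:
        return self._secrets[name]

    def enforce_max_age(self, now: int) -> List[str]:
        """Scheduled job: rotate everything past its maximum age; returns what rotated."""
        rotated = []
        for name, managed in self._secrets.items():
            if managed.needs_rotation(now):
                managed.rotate(now)
                rotated.append(name)
        return rotated

    def revoke_now(self, name: str, now: int) -> str:
        """Confirmed exposure: retire the current value with no grace, then rotate."""
        managed = self._secrets[name]
        managed.current().retired_at = now - managed.grace
        return managed.rotate(now)


if __name__ == "__main__":
    manager = SecretsManager()
    leaked = manager.create("db-password", now=0, max_age=3600, grace=60)
    manager.enforce_max_age(now=3600)
    secret = manager.get("db-password")
    print(secret.validate(leaked, now=3630), secret.validate(leaked, now=3660))
```

The grace window is the design trade-off: long enough that consumers can pick up the new version, short enough that an exposed value is worthless within a bounded time. A confirmed leak should never wait for the schedule, which is what `revoke_now` is for.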
Tools like CloudFormation, Azure Resource Manager, Google's Deployment Manager, Terraform, Puppet, Chef, or Ansible are all elements of what type of strategy?
Infrastructure as code Provisioning tools like CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager, and Terraform, together with configuration management tools like Puppet, Chef, and Ansible, are all key elements of an infrastructure as code (IaC) strategy, in which infrastructure is defined in versioned, reviewable files and deployed by automation rather than by hand.
Susan's team uses a tool that allows them to define systems using a markup language, then use that markup to create their cloud‐hosted systems and infrastructure. If they need a new environment, they simply modify the instructions to match any changed needs or configurations and run it in their cloud data center. What type of model is Susan's team using?
Infrastructure as code Susan is using an infrastructure as code (IaC) design to create and manage her cloud data center. A continuous integration/continuous delivery model, containerization, and virtualization may be part of that design, but the overall concept here is infrastructure as code.
Gary is setting up a VMware virtual machine and when he runs the operating system, he discovers that the system will only run in low resolutions and that it does not have the ability to cut and paste between virtual machines. What does he need to do to fix this?
Install virtualization tools Virtualization tools provide a variety of capabilities from full resolution video to improved network card access and cut‐and‐paste functionality. Gary should install the guest operating system tools for VMware.
Liam's organization uses load‐balanced, cloud‐hosted systems that scale on demand to meet the performance needs for its website and applications. Liam needs to install patches on the systems. What is the best methodology for his organization to ensure patches can be done without downtime?
Instantiate new, patched servers and add them to the load balanced pool, then drain connections from the unpatched systems and terminate them Instantiating new, patched servers and adding them to the load balancer and then draining connections to the existing servers and removing them provides the smoothest transition and allows for issues with the patch to be handled without interrupting the website and applications.
Jeff has recently taken a new role as a security team member at a software development company. During his orientation, he is told that the organization uses interactive application security testing. What can he assume about the environment based on this?
Instrumentation is deployed to gather information about applications and their performance IAST, or interactive application security testing, relies on instrumentation to monitor applications. Agents provide application data to identify issues during both manual and automated tests. It does not necessarily require users for all software testing, static testing (although software composition analysis can be part of IAST), or manual vulnerability testing.
Ian wants to ensure that the hosting provider his organization has selected can handle connectivity outages. What should he ensure that the provider has in place?
Internet connectivity from more than one vendor with more than one physical path Connectivity through multiple internet service providers (ISPs) as well as multiple physical paths means that a single accident or problem won't destroy the connection and that vendor issues won't result in a loss of connectivity either. The rest of the answers either rely on a single vendor or a single path, which does not meet Ian's availability needs.
Jacob wants to deploy network‐connected devices with sensors to allow his organization to do remote data capture and automation. What technology is best described by this scenario?
Internet of Things The term Internet of Things (IoT) is used to describe network‐connected devices, often with sensors, that connect together to perform tasks. Jacob's design is a common one for IoT systems. Distributed computing merely describes computation in multiple locations, client‐server architecture relies on clients that access servers, and availability zones (AZs) are a data center concept describing redundant facilities in a region of multiple AZs.
John has determined the recovery point objective for his organization as part of its disaster recovery plan. What does setting an RPO achieve?
It determines how old the data that can be restored will be in the event of a disaster A recovery point objective determines how much data can be lost in a disaster and thus how much may have to be reentered or assumed to be permanently lost. It does not determine how long a service recovery will take in the event of a disaster.
Kristen wants to determine which privacy laws apply to her organization. She knows that her company provides services to customers in multiple locations that operate under different laws than where the company is headquartered. What concern does she need to address?
Jurisdiction Kristen needs to determine whether the way her company operates means that the locations where her customers are may claim jurisdiction over the business her company conducts with them. Stare decisis is a legal term used to describe precedent, scope is the impact of a law's requirements on an organization, and double jeopardy is a legal concept describing the prosecution of a person twice for the same offense.
Fred operates a database in a cloud hosting environment on the West Coast of the United States. His organization's primary location is on the East Coast of the United States and connects to the database to perform regular transactions. What monitoring information will provide him the most useful information if he sees slowness in large, multi‐step database transactions?
Latency between geographic locations Fred knows that each call to the database has to traverse the entire United States and that latency between the geographic locations is likely to be a major factor in the speed of processing the transactions. He'll want to monitor latency to determine if he may need to talk to his cloud provider about an East Coast zone instead of where his database is deployed now!
Christina's organization has recently experienced a data breach of systems hosted in a cloud IaaS environment. Her incident management process requires her to notify impacted organizations and individuals. Which of the following organizations is likely not included in that list?
Law enforcement Her service provider, partner organizations, and customers are all likely to fit within the definition of impacted organizations. Choosing to notify law enforcement is typically decided through a separate process, often with organizational legal counsel involved.
Theresa is helping design a DevOps security model for her organization. What security concept should she ensure is followed to ensure that each participant has the privileges they require?
Least privilege Least privilege is key in DevOps security models to ensure that team members only have the privileges they need to accomplish their role. Automated provisioning can help, but least privilege is more important!
The organization that Chris works for has been notified of pending litigation and has been instructed to preserve data related to the suit. What is this process called?
Legal hold Legal holds are legal notifications of an in‐progress or pending legal case that requires that data be preserved. Data locking and a litigation storage order were made up for this question, and legal jeopardy is a term used to describe when a person may be brought to trial.
Jim's organization hosts services in multiple cloud data centers across the United States. What legal concern should he have if an incident occurs in a data center in another state?
Legal jurisdiction Since Jim knows that the incident happened in another state, he is aware that that state's laws will apply. That means his first concern should be legal jurisdiction for any issues that may arise as a result of the incident. Fortunately (or sometimes unfortunately!) contracts often determine the jurisdiction for any contract‐related issues.
Greg is concerned about potential legal liability and cost based on his organization's use of third‐party software. What should he carefully monitor to limit legal liability for his use of commercial software?
Licensing Licensing is an issue in many organizations—it can be very easy to violate license terms, install more copies of software than are licensed, or create other license compliance issues. In a cloud environment, you may encounter software that is licensed differently for the cloud or software that the software vendor will not license for use in virtualized or cloud systems. Patching and updates not being done may lead to vulnerabilities or compromise, but they typically don't create legal liability due to the use of commercial software.
Tara wants to ensure that her organization's web servers can handle load at any scale. What cloud technologies should she put in place to handle this?
Load balancers and auto‐scaling groups Load balancers and auto‐scaling groups are designed to handle load at scale. Web application firewalls won't help handle load, and using larger instances or lots of small instances in a single availability zone isn't as useful as load balancing and scaling.
When Selah logs in to her company's CRM, she can see partial customer data to help her validate customers' identity when she talks to them. One customer's data reads: **** Maple Ave, Decatur, IL
Masking Masking replaces sensitive data elements with another character, often an asterisk (*) or an x. This allows data to be referred to, or for partial data to be validated, without exposing the entire data element. Obfuscation is intended to obscure the meaning of data, anonymization focuses on removing identifiable data, and hashing replaces data with a one‐way hash, allowing data to still be referred to without using the actual data.
Olivia wants to create persistent data labels in the data creation phase of her cloud data lifecycle to allow her DLP system to better assess the data. Where should she place the labels and what type of label should she use to help her DLP?
Metadata, confidentiality level Olivia's best option is to include information about the data's confidentiality level in the file's metadata. This prevents filename changes from modifying the label or causing it to be lost and allows the DLP system to assess the sensitivity level of a file more easily.
Brian's organization is a healthcare provider and is legally required to protect protected health information (PHI). What key difference exists in the possible penalties for exposure or mishandling of the data between this and contractually protected data that it acquires about its patients from a third‐party data provider?
Most penalties for contractually protected data breaches are financial Penalties for breach of contractually protected data are typically financial in nature, while criminal charges may occur in addition to financial or regulatory penalties with legally protected data. That means that contractually protected data is unlikely to have the most severe penalties, that there are meaningful differences, and that there are more than just criminal penalties for breach of legally protected data.
Donna's organization wants to provide remote access to systems inside its cloud data center via SSH for systems management. What security control will most effectively prevent attacks using compromised credentials against systems with open access to SSH from the Internet?
Multi‐factor authentication Multi‐factor authentication is one of the best security controls available to combat attacks using stolen credentials. An IPS can be helpful against many attacks, but stolen credentials will often appear to be a legitimate user. A jump box provides an additional layer of security but doesn't stop legitimate credential use, and changing SSH ports can stop brute force or less advanced attackers, but a more capable attacker will still identify SSH on alternate ports.
Glenn wants to secure the administrative console provided by his cloud service provider. Which of the following best practices will provide the most protection against stolen or lost credentials being used to log in to the console?
Multi‐factor authentication Multi‐factor authentication provides the strongest protection among the items on this list against the use of stolen or lost credentials. An attacker would also need to have the secondary factor—often a token, application, or phone for SMS messages.
Kirk wants to identify a useful metric for cloud service vendor risks as he decides which vendor to select. Which of the following is most likely to help him identify vendors with poor risk management practices?
Number of issues not resolved in a SOC 2 Type 2 audit Kirk knows that SOC 2 Type 2 audits test security controls over time and that he will have a better understanding of an organization's security practices given a period of time instead of a point in time. He also knows that knowing how an organization handles issues rather than just the simple number of issues will be more valuable over time, so he will select the number of issues not resolved in a SOC 2 Type 2 audit.
Olivia wants to provide risk management metrics and needs to select the most meaningful measure for her organization. Which of the following risk metrics provides the most information about her organization's ability to assess risk accurately and act on that risk assessment?
Number of risks that occurred The number of risks that occurred tells the most complete story about the risk assessment and management efforts for Olivia's company. If the risks that occurred were risks that were accepted, the company is likely doing well. If risks were identified and not remediated or accepted and then occurred, her organization isn't doing well with controls. If risks occurred that weren't identified, then it may have issues with assessment. Cost is useful to know but isn't an effective measure of the ability to assess risk or act on risk, and simply counting risks doesn't mean you've addressed them.
The storage system that Jody uses includes three elements for each thing that is stored in it: the data, metadata, and a globally unique identifier. What type of storage is Jody using?
Object storage Jody is using object storage. Each object includes the data, metadata, and a unique identifier. Block storage works like a traditional hard drive, with blocks of storage allocated to files and tracked by an allocation table. Blob storage stores large volumes of unstructured data, and file storage does just what it sounds like: stores files.
Jake is designing a resilient data center. Which of the following is not a common element in resilient data center design?
Redundant heating Cooling, power, and connectivity are all commonly redundant, but since data centers generate so much waste heat, they rarely have redundant heating capabilities for the data center itself. They may have heating for office or work spaces, but those typically don't have redundant heating either since the primary purpose of the data center is to house servers and devices, not people.
Full disk encryption and cryptographic erasure both help to limit what type of attacks against raw storage?
Remnant data recovery after reallocation While most major cloud providers have solutions in place to ensure that reallocated raw storage does not contain accessible remnant data, using full disk encryption and cryptographic erasure ensures that mistakes by the cloud provider or a lack of appropriate handling practices and technology do not result in data exposure. Compromises will still allow access, as disks must be decrypted for the system to use them; neither of these techniques prevents data loss; and using encryption and cryptographic erasure techniques will not prevent cryptographic malware.
Karl is responsible for a group of Amazon EC2 instances that are used as part of his organization's service infrastructure. He needs to plan ahead for potential compromises and knows that the machines are frequently instantiated or deleted based on load. How can he handle ephemeral storage associated with auto‐scaling groups in the event a compromise requires forensic analysis?
Remove the compromised machine or machines from the auto‐scaling group and capture a machine image Removing the machine from the auto‐scaling group and capturing a machine image will preserve both the system and its state, allowing for effective forensic analysis. Karl's biggest challenge may be preserving the machines in time, as auto‐scaling groups may remove systems before the compromise is detected. The original image isn't useful for forensic analysis because it will have been created prior to the compromise. Re‐instantiating systems will remove the compromised systems but won't allow analysis, and running build scripts in a protected environment will create clean machines without the exploit in place as well.
What method can Adam use to most effectively assess a major third‐party cloud provider's security controls and practices as well as its effectiveness over time?
Request a SOC 2 Type 2 report A SOC 2 Type 2 report assesses control effectiveness over time. SOC 1 reports only assess internal controls over financial reporting, so neither type of SOC 1 report will be useful. A SOC 2 Type 1 report only looks at a point in time and will also not meet his goals.
Casey is updating her organization's audit policies because her company is moving to a cloud infrastructure as a service vendor's platform to host its data center. The current policy includes language that requires an internal auditor to assess the data center's security every year and to report to the board of trustees. Which of the following changes should Casey include in her updated policy to meet common cloud practices?
Request an annual audit report from the vendor Most infrastructure as a service vendors do not allow customers to conduct audits of their facilities and services. Casey should request a copy of the provider's third‐party audit results and report on those to her board on an annual basis.
Melissa wants to use an agile SDLC. What are the phases of the agile lifecycle?
Requirements, design, develop, test, deploy Agile is quite flexible, but its phases typically look like requirements gathering, design work, code development, testing, and deployment. Waterfall uses a requirements, design, implementation, verification, maintenance sequence. Spiral's process iterates on determining objectives, identifying and resolving risks, developing and testing software, and then planning the next iteration. Finally, the V model uses a sequence of expressing needs, analyzing those needs, designing, building, testing, validating, and delivering software.
Which of the following is not a key cloud computing characteristic?
Resource segregation The CCSP Exam Outline (Candidate Information Bulletin) defines a number of key elements you should be familiar with as core cloud subjects. They include on‐demand self‐service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, and measured service. It does not include resource segregation.
Elaine wants to perform a vulnerability scan of her cloud‐hosted environment from an external perspective. What should she do before beginning the scan?
Review her cloud service provider's rules for vulnerability scans Elaine should first review her cloud provider's rules for vulnerability scanning and then follow them. That may include notification prior to the scan and following specific rules for the scan, or it may even mean not running a scan.
Ryan is preparing to sign a contract with a major software as a service cloud service provider. Which of the following common contractual elements is a major cloud provider unlikely to accept?
Right to audit language for SOC 2 Type 2 audits Cloud service providers typically engage their own auditors and provide widely accepted audit documentation with appropriate attestations and are unlikely to allow each customer to retain the right to audit the organization independently. SLAs, insurance coverage, and data access at the end of a contract are all common elements, particularly with SaaS vendors.
Thomas wants to calculate the risk severity for a risk in his cloud‐hosted environment. What equation should he use?
Risk Severity = Likelihood × Impact Calculating risk severity involves multiplying the likelihood by the impact of the risk if it occurred.
Gurvinder wants to ensure the availability of guest operating systems in his cloud infrastructure as a service environment. Which of the following methods will provide the greatest assurance of availability?
Run load‐balanced instances across multiple regions with automatic scaling set up Running load‐balanced instances will ensure that a guest operating system failure will not stop the service from functioning. Running in multiple regions will help ensure that a regional outage or network interruption will not cause an outage. Moving to dedicated hardware near a single location and geographic clustering both create the potential for a natural disaster or other major issue to disrupt services. Finally, you cannot run operating systems in containers; containers are used for applications.
Jaime's company is required to meet ongoing audit requirements and to provide audit reports to regulators who cover her industry. What type of SOC audit should she provide if the regulators want a point‐in‐time audit of security controls?
SOC 2 Type 1 Jaime knows that a SOC 2 audit covers security controls and that Type 1 audits cover a point in time. SOC 1 audits cover financial controls and Type 2 audits cover a period of time.
Amanda wants to request an audit report from her potential cloud service vendor that shows the effectiveness of its security controls over time. What type of audit report should she request?
SSAE 16 Type 2 An SSAE 16 Type 2 report will focus on trust principles including security, confidentiality, integrity, availability, and privacy. SSAE 16 Type 1 reports are point‐in‐time reports, so they won't show the controls over time. SOC 1 reports only cover business practices that might impact financial statements, so she knows that a SOC 1 audit of any type won't provide the detail she's looking for. Amanda could also request a SOC 2 Type 2 report to obtain information about security, availability, integrity, confidentiality, and privacy, but SOC 2 reports are not listed in the options for this question.
What two audit standards result in SOC 1 and SOC 2 reports?
SSAE 16 and ISAE 3402 Both SSAE 16 and ISAE 3402 cover SOC 1 and SOC 2 reports. PCI DSS assessments are conducted to ensure compliance but do not generate SOC 1 or SOC 2 reports, nor do NIST standards.
Wayne wants to run code in his virtualization environment but doesn't know if it is secure or safe to do so. What design concept can he use to allow him to safely run potentially dangerous code?
Sandboxing Sandboxing focuses on placing software and other potentially dangerous system components in a protected zone where it can be run, observed, and isolated if needed. Wayne should use common sandbox design patterns to create a safe environment to run the suspect code. Containers and virtualization may be part of that design, but they're not the solution by themselves. Microservices are used to build scalable, redundant services but aren't part of this design motif.
Christina wants to allow inbound HTTPS traffic from any address to her servers using a security group. What source, protocol, and port should she allow to be able to do this?
Source: 0.0.0.0/0 Protocol: TCP Port: 443 A source of 0.0.0.0/0 includes all possible IPv4 addresses. HTTPS is a TCP protocol, and port 443 is used for HTTPS. Each of the other sources defines a narrower range, UDP is not the underlying protocol for HTTPS, and port 80 is the HTTP port, not the HTTPS port.
Alaina wants to use the STRIDE model for threat modeling. What does STRIDE stand for?
Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privileges STRIDE is an acronym that stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privileges.
The Cloud Security Alliance points to a number of key areas to consider during e‐discovery. Which of the following is most likely to drive higher costs in a cloud environment when the organization is operating under a litigation hold?
Storage duration The duration of storage retention is likely to be a primary driver of the cost of the storage because cloud storage is typically billed by quantity and time. Identifying the data custodian, needs to segregate data, or cloud provider constraints are not as likely to drive costs.
Erin is conducting data discovery on data stored in a database. What type of data is she performing discovery on?
Structured data Data in a database is considered structured data because it uses clearly defined data types and is organized in a way that makes it easily searchable. Restructured data was made up for this question.
Brian has managed his organization's onsite data center for years and is now moving to a cloud data center. Which of the following monitoring items that he is used to monitoring will he no longer be able to monitor in the cloud environment?
System temperature Brian won't be able to monitor system temperature since underlying hardware is not exposed to customers. He will still be able to see how much storage space is being used (disk utilization), network traffic, and CPU usage since those are all billable items.
Nick wants to protect data in transit between two systems. What protocol should he select to protect web traffic?
TLS TLS, or Transport Layer Security, is the commonly used protocol for web and other network traffic and replaced SSL. PGP is used for file encryption and signatures, and SHA1 is a hashing algorithm.
Lucca is planning ahead for his organization's SOC 2 Type 2 audit later in the year. The audit will occur in his organization's cloud‐hosted platform as a service environment. What should Lucca be prepared to explain to the auditors about the environment?
That the underlying infrastructure is not run by his organization and cannot be directly audited Lucca should be prepared to explain that underlying infrastructure information is not the responsibility of his organization and to provide the cloud provider's SOC audit information. It is unlikely that the cloud provider will allow Lucca's auditors to audit their cloud service. Logging and auditing can be used in a PaaS environment and individual users are typically logged for security reasons.
Adam needs to access a secret using the AWS Secrets Manager. What happens when Secrets Manager sends a request to the key management service (KMS) for the secret?
The KMS decrypts the data key, and the Secrets Manager uses it to decrypt the secret data The KMS decrypts the data key when the Secrets Manager makes a valid request. It then provides the data key and the encrypted secret data to the Secrets Manager, which decrypts the secret data, allowing it to be used.
Frank is conducting a PASTA assessment, and is in stage 2, defining the technical scope. He is reviewing a containerized environment and wants to determine appropriate items that make up its attack surface. Which of the following is the best starting point for his analysis?
The Kubernetes configuration Kubernetes is used to run containerized environments, making the Kubernetes configuration an excellent starting point for this phase of a PASTA assessment.
Jane is designing her data center's HVAC system and wants to ensure that the systems can handle a chilled water outage. What type of solution should Jane put in place if she is cost sensitive but needs a redundancy option?
The ability to switch to utility provider water The ability to switch to utility provider water will reduce Jane's ability to cool systems but provides a useful alternative to adding another chilled water system because it is much cheaper and can typically run without significant additional control needed once switched over. A chilled water storage tank won't support a data center for a long outage, storing water for reuse is efficient but doesn't help with an outage, and a second water chiller system could be quite expensive.
Henry knows that major cloud vendors frequently locate their data centers based on a handful of common requirements. What major driver often most directly influences large‐scale data center locations?
The availability of large amounts of power at a low price The major cost driver for most data centers is their ongoing power consumption, meaning that cloud and other data center owners focus on the ability to obtain large quantities of power at lower prices than they might in other regions. Once power is settled, additional factors like geographic considerations and even the ability to cool the data center more effectively are typically considered.
Gary is reviewing the CWE/SANS Top 25 and is attempting to understand the scoring calculations that place items on the list. What three components make up the CWSS score?
The base finding subscore, the environmental subscore, and the attack surface subscore CWSS scores are made up of the base finding subscore, including items like technical impact and acquired privilege; the environmental subscore, including business impact, among other items; and the attack surface subscore, which tracks required privileges and deployment scope along with other items. The CWE/SANS Top 25 uses CWSS scores to rank software vulnerabilities.
Rogerio's company wants to provide information to its board of trustees about its cloud‐hosted IaaS environment as part of its annual audit review. If Rogerio wants to document the security of the underlying platform, what audit information should he provide?
The cloud vendor's external audit The cloud vendor's external audit will provide the most relevant view of the underlying IaaS platform. Rogerio's internal or external audits of his company will not cover the underlying platform, and the cloud vendor is unlikely to provide its own internal auditing information—and external audits are typically preferred even if internal audits are available.
Fred uses a hashing algorithm to create unique values for data that he then uses to replace the original data in a copy of the database. He then references the original database using the hashed values when he needs to retrieve the information. What is this technique called?
Tokenization Fred is tokenizing data by replacing it with a unique value that can be referenced as needed back to the original data. This helps to secure the data while making it accessible as needed. Masking would hide data values when they are used, anonymization removes identifiable information, and de‐identification works to remove information that allows individuals to be identified.
Maria needs to protect data in a database from being exposed if the database is compromised, but she still needs to be able to perform operations against the data. What technique can she use to still be able to use the data while protecting it?
Tokenization Tokenization replaces data with a token value that can be looked up from a token store as needed, allowing the data to still be used. Hashing is a one‐way function that replaces a string with a fixed‐length output that is unique to each possible string. Masking replaces data with characters when accessed to keep sensitive data secure.
Which of the following data classification types is not typically used in commercial data classification policies?
Top Secret Secret and Top Secret classification levels are typically associated with government use. Confidential, sensitive, and public classifications are commonly used by companies and other organizations.
Casey wants to decrease the possibility of her organization's developers inadvertently introducing common vulnerabilities to their code. What should she do to help prevent dangerous coding habits?
Train the developer team on the OWASP Top 10 Training is one of the most important elements when creating secure code. Casey should prioritize training and ongoing skill building and awareness. A WAF can help protect code once it is written, but removing vulnerabilities before they are in production is critical. That's the same reason a vulnerability scanning process in production is too late; it's common to include vulnerability scanning in the test phase before entering production. PASTA and other threat modeling techniques can be helpful to understand attacks and threats but don't stop bad code from being written.
Derek has chosen to purchase cybersecurity insurance for his organization. What type of risk treatment method has he selected?
Transfer Purchasing insurance is an example of risk transfer. Avoiding the risk would require taking actions to make sure it doesn't occur, while mitigation would include efforts to limit the impact of the risk. Acceptance is just that—accepting the risk.
Which form of risk treatment occurs when an organization purchases insurance?
Transfer Purchasing insurance is an example of transferring risk. Avoiding risk often requires not undertaking the activity, mitigating risks leverages controls to limit a risk's impact, and accepting risk is just that: formally accepting the risk and the potential for impact if an event occurs.
The company that Kathleen works for recently deployed a SIEM to help with log capture and analysis. One of the SIEM's features is an alerting function for certain types of logged events and detection, and Kathleen has begun receiving hundreds of notifications to her phone at all times of the day due to the events being logged. What should she do to handle the notifications?
Tune alerts to avoid over‐notification While it can be tempting to simply turn off notifications when alerts are coming in over and over, the best answer is to spend time to tune the alerts to avoid over‐notification. That may involve setting reasonable alert thresholds based on actual occurrences, or it may require other investigation.
Juanita is operating in a cloud IaaS environment and runs her instances on the underlying infrastructure. What type of tool is most often used to virtualize hardware for consumption by customers running full operating systems in an IaaS service?
Type 1 hypervisors Type 1 hypervisors, which run directly on underlying hardware, are the most common solution for IaaS service providers. Type 2 hypervisors run on an existing operating system. Containers move up a layer of abstraction and once again run on an underlying operating system while providing application segmentation, and microservices describes a way that services are provided, not a virtualization model.
Selah runs VMware on her Windows workstation as part of her security work. This allows her to run multiple operating systems in virtual isolated networks for testing. What type of hypervisor is Selah running?
Type 2 Type 1 hypervisors run directly on the underlying hardware, or "bare metal," and Type 2 hypervisors run inside of another operating system like Windows or Linux. There are not Type 3 or 4 hypervisors.
Jill is performing initial data assessments before tackling data discovery tasks in her organization. She finds a shared drive with thousands of Microsoft Word documents. How should she describe this information in her assessment preparation notes?
Unstructured data Microsoft Word documents are a form of unstructured data. While markup is used to indicate visual and layout elements, text documents like Word documents, email, and similar data are not considered structured data.
Asha needs to search through emails that her organization sent via its cloud email host. What type of data discovery is Asha conducting?
Unstructured data discovery Asha is performing unstructured data discovery. Emails, documents, websites, and social media are all common examples of unstructured data. This makes tools that can do keyword searches and data mapping very useful.
Kristen is responsible for preserving data due to a litigation hold. How long does she need to preserve the data for?
Until the hold is released Legal holds must be preserved until the hold is released or ended.
What step occurs in the CSA's data lifecycle at point X?
Use The missing step is the Use step. The Cloud Security Alliance's six‐step data security lifecycle is Create, Store, Use, Share, Archive, and Destroy.
Brian is configuring a single sign‐on (SSO) service with a major infrastructure as a service provider. Which of the following is not an SSO identity source that he should consider for his organization's critical cloud infrastructure?
User‐created personal accounts from Facebook and Google Bringing your own accounts that are user generated and controlled is not well suited to integration for single sign‐on in a critical infrastructure environment. Vendor‐native SSO, Active Directory, and SAML‐based IdPs are all controlled by the organization and can be properly secured and managed.
Emily's organization operates servers in an infrastructure as a service (IaaS) environment. They're concerned about attacks that utilize inadvertently exposed secrets if their developers upload them to sites like GitHub. What practice should she implement first to reduce the risk of exposure of secrets?
Use a key management system and awareness training A key management system with proper training is one of the best ways to reduce risk. Secret scanning can be helpful, but significant numbers of exposures happen via developers' personal Git repositories, resulting in an inability to track and scan for exposures. Revoking exposed secrets is reactive, not proactive, but it's a good response practice. Private repositories may sound like a useful idea, and are—but they often lead to lax practices since developers feel safe, leaving a potential treasure trove for an attacker who gains access.
Susan wants to assess the security practices of her software vendors. What method can she use to most effectively measure the security of a software vendor?
Use a vendor security assessment questionnaire Susan should use a vendor security assessment questionnaire that vendors can fill out based on her organization's security needs. Industry standards exist for these, including the Cloud Security Alliance's questionnaire as well as higher education's HECVAT assessment tool. Operational practices assessments like a SOC 2 type 1 or 2 audit won't provide insight into the quality of the software that a vendor produces. Simply searching for news articles can be useful for a quick check but won't provide detailed or complete information.
Rene wants to reduce the risk of a failure of her primary cloud provider due to a network outage that impacts the region in which her systems operate. Which of the following strategies will best enable her to handle a provider network outage while not creating large volumes of additional work?
Use infrastructure as code techniques to deploy disaster recovery capabilities to another region Since cloud providers typically have redundant network connectivity, Rene knows that it would take a significant event to disrupt their network connection. She will plan to use infrastructure as code techniques to set up a disaster recovery capability in another region, but she will not select a different vendor because she wants to limit the additional work that using another vendor would create. Finally, she won't add additional connectivity for her own organization because she is focused on vendor outages, not her own connectivity, in this effort.
Hina wants to back up instances in her cloud environment. What is the most common option in use for cloud instance backups?
Use instance snapshots Hina should use a snapshot tool, typically provided by her cloud service provider, to capture snapshots of any instances she needs to back up. Installing backup agents adds overhead and potentially cost compared to built‐in tools, and in cloud environments, Hina is likely to be using her provider's virtualization environment and may not have control of the hypervisor to install a backup agent. Creating a snapshot of the hypervisor might back up more than the instances she wants to capture and would waste space and time.
Dean wants to avoid vendor lock‐in for his cloud computing environment. Which of the following strategies should he follow to limit the level of vendor lock‐in he will have while building his organization's cloud data center environment?
Use open‐source tools wherever possible Using open‐source tools wherever possible instead of vendor‐native tools or service‐provider APIs will help to ensure that Dean can move his environment to other providers more easily. Unfortunately, this will also mean that Dean will give up on some of the features and capabilities that using a service provider's tooling can provide. Data flow diagrams can be useful if you have to move or change a service or system but don't prevent vendor lock‐in by themselves.
Brian's organization has adopted his IaaS vendor's blob storage capability and wants to log authenticated and anonymous requests for access to files. What should he do to ensure he has appropriate logs and audit information?
Use the cloud vendor's native auditing tools Cloud storage vendors typically provide auditing and logging capabilities for their storage services. Brian should review his vendor's capabilities and determine if they meet his logging and audit needs.
Maria's organization uses ITIL 4 as its operational standard and wants to follow ITIL best practices for release management. What two methods are used for release management in ITIL 4?
Waterfall and agile ITIL 4 focuses on traditional release management (Waterfall) and agile release management for DevOps environments. If you encounter a question like this on the exam and don't know the specific way a standard defines practices, you can first eliminate unlikely answers; here you should be able to rule out scrum as an agile practice. Next, RAD, or rapid application development, is a far less common practice than Waterfall and agile, making that pairing the most likely answer.
Kelly has been asked to explain XML firewalls to her organization. Which of the following key features is not a common ability for XML firewalls?
XML document rewriting to known schema XML firewalls filter based on schemas and perform schema validation, but modifying data to meet a schema can cause issues for an application. Most XML firewalls won't force traffic to meet a schema and instead will flag and drop it. Note that some web application firewalls and other security devices support rewriting based on rules, but the reasons for using rewriting are not typically to enforce schema compliance.
