Flashcards in “CCSK: Certificate of Cloud Security Knowledge 5 of 6 Practice”

1
Q

How can security be increased in an immutable environment?

A.By disabling remote logins
B.By implementing event-driven security
C.By leveraging serverless computing if offered by the provider
D.By increasing the frequency of vulnerability assessments

A

A.By disabling remote logins

Explanation:
When leveraging immutable workloads, security can be increased by removing the ability to log in remotely. Any changes must be made centrally in immutable environments. File integrity monitoring can also be implemented to enhance security, as any change made to an immutable instance is likely evidence of a security incident.

2
Q

Which of the following CI/CD statements is false?

A.Security tests can be automated
B.A CI/CD system can automatically generate audit logs
C.A CI/CD system replaces the current change management processes
D. A CI/CD leverages a continuous integration server

A

C.A CI/CD system replaces the current change management processes

Explanation:
The false statement is that a CI/CD system replaces the current change management processes. In fact, a CI/CD system can integrate with your current change management system. All the other statements are true.

3
Q

How does penetration testing change as a result of the cloud?

A.The penetration tester must understand the various provider services that may be part of the application
B.In most cases, server instances used to run applications will have customized kernels, which will not be understood by anyone except the provider
C.Because of the nature of virtual networking, penetration tests must be performed by the cloud provider
D.Penetration testing is not possible with containers, so many pentests results will be inconclusive

A

A.The penetration tester must understand the various provider services that may be part of the application

Explanation:
There is a high probability that applications will leverage various cloud provider services. How communication between these services occurs is critical for the penetration tester, so only testers with experience in a particular platform should perform these tests.

4
Q

During which phase of the SSDLC should threat modeling be performed by customers?

A.Design
B.Development
C.Deployment
D.Operations

A

A.Design

Explanation:
Threat modeling should be performed as part of the application design phase, before a single line of code is actually written during the development phase.

5
Q

During which phase of the SSDLC should penetration testing first be performed by customers?

A.Design
B.Development
C.Deployment
D.Operations

A

D.Operations

Explanation:
Penetration testing should be initially performed as part of the deployment phase of the SSDLC. You need to have an actual application to perform penetration testing against, and this testing should be performed before the application runs in a production environment. Of course, periodic penetration testing is a good thing during the operations phase, but the question asked when it should first be performed.

6
Q

What is event-driven security?

A.When a provider will shut down a service for customers in the event of an attack being detected
B.Automating a response in the event of a notification, as established by the provider
C.Automating response in the event of a notification, as established by the customer
D.Automatic notification to a system administrator of an action being performed

A

C.Automating response in the event of a notification, as established by the customer

Explanation:
Event-driven security is the implementation of automated responses to notifications. This is created by the customer, who often leverages some form of API monitoring. If an API is used, this will trigger a workflow that may include both sending a message to a system administrator and running a script to address the instance automatically (such as reverting a change, changing virtual firewall rulesets, and so on).

7
Q

What should be offered by SaaS providers to enforce multitenancy isolation?

A.Provider-managed keys
B.Encryption based on AES-256
C.Per customer keys
D.Customer-managed hardware security module

A

C.Per customer keys

Explanation:
SaaS providers are recommended to implement per-customer keys whenever possible to provide better multitenancy isolation enforcement.

8
Q

What is event-driven security?

A.When a provider will shut down a service for customers in the event of an attack being detected
B.Automating a response in the event of a notification, as established by the provider
C.Automating response in the event of a notification, as established by the customer
D.Automatic notification to a system administrator of an action being performed

A

C.Automating response in the event of a notification, as established by the customer

Explanation:
Event-driven security is the implementation of automated responses to notifications. This is created by the customer, who often leverages some form of API monitoring. If an API is used, this will trigger a workflow that may include both sending a message to a system administrator and running a script to address the instance automatically (such as reverting a change, changing virtual firewall rulesets, and so on).

9
Q

What should be offered by SaaS providers to enforce multitenancy isolation?

A.Provider-managed keys
B.Encryption based on AES-256
C.Per-customer keys
D.Customer-managed hardware security module

A

C.Per-customer keys

Explanation:
SaaS providers are recommended to implement per-customer keys whenever possible to provide better multitenancy isolation enforcement.

10
Q

If your organization needs to ensure that data stored in a cloud environment will not be accessed without permission by anyone, including the provider, what can you do?

A.Use a local HSM and import generated keys into the provider’s encryption system as a customer-managed key
B.Use an encryption key based on a proprietary algorithm
C.Do not store the data in a cloud environment
D.Use customer-managed keys to allow for encryption while having complete control over the key itself

A

C.Do not store the data in a cloud environment

Explanation:
Your only option is not using the cloud. If data is encrypted locally and then copied to a cloud, this would also stop a provider from being able to decrypt the data if compelled by legal authorities to do so. It is generally not recommended that you create your own encryption algorithms, and they likely wouldn’t work in a provider’s environment anyway.

11
Q

Which of the following controls can be used to transform data based on the individual accessing the data?

A.Enterprise Rights management
B.Dynamic Data Masking
C.Test Data Generation
D.Data Loss Prevention

A

B.Dynamic Data Masking

Explanation:
Only dynamic data masking will transform data on the fly with a device such as a proxy that can be used to restrict presentation of actual data based on the user accessing the data. Test data generation requires that data be exported and transformed for every user who is accessing the copied database. None of the other answers is applicable.

12
Q

Why would an SaaS provider require that customers use provider-supplied encryption?

A.Data encrypted by a customer prior to being sent to the provider application may break functionality
B.Customer-managed keys do not exist in SaaS
C.SaaS cannot use encryption because it breaks functionality
D.All SaaS implementations require that all tenants use the same encryption key

A

A.Data encrypted by a customer prior to being sent to the provider application may break functionality

Explanation:
If a customer encrypts data prior to sending it to the SaaS provider, it may impact functionality. SaaS providers should offer customer-managed keys to enhance multitenancy isolation.

13
Q

Which of the following storage types is presented like a file system and is usually accessible via APIs or a front-end interface?

A.Object storage
B.Volume storage
C.Database storage
D.Application/platform storage

A

A.Object storage

Explanation:
Object storage is presented like a file system and is usually accessible via APIs or a front-end interface. The other answers are incorrect.

14
Q

Which of the following should be considered your primary security control?

A.Encryption
B.Logging
C.Data Residency Restrictions
D.Access Controls

A

D.Access Controls

Explanation:
Access controls are always your number-one security control.

15
Q

Which of the following deployment models allows for a customer to have complete control over encryption key management when implemented in a provider’s cloud environment?

A.Virtual Appliance/Software Key Management
B.HSM/Appliance-based key management

A

A.Virtual Appliance/Software Key Management

Explanation:
The only option for an encryption key-management system in a cloud environment is the implementation of a virtual machine or software run on a virtual machine that the customer manages.

16
Q

Which of the following security controls is listed by the payment card industry as a form of protecting credit card data?

A.Tokenization
B.Provider-managed keys
C.Dynamic Data Masking
D.Enterprise Rights Management

A

A.Tokenization

Explanation:
Tokenization is a control the payment card industry lists as an option to protect credit card data.

17
Q

Which of the following is a main differentiator between URL filtering and CASB?

A.DLP
B.DRM
C.ERM
D.Ability to block access based on whitelists and blacklists

A

A.DLP

Explanation:
The main difference between URL filtering and CASB is that, unlike traditional whitelisting or blacklisting of domain names, CASB can use DLP when it is performing inline inspection of SaaS connections.

18
Q

Which of the following is NOT a main component when considering data security controls in cloud environments?

A.Controlling data allowed to be sent to a cloud
B.Protecting and managing data security in the cloud
C.Performing risk assessment of prospective cloud providers
D.Enforcing information lifecycle management

A

C.Performing risk assessment of prospective cloud providers

Explanation:
Although risk assessment of cloud providers is critical, this activity is not a data security control.

19
Q

Which of the following is an example of an attribute that can be used with ABAC?

A.If the user logged on with MFA
B.Biometric data
C.Biometric authentication status
D.Both (if the user logged on with MFA) and (biometric authentication status)

A

D.Both (if the user logged on with MFA) and (biometric authentication status)

Explanation:
Everything about a user and their connection can be used as an attribute to determine access control. However, in the biometric model, actual biometric data is held within the device itself. The fact that biometrics were used is an attribute that can be used.

20
Q

Why should multifactor authentication always be considered?

A.It is a best practice according to the CSA Guidance
B.Cloud services can be accessed by anyone using a web browser
C.Cloud services have the essential characteristic of broad network access
D.MFA is not recommended because users who lose their phones will require manual effort to reset their accounts

A

C.Cloud services have the essential characteristic of broad network access

Explanation:
Cloud services have the essential characteristic of broad network access. This is similar to the fact that it can be accessed by any browser (B), but C is the better response because not all access to a cloud service will always require a web browser. Of course, implementing MFA is a CSA best practice, but that alone is not the reason why it should be implemented. While loss of a cell phone with a soft-token MFA device will likely require manual effort to reset the MFA settings, it is not a valid reason to avoid the use of MFA, especially for privileged accounts.

21
Q

Which of the following is the best federation protocol to implement and support?

A.SAML
B.OAuth
C.OpenID
D.There is no best protocol. You have to determine your use cases and constraints before selecting a protocol

A

D.There is no best protocol. You have to determine your use cases and constraints before selecting a protocol

Explanation:
There is no “magic bullet” protocol for federation. You must always consider your requirements based on use cases and constraints.

22
Q

What is a role?

A.A role is part of federation. It is how your group membership within your company is granted entitlements in your IaaS provider
B.A role is the job you perform at work
C.A role is a temporary credential that is inherited by a system within a cloud environment
D.All of these are correct

A

D.All of these are correct

Explanation:
All the answers are correct. This is why the CSA Guidance says that “role is a confusing and abused term used in many ways.”

23
Q

Which of the following is a factor in multifactor authentication?

A.A secret handshake
B.The color of your eyes
C.A one-time password
D.All of these

A

D.All of these

Explanation:
The factors are something you know (secret handshake), something you have (one-time password), and something you are (eye color). Do these make sense from a technical perspective? Probably not, but they meet the criteria of the three factors all the same.

24
Q

Which of the following protocols is XML-based and supports both authentication and authorization?

A.SAML
B.OAuth
C.OpenID
D.SCIM

A

A.SAML

Explanation:
SAML is XML-based and handles both authentication and authorization. OAuth only deals with “AuthOrization” (memory trick), and OpenID only deals with authentication. SCIM is a provisioning language.

25
Q

Alice wants to update, but not replace, a file via a REST API. What method should Alice use?

A.GET
B.POST
C.PUT
D.PATCH

A

D.PATCH

Explanation:
Alice should use the PATCH method to update, but not replace, a file. The PUT method creates a new file. POST is similar to PATCH, but a POST will update and delete the file.

26
Q

Which of the following introduces the most complexity when considering a multicloud approach to BCP/DR?

A.Applistructure
B.Metastructure
C.Infrastructure
D.Infostructure

A

B.Metastructure

Explanation:
The metastructure introduces the most complexity when considering a multicloud approach to BCP/DR.

27
Q

When you’re considering security agents for cloud instances, what should be a primary concern?

A.The vendor has won awards
B.The vendor uses heuristic-based detection as opposed to signature-based detection
C.The vendor selected for cloud server instances is the same vendor you use for internal instances
D.The vendor agent does not use IP addresses to identify systems

A

D.The vendor agent does not use IP addresses to identify systems

Explanation:
The best answer is that the agent does not use IP addressing as an identification mechanism. Server instances in a cloud can be ephemeral in nature, especially when immutable instances are used. All the other answers are optional in nature and not priorities for cloud security agents.

28
Q

Which of the following is/are accurate statement(s) about the differences between SDN and VLAN?

A.SDN isolates traffic, which can help with microsegmentation. VLANs segment network nodes into broadcast domains
B.VLANs have roughly 65,000 IDs, while SDN has more than 16 million
C.SDN separates the control plane from the hardware device and allows for applications to communicate with the control plane
D.All of these are accurate statements

A

D.All of these are accurate statements

Explanation:

29
Q

When you’re using immutable servers, how should administrative access to the applistructure be granted to make changes to running instances?

A.Administrative access should be limited to the operations team. This is in support of the standard separation of duties approach to security
B.Administrative access should be limited to the development team. This is in support of the new approach to software development, where the developers own the applications they build
C.Administrative access should be restricted for everyone. Any changes made at the applistructure level should be made to the image, and a new instance is created using that image
D.Administrative access to the applistructure is limited to the provider in an immutable environment

A

C.Administrative access should be restricted for everyone. Any changes made at the applistructure level should be made to the image, and a new instance is created using that image

Explanation:
Administrative access to the servers in an immutable environment should be restricted for everyone. Any required changes should be made to an image, and that image is then used to build a new instance. All of the other answers are incorrect.

30
Q

Which of the following is the main purpose behind microsegmentation?

A.It is a fine-grained approach to grouping machines to make them easier to administer
B.It is a fine-grained approach to grouping machines that limits blast radius
C.Microsegmentation can leverage traditional VLAN technology to group machines
D.Microsegmentation implements a zero-trust network

A

B.It is a fine-grained approach to grouping machines that limits blast radius

Explanation:
The best answer is that the purpose behind implementing microsegmentation is to limit the blast radius if an attacker compromises a resource. Using microsegmentation, you are able to take a very fine-grained approach to grouping machines (such as five web servers in the DMZ, but not every system in the DMZ, can communicate). This answer goes beyond answer D, that microsegmentation creates a “zero-trust” network, so B is the better and more applicable answer.

31
Q

Which of the following statements is accurate when discussing the differences between a container and a virtual machine?

A.A container contains the application and required dependencies (such as libraries). A virtual machine contains the operating system, application, and any dependencies
B.A virtual machine can be moved to and from any cloud service provider, while a container is tied to a specific provider
C.Containers remove the dependency of a specific kernel. Virtual machines can run on any platform
D.All of these are accurate statements

A

A.A container contains the application and required dependencies (such as libraries). A virtual machine contains the operating system, application, and any dependencies

Explanation:
A container contains the application and required dependencies (such as libraries). A virtual machine contains the operating system, application, and any dependencies.

32
Q

What is the main characteristic of the cloud that impacts workload security the most?

A.Software defined networks
B.Elastic nature
C.Multitenancy
D.Shared responsibility model

A

C.Multitenancy

Explanation:
The best answer is that multitenancy has the greatest impact on cloud security, and for this reason, cloud providers need to make sure they have very tight controls over the isolation capabilities within the environment. Although the other answers have merit, none of them is the best answer.

33
Q

Select two attributes that a virtual appliance should have in a cloud environment.

A.Ability to tie into the provider’s orchestration capability
B.Failover
C.Granular permissions for administrators
D.Auto-scaling

A

B.Failover
D.Auto-scaling

Explanation:
Auto-scaling and failover are the two most important attributes that a virtual appliance should have in a cloud environment. Any appliance can become a single point of failure and/or a performance bottleneck, and these aspects must be addressed by virtual appliances in a cloud environment. Granular permissions are a good thing to have, but they are not cloud specific. Finally, tying into a provider’s orchestration would be great, but this is not one of the two best answers. You may be thinking that elasticity is tying into the orchestration, and you would be correct. However, the degree of the integration isn’t mentioned. For an example of orchestration, does the virtual appliance have the ability to change a firewall ruleset based on the actions of a user in the cloud or a particular API being called? That’s the type of orchestration that would be ideal, but it requires the vendor to have very tight integration with a particular provider. This type of orchestration is usually native with the provider’s services (for example, a security group can be automatically changed based on a particular action).

34
Q

Wendy wants to add an instance to her cloud implementation. When she attempts to add the instance, she is denied. She checks her permissions and nowhere does it say she is denied the permission to add an instance. What could be wrong?

A.Wendy is trying to launch a Windows server but has permissions to create only Linux instances
B.Wendy does not have root access to the Linux server she is trying to run
C.This is because of the deny-by-default nature of the cloud. If Wendy is not explicitly allowed to add an instance, she is automatically denied by default
D.Wendy is a member of a group that is denied access to add instances

A

B.Wendy does not have root access to the Linux server she is trying to run

Explanation:
A cloud provider should take a deny-by-default approach to security. Therefore, it is most likely that Wendy is not explicitly allowed to launch an instance. Although it is possible that Wendy is also a member of a group that is explicitly denied access to launch an instance, C is the better answer. Metastructure permissions are completely different from operating system permissions, so A and B are incorrect answers.

35
Q

How is management centralized in SDN?

A.By removing the control plane for the underlying networking appliance and placing it in the SDN controller
B.By using northbound APIs that allow software to drive actions at the control layer
C.By using southbound APIs that allow software to drive actions at the control layer
D.SDN is a decentralized model

A

A.By removing the control plane for the underlying networking appliance and placing it in the SDN controller

Explanation:
SDN is centralized by taking the “brains” out of the underlying networking appliance and placing this functionality in the SDN controller. Answer B is a true statement in that northbound APIs allow applications (or software if you will) to drive changes, but it does not answer the question posed. I suppose you could argue that C is also a true statement, but again, it doesn’t answer the question posed.

36
Q

Before beginning a vulnerability assessment (VA) of one of your running instances, what should be done first?

A.Select a VA product that works in a cloud environment
B.Determine whether a provider allows customers to perform a VA and if any advance notice is required
C.Open all SDN firewalls to allow a VA to be performed
D.Establish a time and date that you will access the provider’s data center so you can run the VA on the physical server your instance is running on

A

B.Determine whether a provider allows customers to perform a VA and if any advance notice is required

Explanation:
You should determine whether your provider allows customers to perform a VA of their systems. If they don’t and you haven’t checked, you may find yourself blocked, because the provider won’t know the source of the scan, which could be coming from a bad actor. An agent installed in the applistructure of a server will function regardless of whether the server is a virtual one in a cloud or a physical server in your data center. Opening all firewalls to perform a VA, answer C, would be a very unfortunate decision, because this may open all traffic to the world if it’s done improperly (any IP address on the Internet could have access to any port on the instance, for example). Finally, you are highly unlikely to gain access to a provider’s data center, let alone be given permission to run a VA against any provider-owned and -managed equipment.

37
Q

Why must the provider encrypt hard drives at the physical layer?

A.It prevents data from being compromised as a result of theft
B.It prevents data from being accessed by others via the virtual layer
C.It prevents data from being compromised after the drive is replaced
D.Both (It prevents data from being compromised as a result of theft.) and (It prevents data from being compromised after the drive is replaced)

A

D.Both (It prevents data from being compromised as a result of theft.) and (It prevents data from being compromised after the drive is replaced)

Explanation:
D.Both (It prevents data from being compromised as a result of theft.) and (It prevents data from being compromised after the drive is replaced)

38
Q

How do containers perform isolation?

A.They perform application layer isolation
B.They perform isolation at all layers like a virtual machine does
C.They perform isolation of the repository
D.All of these are correct

A

A.They perform application layer isolation

Explanation:
Containers perform isolation only at the application layer. This is unlike a virtual machine that can offer isolation for all layers. Repositories require appropriate controls to be put in place to restrict unauthorized access to the code and configuration files held within.

39
Q

Which of the following is the number one security priority for a cloud service provider?

A.Implementing SDN firewalls for customers
B.Isolating tenant access to pools of resources
C.Securing the network perimeter
D.Offering network monitoring capability to customers

A

B.Isolating tenant access to pools of resources

Explanation:
The top priority for providers is ensuring that they implement strong isolation capabilities. All of the other answers are possible priorities, but B is the best answer.

40
Q

Which of the following are examples of compute virtualization?

A.Container
B.Cloud overlay networks
C.Software templates
D.(Containers) and (Software templates)

A

A.Container

Explanation:
Of the list presented, only containers can be considered as compute virtualization. Software templates are used to build an entire environment quickly. Although you could use these templates in infrastructure as code (IaC) to build or deploy containers and VMs, this is not considered a compute virtualization. A cloud overlay network enables a virtual network to span multiple physical networks.

41
Q

Nathan is trying to troubleshoot an issue with a packet capture tool on a running instance. He notices clear-text FTP usernames and passwords in the captured network traffic that is intended for another tenant’s machine. What should Nathan do?

A.This is normal behavior in a cloud. He should contact the other tenant and advise them that using clear-text credentials is a bad idea
B.Nathan should contact the other tenant and submit his finding for a bug bounty
C.This is not possible because FTP is prohibited in a cloud environment
D.He should contact the provider and advise them that he will be canceling his use of their cloud services because the provider has failed to isolate the network

A

D.He should contact the provider and advise them that he will be canceling his use of their cloud services because the provider has failed to isolate the network

Explanation:
Nathan is able to see network traffic destined for other machines, so there has been a failure of network isolation, and this should be the provider’s top security priority. If I were Nathan, I would change cloud providers as soon as possible. All the other answers are not applicable (although writing a bunch of screen captures to the other tenant’s FTP directory to advise them of their exposure would be pretty funny).

42
Q

What is/are benefits of a virtual network compared to physical networks?

A.You can compartmentalize application stacks in their own isolated virtual networks, which increases security
B.An entire virtual network can be managed from a single management plane
C.Network filtering in a physical network is easier
D.All of these are true

A

A.You can compartmentalize application stacks in their own isolated virtual networks, which increases security

Explanation:
The only accurate answer listed is that virtual networks can be compartmentalized, and this can increase security; this is expensive, if not impossible, in a physical network. SDN can offer a single management plane for physical network appliances, and the “ease” of filtering is quite subjective. Filtering in a virtual network is different, but it may or may not be more difficult.

43
Q

How is a storage pool created?

A.The provider uses direct storage with a bunch of hard drives attached to a server
B.The provider uses a storage area network
C.The provider uses a NAS
D.The provider builds the storage pool however they want

A

D.The provider builds the storage pool however they want

Explanation:
It is completely up to the provider as to how they build a storage pool. They can use any of the other technologies listed in the answers, or they can use something completely different and proprietary.

44
Q

A provider wants to ensure that customer data is not lost in the event of drive failure. What should the provider do?

A.Use a SAN and copy the data across multiple drives in a storage controller
B.Replicate the data to an offshore third party
C.Make multiple copies of the data and store the copies on multiple storage locations
D.Store client data using solid state drives (SSDs)

A

C.Make multiple copies of the data and store the copies on multiple storage locations

Explanation:
To offer increased resiliency, the provider should make multiple copies of customer data and store copies across multiple storage locations. Answer A looks good, but it’s not the best answer, because a SAN is not required and, more importantly, writing data to multiple drives in the same controller will not protect against the single point of failure in the controller (or the controller corrupting the data). Finally, we haven’t discussed the difference between “normal” magnetic storage drives versus solid state drives, but SSDs can fail just like magnetic ones, so D isn’t the best answer either.

45
Q

Why is volatile memory a security concern for providers?

A.It isn't. Volatile memory protection is the customer's responsibility
B.Volatile memory may contain unencrypted information
C.Volatile memory may contain credentials
D.Both (Volatile memory may contain unencrypted information) and (Volatile memory may contain credentials) are correct

A

D.Both (Volatile memory may contain unencrypted information) and (Volatile memory may contain credentials) are correct

Explanation:
The correct answer is that volatile memory can contain sensitive information such as credentials and data that needs to be unencrypted in order to be processed. Both the provider and the customer play a role in ensuring security related to volatile memory. The provider needs to ensure that volatile memory from one tenant is never seen by another tenant (an even better way to think of it is that one workload shouldn’t have access to another workload). The customer needs to make sure that volatile memory is wiped from a system prior to it being imaged. This can be achieved by rebooting the instance prior to creating the image.

46
Q

Which of the following components in a container environment require access control and strong authentication?

A.Container runtime
B.Orchestration and scheduling system
C.Image repository
D.All of these

A

D.All of these

Explanation:
Yes, all of these are the right choice this time. But wait! There’s a good story here that I’m including for those of you still with me. In February 2018, Tesla (the car company) was breached. Thankfully for Tesla, the attackers only wanted to use Tesla cloud resources for bitcoin mining. How was Tesla breached? Was it a zero-day attack? Was it advanced state-sponsored agents? Nope! Its container orchestration software (Kubernetes in this case) was accessible from the Internet and didn’t require a password to access it! Not only did this give the attackers the ability to launch their own containers, paid for courtesy of Tesla, but inside the Kubernetes system was a secrets area that had Amazon S3 keys stored in it. The keys were used to access nonpublic information from Tesla. Again, container security involves much more than just application security within a container.

47
Q

Which area of incident response is most impacted by automation of activities?

A.Preparation
B.Detection
C.Containment, eradication and recovery
D.Post-incident

A

C.Containment, eradication and recovery

Explanation:
The correct answer is containment, eradication, and recovery. Although tools supplied by the cloud provider can greatly enhance detection as well, the tools available to you in a cloud environment have the most impact on containment, eradication, and recovery efforts.

48
Q

Upon investigation of a potential incident, what should be performed first?

A.The master account credentials should be retrieved and used to perform an investigation of the metastructure to ensure that the attacker is no longer in the management plane
B.Every account should be logged off and their passwords reset
C.Every server should be terminated
D.Snapshots of every instance should be performed using APIs

A

A.The master account credentials should be retrieved and used to perform an investigation of the metastructure to ensure that the attacker is no longer in the management plane

Explanation:
An investigation should be performed using the master account so there is complete visibility of all activity taking place in the management plane. Snapshots of servers being investigated can be performed, but this should be done only after it is confirmed that the attacker is no longer in the management plane. Logging everyone off may have limited benefits, but, again, confirmation that the attacker no longer has management plane access is the first step in incident response of the metastructure. Terminating all server instances is not an appropriate answer at all.

49
Q

How can a server instance be quickly quarantined in an IaaS environment?

A.Perform a snapshot
B.Log on to the server instance and disable all user accounts
C.Pause the instance if the vendor allows such action
D.Change the virtual firewall ruleset to allow access only from an investigator workstation

A

D.Change the virtual firewall ruleset to allow access only from an investigator workstation

Explanation:
The best answer is to change the virtual firewall ruleset to allow access only from the investigator workstation. The steps in the other answers can be performed after the server instance can no longer be reached by an attacker.

50
Q

Which of the following is a consideration concerning log data supplied by a provider?

A.It will meet legal chain-of-custody requirements
B.It is in a format that can be used by customers
C.It is supplied in a timely manner to support investigation
D.Both (It will meet legal chain-of-custody requirements) and (It is in a format that can be used by customers) are correct

A

D.Both (It will meet legal chain-of-custody requirements) and (It is in a format that can be used by customers) are correct

Explanation:
The correct answers are A and B. Timely access to any data supplied by the provider is not mentioned in the guidance.

51
Q

How often should incident response plans be tested?

A.Annually
B.Monthly
C.Quarterly
D.As part of due diligence prior to production use of the system

A

A.Annually

Explanation:
IR plans should be tested annually. Remember, though, that the CSA Guidance specifically states that tests should be performed annually or when significant changes are made. Remember both when you take your exam.

52
Q

Which phase does proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments fall under?

A.Preparation
B.Detection
C.Containment, eradication and recovery
D.Post-incident

A

A.Preparation

Explanation:
Proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments are all under the preparation phase in the CSA Guidance.

53
Q

What is (are) the most important aspect(s) of incident response in a cloud environment?

A.Obtaining virtual tools to investigate virtual servers
B.Training of incident response staff
C.Setting service level agreements and establishing roles and responsibility
D.All of these

A

C.Setting service level agreements and establishing roles and responsibility

Explanation:
Yes, all of the entries are important, but the question specifically states which is (are) the most important. The CSA Guidance states that “SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources.” You need to do these things before you can work on the tools and training of individuals.

54
Q

What is the purpose of an “Application Stack Map”?

A.To understand the various systems that are used as part of an application
B.To understand where data is going to reside
C.To understand the programming languages used in an application
D.To understand the various dependencies associated with an application

A

B.To understand where data is going to reside

Explanation:
The best answer is that an Application Stack Map can be implemented to understand where data is going to reside. On top of knowing where your data can reside, it will help address geographic differences in monitoring and data capture.

55
Q

What is a cloud jump kit?

A.Having an updated resume ready in the event of an RGE (resume-generating event)
B.A kit with required cables, connectors, and hard drives ready for performing investigation of a physical server
C.A collection of tools needed to perform investigations in a remote location
D.Procedures to follow when handing off an investigation to a provider

A

C.A collection of tools needed to perform investigations in a remote location

Explanation:
The cloud jump kit is a collection of tools required to perform investigation of remote locations (such as cloud services). This is the set of “virtual tools for a virtual world” if you will. Of course, if you have an incident in a cloud environment and you realize only at that time that you are lacking virtual tools and knowledge of them, this is most likely a resume-generating event. If a provider takes over investigation on their end, they will likely be using their own investigation tools.

56
Q

How may logging in PaaS be different from logging in IaaS?

A.PaaS logs must be supplied by the provider upon request
B.Custom application-level logging will likely be needed
C.PaaS log formats will be in JSON format and will require special tools to read
D.All of these are correct

A

B.Custom application-level logging will likely be needed

Explanation:
PaaS (and serverless application architectures) will likely need custom application-level logging because there will likely be gaps in what the provider offers and what is required for incident response support. PaaS providers may have more detailed logs available, but you will have to determine when these can be shared by the provider. Finally, although the format of data is important, JSON is easily readable and doesn’t require special tools.

57
Q

Prior to developing applications in a cloud, which training(s) should be undertaken by security team members?

A.Vendor-neutral cloud training
B.Provider-specific training
C.Development tool training
D.Both (Vendor-neutral cloud training) and (Provider-specific training)

A

D.Both (Vendor-neutral cloud training) and (Provider-specific training)

Explanation:
Security team members should take both vendor-neutral training (such as CCSK) and provider-specific training (these are also recommended for developers and operations staff). Tools that are specific to deployments are not listed as required for security team members, only for operations and development staff.

58
Q

Tristan has just been hired as CIO of a company. His first desired action is to implement DevOps. Which of the following is the first item that Tristan should focus on as part of DevOps?

A.Selecting an appropriate continuous integration server
B.Choosing a proof-of-concept project that will be the first use of DevOps
C.Understanding the existing corporate culture and getting leadership buy-in
D.Choosing the appropriate cloud service for DevOps

A

C.Understanding the existing corporate culture and getting leadership buy-in

Explanation:
Remember that DevOps is a culture, not a tool or technology (although a continuous integration service is a key component of the CI/CD pipeline that will be leveraged by DevOps). Understanding the existing corporate culture and getting leadership buy-in should be Tristan’s first course of action in implementing DevOps in his new position. DevOps is not a cloud technology.

59
Q

When you’re planning a vulnerability assessment, what is the first action you should take?

A.Determine the scope of the vulnerability assessment
B.Determine the platform to be tested
C.Determine whether the vendor needs to be given notification in advance of the assessment
D.Determine whether the assessment will be performed from the outside or on the server instance used by the running application

A

C.Determine whether the vendor needs to be given notification in advance of the assessment

Explanation:
You should always determine whether a vendor must be advised of any assessment in advance. If the provider requires advance notice as part of the terms and conditions of your use, not advising them of an assessment may be considered a breach of contract. Answers A and B are standard procedures as part of an assessment and must be performed regardless of the cloud. Answer D is an interesting one, because you are not guaranteed even to have a server instance to log onto as part of your assessment. The application could be built using PaaS, serverless, or some other technology managed by the provider.

60
Q

Better segregation of the management plane can be achieved by doing which of the following?

A.Running all applications in a PaaS
B.Run applications in their own cloud account
C.Leverage DevOps
D.Use immutable workloads

A

B.Run applications in their own cloud account

Explanation:
Running applications in their own cloud accounts can lead to tighter segregation of the management plane. None of the other answers is applicable for this question.