Chapter 1 Domain 1: Cloud Concepts, Architecture, and Design (Ben Malisow) Flashcards

Question

The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you most like to see? A. SOC 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3

Answer 1

C. SOC 2, Type 2 Explanation: The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. The SOC 1 report provides information about financial reporting mechanisms of the target only and is of little interest to the IT security professional, so option A is incorrect. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function, so option B is incorrect. The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.

Answer 2

A. SOC 1 Explanation: The SOC 1 report provides information about financial reporting mechanisms of the target only. Although this information may be of little use to the IT security professional, it may be of great use to potential investors, if for nothing other than providing some assurance that reporting is valid and believable. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, this is of little interest to the investor, so option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, this is of little interest to the investor, so option C is incorrect. The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.

Answer 3

D. SOC 3 Explanation: The SOC 3 report is an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s. The SOC 1 report provides information about financial reporting mechanisms of the target only. This information may be of little use to the IT security professional and won’t help you choose a cloud vendor, so option A is incorrect. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, it is more comprehensive and detailed than a SOC 3 report, so it would take more time; option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, it is very detailed and comprehensive and wouldn’t be a speedy tool to narrow the field. Option C is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.

Answer 4

D. A company that offers credit card debt repayment counseling Explanation: PCI DSS applies only to those entities that want to engage in the business of taking or processing credit card payments, which would include options A, B, and C. A counseling service is not engaged in commerce involving credit cards and therefore is under no obligation to adhere to the PCI DSS. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.

Answer 5

B. Jail time Explanation: Because PCI DSS is strictly voluntary, and the PCI Council is not a government body but a consortium of private interests, they cannot detain or imprison anyone. They can, however, assess fees, suspend processing privileges, and require more auditing, so the other answers Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.

Answer 6

B. Number of transactions over the course of a year Explanation: The PCI merchant levels are based on how many transactions a compliant entity engages in over the course of a year. All the other options are incorrect because the dollar value of transactions and location of the merchant or processor are not the criteria used for determining PCI DSS merchant levels. Only the transactions a compliant entity engages in over the course of a year is the correct answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 7

A.1 Explanation: Merchant level 1 is for the merchants that engage in the most transactions per year (six million or more). It carries with it the requirement for the most comprehensive, detailed, and repeated security validation actions. It may be tempting to choose the highest number when choosing an answer for the highest merchant level. It may be counterintuitive to think that level 1 would be a higher level than a level 4. However, level 1 is the highest merchant level and is the correct answer to this question. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 8

C.Technical and nontechnical Explanation: The Payment Card Industry Data Security Standard (PCI DSS) requires multiple kinds of technical and nontechnical security requirements (including specific control types) for those entities that choose to subscribe to the standard. Option A is partially correct and partially incorrect. While the security requirements are partially technical, some requirements are also nontechnical. Therefore, option A is incorrect. Option B is also partially correct and partially incorrect. While the security requirements are partially nontechnical, some requirements are technical. Therefore, option B is incorrect. Option C is incorrect because the requirements are technical and nontechnical, not neither technical nor nontechnical. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 9

D. Tokenization or encryption Explanation: The Payment Card Industry Data Security Standard (PCI DSS) allows for cardholder information at rest to be secured with either tokenization or encryption, but use of one is mandatory. The other options are distractors and not dictated by PCI DSS. They can, however, be useful in fulfilling certain credit card support services, such as customer support, where the personnel engaged in the activity (customer support agents, for instance) may need access to a limited set of the cardholder’s account information (for instance, name, mailing address, and date of the payment) but do not have a need to know other elements of that data set (particularly, the full credit card number); masking and obfuscation can satisfy that business need without putting data unduly at risk. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 10

B. The card verification value (CVV) Explanation: The Payment Card Industry Data Security Standard (PCI DSS) disallows the storage of the CVV for any length of time; the CVV may only be used during the payment transaction, and not saved. The other options may be stored for future transactions with the same merchant. However, unlike the CVV they may be stored by the merchant. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 11

B. How thoroughly the product has been tested Explanation: The EAL is a measure of how thoroughly the security features the product vendor claims the product offers have been tested and reviewed, and by whom. The EAL does not offer any true measure of how well those security features will work in a production environment so options A and C are incorrect. Whether those features are preferable to other features offered by competing products, or whether the product is “good.” Therefore, option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.

Answer 12

A. 1 Explanation: EAL 1 is for functionally tested products. Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked. Option C, EAL 5 is incorrect because that is for solutions that have been semi-formally designed and tested. Option D is incorrect because EAL 7 is for solutions that have been formally verified design and tested. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 13

D. 7 Explanation: EAL 7 is for those products that have undergone independent third-party testing and verification of security feature design. All other options are distractors and incorrect. EAL 1 is for functionally tested products. EAL 3 is for solutions that have been methodically tested and checked. EAL 5 is for solutions that have been semi-formally designed and tested. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 14

B. The vendor/manufacturer Explanation: The vendor/manufacturer of a given product will pay to have it certified, with the premise that certification costs are offset by premium prices that certified products command and that customers won’t purchase uncertified products. NIST does not certify products for Common Criteria. NIST is a U.S. government organization. Option C is incorrect because the cloud customer does not pay to have IT products certified. Option D is incorrect because the end user is an individual and individuals do not pay to have IT products certified. (Note: Of course, the manufacturer/vendor is going to amortize the cost of the certification process across the price of the products they sell, so the customers who purchase the product will eventually “pay” for the certification, but that’s a very oblique and abstract way of reading the question.) Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 15

D. The National Institute of Standards and Technology (NIST) Explanation: NIST publishes the list of validated crypto modules. The other choices are government or non-government organizations that are not involved with publishing the list of cryptographic modules that meet FIPS 140-2 requirements. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 16

C. Independent (private) laboratories ``` Explanation: Vendors seeking HSM certification under FIPS 140-2 send their products to independent laboratories that have been validated as Cryptographic Module Testing Laboratories under the National Voluntary Laboratory Accreditation Program (the Accreditation Program is run by NIST, which approves the laboratories). As of this writing, 21 labs in the United States and Canada are accredited. Option A is incorrect because NIST does not perform the review process. NIST approves the independent laboratories that perform the review process. Option B is incorrect. Of all the activities that the NSA does perform, reviewing the process for Hardware Security Modules in accordance with FIPS 140-2 is certainly not one of them. Option D is incorrect because the ENISA is a European Union organization that supports European Union institutions and stakeholders. ``` Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 17

D. 4 Explanation: The highest security level a product can reach is 4. Option A is incorrect because Level 1 is the lowest level of security. Option B is incorrect because Level 2 simply improves upon the physical security of Level 2. Option C is incorrect because Level 3 improves upon Level 2 certification and adds tamper-detection/response capabilities. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.

Answer 18

B. The amount of physical protection provided by the product, in terms of tamper resistance ``` Explanation: The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts. The question asks what distinguishes the security levels for cryptographic modules. Option A focuses on the sensitivity of the data being protected. The sensitivity of the data that is being protected is important when it comes to the cryptographic module being used, but that is not the distinction between the security levels in FIPS 140-2. Option C is incorrect because the size of the IT environment the cryptographic module is protecting is not what distinguishes the different levels. Option D is not correct because whether the cryptographic module is or is not allowed in a certain geographic location has no bearing on whether or not it works. The cryptographic module either works or it does not, regardless of its location. ``` Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.

Answer 19

A. Sensitive but unclassified (SBU) Explanation: FIPS 140-2 is only for SBU data. Options B, C, and D are incorrect because FIPS 140-2 certifies cryptographic modules for unclassified data. Secret, Top Secret, and Sensitive Compartmentalized Information all are categorized as classified information when it refers to their sensitivity level. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.

Answer 20

B. Module vendors ``` Explanation: Vendors who want their products certified under FIPS 140-2 must pay the laboratory that performs the evaluation. Option A is incorrect because the U.S. government is not in the business of paying for cryptographic module certifications. The U.S. government can require the use of cryptographic modules in certain situations. Certification laboratories receive funds for certifying cryptographic modules. They do not pay to have them certified. Therefore, option C is incorrect. Option D is incorrect. Users do not pay to have solutions certified. ``` Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.

Answer 21

B. Disciplined coding practices and processes Explanation: Most of the items on the Top Ten could be addressed with strong coding practices and by adhering to strict internal management processes (on the part of the organization involved in development). A good number of the items that continually appear on the list, such as injection, cross-site scripting, insecure direct object references, security misconfiguration, missing function-level access control, use of components with known vulnerabilities, and unvalidated redirects and forwards, can all be addressed by basic development practices, such as bounds checking/input validation, code validation/verification protocols, and informed oversight of the project. Strangely, option A is not correct in this case. Social engineering is perhaps the aspect of information security that is least understood (by users) and easiest to exploit, and it is the attack tactic most likely to succeed. Social engineering training could probably reduce the greatest number of overall security threats in our field today. However, this specific question is all about application security, and the element of social engineering is negligible. Option C is not correct because source code testing is only one aspect of code review and would not address as many items on the Top Ten as option B would. Option D is not correct for much the same reason option A is incorrect; this question is specifically about application security, and the physical protection element is very minor. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.

Answer 22

C. Trick the application into running commands. Explanation: In injection attacks (a large percentage of which are called SQL injection, for the prevalence with which attackers target databases with this attack), the attacker enters a string of command code into a user-facing field in an attempt to get the application to run the command. This results in a process that the attacker can leverage or puts the software into a fail state that might negate some of the security controls that are present in normal operation. Option A is incorrect; this is a description of social engineering. Option B is incorrect; SQL injection does not typically involve malware. An attack that allows someone to penetrate a facility is a physical attack. The attacker has to physically be at the facility itself. Option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.

Answer 23

C. Input validation/bounds checking Explanation: Attackers attempting injection put command code into a data entry field; if the application has suitable input validation (that is, refusing code strings and confirming that input conforms to field value types), it will block those attacks. Injection attacks target applications, not users, so user training has little to do with preventing injection, making option A incorrect. The OS usually has little to do with injection attacks, which usually target user-facing web apps that ride on the OS, so option B is not correct. Injection attacks are logical, not physical, so locks won’t aid the security effort in this case, making option D incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.

Answer 24

A. Do not use custom authentication schemes. Explanation: This answer requires a bit of thought and knowledge of common practices. Throughout the IT industry, many developers attempt to design and implement their own authentication schema. According to OWASP, this approach is almost always a bad idea because of the many vulnerabilities such custom schemes may fail to address. Using approved, tested authentication implementations is a way to avoid this problem. Authentication schema should be transparent to users, who will have little or (preferably) no control over that element of communication. Thus, training is not applicable in this case, making option B wrong. Input validation is used to counter injection attacks and has no efficacy in authentication implementations, making option C incorrect. The X.400 standards are for email communication and are not applicable to session authentication; thus, option D is wrong. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.

Answer 25

D. Failure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance Explanation: HIPAA is the U.S. federal law governing medical information; it has nothing to do with authentication or session management. Failure to follow HIPAA leads to regulatory noncompliance (for those covered by it). All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.

Answer 26

C. Weak physical entry points in the data center Explanation: As breaking authentication and session management is a logical attack, lack of physical controls don’t affect such attacks. All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.

Answer 27

D. Encrypt all HTML documents. Explanation: In many cases, HTML documents are meant to be seen by the public or new users who do not yet have trust associations (accounts) with the organization, so encrypting every HTML document would be counter to the purpose. Moreover, total encryption of everything, even material that is not particularly sensitive or valuable, incurs an additional cost with no appreciable benefit. The other options are all actions that OWASP recommends for reducing the risk of XSS attacks: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.

Answer 28

B. Use XML escape for all identity assertions. Explanation: Option B is a incorrect because the answer narrows the risk for only the identity assertions and does not address XSS attack risks. All the other options are actions recommended by OWASP for reducing XSS attack risks. This question is particularly difficult as it delves into a level of detail that may or may not appear on the actual exam; however, all source documents listed in the Candidate Information Bulletin, including the OWASP Top Ten, are fair game for the test, so it is best to have at least an understanding of these sources. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.

Answer 29

A. www.sybex.com/authoraccounts/benmalisow Explanation: The URL in option A reveals a location of specific data as well as the format for potential other data (such as other authors’ pages/accounts); this is a classic example of an insecure direct object reference. Option B is a DoS program string; C is a SQL database command line (which wouldn’t reveal any information on its own; it would prompt for a password); and option D is just an email address. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.

Answer 30

B. Check access each time a direct object reference is called by an untrusted source. Explanation: Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object. Option A will not aid in insecure direct object risks; this is not a user issue, usually, but a programming issue. Option C is for physical security, while insecure direct object references are logical attacks. Option D does not reduce the risk of insecure direct object references because classification and categorization are not protections themselves but need to be paired with proper control sets in order to provide protection. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.

Answer 31

C. Leaving default accounts unchanged Explanation: Default accounts are a continual security problem in the InfoSec space, and one that is relatively easy to address. Any new systems should be checked for default accounts, which should be stripped out before deployment. Untrusted users should not have encryption keys, so this is not a misconfiguration; therefore, option A is incorrect. A public-facing website can be extremely useful for marketing purposes and is not necessarily a security issue in and of itself, so option B is incorrect. Option D might or might not be true; both turnstiles and mantraps are physical security controls, and we can’t be sure whether one or the other is preferable in any given situation, so we don’t know if this is a misconfiguration or a proper configuration. Option C is therefore preferable. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.

Answer 32

A. Having unpatched software in the production environment Explanation: Any software with out-of-date builds can be considered misconfigured. Option B is bad security practice but not considered a misconfiguration. Data owners are supposed to classify/categorize the data under their control, so option C is not a correct answer. Preventing users from reaching untrusted resources may be a proper control in a given environment, so option D is not a misconfiguration, and not a correct answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 33

B. Have a repeatable hardening process for all systems/software. Explanation: This question requires some thought. All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option B is the best answer for this specific question: it is a method for reducing risks due to misconfiguration—a repeatable process for hardening systems/software that addresses other bad practices and is itself a good practice. This is the best answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 34

C. A repeatable patching process that includes updating libraries as well as software Explanation: All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option C is the best answer for this specific question. The other three options are personnel/administrative/managerial controls, where the security misconfiguration is more a technical issue, which requires a technical solution. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 35

B. Follow a published, known industry standard for baseline configurations. Explanation: All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option B is the best answer for this specific question. The other three options are personnel/administrative/managerial controls, where the security misconfiguration is more a technical issue, which requires a technical solution. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 36

D. Perform periodic scans and audits of the environment. Explanation: All of these are good security practices, but only option D is a method for detecting and addressing misconfigurations. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 37

A. Extensive user training on proper data handling techniques Explanation: Users are the most likely source of sensitive data exposure, particularly inadvertently. Ensuring that users know how to handle material properly is an excellent means for addressing the issue. Option B is incorrect because firewalls that inspect inbound traffic only will not notice data exposed accidentally or maliciously as it travels outbound. Option C is incorrect because it has nothing to do with data disclosure and is instead about business continuity and disaster recovery (BC/DR). Option D is incorrect because it has nothing to do with data disclosure and is instead about physical security. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 38

B. Avoiding categorizing data as sensitive Explanation: B. Data needs to be categorized according to its value/sensitivity; avoiding accurate categorization is just as troublesome, from a security perspective, as not categorizing the data or overcategorizing it (putting it in a higher category than it deserves). All the other options are ways of reducing the risk of sensitive data disclosure. Option A reduces the possibility of disclosure by reducing the amount of data on hand (from the OWASP: “Data you don’t have can’t be stolen”). Option C reduces the chance of disclosing keys, which leads to disclosing the data. Option D reduces the possibility that the form will disclose sensitive data to someone filling it out by prompting with an entry that should be protected. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.

Answer 39

A. Set the default to deny all access to functions, and require authentication/authorization for each access request. Explanation: Setting the default to denying access forces all resource requests to be verified, thus ensuring that no particular function may be run without explicitly ensuring that it was called by an authorized user. Option B is used to deter cross-site scripting attacks, so it is incorrect. Option C is correct but insufficient; option A includes a more restrictive mode, so is therefore a better choice. Option D is used to deter the possibility of insecure direct object references, so it is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition.

Answer 40

A. Run a process as both user and privileged user, compare results, and determine similarity. Explanation: The method in option A will help you determine if there are functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls. According to the OWASP, “automated tools are unlikely to find these problems,” so option B is incorrect. Option C is incorrect because it is the exact opposite of what you’re trying to accomplish; this is an example of what happens when function-level access controls are missing. Option D in no way addresses the problem of missing function-level access controls, which is a technical problem, not a user issue. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition.

Answer 41

D. Include a CAPTCHA code as part of the user resource request process. Explanation: Having the user authenticate the intentional request is a way to reduce the automated, forged requests attackers might submit as part of CSRF; CAPTCHA is a great way to reduce the likelihood of success for automated attacks. Option A is incorrect because HTTP requests are usually made by the browser, without the user’s knowledge; the user has no perspective of such requests, so this wouldn’t be a useful mechanism in prevention. Option B is incorrect because it’s unrealistic. Removing all browsers would decrease the utility of the systems to the point where productivity would be negligible. Option C is incorrect for similar reasons; the danger from CSRF is not because of links to the target website but because of the browser behavior. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition.

Answer 42

D. The attacker could trick the user into calling a fraudulent customer service number hosted by the attacker and talk the user into disclosing personal information Explanation: This is a description of social engineering, not CSRF, which is a browser-based attack. All the other options are possible exploits an attacker might try to accomplish with a CSRF attack. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition.

Answer 43

B. Ensure that all HTTP resource requests include a unique, unpredictable token. Explanation: This is the option OWASP recommends as the very least form of protection. Having a unique, unpredictable token for each session reduces the likelihood an attacker will be able to reuse tokens known by the browser or craft tokens that can be used in future attacks. Option A is not optimal or sensible because it would inhibit all web traffic and remote access. Option C is not optimal or sensible because it would severely limit your online capabilities. Option D is not sensible because all browsers use stored tokens/cookies, and no browser is preferable for the purpose over others. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 211). Wiley. Kindle Edition.

Answer 44

B. Update to current versions of component libraries as soon as possible. Explanation: This is not an easy question and requires an understanding of how component libraries are used in software design. Option B is preferable to the others because, according to the OWASP, publishers of component libraries do not often patch old components but rather issue the fixed component(s) as a new version. This is also why option D is incorrect. Options A and C are two ways of stating the same thing, and not optimal; trying to use this method would require every one of your software packages to be wholly written by your programmers, which is actually not more secure than using published component libraries because the risk of additional human error and lack of review is introduced to the process. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 212). Wiley. Kindle Edition.

Answer 45

B. The particular vulnerabilities exist only in a context not being used by developers. Explanation: This is not an easy question and requires an understanding of how component libraries are used in software design. Option B makes the most sense; some vulnerabilities are known to exist only when a component is used in a specific way or with specific services; if the programmers are not including that way of using the component or the risky service, then the vulnerability would not pose a threat to the software they are creating and may therefore be acceptable. Option A is not correct because an underwriter would be unlikely to cover a claim resulting solely from negligence; using a component with a known vulnerability and putting the product/user at risk knowingly would probably invalidate any insurance policy. Option C might conceivably be considered correct in a fashion; different countries have different legislation/regulations, and a vulnerability that could cause noncompliance in one country might not in another. However, this is a rather tortured reading of the question, requiring some convoluted reasoning, and this option is therefore not the best answer. Option D is not correct because a hidden vulnerability, by definition, is not a known vulnerability. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 212). Wiley. Kindle Edition.

Answer 46

B. Review all updates/lists/notifications for components your organization uses. Explanation: Staying current with published vulnerabilities for your component is crucial. This might not be simple as there are many versions of design components, and nomenclature is not always uniform. Option A is incorrect because even standard libraries are subject to vulnerabilities, so you have to review notifications about those as well. Option C is not correct; this is a method for reducing the risk of cross-site scripting (XSS) attacks. Option D will not work as users have no influence or effect on which components are used in software design. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 212). Wiley. Kindle Edition.

Answer 47

B. Train users to recognize invalidated links. Explanation: Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering/phishing aspect. Users trained to recognize social engineering/phishing indicators might be able to avoid susceptibility to these attacks. Option A is not correct; this is a method for reducing the risk of cross-site scripting (XSS) attacks. Option C is not correct; it is ridiculous and would result in preventing all remote access. Option D is not correct; audit logging would only track activity, not prevent a user from being directed/forwarded to an attack site. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 212). Wiley. Kindle Edition.

Answer 48

A. Don’t use redirects/forwards in your applications. Explanation: Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid the problem altogether, and redirects/forwards are not necessary for efficient usage. Option B is a incorrect because this type of attack is not aimed at stored credentials. Options C and D are both incorrect because neither of those types of solutions detect or prevent this type of attack. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 49

A. Interoperability Explanation: This is the definition of cloud migration interoperability challenges. Portability is the measure of how difficult it might be to move the organization’s systems/data from a given cloud host to another cloud host. Stability has no specific meaning here and is just a distractor. Security might be an element of this challenge but is not the optimum answer; the question posed a concern about functionality, not disclosure or tainting the information. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 50

B. Portability Explanation: This is the definition of cloud migration portability, the measure of how difficult it might be to move the organization’s systems/data from a given cloud host to another cloud host. Interoperability issues involve whether the cloud customer’s legacy services/data will interface properly with the provider’s systems. Stability has no specific meaning here and is just a distractor. Security might be an element of this challenge, but it is not the optimum answer; the question posed a concern about functionality, not disclosure or tainting the information. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 51

D. Regulatory Explanation: This is the definition of a regulatory issue. Option B might also be a factor in this kind of issue, but because the subject of privacy or any specific related topic (such as personally identifiable information [PII], the European Union General Data Protection Regulation) was not mentioned, option D is the better answer. Resiliency issues involve the provider’s ability to handle disruptive externalities, such as natural disasters, system failures, and utility outages. Performance issues address the ability of the provider to meet the customer’s IT needs. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 52

D.Auditability Explanation: This is not an easy question. In the context of the question, the cloud customer is trying to ascertain whether they are getting what they’re paying for; that is, a way for them to audit the cloud provider and the service as a whole. This is not a regulatory issue, as it concerns the contractual agreement between the provider and the customer, not a third party performing oversight. It is also not a privacy issue (primarily; privacy concerns might be part of the contract, but it’s not the prevailing aspect of the issue here). Resiliency issues involve the provider’s ability to handle disruptive externalities, such as natural disasters, system failures, or utility outages. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 53

B. It would cause additional processing overhead and time delay. Explanation: B. Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability—there is always a trade-off between security and productivity. Option A is gibberish and only a distractor. Option C is incorrect because vendor lock-out does not result from encryption; it is what might happen if the cloud provider goes out of business while holding your data. Data subjects are the individuals whose personally identifiable information (PII) an organization holds; usually, they will not know or care if something is encrypted (unless there is a breach of that PII, and then investigators will want to determine how that PII was protected) and would probably welcome total encryption, even though that might mean a decrease in operational capability. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 213). Wiley. Kindle Edition.

Answer 54

C. The protection might be disproportionate to the value of the asset(s). Explanation: Security should be commensurate with asset value, as determined by management; putting extra security on everything in an environment is usually not cost effective. The other options don’t make sense. For example, encryption doesn’t affect the potential for physical theft, encryption can be implemented organization-wide, and access controls can be placed on encrypted information as well as unencrypted. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 55

C. Discretion Explanation: Discretion is not an element of identification and has no meaning in this context. All the other options are aspects of the identification portion of IAM. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 56

B. The human resources (HR) office Explanation: Of these options, HR is most likely to participate in identity provisioning; HR will usually validate the user’s identity against some documentation (driver’s license, passport, etc.) as part of the user’s initial employment process and then pass confirmation of validation along to whatever entity issues system sign-on credentials. None of the other entities usually takes part in user identification. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 57

B. Open but unassigned accounts are vulnerabilities. Explanation: Unused accounts that remain open can serve as attack vectors. All the other options are not associated with identity and access management. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 58

D. To determine whether the user is still performing well Explanation: Job performance is not a germane aspect of account review and maintenance; that is a management concern, not an access control issue. All the other options are legitimate access control concerns. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 59

A. The user’s manager Explanation: This is not an easy question. The best answer to the question does not appear on the list; that would be the data owner, because the data owner should be the ultimate arbiter of who has what access to the data under the owner’s control. However, of these options, A is the best; the user’s manager will have the greatest amount of insight into the role of the user within the organization and therefore will understand best which data the user needs to access. The security manager does not have this insight, and the task of reviewing all access for all users within the organization would be far too large an undertaking for that position. Accounting and incident response play no part in reviewing ongoing user account applicability. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 60

C. Lightweight Directory Access Protocol (LDAP) Explanation: LDAP is used in constructing and maintaining centralized directory services, which are vital in all aspects of IAM. SSL and IPSec are used to create secure communication sessions—important, but not most applicable for IAM. AADT is a fictitious term used as a distractor. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 61

D. Privileged users can cause more damage to the organization. Explanation: The additional capabilities of privileged users make their activities riskier to the organization, so these accounts bear extra review. The number of encryption keys a user has is meaningless out of context; the amount of risk is the issue, not the number of keys. The user’s type (regular versus privileged) is not an indicator, itself, of trustworthiness. Additional review activity for privileged users is an extra control we place on privileged users, not a reason for doing so. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 62

D. Pat-down checks of privileged users to deter against physical theft Explanation: The efficacy of frisking administrators and managers is doubtful, and the harm to morale and disparity of enforcement likely outweighs any security benefit. All the other options could and should be included in privileged account review. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 214). Wiley. Kindle Edition.

Answer 63

C. The bank branch being used by the privileged user Explanation: Which bank branch a privileged user frequents is unlikely to be of consequence. Too much money can indicate that the privileged user is accepting payment from someone other than the employer, which can be an indicator of malfeasance or corruption. Too little money can indicate that the privileged user is subject to undue financial stress, which might be the result of behavior that makes the privileged user susceptible to subversion, such as a drug habit, family problems, or excess gambling. Specific senders and recipients of personal funds can indicate untoward activity on the part of the privileged user. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 64

D.More often than regular user account reviews Explanation: There is no specific rule for the timeliness of privileged user account reviews. However, as a matter of course, privileged user accounts should be reviewed more often than the accounts of regular users because privileged users can cause more damage and therefore entail more risk. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 65

A. Temporary Explanation: Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value. The other options are not associated with appropriate privilege access management. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 66

C. From internal or external sources Explanation: The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors. Although breaches might be overt or covert, or large or small, we don’t usually think of them in these terms, and the CSA doesn’t discuss them that way, so options A and D aren’t correct. Option B is just incorrect because subterranean is not associated with the CSA’s Notorious Nine list of common threats. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 67

A. Notify affected users Explanation: Data breach notification laws are plentiful; organizations operating in the cloud are almost sure to be subject to one or more such laws. Option B is incorrect because the CSA does not suggest that an organization that operates in the cloud environment and suffers a data breach may be required to reapply for cloud service. Option C is unlikely because most cloud customers won’t have physical access to/control of devices; moreover, a breach does not always entail sanitization. Option D does not make sense, either; regulations are imposed on organizations, as legal mandates, and an organization does not get to choose which regulations affect it. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 68

D. Cost of detection Explanation: The cost of detection exists whether or not the organization suffers a breach. All other options are costs an organization will likely face as the result of a breach. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 69

C. All standards-based notification schemes Explanation: This question requires a bit of thought. Option C is correct because an organization is not required to subscribe to all standards but instead only the standards it selects (or are imposed on it through regulation). However, most cloud customers will have to comply with multiple state laws (at the very least, the laws of the states where the customer’s organization resides, where the data center resides, and where its end clientele reside); any contractual requirements (between the cloud customer and its consumers, vendors, or service providers, such as, for example, Payment Card Industry Data Security Standard [PCI DSS]); and any federal regulations that govern that cloud customer’s industry. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 70

A. Malicious or inadvertent Explanation: Data loss can be the result of deliberate or accidental behavior. The other options are less correct than option A. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 215). Wiley. Kindle Edition.

Answer 71

B. Improper policy Explanation: Bad policy won’t explicitly lead to data loss, but it might hinder efforts to counter data loss. However, misplaced crypto keys can result in a self-imposed denial of service, bad backup procedures can result in failure to retain data (a form of data loss), and accidental overwrites occur all the time—hence the need for proper backups. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 216). Wiley. Kindle Edition.

Answer 72

D. All of the triad Explanation: All. Service traffic hijacking can affect all portions of the CIA triad. Through hijacking, an attacker could eavesdrop on legitimate communication (breaching confidentiality), insert inaccurate/incorrect data into legitimate communication (damaging integrity), and/or redirect legitimate users from valid services (making the legitimate sources unavailable). Although all of the answers are correct, option D is the most comprehensive and therefore the best answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 216). Wiley. Kindle Edition.

Answer 73

B. Sharing account credentials between users and services Explanation: Users sharing account credentials is a fairly common (although undesirable) practice and one that can lead to significant misuse of the organization’s resources and greatly increase risk to the organization. Although ending all user activity would make our IT environments so much more secure and defensible, it would also make them utterly useless from a productivity standpoint, so option A is incorrect. Option C is incorrect because the CSA recommends multifactor authentication as a means to reduce the risk of hijacking. Though not documented on the CSA’s website, the CSA most certainly does not recommend the prohibition of interstate commerce in order to diminish the likelihood of account/service traffic hijacking. Therefore, option D is an incorrect answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 216). Wiley. Kindle Edition.

Answer 74

C. Remote access Explanation: Cloud computing users are especially susceptible to hijacking attacks because all of their use is contingent on remote access; users in a traditional internal environment are not passing as much traffic over untrusted infrastructure (the Internet), and the type of traffic is often different (where identity credentials are passed only to servers/systems that are locally, physically connected to the user’s device). Scalability might be seen as an attribute of cloud computing that increases the potential for hijacking attacks because a proliferation of users means more attack surface. But even that aspect is contingent on the users accessing cloud resources remotely, so option C is still a better answer than A. The metered service nature of cloud computing has nothing to do with a hijacking threat; metered service indicates that the customer pays only for those resources users consume. Cloud customers pool resources might be of concern when considering hijacking attacks because poorly configured cloud environments could leave one cloud customer subject to attack by another tenant in that same environment. But, again, hijacking is predicated on attacking data in transit, so it is the remote access aspect that is the best answer for this question. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 216). Wiley. Kindle Edition.

Answer 75

A. Most of the cloud customer’s interaction with resources will be performed through APIs. Explanation: Because a significant percentage of cloud customer interactions with the cloud environment will utilize APIs, the threat of insecure APIs is of great concern in cloud computing. Option B is incorrect because APIs are not inherently insecure and it is unlikely that the CSA has stated that they are. Option C is incorrect because it is predicated on the inaccurate notion that all APIs are inherently insecure and that the vulnerabilities of all known APIs have been published. Lastly, option B is inaccurate because APIs are not known carcinogens. To be a carcinogen, the carcinogen needs to be a substance that causes cancer in living tissue. As far as we know, APIs do not cause cancer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 216). Wiley. Kindle Edition.

Answer 76

A. Cloud customers and third parties are continually enhancing and modifying APIs. Explanation: The continuous modification of APIs issued/designed by cloud providers introduces the potential for vulnerabilities to be created in interfaces that were previously thought to be vetted and secure. Increased complexity necessarily means increased potential for vulnerability. And third-party modifications may lead to user credentials being unknowingly exposed to those third parties. Automation is not inherently a source of threats/vulnerabilities, so option B is not correct. Options C and D are not true. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 77

B. Customers perform many high-value tasks via APIs. Explanation: APIs will be used for many tasks that could have a significant negative impact on the organization, so any vulnerabilities are of great concern. Not all API interaction involves administrative access, so option A is wrong. APIs may or may not be cursed. Secure code practices can be used to design robust APIs, so option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 78

C. Availability issues prevent productivity in the cloud. Explanation: If users can’t access the cloud provider, then the operational environment is, for all intents and purposes, useless. DoS attacks that affect availability of cloud services are therefore a great concern. A lot of attackers/criminals operate internationally; this has no bearing on whether an organization operates in the cloud or otherwise. Option A is incorrect. There are laws prohibiting DoS attacks, so option B is incorrect. The volume of DoS traffic necessary to disrupt modern cloud providers is rather significant, so these types of attacks are not simple. Option D is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 79

D. Distributed denial of service (DDoS) Explanation: Denial-of-service attacks staged from multiple machines against a specific target is the definition of a DDoS. All the other options are either fictitious or are not typically associated with the definition of DDoS. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 80

B. Multitenancy Explanation: In a managed cloud service context, one malicious cloud administrator could ostensibly victimize a great number of cloud customers, making the impact much greater than a sole insider in the legacy environment. The other options are not applicable to the insider threat. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 81

A. Scalability Explanation: Because users in cloud customer organizations often do not pay directly for cloud services (and are often not even aware of the cost of use), scalability can be a significant management concern; individuals, offices, or departments within the organization can create dozens or even hundreds of new virtual systems in a cloud environment, for whatever purpose they need or desire, and the cost is realized only by the department in the organization that is charged with paying the bill. This type of abuse hinges on the immense scalability of cloud services and is frequently not associated with any malicious intent but is instead an inadvertent result of well-intentioned or careless behavior. The other options are not applicable to the threat of abuse of cloud services. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 217). Wiley. Kindle Edition.

Answer 82

D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as the legacy environment Explanation: The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control. It is imperative that the cloud customer determine whether any application dependencies exist in the legacy environment before migrating to the cloud. Reviewing the contract between the cloud customer and provider is an essential element of due diligence. Determining the long-term financial viability of a cloud provider is a way to avoid losing production capability/data in the cloud. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 217-218). Wiley. Kindle Edition.

Answer 83

B. Vendor lockout Explanation: This is the definition of vendor lockout. Vendor lock-in is when data portability is limited, either through unfavorable contract language or technical limitations. Vendor incapacity and unscaled are not meaningful terms in the context of cloud computing. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 218). Wiley. Kindle Edition.

Answer 84

D. Hubs Explanation: A hub is a (mostly archaic) network device that simply connects physical machines together; it cannot serve the purpose of network segmentation. All the other options are segmentation methods/tools. Option C may be perceived as a viable answer because bridges connect network segments (allowing a segmented network, but not really creating segmentation), but option D is a better choice for this question. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 218). Wiley. Kindle Edition.

Answer 85

A. The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets. Knowing exactly where and what your assets are, from an IT security professional’s perspective, allows you to better apply uniform and ubiquitous governance and controls across the environment. Without these clear demarcations, that task becomes more difficult. Nothing is impossible; these tasks may become more challenging, but not impossible. So options B and C are incorrect. Option D is not true because lack of physical endpoints may actually reduce the threat of physical theft/damage.

Answer 86

A. Never Explanation: PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multitenant environment. All the other options are simply incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 218). Wiley. Kindle Edition.

Answer 87

B. Authorization creep/inheritance Explanation: Mass permissions assigned to multiple instances may be susceptible to inadvertent authorization creep and permission inheritance over time as users shift roles and responsibilities and are assigned to new tasks and teams and as new users come into the existing, fluid environment. All the other options are just wrong, with at least one nonsensical element in each. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 218). Wiley. Kindle Edition.

Answer 88

C. Organizational policies Explanation: Organizational policies dictate rules for access entitlement. International standards do not apply to every organization’s internal needs and individual user roles, so option A is incorrect. Not all organizations are bound by all (or any) federal regulations, but all organizations should have policies regarding user access rules, so option B is incorrect. Option D is a nod to Star Trek and also incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 218). Wiley. Kindle Edition.

Answer 89

A. Authentication Explanation: Authentication is verifying that the user is who they claim to be and assigning them an identity assertion (usually a user ID) based on that identity. Authorization is granting access based on permissions allocated to a particular user/valid identity assertion. Nonrepudiation is the security concept of not allowing a participant in a transaction to deny that they participated. Regression is a statistical concept not relevant to the question in any way. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 90

B. Authorization Explanation: This is the definition of authorization. Authentication is verifying that the user is who they claim to be and assigning them an identity assertion (usually a user ID) based on that identity. Nonrepudiation is the security concept of not allowing a participant in a transaction to deny that they participated. Regression is a statistical concept not relevant to the question in any way. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 91

B. Authentication-authorization-access Explanation: In access management, the user is first authenticated (their identity verified and validated as correct), then authorized (permissions granted based on their valid identity), and given access. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 92

B. They are often used for software development. Explanation: PaaS environments are attractive for software development because they allow testing of software on multiple operating systems that are administered by the cloud provider. Software developers routinely use backdoors as development and administrative tools in their products; these backdoors, if left in software when it ships, are significant vulnerabilities. All cloud environments, including PaaS, rely on virtualization, have multitenancy, and are scalable, so those options are not correct. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 93

C. Inadvertently or on purpose Explanation: Backdoors that were used legitimately during the development process can sometimes be left in a production version of the delivered software accidentally, when developers forget to remove them. Sometimes, these products ship with backdoors purposefully placed there for administrative and customer service functions as well. Option A is incorrect as backdoors are not a control. Option B is incorrect because backdoors don’t serve as DoS protection in any way. Option D is incorrect because backdoors are not distractions for attackers, but means for attack. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 94

C. SQL injection Explanation: This is an example of typical SQL injection. All the other options are also attacks listed in the Open Web Application Security Project (OWASP) Top Ten, but they do not have the characteristics as the one contained in the question. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 95

A. Cross-site scripting Explanation: This is the definition of a cross-site scripting attack. Options B and C are also attacks listed in the Open Web Application Security Project (OWASP) Top Ten. Option D is not in the Top Ten and is made up as a fictitious option. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 219). Wiley. Kindle Edition.

Answer 96

D. Security misconfiguration Explanation: D. This is likely a security misconfiguration, as crypto keys must not be disclosed or the cryptosystem does not provide protection; most successful attacks on cryptosystems have been configuration/implementation attacks, not mathematical or statistical. The other options are all also in the Open Web Application Security Project (OWASP) Top Ten. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 97

B. Virtual sprawl Explanation: In the cloud environment, it is very easy for a user to generate a new virtual instance; that is one of the advantages of the cloud. However, this can pose a problem for management, as users might generate many more instances than expected because the users don’t usually realize (or have to pay) the per-instance costs associated with doing so. However, the organization will have to pay the full price of many more instances at the end of each billing cycle, and exceeding the allotted amount dictated by the contract can be quite expensive. In the traditional environment, this would not pose a risk because the number of possible instances is limited by the resource capacity within the organization and additional instances don’t have attendant direct costs. All the other options are not cloud-specific risks; they also exist in the traditional environment. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 98

D. Type 2, because it has a greater attack surface Explanation: A Type 2 hypervisor is run on top of an existing operating system, greatly increasing the potential attack surface. Option A does not make logical sense; a Type 1 hypervisor is not more straightforward than other hypervisors. Option A is not the correct answer. Option B is not true. A Type 1 hypervisor has a smaller attack surface, not a larger one. Option C is not true in general. Type 2 hypervisors are not necessarily less protected than other hypervisors. Option C is not the correct answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 99

B. Amount of data uploaded/downloaded during a pay period Explanation: Option B is the only element that lends itself well to a discrete, objective metric; the other options might be something the customer is interested in but will often have little control over; if the customer is insistent on those points, they should be included in the contract, not the SLA. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 100

B. The financial penalty for not meeting service levels Explanation: Usually, when a provider does not meet the terms specific in the SLA, the provider will not be paid for a period of service; this is the strongest, most immediate tool at the customer’s disposal. The other options simply are not true. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 101

D. Reduced cost of administering the operating system (OS) in the cloud environment Explanation: In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 102

C. Events are anything that can occur in the IT environment, whereas incidents are unscheduled events. Explanation: This is the textbook definition of an incident versus event. However, this question is not easy, because many sources in the IT security field define incidents differently; it’s common to think of incidents as events that have an adverse impact, or incidents are something that require response. However, option C is the correct answer. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 103

D. None Explanation: Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 104

B. A testbed/sandbox Explanation: Cloud customers can test different hardware/software implementations in the cloud without affecting the production environment and use this information to make decisions before investing in particular solutions. Option A is not true because the cloud does not store physical assets. Option C is not accurate because production data in the cloud must still be secured. And option D is not true because cloud hosting is not free; there is some cost (even if that cost is less than it would be for comparable on-premises hosting). Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 220). Wiley. Kindle Edition.

Answer 105

D .American Institute of Certified Public Accountants (AICPA) Explanation: The American Institute of Certified Public Accountants publishes the SSAE 18 standard. NIST is a U.S. government entity that publishes many standards for federal agencies, so option A is incorrect. ENISA is a European Union (EU) standards body, so option B is incorrect. The GDPR is an EU law about privacy data, so option C is incorrect. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 221). Wiley. Kindle Edition.

Answer 106

D. System and Organization Controls (SOC) reports Explanation: SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the United States. SSL is a way to conduct secure online transactions. SABSA is an architecture framework. Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 221). Wiley. Kindle Edition.

Answer 107

C. Cloud Controls Matrix (CSA CCM) The SOC 1 audit report is not for security controls; it is for financial reporting controls. The AICPA SOC 2 Type 1 audit report reviews the controls an organization has selected and designed. Both the CAIQ and the CCM are tools created by the CSA to review an organization’s controls across several frameworks, regulations, and standards.

Answer 108

C. SOC 2 Type 2 Explanation: The SOC 2 Type 2 reviews the implementation of security controls. The SOC 1 reviews financial reporting controls, not security controls. The SOC 2 Type 1 reviews the design and selection of security controls, not implementation. The SOC 3 is only an attestation of an audit, so option C is better.

Answer 109

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy Explanation: Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data it owns. Due diligence is any activity taken in support or furtherance of due care. This answer, then, is optimum: the due care is set out by the policy, and activities that support the policy (here, auditing the controls the policy requires) are a demonstration of due diligence. The General Data Protection Regulation (GDPR) and GLBA are both legislative mandates; these might dictate a standard of due care, but they are not the due care or due diligence, specifically. Door locks and turnstiles are physical security controls; they both might be examples of due care efforts, but neither demonstrates due diligence. Due care and diligence can be demonstrated by either internal or external controls/ processes; there is no distinction to be made based on where the control is situated.

Answer 110

B. Distinguished name (DN) Explanation: The distinguished name (DN) is the nomenclature for all entries in an LDAP environment. A domain name is used to identify one or more IP addresses. For instance, Microsoft.com and google.com are domain names. Option A is incorrect. A directory name is typically associated with a file system structure and not something related to LDAP. Option C is incorrect. “Default Name” is not a common term, and is made up. Option D is not the correct answer.

Answer 111

B. Inversion Explanation: Inversion is not part of the IAM process at all and has no meaning in this context. All the other options are elements of identification.

Answer 112

C. It forces collusion for unauthorized access. Explanation: By creating a need for two identity assertions or authentication elements to access assets, two-person integrity prevents a single person from gaining unauthorized access and forces a would-be criminal to join up with at least one other person to conduct a crime. This reduces the possibility of the crime taking place. All the other options are simply untrue and are therefore exceedingly poor choices for answers to CCSP test questions.

Answer 113

D. Payment Card Industry Data Security Standard (PCI DSS) Explanation: The PCI DSS is a voluntary standard, having only contractual obligation. All the other options are statutes, created by lawmaking bodies.

Answer 114

C. Hybrid cloud deployment model Explanation: Because the cloud customer will retain ownership of some elements of hardware, software, or both at the customer’s location (for instance, security hardware modules [HSMs]), client-side key management could be considered a hybrid cloud model. Option A is incorrect because the scenario stated in the question does not identify a threat. Option B is incorrect because the scenario stated in the question does not identify a risk. Allowing the customer to retain their own encryption keys is actually less risky than sharing their encryption keys with the provider. Option D is incorrect because the provider does not have a right to the customer’s encryption keys, so, there cannot be an infringement on the provider’s rights.

Answer 115

C. Retaining control of governance Explanation: With a private cloud deployment, the customer gets to dictate governance requirements, which is a significant benefit for customers in highly regulated industries. Private clouds typically cost more than public cloud deployments, so option A is incorrect. Performance is not necessarily enhanced (or decreased) by any of the cloud deployment models, so option B is incorrect. Retaining a higher degree of control over the cloud environment will necessarily require the cloud customer to have more maintenance capability, not less, so option D is incorrect.

Answer 116

B. Hosted application management and software on demand Explanation: In SaaS, the cloud provider might license and deliver commercially available software for the customer, via the cloud (hosted application management), or provide the customer access to the provider’s proprietary software (software on demand). All the other options are incorrect. The options contain legitimate words put together to form gibberish.

Answer 117

D. Your organization Explanation: The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer. All the other options are incorrect because they do not correctly identify who is required to make data breach notifications in accordance with all applicable laws. That responsibility rests with the cloud customer.

Answer 118

D. Infrastructure as a service (IaaS), private Explanation: An IaaS service model allows an organization to retain the most control of their IT assets in the cloud; the cloud customer is responsible for the operating system, the applications, and the data in the cloud. The private cloud model allows the organization to retain the greatest degree of governance control in the cloud; all the other deployment models would necessitate giving up governance control in an environment with pooled resources.

Answer 119

C. Software as a service (SaaS), public Explanation: With SaaS, the cloud customer is responsible only for the data in the cloud; the cloud provider is responsible for the underlying IT infrastructure, the operating system, and the applications; maintenance for this service model will be minimal, compared to the others. A public cloud deployment will reduce costs even more, as it is the least expensive of the options—with the least amount of control for the cloud customer. All the other options would include some degree of administration of the cloud resources on the part of the cloud customer and so are not as optimal as option C.