(ISC)² Certified Cloud Security Professional Exam 4 (CCSP) Practice (Aris Athanasiou)

Question 1

Which of the following organisations would have to comply with FERPA?

A. A financial institution
B. A educational agency
C. A public company
D. A hospital

Answer 1

B. A educational agency

Explanation:
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. Therefore, the educational agency would have to comply with it.

Question 2

Which of the following is not true about static application security testing (SAST)?

A. Can detect vulnerabilities like XSS and CSRF
B. Can analyse both source code as well as compiled binaries
C. Can be conducted as part of the continuous integration/continuous deployment pipeline
D. Can detect race conditions

Answer 2

D. Can detect race conditions

Explanation:
Static application security testing can not detect race conditions. We typically employ dynamic security testing techniques to identify race conditions. All the other statements are true.

Question 3

What does “production” refer to in the context of digital forensics?

A. The temporary suspension of the organizations data retention policy due to legal
B. The process for generating the data requested in the warrant
C. The presentation of the requested data to the court
D. The environment that data needs to be collected from

Answer 3

C. The presentation of the requested data to the court

Explanation:
In the context of digital forensics “production” refers to the presentation of the requested data to the court or the requesting party.

Question 4

Which mathematical problem does RSA rely on?

A. Finding the discrete logatirhm of a random elliptic curve element with respect to a publicly known base point
B. Discrete logarithm problem (DLP)
C. Factorization of the product of two large prime numbers
D. Traveling salesman problems (TSP)

Answer 4

C. Factorization of the product of two large prime numbers

Explanation:
RSA relies on the factorization of the product of two large prime numbers. Diffie–Hellman, and ElGamal rely on the discrete logarithm problem.

Question 5

Which of the following is not a feature of an API gateway?

A. Policy Enforcement
B. Rate-Limiting
C. Metrics
D. Malware Analysis

Answer 5

D. Malware Analysis

Explanation:
Malware analysis is not a typical feature of an API gateway, the rest of the capabilities are typical features of these products.

Question 6

A large enterprise recently defined, implemented, and fully tested their Business Continuity (BC)/Disaster Recovery (DR) procedures. The newly-appointed CIO has decided that the organisation needs a large number of the existing workloads to the cloud. Which of the following models would allow the organisation to replicate their existing (BC/DR) strategy, minimising rework?

A. BCaaS
B. PaaS
C. IaaS
D. SaaS

Answer 6

C. IaaS

Explanation:
Infrastructure-as-a-Service (IaaS) would allow the enterprise to replicate more of their existing (BC/DR) to the cloud environment compare to PaaS or SaaS.

Question 7

A user attempts to log in to a customer relationship management (CRM) application offered as a SaaS. As the first step, the user is prompted to type in his username. Which of the following best describe the above?

A. Identity Verification
B. Authorization
C. Identification
D. Authentication

Answer 7

C. Identification

Explanation:
Identification occurs when a user (or any subject) claims an identity. By submitting their username, the users claim to be the identity/persona associated with that name.

Authentication is the process of proving your identity and it occurs when subjects provide appropriate credentials to prove their identity.

Once a user is identified and authenticated, they can be granted authorization based on their proven identity.

Identity Verification is the process that typically is performed once, during the creation of the persona/identity, and ties the physical person to the digital identity. This typically involves the physical person presenting their passport or some other proof of identity.

Question 8

Which OSI layer does a web application firewall (WAF) operate?

A. 3
B. 4
C. 7
D. 1

Answer 8

C. 7

Explanation:
Web application firewall (WAF) operate at the OSI Layer 7. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection.

Question 9

Which of the following media sanitisation techniques would provide the most assurance in a cloud environment?

A. Multiple passes with 0s and 1s
B. Crypto-shredding
C. Physical destruction of media mandated by the SLA/contract
D. Overwriting

Answer 9

C. Physical destruction of media mandated by the SLA/contract

Explanation:
The physical destruction of media is always the most effective way of minimising the chances of data remanence. This would be quite challenging in a cloud environment given the multitenancy aspects of it. However, if it is mandated from the SLA or the contract between the cloud provider and the customer, the CSP would have to destroy the media.

Question 10

Which of the following best describes paravirtualization?

A. Running multiple type 2 hpervisors on the same host machine
B. A method for the hypervisor to offer interfaces to the guest OS that can use instead of the normal hardware interfaces
C. Running multiple Type 1 hypervisors on the same host machine
D. Paravirtualization is another term for container virtualization

Answer 10

B. A method for the hypervisor to offer interfaces to the guest OS that can use instead of the normal hardware interfaces

Explanation:
The definition for paravirtualization is a virtualization technique that presents a software interface to virtual machines which is similar, yet not identical to the underlying hardware interface.

Question 11

Which CSA STAR certification framework level involves the CSP submitting a completed Consensus Assessments Initiative Questionnaire (CAIQ)?

A. Level Two
B. Level Four
C. Level Three
D. Level One

Answer 11

D. Level One

Explanation:
Level one of the CSA STAR requires that the cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM).

Question 12

Which of the following controls can both increase and decrease the risk for an organisation at the same time?

A. Hash customer password before storing them
B. Close down unnecessary ports on the Internet facing firewall
C. Store cryptographic keys outside the cloud service provider
D. Remove services which are not required from baseline images

Answer 12

C. Store cryptographic keys outside the cloud service provider

Explanation:
Storing cryptographic keys outside the cloud service provider can reduce risks such as an attacker gaining access to both the encrypted data and the respective keys, insider threat from the cloud service personnel, etc.

At the same time, it can create new risks for the organisation such as unavailability of the data when connectivity between the cloud service provider and the keys storage service is lost, keys might have to be transferred between the cloud provider and the key storage provider from time to time which increases the chances of a key being compromised, etc.

Question 13

Several countries and unions have developed their own privacy standards. Which country enacted PIPEDA?

A. Canada
B. Japan
C. Argentina
D. USA

Answer 13

A. Canada

Explanation:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada.

Question 14

Which aspect of information security is ensured from encryption?

A. Integrity
B. Confidentiality
C. Resiliency
D. Availability

Answer 14

B. Confidentiality

Explanation:
Encryption can protect the confidentiality of data. Although encryption can also provide integrity (through Message Authentication Codes), confidentiality is the most common use-case and therefore the best answer out of the four.

Question 15

What is the difference between SOC Type 1 and Type 2 reports?

A. Type 1 is intended for external stakeholders, type is 2 intended for internal stakeholders
B. Type 1 focuses on the operating effectiveness of the controls, type is 2 presents the auditors opinion regarding the accuracy of managements description of the system
C. Type 1 is intended for internal stakeholders, type 2 is intended for external stakeholders
D. Type 1 presents the auditors opinion regarding the accuracy of managements description of the system, type 2 focuses on the operating effectiveness of the controls

Answer 15

D. Type 1 presents the auditors opinion regarding the accuracy of managements description of the system, type 2 focuses on the operating effectiveness of the controls

Explanation:
The main difference between SOC Type 1 and 2 is that the first is an attestation of controls at a specific point in time, whereas the latter is an attestation of controls over a minimum six-month period focusing on their effectiveness.

Question 16

Which of the following HTTP status codes is associated with client-side errors?

A. 2XX
B. 5XX
C. 3XX
D. 4XX

Answer 16

D. 4XX

Explanation:
HTTP 4xx codes denote client-side errors, some of the code include

400 Bad Request

401 Unauthorized

402 Payment Required

403 Forbidden

404 Not Found

405 Method Not Allowed

Full list of HTTP codes can be found here

Question 17

In cloud environments, automated configuration is usually achieved by consuming a set of APIs provided by the CSP. What does API stand for?

A. Application Programming Interface
B. Applied Programming Infrastructure
C. Applied Programmatic Infrastructure
D. Application Programmatic Interface

Answer 17

A. Application Programming Interface

Explanation:
API stands for Application Programming Interface

Question 18

What does cloud reversibility refer to?

A. The ability to reverse a misconfiguration and roll back to a well known state
B. The ability for an organization to retrieve and delete its data stored in a cloud service provider
C. The ability for an organization to transfer its data stored in a cloud service to a different cloud service provider
D. The ability to trace the source of an attack and unleash a hack-back

Answer 18

B. The ability for an organization to retrieve and delete its data stored in a cloud service provider

Explanation:
The definition of reversibility is the ability of an organisation to retrieve and delete its data stored in a cloud service provider.

Question 19

Which of the following actions is not part of defining the objectives of an audit?

A. Define frequency and tools to be used
B. Refine processes from lessons learned
C. Define the audit output format
D. Define number of auditors involved

Answer 19

B. Refine processes from lessons learned

Explanation:
Refine processes from lessons learned happens after the audit has been completed and is not part of defining the objectives of an audit.

Question 20

A large system integrator (SI) decided to start offering more services around cloud computing. Their business model is purchasing cloud services in bulk and then offering those services to their own customers with a 10% markup over the original price. Which of the following describes the SI?

A. Cloud integrator
B. Cloud Access Broker
C. Cloud computing reseller
D. Cloud operator

Answer 20

C. Cloud computing reseller

Explanation:
This is a typical example of a cloud computing reseller.

Question 21

Which of the following actions does NOT take place during an SSL/TLS handshake?

A. Verifying the validity of a certificate
B. Usage of public key cryptography
C. Establishing a symmetric key
D. Symmetrically encrypting data

Answer 21

D. Symmetrically encrypting data

Explanation:
The SSL/TLS handshake is the process of establishing the symmetric encryption key. The symmetric encryption of data does not start until the handshake is complete

Question 22

The “Trust Services Principles and Criteria” include security, availability, processing integrity, confidentiality, and privacy. Which institute has developed the above framework?

A. National Institute of Standards and Technology (NIST)
B. Internal Organization for Standardization (ISO)

D. Cloud Security Alliance

Answer 22

C. American Institute of Certified Public Accounts (AICPA)

Explanation:
The “Trust Services Principles and Criteria” have been developed from the American Institute of Certified Public Accountants (AICPA).

Question 23

Which of the following term describes a set of cloud computing services optimised for use in a particular industry?

A. Vertical Cloud
B. Elastic Cloud
C. Horizontal Cloud
D. Tailored Cloud

Answer 23

A. Vertical Cloud

Explanation:
A vertical cloud, or vertical cloud computing, is the phrase used to describe the optimization of cloud computing and cloud services for a particular vertical (e.g., a specific industry) or specific application use.

Question 24

The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. What is a Security Target (ST) as described in ISO/IEC 15408?

A. How thoroughly the product is tested on a sliding scale from one to seven, with oine being the lowest-level evaluation and seven being the highest
B. A standard set of security requirements for a specific type of product, such as firewall, IDS, or unified threat management (UTM)
C. An overview, provided by the vendor, of the product and products security features, an evaluation of potential security threats, and the vendors self-assessment detailing how the product conforms to the relevant protection profile
D. The vendor product to be examined against a specific profile by a third-party evaluation lab using a common evaluation methodology (CEM)

Answer 24

C. An overview, provided by the vendor, of the product and products security features, an evaluation of potential security threats, and the vendors self-assessment detailing how the product conforms to the relevant protection profile

Explanation:
The Security Target is a complete and rigorous description of a security problem in terms of target description, threats, assumptions, security objectives, security functional requirements, security assurance requirements, and rationales.

Question 25

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Which of the following metadata is not required to be shared among partners who federate using SAML? A. Cryptographic Keys B. Token Schema C. Protocol Endpoints D. Entity ID

Answer 25

B. Token Schema Explanation: The token schema does not have to be shared between partners federating via SAML, the schema of the token is mandated from the SAML standard. You can find the SAML schema here.

Question 26

Which of the following is more likely to happen first in an application's SDLC? A. Dynamic Application Security Testing (DAST) B. Synthetic Performance Monitoring C. Real-user monitoring (RUM) D. Static Application Security Testing (SAST)

Answer 26

D. Static Application Security Testing (SAST) Explanation: Static application security testing (SAST) would typically take place first in a software's lifecycle. Dynamic application security testing (DAST) would follow, and finally, Synthetic performance monitoring and Real-user monitoring (RUM) would happen last.

Question 27

Which of the following is not considered an internal threat for a cloud service provider (CSP)? A. A cloud service provider developer B. A cloud service provider ex-employee C. A cloud service provider administrator D. A cloud customer employee

Answer 27

D. A cloud customer employee Explanation: A cloud customer employee is not considered an internal threat to a cloud service provider. They could potentially be a threat to the customer.

Question 28

The new head of development of a medium-sized organisation is looking for best practices and guidelines around securing applications with a web interface. Which of the following would the most useful source of information? A. AICPA GAPP B. OWASP C. CSA CCM D. ISO/IEC 27022

Answer 28

B. OWASP Explanation: The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Question 29

What is the correct order for the following control types in the timeline of a security incident? A. Directive, Preventative, Detective, Compensating, Corrective, Recovery B. Directive, Preventative, Compensating, Detective, Corrective, Recovery C. Directive, Preventative, Compensating, Corrective, Detective, Recovery D. Preventative, Directive, Compensating, Detective, Corrective, Recovery

Answer 29

B. Directive, Preventative, Compensating, Detective, Corrective, Recovery Explanation: According to the CCSP CBK, the correct order for the following control types relative to the timeline of an incident timeline is: Directive, Preventative, Compensating, Detective, Corrective, Recovery

Question 30

Which of the following statements is false regarding Uptime Institute’s Data Center Site Infrastructure Tier 3? A. Redundant capacity components B. Twelve hours of on-site fuel storage C. All IT equipment is dual-powered D. Multiple distribution paths simultaneously servicing the critical environment

Answer 30

D. Multiple distribution paths simultaneously servicing the critical environment Explanation: An Uptime Institute’s Tier 3 data center does not provide multiple distribution paths simultaneously serving the critical environment. This is a feature of an Uptime Institute’s Tier 4 data center.

Question 31

A desirable feature in a cloud environment is DRS. What does the DRS stand for? A. Distributed Resource Selection B. Distributed Resource Scheduling C. Dynamic Resource Scheduling D. Dynamic Resource State

Answer 31

B. Distributed Resource Scheduling Explanation: DRS stands for Distributed Resource Scheduling.

Question 32

Which of the following is not created by the Cloud Security Alliance (CSA)? A. Consensus Assessments Initiative Questionnaire (CIAQ) B. Security, Trust and Assurance Registry (STAR) C. Cloud Control Matrix D. Control Objectives for Information and Related Technologies (COBIT)

Answer 32

D. Control Objectives for Information and Related Technologies (COBIT) Explanation: Control Objectives for Information and Related Technologies (COBIT) is created by ISACA and not CSA. COBIT is a framework for IT governance and management. You can find more about COBIT here.

Question 33

Which of the following has user training as a primary means of combating and mitigating its success against a cloud application according to OWASP? A. Malicious Insiders B. Data Breach C. Account Hijacking D. Advanced Persistent Threats

Answer 33

D. Advanced Persistent Threats Explanation: According to the OWASP Top 10, user training is effective in mitigating advanced persistent threats.

Question 34

Which CSA Star certification framework level requires the CSP to undergo an audit from an independent third party for compliance with ISO/IEC 27001 or AICPA SOC2 and publish the results? A. Level 2 B. Level 4 C. Level 1 D. Level 3

Answer 34

A. Level 2 Explanation: The CSA STAR Level 2 requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO/IEC27001 or AICPA SOC2. You can read more about CSA STAR here.

Question 35

Which of the following is not a typical phase in the process of digital forensics? A. Analysis B. Collection C. Reporting D. Ratification

Answer 35

D. Ratification Explanation: The process for performing digital forensics includes the following phases: Collection, Examination, Analysis, and Reporting Ratification is not one of the phases.

Question 36

The Generally Accepted Privacy Principles (GAPP) is a framework that can help an organisation creating an effective privacy program. The 10 main privacy principle groups are management, notice, choice and consent, collection, user retention and disposal, access, disclosure, security for privacy, quality and monitoring, and enforcement. Which of the following groups developed GAPP? A. Internal Organization for Standardization (ISO) B. National Institute of Standards and Technology (NIST) C. American Institute of Certified Public Accounts (AIPCA) D. Cloud Security Alliance (CSA)

Answer 36

C. American Institute of Certified Public Accounts (AIPCA) Explanation: The Generally Accepted Privacy Principles (GAPP) was developed from the American Institute of Certified Public Accountants (AICPA).

Question 37

An organisation based in Palo Alto, CA wants to ensure they protect their new HQ office which costs $1,000,000. By looking at statistics the CIO has determined that CA is impacted by approximately 2 earthquakes a year. By running earthquake simulation software the company determined that an earthquake would destroy about 25% of the building. In the above scenario, what is the annualised loss expectancy (ALE)? A. $1,000,000 B. $5,000,000 C. $250,000 D. $500,000

Answer 37

D. $500,000 Explanation: The annualised loss expectancy can be computed as the single loss expectancy (SLE) multiplied by the occurrences of the event in the span of a year. In the above scenario, the SLE is $250,000, and given that there are typically 2 earthquakes per year the ALE is $250,000 * 2 = $500,000

Question 38

An LDAP administrator has configured a directory server to store passwords using the SHA-2 hash function. The minimum password length is 6 and the salt consists of 32 bits. If the directory contains 50 accounts and their passwords. How many unique salt values (are likely to) exist? A. 512 B. 2^8 C. 2^6 D. 50

Answer 38

D. 50 Explanation: A salt of 32 bits can produce 2^32=4,294,967,296 unique salt combinations. Given that the directory contains only 50 accounts, the chances are that these will be unique. You can read more about salting passwords here.

Question 39

Which type of risks are addressed in ISO 28000? A. Supply Chain B. Key Management C. Privacy in Cloud Environments D. Virtualization-related Risks

Answer 39

A. Supply Chain Explanation: ISO 28000 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain.

Question 40

Which of the following hypervisor types could be built into the computer's firmware? A. Type 2 B. Type 1 C. Sandbox D. Container Virtualization

Answer 40

B. Type 1 Explanation: Type 1 hypervisors are usually built into the computer's firmware and are also known as “bare metal” hypervisors. Type 2 hypervisors run on a host operating system to provide virtualization services.

Question 41

Which of the following control domains is not included in CSA's Cloud Controls Matrix (CCM)? A. Released Control B. Change Control C. Datacenter Security D. Human Resources

Answer 41

A. Released Control Explanation: Release control is not included in CSA's CCM.

Question 42

What does double-blind penetration testing refer to? A. The penetration testing team is not restricted any automated vulnerability scanning and exploit tools, the CIO has not been informed in advance about the attack B. The penetration testing team is provided with very limited information on the system, the incident response team of the organization is not informed in advance about the attack C. The penetration testing team is provided with very limited information on the system, the incident response team of the organization is not informed in advance about the attack D. The penetration testing team is restricted from using any automated vulnerability scanning and exploit tools, the incident response team of the organization has turned off all technical security controls except logging

Answer 42

C. The penetration testing team is provided with very limited information on the system, the incident response team of the organization is not informed in advance about the attack Explanation: During a double-blind penetration testing exercise, the testing team is provided with very limited information on the system, while the security operations team of the organisation is not informed in advance about the testing.

Question 43

Who is the most suitable to periodically review the access of an employee to a cloud system? A. The employees manager B. The employee C. The cloud provider D. The Security Officer

Answer 43

A. The employees manager Explanation: The employee's managers understand the day-to-day job of their delegates and what access they require. Therefore they are in the best position to review the access of their subordinates.

Question 44

An EU-based IT services provider recently decided to build a public cloud offering. They quickly attracted several clients which migrated workloads to the cloud and started storing customer data in both volume and object storage. After 6 months of operation, a disgruntled cloud service provider employee deleted all the customer data uploaded from the cloud service consumers. The data lost included both financial and health records. Who is accountable for the lost records? A. Cloud Service Provider B. The cloud service consumer C. The health and financial regulators D. The rogue employee

Answer 44

B. The cloud service consumer Explanation: The cloud service consumer is always accountable and responsible for the security of the data. The accountability sits always with the data owner and can not be delegated.

Question 45

Which of the following is not a typical Disaster Recovery (DR) testing approach? A. Auto-failover test B. Checklist review C. Tabletop exercise D. Parallel Test

Answer 45

A. Auto-failover test Explanation: Auto-failover test is not a valid Disaster Recovery (DR) testing approach, the rest of the options are all valid approaches.

Question 46

Which of the following does proper law refer to? A. Set out reliefs for persons suffering harm because of the wrongful acts of others B. Protect intellectual property C. Determine the jurisdiction when a conflict of law occurs D. Protect shareholders from accounting errors

Answer 46

C. Determine the jurisdiction when a conflict of law occurs Explanation: When the jurisdiction is in dispute, one or more state laws will be relevant to the decision-making process. If there are substantive differences between the laws, the choice of which law to apply will produce a different judgment. Each state, therefore, produces a set of rules to guide the choice of law, and one of the most significant rules is that the law to be applied in any given situation will be the proper law.

Question 47

Which of the cloud service models provides the most balanced responsibility between the CSP and the customer? A. IaaS B. SaaS C. IDaaS D. PaaS

Answer 47

D. PaaS Explanation: Platform as a Service (PaaS) is the most balanced model in terms of the shared responsibility between the cloud customer and provider. In IaaS most of the responsibility is with the customer while in SaaS most of the responsibility is with the provider. It worths reminding that the customer is always responsible and accountable for data security in all models.

Question 48

The newly appointed CIO of a large retailer is considering migrating workloads to a medium-size cloud service provider. The CIO has concerns about the provider since they only recently started offering cloud services and they don’t have an established presence in the market. Which of the following cloud characteristics should be a top priority for the CIO? A. Portability B. Broad Network Access C. Interoperability D. Elasticity

Answer 48

A. Portability Explanation: In the above scenario, and given that the cloud services provider is not mature, the most important cloud characteristic would be portability. This would allow the customer to easily migrate to another CSP if needed.

Question 49

What is the term for an event that has the potential to have an adverse effect on an organisation? A. Vulnerability B. Impact C. Malicious Actor D. Threat

Answer 49

D. Threat Explanation: That is a definition of a threat.

Question 50

Software developed by a company is considered a very valuable asset. Which of the following is typically used to protect it? A. Watermark B. Trade secret C. Trademark D. Copyright

Answer 50

D. Copyright Explanation: Software copyright is used by Software Developers and proprietary software companies to prevent the unauthorized copying of their software. Free and open-source licenses also rely on copyright law to enforce their terms.