Advertisement
opexxx

Certified Cloud Security Professional (CCSP) Practice Quiz

May 12th, 2016
846
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.03 KB | None | 0 0
  1.  
  2. ---------------------------------------------------------
  3. Date stamp: 12-05-2016
  4. Time stamp: 11-10-46
  5. http://www.gocertify.com/quizzes/isc2-quizzes/certified-cloud-security-professional-practice-quiz-1.html
  6.  
  7. Certified Cloud Security Professional (CCSP) Practice Quiz 1
  8.  
  9. Provided by Cloud Security Alliance and (ISC)²
  10.  
  11. Question 1 of 11
  12.  
  13. When using an Infrastructure as a Service solution, what is a key benefit provided to the customer?
  14.  
  15. The ability to scale up infrastructure services based on projected usage.
  16.  
  17. Cost of ownership is transferred.
  18.  
  19. Increased energy and cooling system efficiencies.
  20.  
  21. Usage is metered and priced on the basis of units consumed.
  22.  
  23. Correct!
  24. Explanation:
  25. Infrastructure as a Service has a number of key benefits for organizations, which include but are not limited to:
  26. • Usage is metered and priced on the basis of units (or instances) consumed. This can also be billed back to specific departments or functions.
  27. • The ability to scale up and down of infrastructure services based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within
  28.  
  29. the usage curve for infrastructure.
  30. • Reduced cost of ownership. There is no need to buy any assets for everyday use, no loss of asset value over time, and reduced costs of maintenance and support.
  31. • Reduced energy and cooling costs along with “Green IT” environment effect with optimum use of IT resources and systems.
  32. Question 2 of 11
  33.  
  34. What are the four cloud deployment models?
  35.  
  36. Public, Private, Hybrid and Community
  37.  
  38. Public, Internal, Hybrid and Community
  39.  
  40. External, Private, Hybrid and Community
  41.  
  42. Public, Private, Joint and Community
  43.  
  44. Correct!
  45. Explanation:
  46. According to the NIST Definition of Cloud Computing, the Cloud deployment models are:
  47. • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed,
  48.  
  49. and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
  50. • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission,
  51.  
  52. security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some
  53.  
  54. combination of them, and it may exist on or off premises.
  55. • Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government
  56.  
  57. organization, or some combination of them. It exists on the premises of the cloud provider.
  58. • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound
  59.  
  60. together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  61. Question 3 of 11
  62.  
  63. What are the six components that make up the STRIDE Threat Model?
  64.  
  65. Spoofing, Tampering, Non-Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege
  66.  
  67. Spoofing, Tampering, Repudiation, Information Disclosure, Distributed Denial of Service and Elevation of Privilege
  68.  
  69. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Social Engineering
  70.  
  71. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege
  72.  
  73. Correct.
  74. Explanation:
  75. In the STRIDE threat model, the following six threats are considered and controls used to address the threats:
  76. 1. Spoofing: Attacker assumes identity of subject.
  77. 2. Tampering: Data or messages are altered by an attacker.
  78. 3. Repudiation: Illegitimate denial of an event.
  79. 4. Information Disclosure: Information is obtained without authorization.
  80. 5. Denial of Service: Attacker overloads system to deny legitimate access.
  81. 6. Elevation of Privilege: Attacker gains a privilege level above what is permitted.
  82. Question 4 of 11
  83.  
  84. In a federated environment, who is the Relying Party, and what do they do?
  85.  
  86. The Relying Party is the Identity Provider and they would consume the tokens generated by the service provider.
  87.  
  88. The Relying Party is the service provider and they would consume the tokens generated by the customer.
  89.  
  90. --The Relying Party is the service provider and they would consume the tokens generated by the Identity Provider.
  91.  
  92. The Relying Party is the customer and they would consume the tokens generated by the Identity Provider.
  93.  
  94. Correct
  95. Explanation:
  96. In a federated environment, there will be an Identity Provider (IP) and a Relying Party (RP). The Identity Provider would hold all of the identities and generate a token for known
  97.  
  98. users. The Relying Party (RP) would be the service provider and would consume these tokens.
  99.  
  100. Question 5 of 11
  101.  
  102. Which of the following are data storage types used with a Platform as a Service solution?
  103.  
  104. Unstructured and Ephemeral
  105.  
  106. Raw and Block
  107.  
  108. Tabular and Object
  109.  
  110. Structured and Unstructured
  111.  
  112. Correct!
  113. Explanation:
  114. PaaS utilizes the following data storage types:
  115. • Structured – structured data refers to information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple,
  116.  
  117. straightforward search engine algorithms or other search operations.
  118. • Unstructured – usually refers to information that does not reside in a traditional row-column database. Unstructured data files often include text and multimedia content.
  119.  
  120. Examples include e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages and many other kinds of business documents. Note that while these
  121.  
  122. sorts of files may have an internal structure, they are still considered "unstructured" because the data they contain does not fit neatly in a database.
  123. Question 6 of 11
  124.  
  125. When using transparent encryption of a database, where does the encryption engine reside?
  126.  
  127. In a Key Management System
  128.  
  129. On the instance(s) attached to the volume
  130.  
  131. Within the database
  132.  
  133. At the application using the database
  134.  
  135. Correct!
  136. Explanation:
  137. For database encryption, the following options should be understood:
  138. • File level encryption: Database servers typically reside on volume storage. For this deployment, we are encrypting the volume or folder of the database, with the encryption
  139.  
  140. engine and keys residing on the instances attached to the volume. External file system encryption will protect from media theft, lost backups, and external attack but will not
  141.  
  142. protect against attacks with access to the application layer, the instances O/S, or the database itself.
  143. • Transparent encryption: Many database management systems contain the ability to encrypt the entire database or specific portions, such as tables. The encryption engine resides
  144.  
  145. within the DB, and it is transparent to the application. Keys usually reside within the instance although processing and management of them may also be offload to an external Key
  146.  
  147. Management System (KMS). This encryption can provide effective protection from media theft, backup system intrusions, and certain database and application-level attacks.
  148. • Application-level encryption: In application-level encryption, the encryption engine resides at the application that is utilizing the database. Application encryption can act as
  149.  
  150. a robust mechanism to protect against a wide range of threats, such as compromised administrative accounts along with other database and application-level attacks. Since the data
  151.  
  152. is encrypted before reaching the database, it is challenging to perform indexing, searches, and metadata collection. Encrypting at the application layer can be challenging, based
  153.  
  154. on the expertise requirements for cryptographic development and integration.
  155. Question 7 of 11
  156.  
  157. What is the Cloud Security Alliance Cloud Controls Matrix?
  158.  
  159. An inventory of Cloud Service security controls that are arranged into a hierarchy of security domains.
  160.  
  161. A set of regulatory requirements for Cloud Service Providers.
  162.  
  163. An inventory of Cloud Service security controls that are arranged into separate security domains.
  164.  
  165. A set of Software Development Life Cycle requirements for Cloud Service Providers.
  166.  
  167. Correct!
  168. Explanation:
  169. The Cloud Security Alliance Cloud Controls Matrix (CCM) is an essential and up to date security controls framework that is addressed to the cloud community and stakeholders. A
  170.  
  171. fundamental richness of the CCM is its ability to provide mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such
  172.  
  173. as the ISO 27001/27002, ISACA’s COBIT, and PCI-DSS.
  174. The CCM can be seen as an inventory of Cloud Service security controls, arranged in the following separate security domains:
  175. • Application & Interface Security
  176. • Audit Assurance & Compliance
  177. • Business Continuity Management & Operational Resilience
  178. • Change Control & Configuration Management
  179. • Data Security & Information Lifecycle Management
  180. • Datacenter Security
  181. • Encryption & Key Management
  182. • Governance and Risk Management
  183. • Human Resources
  184. • Identity & Access Management
  185. • Infrastructure & Virtualization Security
  186. • Interoperability & Portability
  187. • Mobile Security
  188. • Security Incident Management, E-Discovery & Cloud
  189. • Supply Chain Management, Transparency and Accountability
  190. • Threat and Vulnerability Management
  191. Question 8 of 11
  192.  
  193. Which of the following methods for the safe disposal of electronic records can ALWAYS be used within a cloud environment?
  194.  
  195. Encryption
  196.  
  197. Degaussing
  198.  
  199. Overwriting
  200.  
  201. Physical destruction
  202.  
  203. Correct!
  204. Explanation:
  205. In order to safely dispose of electronic records, the following options are available:
  206. • Physical destruction: Physically destroying the media by incineration, shredding, or other means.
  207. • Degaussing: Using strong magnets for scrambling data on magnetic media such as hard drive and tapes.
  208. • Overwriting: Writing random data over the actual data. The more times the overwriting process occurs, the more thorough the destruction of the data is considered to be.
  209. • Encryption: Using an encryption method to re-write the data in an encrypted format to make it unreadable without the encryption key.
  210. Crypto-shredding
  211. Since the first three options are not fully applicable to cloud computing, the only reasonable method remaining is encrypting the data. The process of encrypting the data in order
  212.  
  213. to dispose of it is called digital shredding or crypto-shredding. Crypto-shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data
  214.  
  215. originally. Since the data is encrypted with the keys, the result is that the data is rendered unreadable (at least until the encryption protocol used can be broken or is capable
  216.  
  217. of being brute-forced by an attacker). In order to perform proper crypto-shredding, consider the following:
  218. • The data should be encrypted completely without leaving any clear text remaining.
  219. • The technique must make sure that the encryption keys are totally unrecoverable. This can be hard to accomplish if an external cloud provider or other third party manages the
  220.  
  221. keys.
  222. Question 9 of 11
  223.  
  224. What is the key issue associated with the Object Storage type that the CSP has to be aware of?
  225.  
  226. Data consistency is achieved only after change propagation to all replica instances has taken place.
  227.  
  228. Data consistency is achieved only after change propagation to a specified percentage of replica instances has taken place.
  229.  
  230. Continuous Monitoring
  231.  
  232. Access Control
  233.  
  234. Correct!
  235. Explanation:
  236. The features you get in an object storage system are typically minimal. You can store, retrieve, copy, and delete files, as well as control which users can undertake these
  237.  
  238. actions. If you want the ability to search or to have a central repository of object metadata that other applications can draw on, you will generally have to implement it
  239.  
  240. yourself. Amazon S3 and other object storage systems provide REST APIs that allow programmers to work with the containers and objects. The key issue that the CSP has to be aware
  241.  
  242. of with object storage systems is that data consistency is achieved only eventually. Whenever you update a file, you may have to wait until the change is propagated to all of the
  243.  
  244. replicas before requests will return the latest version. This makes object storage unsuitable for data that changes frequently. However, it would provide a good solution for data
  245.  
  246. that does not change much, like backups, archives, video and audio files, and virtual machine images.
  247. Question 10 of 11
  248.  
  249. What does an audit scope statement provide to a cloud service customer or organization?
  250.  
  251. The required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and type of assessment being
  252.  
  253. performed.
  254.  
  255. A list of all of the security controls to be audited.
  256.  
  257. The outcome of the audit, as well as a listing of any findings that need to be addressed.
  258.  
  259. The credentials of the auditors, as well as the projected cost for the audit.
  260.  
  261. Correct!
  262. Explanation:
  263. An audit scope statement provides the required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and
  264.  
  265. type of assessment being performed. Typically, an audit scope statement would include:
  266. • General Statement of focus and objectives.
  267. • Scope of audit (including exclusions).
  268. • Type of audit (certification, attestation, etc.).
  269. • Security assessment requirements.
  270. • Assessment criteria (including ratings).
  271. • Acceptance criteria.
  272. • Deliverables.
  273. • Classification (Confidential, Highly Confidential, Secret, Top Secret, Public, etc.).
  274. The audit scope statement can also list the circulation list, along with key individuals associated with the audit.
  275. Question 11 of 11
  276.  
  277. Did you enjoy this quiz?
  278.  
  279. Yes
  280.  
  281. No
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement