Certified Cloud Security Professional (CCSP) Practice Quiz


---------------------------------------------------------
Date stamp: 12-05-2016
Time stamp: 11-10-46
http://www.gocertify.com/quizzes/isc2-quizzes/certified-cloud-security-professional-practice-quiz-1.html

Certified Cloud Security Professional (CCSP) Practice Quiz 1

Provided by Cloud Security Alliance and (ISC)²

Question 1 of 11

When using an Infrastructure as a Service solution, what is a key benefit provided to the customer?

The ability to scale up infrastructure services based on projected usage.

Cost of ownership is transferred.

Increased energy and cooling system efficiencies.

Usage is metered and priced on the basis of units consumed.

Correct!
Explanation:
Infrastructure as a Service has a number of key benefits for organizations, which include but are not limited to:
• Usage is metered and priced on the basis of units (or instances) consumed. This can also be billed back to specific departments or functions.
• The ability to scale up and down of infrastructure services based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within

the usage curve for infrastructure.
• Reduced cost of ownership. There is no need to buy any assets for everyday use, no loss of asset value over time, and reduced costs of maintenance and support.
• Reduced energy and cooling costs along with “Green IT” environment effect with optimum use of IT resources and systems.
Question 2 of 11

What are the four cloud deployment models?

Public, Private, Hybrid and Community

Public, Internal, Hybrid and Community

External, Private, Hybrid and Community

Public, Private, Joint and Community

Correct!
Explanation:
According to the NIST Definition of Cloud Computing, the Cloud deployment models are:
• Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed,

and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission,

security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some

combination of them, and it may exist on or off premises.
• Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government

organization, or some combination of them. It exists on the premises of the cloud provider.
• Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound

together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Question 3 of 11

What are the six components that make up the STRIDE Threat Model?

Spoofing, Tampering, Non-Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege

Spoofing, Tampering, Repudiation, Information Disclosure, Distributed Denial of Service and Elevation of Privilege

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Social Engineering

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege

Correct.
Explanation:
In the STRIDE threat model, the following six threats are considered and controls used to address the threats:
1. Spoofing: Attacker assumes identity of subject.
2. Tampering: Data or messages are altered by an attacker.
3. Repudiation: Illegitimate denial of an event.
4. Information Disclosure: Information is obtained without authorization.
5. Denial of Service: Attacker overloads system to deny legitimate access.
6. Elevation of Privilege: Attacker gains a privilege level above what is permitted.
Question 4 of 11

In a federated environment, who is the Relying Party, and what do they do?

The Relying Party is the Identity Provider and they would consume the tokens generated by the service provider.

The Relying Party is the service provider and they would consume the tokens generated by the customer.

--The Relying Party is the service provider and they would consume the tokens generated by the Identity Provider.

The Relying Party is the customer and they would consume the tokens generated by the Identity Provider.

Correct
Explanation:
In a federated environment, there will be an Identity Provider (IP) and a Relying Party (RP). The Identity Provider would hold all of the identities and generate a token for known

users. The Relying Party (RP) would be the service provider and would consume these tokens.

Question 5 of 11

Which of the following are data storage types used with a Platform as a Service solution?

Unstructured and Ephemeral

Raw and Block

Tabular and Object

Structured and Unstructured

Correct!
Explanation:
PaaS utilizes the following data storage types:
• Structured – structured data refers to information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple,

straightforward search engine algorithms or other search operations.
• Unstructured – usually refers to information that does not reside in a traditional row-column database. Unstructured data files often include text and multimedia content.

Examples include e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages and many other kinds of business documents. Note that while these

sorts of files may have an internal structure, they are still considered "unstructured" because the data they contain does not fit neatly in a database.
Question 6 of 11

When using transparent encryption of a database, where does the encryption engine reside?

In a Key Management System

On the instance(s) attached to the volume

Within the database

At the application using the database

Correct!
Explanation:
For database encryption, the following options should be understood:
• File level encryption: Database servers typically reside on volume storage. For this deployment, we are encrypting the volume or folder of the database, with the encryption

engine and keys residing on the instances attached to the volume. External file system encryption will protect from media theft, lost backups, and external attack but will not

protect against attacks with access to the application layer, the instances O/S, or the database itself.
• Transparent encryption: Many database management systems contain the ability to encrypt the entire database or specific portions, such as tables. The encryption engine resides

within the DB, and it is transparent to the application. Keys usually reside within the instance although processing and management of them may also be offload to an external Key

Management System (KMS). This encryption can provide effective protection from media theft, backup system intrusions, and certain database and application-level attacks.
• Application-level encryption: In application-level encryption, the encryption engine resides at the application that is utilizing the database. Application encryption can act as

a robust mechanism to protect against a wide range of threats, such as compromised administrative accounts along with other database and application-level attacks. Since the data

is encrypted before reaching the database, it is challenging to perform indexing, searches, and metadata collection. Encrypting at the application layer can be challenging, based

on the expertise requirements for cryptographic development and integration.
Question 7 of 11

What is the Cloud Security Alliance Cloud Controls Matrix?

An inventory of Cloud Service security controls that are arranged into a hierarchy of security domains.

A set of regulatory requirements for Cloud Service Providers.

An inventory of Cloud Service security controls that are arranged into separate security domains.

A set of Software Development Life Cycle requirements for Cloud Service Providers.

Correct!
Explanation:
The Cloud Security Alliance Cloud Controls Matrix (CCM) is an essential and up to date security controls framework that is addressed to the cloud community and stakeholders. A

fundamental richness of the CCM is its ability to provide mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such

as the ISO 27001/27002, ISACA’s COBIT, and PCI-DSS.
The CCM can be seen as an inventory of Cloud Service security controls, arranged in the following separate security domains:
• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management
• Datacenter Security
• Encryption & Key Management
• Governance and Risk Management
• Human Resources
• Identity & Access Management
• Infrastructure & Virtualization Security
• Interoperability & Portability
• Mobile Security
• Security Incident Management, E-Discovery & Cloud
• Supply Chain Management, Transparency and Accountability
• Threat and Vulnerability Management
Question 8 of 11

Which of the following methods for the safe disposal of electronic records can ALWAYS be used within a cloud environment?

Encryption

Degaussing

Overwriting

Physical destruction

Correct!
Explanation:
In order to safely dispose of electronic records, the following options are available:
• Physical destruction: Physically destroying the media by incineration, shredding, or other means.
• Degaussing: Using strong magnets for scrambling data on magnetic media such as hard drive and tapes.
• Overwriting: Writing random data over the actual data. The more times the overwriting process occurs, the more thorough the destruction of the data is considered to be.
• Encryption: Using an encryption method to re-write the data in an encrypted format to make it unreadable without the encryption key.
Crypto-shredding
Since the first three options are not fully applicable to cloud computing, the only reasonable method remaining is encrypting the data. The process of encrypting the data in order

to dispose of it is called digital shredding or crypto-shredding. Crypto-shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data

originally. Since the data is encrypted with the keys, the result is that the data is rendered unreadable (at least until the encryption protocol used can be broken or is capable

of being brute-forced by an attacker). In order to perform proper crypto-shredding, consider the following:
• The data should be encrypted completely without leaving any clear text remaining.
• The technique must make sure that the encryption keys are totally unrecoverable. This can be hard to accomplish if an external cloud provider or other third party manages the

keys.
Question 9 of 11

What is the key issue associated with the Object Storage type that the CSP has to be aware of?

Data consistency is achieved only after change propagation to all replica instances has taken place.

Data consistency is achieved only after change propagation to a specified percentage of replica instances has taken place.

Continuous Monitoring

Access Control

Correct!
Explanation:
The features you get in an object storage system are typically minimal. You can store, retrieve, copy, and delete files, as well as control which users can undertake these

actions. If you want the ability to search or to have a central repository of object metadata that other applications can draw on, you will generally have to implement it

yourself. Amazon S3 and other object storage systems provide REST APIs that allow programmers to work with the containers and objects. The key issue that the CSP has to be aware

of with object storage systems is that data consistency is achieved only eventually. Whenever you update a file, you may have to wait until the change is propagated to all of the

replicas before requests will return the latest version. This makes object storage unsuitable for data that changes frequently. However, it would provide a good solution for data

that does not change much, like backups, archives, video and audio files, and virtual machine images.
Question 10 of 11

What does an audit scope statement provide to a cloud service customer or organization?

The required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and type of assessment being

performed.

A list of all of the security controls to be audited.

The outcome of the audit, as well as a listing of any findings that need to be addressed.

The credentials of the auditors, as well as the projected cost for the audit.

Correct!
Explanation:
An audit scope statement provides the required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and

type of assessment being performed. Typically, an audit scope statement would include:
• General Statement of focus and objectives.
• Scope of audit (including exclusions).
• Type of audit (certification, attestation, etc.).
• Security assessment requirements.
• Assessment criteria (including ratings).
• Acceptance criteria.
• Deliverables.
• Classification (Confidential, Highly Confidential, Secret, Top Secret, Public, etc.).
The audit scope statement can also list the circulation list, along with key individuals associated with the audit.
Question 11 of 11

Did you enjoy this quiz?

Yes

No