CCSK QB
Which of the following WAN virtualization technologies is used to create networks which span multiple
base networks?
The ability of a cloud services datacenter and its associated components, including servers, storage
and so on, to continue operating in the event of a disruption, which may be equipment failure, power
outage or a natural disaster, is known as:
Resiliency
Which is the set of technologies that are designed to detect conditions indicative of a security
vulnerability in an application in its running state?
Ans: DAST
-----------------------------------------------------------------Data---------------------------------------------------------
Ans: The natural or legal person, public authority, agency, or any other body which alone or jointly with
others determines the purposes and means of the processing of personal data.
To help model data handling and controls for data security what can be used?
Which of the following functions maps to all the phases of Data security life cycle?
Read / Access
Who is responsible for the safe custody, transport, data storage and implementation of business rules
in relation to the privacy?
Data Custodian
-----------------------------------------------------------------General---------------------------------------------------------
REST APIs are the standard for web-based services because they run over HTTPS and work well across
diverse environments.
True
What is the process to determine any weaknesses in the application and the potential ingress, egress,
and actors involved before the weakness is introduced to production?
Threat Modeling
Logical design of data center might be affected by which of the following topics?
• Virtualization technology
• Multi tenancy
The "authentication" component of identity, entitlement and access management (IdEA) is best
defined by which of the following:
To address application security in a Cloud computing environment how should an SDLC be modified?
Network logs from cloud providers are typically flow records, not full packet captures
True
Which of the following statements regarding service administrator accounts is not true?
Service administrator’s accounts are more suited for common daily use.
Service administrator’s help compartmentalize individual sessions.
Service administrator accounts can expose the entire deployment.
Service administrator’s accounts manage parts of the service.
By which of the following can scoping and review tasks be sped up?
Consider the given statement: Information Lifecycle Management is a mature field that maps well to
the needs of security professionals. State whether correct or incorrect?
Ans: Incorrect
For protecting and managing data in a cloud, select the key control factor from the following:
Cloud computing requires stronger collaboration between lawyers and technology professionals?
Ans: Correct
Is accepting the risk of an entire cloud provider going down often a legitimate option?
Correct
Why must particular attention be paid to BC/DR routines involving multiple jurisdictions?
Select the validity of the following statement: "The incident response processes should be updated
for serverless computing."
Statement is Correct
Code execution environments that run within an operating system, sharing and leveraging resources
of that operating system are called?
Container
When a File is split into fragments and all of the fragments are sent to multiple physical storage
repositories.
Which cloud services feature refers to the unilateral provision of computing capability as needed by the
consumer?
On-demand self-service
Identify the encryption method used if object storage is used in an application's back-end?
Client / Application encryption
Only 1 and 2
Which cloud deployment model consists of 2 or more cloud services which are unique entities but are
bound together by standardized or proprietary technology for data and application portability?
Hybrid Cloud
Which of the following statements regarding SDN (Software Defined Networking) is not CORRECT?
INCORRECT
Which of the following refers to a model that allows customers to closely match resource
consumption with demand?
Rapid elasticity
A framework of containers for all components of application security, best practices, catalogued and
leveraged by the organization, is called:
ONF
Which of the following vulnerabilities is inherited from general software development practice in a PaaS
environment?
Backdoors
In order to determine the critical assets and processes of the organization, it must first conduct a:
Containers can be implemented without the use of VMs at all and run directly on hardware?
Correct
Which of the following leverages virtual network topologies to run more, smaller, and more isolated
networks without incurring additional hardware costs that historically make such models prohibitive?
Microsegmentation
In the IaaS hosted environment, who is ultimately responsible for platform security?
Customer
Cloud architectures necessitate certain roles which are extremely high-risk. Examples of such roles
include CP system administrators and auditors and managed security service providers dealing with
intrusion detection reports and incident response.
They are known as high-risk because their malicious activities can lead to abuse of high privilege roles
and can impact the confidentiality, integrity and availability of data.
Incorrect
Cloud customers can do a vulnerability assessment of their whole infrastructure on the cloud just like they
conduct a vulnerability assessment of their traditional infrastructure.
Incorrect
Which of the following is correct about Due Care & Due Diligence?
Due diligence is the act of investigating and understanding the risks a company faces, whereas due care
is the development and implementation of policies and procedures to aid in protecting the company, its
assets and its people from threats.
Interoperability is the ability that enables the migration of cloud services from one cloud provider to
another or between public cloud and a private cloud.
Incorrect
Which are the two major categories of network virtualization commonly seen in cloud computing
today?
When virtual machines may communicate with each other over a hardware backplane, rather than a
network, it gives rise to a:
Blind spot
What is it called when you lose control of the amount of content on your image store?
Sprawl
What is a type of computing comparable to grid computing that relies on sharing computing resources
rather than having local servers or personal devices to handle applications?
Cloud Computing
The most pragmatic option for data disposal in the cloud is which of the following?
Crypto shredding
Ben was working on a project and hosted all its data on a public cloud. The project is now complete
and he wants to remove the data. Which of the following is the best option for him in order to leave no
remanence?
Cryptographic erasure
Which of the following is NOT a component of Software Defined Perimeter as defined by Cloud
Security Alliance working group on SDP?
SDP Client
The basis for deciding which laws are most appropriate in a situation where conflicting laws exist
is referred to as:
SAAS
Who manages Web Consoles, which are an important component of the Management Plane?
The Cloud Service Provider is responsible for Platform Security in the Platform as a Service (PaaS) model
Incorrect
Under the new EU data protection rules, data destruction and corruption of personal data:
Which of the following is a key consideration in Data security but does not feature in Data Security Life
cycle?
• Storage protocol
• Access Method
• Storage Location
• Storage Device
Metastructure
Which of the following is a key tool for enabling and enforcing separation and isolation in
multitenancy?
Management Plane (Metastructure)
Who is responsible for the safe custody, transport, data storage, and implementation of business rules
in relation to the privacy?
Data custodian
Metrics which govern the contractual obligations of a cloud service are found in?
The intermediary that provides connectivity and transport of cloud services between the CSPs and the
cloud service consumers is called:
Cloud Carrier
Which of the following documents defines the roles and responsibilities for risk management between
a cloud provider and a cloud customer?
Contract
Which of the following helps to intermediate IAM between an organization's existing identity providers
and the many different cloud services used by the organization?
What is the characteristic that allows the cloud provider to meet various demands from customers
while remaining financially viable?
Resource pooling
Cloud service providers leverage which of the following to manage costs and enable capabilities?
On-demand self-service
Broad network access
Economies of scale
Measured service
Resource Pooling
The relationship between the shareholders (and other stakeholders) of the organization versus the
Senior Management of the organization is governed by:
Corporate Governance
Which document defines the minimum levels of service, availability, security, controls, processes,
communication & support?
Deploying
Multi-tenancy and shared resources are defining characteristics of cloud computing. However, the
mechanisms separating storage, memory and routing may fail for several reasons. What risk are we
talking about?
Isolation Failure
The nature of contracts with cloud providers will often preclude things like on-premises audits. What
options does the customer have in this situation?
Which of the following is a form of a compliance inheritance in which all or some of the cloud
provider's infrastructure and services undergo an audit to a compliance standard?
Which of the following can the cloud provider implement to mitigate the credential compromise or
theft?
Anomaly detection
A company administrator determines that the best approach to dealing with any sudden increases in
network traffic is to create an auto-scaling group that will create an unlimited number of web servers
to meet increased demand.
The administrator has created an economic denial of service scenario if there is ever a denial of service
attack against the company.
Which of the following is not considered a vulnerability associated with the risk of loss of business
reputation due to co-tenant activities?
Object Storage
What should always be done to protect against possible management interface compromise where an
attacker gains access to your cloud environment (select the best answer)?
Which of the following is a key area of control for the cloud provider network architecture?
DDoS
Alice wants to update, but not replace, a file via a REST API. What method should Alice use?
PATCH
Which of the following defines the ease with which application components are moved and reused
elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data,
or APIs?
Portability
Select two attributes that a virtual appliance should have in a cloud environment.
Before beginning a vulnerability assessment (VA) of one of your running instances, what should be
done first?
Determine whether a provider allows customers to perform a VA and if any advance notice is required.
Why must the provider encrypt hard drives at the physical layer?
Which of the following is the number one security priority for a cloud service provider?
Nathan is trying to troubleshoot an issue with a packet capture tool on a running instance. He notices
clear-text FTP usernames and passwords in the captured network traffic that is intended for another
tenant's machine. What should Nathan do?
• This is normal behavior in a cloud. He should contact the other tenant and advise them that
using clear-text credentials in a cloud is a bad idea.
• Nathan should contact the other tenant and submit his finding for a bug bounty.
• This is not possible because FTP is prohibited in a cloud environment.
• He should contact the provider and advise them that he will be canceling his use of their cloud
services because the provider has failed to isolate the network.
• You can compartmentalize application stacks in their own isolated virtual networks, which
increases security.
• An entire virtual network can be managed from a single management plane.
• Network filtering in a physical network is easier.
• All of these are true.
• The provider uses direct storage with a bunch of hard drives attached to a server.
• The provider uses a storage area network.
• The provider uses a NAS
• The provider builds the storage pool however they want.
• The master account credentials should be retrieved and used to perform an investigation of
the metastructure to ensure that the attacker is no longer in the management plane.
• Every account should be logged off and their passwords reset
• Every server should be terminated.
• Snapshots of every instance should be performed using APIs
• Perform a snapshot.
• Log on to the server instance and disable all user accounts.
• "Pause" the instance if the vendor allows such action.
• Change the virtual firewall rule set to allow access only from an investigator workstation.
Annually
Which phase does proactive scanning and network monitoring, vulnerability assessments, and
performing risk assessments fall under?
• Preparation
• Detection
• Containment, eradication, and recovery
• Post-incident
What is (are) the most important aspect(s) of incident response in a cloud environment?
What is a role?
• A role is a part of federation. It is how your group membership within your company is granted
entitlements in your IaaS provider.
• A role is the job you perform at work.
• A role is a temporary credential that is inherited by a system within a cloud environment.
• All of these are correct
Which of the following phases of data security lifecycle typically occurs nearly simultaneously with
creation?
• Save
• Store
Which of the following is NOT one of the vulnerabilities that can lead to the risk of "abuse of high
privilege roles" or "cloud provider malicious insider"?
When creating business strategies for cloud migration, which is the most important aspect?
Incorrect
Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is
completely responsible for it.
False
• Data disclosure
• Mandatory Breach Reporting
• Cloud Service Provider Consent
• E-discovery
Where does the encryption engine and key reside when doing file-level encryption?
-----------------------------------------------------------------ENISA---------------------------------------------------------
Which of the following is not one of the categories of risks as defined in the ENISA (European Network
and Information Security Agency) document on security risks and recommendations?
ENISA: Lock-in is ranked as a high risk in ENISA research. A key underlying vulnerability causing lock-in
is:
ENISA: Which of the following is not one of the five key legal issues common across all scenarios?
Global Proliferation
Which of the following could be considered a malicious insider as per ENISA Top Security Risks?
Provider's auditor (ENISA document lists provider employees and contractors as potential malicious
insiders)
-----------------------------------------------------------------Container---------------------------------------------------------
Which of the given options is not applicable to the compute abstraction types?
State whether it is correct or incorrect that containers provide security isolation.
Ans: Incorrect
Which of the following statements is accurate when discussing the differences between a container
and a virtual machine?
• A virtual machine can be moved to and from any cloud service provider, while a container is tied
to a specific provider.
• A container contains the application and required dependencies (such as libraries). A virtual
machine contains the operating system, application, and any dependencies.
• Containers remove the dependency of a specific kernel. Virtual machines can run on any
platform.
• All of these are accurate statements.
Which of the following components in a container environment require access control and strong
authentication?
• Container runtime
• Orchestration and scheduling system
• Image repository
• All of these
-----------------------------------------------------------------BCP/DR---------------------------------------------------------
Which term is used to describe the use of tools to selectively degrade portions of the cloud to
continuously test business continuity?
Chaos Engineering
Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is
completely responsible for it.
INCORRECT
What layers of the logical stack should be considered as part of BCP / DR?
• Infostructure
• Metastructure
• Infrastructure
All layers of the logical model
Which of the following needs to be part of business continuity planning by the customer?
• Determining how the IaaS provider will fix any availability issues in your application
• Using contracts to ensure that DR does not result in a different jurisdiction being used to store
and process data
• Determining how to guarantee availability in the DR region by discussing your DR plans with
the vendor
• Implementing chaos engineering
Which of the following introduces the most complexity when considering a multicloud approach to
BCP/DR:
• Applistructure
• Metastructure
• Infrastructure
• Infostructure
What is the key difference between Business Continuity and Business Continuity Management?
Business Continuity is the capability of the organization whereas Business Continuity Management is the
holistic process.
-----------------------------------------------------------------SDN---------------------------------------------------------
Which of the following is/are the accurate statement(s) about the differences between SDN and
VLAN?
• SDN isolates traffic, which can help with micro segmentation. VLANs segment network nodes
into broadcast domains.
• VLANs have roughly 65,000 IDs, while SDN has more than 16 million.
• SDN separates the control plane from the hardware device and allows for applications to
communicate with the control plane.
• All of these are accurate statements.
• By using northbound APIs that allow software to drive actions at the control layer
• By using southbound APIs that allow software to drive actions at the control layer
• By removing the control plane from the underlying networking appliance and placing it in the
SDN controller
• SDN is a decentralized model
Which of the following decouples the network control plane from the data plane and allows networking
to be abstracted from the traditional limitations of a LAN?
-----------------------------------------------------------------Structure---------------------------------------------------------
According to Cloud Security Alliance logical model of cloud computing, which of the following defines
the protocols and mechanisms that provide the interface between the infrastructure layer and the
other layers:
Metastructure
Which plane is used by consumers to launch virtual machines or configure virtual networks?
Management Plane
According to the CSA Security Guidance, there are four layers in the Logical Model for Cloud Computing.
Which of the following is not one of the layers as defined by the Cloud Security Alliance?
Ans: Softstructure
When it comes to securing the management plane, how are access identification, authentication, and
authorization implemented?
If an attacker gets into your management plane, they have full remote access to your entire cloud
environment.
True
Data and information, such as the content in a database or file storage, are part of which layer of the Logical
Model?
Infostructure
Who manages the web console which is one of the ways the management plane is delivered?
Cloud Provider
What level of privileges should be assigned to a user account with access to the metastructure?
When you're using immutable servers, how should administrative access to the applistructure be
granted to make changes to running instances?
Administrative access should be limited to the operations team. This is in support of the standard
separation of duties approach to security.
Administrative access should be limited to the development team. This is in support of the new
approach to software development, where the developers own the applications they build.
Administrative access should be restricted for everyone. Any changes made at the applistructure level
should be made to the image, and a new
Which of the following adds an abstraction layer on top of networking hardware and decouples the network
control plane from the data plane?
• VLANs
• Virtual Private Networks
• Converged Networks
• Software Defined Networks
Which layer is the most important to secure because it is considered to be the foundation for
secure cloud operations?
Infrastructure
Which of the following controls and configures the metastructure, and is also part of the
metastructure itself?
• Management Plane
• API Gateway
• Web Application Firewall
• Network Firewall
• Risk Assessment
• Risk Determination
• Risk Management
• Risk Mitigation
Which of the following are the communication methods for components within a cloud, some of which (or
an entirely different set) are exposed to cloud users to manage their resources and configurations:
• Data Identifiers
• Application Programming Interfaces (API)
Which of the following is NOT one of the common networks underlying Cloud Infrastructure?
• Service Network
• Management Network
• Security Network
Which of the following is an exploit in which the attacker runs code on a VM that allows an operating
system running within it to break out and interact directly with the hypervisor:
• VM rootkit
• VM Escape
• VM DOS
• VM HBR
• Data manipulation
• Data disclosure
• Resource Exhaustion
In a cloud scenario, who is the data processor and who is the data controller?
• Cloud Service Provider is the data controller and its customer is the data processor
• Neither cloud service provider nor customer is data processor or data controller.
• Cloud Service Provider is the data processor and its customer is the data controller
In cloud services, risks and responsibilities are shared between the cloud provider and the customer;
however, which of the following holds true?
• Cloud provider has ultimate legal liability for unauthorized and illicit data disclosures
• Cloud Customer has ultimate legal liability for unauthorized and illicit data disclosures
• Cloud Customer liability is limited to financial responsibility
• Cloud Provider liability is limited to financial responsibility
Ensuring that the use of data and information complies with organizational policies, standards and strategy,
including regulatory, contractual, and business objectives, is known as:
• IT Governance
• Enterprise Governance
• Corporate Governance
• Data Governance
Which of the following will not be provided by cloud services when requested by the customer?
Which is the primary tool used to manage identity and access management of resources spread across
hundreds of different clouds and resources?
• SAML 2.0
• Entitlement Matrix
• Federation
• Active Directory
-----------------------------------------------------------------Governance---------------------------------------------------------
When deploying Security as a Service in a highly regulated industry or environment, what should both
parties agree on in advance and include in the SLA?
The metrics defining the service level required to achieve regulatory objectives.
-----------------------------------------------------------------Audits-----------------------------------------------------------------
Attestations and certifications are activities that will be valid at any future point in time and providers
must keep any published results readily available for quick reference.
INCORRECT
Which is the key mechanism used by organizations that supports, assures and demonstrates
compliance?
Audits
ANF and ONF are referred to in which of the following ISO standards?
Which standard offers guidelines for information security controls applicable to the provision and use
of cloud services?
ISO 27018
Which of the following establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect Personally Identifiable Information (PII) in accordance with the
privacy principles in ISO/IEC 29100 for the public cloud computing environment?
ISO 27018
Which of the following is true about the pass-through audit which is a form of compliance
inheritance?
Which of the following is a form of compliance inheritance in which the cloud service provider takes
responsibility for the costs and maintenance of certifications for its infrastructure or services?
Pass-through Audit
Standards like the SSAE 16 have a defined scope, which includes both what is assessed (e.g. which of
the provider's services) as well as which controls are assessed. A provider can thus "pass" an audit
that doesn't include any security controls, which isn’t overly useful for security and risk managers.
Correct
Which of the following is an assurance program and documentation registry for cloud provider
assessments?
• Cloud Service Provider's infrastructure is out of scope in the customer's compliance audit
• Cloud Service Provider's infrastructure should be included in the customer's compliance audit
• Everything the customer configures and builds on top of the certified services is out of scope of
Customer Compliance Audit program
• There is no need for compliance audit by customer since the Cloud Service Provider is already
compliant.
-----------------------------------------------------------------CCM-----------------------------------------------------------------
Which of the following is NOT true about CSA Cloud control matrix (CCM)?
ISO 27001 certification can be taken as proof of achieving the third-party assessment level in the CSA STAR
program?
Correct
CCM: in the CCM tool, "Encryption and Key Management" is an example of which of the following?
Domain
CCM: A hypothetical company called: "Health4Sure" is located in the United States and provides cloud
based services for tracking patient health. The company is compliant with HIPAA/HITECH Act among
other industry standards. Health4Sure decides to assess the overall security of their cloud service
against the CCM toolkit so that they will be able to present this document to potential clients.
Which of the following approaches would be most suitable to assess the overall security posture of
Health4Sure's cloud service?
The CCM domains are not mapped to the HIPAA/HITECH Act. Therefore, Health4Sure should assess the
security posture of their cloud service against each and every control in the CCM. This approach will
allow a thorough assessment of the security posture.
Which of the following tools lists cloud security controls and maps them to multiple security and
compliance standards?
What can be used to determine what actors are allowed to do and what they're not allowed to do?
Entitlements
The following list of controls belongs to which domain of the CCM?
• GRM 04 - Management Program
• GRM 05 - Support / Involvement
• GRM 06 - Policy
• GRM 07 - Policy Enforcement
CCM: The following list of controls belongs to which domain of the CCM?
• GRM 06 - Policy
• GRM 07 - Policy Enforcement
• GRM 08 - Policy Impact on Risk Assessments
• GRM 09 - Policy Reviews
• GRM 10 - Risk Assessments
• GRM 11 - Risk Management Framework
• Third-party attestation
• Self-assessment
• Continuous-monitoring program
• Technology Audit program
Which of the following is an assurance program and documentation registry for cloud provider
assessments?
CSA Star
The Cloud Security Alliance STAR Registry is used for which of the following purposes?
CCM: The CCM provides an anchor-point and common language for balanced measurement of security
and compliance postures.
With CCM all supply chain parties can speak the same language?
True
Which of the following tools provide a standard template for cloud providers to document their
security and compliance controls?
Which of the following statements about CSA's CCM and Security Guidance is not true?
• CSA's CCM provides a set of controls and maps them to multiple security and compliance standards.
• CSA's CCM tells you WHAT to do. CSA's Security Guidance tells you HOW to do it.
• CSA's Security Guidance provides a set of best practices and recommendations.
• CSA's Security Guidance tells you WHAT to do. The CCM tells you HOW to do it.