CCSK Mock Exam V2.1
1. A key element of the "Store" phase of Data Security Lifecycle is:
A. Asset Management
B. Crypto-shredding (corresponds to Destroy)
C. Classify
D. Application Security
E. Rights Management
2. In incident response, which of the following cloud provider technology implementations can impede investigations?
A. Choice of firewall system
B. Security Information Event Management (SIEM) tools
C. Proprietary log formats
D. Encrypted customer data
E. Virtualization environment snapshots
3. What capabilities can a cloud provider deliver to support offline analysis of potential incidents?
A. Encrypted customer data
B. VPN capabilities
C. Defense in depth strategies
D. Snapshots of customer's entire virtual environment
E. Regular audits stipulated in service level agreement
4. An important consideration when performing a remote vulnerability test of a cloud-based application is to
A. Schedule vulnerability test at night
B. Obtain contractual permission for test
C. Use application layer testing tools exclusively
D. Use network layer testing tools exclusively
E. Use techniques to evade cloud provider's detection systems
5. What is the benefit of federation of identity in a Cloud environment?
A. Enabling allied enterprises to authenticate, provide single or reduced Sign-On (SSO)
B. Provides granular application entitlements
C. Simplifies the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud
D. Allows transmission of user information from a Policy Information Point (PIP) to a Policy Decision Point (PDP)
E. Enforces the policy decision at the Policy Enforcement Point (PEP)
6. Prominent recommended standards to enable federation of identity in cloud environments include
A. OpenID
B. Kerberos
C. SAML and WS-Federation
D. X.509
E. SSO
7. A key element of the "Create" phase of the Data Security Lifecycle is
A. Classify
B. Rights Management
C. Application Security
D. Encryption
E. Crypto-Shredding
8. A cloud deployment of two or more unique clouds is known as:
A. Infrastructure as a Service
B. A Community Cloud
C. A Hybrid Cloud
D. A Private Cloud
E. Jericho Cloud Cube Model
9. ENISA: because it is practically impossible to process data in encrypted form, customers should have the following expectation of cloud providers:
A. Provider should always manage customer encryption keys with hardware security module (HSM) storage
B. Provider should immediately notify customer whenever data is in plaintext form
C. Provider should be PCI compliant
D. Provider must be highly trustworthy and have compensating controls to protect customer data when it is in plaintext form
E. Homomorphic encryption should be implemented where necessary
10. How can key management be leveraged to prevent cloud providers from inappropriately accessing customer data?
A. Use strong multi-factor authentication
B. Segregate keys from the provider hosting data
C. Stipulate encryption in contract language
D. Secure backup processes for key management systems
E. Select cloud providers within the same country as customer
11. Which of the following is a consideration specific to the migration of virtual machine systems to new cloud providers?
A. Loss of hypervisor access
B. Use of industry accepted VM hardening guidelines
C. Understanding what tools are provided for secure data transfer
D. Traffic filtering on VM backplane or Enterprise Services Bus (ESB)
E. Identification of provider-specific extensions to virtual machine environment
12. How must performance monitoring of Providers and testing for vulnerabilities be handled in a client-provider relationship?
A. As long as the Provider does not suffer a breach, it does not have to provide customers with visibility into vulnerability scan results
B. Providers who obtain "clean" scan results in regular periodic testing enjoy a limited "Safe Harbor" from liability associated with a breach.
C. The cloud services provider must contractually supply results of periodic scan and vulnerability testing to the customer
D. The cloud services agreement must allow the cloud services client or designated third party to test for vulnerabilities in the system.
E. The customer must define acceptable levels of performance that providers must meet
14. ENISA: Which of the following is among the vulnerabilities contributing to a high risk ranking for Network Management?
A. User provisioning vulnerabilities
B. AAA vulnerabilities
C. Hypervisor vulnerabilities
D. Inadequate physical security procedures
E. System or O/S vulnerabilities
15. The key portability objective(s) for Infrastructure as a Service (IaaS) is/are
A. Preserving snapshots of virtual machine images
B. Migration of custom written applications and achieving a successful data migration
C. Achieving a successful data migration only
D. Migration of custom written applications only
E. Getting new cloud provider to absorb costs of transition
16. ENISA: Which is not one of the five key legal issues common across all scenarios?
A. Data protection
B. Globalization
C. Intellectual property
D. Professional negligence
E. Outsourcing services and changes in control
17. From a traditional security perspective, the increase in centralization of data creates concern for an increase in which risk?
A. Lack of compliance
B. Downtime
C. Account takeovers
D. Identity theft
E. Insider abuse
18. For cloud customers, a "Right to Audit" clause in the contract with your cloud provider
A. is an undue burden upon internal auditors
B. is a prerequisite for engaging with cloud providers
C. replaces cloud provider certification requirements
D. prevents a cloud provider from ignoring compliance requirements
E. should be obtained whenever possible
19. Which attack surfaces, if any, does virtualization technology introduce?
A. The hypervisor
B. Virtualization management components apart from the hypervisor
C. "Network" attacks that communicate between different VMs over a shared physical hardware backplane, rather than a network.
D. All of the above
20. ENISA: in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?
A. Internet Service Provider (ISP)
B. Cloud Provider
C. Customer
D. Shared responsibility
E. Data Commissioner
21. What is a key success factor to support application security in Infrastructure as a Service (IaaS) environments?
A. Limit use to private cloud delivery model
B. Use of structured data tables
C. Realtime antivirus shields
D. Use of SAML or OpenID
E. Trusted virtual machine images
22. Which of the following should be reviewed as part of the vendor selection process, when considering Providers?
A. Willingness to allow the customer or a third-party to audit the service.
B. For IaaS providers only, the Provider's inclusion of security into the software development lifecycle.
C. Compatibility of provider's customer support processes, procedures, tools and support hours with yours
D. A & C
E. Provider's approach to balancing damage control with evidence gathering after a data breach
23. In a client-provider relationship, who is responsible for which portions of data classification?
A. Client defines data classification; Provider enforces the client's requirements based on classification
B. Provider defines data classification; Client enforces the provider's requirements based on classification
C. Client and provider jointly define data classification policy; provider classifies data and enforces the client's requirements based on classification.
D. Customer defines data classification; provider encrypts data at rest and data in transit.
E. Provider enforces a "Default Deny All" policy for all but data owner and authorized personnel
24. ENISA: which is a potential security benefit of cloud computing?
A. More efficient and timely system updates
B. Provider can obfuscate system O/S and versions
C. Greater compatibility with customer IT infrastructure
D. ISO 27001 certification
E. Lock-In
25. Implementing security controls that satisfy regulatory requirements
A. are assured by SAS 70 Type II audits
B. are primarily a customer responsibility in IaaS environments
C. must be stated within the provider contract
D. are primarily a customer responsibility in SaaS environments
E. should be listed on the cloud provider roadmap
26. What should be the subject of an organization's risk analysis of a Cloud Service Provider?
A. Alignment of the provider's risk assessment strategy and processes with the user's
B. The vendor
C. The provider's ability to maintain current asset inventory and valuation information
D. Recent vulnerability assessments and penetration tests.
E. The overall service
27. When responding to subpoenas and other legal requests, the cloud service provider and customer should have
A. unified processes
B. identical access to customer on-premise logfiles
C. separate processes and procedures to avoid conflicts of interest
D. a protected VPN for exchanging legal documents
E. a single legal counsel representing both parties
28. If a customer has a mandate to use a specific cloud provider which is lacking in appropriate redundancy capabilities including failover, the customer may
A. Insist upon custom SLAs guaranteeing redundancy
B. Use a third party cloud brokering solution
C. Backup sensitive information to a separate cloud provider nightly
D. Use a load balancing device at the customer's network perimeter
E. Utilize cloud bursting
29. In the CSA Reference Model, what do we call the layer that differentiates Platform as a Service (PaaS) from Infrastructure as a Service (IaaS)?
A. Virtual machines
B. Abstraction
C. Multi-Tenancy
D. Routers
E. Integration & Middleware
30. True or False: With the common carrier model of service delivery, the service provider should normally have little or no access to or control over the customers' data or systems beyond the contracted level of management.
A. True
B. False
31. What best describes the tradeoff of Infrastructure as a Service as compared to other cloud deployments?
A. Lower initial cost and greater security features
B. Greater security features and less extensibility
C. Lower initial costs and greater long term costs
D. Less security features and greater extensibility
E. Greater initial costs and greater security features
32. Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?
A. Multi-tenancy
B. Measured service
C. Unlimited bandwidth
D. Nation-state boundaries
E. Hybrid clouds
33. ENISA: "VM hopping" is:
A. Instability in VM patch management causing VM routing errors
B. Improper management of VM instances, causing customer VMs to be commingled with other customer systems
C. Lack of vulnerability management standards
D. Using a compromised VM to exploit a hypervisor, used to take control of other VMs
E. Looping within virtualized routing systems
34. How can clients best address a provider's use of virtualization technologies in the client's business continuity plan?
A. Understand how VM images can be captured and ported to new providers if needed.
B. Ensure that the contract requires the Provider to achieve a specified business continuity objective.
C. Ensure that the contract requires the Provider to conduct a Business Continuity Plan (BCP) test at least annually.
D. Ensure that auditors and security assessors are familiar with Cloud and virtualization challenges
E. Prefer open to proprietary virtualization APIs for management, security, and interoperability
35. Which practices will minimize software modification when porting Platform as a Service (PaaS) solutions?
A. Use a common programming language throughout
B. Assure possibility of migration of backups, logs, metadata and test systems used by the provider
C. Quality assurance testing in the software development lifecycle
D. Develop an architecture with abstraction to minimize direct access to proprietary modules
E. Well documented service level agreements
36. The key concern of data backup and recovery schemes is
A. Data should not be commingled with other customers
B. Assurance that deleted data is in fact unrecoverable
C. Assurance that cloud provider has multiple data centers for disaster recovery
D. Data aggregation should not cause breaches
E. They must prevent data loss, unwanted data overwrite and destruction
37. ENISA: An Open Standard that simplifies IaaS virtual machine portability between providers is
A. SAML
B. OCCI
C. SAJACC
D. DMTF
E. OVF
38. ENISA: Licensing Risks refer to
A. Cloud provider may not have all appropriate government operating licenses
B. A traditional software licensing scheme may lead to high costs or lack of compliance in cloud systems
C. Risk that software company may go out of business, leading to expiration of licenses for mission critical software
D. Use of country-issued driver's licenses for user identification
E. Cloud provider employees not maintaining operating system license files
39. What are the six phases of the Data Security Lifecycle?
A. Create, Classify, Use, Store, Retain, Destroy
B. Create, Classify, Use, Store, Archive, Destroy
C. Create, Store, Use, Share, Archive, Destroy
D. Assign, Define, Create, Process, Store, Destroy
E. Assign, Define, Store, Process, Transmit, Destroy
40. ENISA: an underlying vulnerability related to Loss of Governance is
A. Lack of supplier redundancy
B. Unclear asset ownership
C. Hypervisor vulnerabilities
D. Lack of reputational isolation
E. Inadequate capacity planning
41. Amazon Web Services EC2 Security Groups are an example of which security principle?
A. Vetting of employees
B. Virtual Machine hardening
C. Patch management
D. Compartmentalization/Isolation
E. De-perimeterisation
42. When utilizing a public IaaS network, which of the following is a typical Vulnerability Assessment problem to overcome?
A. Tools like Nmap and Nessus are not compatible with public cloud configurations
B. Cloud provider may disallow or disrupt scanning activities
C. Customer cannot obtain physical access to scanning targets
D. Typical hypervisor configuration obfuscates O/S fingerprinting
E. Scanning activity must occur with SSL connections
43. The key concern of data location is:
A. Data should not be commingled with other customers
B. Data is stored only in geographic locations permitted by regulations
C. Data is located only on redundant storage subsystems with high MTBF (mean time between failures)
D. Assurance that all data requested by legal authorities has been retrieved
E. Assurance that prohibited locations cannot access the data
44. Which of the following is the best description of information risk management?
A. Assessing the risks to data at rest and data in motion
B. Aligning risk exposure to risk tolerance
C. Assessing and mitigating the gaps in information protection between vendor and user
D. A continuous process for managing the risks to information accuracy according to the risk appetite of the information owner.
E. A continuous process for managing the risks to information through due diligence, compliance and business enablement
45. Which of the following could be an area of plaintext exposure of data even when traditional data-in-transit, data-at-rest and data archive encryption is employed?
A. Backup tapes
B. Network traffic
C. SCP
D. Virtual machine swap files
E. RAID storage
46. The cloud consumer has more tactical responsibility for implementing and managing security controls in which cloud deployment model?
A. Software as a Service
B. Jericho Cloud Cube Model
C. Infrastructure as a Service
D. Security as a Service
E. Platform as a Service
47. Storage as a Service is considered a sub-offering of
A. Hadoop
B. Software as a Service
C. Security as a Service
D. Platform as a Service
E. Infrastructure as a Service
48. What is the most common form of virtualization?
A. Process virtual machine (VM) or application virtualization
B. Virtualized operating system
C. Emulation of the underlying raw hardware (native execution)
D. Presentation virtualization
E. Hypervisored or virtual machine virtualization
49. Cloud providers can minimize risks of insider abuse via which recommended best practice?
A. Compartmentalization of job duties
B. Onsite inspection of cloud provider facilities
C. Regularly tested disaster recovery plans
D. Well documented service level agreements
E. Minimizing use of third party providers
50. In an IaaS environment with limited security solutions preconfigured, how might one restrict administrative access, assuming SSH is used for system administrators?
A. Whitelist a source IP / network used by systems administrators for port 22
B. Require hard to guess passwords
C. Limit inbound connections from systems within the same IaaS provider
D. Whitelist a source IP / network used by systems administrators for port 443
E. Monitor syslog files daily
1. Why is it important to be able to restore
B
2. In order to validate the identity
b
3. If a customer has mandate
b
b
5. What of the following best
b
6. D
7. DENISA: which is not ident
a
b
9. The key concern of data backup
e
10. How can a customer best
a
11. What is resource pooling
a
12. D
13. A cloud deployment of two or
c
14. Why should customers understand
b