Certified Cloud Security Professional (CCSP) Quiz Questions and Answers

Answer :
  • Disciplined coding practices and processes

Explanation :

Most of the items on the Top Ten could be attenuated with strong coding practices and by adhering to strict internal management processes (on the part of the organization involved in development). A good number of the items on the 2013 list, such as injection, cross-site scripting, insecure direct object references, security misconfiguration, missing function level access control, using components with known vulnerabilities, and unvalidated redirects and forwards, can all be addressed by basic development practices, such as bounds checking/input validation, code validation/verification protocols, and informed oversight of the project. Strangely, option A is not correct in this case. While social engineering is perhaps the aspect of information security that is least understood (by users) and most easy to exploit, as well as the attack tactic most likely to succeed, and social engineering training could probably reduce the greatest number of overall security threats in our field today, this specific question is all about application security, and the element of social engineering is negligible. Option C is not correct because source code testing is only one aspect of code review and would not address as many items on the Top Ten as option B. Option D is not correct for much the same reason option A is incorrect; this question is specifically about application security, and the physical protection element is very minor.
Answer :
  • Remote access

Explanation :

Cloud computing users are especially susceptible to hijacking attacks because all of their use is contingent upon remote access; users in a legacy, internal environment are not passing as much traffic over untrusted infrastructure (the Internet), and the type of traffic is often different (where identity credentials are passed only to servers/systems that are locally, physically connected to the user’s device). Scalability might be seen as an attribute of cloud computing that increases the potential for hijacking attacks because a proliferation of users means more attack surface, but even that aspect is contingent upon the users accessing cloud resources remotely, so option C is still a better answer than A. The metered service nature of cloud computing has nothing to do with a hijacking threat; metered service only indicates that the customer pays only for those resources users consume. The fact that cloud customers pool resources might be of concern when considering hijacking attacks because poorly configured cloud environments could leave one cloud customer subject to attack by another tenant in that same environment, but, again, hijacking is predicated on attacking data in transit, so it is the remote access aspect that is the best answer for this question.
Answer :
  • Getting signed user agreements from all users

Explanation :

This is a tricky question. In the cloud environment, we know that all users will be entering the environment through remote access; in many cases, this will include the use of their personal devices. In order for DLP solutions to function properly, all devices accessing the production environment must have local DLP agents installed, and that requires signed user agreements. It would be unnecessary (and intrusive, and cumbersome) to install DLP agents on all assets in the cloud data center, which includes not only your organization’s assets but also those of all the other cloud tenants in that data center. This might even be illegal. Option B is incorrect. Assuming you could install (or even know) all the routers between your users and the cloud data center is ridiculous; option C is incorrect. Getting your customer to install a DLP client would be nice, in theory…but also pointless. Your customers don’t work for you; they are outside your organization. DLP tools are used to prevent sensitive data from leaving your environment; by the time it has reached a customer, sensitive information is far outside your control and DLP would be of no use. Option D is incorrect.
Answer :
  • The particular vulnerabilities only exist in a context not being used by developers.

Explanation :

This is not an easy question and requires an understanding of how component libraries are used in software design. Option B makes the most sense; some vulnerabilities are known to only exist when a component is used in a specific way or with specific services; if the programmers are not including that way of using the component or the risky service, then the vulnerability would not pose a threat to the software they are creating and may therefore be acceptable. Option A is not correct because an underwriter would be unlikely to cover a claim resulting solely from negligence; using a component with a known vulnerability and putting the product/user at risk knowingly would probably invalidate any insurance policy. Option C might conceivably be considered correct in a fashion; different countries have different legislation/regulations, and a vulnerability that could cause noncompliance in one country might not in another. However, this is a rather tortured reading of the question, requiring some convoluted reasoning, and this option is therefore not the best answer. Option D is not correct because a hidden vulnerability, by definition, is not a known vulnerability.
Answer :
  • Security controls and countermeasures

Explanation :

Every security process, tool, and behavior entails a related cost, both financially and operationally. While a “base price” cloud service might appear extremely affordable compared to the legacy environment, add-ons such as encryption, DRM, SIM/SEM/SIEM, and IDS/IPS may all come with additional cost and may attenuate performance, thus reducing the cost savings compared to the cost of operations prior to migration. This is extremely important for the organization to consider before migration, especially if the organization functions in a highly regulated industry. Option A is nonsensical and is used only as a distractor. Option C is wrong because it should be the opposite of the actual case: Losing ownership of the IT assets, and paying only for the use of those assets, should lead directly to a savings over the legacy costs, if compared on a seat-to-seat basis. Option D should not be true; the cost of connecting users to the Internet should not be significantly greater whether the organization operates in the cloud or with an on-premises data center—if the cost is considerably greater, the organization should never have migrated in the first place.
Answer :
  • Data owners

Explanation :

The data owner is responsible for the disposition of the data under their control; this includes access decisions. The cloud provider is not typically the data owner; option A is incorrect. Ostensibly, senior management is the data owner (the organization, as a whole, is the legal owner of the data, and the senior managers are the legal representatives of the organization). However, in practice, this responsibility can be (and usually is) delegated down to a manageable level, where the titular data owner for a given data set understands it best and can provide sufficiently granular control of that data set. This is rarely senior management and is more likely department heads, branch managers, or some other form of middle management. Option C is preferable to B. System administrators will usually be the literal granters of access, insofar as admins will modify access control systems that allow or disallow access for specific individuals or roles. However, the sysadmin does not make the decision of who is granted access and instead responds to direction from data owners (middle management); again, C is preferable to D.
Answer :
  • SOC 3

Explanation :

The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s. The SOC 1 report only provides information about financial reporting mechanisms of the target. This information may be of little use to the IT security professional and won’t help you choose a cloud vendor, so option A is incorrect. The SOC 2, Type 1 report only describes IT security controls designed by the target but not how effectively those controls function. While of some interest to the IT security professional, it is more comprehensive and detailed than a SOC 3 report, so it would take more time; option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, it is very detailed and comprehensive and wouldn’t be a speedy tool to narrow the field. Option C is incorrect.
Answer :
  • Multitenancy

Explanation :

Of these four options, multitenancy poses the greatest risk to software developers in the cloud motif, because developers need to be concerned with two things: protecting their intellectual property (the software they’re making) and protecting resource calls their software makes to the underlying infrastructure (which, if detectable by other cloud customers, could provide information that constitutes a side-channel attack). Metered service doesn’t pose much of a security risk. The SLA might include some security aspects (such as response time), but it’s usually more of a performance-ensuring tool, and this choice is not as good as option A. Remote access, in this particular case, provides more benefit than risk: Alice can utilize work from developers located across the country or across the planet. While she does have to consider the risks inherent in all remote access, those risks are not as significant as the risks due to multitenancy, so answer A is still preferable.
Answer :
  • Privacy data security policy; auditing the controls dictated by the privacy data security policy

Explanation :

Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data it owns. Due diligence is any activity taken in support or furtherance of due care. This answer, then, is the optimal one: The due care is set out by the policy, and activities that support the policy (here, auditing the controls the policy requires) are a demonstration of due diligence. The Data Directive and GLBA are both legislative mandates; these might dictate a standard of due care, but they are not the due care or due diligence, specifically. Door locks and turnstiles are physical security controls; they both might be examples of due care efforts, but neither demonstrates due diligence. Due care and diligence can be demonstrated by either internal or external controls/processes; there is no distinction to be made based on where the control is situated.
Answer :
  • SOC 1

Explanation :

The SOC 1 report only provides information about financial reporting mechanisms of the target. While this information may be of little use to the IT security professional, it may be of great use to potential investors, if for nothing other than providing some assurance that reporting is valid and believable. The SOC 2, Type 1 report only describes IT security controls designed by the target but not how effectively those controls function. While of some interest to the IT security professional, this is of little interest to the investor, so option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, this is of little interest to the investor, so option C is incorrect. The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect.