ISC2 CCSP Exam Questions

Page 3 of 50

41.

Which cloud service role negotiates relationships between cloud customers and cloud providers?

  • Cloud service broker

  • Cloud auditor

  • Cloud service partner

  • Cloud service user

Correct answer: Cloud service broker

The cloud service broker is responsible for negotiating relationships between the customer and the provider. They would be considered independent of both.

A cloud service partner is defined in ISO/IEC 17788 as a party that is engaged in support of, or auxiliary to, either the cloud service customer or the cloud service provider.

The cloud auditor is defined in ISO/IEC 17788 as a partner that audits the provision and use of cloud services.

The cloud auditors and cloud service broker would be considered cloud service partners. The partner is a more generic role.

The cloud service user is defined in ISO/IEC 17788 as a natural person associated with the cloud service customer.

42.

The management team of a large retailer is working with Dasha and the information security team to prepare for major incidents. They are aware that it is possible for their online e-commerce systems to be offline at the wrong time of the year, so they are planning for a variety of incidents. To prepare properly, it is necessary to classify the incidents that could occur. 

What are the critical elements that determine the classification?

  • If they are anticipating malware, it is necessary to consider the financial impact on their business, which is determined by the time of the day and year. This is further impacted by the system(s) that are affected. 

  • If they are anticipating that a bad actor could gain access to their system, they must take into consideration the legal impact it could have.

  • If they are anticipating that an event could have an impact on their business, it is critical to consider what time of the day the event could occur.

  • If they are anticipating that a power outage could occur that would have an impact, it is necessary to take into consideration the time of the day it could occur.

Correct answer: If they are anticipating malware, it is necessary to consider the financial impact on their business, which is determined by the time of the day and year. This is further impacted by the system(s) that are affected.

There are many factors that can impact how bad an incident could be for a business. The impact of the event and the urgency it needs to be treated with are critical aspects. The correct answer identifies those two elements. The impact is financial and the urgency is the day of the year and the time that certain systems would be offline.

The answer "If they are anticipating that a bad actor could gain access to their system, they must take into consideration the legal impact it could have" identifies the type of incident (the bad actor gaining access) and the impact (legal), but it does not identify any level of urgency.

The answer "If they are anticipating that an event could have an impact on their business, it is critical to consider what time of the day the event could occur" identifies the urgency through the time of day, but it does not get to any level of impact, as neither the affected systems nor the type of impact is considered.

The answer "If they are anticipating that a power outage could occur that would have an impact, it is necessary to take into consideration the time of the day it could occur" identifies the incident type and time of day, but it does not get to the systems or the impact it would have. 

43.

Which of the following techniques uses context and the meaning of text to identify sensitive data in unstructured data?

  • Lexical Analysis

  • Pattern Matching

  • Hashing

  • Schema Analysis

Correct answer: Lexical Analysis

When working with unstructured data, there are a few different techniques that a data discovery tool can use:

  • Pattern Matching: Pattern matching looks for data formats common to sensitive data, often using regular expressions. For example, the tool might look for 16-digit credit card numbers or numbers structured as XXX-XX-XXXX, which are likely US Social Security Numbers (SSNs).
  • Lexical Analysis: Lexical analysis uses natural language processing (NLP) to analyze the meaning and context of text and identify sensitive data. For example, a discussion of “payment details” or “card numbers” could include a credit card number.
  • Hashing: Hashing can be used to identify known-sensitive files that change infrequently. For example, a DLP solution may have a database of hashes for files containing corporate trade secrets or company applications.

Schema analysis can’t be used with unstructured data because only structured databases have schemas.

44.

Bruis has been working with the developers for a new cloud-based application that will operate within their Platform as a Service (PaaS) environment. He has brought the focus of information security to the effort since he is an information security manager. He has been working to ensure that they are planning, developing, and assessing the application as well as they can, as appropriate to the application and the corporation's needs.

What fundamental cloud application idea does this work represent?

  • Security by design

  • Shared security responsibility

  • Security as a business objective

  • Developing collective responsibility

Correct answer: Security by design

The Cloud Security Alliance (CSA) and Software Assurance Forum for Excellence in Code (SAFECode) present the idea that there is a collective responsibility to secure applications, as they are developed for use within corporations and the cloud. That responsibility can be broken down into three parts:

  1. Security by design refers to the inclusion of security at every stage of the development process rather than after an application has been released or in reaction to a security exploit or vulnerability. From application feasibility to retirement, security is an integral element of the process. Bruis is the representation of that consistent effort in this question.
  2. Shared security responsibility means that everyone within the corporation and/or the project has a responsibility to pay attention to security as they are doing their work.
  3. Security as a business objective is the idea that an organization should have a compliance-driven approach to security.

45.

The move to utilize cloud resources partnered with an increasingly regulated and dispersed supply chain elevates the priority of stakeholder coordination. Which of the following stakeholder groups is the LEAST likely to have contracts or formal agreements with a cloud provider?

  • Regulators

  • Vendors

  • Partners

  • Customers

Correct answer: Regulators

CSPs are likely to have contracts or some form of agreement with vendors, partners, and customers, but rarely (if ever) with a regulator. Cloud providers purchase servers, routers, firewalls, switches, etc., so they will have contracts with vendors. 

They would have contracts with the auditors that come in and assess their environments, possibly for SOC 2 or ISO 27001 audits. There would be a contract between the CSP and the audit company. Auditors are considered partners according to ISO 17788.

The CSP would definitely have contracts with their customers. This is probably the first contract people think of when talking about clouds.

The organization/tenant/customer is responsible for ensuring their cloud environment is in compliance with all regulatory obligations applicable to their organization. However, this is not done through a contract with the regulators.

46.

A cloud service provider has published a SOC 2 report. Which of the following cloud considerations is this MOST relevant to?

  • Auditability

  • Governance

  • Regulatory Oversight

  • Security

Correct answer: Auditability

When deploying cloud infrastructure, organizations must keep various security-related considerations in mind, including:

  • Security: Data and applications hosted in the cloud must be secured just like in on-prem environments. Three key considerations are the CIA triad of confidentiality, integrity, and availability.
  • Privacy: Data hosted in the cloud should be properly protected to ensure that unauthorized users can’t access the data of customers, employees, and other third parties.
  • Governance: An organization’s cloud infrastructure is subject to various laws, regulations, corporate policies, and other requirements. Governance manages cloud operations in a way that ensures compliance with these various constraints.
  • Auditability: Cloud computing outsources the management of a portion of an organization’s IT infrastructure to a third party. A key contractual clause is ensuring that the cloud customer can audit (directly or indirectly) the cloud provider to ensure compliance with contractual, legal, and regulatory obligations. A SOC 2 report shows that a cloud service provider meets certain requirements regarding the protection of the customer's data.
  • Regulatory Oversight: An organization’s responsibility for complying with various regulations (PCI DSS, GDPR, etc.) also extends to its use of third-party services. Cloud customers need to be able to ensure that cloud providers are compliant with applicable laws and regulations.

47.

Amir is working for a large organization that has a Platform as a Service (PaaS) application that they created for their internal users. It is a web application that uses browser cookies for sessions and state. However, when the user logs out, the cookies are not properly destroyed. This has allowed another user who had access to the same browser as the previous user to log in using the cookies from the previous session.

What is this an example of? 

  • Broken authentication

  • Security misconfiguration

  • Broken access control

  • Sensitive data exposure 

Correct answer: Broken authentication

Broken authentication is one of the OWASP Top 10 vulnerabilities. Broken authentication occurs when an issue with a session token or cookie makes it possible for an attacker to gain unauthorized access to a web application. This can occur when session tokens are not properly validated, making it possible for an attacker to hijack the token and gain access. Another example occurs when cookies are not properly destroyed after a user logs out, making it possible for the next user of the same browser to gain access with the previous user's cookies.

Security misconfiguration occurs when software is deployed without a proper understanding of how it should be configured or which configuration settings need to be in place.

A great resource for the OWASP Top 10 can be found on OWASP's website. It is good to be familiar with the Top 10 and with some of the solutions or fixes that prevent these issues from occurring.

Broken access control is not the top item on the OWASP Top 10 list. Broken access control occurs in a variety of ways, such as failing to set up access based on the principle of least privilege, or when elevation of permissions is possible for the average user when it should not be.

48.

Sa'id is working on configuring the cloud environment for his company. He works for a multinational bank that has offices primarily in the USA, India, and Europe. They have been working within their own datacenters and are now migrating to a public cloud provider. As the number of attacks continues to rise and the number of laws they must comply with increases, he is looking for a security tool to add to the cloud environment. They are building an Infrastructure as a Service (IaaS) environment and have already added their first Network Security Group (NSG). Now he is looking for the next tool to add, one that would give them information regarding any suspicious activity involving a particular cluster of servers.

Which tool would work the best for that?

  • Network Intrusion Detection System (NIDS)

  • Host Intrusion Detection System (HIDS)

  • Network Intrusion Prevention System (NIPS)

  • Honeypot

Correct answer: Network Intrusion Detection System (NIDS)

A Network Intrusion Detection System (NIDS) analyzes all the traffic on the network and detects possible intrusions. It can send an alert out to administrators to investigate. 

A Host Intrusion Detection System (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. Since the question specifies a cluster of servers, the NIDS is a better choice. It is possible to add a HIDS to every server in the cluster; it is just not what the question is driving at.

A Network Intrusion Prevention System (NIPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. This is not the best answer because the question is looking for information about intruders, not for blocking them.

A honeypot is an isolated system used to trick a bad actor into believing that it is a production system. This should distract them long enough for the Security Operations Center (SOC) to detect the bad actor's presence and take action to remove them from the systems and network.

49.

Which of the following is a data subject right under the European Union (EU) General Data Protection Regulation (GDPR)? 

  • Right of access

  • Right of availability 

  • Right to relocation 

  • Right to repudiation

Correct answer: Right of access

Data subject rights under the EU GDPR include:

  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Notification obligations
  • Right to data portability
  • Right to object
  • Right to erasure
  • Right to be forgotten 
  • Automated individual decision-making, including profiling

Of the answers listed, only right of access is a data subject right under the GDPR. 

50.

Hao has been working on configuring part of her Infrastructure as a Service (IaaS) virtual network. Hao has been configuring the switches and firewalls with information about the controller they report to. This will allow more effective policy-based control of the network.

What has Hao been configuring?

  • SDN

  • SDS

  • CDN

  • SSH

Correct answer: SDN

Software-defined networking (SDN) allows policy-based control of the network through a controller node.

Software-defined storage (SDS) is a method of abstracting the software storage logic from the actual hardware. This makes management more effective. 

Content delivery network (CDN) is a method of distributing content such as videos to the end users by storing the needed content on edge servers that are closer to the users. The content is only cached at the edge. When it is no longer needed, it is deleted. 

SSH is commonly used by network and server administrators for remote connection to devices such as switches and routers.

51.

Although the cloud data lifecycle is not necessarily iterative, it does have distinct phases. What is the proper sequence of the data lifecycle phases?

  • Create, Store, Use, Share, Archive, Destroy

  • Create, Use, Store, Share, Archive, Destroy

  • Create, Use, Share, Store, Archive, Destroy

  • Create, Store, Share, Use, Archive, Destroy

Correct answer: Create, Store, Use, Share, Archive, Destroy

Create, Store, Use, Share, Archive, Destroy are the phases in the cloud data lifecycle in the correct order.

All other options are in the incorrect order.

52.

The fact that a CSP is a large organization with many potentially valuable customers may increase its exposure to which of the following risks?

  • General technology risks

  • Downtime

  • Residual 

  • Data center location

Correct answer: General technology risks

Cloud computing risks can depend on the cloud service model used. Some risks common to all cloud services include:

  • CSP Data Center Location: The location of a CSP’s data center may impact its exposure to natural disasters or the risk of regulatory issues. Cloud customers should verify that a CSP’s locations are resilient against applicable natural disasters and consider potential regulatory issues.
  • Downtime: If a CSP’s network provider is down, then its services are unavailable to its customers. CSPs should use multivendor network connectivity to improve network resiliency.
  • Compliance: Certain types of data are protected by law and may have mandatory security controls or jurisdictional limitations. These restrictions may affect the choice of a cloud service model or CSP.
  • General Technology Risks: Larger CSPs with big-name customers can become a big target for attackers looking to compromise a high-value target.

Residual risk is the risk that remains after inherent risk has been treated.

53.

What type of monitoring is required to identify issues such as dropped packets, excessive memory utilization, slow CPU reaction time, and high latency?

  • Performance monitoring

  • Baseline monitoring

  • Hardware monitoring

  • Resource monitoring

Correct answer: Performance monitoring

Performance monitoring is a continual process in which the CSP ensures that systems operate reliably and that customer service level agreements are met.

Baseline monitoring collects data on system resources, such as CPU usage, memory usage, disk I/O, and network traffic, during normal operations. This data is used to establish performance baselines, which can help detect anomalies, identify performance issues, and optimize system resources.

Monitoring resource utilization helps track how cloud resources are being used, including CPU utilization, memory usage, storage capacity, network bandwidth, and other relevant metrics. By analyzing this data, administrators can identify resource bottlenecks, optimize resource allocation, and make informed decisions about scaling resources up or down based on demand.

Hardware monitoring refers to the process of monitoring and managing the physical infrastructure components of a cloud computing environment. It involves monitoring the health, performance, and availability of hardware devices and components that support the cloud infrastructure, including servers, storage systems, networking equipment, and other hardware resources.

54.

Which of the following exercises involves carrying out all the steps of a BCP without taking down primary systems?

  • Parallel test

  • Simulation

  • Tabletop exercise

  • Full test

Correct answer: Parallel test

Business continuity/disaster recovery plan (BCP/DRP) testing can be performed in various ways. Some of the main types of tests include:

  • Tabletop Exercises: In a tabletop exercise, the participants talk through a provided scenario. They say what they would do in a situation but take no real actions.
  • Simulation/Dry Run: A simulation involves working and talking through a scenario like a tabletop exercise. However, the participants may take limited, non-disruptive actions, such as spinning up backup cloud resources that would be used during a real incident.
  • Parallel Test: In a parallel test, the full BC/DR process is carried out alongside production systems; the BCP/DRP steps are actually performed, but the primary systems are not taken down.
  • Full Test: In a full test, primary systems are taken down as they would be in the simulated event. This test ensures that the BCP/DRP systems and processes are capable of maintaining and restoring operations.

55.

Taylor, a security engineer at Acme Inc., is deploying in-motion data monitoring for a DLP solution. Where is the solution MOST LIKELY to be deployed? 

  • Email server

  • Database server

  • Windows workstation 

  • End users' smartphones

Correct answer: Discovery and classification

DLP is made up of three common stages: discovery and classification, monitoring, and enforcement. 

In-motion monitoring is part of DLP monitoring. Gateway devices such as email servers, firewalls, and network proxies are typical deployment points for in-motion DLP monitoring. 

Database servers, workstations, and smartphones are not typical gateway devices that would host an in-motion monitoring deployment. 

56.

Which of the following cloud service models has the FEWEST potential risks and threats related to provider trust that the customer must consider?

  • Infrastructure as a Service

  • Platform as a Service

  • Software as a Service

  • Function as a Service

Correct answer: Infrastructure as a Service

In an Infrastructure as a Service (IaaS) environment, the customer has the greatest control over its infrastructure stack. This means that it needs to rely less on the service provider than in other service models, creating fewer potential external security risks and threats.

57.

Alika is working for a multinational bank as one of their cloud operators. He is managing some virtual servers within their Infrastructure as a Service (IaaS) environment. What protocol is he likely using for this access?

  • Remote Desktop Protocol (RDP)

  • Internet Protocol Security (IPSec)

  • Dynamic Host Configuration Protocol (DHCP)

  • Advanced Encryption Standard (AES)

Correct answer: Remote Desktop Protocol (RDP)

RDP is a Microsoft-created protocol that can be used for remote access when managing machines such as virtual servers. There are other alternatives that could be used, such as Secure Shell (SSH), but of the options listed, RDP is the best answer.

IPSec is commonly used for site-to-site connections, for example to connect a corporate worksite to the cloud local area network within the IaaS environment.

DHCP is used by connected devices to request an Internet Protocol (IP) address.

AES could be used to encrypt the RDP session, but it is RDP that allows for the remote access.

58.

Which of the following is NOT a threat for which the CSP bears some responsibility?

  • Unauthorized Provisioning

  • Denial of Service

  • Theft or Media Loss

  • Improper Disposal

Correct answer: Unauthorized Provisioning

Data storage in the cloud faces various potential threats, including:

  • Unauthorized Access: Cloud customers should implement access controls to prevent unauthorized users from accessing data. Also, a cloud service provider (CSP) should implement controls to prevent data leakage in multitenant environments.
  • Unauthorized Provisioning: The ease of setting up cloud data storage may lead to shadow IT, where cloud resources are provisioned outside of the oversight of the IT department. This can incur additional costs to the organization and creates security and compliance challenges since the security team can’t secure data that they don’t know exists.
  • Regulatory Non-Compliance: Various regulations mandate security controls and other requirements for certain types of data. A failure to comply with these requirements — by failing to protect data or allowing it to flow outside of jurisdictional boundaries — could result in fines, legal action, or a suspension of the business’s ability to operate.
  • Jurisdictional Issues: Different jurisdictions have different laws and regulations regarding data security, usage, and transfer. Many CSPs have locations around the world, so an organization can violate these laws if its data is improperly protected or stored in an unauthorized location.
  • Denial of Service: Cloud environments are largely accessible via the public Internet. This creates the risk of Denial of Service attacks if the CSP does not have adequate protections in place.
  • Data Corruption or Destruction: Data stored in the cloud can be corrupted or destroyed by accident, malicious intent, or natural disasters.
  • Theft or Media Loss: CSPs are responsible for the physical security of their data centers. If these security controls fail, an attacker may be able to steal the physical media storing an organization’s data.
  • Malware: Ransomware and other malware increasingly target cloud environments as well as local storage. Access controls, secure backups, and anti-malware solutions are essential to protecting cloud data against theft or corruption.
  • Improper Disposal: The CSP is responsible for ensuring that physical media is disposed of correctly at the end of life. Cloud customers can also protect their data by using encryption to make the data stored on a drive unreadable.

59.

In an Infrastructure as a Service (IaaS) environment, the cloud customer will likely NOT have access to logs stemming from which of the following?

  • Hypervisor

  • Virtual server

  • Operating system

  • Database

Correct answer: Hypervisor 

In an IaaS environment, the cloud customer will likely have access to logs from the operating system, the virtual devices, and the applications that they are using. They would have this access because the virtual devices and their operating systems as well as the applications are owned by the cloud service customer. However, it's unlikely that the cloud customer will have access to any logs from the hypervisor itself. If the cloud customer wanted logs from the hypervisor, they would need to work with the cloud provider and have something written into their contract. 

Even though the cloud customer has access to the logs from the operating systems, virtual servers, databases, and applications, they will still likely need some method to aggregate all these logs, such as a security information and event management (SIEM) system. 

60.

A cloud information security manager is building the policies and associated documents for handling cloud assets. She is currently detailing how assets will be understood or listed so that access can be controlled, alerts can be created, and billing can be tracked. 

What concept enables this?

  • Tags

  • Values

  • Datatype

  • Identifier

Correct answer: Tags

Tags are pervasive in cloud deployments. A plan must be built for the corporation on how to tag assets; if tagging is not done consistently, it is not helpful. A tag is made up of two pieces, a key and a value. For example, in the tag "cert:CCSP," "cert" is the key and "CCSP" is the value. Tags are also sometimes called "labels" (e.g., in Kubernetes).

A datatype is a data categorization. 

Tags are technically a type of identifier. However, an identifier is too generic of an answer in this case.