ISC2 CCSP Exam Questions
161. When testing software, it is essential to ensure that it is not vulnerable to attacks that are both known and unknown. Known hardware and software weakness types are which of the following?
- Are identified by Common Weakness Enumeration (CWE) scores based on the Common Weakness Scoring System (CWSS), which is a community-developed project
- Are identified by Common Weakness Enumeration (CWE) scores based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), which is a community-developed project
- Are identified by Common Vulnerabilities Enumeration (CVE) scores based on the Common Weakness Scoring System (CWSS), which is a community-developed project
- Are identified by National Vulnerability Database (NVD) scores based on the Common Weakness Scoring System (CWSS), which is a community-developed project
Correct answer: Are identified by Common Weakness Enumeration (CWE) scores based on the Common Weakness Scoring System (CWSS), which is a community-developed project
The CWE list identifies known hardware and software weakness types such as XML Injection, whereas the CVE list identifies unique vulnerabilities, such as "local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107."
The CWSS is a scoring system designed by the community to prioritize "software weaknesses in a consistent, flexible, open manner."
The NIST RMF is a risk management process that gives government and business a way to integrate "security, privacy, and cyber supply chain risk management activities into the system development life cycle."
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. NIST uses the CVEs.
162. Issues like side-channel attacks and information bleed are MOST closely related to which of the following PaaS environment risks?
- Resource Sharing
- Interoperability Issues
- Virtualization
- Persistent Backdoors
Correct answer: Resource Sharing
Platform as a Service (PaaS) environments inherit all the risks associated with IaaS models, including personnel threats, external threats, and a lack of relevant expertise. Some additional risks added to the PaaS model include:
- Interoperability Issues: With PaaS, the cloud customer develops and deploys software in an environment managed by the provider. This creates the potential that the customer’s software may not be compatible with the provider’s environment or that updates to the environment may break compatibility and functionality.
- Persistent Backdoors: PaaS is commonly used for development purposes since it removes the need to manage the development environment. When software moves from development to production, security settings and tools designed to provide easy access during testing (i.e., backdoors) may remain enabled and leave the software vulnerable to attack in production.
- Virtualization: PaaS environments use virtualized OSs to provide an operating environment for hosted applications. This creates virtualization-related security risks such as hypervisor attacks, information bleed, and VM escapes.
- Resource Sharing: PaaS environments are multitenant environments where multiple customers may use the same provider-supplied resources. This creates the potential for side-channel attacks, breakouts, information bleed, and other issues with maintaining tenant separation.
163. Which of the following is an example of semi-structured data?
- An XML document
- An email user's sent folder
- A database table
- A recorded meeting
Correct answer: Unstructured
The complexity of data discovery depends on the type of data being analyzed. Data is commonly classified into one of three categories:
- Structured: Structured data has a clear, consistent format. Data in a database is a classic example of structured data where all data is labeled using columns. Data discovery is easiest with structured data because the data discovery tool just needs to understand the structure of the database and the context to identify sensitive data.
- Unstructured Data: Unstructured data is at the other extreme from structured data and includes data where no underlying structure exists. Documents, emails, photos, and similar files are examples of unstructured data. Data discovery in unstructured data is more complex because the tool needs to identify data of interest completely on its own. A user's sent email folder and meeting recordings are examples of unstructured data.
- Semi-Structured Data: Semi-structured data falls between structured and unstructured data, having some internal structure but not to the same degree as a database. HTML, XML, and JSON are examples of semi-structured data formats that use tags to define the function of a particular piece of data.
Loosely structured is not a common classification for data.
164. A forensic investigator must complete the task of identifying, collecting, and securing electronic data and records so that they can be used in a criminal court hearing. What task is this forensic investigator completing?
- eDiscovery
- Chain of custody
- Investigation
- Non-repudiation
Correct answer: eDiscovery
eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.
Chain of custody is the record of how the evidence was handled; who handled it; what they were doing with it; where it was or where it was stored; when it was collected/inspected/handled; and why it was handled, inspected, and analyzed.
Investigation is the process of analyzing the data and pursuing the understanding of the evidence to comprehend who, what, where, why, when, and how something happened.
Non-repudiation is when the evidence removes the ability for someone to deny that they did something like creating or sending an email, signing a contract, or creating data.
165. Jie is a quality engineer at Acme Inc. The company needs to perform testing that will show if all the modules will work together once they are combined.
What type of testing needs to be done?
- Integration testing
- Usability testing
- User experience testing
- Dynamic application security testing
Correct answer: Integration testing
Integration testing aims to verify the interaction and compatibility of different software modules, components, or systems when combined or integrated together. It focuses on identifying defects or issues that may arise due to the interaction between these software elements.
Usability testing, also known as user experience (UX) testing or user acceptance testing, is a process of evaluating a software application's ease of use, intuitiveness, and overall user satisfaction. The goal of usability testing is to assess how well the software meets the needs of its intended users and identify any usability issues or areas for improvement.
Dynamic application security testing (DAST) is a type of testing tool that primarily performs vulnerability scanning.
166. A cloud provider has assembled all the cloud resources from routers to servers and switches, as well as the central processing unit (CPU), random access memory (RAM), and storage within the servers. Then, they made them available for allocation to their customers.
Which term BEST describes this process?
- Resource pooling
- Reversibility
- Data portability
- On-demand self-service
Correct answer: Resource pooling
Cloud providers may choose to do resource pooling, which is the process of aggregating all the cloud resources together and allocating them to their cloud customers. There is pooling of physical equipment into the data center. Then there is a pool of resources within a server that are allocated to running virtual machines. That is the CPU, the RAM, and the available network bandwidth.
Multitenancy occurs when a service provider gives multiple users (tenants) an allocation of shared resources. Resource pooling enables multitenancy, but the act of a service provider pooling their resources is not multitenancy.
Portability is the ability to move data from one provider to another without having to reenter the data.
On-demand self-service is the ability for the customer/tenant to use a portal to purchase and provision cloud resources without having much, if any, interaction with the cloud provider.
167. An information security architect is developing a business Disaster Recovery Plan (DRP) for her organization. They have been progressing through the steps to develop their plans that will be utilized in the event of major disruptions to their private cloud data center. They have just finished developing the procedural documentation.
What is the next step for them to take?
- Implement the plan
- Test the plan
- Conduct the Business Impact Analysis (BIA)
- Develop recovery strategies
Correct answer: Implement the plan
When developing a Disaster Recovery Plan (DRP), the following order should be followed:
- Project management and initiation
- Conduct a Business Impact Analysis (BIA)
- Develop recovery strategies
- Develop the documentation
- Implement the plan
- Test the plan
- Report and revise
- Embed the plan in the user community
As they have just developed the plan in this scenario, the next step is to implement it. The instinct for most people is to move to test the plan so that it can then be implemented. Since these are the steps to be taken after significant failure, it is necessary to build the alternative cloud to fail into before you can test it.
168. Which of the following is a standard that defines the requirements for cryptographic modules?
- FIPS 140-2
- Common Criteria
- ISO 27002
- ISO 27017
Correct answer: FIPS 140-2
Cloud providers’ systems may be subject to certification against standards that address a specific component, such as a cryptographic module. Examples of these system/subsystem product certifications include:
- Common Criteria: Common Criteria (CC) are guidelines for comparing various security systems. A protection profile describes the security requirements of systems being compared, and the evaluation assurance level (EAL) describes the level of testing performed on the system, ranging from 1 (lowest) to 7 (highest).
- FIPS 140-2: Federal Information Processing Standard (FIPS) 140-2 is a US government standard for cryptographic modules. FIPS compliance is necessary for organizations that want to work with the US government and mandates the use of secure cryptographic algorithms like AES.
ISO 27017 is an ISO (International Organization for Standardization) standard focused on the implementation of security controls from ISO 27002 (another ISO standard that provides specific security controls) in cloud environments.
169. Which of the following accurately describes the build vs. buy decision related to datacenter design?
- Building is more expensive and offers more control.
- Buying is more expensive and offers more control.
- Building is more expensive. Buying offers more control.
- Buying is more expensive. Building offers more control.
Correct answer: Building is more expensive and offers more control.
Organizations that can build their own data centers will have the most input into everything from physical security to all other aspects of the setup. This typically offers more control than buying a prebuilt space.
However, buying, subletting, or leasing space in an already-built data center is a much quicker, easier, and typically less expensive option for many organizations.
170. Rhonda works for a retail clothing store in the United States as their information security manager. She has been working with the legal department to ensure they comply with all required laws and contracts.
Which of the following MOST LIKELY applies?
- Their payment card companies must follow the Payment Card Industry - Data Security Standard (PCI-DSS)
- They must protect employee medical data that they store, according to HIPAA
- They must comply with the United States law referred to as the PCI-DSS
- They must comply with the European Union's contractual requirement of GDPR
Correct answer: Their payment card companies must follow the Payment Card Industry - Data Security Standard (PCI-DSS)
The PCI-DSS is a contractual requirement that applies to companies that accept and process payment cards. As a retail store, this definitely applies to the data that they have in their possession.
As a retail clothing store, it is unlikely that they will have health data from their employees. Since credit cards are a definite piece of data that they have, PCI-DSS is a better answer.
PCI-DSS is a contractual requirement, not a law, nor is it US-specific.
The question is not specific as to where the store is, so they may be within the EU. If they are in the EU, the GDPR would apply. However, GDPR is a law, not a contract.
171. Which of the following system and communication protection steps from NIST SP 800-53 is designed to prevent human error related to system administration tasks?
- Separation of System and User Functionality
- Security Function Isolation
- Boundary Protection
- Cryptographic Key Establishment and Management
Correct answer: Separation of System and User Functionality
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations defines 51 security controls for systems and communication protection. Among these are:
- Policy and Procedures: Policies and procedures define requirements for system and communication protection and the roles, responsibilities, etc. needed to meet them.
- Separation of System and User Functionality: Separating administrative duties from end-user use of a system reduces the risk of a user accidentally or intentionally misconfiguring security settings.
- Security Function Isolation: Separating roles related to security (e.g., configuring encryption and logging) from other roles also implements separation of duties and helps prevent errors.
- Denial-of-Service Prevention: Cloud resources are Internet-accessible, making them a prime target for DoS attacks. These resources should have protections in place to mitigate these attacks as well as allocate sufficient bandwidth and compute resources for various systems.
- Boundary Protection: Monitoring and filtering inbound and outbound traffic can help block inbound threats and stop data exfiltration. Firewalls, routers, and gateways can also be used to isolate and protect critical systems.
- Cryptographic Key Establishment and Management: Cryptographic keys are used for various purposes, such as ensuring confidentiality, integrity, authentication, and non-repudiation. They must be securely generated and secured against unauthorized access.
172. Jose works for a small regional bank that is building their Business Continuity Plan (BCP) for the first time. As he builds the business case that he will present to the Board of Directors and C-suite, he is identifying risks that will be addressed by this plan.
If he is working to ensure that the customers will have enough access to the online portal for their needs, even through disruptions within the data center, what parameter must he ensure that the alternate plan meets?
- Recovery Service Level
- Maximum Tolerable Outage
- Recovery Time Objective
- Maximum Tolerable Downtime
Correct answer: Recovery Service Level
The Recovery Service Level (RSL) is the level of service (percentage of normal) that the alternate site must be able to support. For example, if the server normally handles 400 calls an hour from customers but needs to be able to at least handle 300 calls an hour so that the customers' basic needs are met, then that is the RSL. RSL would be 75% of normal functionality.
The Maximum Tolerable Outage (MTO) is the amount of time that a corporation can survive being in this alternate state. Using the above example, since they are only at 75% functionality, they may only be able to handle that state for three days.
The Recovery Time Objective (RTO) is the amount of time that it takes to do the recovery work. This would take the server from not functioning to functioning at some level. The level needed is the RSL.
The Maximum Tolerable Downtime (MTD) is the amount of time that the system can be offline, not working, or non-functional.
173. Cloud services like Amazon S3 and Azure Blob Storage store data in "buckets" without additional hierarchical organization. These are examples of what type of cloud storage?
- Object storage
- File storage
- Block storage
- Image storage
Correct answer: Object storage
There are several forms of cloud storage CCSP candidates should be familiar with, including:
- Block storage: A form of storage where data is exposed in small chunks (known as blocks) in the same way a disk controller exposes data to a physical server. Block storage is analogous to a cloud hard drive. Examples of cloud block storage services include AWS Elastic Block Storage, Azure Disk Storage, and Google Persistent Disk.
- File storage: A form of storage where data is stored using a filesystem structure in the cloud. Examples include AWS Elastic File System and Azure Files.
- Object storage: A form of storage where storage objects are stored in a “bucket” without additional hierarchical organization required (users can create folder-like hierarchies using object names). Storage objects cannot be edited once they are created. Object storage offers granular access control down to the object level. Examples of object storage include Amazon S3 and Azure Blob Storage.
- Images: An image is a chunk of code that can be instantiated to run containers, virtual machines, and other computed resources.
174. When a quantitative risk assessment is performed, it is possible to determine how much a threat can cost a business over a year.
What term defines this?
- ALE
- SLE
- ARO
- RTO
Correct answer: ALE
How much a single occurrence of a threat will cost a business is the single loss expectancy (SLE). The total number of times this is expected within a year is the annual rate of occurrence (ARO). The total cost of a threat over a year is calculated by multiplying the ARO times the SLE and that will result in the annualized loss expectancy (ALE).
A recovery time objective (RTO) is the time that is given to the recovery team to perform the recovery actions after a disaster has been declared.
175. Haile is a cloud operator who has been reviewing the Indications of Compromise (IoC) from the company's Security Information and Event Manager (SIEM). The SIEM reviews the log outputs to find these possible compromises. Where should detailed logging be in place within the cloud?
- Each level of the virtualization infrastructure as well as wherever the client accesses the management plane
- Wherever the client accesses the management plane only
- Only specific levels of the virtualization structure
- Only access to the hypervisor and the management plane
Correct answer: Each level of the virtualization infrastructure as well as wherever the client accesses the management plane
Logging is imperative for a cloud environment. Role-based access should be implemented, and logging should be done at each and every level of the virtualization infrastructure as well as wherever the client accesses the management plane (such as a web portal).
The SIEM cannot analyze the logs to find the possible compromise points unless logging is enabled, and the logs are delivered to that central point. This is necessary in case there is a compromise, which could happen anywhere within the cloud.
176. As the information security manager, Ren has been working with the business continuity planning team to determine if their plan is ready. They have just performed a test that tests all but the actual switchover from the production environment to the backup cloud environment. What type of test have they performed?
- Parallel
- Simulation
- Full interruption
- Tabletop
Correct answer: Parallel
Parallel is the fourth level in the test phase (see #6 below).
The phases of developing a BC/DR plan are shown here:
- Policy
- Project Management & Initiation
- Business Impact Analysis (BIA)
- Develop Strategies
- Document
- Implement, Test, and Update
- Embed in the user communities
In the test phase, there are about five basic levels of testing. The most basic is a checklist or desk check. This serves to ensure that the document contains all the pieces that they have been able to identify and develop. It is possible to perform this test using a list of commonly forgotten items from BC/DR plans.
The second level is historically called a structured walkthrough, although today it is more commonly called a tabletop. This allows the team to talk through the plan in a logical order to see if the pieces all fit as they believe they should.
The third level is a simulation, which does not fit well into cloud discussions. A good example is a fire drill.
The fourth is then a parallel test. This brings the backup environment to a functional state but does not take the production environment offline or cause a failover.
To test the failover capability, the final test is a full interruption.
There are alternative names to these tests that some people use. There is no one correct list because ISC2 does not follow a single standard for their exams.
177. Which of the following is MOST closely related to an organization's efforts to ensure features like confidentiality and non-repudiation?
- Cryptographic Key Establishment and Management
- Separation of System and User Functionality
- Security Function Isolation
- Boundary Protection
Correct answer: Cryptographic Key Establishment and Management
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations defines 51 security controls for systems and communication protection. Among these are:
- Policy and Procedures: Policies and procedures define requirements for system and communication protection and the roles, responsibilities, etc. needed to meet them.
- Separation of System and User Functionality: Separating administrative duties from end-user use of a system reduces the risk of a user accidentally or intentionally misconfiguring security settings.
- Security Function Isolation: Separating roles related to security (such as configuring encryption and logging) from other roles also implements separation of duties and helps to prevent errors.
- Denial-of-Service Prevention: Cloud resources are Internet-accessible, making them a prime target for DoS attacks. These resources should have protections in place to mitigate these attacks as well as allocate sufficient bandwidth and compute resources for various systems.
- Boundary Protection: Monitoring and filtering inbound and outbound traffic can help to block inbound threats and stop data exfiltration. Firewalls, routers, and gateways can also be used to isolate and protect critical systems.
- Cryptographic Key Establishment and Management: Cryptographic keys are used for various purposes, such as ensuring confidentiality, integrity, authentication, and non-repudiation. They must be securely generated and secured against unauthorized access.
178. Virtual Update Manager (VUM) was developed by which of the following?
- VMware
- Microsoft
- Apple
- Linux
Correct answer: VMware
Virtual Update Manager (VUM) was developed by VMware. It is used to update both the vSphere hosts and the virtual machines that are running under them.
(You don't need to know anything vendor specific for the exam, but this information might be useful at your work.)
179. An information security manager is concerned about the security of portable devices in the organization that have been given access to corporate resources. What can this information security manager implement to manage and maintain the devices?
- MDM
- SIEM
- BYOD
- VPN
Correct answer: MDM
Mobile device management (MDM) is the term used to describe the management and maintenance of mobile devices (e.g., tablets and mobile phones) that have access to corporate resources. Usually, MDM software will be installed on the devices so that the IT staff can manage the devices remotely in the case of a lost or stolen device.
MDM software usually has the following:
- Symmetric encryption technology for the drive on the mobile device
- Remote control to be able to disable or even "brick" the device if it is lost or stolen
- Remote control to be able to delete files in the event the phone is lost or stolen
Bring your own device (BYOD) is a model where employees use their own devices for work-related activities. BYOD environments are a common example of a use case for MDM.
Using a security information and event management (SIEM) tool is good practice but does not directly enable device management.
A virtual private network (VPN) can reduce the risk of network-related incidents but does not directly enable device management. An MDM could enforce a VPN on devices that need access to sensitive resources.
180. Which of the Trust Services principles must be included in a Service Organization Controls (SOC) 2 audit?
- Security
- Availability
- Privacy
- Confidentiality
Correct answer: Security
The Trust Services Criteria from the American Institute of Certified Public Accountants (AICPA) for the Service Organization Controls (SOC) 2 audit report are made up of five key principles: Availability, Confidentiality, Processing integrity, Privacy, and Security. Security is always required as part of a SOC 2 audit. The other four principles are optional.