(ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests. Ben Malisow
Page 13
102. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, why are denial of service (DoS) attacks such a significant threat to cloud operations?
A. DoS attackers operate internationally.
B. There are no laws against DoS attacks, so they are impossible to prosecute.
C. Availability issues prevent productivity in the cloud.
D. DoS attacks that can affect cloud providers are easy to launch.

103. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what do we call denial of service (DoS) attacks staged from multiple machines against a specific target?
A. Invasive denial of service (IDoS)
B. Pervasive denial of service (PDoS)
C. Massive denial of service (MDoS)
D. Distributed denial of service (DDoS)

104. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of malicious insiders so alarming?
A. Scalability
B. Multitenancy
C. Metered service
D. Flexibility

105. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming from a management perspective?
A. Scalability
B. Multitenancy
C. Resiliency
D. Broadband connections

106. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?
A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment
B. Reviewing all contractual elements to appropriately define each party’s roles, responsibilities, and requirements
C. Assessing the provider’s financial standing and soundness
D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as the legacy environment

107. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business. What do we call this problem?
A. Vendor lock-in
B. Vendor lockout
C. Vendor incapacity
D. Unscaled
108. Which of the following is not a method for creating logical segmentation in a cloud data center?
A. Virtual local area networks (VLANs)
B. Network address translation (NAT)
C. Bridging
D. Hubs

109. According to (ISC)2, the lack/ambiguity of physical endpoints as individual network components in the cloud environment creates what kind of threat/concern?
A. The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets.
B. Without physical endpoints, it is impossible to apply security controls to an environment.
C. Without physical endpoints, it is impossible to track user activity.
D. The lack of physical endpoints increases the opportunity for physical theft/damage.

110. When should cloud providers allow platform as a service (PaaS) customers shell access to the servers running their instances?
A. Never
B. Weekly
C. Only when the contract stipulates that requirement
D. Always
111. In a PaaS implementation, each instance should have its own user-level permissions; when instances share common policies/controls, the cloud security professional should be careful to reduce the possibility of _______________ and _______________ over time.
A. Denial of service (DoS)/physical theft
B. Authorization creep/inheritance
C. Sprawl/hashing
D. Intercession/side-channel attacks

112. In a platform as a service (PaaS) environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on _______________.
A. International standards
B. Federal regulations
C. Organizational policies
D. Federation directives

113. An essential element of access management, _______________ is the practice of confirming that an individual is who they claim to be.
A. Authentication
B. Authorization
C. Nonrepudiation
D. Regression

114. An essential element of access management, _______________ is the practice of granting permissions based on validated identification.
A. Authentication
B. Authorization
C. Nonrepudiation
D. Regression

115. What is the usual order of an access management process?
A. Access-authorization-authentication
B. Authentication-authorization-access
C. Authorization-authentication-access
D. Authentication-access-authorization
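The access-management sequence asked about in questions 113 to 115, and the authorization creep named in question 111, can be made concrete in a few lines. The following is an added example written for this page, not code from the (ISC)2 book or from any cloud provider: it authenticates a user against a PBKDF2 password hash, checks the validated identity's permissions, and only then grants access, and it includes the kind of periodic review that catches grants a user has accumulated beyond their current role. The user store, roles, permissions and passwords are all constructed for the example.

```python
"""Authentication -> authorization -> access, plus an authorization-creep review.
Added example for this page; user records, roles and grants are constructed."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt (100k iterations).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store: one current role per user.
USERS = {
    "alice": _new_user("correct horse", "analyst"),
    "bob": _new_user("hunter2", "developer"),
}

# Role baseline: the permissions each role is supposed to carry.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "developer": {"read:reports", "deploy:app"},
}

# Effective grants each user actually holds (constructed). Bob kept
# "manage:users" from a role he no longer has: that is authorization creep.
EFFECTIVE_GRANTS = {
    "alice": {"read:reports"},
    "bob": {"read:reports", "deploy:app", "manage:users"},
}

_DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same as known ones


def authenticate(username: str, password: str) -> bool:
    """Step 1: confirm the subject is who they claim to be."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def authorize(username: str, permission: str) -> bool:
    """Step 2: check that the validated identity holds the requested permission."""
    return permission in EFFECTIVE_GRANTS.get(username, set())


def access_resource(username: str, password: str, permission: str):
    """Authentication, then authorization, then access. Returns None on any denial."""
    if not authenticate(username, password):
        return None
    if not authorize(username, permission):
        return None
    return f"{permission} granted to {username}"


def review_authorization_creep(username: str) -> set:
    """Periodic review: grants the user holds beyond their current role baseline."""
    role = USERS[username]["role"]
    return EFFECTIVE_GRANTS[username] - ROLE_PERMISSIONS[role]


if __name__ == "__main__":
    print(access_resource("alice", "correct horse", "read:reports"))
    print(access_resource("alice", "correct horse", "deploy:app"))
    for user in USERS:
        print(user, "excess grants:", review_authorization_creep(user))
```

The order matters: `authorize` is only reached after `authenticate` has succeeded, so a permission lookup never happens for an unproven identity, and the review function is what a shared-policy PaaS environment needs to run on a schedule so that inherited or leftover grants do not accumulate unnoticed.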
116. Why are platform as a service (PaaS) environments at a higher likelihood of suffering backdoor vulnerabilities?
A. They rely on virtualization.
B. They are often used for software development.
C. They have multitenancy.
D. They are scalable.

117. Backdoors are sometimes left in software by developers _______________.
A. In lieu of other security controls
B. As a means to counter denial of service (DoS) attacks
C. Inadvertently or on purpose
D. As a way to distract attackers
118. Alice is staging an attack against Bob’s website. She is able to introduce a string of command code into a database Bob is running, simply by entering the command string into a data field. This is an example of which type of attack?
A. Insecure direct object reference
B. Buffer overflow
C. SQL injection
D. Denial of service
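What "entering the command string into a data field" looks like in practice, as an added example for this page (not code from the book): the same user lookup written once by splicing the field value into the statement, and once with a bound parameter. Run against an in-memory SQLite table constructed here, the first version lets a tautology payload return every row and a UNION payload read a different column, while the second treats the identical input as a literal username.

```python
"""SQL injection: string-built query beside its parameterized form.
Added example for this page; the table, rows and payloads are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("bob", 1), ("alice", 0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The data field is spliced straight into the statement, so a value such as
    # ' OR '1'='1 changes the query's logic instead of being compared as data.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The driver sends the value separately from the statement text; whatever
    # the field contains is compared literally against the column.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker input typed into the username field.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT is_admin FROM users WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union:", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, tautology:", lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
    print("parameterized, union:", lookup_parameterized(conn, UNION_PAYLOAD))
```

The UNION payload is the more instructive of the two: the vulnerable function is supposed to return usernames, yet the result contains integers from the `is_admin` column, which is exactly the confidentiality loss the question describes. The fix is not to filter quotes but to stop concatenating untrusted input into the statement at all.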
119. Bob is staging an attack against Alice’s website. He is able to embed a link on her site that will execute malicious code on a visitor’s machine if the visitor clicks on the link. This is an example of which type of attack?
A. Cross-site scripting
B. Broken authentication/session management
C. Security misconfiguration
D. Insecure cryptographic storage
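The link in this question is executable because the site reflects visitor-supplied content into its HTML without treating it as data. As an added example for this page (not from the book), the snippet below renders a "posted by" line with a display name and a link: the unsafe version splices both values in raw, so a name containing `<script>` runs and a `javascript:` href executes on click; the safe version escapes the name for HTML context and accepts only absolute http(s) URLs for the href. The inputs are constructed.

```python
"""Cross-site scripting: raw reflection beside context-aware output encoding.
Added example for this page; names, hrefs and payloads are constructed."""
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def render_vulnerable(name: str, href: str) -> str:
    # Both values land in the markup unchanged, so markup or a javascript:
    # URL in either one runs in every visitor's browser.
    return f'<p>Posted by {name}: <a href="{href}">link</a></p>'


def safe_href(href: str) -> str:
    # Allow only absolute http(s) URLs; javascript:, data: and scheme-relative
    # values are replaced with an inert fragment link.
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return "#"
    # Attribute context: escape quotes and ampersands too.
    return html.escape(href, quote=True)


def render_safe(name: str, href: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the name is shown as
    # text rather than parsed as tags.
    safe_name = html.escape(name, quote=True)
    return f'<p>Posted by {safe_name}: <a href="{safe_href(href)}">link</a></p>'


# Constructed attacker input.
EVIL_NAME = "<script>alert(document.cookie)</script>"
EVIL_HREF = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_vulnerable(EVIL_NAME, EVIL_HREF))
    print(render_safe(EVIL_NAME, EVIL_HREF))
    print(render_safe("Alice & Bob", "https://example.com/p?a=1&b=2"))
```

Escaping alone is not enough for the href: `html.escape("javascript:alert(1)")` returns the string unchanged, since it contains no special characters, so the URL attribute needs an allowlist on the scheme in addition to attribute-context encoding.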
120. Alice is staging an attack against Bob’s website. She has discovered that Bob has been storing cryptographic keys on a server with a default admin password and is able to get access to those keys and violate confidentiality and access controls. This is an example of which type of attack?
A. SQL injection
B. Buffer overflow
C. Using components with known vulnerabilities
D. Security misconfiguration

121. Which of the following is a management risk that organizations migrating to the cloud will have to address?
A. Insider threat
B. Virtual sprawl
C. Distributed denial of service (DDoS) attacks
D. Natural disasters

122. Which kind of hypervisor is the preferred target of attackers, and why?
A. Type 1, because it is more straightforward
B. Type 1, because it has a greater attack surface
C. Type 2, because it is less protected
D. Type 2, because it has a greater attack surface

123. Which of the following would make a good provision to include in the service-level agreement (SLA) between cloud customer and provider?
A. Location of the data center
B. Amount of data uploaded/downloaded during a pay period
C. Type of personnel security controls for network administrators
D. Physical security barriers on the perimeter of the data center campus

124. What is the most significant aspect of the service-level agreement (SLA) that incentivizes the cloud provider to perform?
A. The thoroughness with which it details all aspects of cloud processing
B. The financial penalty for not meeting service levels
C. The legal liability for violating data breach notification requirements
D. The risk exposure to the cloud provider

125. From a customer perspective, all of the following are benefits of infrastructure as a service (IaaS) cloud services except _______________.
A. Reduced cost of ownership
B. Reduced energy costs
C. Metered usage
D. Reduced cost of administering the operating system (OS) in the cloud environment

126. From an academic perspective, what is the main distinction between an event and an incident?
A. Incidents can last for extended periods (days or weeks), whereas an event is momentary.
B. Incidents can happen at the network level, whereas events are restricted to the system level.
C. Events are anything that can occur in the IT environment, whereas incidents are unscheduled events.
D. Events occur only during processing, whereas incidents can occur at any time.