ccsk mock exam V21 (page 1)
1. A key element of the Store phase of the Data Security Lifecycle is:
A. Asset Management
B. Crypto-shredding (corresponds to Destroy)
C. Classify
D. Application Security
E. Rights Management

2. In incident response, which of the following cloud provider technology implementations can impede investigations?
A. Choice of firewall system
B. Security Information Event Management (SIEM) tools
C. Proprietary log formats
D. Encrypted customer data
E. Virtualization environment snapshots

3. What capabilities can a cloud provider deliver to support offline analysis of potential incidents?
A. Encrypted customer data
B. VPN capabilities
C. Defense in depth strategies
D. Snapshots of customer's entire virtual environment
E. Regular audits stipulated in service level agreement

4. An important consideration when performing a remote vulnerability test of a cloud-based application is to
A. Schedule vulnerability test at night
B. Obtain contractual permission for test
C. Use application layer testing tools exclusively
D. Use network layer testing tools exclusively
E. Use techniques to evade cloud provider's detection systems

5. What is the benefit of federation of identity in a Cloud environment?
A. Enabling allied enterprises to authenticate, provide single or reduced Sign-On (SSO)
B. Provides granular application entitlements
C. Simplifies the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud
D. Allows transmission of user information from a Policy Information Point (PIP) to a Policy Decision Point (PDP)
E. Enforces the policy decision at the Policy Enforcement Point (PEP)

6. Prominent recommended standards to enable federation of identity in cloud environments include
A. OpenID
B. Kerberos
C. SAML and WS-Federation
D. X.509
E. SSO

7. A key element of the Create phase of the Data Security Lifecycle is
A. Classify
B. Rights Management
C. Application Security
D. Encryption
E. Crypto-Shredding

8. A cloud deployment of two or more unique clouds is known as:
A. Infrastructure as a Service
B. A Community Cloud
C. A Hybrid Cloud
D. A Private Cloud
E. Jericho Cloud Cube Model

9. ENISA: because it is practically impossible to process data in encrypted form, customers should have the following expectation of cloud providers:
A. Provider should always manage customer encryption keys with hardware security module (HSM) storage
B. Provider should immediately notify customer whenever data is in plaintext form
C. Provider should be PCI compliant
D. Provider must be highly trustworthy and have compensating controls to protect customer data when it is in plaintext form
E. Homomorphic encryption should be implemented where necessary

10. How can key management be leveraged to prevent cloud providers from inappropriately accessing customer data?
A. Use strong multi-factor authentication
B. Segregate keys from the provider hosting data
C. Stipulate encryption in contract language
D. Secure backup processes for key management systems
E. Select cloud providers within the same country as customer

11. Which of the following is a consideration specific to the migration of virtual machine systems to new cloud providers?
A. Loss of hypervisor access
B. Use of industry accepted VM hardening guidelines
C. Understanding what tools are provided for secure data transfer
D. Traffic filtering on VM backplane or Enterprise Services Bus (ESB)
E. Identification of provider-specific extensions to virtual machine environment

12. How must performance monitoring of Providers and testing for vulnerabilities be handled in a client-provider relationship?
A. As long as the Provider does not suffer a breach, it does not have to provide customers with visibility into vulnerability scan results
B. Providers who obtain clean scan results in regular periodic testing enjoy a limited "Safe Harbor" from liability associated with a breach.
C. The cloud services provider must contractually supply results of periodic scan and vulnerability testing to the customer
D. The cloud services agreement must allow the cloud services client or designated third party to test for vulnerabilities in the system.
E. The customer must define acceptable levels of performance that providers must meet

14. ENISA: Which of the following is among the vulnerabilities contributing to a high risk ranking for Network Management?
A. User provisioning vulnerabilities
B. AAA vulnerabilities
C. Hypervisor vulnerabilities
D. Inadequate physical security procedures
E. System or O/S vulnerabilities

15. The key portability objective(s) for Infrastructure as a Service (IaaS) is/are
A. Preserving snapshots of virtual machine images
B. Migration of custom written applications and achieving a successful data migration
C. Achieving a successful data migration only
D. Migration of custom written applications only
E. Getting new cloud provider to absorb costs of transition

16. ENISA: Which is not one of the five key legal issues common across all scenarios?
A. Data protection
B. Globalization
C. Intellectual property
D. Professional negligence
E. Outsourcing services and changes in control

17. From a traditional security perspective, the increase in centralization of data creates concern for an increase in which risk?
A. Lack of compliance
B. Downtime
C. Account takeovers
D. Identity theft
E. Insider abuse

18. For cloud customers, a Right to Audit clause in the contract with your cloud provider
A. Is an undue burden upon internal auditors
B. Is a prerequisite for engaging with cloud providers
C. Replaces cloud provider certification requirements
D. Prevents a cloud provider from ignoring compliance requirements
E. Should be obtained whenever possible

19. Which attack surfaces, if any, does virtualization technology introduce?
A. The hypervisor
B. Virtualization management components apart from the hypervisor
C. Network attacks that communicate between different VMs over a shared physical hardware backplane, rather than a network.
D. All of the above

20. ENISA: in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?
A. Internet Service Provider (ISP)
B. Cloud Provider
C. Customer
D. Shared responsibility
E. Data Commissioner

21. What is a key success factor to support application security in Infrastructure as a Service (IaaS) environments?
A. Limit use to private cloud delivery model
B. Use of structured data tables
C. Realtime antivirus shields
D. Use of SAML or OpenID
E. Trusted virtual machine images

22. Which of the following should be reviewed as part of the vendor selection process, when considering Providers?
A. Willingness to allow the customer or a third-party to audit the service.
B. For IaaS providers only, the Provider's inclusion of security into the software development lifecycle.
C. Compatibility of provider's customer support processes, procedures, tools and support hours with yours
D. A & C
E. Provider's approach to balancing damage control with evidence gathering after a data breach

23. In a client-provider relationship, who is responsible for which portions of data classification?
A. Client defines data classification; Provider enforces the client's requirements based on classification
B. Provider defines data classification; Client enforces the provider's requirements based on classification
C. Client and provider jointly define data classification policy; provider classifies data and enforces the client's requirements based on classification.
D. Customer defines data classification; provider encrypts data at rest and data in transit.
E. Provider enforces a "Default Deny All" policy for all but data owner and authorized personnel

24. ENISA: which is a potential security benefit of cloud computing?
A. More efficient and timely system updates
B. Provider can obfuscate system O/S and versions
C. Greater compatibility with customer IT infrastructure
D. ISO 27001 certification
E. Lock-In

25. Implementing security controls that satisfy regulatory requirements
A. Are assured by SAS 70 Type II audits
B. Are primarily a customer responsibility in IaaS environments
C. Must be stated within the provider contract
D. Are primarily a customer responsibility in SaaS environments
E. Should be listed on the cloud provider roadmap

26. What should be the subject of an organization's risk analysis of a Cloud Service Provider?
A. Alignment of the provider's risk assessment strategy and processes with the user's
B. The vendor
C. The provider's ability to maintain current asset inventory and valuation information
D. Recent vulnerability assessments and penetration tests.
E. The overall service

27. When responding to subpoenas and other legal requests, the cloud service provider and customer should have
A. Unified processes
B. Identical access to customer on-premise logfiles
C. Separate processes and procedures to avoid conflicts of interest
D. A protected VPN for exchanging legal documents
E. A single legal counsel representing both parties

28. If a customer has a mandate to use a specific cloud provider which is lacking in appropriate redundancy capabilities including failover, the customer may
A. Insist upon custom SLAs guaranteeing redundancy
B. Use a third party cloud brokering solution
C. Backup sensitive information to a separate cloud provider nightly
D. Use a load balancing device at the customer's network perimeter
E. Utilize cloud bursting

29. In the CSA Reference Model, what do we call the layer that differentiates Platform as a Service (PaaS) from Infrastructure as a Service (IaaS)?
A. Virtual machines
B. Abstraction
C. Multi-Tenancy
D. Routers
E. Integration & Middleware

30. True or False: With the common carrier model of service delivery, the service provider should normally have little or no access to or control over the customer's data or systems beyond the contracted level of management.
A. TRUE
B. False

31. What best describes the tradeoff of Infrastructure as a Service as compared to other cloud deployment models?
A. Lower initial cost and greater security features
B. Greater security features and less extensibility
C. Lower initial costs and greater long term costs
D. Less security features and greater extensibility
E. Greater initial costs and greater security features

32. Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?
A. Multi-tenancy
B. Measured service
C. Unlimited bandwidth
D. Nation-state boundaries
E. Hybrid clouds

33. ENISA: VM hopping is:
A. Instability in VM patch management causing VM routing errors
B. Improper management of VM instances, causing customer VMs to be commingled with other customer systems
C. Lack of vulnerability management standards
D. Using a compromised VM to exploit a hypervisor, used to take control of other VMs
E. Looping within virtualized routing systems

34. How can clients best address a provider's use of virtualization technologies in the client's business continuity plan?
A. Understand how VM images can be captured and ported to new providers if needed.
B. Ensure that the contract requires the Provider to achieve a specified business continuity objective.
C. Ensure that the contract requires the Provider to conduct a Business Continuity Plan (BCP) test at least annually.
D. Ensure that auditors and security assessors are familiar with Cloud and virtualization challenges
E. Prefer open to proprietary virtualization APIs for management, security, and interoperability

35. Which practices will minimize software modification when porting Platform as a Service (PaaS) solutions?
A. Use a common programming language throughout
B. Assure possibility of migration of backups, logs, metadata and test systems used by the provider
C. Quality assurance testing in the software development lifecycle
D. Develop an architecture with abstraction to minimize direct access to proprietary modules
E. Well documented service level agreements

36. The key concern of data backup and recovery schemes is
A. Data should not be commingled with other customers
B. Assurance that deleted data is in fact unrecoverable
C. Assurance that cloud provider has multiple data centers for disaster recovery
D. Data aggregation should not cause breaches
E. They must prevent data loss, unwanted data overwrite and destruction

37. ENISA: An Open Standard that simplifies IaaS virtual machine portability between providers is
A. SAML
B. OCCI
C. SAJACC
D. DMTF
E. OVF

38. ENISA: Licensing Risks refer to
A. Cloud provider may not have all appropriate government operating licenses
B. A traditional software licensing scheme may lead to high costs or lack of compliance in cloud systems
C. Risk that software company may go out of business, leading to expiration of licenses for mission critical software
D. Use of country-issued driver's licenses for user identification
E. Cloud provider employees not maintaining operating system license files

39. What are the six phases of the Data Security Lifecycle?
A. Create, Classify, Use, Store, Retain, Destroy
B. Create, Classify, Use, Store, Archive, Destroy
C. Create, Store, Use, Share, Archive, Destroy
D. Assign, Define, Create, Process, Store, Destroy
E. Assign, Define, Store, Process, Transmit, Destroy

40. ENISA: an underlying vulnerability related to Loss of Governance is
A. Lack of supplier redundancy
B. Unclear asset ownership
C. Hypervisor vulnerabilities
D. Lack of reputational isolation
E. Inadequate capacity planning

41. Amazon Web Services EC2 Security Groups are an example of which security principle?
A. Vetting of employees
B. Virtual Machine hardening
C. Patch management
D. Compartmentalization / Isolation
E. De-perimeterisation

42. When utilizing a public IaaS network, which of the following is a typical Vulnerability Assessment problem to overcome?
A. Tools like Nmap and Nessus are not compatible with public cloud configurations
B. Cloud provider may disallow or disrupt scanning activities
C. Customer cannot obtain physical access to scanning targets
D. Typical hypervisor configuration obfuscates O/S fingerprinting
E. Scanning activity must occur with SSL connections

43. The key concern of data location is:
A. Data should not be commingled with other customers
B. Data is stored only in geographic locations permitted by regulations
C. Data is located only on redundant storage subsystems with high MTBF (mean time between failures)
D. Assurance that all data requested by legal authorities has been retrieved
E. Assurance that prohibited locations cannot access the data

44. Which of the following is the best description of information risk management?
A. Assessing the risks to data at rest and data in motion
B. Aligning risk exposure to risk tolerance
C. Assessing and mitigating the gaps in information protection between vendor and user
D. A continuous process for managing the risks to information accuracy according to the risk appetite of the information owner.
E. A continuous process for managing the risks to information through due diligence, compliance and business enablement

45. Which of the following could be an area of plaintext exposure of data even when traditional data-in-transit, data-in-rest and data archive encryption is employed?
A. Backup tapes
B. Network traffic
C. SCP
D. Virtual machine swap files
E. RAID storage

46. The cloud consumer has more tactical responsibility for implementing and managing security controls in which cloud deployment model?
A. Software as a Service
B. Jericho Cloud Cube Model
C. Infrastructure as a Service
D. Security as a Service
E. Platform as a Service

47. Storage as a Service is considered a sub-offering of
A. Hadoop
B. Software as a Service
C. Security as a Service
D. Platform as a Service
E. Infrastructure as a Service

48. What is the most common form of virtualization?
A. Process virtual machine (VM) or application virtualization
B. Virtualized operating system
C. Emulation of the underlying raw hardware (native execution)
D. Presentation virtualization
E. Hypervisored or virtual machine virtualization

49. Cloud providers can minimize risks of insider abuse via which recommended best practice?
A. Compartmentalization of job duties
B. Onsite inspection of cloud provider facilities
C. Regularly tested disaster recovery plans
D. Well documented service level agreements
E. Minimizing use of third party providers

50. In an IaaS environment with limited security solutions preconfigured, how might one restrict administ
