(ISC)² CCSP

Test your cloud knowledge with these CCSP sample questions [updated 2022]

August 11, 2022 by Infosec

With the rise in popularity and practicality of cloud computing in the past few years, organizations of all sizes and types realize that it is important not only to adopt cloud strategies for their business but also to require that their staff is formally certified in this ever-changing discipline.

To help meet the rising demand, (ISC)² official training partners offer the most relevant, up-to-date course content for the Certified Cloud Security Professional (CCSP) certification. The newest version of the test became effective on August 1, 2022.

If you’ve dabbled in cloud technologies but want to find out how much you really know, take our 10-question quiz!

Question No. 1

What is the key benefit for a customer when using the infrastructure as a service (IaaS) solution?

  1. Ability to scale up infrastructure services based on projected usage
  2. Transfer in the cost of ownership
  3. Usage is measured and priced based on consumed units
  4. The efficiency of a cooling system and increased energy

Answer: 3. Usage is measured and priced based on consumed units

Explanation: Infrastructure as a service (IaaS) has many key advantages for its customers, including:

  • The ability to scale infrastructure services up or down, based on actual usage.
  • Usage is priced and measured based on consumed units or instances.
  • Ownership cost is reduced because assets for everyday use are not needed, and there is no loss of asset value over the passage of time.
  • Cooling and energy costs are reduced.

Question No. 2

Which of these is a list of the four cloud deployment models?

  1. Public, private, joint, community
  2. Public, private, hybrid, community
  3. External, private, hybrid, community
  4. Public, internal, hybrid, community

Answer: 2. Public, private, hybrid, community

Explanation: According to the definition of cloud computing by NIST, the four cloud deployment models are:

Public — The cloud infrastructure is open for use by the general public. It can be owned, operated and managed by a government organization, a business, or both and exists on the cloud provider’s premises.

Private — The infrastructure can be used only by a single organization that comprises multiple consumers or business units. It may exist on or off the cloud provider’s premises.

Hybrid — The cloud infrastructure combines two or more cloud infrastructures (private, public or community). These infrastructures remain separate entities but are linked by a standard technology that allows data portability, such as load balancing or cloud bursting between clouds.

Community — The cloud infrastructure can be used only by a distinct community of users or organizations with shared interests. It may be owned, operated and managed by one or more community members and exists on or off the cloud provider’s premises.

Question No. 3

Which of the following are the six components of the STRIDE threat model?

  1. Spoofing, repudiation, tampering, information disclosure, social engineering and denial of service
  2. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
  3. Tampering, spoofing, non-repudiation, denial of service, information disclosure and elevation of privilege
  4. Spoofing, tampering, information disclosure, repudiation, distributed denial of service, elevation of privilege

Answer: 2. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege

Explanation: The STRIDE threat model covers the following six threat categories:

  1. Spoofing — The attacker takes over a subject’s identity.
  2. Tampering — The attacker alters data.
  3. Repudiation — A party illegitimately denies that an event occurred.
  4. Information disclosure — Information is accessed without authorization.
  5. Denial of service — The attacker overloads the system to deny legitimate access.
  6. Elevation of privilege — The attacker gains privileges above the permitted level.

Question No. 4

Who is the relying party in a federated environment, and what do they do?

  1. The customer, who consumes tokens generated by the identity provider.
  2. The service provider, who consumes tokens generated by the customer.
  3. The identity provider, who consumes tokens generated by the service provider.
  4. The service provider, who consumes tokens generated by the identity provider.

Answer: 4. The service provider, who consumes tokens generated by the identity provider.

Explanation: A federated environment has two roles: the relying party (RP) and the identity provider (IdP). The service provider is the relying party; it consumes tokens generated by the identity provider for all known identities.
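The token exchange in the explanation above, as an added example that is not part of the original article: the identity provider signs a claim set naming the intended relying party, and the relying party consumes the token only after verifying the signature, issuer, audience and expiry. The shared HMAC key, issuer URL and audience URL are constructed placeholders; a real federation would use an asymmetric signing key and a SAML or OpenID Connect library.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: a shared HMAC key stands in for the IdP's signing key,
# and the two URLs are placeholders for the IdP and the relying party.
IDP_SIGNING_KEY = b"idp-signing-key-constructed-example"
IDP_ISSUER = "https://idp.example.test"
RP_AUDIENCE = "https://app.example.test"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: sign a claim set that names the relying party it is for."""
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def rp_consume_token(token: str, now: int) -> dict:
    """Relying party side: trust the claims only after every check passes."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Signature first: nothing inside the body is trusted before this check.
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unknown issuer")
    # A valid token for a different service must not be accepted here.
    if claims.get("aud") != RP_AUDIENCE:
        raise ValueError("token not issued for this relying party")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rp_accepts(token: str, now: int) -> bool:
    """Convenience wrapper returning True only when the RP would grant access."""
    try:
        rp_consume_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = idp_issue_token("alice", RP_AUDIENCE, now=1000)
    print(rp_consume_token(token, now=1100))
    print("expired accepted:", rp_accepts(token, now=1400))
```

The audience check is the one most often missing in home-grown relying parties: without it, a token the identity provider issued for one service can be replayed against another.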

Question No. 5

Which of these are data storage types that can be used with platform as a service?

  1. Unstructured and ephemeral
  2. Tabular and object
  3. Structured and unstructured
  4. Raw and block

Answer: 3. Structured and unstructured

Explanation: Structured data is highly organized information that is readily available and easily searchable by simple search algorithms and operations.

Unstructured data does not fit neatly into a database and often consists of text and multimedia. Examples of unstructured data are emails, word processing documents, photos, audio files, presentations, videos, etc.

Question No. 6

What is the Cloud Security Alliance cloud controls matrix?

  1. Regulatory requirements for cloud service providers
  2. A set of SDLC requirements for cloud service providers
  3. An inventory of security controls for cloud service arranged into distinct security domains
  4. An inventory of security controls for cloud service arranged into security domains hierarchy

Answer: 3. An inventory of security controls for cloud service arranged into distinct security domains

Explanation: The Cloud Security Alliance cloud controls matrix is a framework for security controls designed for the cloud community. It can be considered as an inventory of cloud service security controls arranged into the following distinct security domains:

  • Application and interface security
  • Audit assurance and compliance
  • Business continuity management and operational resilience
  • Change control and configuration management
  • Data security and information lifecycle management
  • Datacenter security
  • Encryption and key management
  • Governance and risk management
  • Human resources
  • Identity and access management
  • Infrastructure and virtualization security
  • Interoperability and portability
  • Mobile security
  • Security incident management, e-discovery and cloud
  • Supply chain management, transparency and accountability
  • Threat and vulnerability management

Question No. 7

Where does the encryption engine reside when using transparent encryption of the database?

  1. In the key management system
  2. Within the database
  3. On instance(s) attached to the volume
  4. At the database-using application

Answer: 2. Within the database

Explanation: Database encryption comes in the following forms, each described below.

Transparent encryption: Many database management systems can encrypt the complete database or just some portions. In transparent encryption, the encryption engine resides in the database and is transparent to the application. The keys reside within the instances while their management and processing may be offloaded to an external key management system. This type of encryption is effective in protecting from database- and application-level attacks, media theft and backup system intrusion.

File-level encryption: The database server resides on volume storage. The database folder or volume is encrypted, and the encryption engine and keys reside on instances attached to the volume. It protects against lost backups, external attacks and media theft.

Application-level encryption: The encryption engine resides in the application using the database. It protects against a wide array of threats, including application-level attacks, compromised databases and administrative accounts.

Question No. 8

Which of the following electronic records disposal method can always be used in a cloud environment?

  1. Overwriting
  2. Encryption
  3. Physical destruction
  4. Degaussing

Answer: 2. Encryption

Explanation: Safe disposal of electronic data can be done in the following ways:

Degaussing — The use of strong magnets to scramble data on magnetic tapes and hard drives.

Physical destruction — Physically shredding or incinerating the records to destroy them completely.

Overwriting — Writing unimportant or random data over the actual data to make the real data unreadable. More overwrite passes give greater assurance that the data is destroyed.

Encryption — Rewriting the data in an encrypted format so it cannot be read without the encryption key.

The first three methods cannot be relied on in a cloud environment, where the customer does not control the physical media, so encryption is the only suitable option. Encrypting the data for its disposal is called crypto-shredding or digital shredding. In crypto-shredding, the encryption keys required to read the data are deliberately destroyed and made completely unrecoverable.
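Crypto-shredding as described above, in an added example that is not part of the original article. It models envelope encryption: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) held in a key management service, and shredding destroys the KEK. The ciphertext stays in storage (and in any backups), but nothing can decrypt it. The cipher here is a constructed HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM; the class and key names are assumptions.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-GCM: XOR data with an HMAC-SHA256 counter-mode
    keystream. The point is that the output depends entirely on `key`."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManagementService:
    """Holds key-encryption keys (KEKs); destroying one is the shredding action."""

    def __init__(self):
        self._keks = {"kek-1": os.urandom(32)}  # constructed key id

    def wrap(self, kek_id: str, dek: bytes):
        nonce = os.urandom(12)
        return nonce, _keystream_xor(self._keks[kek_id], nonce, dek)

    def unwrap(self, kek_id: str, nonce: bytes, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"{kek_id} has been destroyed")
        return _keystream_xor(self._keks[kek_id], nonce, wrapped)

    def destroy(self, kek_id: str) -> None:
        # A real KMS would schedule deletion; after it, the material is unrecoverable.
        del self._keks[kek_id]


class ObjectStore:
    """Keeps ciphertext plus the wrapped DEK; it never stores a plaintext DEK."""

    def __init__(self, kms: KeyManagementService):
        self.kms = kms
        self.objects = {}

    def put(self, name: str, plaintext: bytes, kek_id: str = "kek-1") -> None:
        dek = os.urandom(32)                     # fresh DEK per object
        nonce = os.urandom(12)
        ciphertext = _keystream_xor(dek, nonce, plaintext)
        wrap_nonce, wrapped = self.kms.wrap(kek_id, dek)
        self.objects[name] = (kek_id, wrap_nonce, wrapped, nonce, ciphertext)

    def get(self, name: str) -> bytes:
        kek_id, wrap_nonce, wrapped, nonce, ciphertext = self.objects[name]
        dek = self.kms.unwrap(kek_id, wrap_nonce, wrapped)
        return _keystream_xor(dek, nonce, ciphertext)


def crypto_shred(store: ObjectStore, kek_id: str) -> None:
    """Dispose of every object under `kek_id` by destroying the key, not the data."""
    store.kms.destroy(kek_id)


def is_readable(store: ObjectStore, name: str) -> bool:
    try:
        store.get(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    store = ObjectStore(KeyManagementService())
    store.put("customer-export.csv", b"id,name\n1,constructed sample\n")
    print(store.get("customer-export.csv"))
    crypto_shred(store, "kek-1")
    print("readable after shred:", is_readable(store, "customer-export.csv"))
```

Note what the shred leaves behind: `store.objects` still holds the ciphertext, which is exactly the situation in a cloud provider's storage and backups. The disposal is complete only if every copy of the KEK is gone, so key backups and escrow copies must be covered by the destruction step too.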

Question No. 9

What is presented to a cloud service organization or customer in an audit scope statement?

  1. A list of security controls to be audited
  2. Results of the audit, findings and recommendations
  3. Required level of information for the organization or client being audited to understand and agree with the focus, scope and type of assessment that is to be performed
  4. The projected cost of audit and auditor credentials

Answer: 3. Required level of information for the organization or client being audited to understand and agree with the focus, scope and type of assessment that is to be performed

Explanation: An audit scope statement typically includes all the required information, such as:

  • General objectives and focus statement
  • Scope of the audit (along with the exclusions)
  • Acceptance criteria
  • Audit type (attestation, certification, etc.)
  • Classification (secret, confidential, public, etc.)
  • Security assessment requirements
  • Assessment criteria

Question No. 10

Which key issue related to the object storage type should the cloud service provider be aware of?

  1. Access control
  2. Data consistency can be achieved only after change propagation occurs to all replica instances.
  3. Continuous monitoring
  4. Data consistency can be achieved only after change propagation occurs to a specific percentage of replica instances.

Answer: 2. Data consistency can be achieved only after change propagation occurs to all replica instances.

Explanation: An object storage system typically comes with minimal features. It gives the ability to store, copy, retrieve and delete files, along with control over which users can perform these actions. If you want to search objects or keep a central metadata repository for other applications to draw on, you have to build that yourself. Many storage systems, such as Amazon S3, provide REST APIs that let programmers work with objects and containers. What cloud service providers need to know about object storage systems, however, is that they are only eventually consistent. Whenever a file is updated, you must wait for the change to propagate to all replicas before requests can return the latest version. This is why object storage is unsuitable for data that changes constantly, but it can be a good solution for static data such as audio and video files, archives, backups and machine images.
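The eventual-consistency behaviour in the explanation above, as an added example that is not code from the original article or from any real object store. It models a small replica set in which a write lands on one replica immediately and reaches the others only when the (here, manually triggered) replication step runs, so a read from a lagging replica returns the previous version. The cluster class and its method names are assumptions; the key and values are constructed.

```python
from collections import deque


class ObjectStoreCluster:
    """Constructed model of an eventually consistent object store with N replicas.
    Writes apply to replica 0 at once; other replicas receive them via propagate()."""

    def __init__(self, replicas: int = 3):
        self.replicas = [dict() for _ in range(replicas)]  # key -> (version, value)
        self.pending = deque()                              # (replica_index, key, version, value)
        self.versions = {}                                  # latest committed version per key

    def put(self, key: str, value) -> int:
        version = self.versions.get(key, 0) + 1
        self.versions[key] = version
        self.replicas[0][key] = (version, value)
        for i in range(1, len(self.replicas)):
            self.pending.append((i, key, version, value))
        return version

    def propagate(self, steps=None) -> None:
        """Deliver up to `steps` queued updates (all of them when steps is None)."""
        count = len(self.pending) if steps is None else min(steps, len(self.pending))
        for _ in range(count):
            i, key, version, value = self.pending.popleft()
            current_version = self.replicas[i].get(key, (0, None))[0]
            if version > current_version:      # never roll a replica back to an older version
                self.replicas[i][key] = (version, value)

    def read(self, key: str, replica: int):
        """Plain read from one replica: may return a stale version."""
        return self.replicas[replica].get(key, (0, None))

    def is_consistent(self, key: str) -> bool:
        target = self.versions.get(key, 0)
        return all(r.get(key, (0, None))[0] == target for r in self.replicas)

    def read_when_consistent(self, key: str):
        """Client-side guard: return the value only once every replica has converged."""
        if not self.is_consistent(key):
            return None
        return self.read(key, 0)[1]


if __name__ == "__main__":
    cluster = ObjectStoreCluster()
    cluster.put("config.json", '{"mode": "v1"}')
    cluster.propagate()
    cluster.put("config.json", '{"mode": "v2"}')
    cluster.propagate(steps=1)               # only replica 1 has caught up
    print("replica 2 sees:", cluster.read("config.json", 2))
    print("consistent:", cluster.is_consistent("config.json"))
    cluster.propagate()
    print("replica 2 sees:", cluster.read("config.json", 2))
```

The `version > current_version` check in `propagate()` is what keeps out-of-order delivery from resurrecting an older object, and the `read_when_consistent()` guard is the kind of check a client needs if it must never act on a stale copy, which is why constantly changing data is a poor fit for this storage type.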

Sources:

CCSP Exam Outline August 2022, (ISC)²


Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.