Cover: (ISC)2® CCSP® Certified Cloud Security Professional: Official Study Guide by Ben Malisow

(ISC)2 CCSP®
Certified Cloud Security Professional

Official Study Guide


Ben Malisow




Logo of Sybex: A Wiley Brand

Acknowledgments

The author would like to thank (ISC)2 for making this work possible, and the sublime publishing and editing team at Sybex, including Jim Minatel, Kelly Talbot, Katie Wisor, and Christine O'Connor. This book is dedicated to all the candidates seeking CCSP certification; I hope it helps.

About the Author

Ben Malisow, CISSP, CISM, CCSP, SSCP, and Security+, is an instructor for (ISC)2, teaching prep classes for the CISSP, CCSP, and SSCP certifications. He has been in the information technology and information security field for almost 25 years. He wrote the internal IT security policy for DARPA, served as the information system security manager for the FBI's most-classified counterterror intelligence-sharing network, and helped develop the IT security architecture for the Department of Homeland Security's Transportation Security Administration. Ben has taught courses at many schools and universities, including Carnegie Mellon's CERT/SEI, UTSA, the College of Southern Nevada, and grades 6–12 in the public school system in Las Vegas. He is widely published in the field, having written for SecurityFocus.com, ComputerWorld, and various other publications as well as several books. You can find his blog at Securityzed.com.

About the Technical Editor

Aaron Kraus began his career as a security auditor for US federal government clients. From there he moved into security risk management for healthcare and financial services, which offered more opportunities to travel, explore, and eat amazing food around the world. He currently works for a cyber risk insurance startup in San Francisco and spends his free time dabbling in cooking, cocktail mixology, and photography.

Introduction

The Certified Cloud Security Professional (CCSP) certification satisfies the growing demand for trained and qualified cloud security professionals. It is not easy to earn this credential; the exam is extremely difficult, and the endorsement process is lengthy and detailed.

The CCSP (ISC)2 Official Study Guide offers the cloud professional a solid foundation for taking and passing the Certified Cloud Security Professional (CCSP) exam. However, if you plan on taking the exam to earn the certification, this cannot be stressed enough: you cannot expect to pass the exam using this book as your sole source. Please refer to the list of additional recommended reading at the end of this introduction.

(ISC)2

The CCSP exam is governed by (ISC)2. (ISC)2 is a global not-for-profit organization with four primary mission goals:

A board of directors elected from the ranks of its certified practitioners operates the (ISC)2.

(ISC)2 supports and provides a wide variety of certifications, including the CISSP, SSCP, CAP, CSSLP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about the organization and its other certifications by visiting www.isc2.org.

Topical Domains

The CCSP certification covers material from the six topical domains. They are as follows:

These domains cover all of the pertinent areas of security related to the cloud. All the material in the certification is vendor- and product-agnostic. Each domain also contains a list of topics and subtopics the CCSP-certified professional is expected to know.

The detailed list of domains/topics of knowledge, experience requirements, exam procedures, and exam domain weights can be found in the CCSP Certification Exam Outline: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CCSP-Exam-Outline.ashx.

Prequalifications

(ISC)2 has defined the qualifications and requirements you must meet to become a CCSP:

Candidates who do not meet these requirements may still sit for the exam and become an Associate of (ISC)2. Associates have six years (from passing the exam) to fulfill any remaining experience requirements.

Certified members of (ISC)2 must also adhere to the (ISC)2 formal code of ethics, which can be found on the (ISC)2 website at www.isc2.org/ethics.

Overview of the CCSP Exam

The CCSP exam typically consists of 125 multiple-choice questions covering the six domains of the CCSP CBK, and you must achieve a score of 70 percent or better to pass.

You will have three hours to complete the exam. Twenty-five of the questions will be unscored questions used solely for research purposes. Be sure to answer every question as best you can because you will not know which questions are scored and which are not and you will receive 0 points for unanswered questions. Points are not subtracted for incorrect answers; never leave any question unanswered, even if your answer is a guess.

CCSP Exam Question Types

Most of the questions on the CCSP exam are in the multiple-choice format, with four options and a single correct answer. Some are straightforward, such as asking you to identify a definition. Other questions will ask you to identify an appropriate concept or best practice. Here is one example:

  1. Putting sensitive operational information in a database away from the production environment in order to provide higher protection and isolation is called ___________________.
    A. Randomization
    B. Elasticity
    C. Obfuscation
    D. Tokenization

You must select the one correct or best answer. Sometimes the answer will seem obvious to you, and other times it will be harder to discriminate between two good answers and pick the best. Watch out for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you will want to select the least incorrect answer. There are also questions that are based on theoretical scenarios, where you must answer several questions given a specific situation.

Note: The correct answer to the question above is option D, tokenization. In a tokenized arrangement, sensitive information is placed in a database away from the production environment, and tokens (representing the stored sensitive information) are stored in a database within the production environment. In order to select the correct answer, the reader has to understand how tokenization works and how that method can be used to isolate sensitive data from the production environment; the question does not mention tokens or tokenization, so it requires complex thought. An easier answer would be “data segregation,” but that's not an option. This is not an easy question.
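The arrangement the note describes, as an added example in Python that is not from the book: a token vault (standing in for the isolated store) holds the real values, while the production store keeps only random tokens, so a copy of the production data alone does not expose the sensitive field. The class and function names, the in-memory dictionaries, and the sample card number are this example's own constructions.

```python
import secrets


class TokenVault:
    """Stand-in for the isolated store that holds the real sensitive values.

    In the arrangement described above this store lives outside the
    production environment; here it is an in-memory dict so the example
    runs offline. Names and structure are this example's own.
    """

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token for a value already in the vault so that
        # production records for the same card still match each other.
        if value in self._token_by_value:
            return self._token_by_value[value]
        # Tokens are random, so nothing about the value can be derived from them.
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with access to the vault can turn a token back into data.
        return self._value_by_token[token]


def store_order(production_db: dict, vault: TokenVault, order_id: str,
                card_number: str, amount: float) -> str:
    """Write an order to the production store, keeping only the token there."""
    token = vault.tokenize(card_number)
    production_db[order_id] = {
        "card_token": token,
        "card_last4": card_number[-4:],  # display-only hint, not the full number
        "amount": amount,
    }
    return token


def production_contains(production_db: dict, value: str) -> bool:
    """True if the literal sensitive value appears anywhere in production data."""
    return any(value in str(field)
               for row in production_db.values()
               for field in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    production = {}
    # Constructed sample card number (a well-known test PAN, not a real account).
    pan = "4111111111111111"
    token = store_order(production, vault, "order-1", pan, 19.99)
    print(production["order-1"])
    print("full PAN in production?", production_contains(production, pan))
    print("vault resolves token to", vault.detokenize(token))
```

The security property to notice is that `production_contains` stays false for every record: an attacker who copies the production database gets tokens and nothing else, and detokenization requires separate access to the vault, which is why the vault must be kept out of the production environment and access to `detokenize` tightly controlled.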

In addition to the standard multiple-choice question format, (ISC)2 has added a new question format that uses a drag-and-drop approach. For instance, you may see a list of items on one side of the screen that you need to drag and drop onto their appropriate counterparts on the other side of the screen. Other interactive questions may include matching terms with definitions and clicking on specific areas of a chart or graphic. These interactive questions are weighted with a higher point value than the multiple-choice type, so you should pay extra attention when answering them.

Study and Exam Preparation Tips

I recommend planning for at least 30 days of intensive studying for the CCSP exam. I have compiled a list of tips that should help:

Advice on Taking the Exam

Here are some test-taking tips and general guidelines:

Manage your time. You have three hours to answer 125 questions. That equates to just a bit less than two minutes per question, which in most cases is more than enough time.

Make sure you get plenty of sleep the night before. Be sure to bring any food or drink you think you might need, although they will be stored while you are taking the exam. Also, remember to bring any medications you need to take and alert the staff of any condition that might interfere with your test taking, such as diabetes or heart disease. No test or certification is worth your health.

You may not wear a watch into the test lab. There are timers on the computers and in the testing labs. You must also empty your pockets, with the exception of your locker key and ID.

You must bring at least one picture ID with a signature, such as a driver's license, with you to the testing center, and you should have at least one more form of ID with a signature. Arrive at least 30 minutes early to the testing site to make sure you have everything you need. Bring the registration form that you received from the testing center along with your IDs.

Completing the Certification Process

Once you have successfully completed the CCSP exam, there are a few more things to do before you have earned your new credential. First, transmission of your (ISC)2 score happens automatically. You will receive instructions on the printed results from your test as you leave the testing center. They will include instructions on how to download your certification form, which will ask you for things such as whether you already have another (ISC)2 credential (such as the CISSP) and similar questions. Once completed, you will need to sign and submit the form to (ISC)2 for approval. Usually, you will receive notice of your official certification within three months. Once you are fully certified, you can use the CCSP designation in your signatures and other places of importance, per (ISC)2 usage guidelines.

Notes on This Book's Organization

This book covers all of the six CCSP Common Body of Knowledge (CBK) domains in sufficient depth to provide you with a basic understanding of the necessary material. The main body of the book is composed of 11 chapters that are arranged as follows:

Obviously, the book does not follow the order of the domains or the official exam outline. Instead, the chapters of the book are arranged in a way to explain the material in a narrative format that conveys the concepts in a linear manner.

Each chapter includes elements designed to assist you in your studies and to test your knowledge of the material presented in the chapter. It is recommended that you read Chapter 1 first to best orient yourself in the subject matter before moving on to the other chapters.

Note: Please see the table of contents and chapter introductions for more detailed domain topics covered in each chapter.

Elements of This Study Guide

This study guide contains several core elements that will help you prepare for the CCSP exam and the real world beyond it:

What Is Included with the Additional Study Tools

Beyond all of the information provided in the text, this book comes with a helpful array of additional online study tools. All of the online study tools are available by registering your book at www.wiley.com/go/sybextestprep. You'll need to choose this book from the list of books there and complete the required registration information, including answering the security verification to prove book ownership. After that, you will be emailed a PIN code. Once you get the code, follow the directions in the email or return to www.wiley.com/go/sybextestprep to set up your account using the code and get access.

The Sybex Test Preparation Software

The test preparation software, made by the experts at Sybex, can help prepare you for the CCSP exam. In this test engine, you will find all the review and assessment questions from the book and additional bonus practice exam questions that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exam, or take a randomly generated exam consisting of all the questions.

Glossary of Terms in PDF

Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes essential terms you should understand for the CCSP certification exam, in a searchable format.

Bonus Practice Exams

Sybex includes two practice exams; these contain questions meant to survey your understanding of the essential elements of the CCSP CBK. Both tests are 125 questions long, the length of the actual certification exam. The exams are available online at www.wiley.com/go/sybextestprep.

Assessment Test

  1. What type of solutions enable enterprises or individuals to store data and computer files on the Internet using a storage service provider rather than keeping the data locally on a physical disk such as a hard drive or tape backup?
    A. Online backups
    B. Cloud backup solutions
    C. Removable hard drives
    D. Masking
  2. When using an infrastructure as a service (IaaS) solution, which of the following is not an essential benefit for the customer?
    A. Removing the need to maintain a license library
    B. Metered service
    C. Energy and cooling efficiencies
    D. Transfer of ownership cost
  3. ___________________ focuses on security and encryption to prevent unauthorized copying and limitations on distribution to only those who pay.
    A. Information rights management (IRM)
    B. Masking
    C. Bit splitting
    D. Degaussing
  4. Which of the following represents the correct set of four cloud deployment models?
    A. Public, private, joint, and community
    B. Public, private, hybrid, and community
    C. Public, Internet, hybrid, and community
    D. External, private, hybrid, and community
  5. What is a special mathematical code that allows encryption hardware/software to encrypt and then decipher a message?
    A. PKI
    B. Key
    C. Public-private
    D. Masking
  6. Which of the following lists the correct six components of the STRIDE threat model?
    A. Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege
    B. Spoofing, tampering, refutation, information disclosure, denial of service, and social engineering elasticity
    C. Spoofing, tampering, repudiation, information disclosure, distributed denial of service, and elevation of privilege
    D. Spoofing, tampering, nonrepudiation, information disclosure, denial of service, and elevation of privilege
  7. What is the term that describes the assurance that a specific author actually created and sent a specific item to a specific recipient, and that the message was successfully received?
    A. PKI
    B. DLP
    C. Nonrepudiation
    D. Bit splitting
  8. What is the correct term for the process of deliberately destroying the encryption keys used to encrypt data?
    A. Poor key management
    B. PKI
    C. Obfuscation
    D. Crypto-shredding
  9. In a federated environment, who is the relying party, and what do they do?
    A. The relying party is the service provider, and they consume the tokens generated by the identity provider.
    B. The relying party is the service provider, and they consume the tokens generated by the customer.
    C. The relying party is the customer, and they consume the tokens generated by the identity provider.
    D. The relying party is the identity provider, and they consume the tokens generated by the service provider.
  10. What is the process of replacing sensitive data with unique identification symbols/addresses?
    A. Randomization
    B. Elasticity
    C. Obfuscation
    D. Tokenization
  11. Which of the following data storage types are associated or used with platform as a service (PaaS)?
    A. Databases and big data
    B. SaaS application
    C. Tabular
    D. Raw and block
  12. What is the term used for software technology that abstracts application software from the underlying operating system on which it is executed?
    A. Partition
    B. Application virtualization
    C. Distributed
    D. SaaS
  13. Which of the following represents the US legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices?
    A. PCI
    B. Gramm-Leach-Bliley Act (GLBA)
    C. Sarbanes–Oxley Act (SOX)
    D. HIPAA
  14. Which of the following is a device that can safely store and manage encryption keys and is used in servers, data transmission, and log files?
    A. Private key
    B. Hardware security module (HSM)
    C. Public key
    D. Trusted operating system module (TOS)
  15. What is a type of cloud infrastructure that is provisioned for open use by the general public and is owned, managed, and operated by a cloud provider?
    A. Private cloud
    B. Public cloud
    C. Hybrid cloud
    D. Personal cloud
  16. When transparent encryption of a database is used, where does the encryption engine reside?
    A. Within the database application itself
    B. At the application using the database
    C. On the instances attached to the volume
    D. In a key management system
  17. What is a type of assessment that employs a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels?
    A. Quantitative assessment
    B. Qualitative assessment
    C. Hybrid assessment
    D. SOC 2
  18. Which of the following best describes the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)?
    A. A set of regulatory requirements for cloud service providers
    B. A set of software development lifecycle requirements for cloud service providers
    C. A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks
    D. An inventory of cloud service security controls that are arranged into separate security domains
  19. When a conflict between parties occurs, which of the following is the primary means of determining the jurisdiction in which the dispute will be heard?
    A. Tort law
    B. Contract
    C. Common law
    D. Criminal law
  20. Which one of the following is the most important security consideration when selecting a new computer facility?
    A. Local law enforcement response times
    B. Location adjacent to competitor's facilities
    C. Aircraft flight paths
    D. Utility infrastructure
  21. Which of the following is always safe to use in the disposal of electronic records within a cloud environment?
    A. Physical destruction
    B. Overwriting
    C. Encryption
    D. Degaussing
  22. Which of the following does not represent an attack on a network?
    A. Syn flood
    B. Denial of service
    C. Nmap scan
    D. Brute force
  23. Which of the following takes advantage of the information developed in the business impact analysis (BIA)?
    A. Calculating ROI
    B. Risk analysis
    C. Calculating TCO
    D. Securing asset acquisitions
  24. Which of the following terms best describes a managed service model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources?
    A. Infrastructure as a service (IaaS)
    B. Public cloud
    C. Software as a service (SaaS)
    D. Private cloud
  25. Which of the following is a federal law enacted in the United States to control the way financial institutions deal with private information of individuals?
    A. PCI
    B. ISO/IEC
    C. Gramm-Leach-Bliley Act (GLBA)
    D. Consumer Protection Act
  26. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions that exist ___________________.
    A. Between the WAP gateway and the wireless endpoint device
    B. Between the web server and the WAP gateway
    C. From the web server to the wireless endpoint device
    D. Between the wireless device and the base station
  27. What is an audit standard for service organizations?
    A. SOC 1
    B. SSAE 18
    C. GAAP
    D. SOC 2
  28. What is a company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells to its own customers?
    A. Cloud programmer
    B. Cloud broker
    C. Cloud proxy
    D. VAR
  29. Which of the following is comparable to grid computing in that it relies on sharing computing resources rather than having local servers or personal devices to handle applications?
    A. Server hosting
    B. Legacy computing
    C. Cloud computing
    D. Intranet
  30. What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities?
    A. Dynamic application security testing (DAST)
    B. Static application security testing (SAST)
    C. Secure coding
    D. OWASP

Answers to Assessment Test

1. B. Cloud backup solutions enable enterprises to store their data and computer files on the Internet using a storage service rather than storing data locally on a hard disk or tape backup. This has the added benefit of providing access to data should the primary business location be damaged in some way that prevents accessing or restoring data locally due to damaged infrastructure or equipment. Online backups and removable hard drives are other options but do not by default supply the customer with ubiquitous access. Masking is a technology used to partially conceal sensitive data.

2. A. In an IaaS model, the customer must still maintain licenses for operating systems (OSs) and applications used in the cloud environment. In PaaS models, the licensing for OSs is managed by the cloud provider, but the customer is still responsible for application licenses; in SaaS models, the customer does not need to manage a license library.

3. A. Information rights management (IRM) (often also referred to as digital rights management, or DRM) is designed to focus on security and encryption as a means of preventing unauthorized copying and limiting distribution of content to only authorized personnel (usually, the purchasers). Masking entails hiding specific fields or data in particular user views in order to limit data exposure in the production environment. Bit splitting is a method of hiding information across multiple geographical boundaries, and degaussing is a method of deleting data permanently from magnetic media.

4. B. The only correct answer for this is public, private, hybrid, and community. Joint, Internet, and external are not cloud models.

5. B. An encryption key is just that: a key used to encrypt and decrypt information. It is mathematical code that supports either hardware- or software-based encryption, is used to encrypt or decrypt information, and is kept confidential by the parties involved in the communication. PKI is an arrangement for creating and distributing digital certificates. Public-private is the description of the key pairs used in asymmetric encryption (this answer is too specific for the question; option B is preferable). Masking entails hiding specific fields or data in particular user views in order to limit data exposure in the production environment.

6. A. The letters in the acronym STRIDE represent spoofing of identity, tampering with data, repudiation, information disclosure, denial of service, and elevation (or escalation) of privilege. The other options are simply mixed up or incorrect versions of the same.

7. C. Nonrepudiation means that a party to a transaction cannot deny they took part in that transaction.

8. D. The act of crypto-shredding means destroying the key that was used to encrypt the data, thereby making the data very difficult to recover.

9. A. The identity provider maintains the identities and generates tokens for known users. The relying party (RP) is the service provider, which consumes tokens. All other answers are incorrect.

10. D. Replacing sensitive data with unique identification symbols is known as tokenization, a way of hiding or concealing sensitive data by representing it with unique identification symbols/addresses. While randomization and obfuscation are also means of concealing information, they are done quite differently.

11. A. PaaS uses databases and big data storage types.

12. B. Application virtualization abstracts application software from the underlying operating system on which it is executed. SaaS is a cloud service model. A partition is an area of memory, usually on a drive. Distributed is a modifier usually suggesting multiple machines used for a common purpose.

13. C. The Sarbanes–Oxley Act (SOX) was enacted in response to corporate scandals in the late 1990s/early 2000s. SOX not only forces executives to oversee all accounting practices, it also holds them accountable for fraudulent/deceptive activity. HIPAA is a US law for medical information. PCI is an industry standard for credit/debit cards. GLBA is a US law for the banking and insurance industries.

14. B. A hardware security module (HSM) is a device that can safely store and manage encryption keys. These can be used in servers, workstations, and so on. One common type is called the Trusted Platform Module (TPM) and can be found on enterprise workstations and laptops. There is no such term as a trusted operating system module, and public and private keys are used with asymmetric encryption.

15. B. This is the very definition of public cloud computing.

16. A. In transparent encryption, the encryption key for a database is stored in the boot record of the database itself.

17. B. A qualitative assessment is a set of methods or rules for assessing risk based on non-mathematical categories or levels. One that uses mathematical categories or levels is called a quantitative assessment. There is no such thing as a hybrid assessment, and an SOC 2 is an audit report regarding control effectiveness.

18. C. The CCM cross-references many industry standards, laws, and guidelines.

19. B. Contracts between parties can establish the jurisdiction for resolving disputes; this takes primacy in determining jurisdiction (if not specified in the contract, other means will be used). Tort law refers to civil liability suits. Common law refers to laws regarding marriage, and criminal law refers to violations of state or federal criminal code.

20. D. Of the answers given, option D is the most important. It is vital that any data center facility be close to resilient utilities, such as power, water, and connectivity.

21. C. Encryption can always be used in a cloud environment, but physical destruction, overwriting, and degaussing may not be available due to access and physical separation factors.

22. C. All of the rest of these options represent specific network attacks. Nmap is a relatively harmless scanning utility designed for network mapping. Although it can be used to gather information about a network as part of the process of developing an attack, it is not by itself an attack tool.

23. B. Among other things, the BIA gathers asset valuation information that is crucial to risk management analysis and further selection of security controls.

24. C. This is the definition of the software as a service (SaaS) model. Public and private are cloud deployment models, and infrastructure as a service (IaaS) does not provide applications of any type.

25. C. The Gramm-Leach-Bliley Act targets US financial and insurance institutions and requires them to protect account holders' private information. PCI refers to credit card processing requirements, ISO/IEC is a standards organization, and the Consumer Protection Act, while providing oversight for the protection of consumer private information, is limited in scope.

26. C. The purpose of SSL is to encrypt the communication channel between two endpoints. In this example, it is the end user and the server.

27. B. Both SOC 1 and SOC 2 are report formats based on the SSAE 18 standard. While SOC 1 reports on controls for financial reporting, SOC 2 (Types 1 and 2) reports on controls associated with security or privacy.

28. B. The cloud computing broker purchases hosting services and then resells them.

29. C. Cloud computing is built on the model of grid computing, whereby resources can be pooled and shared rather than having local devices do all the compute and storage functions.

30. B. Static application security testing (SAST) is used to review source code and binaries to detect problems before the code is loaded into memory and run.
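As an added illustration of answer 8 (crypto-shredding), not part of the book: the data is encrypted under a key held by a key manager, the ciphertext is left in place, and destroying the key alone is what makes the data unrecoverable. The `KeyManager` class, the `recover` helper, and the HMAC-SHA256 counter-mode demonstration cipher are this example's own constructions, chosen so it runs with only the Python standard library; the cipher is unauthenticated and stands in for a vetted construction such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from the key with HMAC-SHA256 in counter mode.

    Demonstration cipher built only from the standard library so the example
    runs anywhere; it is not authenticated and is not a substitute for
    AES-GCM or another vetted construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; a fresh nonce per message."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class KeyManager:
    """Minimal stand-in for a key management service (example's own design)."""

    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = "key-" + os.urandom(4).hex()
        self._keys[key_id] = os.urandom(32)
        return key_id

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]  # raises KeyError once the key is shredded

    def shred(self, key_id: str) -> None:
        # Crypto-shredding: the key is destroyed; the ciphertext is left untouched.
        self._keys.pop(key_id)


def recover(km: KeyManager, key_id: str, blob: bytes):
    """Return the plaintext, or None when the key no longer exists."""
    try:
        key = km.get_key(key_id)
    except KeyError:
        return None
    return decrypt(key, blob)


if __name__ == "__main__":
    km = KeyManager()
    kid = km.create_key()
    # Constructed sample record; in practice this would be data stored at a provider.
    stored = encrypt(km.get_key(kid), b"customer record")
    print("before shredding:", recover(km, kid, stored))
    km.shred(kid)
    print("after shredding: ", recover(km, kid, stored))
```

The point for a cloud customer is that the ciphertext may remain on storage the customer cannot physically wipe (compare answer 21), yet it is useless without the key; the control therefore hinges on the key manager really destroying every copy of the key, including backups and escrowed copies, which this in-memory stand-in cannot show.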

Suggested Reading

In order to properly prepare for the exam, you should definitely review resources in addition to this book. As a bare minimum, the author suggests the following:

Cloud Security Alliance, Security Guidance v4.0:

OWASP, Top Ten:

Note: The 2017 version of the OWASP top ten threats is the most recent as of publication of this book, but the versions do not vary widely, and understanding the concepts in any version will do for study purposes.

NIST SP 800-53:

Note: NIST SP 800-53, Revision 4 is the most current version as of the publication of this book, but a new version is expected soon.

NIST SP 800-37:

The Uptime Institute, Tier Standard: Topology:

Cloud Security Alliance, Cloud Controls Matrix:

Cloud Security Alliance Consensus Assessments Initiative Questionnaire:

Cloud Security Alliance STAR Level and Scheme Requirements:

CCSP Official (ISC)2 Practice Tests: