CCSP Free Practice Test

- (Exam Topic 3)
Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing?

1. A. Cross-site scripting
2. B. Missing function-level access control
3. C. Injection
4. D. Cross-site forgery

Correct Answer: C
An injection attack is where a malicious actor will send commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it could potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

- (Exam Topic 4)
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the required amount of time to restore services to the predetermined level?

1. A. RPO
2. B. RSL
3. C. RTO
4. D. SRE

Correct Answer: C
The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. SRE is provided as an erroneous response.

- (Exam Topic 2)
Which of the cloud cross-cutting aspects relates to the ability to reuse or move components of an application or service?

1. A. Availability
2. B. Interoperability
3. C. Reversibility
4. D. Portability

Correct Answer: B
Interoperability is the ease with which one can move or reuse components of an application or service. This is maximized when services are designed without specific dependencies on underlying platforms, operating systems, locations, or cloud providers.

- (Exam Topic 1)
Which of the following is NOT a criterion for data within the scope of eDiscovery?

1. A. Possession
2. B. Custody
3. C. Control
4. D. Archive

Correct Answer: D
eDiscovery pertains to information and data that is in the possession, control, and custody of an organization.

- (Exam Topic 1)
From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider?

1. A. Notification
2. B. Key identification
3. C. Data collection
4. D. Virtual image snapshots

Correct Answer: A
The contract should include requirements for notification by the cloud provider to the cloud customer upon the receipt of such an order. This serves a few important purposes. First, it keeps communication and trust open between the cloud provider and cloud customers. Second, and more importantly, it allows the cloud customer to potentially challenge the order if they feel they have the grounds or desire to do so.