Tips to ace the CCSK certification

raji krishnamoorthy
14 min read · Jan 17, 2021

In the realm of cloud security, cloud providers offer their own security specialty certifications, but if you want a vendor-neutral understanding of cloud security as a whole then the top two exams to look at are CCSP from (ISC)2 and CCSK from CSA. I was initially debating with myself whether I should opt for CCSK or CCSP, but CCSK seemed more practical to me in terms of scope and exam cost. It is also definitely a good start towards CCSP.

Prerequisites

1. There are no prerequisites for the certification per se, but in my opinion one should have worked in cloud engagements for at least a year.

2. Awareness of cyber security themes such as:

Data Loss Prevention
Governance, Risk and Compliance
Identity and Access Management
DevSecOps
Secure Software Development

Learning Resources

All this exam needs is a thorough study of the CSA Security Guidance pdf (CCSK V4.pdf). Read this pdf at least 3 times before the exam; 85% of the questions are drawn from this document.

CSA’s Cloud Controls Matrix (CCM) — you could expect 3–4 questions

ENISA pdf — around 3–4 questions

You can download all the above artifacts from the CCSK home page (preparation kit).

About the exam

1. Exam Duration: 90 minutes

2. Cost: 395 USD. You need to create a CCSK account on CSA’s website https://ccsk.cloudsecurityalliance.org/en/signup

Then buy an exam token for CCSK; each token gives you 2 attempts.

3. Questions: 60 (80% is the pass score)

4. It’s an open book exam. This lets you refer to the CCM spreadsheet, but answering 60 questions in 90 minutes requires you to know the subject well, so don’t depend on your study material to clear the exam.

5. Questions are not easy and straightforward

Books and Online platforms

1. I had purchased the book CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide. Each chapter has sample questions. Studying this book twice helped me gain confidence in the subject. It also covers additional information around the topics you would see in CSA’s Security Guidance pdf, so it helps you understand the concepts holistically. In addition, purchasing this book gets you 10% off the exam cost.

2. The Udemy course gives you an understanding of the exam, but I would consider it optional. This article gives you details on the exam pattern.

3. I had purchased a 1 month subscription from Cybrary and found this course extremely useful: https://www.cybrary.it/course/ccsk/. The trainer covers CCSK from the exam point of view, and the slides presented during the course served as quick reference notes for me.

Practice Tests

https://www.whizlabs.com/certificate-of-cloud-security-knowledge/

https://www.testpreptraining.com/certificate-of-cloud-security-knowledge-v4-practice-exam

At the end take this exam simulator test https://www.ccskcloudsecurity.com/ccsk-member-exam/ccsk-exam-simulator-3/

Flash cards — https://www.cram.com/flashcards/ccsk-3657367

The above is more than sufficient to get you prepared and feeling confident. Once you have read the CCSK Exam Guide book once, about a month of preparation should be good enough. The certification exam is online and non-proctored. Once you submit the exam you receive the results immediately.

All the best for your exam and please do add your experience in the comments.

Below is a list of sample questions taken from the above links and other publicly available resources; I found them useful in understanding the nature of the exam questions. They are worth purchasing: in total I would have attempted a minimum of 800 questions.

1. Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?

· Resource Pooling

· On-demand self-service

· Broad network access

· Rapid elasticity

· Measured service

Ans: Rapid elasticity

2. Which of the following are the most important aspects of incident response for cloud-based resources?

· A. Expectations around what the customer does versus what the provider does

· B. Service Level Agreement

· C. Non-Disclosure Agreement

· D. B & C

· E. A & B

Ans: A & B

3. Exiting from an activity that gives rise to more risk is called?

· Ignoring the risk

· Avoiding the risk

· Transferring the risk

· Reducing the risk

· Accepting the risk

Ans: Avoiding the risk

4. Customers should view cloud services and security as:

· Service provider security issue

· Third-party security issue

· Technology security issue

· Supply chain security issue

· Enterprise security strategy

Ans: Supply chain security issue

5. Which of the following includes all the documentation on a provider’s internal and external compliance assessments?

· Contract

· Supplier (cloud provider) assessment

· Compliance reporting

· Audit report

· Cloud Security Alliance STAR Registry

Ans: Compliance reporting

6. Which of the following statements related to direct “lift and shift” of existing applications to a cloud environment is true?

· Direct “lift and shift” of existing applications to cloud without architectural changes is more likely to account for failures and will take advantage of potential improvements from leveraging the platform.

· Direct “lift and shift” of existing applications to cloud without architectural changes is less likely to account for failures and will not take advantage of potential improvements from leveraging the platform.

· Direct “lift and shift” of existing applications to cloud with or without architectural changes will take the same advantage of potential improvements from leveraging the platform.

· Direct “lift and shift” of existing applications to cloud without architectural changes is not possible.

Ans: Direct “lift and shift” of existing applications to cloud without architectural changes is less likely to account for failures and will not take advantage of potential improvements from leveraging the platform

7. Which of the following gives customers the ability to audit the cloud provider?

· State Laws

· Right to audit clause

· Right to transparency clause

· Customer cannot gain the rights to audit

· ISO 27001

Ans: Right to audit clause

8. Point-in-time activities like compliance, audit, and assurance should be conducted by cloud providers to avoid creating any gaps, and thus exposures, for their customers.

· True

· False

Ans: False

9. Which of the following is one of the challenges of application security in a cloud environment?

· Responsiveness

· Isolated environments

· Elasticity

· DevOps

· Limited detailed visibility

Ans: Limited detailed visibility

10. Virtualization security in cloud computing is the responsibility of the cloud provider.

· True

· False

Ans: True

11. Which of the following clauses in the agreement between customer and cloud provider can provide customers in highly regulated industries with the required information?

· Right to information clause

· Right to audit clause

· Right to transparency clause

· Right to access clause

· Customer cannot gain access to the required information

Ans: Right to transparency clause

12. For which of the following SecaaS concerns should providers be held to the highest standards of multi-tenant isolation and segregation?

· Requirement to handle regulated data

· Global regulatory differences

· Fear of data leakage

· Lack of sufficient visibility

Ans: Fear of data leakage

13. Resource pooling practiced by the cloud services may especially complicate which part of the IR process?

· Detection

· Prevention

· Monitoring

· Recovery

· Forensics

Ans: Forensics

14. In addition to providing better server utilization and data center consolidation, virtualization also reduces security threats significantly.

· True

· False

Ans: False

15. Which characteristic ensures that consumers only use what they are allotted and are charged for it?

Ans: Measured service

16. Resource pooling practiced by the cloud services may especially complicate which part of the IR?

Ans: Forensics

17. Which SOC report should be sought from a vendor when assessing its security controls?

Ans: SOC2 Type 1

18. What risk must be mitigated by a customer?

Ans: Risk accepted by the provider

19. Which best describes an identity federation?

Ans: Interconnection of disparate directory services

20. The STAR registry has which of the following types of entries?

a. Provider self-assessments

b. Provider certification information

c. Provider attestation information

d. All of the above

Ans: D

21. What would be the benefit of a cloud platform security assessment tool connecting via API?

Ability to assess configuration of assets deployed in the cloud

22. What is an immutable network?

A network built using templates

23. Which logical layer will most complicate migrating IaaS services to another provider?

Metastructure

24. What is the first step that should be taken when designing an encryption system?

Create a threat model

25. In which phase of the Incident Response should roles and responsibilities be agreed upon?

As part of the Preparation phase

26. Which is most applicable for providers in protecting the management plane components themselves such as Web and API servers?

Perimeter security

27. What feature of software defined networking eases network isolation?

Packet encapsulation

28. What feature should virtual appliances support to address possible performance impacts?

Auto-scaling

29. What does the management plane refer to?

The interfaces for managing your assets in the cloud

30. Why should a consumer of SecaaS understand how a provider supports a customer’s data feed needs prior to engaging a provider?

To avoid vendor lock-in

31. What is CASB most commonly used for?

To manage an organization’s sanctioned and unsanctioned SaaS

32. Why should virtual network traffic between VMs on a single physical machine not be bridged back out to the physical network for inspection?

Physical network inspection will create a bottleneck

33. When is accepting the risk of an entire cloud provider going down a legitimate option?

Depends on the history of the provider and their internal availability capabilities

34. Container security that a customer must perform in a public cloud does NOT include

Maintaining patch level of the underlying operating system

35. What tool(s) can be used to build an “early warning system” for large data transfers?

Database activity monitoring and File activity monitoring

36. The probability of negotiating contract clauses depends on

The size of the potential customer

37. What is not an aspect of BC/DR in the cloud?

Contractually obligating the provider to ensure there is no loss of availability

38. Incident Response in a PaaS will see the customer being responsible for

Flaws in the application code

39. What can be used to model data handling and controls for data security?

Data security lifecycle

40. How does data move through the data security lifecycle?

Data can bounce between the six phases without restriction

41. What is the core benefit of running every application stack in its own virtual network?

Reduction of the attack surface

42. Which service model is CASB generally most suited for?

SaaS

43. Audits must be conducted by

An independent auditor

44. What is a cloud jump kit?

These are the tools needed to investigate in a remote location

45. Why do providers typically disable promiscuous network capture?

Network capture could expose data or configuration between tenants

46. Why might a security as a service provider be unable to ensure compliance with laws in your jurisdiction?

The jurisdiction may have different regulations

47. Which can be used for both authentication and authorization services?

SAML

48. Destruction of data is best performed by customers using which means?

Digital methods

49. Who is the data custodian?

The party that manages the data

50. What is a primary tool for managing identity and access management to resources when multiple organizations are involved?

Federation

51. How often should logs be collected from running instances?

Logs should be stored remotely from the instances

52. What should a CSP do with regard to networking in a cloud environment?

Ensure isolation between virtual networks even if those networks are controlled by the same consumer

53. What is an example of isolation failure?

Guest VM hopping

54. A CSP should implement internal processes and technical security controls to prevent which parties from accessing running VMs or volatile memory?

Nontenants and CSP admins

55. What can be implemented to discover hostile API activity from mobile devices?

Server/cloud-side security monitoring

56. Why must providers pay particular attention to BC/DR routines that involve multiple jurisdictions?

Because it could incur potential violation of contracts with data residency requirements

57. What is NOT a benefit of SDN security?

Networks are isolated due to restrictions on bridging virtual networks

58. Break-glass account should be used during which phase of the Incident Response?

Containment

59. What is a role in the context of identity and access management according to CSA?

Something used to make access decisions

60. When is an out-of-band communication needed?

When networks are impacted

61. Can traditional bit-by-bit imaging used in forensics be leveraged in a public cloud?

No; traditional forensic activities such as bit-by-bit imaging are not possible in a public cloud environment

62. When data is transferred to the cloud, which entity holds legal responsibility for protecting and securing said data?

The custodian of the data

63. How can the use of microservices architecture assist security?

There is a reduced attack surface of individual instances in a microservices architecture

64. Why is it typically best to re-architect deployments when you migrate them to the cloud?

Resiliency itself, along with the fundamental mechanisms for ensuring resiliency, changes in the cloud

65. OVF may address portability in which service model?

IaaS

66. Which service model offers full, multitenant applications, with all the architectural complexities of any large software platform?

SaaS

67. The CCM deals exclusively with security responsibilities of which parties?

Providers and customers

68. What should assessments and audits be based on?

Standards

69. The data security lifecycle is a tool that can be used to

Understand the security boundaries and controls around data

70. What is an issue with both inline appliances and agents as customer security tools?

These can create a chokepoint

71. Where can cloud providers offer customers easy access to documentation and reports needed by cloud prospects for assessments?

STAR registry

72. How often will a provider allow customers to perform network-based vulnerability assessments?

Depends on the provider

73. The data security lifecycle addresses location as

Where data is accessed and stored

74. Why might you want to ensure that a SaaS provider uses per-customer keys?

Management of keys would be under customer control

75. How can the Cloud Controls Matrix (CCM) be of most benefit to a cloud customer?

Ensures that compliance requirements are met

76. To store European citizen data in the United States, the cloud provider must

Use any one of: standard contractual clauses (SCC), the EU-US Privacy Shield, or obtain certification of binding corporate rules

77. What may be an issue when directly federating internal directory servers in the free-form model?

It may require users to VPN back to the corporate network before accessing cloud services.

78. What may be your only business continuity option in SaaS outside of accepting downtime?

Scheduled data extraction

Archiving

79. How many security domains are covered in the CCM?

14

80. What is the Cloud Security Alliance STAR registry?

An assurance program and documentation repository for cloud provider assessments

81. Which NIST standard deals with incident response?

NIST 800–61

82. Tony is looking to ensure the provider he is considering has a SOC 2 report. Which level of STAR entry should Tony look for on the CSA STAR registry?

Level 2

83. What can be used to restrict traffic between workloads in the same virtual subnet?

Security Groups

84. What can create a governance gap when using cloud computing to organize IT service capabilities?

Responsibilities and mechanisms not defined in contract

85. When considering API security, how should developers treat all API requests?

ALL API requests should be treated as hostile

86. How much application testing can be performed when a CI/CD pipeline is used?

Testing can be performed automatically in the pipeline and manually as an additional gate

87. Who is responsible for guest systems monitoring in IaaS?

Customer

88. Which essential characteristic enables greater use of immutable infrastructure?

Elasticity

89. Where should a provider disable promiscuous packet sniffing?

Between tenants

Within a single tenant’s own virtual network

90. What must a provider do when a resource is no longer used by a customer?

Ensure resources are appropriately scrubbed before they are released back to the common pool of resources

91. When using serverless computing what should be added to the application code to support security?

Applications running in a serverless environment will need to integrate more logging

92. Which testing type can be used to find embedded credentials in application code?

Static application security testing (SAST)

93. GDPR is applicable to data that is processed in which locations?

Within or outside of the EU/EEA

94. In which data security lifecycle phase would modification of existing content occur?

Create

95. How many essential characteristics are listed by ISO/IEC 17788?

Six

96. What is a third-party attestation?

Legal statements to communicate the results of an assessment or audit

97. What would determine whether downtime for a particular application is an acceptable option?

Recovery time objective (RTO)

98. How do CCM and CAIQ work together?

CCM has control specifications that map to regulatory standards

CAIQ has questions that map to regulatory standards

99. Which of the following needs to be part of business continuity planning by the customer?

Chaos engineering

100. What is the release cycle for new functionality in a Cloud platform?

Determined by the provider

101. Alice wants to update but not replace a file via REST API. What method should Alice use?

PATCH

102. When you are considering security agents for cloud instances, what should be a primary concern?

The vendor agent does not use IP addresses to identify systems

103. When you are using immutable servers, how should administrative access to the applistructure be granted to make changes to the running instances?

Administrative access should be restricted for everyone.

104. What is the main characteristic of cloud that impacts workload security the most?

Multitenancy

105. Select two attributes that a virtual appliance should have in a cloud environment:

Failover

Auto-scaling

106. Which of the following is the number one security priority for a cloud service provider?

Isolating tenant access to pools of resources

107. Nathan is trying to troubleshoot an issue with a packet capture tool on a running instance. He notices clear text FTP usernames and passwords. What should he do?

He should contact the service provider and advise them that he would be canceling his use of their cloud service

108. What are the benefits of a virtual network compared to a physical network?

You can compartmentalize application stacks in their own isolated virtual network

109. How is a storage pool created?

Provider builds the storage pool however they want

110. A provider wants to ensure that customer data is not lost on drive failure. What should the provider do?

Make multiple copies of the data and store the copies in multiple storage locations

111. How often should incident response plans be tested?

Annually

112. What is(are) the most important aspects of incident response in a cloud environment?

Setting service level agreements and establishing roles and responsibilities

113. If your organization needs to ensure that data stored in a cloud environment will not be accessed without permission by anyone, including the provider, what can you do?

Do not store the data in a cloud environment

114. Why would a SaaS provider require that customers use provider-supplied encryption?

Data encrypted by a customer prior to being sent to the provider application may break functionality

115. Which of the following is NOT a main component when considering data security controls in a cloud environment?

Performing risk assessment of prospective cloud providers

116. How can data transfers be sped up when using BC/DR SecaaS?

Implementing a local gateway device

117. What is the authoritative source of identity?

The system from which identities are propagated

118. According to CSA, what attribute(s) of the cloud make it ideal for supporting mobile applications?

Distributed geographical nature of cloud

119. Which is listed by ENISA as a way for SaaS or PaaS providers to protect their customers?

Providers should have a source code escrow agreement in place

120. What factors should you understand about the data specifically due to legal, regulatory, and jurisdictional factors?

A. The physical location of the data and how it is accessed

B. The fragmentation and encryption algorithms employed

C. The language of the data and how it affects the user

D. The implications of storing complex information on simple storage systems

E. The actual size of the data and the storage format

Ans: The implications of storing complex information on simple storage systems

raji krishnamoorthy

Information Technology Enthusiast, love writing on science and technology; believes in the union of art and science.