CCAK Questions Bank

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours is an example of availability technical impact. Availability is the protection of data and services from disruption or denial, and it is one of the three dimensions of information security, along with confidentiality and integrity. Availability technical impact refers to the extent of damage or harm that a threat can cause to the availability of the information system and its components, such as servers, networks, applications, and data. A DDoS attack is a malicious attempt to overwhelm a target system with a large volume of traffic or requests from multiple sources, making it unable to respond to legitimate requests or perform its normal functions. A DDoS attack can cause a significant availability technical impact by rendering the customer’s cloud inaccessible for a prolonged period of time, resulting in loss of productivity, revenue, customer satisfaction, and reputation. References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81; What is a DDoS Attack? | Cloudflare

 The greatest risk associated with hidden interdependencies between cloud services is the lack of visibility over the cloud service providers’ supply chain. Hidden interdependencies are the complex and often unknown relationships and dependencies between different cloud services, providers, sub-providers, and customers. These interdependencies can create challenges and risks for the security, availability, performance, and compliance of the cloud services and data. For example, a failure or breach in one cloud service can affect other cloud services that depend on it, or a change in one cloud provider’s policy or contract can impact other cloud providers or customers that rely on it.12

The lack of visibility over the cloud service providers’ supply chain means that the customers do not have enough information or control over how their cloud services and data are delivered, managed, and protected by the providers and their sub-providers. This can expose the customers to various threats and vulnerabilities, such as data breaches, data loss, service outages, compliance violations, legal disputes, or contractual conflicts. The customers may also face difficulties in monitoring, auditing, or verifying the security and compliance status of their cloud services and data across the supply chain. Therefore, it is important for the customers to understand the hidden interdependencies between cloud services and to establish clear and transparent agreements with their cloud providers and sub-providers regarding their roles, responsibilities, expectations, and obligations.3

References := How to identify and map service dependencies - Gremlin1; Mitigate Risk for Data Center Network Migration - Cisco2; Practical Guide to Cloud Service Agreements Version 2.03; HIDDEN INTERDEPENDENCIES BETWEEN INFORMATION AND ORGANIZATIONAL …

Visibility to the source code within build scripts would give an auditor the best view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments. IaaS is a cloud service model that provides virtualized computing resources, such as servers, storage, network, and operating systems, over the internet. Programmatic automation is the process of using code or scripts to automate the provisioning, configuration, management, and monitoring of the cloud infrastructure. Build scripts are files that contain commands or instructions to create or modify the cloud infrastructure according to the desired specifications.12

An auditor can use the source code within build scripts to gain insight into how the organization designs and implements its cloud infrastructure. The source code can reveal the following information3:

The type, size, and number of cloud resources that are provisioned and deployed

The configuration settings and parameters that are applied to the cloud resources

The security controls and policies that are enforced on the cloud resources

The dependencies and relationships between the cloud resources

The testing and validation methods that are used to verify the functionality and performance of the cloud resources

The logging and auditing mechanisms that are used to track and record the changes and activities on the cloud resources

By reviewing the source code within build scripts, an auditor can evaluate whether the organization follows the best practices and standards for cloud infrastructure design and implementation, such as scalability, reliability, security, compliance, and efficiency. An auditor can also identify any gaps or risks in the organization’s cloud infrastructure and provide recommendations for improvement.

References := What is Infrastructure as Code? | Cloud Computing - AWS1; What is Programmatic Automation? - Definition from Techopedia2; How to audit your IaC for better DevSecOps - TechBeacon3

 The objective that is most appropriate to measure the effectiveness of password policy is newly created account credentials satisfy requirements. This is because password policy is a set of rules and guidelines that define the characteristics and usage of passwords in a system or network. Password policy aims to enhance the security and confidentiality of the system or network by preventing unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the effectiveness of password policy is to check whether the newly created account credentials meet the requirements of the policy, such as length, complexity, expiration, and history. This objective can be measured by conducting periodic audits, reviews, or tests of the account creation process and verifying that the passwords comply with the policy standards. This is part of the Cloud Control Matrix (CCM) domain IAM-02: User ID Credentials, which states that "The organization should have a policy and procedures to manage user ID credentials for cloud services and data."1 References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76