Isaca Updated CCAK Exam Questions and Answers by koa

APIs are likely to be attacked continuously by bad actors because they are generally the most exposed part of an application or system. APIs serve as the interface between different components or services, and often expose sensitive data or functionality to the outside world. APIs can be accessed by anyone with an Internet connection, and can be easily discovered by scanning or crawling techniques. Therefore, APIs are a prime target for attackers who want to exploit vulnerabilities, steal data, or disrupt services.

References:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 88-89.

OWASP, The Ten Most Critical API Security Risks - OWASP Foundation, 2019, p. 4-5

The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports. The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices.12 References := CCAK Study Guide, Chapter 5: Cloud Auditing, page 961; CSA Top Threats to Cloud Computing: Egregious 11

The technical impact of this incident would be categorized as an integrity breach in reference to the Top Threats Analysis methodology. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports. The methodology consists of six steps: scope definition, threat identification, technical impact identification, business impact identification, risk assessment, and risk treatment. Each of these provides different insights and visibility into the organization’s security posture.1

The technical impact identification step involves determining the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.2

An integrity breach occurs when a threat compromises the accuracy and consistency of the data or system. An integrity breach can result in data corruption, falsification, or manipulation, which can affect the reliability and trustworthiness of the data or system. An integrity breach can also have serious consequences for the business operations and decisions that depend on the data or system.3

In this case, the cybersecurity criminal was able to access an encrypted file system and overwrite parts of some files with random data. This means that the data in those files was altered without authorization and became unusable or invalid. This is a clear example of an integrity breach, as it violated the principle of ensuring that data is accurate and consistent throughout its lifecycle.4

References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 811; What is CIA Triad? Definition and Examples2; Data Integrity vs Data Security: What’s The Difference?3; Data Integrity: Definition & Examples

 The organization (client) is accountable for the use of a cloud service. Accountability in cloud computing is the responsibility of cloud service providers and other parties in the cloud ecosystem to protect and properly process the data of their clients and users. However, accountability ultimately rests with the organization (client) that uses the cloud service, as it is the data owner and controller. The organization (client) has to ensure that the cloud service provider and its suppliers meet the agreed-upon service levels, security standards, and regulatory requirements. The organization (client) also has to perform due diligence and oversight on the cloud service provider and its suppliers, as well as to comply with the shared responsibility model, which defines how the security and compliance tasks and obligations are divided between the cloud service provider and the organization (client)123.

The other options are not correct. Option A, the cloud access security broker (CASB), is incorrect because a CASB is a software tool or service that acts as an intermediary between cloud users and cloud service providers, providing visibility, data security, threat protection, and compliance. A CASB does not use the cloud service, but facilitates its secure and compliant use4. Option B, the supplier, is incorrect because a supplier is a third-party entity that provides services or products to the cloud service provider, such as infrastructure, software, hardware, or support. A supplier does not use the cloud service, but supports its delivery5. Option C, the cloud service provider, is incorrect because a cloud service provider is a company that provides cloud computing services to the organization (client). A cloud service provider does not use the cloud service, but offers it to the organization (client)6. References :=

Accountability Issues in Cloud Computing (5 Step … - Medium1

Shared responsibility in the \uE000cloud\uE001 - Microsoft Azure2

Who Is Responsible for Cloud Security? - Security Intelligence3

What is CASB? - Cloud Security Alliance4

Cloud Computing: Auditing Challenges - ISACA5

What is Cloud Provider? - Definition from Techopedia