Practice Free CCCS-203b Exam Online Questions
After installing the Falcon sensor on a Linux server hosting Kubernetes workloads, an administrator wants to ensure it provides comprehensive protection.
What is a key feature of the Falcon sensor in this deployment?
- A. The Falcon sensor provides container image vulnerability scanning directly within the Falcon console.
- B. The sensor provides runtime protection by monitoring processes and detecting malicious behaviors within containers.
- C. The Falcon sensor replaces the need for Kubernetes Role-Based Access Control (RBAC) policies.
- D. The Falcon sensor automatically performs deep packet inspection for all network traffic within the Kubernetes cluster.
B
Explanation:
Option A: This is incorrect because the Falcon sensor focuses on runtime protection and process monitoring. Vulnerability scanning is a separate feature, often provided by CrowdStrike’s Cloud Security module or other integrated tools.
Option B: The Falcon sensor offers robust runtime protection, which includes monitoring processes and detecting potentially malicious activities inside both the host and containers. This functionality helps identify threats in real-time, making it a critical component of securing Kubernetes workloads.
Option C: This is incorrect as RBAC policies remain a fundamental part of Kubernetes security. The Falcon sensor complements, but does not replace, Kubernetes native security configurations like RBAC.
Option D: While the Falcon sensor provides process and file activity monitoring, it does not perform deep packet inspection for network traffic. This would require a separate network security solution.
When configuring a cloud account using APIs in CrowdStrike, which of the following is the correct first step to ensure the account is successfully registered and operational in the CrowdStrike Falcon platform?
- A. Use the CrowdStrike API to configure granular IAM policies before registration.
- B. Directly input the cloud provider’s credentials into the CrowdStrike console.
- C. Assign full administrator access to the CrowdStrike service account in the cloud provider.
- D. Generate an API client ID and secret in the CrowdStrike Falcon console.
D
Explanation:
Option A: Using the CrowdStrike API to configure granular IAM policies is a potential task during or after registration, but it is not the initial step. IAM roles and policies should be defined by the cloud provider’s configuration tools, not CrowdStrike, as a preliminary task.
Option B: Inputting cloud provider credentials directly into the CrowdStrike console is not a step in the configuration process. Instead, API-based integrations rely on secure token-based authentication, not direct username/password access, to align with best practices for security and scalability.
Option C: Assigning full administrator access to the CrowdStrike service account is unnecessary and violates the principle of least privilege. Only specific permissions (e.g., read-only access for threat detection) are required, and overly broad access increases the attack surface.
Option D: Generating an API client ID and secret is the required first step to enable secure communication between the CrowdStrike Falcon platform and the cloud provider. The client ID and secret are used for authentication when configuring API integrations, ensuring secure access to the cloud account’s data. Without this step, the integration cannot proceed.
You are a cloud administrator tasked with enhancing security for your organization’s cloud environment. Using CrowdStrike’s Cloud Infrastructure Entitlement Manager (CIEM), you want to identify accounts that have Multi-Factor Authentication (MFA) enabled.
Which of the following is the most appropriate method to identify these accounts?
- A. Run the "Inactive Users Report" and cross-reference it with CIEM recommendations.
- B. Analyze failed login attempts from CIEM logs to infer MFA usage.
- C. Use the "MFA Status" filter in CIEM’s Identity Analyzer.
- D. Review the "Account Permissions Summary" in the CIEM dashboard.
C
Explanation:
Option A: The "Inactive Users Report" focuses on identifying accounts with minimal activity, not MFA status. This option is unrelated to the task of identifying MFA-enabled accounts.
Option B: Failed login attempts might highlight suspicious activity or misconfigured accounts but do not directly correlate with MFA usage. Inferring MFA status from login failures is unreliable and prone to errors.
Option C: The "MFA Status" filter in CIEM’s Identity Analyzer is specifically designed to identify which accounts have MFA enabled. It provides a straightforward, automated method to determine MFA usage, ensuring accuracy and reducing manual effort. Using this built-in feature aligns with best practices for leveraging CIEM’s capabilities.
Option D: While the "Account Permissions Summary" provides an overview of permissions and access levels, it does not include information about MFA status. This option is irrelevant to identifying MFA-enabled accounts.
During the deployment of the CrowdStrike Kubernetes Sensor in a Kubernetes cluster, the installation fails with the error "ServiceAccount missing required permissions."
What is the most likely cause of this issue?
- A. The ServiceAccount is incorrectly assigned to a worker node instead of a master node.
- B. The CrowdStrike Kubernetes Sensor container image is corrupted.
- C. The ServiceAccount does not have the correct RBAC (Role-Based Access Control) permissions for the sensor.
- D. The Kubernetes cluster is running an unsupported version.
C
Explanation:
Option A: ServiceAccounts are cluster-wide and are not assigned to specific nodes. This answer demonstrates a misunderstanding of Kubernetes architecture.
Option B: A corrupted container image would lead to issues like failed image pulls or runtime errors, not an error related to the ServiceAccount permissions.
Option C: This is the correct answer because the error message points to a permissions issue related to the ServiceAccount. CrowdStrike Kubernetes Sensors require specific RBAC permissions to monitor and protect workloads effectively. If these permissions are missing or misconfigured, the deployment will fail.
Option D: While running an unsupported Kubernetes version can cause compatibility issues, it would not result in a "ServiceAccount missing required permissions" error. The error clearly points to RBAC misconfiguration, not version incompatibility.
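The explanation above says the error points at RBAC rather than at the image or the cluster version. The following added example (not CrowdStrike's code, and not the sensor's real permission list) shows how an operator can triage such a failure offline: it takes a ServiceAccount's ClusterRoleBindings, collects the rules of every bound ClusterRole, checks them against a required set of (apiGroup, resource, verb) triples, and turns whatever is missing into the rule entries a corrective ClusterRole would need. The manifests and the `REQUIRED` list are constructed sample data.

```python
"""Triage "ServiceAccount missing required permissions" against RBAC data.

Added example, not CrowdStrike's code. Manifests below are constructed and
REQUIRED is a hypothetical placeholder for the sensor's actual permission list.
"""
from collections import defaultdict

# Constructed ClusterRoles (only the fields this check uses).
CLUSTER_ROLES = {
    "sensor-reader": {
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "nodes"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["apps"], "resources": ["daemonsets"],
             "verbs": ["get", "list"]},
        ]
    },
    # Wildcard rule, kept to show that "*" satisfies any request.
    "cluster-admin": {
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    },
}

# Constructed ClusterRoleBinding: the sensor's ServiceAccount gets sensor-reader.
CLUSTER_ROLE_BINDINGS = [
    {
        "roleRef": {"kind": "ClusterRole", "name": "sensor-reader"},
        "subjects": [{"kind": "ServiceAccount", "name": "falcon-sensor",
                      "namespace": "falcon-system"}],
    },
]

# Hypothetical required permissions as (apiGroup, resource, verb).
REQUIRED = [
    ("", "pods", "list"),
    ("", "pods", "watch"),
    ("", "nodes", "get"),
    ("apps", "daemonsets", "get"),
    ("", "events", "create"),  # deliberately not granted above
]


def _rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule covers the request; '*' matches anything."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return (covers(rule.get("apiGroups", []), api_group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb))


def roles_bound_to(sa_name, namespace, bindings):
    """Names of ClusterRoles bound to the given ServiceAccount."""
    names = []
    for binding in bindings:
        if binding["roleRef"].get("kind") != "ClusterRole":
            continue
        for subject in binding.get("subjects", []):
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == sa_name
                    and subject.get("namespace") == namespace):
                names.append(binding["roleRef"]["name"])
    return names


def missing_permissions(sa_name, namespace, required, cluster_roles, bindings):
    """Required triples that no bound ClusterRole rule satisfies."""
    rules = []
    for role_name in roles_bound_to(sa_name, namespace, bindings):
        rules.extend(cluster_roles.get(role_name, {}).get("rules", []))
    return [perm for perm in required
            if not any(_rule_allows(rule, *perm) for rule in rules)]


def suggested_rules(missing):
    """Group missing triples into RBAC rule entries for a corrective ClusterRole."""
    verbs_by_target = defaultdict(set)
    for api_group, resource, verb in missing:
        verbs_by_target[(api_group, resource)].add(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs_by_target.items())]


if __name__ == "__main__":
    gaps = missing_permissions("falcon-sensor", "falcon-system", REQUIRED,
                               CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS)
    print("missing:", gaps)
    print("rules to add:", suggested_rules(gaps))
```

Against the constructed data the check reports only the `events`/`create` gap, which is the kind of precise finding that distinguishes an RBAC misconfiguration from an image pull or version problem. On a live cluster the same question is answered per verb with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<name>`; the script above is for reasoning about exported manifests before re-applying them.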
You are performing a dry run of an automated remediation workflow designed to disable AWS security groups that allow unrestricted inbound traffic.
Which step ensures that the dry run accurately evaluates the workflow without impacting resources?
- A. Enable "Dry Run Mode" in Falcon Fusion to simulate actions without applying them.
- B. Temporarily revoke permissions to ensure the workflow cannot make changes.
- C. Deploy the workflow to a non-production environment for testing.
- D. Use CloudTrail logs to manually verify the workflow actions post-execution.
A
Explanation:
Option A: Enabling "Dry Run Mode" in Falcon Fusion is the correct step for simulating workflow actions without making changes to the actual resources. This mode allows you to verify that the workflow logic functions as expected, including detecting findings and simulating remediation steps, without impacting live environments.
Option B: Revoking permissions may prevent accidental changes, but it does not allow you to test the workflow logic fully, as the dry run mode simulates actions while still validating permissions.
Option C: While testing in a non-production environment is a valid practice, it is not equivalent to a dry run, which explicitly avoids making changes.
Option D: Reviewing logs is important for auditing, but it does not replace the need for a dry run, which provides upfront validation without impacting resources.
What is a primary function of the Containers and Images Compliance dashboard in CrowdStrike’s Cloud Security platform?
- A. Provides a visual summary of compliance across containers and images
- B. Tracks the network performance of containers and provides detailed network usage data
- C. Allows users to automatically patch non-compliant containers and images
- D. Displays the list of all containers that are unsupported by Falcon Cloud Security with Containers
A
Explanation:
The Containers and Images Compliance dashboard in Falcon Cloud Security is designed to give security and DevOps teams a visual, aggregated view of compliance posture across container images and running containers.
This dashboard summarizes compliance status against benchmarks such as CIS, organizational policies, and security best practices. It highlights compliant versus non-compliant images and containers, severity distribution, and trending risk, enabling teams to quickly assess overall posture and prioritize remediation.
The dashboard does not perform network monitoring, automatic patching, or unsupported container enumeration. Those functions are handled by other Falcon modules or operational workflows.
Therefore, its primary function is to provide a visual summary of compliance across containers and images, making Option A correct.
What is the best practice when configuring an assessment schedule in CrowdStrike’s Cloud Security Posture Management (CSPM) module?
- A. Use default settings without reviewing scope and frequency, as they are pre-optimized by CrowdStrike.
- B. Configure assessments at a frequency that aligns with compliance or business requirements.
- C. Schedule assessments for each cloud account individually to avoid overlaps.
- D. Run assessments only during off-peak hours to avoid performance degradation in cloud resources.
B
Explanation:
Option A: Default settings may not always align with an organization’s specific compliance needs or operational cadence. Reviewing and customizing scope and frequency ensures the assessments are optimized for the specific environment.
Option B: Aligning assessment frequency with compliance or business requirements is the best practice. For example, compliance frameworks like SOC 2 or ISO 27001 may mandate daily or weekly assessments, while more frequent scans may be needed in dynamic environments.
Option C: Scheduling assessments individually for each cloud account can be unnecessarily complex and prone to errors. CrowdStrike allows centralized scheduling for multiple accounts, simplifying management and ensuring comprehensive coverage.
Option D: While off-peak scheduling may reduce resource contention in certain cases, CSPM assessments are non-intrusive and should prioritize security and compliance needs over resource availability. Waiting for off-peak hours may delay detection of vulnerabilities.
An organization is planning to deploy the CrowdStrike Kubernetes protection agent to secure their containerized workloads.
Which of the following is a prerequisite for deploying the Kubernetes protection agent?
- A. The Kubernetes cluster must be running on bare-metal hardware, as cloud-based clusters are unsupported.
- B. Each Kubernetes node must have Docker installed as the only supported container runtime.
- C. The organization must enable automatic pod scaling before installing the Kubernetes protection agent.
- D. The Kubernetes cluster must have internet access to connect to CrowdStrike’s cloud.
D
Explanation:
Option A: This is incorrect because CrowdStrike supports Kubernetes clusters running in both on-premises and cloud-based environments, including managed services like Amazon EKS, Azure AKS, and Google GKE.
Option B: This is incorrect because while Docker is supported, the Kubernetes protection agent also supports other container runtimes like containerd. Requiring Docker exclusively is a misconception.
Option C: This is incorrect as automatic pod scaling is unrelated to the deployment of the Kubernetes protection agent. It is not a requirement and has no impact on the agent’s functionality.
Option D: CrowdStrike’s Kubernetes protection agent communicates with the CrowdStrike Falcon platform in the cloud. Internet access is a critical requirement to enable this communication. Without it, the agent cannot send telemetry data or receive updates.
What is the primary role of the Kubernetes Admission Controller in relation to the CrowdStrike Kubernetes and Container Sensor?
- A. To analyze and enforce policies on API requests to the Kubernetes cluster before they are processed by the API server.
- B. To manage container image scanning and vulnerability assessments within Kubernetes clusters.
- C. To collect and report telemetry data from running Kubernetes workloads to the CrowdStrike Falcon platform.
- D. To deploy the CrowdStrike Kubernetes and Container Sensor as a sidecar to each pod.
A
Explanation:
Option A: The Kubernetes Admission Controller is a core Kubernetes feature that intercepts API requests to the Kubernetes cluster and applies policies before they are persisted. CrowdStrike leverages this capability to enforce security controls, such as validating configurations and applying runtime policies, before workloads are allowed to run in the cluster. This ensures that malicious or misconfigured deployments are blocked at the admission stage.
Option B: While container image scanning is essential for security, this is not the function of the Admission Controller. Image scanning is typically handled by other tools or services integrated with CI/CD pipelines.
Option C: This describes the function of the CrowdStrike Kubernetes and Container Sensor, not the Kubernetes Admission Controller. The Admission Controller operates at the API server level, not at the runtime monitoring level.
Option D: Deployment of the sensor is handled by separate installation processes and configurations. The Admission Controller is unrelated to deploying sidecar containers.
A company needs to ensure that its cloud environment aligns with PCI DSS (Payment Card Industry Data Security Standard) requirements.
Which configuration should the company implement to meet compliance requirements?
- A. Store sensitive data in publicly accessible cloud buckets.
- B. Share administrative credentials among multiple team members to enhance collaboration.
- C. Allow plaintext storage of sensitive customer payment data.
- D. Encrypt all sensitive data both at rest and in transit using strong cryptographic protocols.
D
Explanation:
Option A: This is incorrect because publicly accessible storage creates a significant security risk and violates PCI DSS requirements for restricted access to sensitive data.
Option B: This violates PCI DSS guidelines, which mandate unique credentials for each user to ensure accountability and limit access to authorized personnel only. Sharing credentials undermines security and traceability.
Option C: This violates PCI DSS requirements, which explicitly mandate the encryption of sensitive data to protect against unauthorized access. Plaintext storage is a major compliance failure.
Option D: This is the correct answer because PCI DSS mandates encryption of sensitive data to protect it from unauthorized access during storage and transmission. Strong encryption protocols (e.g., AES-256) are critical for ensuring compliance and mitigating risks of data breaches.
