Practice Free CCCS-203b Exam Online Questions
You are setting up registry credentials for Falcon Cloud Security to assess images from an approved registry.
What is the best practice to follow when managing these credentials?
- A . Store the credentials in plain text within the configuration file.
- B . Share the credentials across multiple teams for ease of use.
- C . Use default admin credentials for simplicity during setup.
- D . Use a service account with minimal permissions to generate the credentials.
D
Explanation:
Option A: Storing credentials in plain text poses a significant security risk. Credentials should always be encrypted or securely stored using tools like AWS Secrets Manager or HashiCorp Vault.
Option B: Sharing credentials across multiple teams violates the principle of least privilege and increases the risk of unauthorized access.
Option C: Using default admin credentials is highly insecure and can lead to unauthorized access if the credentials are compromised.
Option D: Best practices recommend using a service account with the least privilege necessary to reduce the risk of over-privileged access in case of a breach. This ensures security while granting Falcon Cloud Security access for image assessments.
While implementing a custom compliance framework within CrowdStrike, you must ensure the framework adapts to evolving regulatory requirements.
Which of the following actions best supports this goal?
- A . Delegate all regulatory updates to individual business units.
- B . Incorporate automated regulatory change monitoring into the framework.
- C . Disable notifications for compliance-related updates in CrowdStrike.
- D . Rely solely on historical compliance audits for framework updates.
B
Explanation:
Option A: While business units may provide input, centralizing updates ensures consistency and compliance across the organization. Decentralized updates increase the risk of gaps and inefficiencies.
Option B: Automated monitoring of regulatory changes ensures that the compliance framework remains current with evolving requirements. This approach reduces the risk of missing critical updates and facilitates proactive adjustments to maintain compliance. Automation streamlines the process and minimizes manual oversight, enabling the organization to respond swiftly to regulatory changes.
Option C: Disabling notifications can result in missed updates about changes to regulatory requirements or the CrowdStrike platform itself, jeopardizing compliance efforts. Notifications are vital for staying informed and proactive.
Option D: Historical audits provide valuable insights but do not account for new or upcoming regulatory changes. Solely relying on them can lead to outdated practices and non-compliance.
Which of the following scenarios represents a security risk that CrowdStrike Identity Analyzer (CIEM) is designed to identify and address?
- A . A network security group is configured to allow inbound traffic on port 443
- B . A serverless function has a concurrency limit set to 100 executions
- C . An IAM role with permissions to delete all cloud resources is assigned to multiple non-human identities
- D . An encrypted storage bucket is accessed by an authorized application
C
Explanation:
Option A: Allowing inbound traffic on port 443 (HTTPS) is a standard practice for secure web services. While this could be a misconfiguration if unnecessary, it falls under network security rather than identity management, which is the focus of CIEM.
Option B: Concurrency settings relate to resource performance and scalability, not identity or entitlement management. CIEM does not monitor or manage execution limits for serverless functions.
Option C: CIEM is specifically designed to detect and analyze overly permissive roles and identities, particularly when sensitive permissions (like resource deletion) are assigned to multiple non-human identities. This scenario poses a significant security risk if those identities are compromised or misused.
Option D: This is an expected and secure behavior when proper access policies are in place. CIEM would not flag this as an issue since the access is authorized and aligns with standard operational practices.
You are using the Packages dashboard to identify all Python packages found on assessed container images. You must provide a list of those packages to a team member who is not a Falcon user.
Which option meets these requirements?
- A . Filter by package name & version: PYTHON and export to CSV or JSON
- B . Filter by package type: PYTHON and create a saved filter for your team member to view
- C . Filter by package name & version: PYTHON and create a saved filter for your team member to view
- D . Filter by package type: PYTHON and export to CSV or JSON
D
Explanation:
In Falcon Cloud Security, the Packages dashboard allows filtering package inventory by package type, such as Python, Java, or OS-level packages.
To share results with a team member who is not a Falcon user, the data must be exported. Creating saved filters does not grant access to non-users. Filtering by package type: PYTHON ensures all Python-related packages are included regardless of name or version, providing complete coverage.
Exporting the filtered results to CSV or JSON enables easy sharing, offline analysis, and integration into other tools.
Therefore, the correct option is Filter by package type: PYTHON and export to CSV or JSON.
What is the recommended practice when deleting a container registry connection from Falcon Cloud Security?
- A . Revoke all tokens associated with the registry immediately after deletion.
- B . Notify all team members and pause all security assessments before deletion.
- C . Delete the connection directly without verifying its usage in any workflows.
- D . Ensure the registry is no longer referenced in any active policies or integrations before deletion.
D
Explanation:
Option A: Revoking tokens is a good practice but should occur after deletion is confirmed to avoid disrupting ongoing access prematurely.
Option B: Notifying the team is optional and pausing assessments is unnecessary, as deleting the connection does not typically require halting operations.
Option C: Deleting the connection without verification can break dependent workflows and cause image assessments or security scans to fail.
Option D: Before deleting a registry connection, it’s critical to verify that it is no longer referenced in policies, workflows, or integrations to prevent disruption or errors in Falcon Cloud Security operations.
What should you do if an API key used for a cloud account integration is suspected to be compromised?
- A . Disable the cloud account integration and restart the API client
- B . Update the API key’s privileges to restrict access temporarily
- C . Delete the API key and create a new one with the same scopes
- D . Rotate the API key and notify the Falcon administrator immediately
D
Explanation:
Option A: This is incorrect because disabling the cloud account integration might interrupt monitoring and leave the account vulnerable to threats.
Option B: This is incorrect because privileges cannot be dynamically updated on a compromised key. A rotation is necessary to revoke the key and replace it securely.
Option C: This is incorrect because simply deleting and recreating the key without proper notification and impact analysis might delay response efforts. Rotation is a more structured approach.
Option D: This is correct because rotating the API key ensures that the compromised key is no longer valid. Notifying the administrator helps assess potential security impacts and plan further mitigation steps.
What is one of the primary functions of the CrowdStrike Kubernetes Admission Controller in securing containerized workloads?
- A . Automatically applying kernel-level protections to all running containers.
- B . Intercepting pod creation requests to ensure they comply with configured security policies.
- C . Scanning all container images for vulnerabilities during runtime.
- D . Monitoring inter-container network traffic and blocking suspicious connections.
B
Explanation:
Option A: Kernel-level protections are managed by the CrowdStrike Falcon Container Sensor, not the Admission Controller. The Admission Controller focuses on admission-time security policies rather than runtime protections.
Option B: The Kubernetes Admission Controller intercepts pod creation requests submitted to the Kubernetes API server. It verifies these requests against security policies configured by the CrowdStrike platform, such as ensuring containers include the CrowdStrike Falcon sensor or restricting the use of insecure configurations (e.g., running containers as root). This functionality enforces security at the earliest stage of workload deployment.
Option C: Vulnerability scanning is typically performed by image scanning tools or registry integrations. The Admission Controller does not scan images but ensures security compliance during pod admission.
Option D: Network monitoring and blocking are functions of network security solutions, not the Kubernetes Admission Controller. The Admission Controller focuses solely on admission control.
After deploying the CrowdStrike Container Sensor on your Kubernetes cluster, you notice that it is only monitoring a subset of your containers.
Which of the following is the most likely cause of this issue?
- A . The containers were created using privileged mode.
- B . The CrowdStrike Container Sensor pod is not running on every node in the cluster.
- C . Network policies within the Kubernetes cluster are blocking outbound traffic from the sensor.
- D . The CrowdStrike Falcon Console account does not have the appropriate role permissions to view all containers.
B
Explanation:
Option A: The CrowdStrike Container Sensor is designed to monitor both privileged and unprivileged containers. Privileged mode is not a factor that would prevent the sensor from monitoring containers.
Option B: For the CrowdStrike Container Sensor to monitor all containers, it must be deployed on every node in the Kubernetes cluster where containers are running. This ensures that the sensor can collect data from all workloads on those nodes. If the sensor pod is not deployed on certain nodes, containers on those nodes will not be monitored.
Option C: Network policies might prevent telemetry data from reaching the CrowdStrike Falcon Console, but this would result in missing data for all containers, not just a subset.
Option D: Permissions in the Falcon Console govern what data can be viewed, but they do not impact what the sensor itself monitors.
A security team has deployed a runtime protection sensor as a DaemonSet in a Kubernetes cluster. However, after deployment, the sensor fails to send security events to the central CrowdStrike Cloud. The cluster nodes show no network connectivity issues.
Which of the following is the most likely cause of the problem?
- A . The sensor is blocked by Kubernetes network policies; verify the namespace and allow necessary outbound traffic.
- B . The sensor DaemonSet is not using a privileged security context; restart with the --privileged flag enabled.
- C . The container runtime (e.g., containerd or CRI-O) is misconfigured; reinstall Kubernetes to ensure proper integration.
- D . The sensor lacks permissions to access container runtime data; check the Kubernetes RBAC settings.
A
Explanation:
Option A: In environments that apply a default-deny Kubernetes NetworkPolicy, outbound traffic from a namespace is blocked unless it is explicitly allowed. If the namespace where the sensor runs has such a restrictive policy, it can block egress traffic to the CrowdStrike Cloud, preventing event transmission.
Option B: While some security sensors may require privileged access, the issue described involves network connectivity, not container runtime access. Lack of privileges would cause failure in collecting logs rather than blocking outbound traffic.
Option C: Reinstalling Kubernetes is a drastic and unnecessary step. If the container runtime were misconfigured, containers might fail to start, but the problem described is event transmission failure, not container runtime issues.
Option D: RBAC misconfigurations could cause issues in accessing Kubernetes API resources, but they would not typically prevent event transmission to an external service.
While editing the cloud security posture policy in Falcon to enhance compliance with industry standards, you notice a rule that detects misconfigured IAM roles in your AWS environment.
What action should you configure for this rule to prevent unauthorized access effectively?
- A . Set the action to "Monitor Only" to track usage of the misconfigured roles.
- B . Add a condition to the rule requiring all IAM roles to use least-privilege policies.
- C . Enable auto-remediation to delete all misconfigured IAM roles immediately.
- D . Set the action to "Alert" and notify the security operations team.
B
Explanation:
Option A: Monitoring alone provides visibility but does not address the root cause or prevent potential security risks from misconfigured IAM roles.
Option B: Adding a condition that enforces least-privilege policies ensures that IAM roles are configured to minimize unnecessary permissions. This is a proactive approach to reducing the risk of unauthorized access while aligning with best practices for identity and access management.
Option C: Auto-remediation by deletion is overly aggressive and may disrupt legitimate operations, especially in production environments.
Option D: While alerts provide visibility, they do not actively enforce secure configurations. This action is insufficient for preventing unauthorized access.