Practice Free CCCS-203b Exam Online Questions
An organization is integrating CrowdStrike Falcon Cloud Security with Kubernetes to enhance workload protection using an admission controller.
What is a critical requirement for successfully deploying Falcon’s Kubernetes admission controller?
- A . The admission controller must be registered with the Kubernetes API server as either a mutating or validating webhook to enforce security policies.
- B . The admission controller must be configured to modify the etcd database directly to prevent unauthorized resource creation.
- C . The admission controller must be deployed as a sidecar container in every pod to enforce security policies dynamically.
- D . The Kubernetes cluster must be configured to allow only manually approved API requests before the admission controller can take effect.
A
Explanation:
Option A: Admission controllers in Kubernetes function as webhooks that the API server invokes during resource creation. They can be either mutating webhooks, which modify API requests, or validating webhooks, which approve or deny them based on security policies. Falcon Cloud Security leverages this functionality to enforce security policies on workload deployment, preventing misconfigurations, vulnerabilities, and non-compliant images from being deployed.
Option B: Admission controllers do not modify etcd directly. They operate at the request validation stage before data is stored in etcd, ensuring that only compliant and secure configurations proceed.
Option C: Admission controllers are not deployed as sidecar containers in every pod. Instead, they act as centralized services that interact with the API server to validate and enforce security rules before pod creation.
Option D: API requests are not manually approved before admission controllers take effect. Instead, the webhook-based controller evaluates and either modifies or denies requests automatically.
While using Falcon’s Image Assessment feature, you want to prioritize scanning images for critical vulnerabilities before deployment.
Which configuration option should you use to achieve this goal?
- A . Adjust the Scan Scope in Image Assessment to include all images but only flag vulnerabilities with a CVSS score of 7 or higher.
- B . Set the Scan Rule in Cloud Workload Protection to include only images with high CVSS scores and exclude others.
- C . Enable Real-Time Scan Prioritization in the registry integration settings to target critical vulnerabilities.
- D . Use the Image Scan Priority feature in Falcon’s Prevention Policies to focus on high-severity CVEs.
B
Explanation:
Option A: The "Scan Scope" term is not used in Falcon. While filtering by CVSS score is valid, the configuration should be done via scan rules.
Option B: Configuring scan rules based on CVSS scores enables prioritization of critical vulnerabilities during image scanning.
Option C: Real-time prioritization is not an available feature for Falcon’s registry integrations. Scanning rules are applied during policy configuration.
Option D: "Image Scan Priority" is not part of Prevention Policies. Image Assessment configuration occurs within Cloud Workload Protection.
CrowdStrike Falcon Cloud Security has detected anomalous behavior on a virtual machine (VM) running in a cloud environment.
The following events were flagged:
• An outbound connection to torproject.org
• Multiple failed login attempts using various usernames
• The execution of base64 and nc (netcat) commands
• A process named kworker running from /tmp
What is the most appropriate response to this detection?
- A . Run an antivirus scan on the VM and delete any flagged files to remove potential malware.
- B . Immediately isolate the VM, capture memory and disk snapshots for forensic analysis, and investigate further.
- C . Modify the VM’s firewall rules to block outgoing traffic and wait for additional alerts before taking action.
- D . Ignore the alert, as the presence of kworker is normal in Linux environments and does not indicate a security issue.
B
Explanation:
Option A: Running an antivirus scan may detect malware, but it does not prevent ongoing attacker activity or preserve forensic evidence for deeper investigation.
Option B: The combination of Tor connections, failed logins, base64 and netcat usage, and execution from /tmp suggests potential malware activity or an active attack. Isolating the VM prevents further compromise, while forensic analysis helps identify the root cause.
Option C: Blocking outbound traffic may slow down attacker activities but does not fully prevent further actions or identify the existing compromise. Immediate isolation is more effective.
Option D: While kworker is a normal Linux process, its execution from /tmp is highly suspicious, as /tmp is a common location for malware execution. Ignoring this alert is a security risk.
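The reasoning in the explanation above, as an added triage helper that is not Falcon's detection logic and not part of the original page: it scores the four flagged event kinds over a constructed event list (the field names are an assumed, simplified schema) and shows why a kworker with an on-disk executable under /tmp is flagged while a genuine kernel thread, which has no executable path at all, is not.

```python
# Constructed triage helper (not CrowdStrike's detection logic). The event
# schema (type/dst/user/name/path) is an assumption made for this example.
TOR_DOMAINS = ("torproject.org",)
DUAL_USE_TOOLS = {"nc", "netcat", "ncat", "base64"}
KERNEL_THREADS = {"kworker", "kthreadd", "ksoftirqd", "migration", "rcu_sched"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed events mirroring the four indicators flagged in the question.
SAMPLE_EVENTS = [
    {"type": "net_conn", "dst": "www.torproject.org", "port": 443},
    {"type": "auth_fail", "user": "admin"},
    {"type": "auth_fail", "user": "oracle"},
    {"type": "auth_fail", "user": "ubuntu"},
    {"type": "process", "name": "base64", "path": "/usr/bin/base64"},
    {"type": "process", "name": "nc", "path": "/usr/bin/nc"},
    {"type": "process", "name": "kworker/0:1", "path": "/tmp/kworker"},
]


def triage(events: list) -> dict:
    """Return the findings the events support and the response they warrant."""
    findings, failed_users = [], set()
    for ev in events:
        if ev["type"] == "net_conn" and ev["dst"].endswith(TOR_DOMAINS):
            findings.append(f"outbound connection to Tor infrastructure: {ev['dst']}")
        elif ev["type"] == "auth_fail":
            failed_users.add(ev["user"])
        elif ev["type"] == "process":
            base = ev["name"].split("/")[0]  # 'kworker/0:1' -> 'kworker'
            if base in KERNEL_THREADS and ev["path"]:
                # Real kernel threads have no executable on disk; a path means masquerading.
                findings.append(f"userland process masquerading as kernel thread: {ev['path']}")
            elif ev["path"].startswith(WRITABLE_DIRS):
                findings.append(f"execution from world-writable directory: {ev['path']}")
            if ev["name"] in DUAL_USE_TOOLS:
                findings.append(f"dual-use tool executed: {ev['name']}")
    if len(failed_users) >= 3:
        findings.append(f"credential guessing across {len(failed_users)} usernames")
    if len(findings) >= 3:
        action = "isolate the VM, capture memory and disk snapshots, then investigate"
    elif findings:
        action = "open an investigation and collect additional telemetry"
    else:
        action = "no action"
    return {"findings": findings, "action": action}
```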
When reviewing base images for a secure containerized deployment, which of the following practices aligns best with security best practices for minimizing attack surfaces?
- A . Using the latest version of the base image without modification.
- B . Using a minimal base image with only the necessary dependencies.
- C . Relying solely on runtime security tools to mitigate risks.
- D . Building a custom base image with multiple utility tools pre-installed.
B
Explanation:
Option A: While using the latest version is generally good practice, it must be from a verified source and appropriately reviewed. Blindly trusting the latest version can still introduce unnecessary dependencies or vulnerabilities.
Option B: This is the correct answer because minimal base images reduce the attack surface by limiting the included software to only what is necessary for the application to run. This approach minimizes potential vulnerabilities and simplifies vulnerability management.
Option C: Runtime tools are important but are not a substitute for secure image practices. Images must be secured at the build and review stages to prevent vulnerabilities from reaching runtime.
Option D: This increases the attack surface because each additional tool or dependency introduces more potential vulnerabilities. Custom images should be minimal and tailored to application requirements.
A large enterprise is onboarding multiple cloud accounts into CrowdStrike Falcon and wants to assign security responsibilities to different teams based on their cloud resources.
How can cloud groups help achieve this goal?
- A . By requiring security analysts to manually tag every resource in order to apply security policies.
- B . By limiting cloud visibility, ensuring that only senior administrators can access security-related alerts.
- C . By merging all cloud accounts under a shared security policy that applies the same rules across all business units.
- D . By enabling role-based access control (RBAC), ensuring each team only sees alerts and policies relevant to their assigned cloud resources.
D
Explanation:
Option A: Cloud groups can automatically assign resources based on predefined rules rather than requiring security analysts to manually tag every resource.
Option B: Cloud groups are meant to improve visibility and accountability, not restrict access unnecessarily. RBAC can be used to grant appropriate permissions without limiting cloud visibility entirely.
Option C: Cloud groups allow for segmentation of security policies, rather than forcing a one-size-fits-all approach across all cloud accounts.
Option D: Cloud groups work alongside role-based access control (RBAC) in Falcon to ensure that teams only receive alerts and policies relevant to their assigned cloud resources. This helps improve accountability and reduces alert fatigue.
Which of the following steps is required to successfully integrate the Falcon CWPP Image Scanning Script with a CI/CD pipeline for image assessment?
- A . Modify the pipeline script to execute the Image Scanning Script during the post-deployment phase.
- B . Install the Falcon CWPP agent on all developer machines.
- C . Schedule the script to run daily on the production environment’s container images.
- D . Use the Falcon API to fetch a unique API token and store it in the pipeline configuration file.
D
Explanation:
Option A: Image scanning should occur before deployment to identify vulnerabilities early in the development lifecycle. Running the script post-deployment defeats the purpose of proactive security measures.
Option B: While the Falcon CWPP agent is part of the larger CrowdStrike solution, it is not required for the Image Scanning Script’s integration into a CI/CD pipeline. The scanning process is executed during pipeline stages and doesn’t depend on agents on developer machines.
Option C: Image assessments should be part of the CI/CD pipeline to detect vulnerabilities during development. Running scans on production images introduces unnecessary risk and is not the intended use case of the Image Scanning Script.
Option D: To authenticate the Image Scanning Script with the Falcon platform, a unique API token is required. This token allows secure communication between the CI/CD pipeline and the Falcon API, enabling image assessments to occur seamlessly. Failure to include this step results in authentication issues, causing the script to fail.
The security team wants to exclude a specific container image from being assessed by Falcon’s image assessment policy.
Which of the following steps should they take to configure this exclusion?
- A . Configure an exception for the image repository in the Falcon runtime policies.
- B . Add the image digest to the allowlist under image assessment exclusions.
- C . Add the container image tag to the policy exclusion list.
- D . Apply a "Do Not Scan" label to the container in Kubernetes.
B
Explanation:
Option A: Runtime policies address runtime behavior and do not affect pre-deployment image assessments.
Option B: Excluding an image from the image assessment policy requires adding its immutable digest to the allowlist. This ensures that the specific image is excluded from assessment while maintaining security for other images in the registry.
Option C: Tags are mutable and can point to different image versions over time. Exclusions based on tags are not reliable for security purposes.
Option D: Kubernetes labels do not control Falcon’s image assessment policies. Exclusions are configured within the Falcon Cloud platform, not at the Kubernetes level.
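To make the digest-versus-tag point concrete, here is an added example that is not Falcon's implementation: a small image-reference parser plus an exclusion check that keys only on the immutable digest, with two constructed registry snapshots (placeholder digests) showing the same tag serving different images on different days.

```python
import re

# Constructed example, not Falcon's code. Grammar handled:
#   [registry[:port]/]repo[:tag][@sha256:<64 hex>]
_REF = re.compile(
    r"^(?:(?P<registry>localhost(?::\d+)?|[^/]+\.[^/]+|[^/]+:\d+)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)


def parse_image_ref(ref: str) -> dict:
    """Split a reference into registry, repo, tag and digest (None when absent)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"  # default registry
    return parts


def is_excluded(ref: str, allowlisted_digests: set) -> bool:
    """Exclude only when the reference pins a digest that is on the allowlist.

    A tag can be re-pointed at a different image later, so a tag-only
    reference is never treated as excluded.
    """
    digest = parse_image_ref(ref)["digest"]
    return digest is not None and digest in allowlisted_digests


# Constructed registry snapshots with placeholder digests: the same tag served
# two different images on two days, which is what makes tag exclusions unsafe.
DAY1 = {"team/app:1.4.2": "sha256:" + "ab" * 32}
DAY2 = {"team/app:1.4.2": "sha256:" + "cd" * 32}


def resolve(ref: str, index: dict) -> str:
    """Pin a tag reference to the digest the registry serves for it right now."""
    return f"{parse_image_ref(ref)['repo']}@{index[ref]}"
```

An allowlist built from the day-one digest still excludes that exact image, but the re-pointed day-two image is assessed again, which is the behaviour the explanation above calls for.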
Which of the following best describes the benefits of Falcon Cloud Security in securing cloud workloads and how its components work together?
- A . Falcon Cloud Security offers endpoint detection and response (EDR) solutions that operate only within on-premises environments, ensuring data is never sent to the cloud.
- B . Falcon Cloud Security requires third-party integrations to achieve workload protection in hybrid environments.
- C . Falcon Cloud Security provides real-time threat detection, policy enforcement, and workload protection across multi-cloud environments, integrating seamlessly with other Falcon modules.
- D . Falcon Cloud Security is limited to monitoring and alerting and does not actively prevent threats in cloud environments.
C
Explanation:
Option A: Falcon Cloud Security is a cloud-native solution, not confined to on-premises environments. It leverages cloud-based analytics to provide protection for workloads in multi-cloud, hybrid, and on-premises setups. This answer misconstrues Falcon’s cloud capabilities by focusing solely on on-premises environments.
Option B: Falcon Cloud Security does not rely solely on third-party integrations for hybrid cloud protection. It is built to function effectively across hybrid environments with native capabilities, although it can augment security with integrations if desired.
Option C: Falcon Cloud Security delivers comprehensive protection by offering real-time threat detection, policy enforcement, and workload protection across multi-cloud setups (e.g., AWS, Azure, GCP). It integrates seamlessly with other CrowdStrike modules, such as Falcon Insight (EDR) and Falcon Discover, creating a unified security approach.
Option D: While Falcon Cloud Security provides monitoring and alerting, it also actively prevents threats using advanced AI and behavioral analysis. The claim that it is limited to monitoring overlooks its preventative measures and proactive threat-hunting capabilities.
While editing an existing Kubernetes Admission Controller policy in Falcon Cloud Security, what change would likely cause a disruption in cluster operations?
- A . Deleting an unused Admission Controller policy.
- B . Changing the policy to enforce runtime application behavior monitoring.
- C . Adding a policy that restricts access to Kubernetes Secrets.
- D . Modifying the policy to block deployment of containers without defined resource limits.
D
Explanation:
Option A: Deleting an unused policy has no immediate effect on cluster operations, as it is not actively being enforced.
Option B: Admission Controllers do not enforce runtime behavior; this is typically handled by runtime security tools like Kubernetes security policies or host monitoring agents.
Option C: Restricting access to Secrets is a valid and recommended security practice but would not directly cause operational disruptions unless misconfigured, such as blocking necessary application Secrets.
Option D: Blocking containers without resource limits may disrupt operations if existing deployments do not comply with this new requirement, potentially affecting CI/CD pipelines or existing automation scripts.
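The validating-webhook mechanism described in the first question's explanation and the resource-limit policy discussed here, as one added example that is not CrowdStrike's code: a handler that answers the AdmissionReview the API server sends, denies Pods with a container lacking CPU or memory limits, and offers an audit-only mode (warn instead of deny) as the safer first rollout step. The request shape follows the admission.k8s.io/v1 API; the sample request and its UID are constructed.

```python
# Constructed validating admission webhook handler (not Falcon's code).
REQUIRED_LIMITS = ("cpu", "memory")


def missing_limits(pod: dict) -> list:
    """Return 'container: resource' for every required limit the Pod lacks."""
    spec = pod.get("spec", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        limits = c.get("resources", {}).get("limits", {})
        problems += [f"{c.get('name', '?')}: {r}" for r in REQUIRED_LIMITS if r not in limits]
    return problems


def review(admission_review: dict, enforce: bool = True) -> dict:
    """Build the AdmissionReview response; warn instead of deny when enforce=False."""
    req = admission_review["request"]
    is_pod = req.get("kind", {}).get("kind") == "Pod"
    problems = missing_limits(req["object"]) if is_pod else []
    resp = {"uid": req["uid"], "allowed": (not enforce) or not problems}
    if problems:
        msg = "containers without resource limits: " + ", ".join(problems)
        if enforce:
            resp["status"] = {"code": 403, "message": msg}  # reason shown to the client
        else:
            resp["warnings"] = [msg]  # surfaced as a warning, request still admitted
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


# Constructed request: 'app' is compliant, 'sidecar' has no limits at all.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-4000-8000-000000000001",  # placeholder UID
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {"kind": "Pod", "spec": {"containers": [
            {"name": "app", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar", "resources": {}},
        ]}},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))       # denied with 403
    print(json.dumps(review(SAMPLE_REQUEST, enforce=False)))  # admitted with a warning
```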
What is the primary role of the Kubernetes Admission Controller in relation to the CrowdStrike Kubernetes and Container Sensor?
- A . To analyze and enforce policies on API requests to the Kubernetes cluster before they are processed by the API server.
- B . To manage container image scanning and vulnerability assessments within Kubernetes clusters.
- C . To collect and report telemetry data from running Kubernetes workloads to the CrowdStrike Falcon platform.
- D . To deploy the CrowdStrike Kubernetes and Container Sensor as a sidecar to each pod.
A
Explanation:
Option A: The Kubernetes Admission Controller is a core Kubernetes feature that intercepts API requests to the Kubernetes cluster and applies policies before they are persisted. CrowdStrike leverages this capability to enforce security controls, such as validating configurations and applying runtime policies, before workloads are allowed to run in the cluster. This ensures that malicious or misconfigured deployments are blocked at the admission stage.
Option B: While container image scanning is essential for security, this is not the function of the Admission Controller. Image scanning is typically handled by other tools or services integrated with CI/CD pipelines.
Option C: This describes the function of the CrowdStrike Kubernetes and Container Sensor, not the Kubernetes Admission Controller. The Admission Controller operates at the API server level, not at the runtime monitoring level.
Option D: Deployment of the sensor is handled by separate installation processes and configurations. The Admission Controller is unrelated to deploying sidecar containers.
