Appendix A. Answers

Chapter 1

1. b. A third-party connection agreement (TCA) is a document that spells out exactly the security measures that should be taken with respect to the handling of data exchanged between the parties. This document should be executed in any instance where a partnership involves depending on another entity to secure company data.

2. b. There is a trade-off when a decision must be made between the two architectures. A private solution provides the most control over the safety of your data but also requires staff and knowledge to deploy, manage, and secure the solution.

3. c. A community cloud is shared by organizations that are addressing a common need, such as regulatory compliance. Such shared clouds may be managed by either a cross-company team or a third-party provider. A community cloud can be beneficial to all participants because it can reduce the overall cost to each organization.

4. b. The auditors and the compliance team should be using matching frameworks.

5. c. Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures.

6. b. Downstream liability refers to liability that an organization accrues due to partnerships with other organizations and customers.

7. a. Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur.

8. b. A publicly traded corporation is most likely to be affected by the Sarbanes-Oxley (SOX) Act.

9. d. A three-legged firewall is an example of traditional perimeterization. Examples of de-perimeterization include telecommuting, cloud computing, bring your own device (BYOD), and outsourcing.

10. c. Security measures tend to reduce both network performance and ease of use. With this in mind, it is important to identify the situations where a given security measure (such as encryption) is required and where it is not. Eliminating unnecessary measures can both improve network performance and reduce complexity for users.

Chapter 2

1. b. You should implement separation of duties, a security control that requires multiple employees to complete a task.

2. a. An SLA lists all the guaranteed performance levels of a new connection.

3. c. An NDA should be used to ensure data privacy.

4. d. The principle of least privilege should be implemented for all positions, not just high-level positions.

5. b. The primary concern of PII is confidentiality.

6. c. Several invalid password attempts for multiple users are an example of an incident. All the other examples are events.

7. d. The steps of a risk assessment are as follows:

1. Identify assets and asset value.

2. Identify vulnerabilities and threats.

3. Calculate threat probability and business impact.

4. Balance threat impact with countermeasure cost.

8. a. An SOA identifies the controls chosen by an organization and explains how and why the controls are appropriate.

9. b. A request for proposal (RFP) requires that a vendor reply with a formal bid proposal.

10. c. First, you should develop the policy for NAC. A policy should be written first, and then the process, and then the procedures.

Chapter 3

1. d. Technical threat agents include hardware and software failure, malicious code, and new technologies. Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, and other natural disasters or weather events. Environmental threat agents include power and other utility failures, traffic issues, biological warfare, and hazardous material issues (such as spillage).

2. d. SLE indicates the monetary impact of each threat occurrence. ARO is the estimate of how often a given threat might occur annually. ALE is the expected risk factor of an annual threat event. EF is the percent value or functionality of an asset that will be lost when a threat event occurs.

3. b. Risk avoidance involves terminating an activity that causes a risk or choosing an alternative that is not as risky. Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

4. a. Advisory security policies provide instruction on acceptable and unacceptable activities. Non-disclosure agreements (NDAs) are binding contracts that are signed to ensure that the signer does not divulge confidential information. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

5. a. The formula given in the scenario is used to calculate the aggregate CIA score. To calculate ALE, you should multiply SLE × ARO. To calculate SLE, you should multiply AV × EF. Quantitative risk involves using SLE and ALE.

6. b. You are leading the continuous monitoring program, which will periodically assess the organization’s information security awareness. A security training program designs and delivers security training at all levels of the organization. A risk mitigation program attempts to identify risks and select and deploy mitigating controls. A threat identification program identifies all threats to an organization as part of risk management.

7. c. You are providing the total cost of ownership (TCO). Return on investment (ROI) refers to the money gained or lost after an organization makes an investment. Single loss expectancy (SLE) is the monetary impact of each threat occurrence. Net present value (NPV) is a type of ROI calculation that compares ALE against the expected savings as a result of an investment and considers the fact that money spent today is worth more than savings realized tomorrow.

8. a. Inherent risks are risks that are unavoidable. You should still implement security controls to protect against them. Residual risk is the level of risk remaining after safeguards or controls have been implemented. Technical and operational are two types of threat agents, not types of risks.

9. b. Confidentiality and integrity have been violated. Changing the data violates integrity, and accessing patented design plans violates confidentiality. Availability has not been violated in this scenario.

10. c. SLE = AV × EF = $12,000 × 10% = $1,200
ALE = SLE × ARO = $1,200 × 5% = $60
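As an added worked example (not from the book), the following Python puts the formulas above into functions and carries them one step further than the question does, into the countermeasure cost/benefit comparison from the risk assessment steps in Chapter 2. The control that cuts ARO to 1% for $20 a year is a hypothetical figure chosen for the example.

```python
# Added example (not from the book): quantitative risk figures built from the
# page's formulas. EF and ARO are given as fractions (10% -> 0.10).


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: money lost each time the threat event occurs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year. ARO 0.05 means once in 20 years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control (the 'balance threat impact with countermeasure
    cost' step): ALE reduction minus what the control costs per year.
    Positive means the control pays for itself; negative means it does not."""
    return (ale_before - ale_after) - annual_cost


def worked_example() -> dict:
    """The page's numbers: AV $12,000, EF 10%, ARO 5%, plus a hypothetical
    control (assumed, not from the book) that cuts ARO to 1% for $20 per year."""
    av, ef, aro = 12_000.0, 0.10, 0.05
    sle = single_loss_expectancy(av, ef)                       # 1,200
    ale = annualized_loss_expectancy(sle, aro)                 # 60
    ale_with_control = annualized_loss_expectancy(sle, 0.01)   # 12
    value = safeguard_value(ale, ale_with_control, 20.0)       # 60 - 12 - 20 = 28
    return {"SLE": sle, "ALE": ale, "ALE_with_control": ale_with_control,
            "safeguard_value": value}


if __name__ == "__main__":
    for name, amount in worked_example().items():
        print(f"{name:>17}: ${amount:,.2f}")
```

A control whose annual cost exceeds the ALE reduction it buys (for example, $100 a year against the same $48 reduction) gets a negative value and is not justified on these numbers alone.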

Chapter 4

1. a. You should capture benchmarks for all upgraded servers, compare those benchmarks to the old baselines, and replace the old baselines with the new benchmarks for any values that have changed. Benchmarks should always be compared to baselines. Baselines should be updated if changes made to a system can improve the system’s performance.

2. b. You should implement the solutions one at a time in the virtual lab, run a simulation for the attack in the virtual lab, collect the metrics on the servers’ performance, roll back each solution, implement the next solution, and repeat the process for each solution. Then you should choose which solutions to implement based on the metrics collected. Each solution should be tested in isolation, without the other solutions being deployed. You should run the simulation for the attack in the virtual lab before collecting metrics on the servers’ performance.

3. c. You should perform a cost/benefit analysis for the new security control before deploying the control.

4. d. When you are collecting and comparing metrics on a day-to-day basis, you are performing daily workloads.

5. a. The purpose of a network trends collection policy is to collect trends that will allow you to anticipate where and when defenses might need to be changed.

6. b. Performance is the manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose.

7. c. Usability means making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements.

8. d. You should report the issue to senior management to find out if the higher latency value is acceptable.

9. a. You should create a lessons-learned report. All the other options should be performed before deployment.

10. b. You should provide mean time to repair (MTTR) and mean time between failures (MTBF) to provide management with metrics regarding availability.

Chapter 5

1. a. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike Telnet and SSH, which provide only command-line access, RDP enables you to work on the computer as if you were at its console.

2. d. A run of one or more consecutive all-zero 16-bit groups can be replaced by a single double colon (::), but this can be done only once in an address, because a second :: would make the number of elided groups ambiguous.
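The double-colon rule is easy to state and easy to get subtly wrong, which matters when an ACL or allow-list compares addresses as strings. The following Python, added here as an example and not part of the book, expands and compresses addresses by hand, rejects a second ::, and cross-checks its output against the standard library’s ipaddress module. The sample addresses are constructed for illustration.

```python
# Added example (not from the book): hand-rolled expansion and RFC 5952-style
# compression of IPv6 addresses, showing why '::' may appear only once.
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list[int]:
    """Return the eight 16-bit groups of addr, filling in the groups elided by '::'.
    Rejects addresses with more than one '::' or the wrong number of groups."""
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one group: {addr!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError(f"expected 8 groups, got {len(groups)}: {addr!r}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r} in {addr!r}")
        values.append(int(g, 16))
    return values


def compress_ipv6(groups: list[int]) -> str:
    """Canonical text form: lowercase hex, no leading zeros, and the leftmost
    longest run of two or more zero groups replaced by '::' (RFC 5952)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    words = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(words)
    head = ":".join(words[:best_start])
    tail = ":".join(words[best_start + best_len:])
    return f"{head}::{tail}"


def canonical(addr: str) -> str:
    """Canonical form of any valid textual IPv6 address; compare these, not raw
    strings, when matching against an allow-list or ACL."""
    return compress_ipv6(expand_ipv6(addr))


def same_host(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)


def is_valid(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ["2001:DB8:0:0:0:0:0:1", "::1", "fe80::", "2001:db8:0:0:1:0:0:1"]:
        assert canonical(a) == str(ipaddress.IPv6Address(a))  # agrees with the stdlib
        print(f"{a:28} -> {canonical(a)}")
    for bad in ["2001:db8::1::2", ":::", "2001:db8:1"]:
        print(f"{bad:28} -> rejected: {is_valid(bad) is False}")
```

Note that “2001:DB8::1” and “2001:db8:0:0:0:0:0:1” are the same host but different strings; a filter that compares raw text can be bypassed by an attacker who simply spells the address differently, which is why canonicalization comes first.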

3. d. Teredo assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators.

4. b. When HTTPS is used, port 80 is not used. Rather, HTTPS uses port 443.

5. c. Extensible Authentication Protocol (EAP) is not a single authentication protocol but a framework that carries a variety of authentication methods (EAP-TLS and PEAP, for example). When used with 802.1X port-based access control, it relies on the same three components used with RADIUS: supplicant, authenticator, and authentication server.

6. d. 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components:

  • Supplicant: The user or device requesting access to the network

  • Authenticator: The device through which the supplicant is attempting to access the network

  • Authentication server: The centralized device that performs authentication

7. a. A signature-based IDS uses a database of attack characteristics called signatures. This database must be kept updated to provide protection.

8. b. A web application firewall (WAF) applies rule sets to an HTTP conversation. These sets cover common attack types to which these session types are susceptible.
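To show what a signature actually looks like when it meets traffic, the following Python, added as an example and not from the book, runs a handful of IDS/WAF-style signatures over HTTP request lines. The three signatures, their ids, and the requests are all constructed for this example. It covers both the signature-based IDS in question 7 and the WAF rule sets in question 8, and ends with a request that slips past every signature, which is the reason the signature database needs constant updating.

```python
# Added example (not from the book): a minimal signature engine of the kind a
# signature-based IDS or WAF runs over HTTP request lines. The signatures and
# the sample requests below are constructed for illustration.
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern


SIGNATURES = [
    Signature(1001, "SQLi: quoted tautology or UNION SELECT",
              re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)")),
    Signature(1002, "XSS: script tag in parameter",
              re.compile(r"(?i)<\s*script\b")),
    Signature(1003, "Path traversal: parent-directory sequence",
              re.compile(r"\.\./")),
]


def normalize(request_line: str) -> str:
    """Decode percent-encoding twice so double-encoded payloads (..%252F) are
    matched as the application would eventually see them (../)."""
    return unquote(unquote(request_line))


def match_signatures(request_line: str, signatures=SIGNATURES) -> list[int]:
    """Return the ids of every signature that fires on the request line."""
    text = normalize(request_line)
    return [s.sid for s in signatures if s.pattern.search(text)]


# Constructed sample traffic: one benign request, four known attack patterns,
# and a time-based blind SQLi probe that none of the signatures above cover.
SAMPLE_REQUESTS = [
    "GET /item?id=42 HTTP/1.1",
    "GET /item?id=42' OR '1'='1 HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /files?name=..%252F..%252Fetc%252Fpasswd HTTP/1.1",
    "GET /item?id=42%27%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1",
    "GET /item?id=42 AND SLEEP(5) HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS) -> dict[str, list[int]]:
    return {r: match_signatures(r) for r in requests}


if __name__ == "__main__":
    for req, hits in scan().items():
        verdict = "ALERT " + ",".join(map(str, hits)) if hits else "pass"
        print(f"{verdict:12} {req}")
```

The last request is a time-based blind SQL injection probe; nothing in the list matches it, so until a signature for it is added the sensor is silent. Decoding before matching is equally important: without the double unquote, the traversal request would pass as well.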

9. c. Among the architectures used are:

  • Interception-based model: Watches the communication between the client and the server

  • Memory-based model: Uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed

  • Log-based model: Analyzes and extracts information from the transaction logs

10. d. A microSD HSM is an HSM that connects to the microSD port on a device that has such a port. The card is specifically suited for mobile apps written for Android and is supported by most Android phones and tablets with a microSD card slot.

Chapter 6

1. b. A trusted operating system (OS) is an operating system that provides sufficient support for multilevel security and evidence of meeting a particular set of government requirements. The goal of designating operating systems as trusted was first brought forward by the Trusted Computer System Evaluation Criteria (TCSEC).

2. b. Autorun should be disabled.

3. c. Network DLP is installed at network egress points near the perimeter. It analyzes network traffic.

4. a. On Linux-based systems, a common host-based firewall is iptables, which replaced an earlier package called ipchains. It has the ability to accept or drop packets. On current distributions, nftables is the successor to iptables, and the iptables command is often a compatibility front end to it.

5. c. The following are all components of hardening an OS:

  • Unnecessary applications should be removed.

  • Unnecessary services should be disabled.

  • Unrequired ports should be blocked.

  • The connecting of external storage devices and media should be tightly controlled, if allowed at all.

6. b. The inherent limitation of ACLs is their inability to detect whether IP spoofing is occurring. IP address spoofing is a technique hackers use to hide their trail or to masquerade as other computers. A hacker alters the IP address as it appears in a packet to attempt to allow the packet to get through an ACL that is based on IP addresses.

7. b. Management interfaces are used for administering a device remotely. Typically, a management interface is kept off the in-band (production) network and attached to a dedicated out-of-band management network. Through a management interface, you can administer the device over the network with utilities such as SSH; Telnet should be disabled, since it sends credentials in cleartext. SNMP can also use the management interface to gather statistics from the device.

8. a. Bluesnarfing involves unauthorized access to a device using a Bluetooth connection. In this case, the attacker is trying to access information on the device.

9. b. A Trusted Platform Module (TPM) chip is a security chip installed on a computer’s motherboard that is responsible for managing symmetric and asymmetric keys, hashes, and digital certificates. This chip provides services to protect passwords, encrypt drives, and manage digital rights, making it much harder for attackers to gain access to computers that have TPM chips enabled.

10. b. Attestation services allow an authorized party to detect changes to an operating system. During boot, each stage measures (hashes) the next component into the TPM’s platform configuration registers, and the TPM can then produce a signed statement (a quote) of those register values that says what software is currently running. A verifier compares the quoted values with the values expected for known-good software; the computer uses this signed statement to attest that unaltered software is currently executing.
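The attestation flow is easier to follow in code. The following Python, added as an example and not from the book, simulates a measured boot into a PCR, a signed quote, and the verifier’s checks. Real TPMs keep the PCRs in hardware and sign quotes with an asymmetric attestation key; this simulation uses a plain variable and an HMAC under a shared key, and the boot-chain contents, nonces, and key are constructed values.

```python
# Added example (not from the book): a simulation of measured boot and remote
# attestation. Real TPMs keep PCRs in hardware and sign quotes with an
# asymmetric attestation key; here the PCR is a variable and the quote is an
# HMAC under a key the verifier shares, which keeps the example offline.
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR <- SHA256(PCR || measurement). One-way and order-sensitive: a PCR
    cannot be set to a chosen value, only extended."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components: list[tuple[str, bytes]]) -> bytes:
    """Each boot stage hashes the next component before handing off to it,
    extending the PCR with that hash. Returns the final PCR value."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after reset
    for _name, image in components:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def make_quote(pcr: bytes, nonce: bytes, ak_key: bytes) -> bytes:
    """The signed statement the page describes: binds the verifier's nonce to
    the current PCR value. (HMAC stands in for the TPM's signature.)"""
    return hmac.new(ak_key, nonce + pcr, "sha256").digest()


def verify_attestation(pcr: bytes, nonce: bytes, quote: bytes, *,
                       ak_key: bytes, expected_nonce: bytes,
                       golden_pcr: bytes) -> tuple[bool, str]:
    """Appraiser side: freshness, then authenticity, then policy (PCR matches
    the value computed from the known-good software list)."""
    if not hmac.compare_digest(nonce, expected_nonce):
        return False, "stale nonce: possible replay of an old quote"
    if not hmac.compare_digest(quote, make_quote(pcr, nonce, ak_key)):
        return False, "quote not signed by the expected attestation key"
    if not hmac.compare_digest(pcr, golden_pcr):
        return False, "PCR mismatch: boot software differs from the golden image"
    return True, "platform attested: unaltered software is running"


# Constructed sample boot chains (hypothetical image contents).
GOLDEN_CHAIN = [
    ("firmware", b"firmware-1.2"),
    ("bootloader", b"bootloader-2.06"),
    ("kernel", b"vmlinuz-6.1"),
]
TAMPERED_CHAIN = [
    ("firmware", b"firmware-1.2"),
    ("bootloader", b"bootloader-2.06 with bootkit"),
    ("kernel", b"vmlinuz-6.1"),
]
AK_KEY = b"attestation-key-for-this-demo"  # constructed; a real AK is asymmetric


def demo(chain, nonce: bytes = b"nonce-0001",
         expected_nonce: bytes = b"nonce-0001") -> tuple[bool, str]:
    """Run one attestation round for a given boot chain; returns (ok, reason)."""
    golden = measure_boot(GOLDEN_CHAIN)
    pcr = measure_boot(chain)
    quote = make_quote(pcr, nonce, AK_KEY)
    return verify_attestation(pcr, nonce, quote, ak_key=AK_KEY,
                              expected_nonce=expected_nonce, golden_pcr=golden)


if __name__ == "__main__":
    print("golden   :", demo(GOLDEN_CHAIN))
    print("tampered :", demo(TAMPERED_CHAIN))
    print("replayed :", demo(GOLDEN_CHAIN, nonce=b"nonce-0000"))
```

The order of the checks matters: a quote that fails freshness is rejected before its contents are even considered, and the PCR comparison only means something once the quote is known to come from the platform’s own key. Because extend is order-sensitive, the same components booted in a different order also yield a different PCR.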

Chapter 7

1. b. Containerization is a newer feature of most mobile device management (MDM) software that creates an encrypted “container” to hold and quarantine corporate data separately from that of the users. This allows for MDM policies to be applied only to that container and not the rest of the device.

2. a. Corporate-owned, personally enabled (COPE) is a strategy in which an organization purchases mobile devices and issues them to users, who are allowed to use them for personal purposes as well. Because the organization owns the device, it can monitor and control the users’ activity to a larger degree than with personally owned devices.

3. d. An MDM configuration profile is used to control the use of a device and, when applied to a device, make changes to settings such as the passcode settings, Wi-Fi passwords, VPN configurations, and more.

4. b. Application wrappers (implemented as policies) enable administrators to set policies that allow employees with corporate-owned or personal mobile devices to safely download an app, typically from an internal store.

5. a. Profiles can restrict items that are available to a user, such as the camera. The individual settings are called payloads, and payloads may be organized into categories in some implementations.

6. b. Virtual network computing (VNC) technology is a graphical desktop sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer. There is a mobile version of VNC that can be installed for this purpose.

7. c. The product release information (PRI) is the connection between a mobile device and a radio. From time to time, this may need to be updated, and such updates may add features or increase data speed.

8. b. The preferred roaming list (PRL) is a list of radio frequencies residing in the memory of some kinds of digital phones. It lists frequencies the phone can use in various geographic areas.

9. c. Remote wipes are instructions that can be sent remotely to a mobile device to erase all the data when the device is stolen or lost.

10. a. Simple Certificate Enrollment Protocol (SCEP) is used to provision certificates to network devices, including mobile devices.

Chapter 8

1. c. Secure by default means that without changes, the application is secure. For example, some server products have certain capabilities (such as FTP), but the service has to be enabled. This ensures that the port is not open if it is not being used.

2. b. This particular XSS example is designed to steal a cookie from an authenticated user.

3. c. Cross-Site Request Forgery (CSRF) is an attack that causes an end user to execute unwanted actions on a web application in which he or she is currently authenticated. Unlike with XSS, in CSRF, the attacker exploits the website’s trust of the browser rather than the other way around. The website thinks that the request came from the user’s browser and is made by the user when actually the request was planted in the user’s browser.

4. b. Input validation is the process of checking all input for things such as proper format and proper length.

5. a. A SQL injection attack inserts, or “injects,” a SQL query as the input data from the client to the application. In this case, the attack is identified in the error message, and we can see a reference to the SELECT command as data, which indicates an attempt to inject a command as data.
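The injection below is the page’s point made concrete. This Python, added as an example and not part of the book, runs the vulnerable concatenated query and the parameterized fix side by side against an in-memory SQLite database; the user table and payloads are constructed for the example.

```python
# Added example (not from the book): the injection the page describes, run
# against an in-memory SQLite database, beside the parameterized fix.
import sqlite3

# Constructed sample data; the hashes are placeholder strings, not real digests.
SAMPLE_USERS = [
    ("alice", "$argon2id$placeholder-hash-1", "admin"),
    ("bob", "$argon2id$placeholder-hash-2", "user"),
    ("carol", "$argon2id$placeholder-hash-3", "user"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username: str) -> list[tuple]:
    """String concatenation: the client's data becomes part of the SQL text, so
    a quote in the input ends the literal and the rest is parsed as a command."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str) -> list[tuple]:
    """Parameterized query: the value is bound after parsing, so it can only
    ever be compared as a string, never executed."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


TAUTOLOGY = "' OR '1'='1"
# Injects a SELECT as data, the same thing the page says shows up in the error
# message; '--' comments out the trailing quote the application appends.
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users --"


def compare(payload: str) -> dict:
    conn = setup_db()
    return {"vulnerable": find_user_vulnerable(conn, payload),
            "safe": find_user_safe(conn, payload)}


if __name__ == "__main__":
    for name, payload in [("tautology", TAUTOLOGY), ("union", UNION_DUMP)]:
        result = compare(payload)
        print(f"{name}: vulnerable -> {len(result['vulnerable'])} rows, "
              f"safe -> {len(result['safe'])} rows")
        for row in result["vulnerable"]:
            print("   ", row)
```

With the tautology, the vulnerable query returns every user; with the UNION payload it returns the password hash column, which the original query never selected. The parameterized version returns nothing for either payload, because no user is literally named “' OR '1'='1”.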

6. b. Fuzz testing, or fuzzing, injects invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.

7. c. A packet containing a long string of NOPs (no-operation instructions) followed by shellcode usually indicates a buffer overflow attack using a NOP sled (also called a NOP slide). The attacker rarely knows the exact address at which execution will resume after the overwrite; if it lands anywhere in the sled, the CPU executes NOPs until it reaches the attacker’s code, so an approximate address is enough.

8. a. Integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. For instance, adding 1 to the largest value that can be represented constitutes an integer overflow. The register width of a processor determines the range of values that can be represented.

9. b. The Open Web Application Security Project (OWASP) is a nonprofit community focused on web application security. OWASP maintains the OWASP Top 10, an ongoing list of the most critical web application security risks. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.

10. d. In this example of a buffer overflow, 16 characters are being sent to a buffer that holds only 8 bytes. Without a bounds check, the extra bytes overwrite whatever sits next to the buffer in memory; depending on what that is, the result is an access violation (crash) or, if the attacker controls the overwritten data, execution of attacker-chosen code. Proper input validation (checking the length before the copy) rejects the oversized input instead.

Chapter 9

1. c. In a blind test, the testing team is provided with limited knowledge of the network systems and devices and performs the test using publicly available information only. The organization’s security team knows that an attack is coming. This test requires more effort from the testing team.

2. d. Runtime debugging is the process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows. Runtime debugging tools operate by examining and monitoring the use of memory.

3. b. Pivoting is a technique used by hackers and pen testers alike to advance from the initially compromised host to other hosts on the same network. It allows the leveraging of pen test tools installed on the compromised machine to route traffic through other hosts on the subnet and potentially allows access to other subnets.

4. b. By configuring authentication, you can prevent routing updates with rogue routers.

5. c. Malware sandboxing aims to detect malicious code by running it in an isolated computer-based system of some type and analyzing it for behavior and traits that indicate malware. One of its goals is to spot zero-day malware—that is, malware that has not yet been identified by commercial anti-malware systems and for which there is not yet a cure.

6. a. In a double blind test, the testing team is provided with limited knowledge of the network systems and devices using publicly available information. The organization’s security team does not know that an attack is coming.

7. a. In black-box testing, or zero-knowledge testing, the team is provided with no knowledge regarding the organization’s network. This type of testing is the least time-consuming.

8. b. In over-the-shoulder code review, coworkers review the code while the author explains his reasoning.

9. c. Pharming is similar to phishing, but pharming actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are routed to an alternate site.

10. d. The steps in performing a penetration test are as follows:

Step 1. Document information about the target system or device.

Step 2. Gather information about attack methods against the target system or device.

Step 3. Identify the known vulnerabilities of the target system or device.

Step 4. Execute attacks against the target system or device to gain user and privileged access.

Step 5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.

Chapter 10

1. a. Port scanners can be used to scan a network for open ports. Open ports indicate services that may be running and listening on a device and that may be susceptible to attack. These tools send a probe (typically a TCP SYN or a UDP datagram) to each address and port combination and record which ports answer as open; closed ports reply with a reset or an ICMP error, and filtered ports do not answer at all.

2. b. Protocol analyzers, or sniffers, collect raw packets from the network and are used by both legitimate security professionals and attackers. Using such a tool, you could tell if the traffic of interest is encrypted.

3. d. Fuzzers are software tools that find weaknesses in applications, including web applications, by feeding them malformed or unexpected input and watching for crashes and other faults; exploiting what they find is a separate step.

4. a. Security Content Automation Protocol (SCAP) is a standard that the security automation community uses to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used. A vendor of security automation products can obtain a validation against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.

5. c. Only available in Windows Vista and later, the /SCANFILE switch of the System File Checker (sfc) scans a file that you specify and repairs it if problems are found.

6. b. Common Platform Enumeration (CPE) is a structured naming scheme for describing and classifying operating systems, applications, and hardware devices.

7. c. Network enumerators use protocols such as ICMP and SNMP to gather information. WhatsUp Gold is an example of such software.

8. b. Sniffers collect raw packets from the network and are used by both legitimate security professionals and attackers. Using such a tool, you could tell if the traffic of interest is encrypted.

9. d. OllyDbg is a reverse engineering tool. Specifically, it is a 32-bit, assembler-level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable.

10. b. Malicious individuals use RFID tools to steal proximity badge information from an unsuspecting employee who physically walks near the concealed device.

Chapter 11

1. d. You should not consider data size when a legal case is presented to a company. In e-discovery, you should consider inventory and asset control, data retention policies, data recovery and storage, data ownership, data handling, and legal holds.

2. c. The primary reason for having an e-discovery process is to provide evidence in a digital investigation.

3. b. A data custodian should be responsible for implementing the controls.

4. a. You should adopt a data retention policy of 5 years. Laws and regulations cannot be ignored. Adopting the longer data retention policy will ensure that you comply with the federal law.

5. b. You need to restore two backups: Monday’s full backup and Thursday’s differential backup.
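The rule behind this answer generalizes: a differential chain needs the last full backup plus only the newest differential, while an incremental chain needs the last full backup plus every incremental since it. The following Python, added as an example and not from the book, implements that selection for both rotation types over a constructed Monday-to-Friday schedule.

```python
# Added example (not from the book): choosing the backup sets to restore for a
# differential or an incremental rotation. Schedules below are constructed.
from dataclasses import dataclass

FULL, DIFFERENTIAL, INCREMENTAL = "full", "differential", "incremental"


@dataclass(frozen=True)
class Backup:
    day: int    # 0 = Monday in the sample schedules
    kind: str


def restore_sequence(backups: list[Backup], restore_day: int) -> list[Backup]:
    """Backups to apply, in order, to recover the state as of the end of restore_day.
    - differential: last full, then only the newest differential since it
    - incremental:  last full, then every incremental since it, oldest first"""
    usable = sorted((b for b in backups if b.day <= restore_day), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == FULL]
    if not fulls:
        raise ValueError("no full backup on or before the requested day")
    last_full = fulls[-1]
    since_full = [b for b in usable if b.day > last_full.day]
    diffs = [b for b in since_full if b.kind == DIFFERENTIAL]
    incs = [b for b in since_full if b.kind == INCREMENTAL]
    if diffs and incs:
        raise ValueError("chain mixes differential and incremental backups")
    if diffs:
        return [last_full, diffs[-1]]   # each differential already contains the earlier ones
    return [last_full] + incs           # every incremental is needed; losing one breaks the chain


# Monday full, then one differential (or incremental) each remaining weekday.
DIFFERENTIAL_WEEK = [Backup(0, FULL)] + [Backup(d, DIFFERENTIAL) for d in range(1, 5)]
INCREMENTAL_WEEK = [Backup(0, FULL)] + [Backup(d, INCREMENTAL) for d in range(1, 5)]


def describe(seq: list[Backup]) -> str:
    names = "Mon Tue Wed Thu Fri".split()
    return " -> ".join(f"{names[b.day]} {b.kind}" for b in seq)


if __name__ == "__main__":
    print("differential, restore Thursday:", describe(restore_sequence(DIFFERENTIAL_WEEK, 3)))
    print("incremental,  restore Thursday:", describe(restore_sequence(INCREMENTAL_WEEK, 3)))
```

The trade-off is visible in the two results: differentials cost more storage each day but a restore is always two sets, whereas incrementals are small but a Thursday restore needs four sets, and a corrupted Tuesday incremental makes Wednesday and Thursday unrecoverable.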

6. c. After detecting the attack, the IT technician should respond to the incident by stopping the remote desktop session. The steps in incident response are as follows:

Step 1. Detect the incident.

Step 2. Respond to the incident.

Step 3. Report the incident to the appropriate personnel.

Step 4. Recover from the incident.

Step 5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.

Step 6. Review the incident and document all findings.

7. a. The tcpdump command captures packets on Linux and UNIX platforms. A version for Windows, called WinDump, is also available.

8. a. The most likely reason that this attack was successful was that no one was reviewing the audit logs.

9. a. The chain of custody is not concerned with who detected the evidence. The chain of custody shows who controlled the evidence, who secured the evidence, and who obtained the evidence.

10. b. The five rules of evidence are as follows:

  • Be authentic.

  • Be accurate.

  • Be complete.

  • Be convincing.

  • Be admissible.

Chapter 12

1. a, b, d. The following analysis steps should occur:

Step 1. Determine which applications and services access the information.

Step 2. Document where the information is stored.

Step 3. Document which security controls protect the stored information.

Step 4. Determine how the information is transmitted.

Step 5. Analyze whether authentication is used when accessing the information.

  • If it is, determine whether the authentication information is securely transmitted.

  • If it is not, determine whether authentication can be used.

Step 6. Analyze enterprise password policies, including password length, password complexity, and password expiration.

Step 7. Determine whether encryption is used to transmit data.

  • If it is, ensure that the level of encryption is appropriate and that the encryption algorithm is adequate.

  • If it is not, determine whether encryption can be used.

Step 8. Ensure that the encryption keys are protected.

2. c. You should first determine whether authentication can be used. Users should use authentication when accessing private or confidential data.

3. a. You should consider open standards, de facto standards, and de jure standards.

4. a. Tailored commercial (or commercial customized) software is a new breed of software that comes in modules, which can be combined to arrive at exactly the components required by the organization. It allows for customization by the organization.

5. d. Data isolation ensures that tenant data in a multitenant solution is isolated from other tenants’ data via tenant IDs in the data labels.

6. c. A physical network diagram would give you the most information. A physical network diagram shows the details of physical communication links, such as cable length, grade, and wiring paths; servers, with computer name, IP address (if static), server role, and domain membership; device location, such as printer, hub, switch, modem, router, or bridge, as well as proxy location; communication links and the available bandwidth between sites; and the number of users, including mobile users, at each site.

7. a. You should deploy a demilitarized zone (DMZ) that will contain only the resources that the partner organization needs to access.

8. a. This concept is called data sovereignty. When an organization operates globally, this issue must be considered.

9. b. You should recommend customer relationship management (CRM), which involves identifying customers and storing all customer-related data, particularly contact information and data on any direct contact with customers.

10. a. You should deploy Directory Services to allow easy access to internal resources.

Chapter 13

1. b. Because management wants a solution that does not involve investing in hardware that will no longer be needed in the future, you should contract with a public cloud service provider.

2. d. Data isolation ensures that tenant data in a multitenant solution is isolated from other tenants’ data via tenant IDs in the data labels.

3. c. A private cloud is a solution owned and managed by one company solely for that company’s use. It provides the most control and security but also requires the biggest investment in both hardware and expertise.

4. a. Hypervisors can be either Type 1 or Type 2. A Type 1 hypervisor (or native, bare metal) is one that runs directly on the host’s hardware to control the hardware and to manage guest operating systems. A guest operating system thus runs on another level, above the hypervisor.

5. a. In an IaaS model, the provider supplies the underlying infrastructure (compute, storage, and networking, usually virtualized) and maintains it, while the customer installs and manages everything above it, including operating systems and applications. An example is a company hosting all its web servers on virtual machines at a third party that provides the hardware and hypervisor.

6. d. The same security issues that must be mitigated in the physical environment must also be addressed in the virtual network.

7. a. In a VM escape attack, the attacker “breaks out” of a VM’s normally isolated state and interacts directly with the hypervisor. Since VMs often share the same physical resources, if the attacker can discover how his VM’s virtual resources map to the physical resources, he will be able to conduct attacks directly on the real physical resources and on the other VMs that share them.

8. a. Hyperconvergence takes convergence a step further, utilizing software to perform integration without hardware changes. It utilizes virtualization as well. It integrates numerous services that are managed from a single interface.

9. a. Secure enclaves and secure volumes both have the same goal: to minimize the amount of time that sensitive data is unencrypted as it is used. A secure enclave is a hardware-isolated region of execution inside the processor; code in the enclave works on plaintext, but the enclave’s memory is encrypted outside the CPU and cannot be read by the host operating system or hypervisor. This means that even those with access to the underlying hardware in the virtual environment are not able to access the data.

10. b. A cloud security broker, or cloud access security broker (CASB), is a software layer that operates as a gatekeeper between an organization’s on-premises network and a provider’s cloud environment.

Chapter 14

1. c. A complex password includes a mixture of upper- and lowercase letters, numbers, and special characters. For many organizations today, this type of password is enforced as part of the organization’s password policy. An advantage of this type of password is that it is very hard to crack. A disadvantage is that it is harder to remember and can often be very difficult to enter correctly.

2. b. Password history controls how many previously used passwords the system remembers so that they cannot be reused; it is the minimum password age setting that stops a user from cycling through passwords quickly to get back to an old one.

3. c. For Linux, account information is stored in /etc/passwd and password hashes in /etc/shadow. Because /etc/passwd is a world-readable text file, you should ensure that any Linux servers use shadow passwords, so that the salted password hashes live in /etc/shadow, which only root can read, and the password field in /etc/passwd holds only a placeholder.

4. d. A hand topography scan records the peaks and valleys of the hand and its shape. This system is usually implemented in conjunction with hand geometry scans because hand topography scans are not unique enough if used alone.

5. d. A vascular scan scans the pattern of veins in the user’s hand or face. It is based on physiological characteristics rather than behavioral characteristics. While this method can be a good choice because it is not very intrusive, physical injuries to the hand or face, depending on which the system uses, could cause false rejections.

6. a. The false rejection rate (FRR) is a measurement of valid users who will be falsely rejected by the system. This is called a Type I error.
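FRR is one side of a trade-off that the definition alone does not show. The following Python, added as an example and not from the book, computes FRR (Type I) and its counterpart FAR (Type II, impostors wrongly accepted) from constructed matcher scores, sweeps the decision threshold, and reports the crossover error rate. That goes beyond this question, but it is how biometric systems are usually compared.

```python
# Added example (not from the book): computing FRR (Type I), FAR (Type II) and
# the crossover error rate from constructed matcher scores. Scores are
# similarity values in [0, 1]; a sample is accepted when score >= threshold.

# Constructed sample scores: genuine users usually score high, impostors low,
# with some overlap (the 0.67 genuine and the 0.70 impostor).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.85, 0.93, 0.67, 0.89, 0.90, 0.80]
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.62, 0.41, 0.70, 0.30, 0.48, 0.58, 0.25]


def rates_at(threshold: float, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Returns (FRR, FAR) at one threshold.
    FRR (Type I): share of legitimate users rejected, i.e. genuine score < threshold.
    FAR (Type II): share of impostors accepted, i.e. impostor score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps: int = 100):
    """Sweep thresholds 0..1 and return (threshold, FRR, FAR) where the two
    rates are closest; that rate is the crossover error rate (CER/EER), the
    usual single figure for comparing biometric systems (lower is better)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates_at(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _gap, t, frr, far = best
    return t, frr, far


if __name__ == "__main__":
    for t in (0.50, 0.65, 0.80, 0.95):
        frr, far = rates_at(t)
        print(f"threshold {t:.2f}: FRR={frr:.0%} FAR={far:.0%}")
    t, frr, far = crossover()
    print(f"crossover near threshold {t:.2f}: FRR={frr:.0%} FAR={far:.0%} (CER)")
```

Raising the threshold drives FAR down and FRR up; a door to a data center is tuned toward low FAR and accepts more complaints from legitimate users, while a phone unlock is usually tuned the other way.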

7. a. The following is a list of the most popular biometric methods, ranked by user acceptance, starting with the methods that are most popular:

1. Voice pattern

2. Keystroke pattern

3. Signature dynamics

4. Hand geometry

5. Hand print

6. Fingerprint

7. Iris scan

8. Retina scan

8. a. A policy enforcement point (PEP) is an entity that is protecting the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.

9. d. Attestation provides evidence about a target to an appraiser so the target’s compliance with some policy can be determined before access is allowed.

10. a. AD uses Kerberos, the same authentication protocol used on UNIX systems. Kerberos authenticates a user once, issuing a ticket-granting ticket (TGT); the client then uses the TGT to obtain a service ticket for each resource, so the user can perform all actions and access all resources to which he has been given permission without presenting credentials again. Authorization itself is still decided by each resource from the user's group memberships and the resource's permissions.

Chapter 15

1. c. You should encrypt the folder and all its contents. Hashing reduces a message to a fixed-length hash value and is used to detect whether a file's contents have changed, but it does nothing to stop anyone from reading or editing the data. Decryption converts ciphertext back into plaintext. A digital signature, which is a hash of the message signed with the sender's private key and sent along with the original message, provides sender authentication and message integrity but, like a hash, leaves the contents readable.

2. d. A symmetric algorithm uses a private, or secret, key that must remain secret between the two parties. A running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. A concealment cipher occurs when plaintext is interspersed somewhere within other written material. An asymmetric algorithm uses both a public key and a private, or secret, key.

3. b. The 3DES-EEE3 implementation encrypts each block of data three times, each time with a different key. The 3DES-EDE3 implementation encrypts each block of data with the first key, decrypts each block with the second key, and encrypts each block with the third key. The 3DES-EEE2 implementation encrypts each block of data with the first key, encrypts each block with the second key, and then encrypts each block again with the first key. The 3DES-EDE2 implementation encrypts each block of data with the first key, decrypts each block with the second key, and then encrypts each block with the first key.
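An added example, not from the book, that builds the four 3DES variants from single DES using Go's standard library and checks two facts worth remembering: Go's own TripleDES implementation is EDE3 (keys K1, K2, K3 in that order), and with K1 = K2 = K3 the middle decryption cancels the first encryption, so EDE collapses to single DES, which is why EDE rather than EEE was chosen for backward compatibility with single-DES equipment. The keys and the plaintext block are constructed values; the code operates on a single 8-byte block with no mode of operation, and 3DES itself is deprecated by NIST, so this is a study aid rather than something to encrypt data with.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed 8-byte DES keys for the demonstration; not real secrets.
var (
	keyA = []byte("key-one!")
	keyB = []byte("key-two!")
	keyC = []byte("key-tri!")
)

// desBlock returns a single-DES block cipher for an 8-byte key.
func desBlock(key []byte) cipher.Block {
	b, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// singleDES encrypts one 8-byte block with plain DES: C = E_k(P).
func singleDES(key, p []byte) []byte {
	out := make([]byte, des.BlockSize)
	desBlock(key).Encrypt(out, p)
	return out
}

// ede3Encrypt computes C = E_k3(D_k2(E_k1(P))) for one block.
func ede3Encrypt(k1, k2, k3, p []byte) []byte {
	out := make([]byte, des.BlockSize)
	desBlock(k1).Encrypt(out, p)
	desBlock(k2).Decrypt(out, out)
	desBlock(k3).Encrypt(out, out)
	return out
}

// ede3Decrypt reverses ede3Encrypt: P = D_k1(E_k2(D_k3(C))).
func ede3Decrypt(k1, k2, k3, c []byte) []byte {
	out := make([]byte, des.BlockSize)
	desBlock(k3).Decrypt(out, c)
	desBlock(k2).Encrypt(out, out)
	desBlock(k1).Decrypt(out, out)
	return out
}

// eee3Encrypt computes C = E_k3(E_k2(E_k1(P))) for one block.
func eee3Encrypt(k1, k2, k3, p []byte) []byte {
	out := make([]byte, des.BlockSize)
	desBlock(k1).Encrypt(out, p)
	desBlock(k2).Encrypt(out, out)
	desBlock(k3).Encrypt(out, out)
	return out
}

// stdlibEDE3 uses Go's TripleDES, keyed with the 24-byte concatenation k1||k2||k3.
func stdlibEDE3(k1, k2, k3, p []byte) []byte {
	b, err := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	b.Encrypt(out, p)
	return out
}

func main() {
	p := []byte("8 bytes!") // one constructed plaintext block

	fmt.Println("hand-built EDE3 == stdlib 3DES:",
		bytes.Equal(ede3Encrypt(keyA, keyB, keyC, p), stdlibEDE3(keyA, keyB, keyC, p)))
	fmt.Println("EDE3 decrypt(encrypt(P)) == P:  ",
		bytes.Equal(ede3Decrypt(keyA, keyB, keyC, ede3Encrypt(keyA, keyB, keyC, p)), p))
	// With one key everywhere, D_k undoes E_k, leaving plain single DES.
	fmt.Println("EDE3(k,k,k) == DES(k):          ",
		bytes.Equal(ede3Encrypt(keyA, keyA, keyA, p), singleDES(keyA, p)))
	// EEE3 with one key is DES applied three times, not single DES.
	fmt.Println("EEE3(k,k,k) == DES(k):          ",
		bytes.Equal(eee3Encrypt(keyA, keyA, keyA, p), singleDES(keyA, p)))
}
```

The 2-key variants (EDE2 and EEE2) are the same functions called with k3 set to k1; the 24-byte stdlib key for EDE2 is therefore k1||k2||k1.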

4. d. RSA is an asymmetric algorithm and should be discontinued because of management’s request to no longer implement asymmetric algorithms. All the other algorithms listed here are symmetric algorithms.

5. a. ECC is not a hash function. It is an asymmetric algorithm. All the other options are hash functions.

6. c. A CRL contains a list of all the certificates that have been revoked. A CA is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. An RA verifies the requestor’s identity, registers the requestor, and passes the request to the CA. The OCSP is an Internet protocol that obtains the revocation status of an X.509 digital certificate.

7. c. You should enable perfect forward secrecy (PFS) on both the main office and branch office ends of the VPN. With PFS, each session (and each rekey interval) runs a fresh Diffie-Hellman exchange with ephemeral keys, so no two sessions share keying material, and the session key is never derived from the long-term keys; the long-term public and private keys only authenticate the exchange. Consequently, if a long-term private key is compromised in the future, previously recorded sessions cannot be decrypted with it. Implementing IPsec alone is not sufficient: IPsec provides confidentiality for the VPN connection, but the scenario specifically requires that a key compromise not expose the traffic, which is what PFS (a negotiable option in IKE) adds.
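An added example, not from the book, that shows the property PFS gives and what its absence costs. Two parties each hold a long-term Ed25519 identity key (used only to sign) and, for the contrast case, a long-term static X25519 key. In `pfsSession` every run generates fresh X25519 keys, signs them with the identity key, and derives the session key from the ephemeral shared secret, so two sessions never share a key and the identity key plays no part in the derivation. In `staticSession` the long-term X25519 keys are reused, and every session derives the same key, which is exactly what a future key compromise would unlock. The key-derivation step is a labelled SHA-256 standing in for a real KDF such as HKDF; the party names and labels are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error so the exchange below reads linearly.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one VPN endpoint's long-term material: an Ed25519 identity key
// used only for signing, and a static X25519 key used only in the non-PFS case.
type Party struct {
	Name     string
	signPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	staticDH *ecdh.PrivateKey
}

func newParty(name string) *Party {
	pub, priv := must2(ed25519.GenerateKey(rand.Reader))
	return &Party{Name: name, signPub: pub, signPriv: priv,
		staticDH: must(ecdh.X25519().GenerateKey(rand.Reader))}
}

func must2(pub ed25519.PublicKey, priv ed25519.PrivateKey, err error) (ed25519.PublicKey, ed25519.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// deriveKey stands in for a proper KDF: it binds a label to the shared secret.
func deriveKey(shared []byte) []byte {
	sum := sha256.Sum256(append([]byte("demo-vpn-session-key|"), shared...))
	return sum[:]
}

// signedEphemeral is what each side sends: a fresh X25519 public key plus a
// signature over it by the sender's long-term identity key.
type signedEphemeral struct{ pub, sig []byte }

func offer(p *Party, eph *ecdh.PrivateKey) signedEphemeral {
	pub := eph.PublicKey().Bytes()
	return signedEphemeral{pub: pub, sig: ed25519.Sign(p.signPriv, pub)}
}

// pfsSession runs one authenticated ephemeral ECDH exchange and returns the
// session key each side derives. Only the ephemeral secrets enter deriveKey.
func pfsSession(a, b *Party) (keyA, keyB []byte) {
	curve := ecdh.X25519()
	aEph := must(curve.GenerateKey(rand.Reader))
	bEph := must(curve.GenerateKey(rand.Reader))
	aMsg, bMsg := offer(a, aEph), offer(b, bEph)

	// Each side verifies the peer's signature before trusting the ephemeral
	// key; without this step an active attacker could substitute their own.
	if !ed25519.Verify(b.signPub, bMsg.pub, bMsg.sig) {
		panic("bad signature from " + b.Name)
	}
	if !ed25519.Verify(a.signPub, aMsg.pub, aMsg.sig) {
		panic("bad signature from " + a.Name)
	}
	aShared := must(aEph.ECDH(must(curve.NewPublicKey(bMsg.pub))))
	bShared := must(bEph.ECDH(must(curve.NewPublicKey(aMsg.pub))))
	return deriveKey(aShared), deriveKey(bShared)
}

// staticSession is the non-PFS alternative: both sides reuse long-term X25519
// keys, so every session yields the same key and a later compromise of either
// static private key decrypts all recorded traffic.
func staticSession(a, b *Party) []byte {
	return deriveKey(must(a.staticDH.ECDH(b.staticDH.PublicKey())))
}

func main() {
	hq, branch := newParty("main-office"), newParty("branch")
	s1a, s1b := pfsSession(hq, branch)
	s2a, _ := pfsSession(hq, branch)
	fmt.Println("PFS: both ends agree:", bytes.Equal(s1a, s1b),
		"; session 1 key == session 2 key:", bytes.Equal(s1a, s2a))
	fmt.Println("static DH: session 1 key == session 2 key:",
		bytes.Equal(staticSession(hq, branch), staticSession(hq, branch)))
}
```

Run it and the PFS sessions agree on each end but differ from one another, while the static sessions repeat the same key every time. In a real IPsec deployment the same effect is obtained by enabling PFS in the IKE proposal so that each rekey performs a new DH exchange instead of deriving from the phase 1 secret.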

8. a. Crypto module is a term used to describe the hardware, software, and/or firmware that implements cryptographic logic or cryptographic processes. Several standards bodies can assess and rate these modules. Among them is NIST, using the Federal Information Processing Standard (FIPS) Publication 140-2; FIPS 140-3 has since superseded it for new validations, although many deployed modules still carry 140-2 certificates.

9. b. An example is the Trusted Platform Module (TPM) on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. Another example is the processors contained in hardware security modules.

10. c. Secure Shell (SSH) is an application and protocol that is used to remotely log in to another computer using a secure tunnel. After a session key is exchanged and the secure channel is established, all communication between the two computers is encrypted over the secure channel.

Chapter 16

1. c. While network performance may be a consideration in the selection of a product, it is the only issue listed here that is not a security issue.

2. b. Although split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session. You can provide better performance for participants by disallowing split tunneling on the VPN concentrator. Disabling it also forces all client traffic through the corporate gateway's inspection and filtering, which is the more common security reason for turning it off.

3. b. Although encryption would help prevent data leakage, it would do nothing to stop the introduction of malware through the IM connection.

4. a. Many products implement proprietary encryption, but proprietary, unreviewed algorithms may not satisfy the requirements of regulated industries and have a poor track record when independently examined. Always use the level of encryption required by your industry, implemented with a vetted standard such as Advanced Encryption Standard (AES).

5. b. You want to select a product that uses a secure protocol. One example is Extensible Messaging and Presence Protocol (XMPP) over TLS.

6. b. Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) is the SIP extension that carries instant messaging and presence traffic; to protect that traffic it should be run over TLS.

7. c. Sender Policy Framework (SPF) is an email validation system: the domain owner publishes in DNS (as a TXT record) the list of hosts allowed to send mail for that domain, and the receiving server checks whether the connecting sender's IP address is on that list. A message that fails the check is not automatically discarded; the record's qualifier (-all for fail, ~all for softfail) together with the receiving server's policy decides whether it is rejected, quarantined, or delivered with a failure mark.
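An added example, not from the book, of the SPF evaluation a receiving mail server performs. It parses a published record, walks the mechanisms left to right, and returns the RFC 7208 result for the first one that matches. The DNS lookups are replaced by a constructed map of TXT records (the domains are documentation names and the addresses are reserved test ranges), so the program runs offline; `include:` is followed through that map, while the `a`, `mx`, `ptr` and `exists` mechanisms, which need live DNS, are treated as non-matching here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for the DNS TXT lookups a real evaluator would make.
var txtRecords = map[string]string{
	"example.com":           "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
	"_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

// checkSPF returns "pass", "fail", "softfail", "neutral", "none" (no record)
// or "permerror" (too many nested includes) for a sender IP and a domain.
func checkSPF(domain string, ip net.IP) string {
	return evalSPF(domain, ip, 0)
}

func evalSPF(domain string, ip net.IP, depth int) string {
	if depth > 10 { // RFC 7208 caps DNS-querying terms at 10 per check
		return "permerror"
	}
	rec, ok := txtRecords[strings.ToLower(domain)]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "+" // a mechanism with no qualifier means pass
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		mech, arg, _ := strings.Cut(term, ":")
		matched := false
		switch strings.ToLower(mech) {
		case "all":
			matched = true
		case "ip4", "ip6":
			matched = ipMatches(arg, ip)
		case "include":
			// include matches only when the referenced record yields pass;
			// its fail/softfail results do not propagate.
			matched = evalSPF(arg, ip, depth+1) == "pass"
		default:
			// a, mx, ptr, exists: need live DNS, not modelled in this example.
		}
		if matched {
			return resultFor(qualifier)
		}
	}
	return "neutral" // no mechanism matched and no "all" term was present
}

// ipMatches handles a bare address ("ip4:198.51.100.10") or a CIDR block.
func ipMatches(arg string, ip net.IP) bool {
	if !strings.Contains(arg, "/") {
		single := net.ParseIP(arg)
		return single != nil && single.Equal(ip)
	}
	_, block, err := net.ParseCIDR(arg)
	return err == nil && block.Contains(ip)
}

func resultFor(qualifier string) string {
	switch qualifier {
	case "-":
		return "fail"
	case "~":
		return "softfail"
	case "?":
		return "neutral"
	}
	return "pass"
}

func main() {
	for _, sender := range []string{"203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"} {
		fmt.Printf("mail from example.com via %-15s -> %s\n", sender, checkSPF("example.com", net.ParseIP(sender)))
	}
}
```

Note that a result of "fail" is only an input to the receiver's policy; whether the message is rejected at SMTP time, quarantined, or delivered with an Authentication-Results header is decided by the receiving server, often in combination with DMARC.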

8. c. VoIP systems do not use a traditional circuit-switched PBX; call setup is handled by an IP PBX or SIP server, and the calls themselves travel as packets over the data network.

9. b. The following types of information should not be stored in a public cloud–based solution:

  • Credit card information

  • Trade secrets

  • Financial data

  • Health records

  • State and federal government secrets

  • Proprietary or sensitive data

  • Personally identifiable information

10. d. Unified communication combines voice, video, email, instant messaging, personal assistant, and other communication features.

Chapter 17

1. c. Using best practice documentation allows security personnel to ensure that they know what to do according to industry standards.

2. a. The IETF issues RFCs.

3. d. securiCAD focuses on threat modeling of IT infrastructures using a CAD-based approach where assets are automatically or manually placed on a drawing pane.

4. c, d. You should give the following reasons for the increase in client-side attacks:

  • Client computers are not usually as protected as servers.

  • There are more clients than servers.

5. d. A zero-day attack exploits a vulnerability before the vendor has had any time to release a fix, either because the vendor is still unaware of it or because it was only just disclosed; the name refers to the zero days available to patch, not to the day the application is released.

6. d. Topology discovery is the process of identifying the devices and their connectivity relationship with one another. It entails attempting to create a map of the network.

7. a. Phishing is a social engineering attack that involves sending a mass email that appears to come from a trusted party, such as the recipient’s bank. It includes a link that purports to connect to the bank’s site, when in reality it is a fake site under the attacker’s control that appears to be identical to the bank’s site in every way.

8. b. The IETF is responsible for creating requests for comments (RFCs) that describe research and innovations on the Internet and its systems. RFCs go through IETF review and, once approved, are published; only those placed on the Standards Track become Internet standards, while the rest are informational, experimental, or best current practice documents.

9. d. The FBI does not list natural disasters as one of the three threat actors.

10. a. Hadoop is an open-source software framework used for distributed storage and processing of big data.

Chapter 18

1. a. A configuration item (CI) is a uniquely identifiable subset of the system that represents the smallest portion to be subject to an independent configuration control procedure. When an operation is broken into individual CIs, the process is called configuration identification.

2. c. When decommissioning an asset, you should back up all the data on the asset and ensure that the data is completely removed. You should shred all the hard drives in the asset only if you are sure you will not be reusing the asset or if the hard drives contain data of the most sensitive nature; drives that will be reused should be sanitized with a verified wipe or cryptographic erase before redeployment.

3. d. All changes should be formally requested. The following are some change management guidelines:

  • Each request should be analyzed to ensure that it supports all goals and policies.

  • Prior to formal approval, all costs and effects of the methods of implementation should be reviewed.

  • After changes are approved, the change steps should be developed.

  • During implementation, incremental testing should occur, and it should rely on a predetermined fallback strategy, if necessary.

  • Complete documentation should be produced and submitted with a formal report to management.

4. b. A system is actually deployed during the implementation stage of the SDLC. The steps in the SDLC are as follows:

1. Initiate

2. Acquire/develop

3. Implement

4. Operate/maintain

5. Dispose

5. a. You should now implement the disposal stage of the SDLC for the old system.

6. d. As part of the initiation stage, you should assess the business impact of the system.

7. c. During the acquisition stage, you should design the security architecture.

8. b. A security requirements traceability matrix (SRTM) documents the security requirements that a new asset must meet.

9. a. Geolocation is a device-tracking technology.

10. d. Radio frequency identification (RFID) involves using chips and receivers to manage inventory.

Chapter 19

1. a. The following people should be involved in the data center design and deployment: database administrator, network administrator, facilities manager, physical security manager, and management.

2. b. The programmers should collaborate with the network administrator to determine the performance and security impact of the new application on the enterprise.

3. c. The facilities manager and physical security manager are most likely to provide valuable information in this area.

4. d. The sales staff’s devices are often targets for attackers.

5. a. Database administrators should grant permission based on individual user accounts, not roles.

6. b. The business unit managers and the chief information officer (CIO) are most likely to be considered data owners.

7. c. All personnel within an organization will have some level of security requirements and responsibilities.

8. a, b. Departmental security policies and security awareness training are administrative controls. Administrative or management controls are implemented to administer the organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.

9. c, d. Biometrics and guards are physical controls. Physical controls are implemented to protect an organization’s facilities and personnel.

10. b, c. Authentication and firewalls are technical controls. Logical, or technical, controls are software or hardware components used to restrict access.
