Appendix A. Answers

Chapter 1

1. C. Explanation: You should encrypt the folder and all its contents. Hashing reduces a message to a hash value and is a method for determining whether the contents of a file have been changed, but it does not protect data from editing. Decryption converts ciphertext into plaintext. A digital signature provides sender authentication and message integrity by attaching to the original message a signature computed over it.

2. A. Explanation: Key clustering occurs when different encryption keys generate the same ciphertext from the same plaintext message. Cryptanalysis is the science of decrypting ciphertext without prior knowledge of the key or cryptosystem used. A keyspace is all the possible key values when using a particular algorithm or other security measure. Confusion is the process of changing a key value during each round of encryption.

3. D. Explanation: A symmetric algorithm uses a private or secret key that must remain secret between the two parties. A running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. A concealment cipher occurs when plaintext is interspersed somewhere within other written material. An asymmetric algorithm uses both a public key and a private or secret key.

4. C. Explanation: A one-time pad is the most secure encryption scheme because it is used only once.

5. B. Explanation: The 3DES-EEE3 implementation encrypts each block of data three times, each time with a different key. The 3DES-EDE3 implementation encrypts each block of data with the first key, decrypts each block with the second key, and encrypts each block with the third key. The 3DES-EEE2 implementation encrypts each block of data with the first key, encrypts each block with the second key, and then encrypts each block again with the first key. The 3DES-EDE2 implementation encrypts each block of data with the first key, decrypts each block with the second key, and then encrypts each block with the first key.
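The four keying modes described above, as an added illustration that is not from the book. DES is not in the Python standard library, so a small keyed Feistel cipher on 64-bit blocks stands in for it; the EEE/EDE composition rules and the "EDE with one key equals single encryption" property do not depend on the cipher underneath.

```python
"""Added example (not from the book): the four 3DES keying modes built from one block cipher.

A small keyed Feistel cipher on 8-byte blocks is a stand-in for DES. The stage
order (encrypt/decrypt) and key reuse (three keys vs. two) follow the text.
"""
import hashlib
import hmac

ROUNDS = 8


def _round_keys(key: bytes):
    # Stand-in key schedule: one 32-bit subkey per round derived with HMAC-SHA256.
    return [hmac.new(key, bytes([r]), hashlib.sha256).digest()[:4] for r in range(ROUNDS)]


def _f(half: bytes, subkey: bytes) -> bytes:
    # Round function: any keyed one-way mixing works for a Feistel structure.
    return hashlib.sha256(half + subkey).digest()[:4]


def _feistel(block: bytes, subkeys) -> bytes:
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(right, sk)))
    # Final swap makes decryption the same walk with the subkeys reversed.
    return right + left


def encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _round_keys(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _round_keys(key)[::-1])


# Three-key modes: each stage uses its own key.
def eee3_encrypt(k1, k2, k3, b):
    return encrypt(k3, encrypt(k2, encrypt(k1, b)))


def eee3_decrypt(k1, k2, k3, c):
    return decrypt(k1, decrypt(k2, decrypt(k3, c)))


def ede3_encrypt(k1, k2, k3, b):
    return encrypt(k3, decrypt(k2, encrypt(k1, b)))


def ede3_decrypt(k1, k2, k3, c):
    return decrypt(k1, encrypt(k2, decrypt(k3, c)))


# Two-key modes: the third stage reuses the first key.
def eee2_encrypt(k1, k2, b):
    return eee3_encrypt(k1, k2, k1, b)


def eee2_decrypt(k1, k2, c):
    return eee3_decrypt(k1, k2, k1, c)


def ede2_encrypt(k1, k2, b):
    return ede3_encrypt(k1, k2, k1, b)


def ede2_decrypt(k1, k2, c):
    return ede3_decrypt(k1, k2, k1, c)


def ede_collapses_to_single(key: bytes, block: bytes) -> bool:
    """EDE with one key in all three stages is plain single encryption, because the
    middle decryption undoes the first encryption; this is what let EDE hardware
    interoperate with single-DES peers. EEE has no such property."""
    return ede3_encrypt(key, key, key, block) == encrypt(key, block)


if __name__ == "__main__":
    k1, k2, k3, block = b"key-one", b"key-two", b"key-three", b"8 bytes!"
    print("EDE3 round trip:", ede3_decrypt(k1, k2, k3, ede3_encrypt(k1, k2, k3, block)) == block)
    print("EDE(k,k,k) == E(k):", ede_collapses_to_single(k1, block))
    print("EEE(k,k,k) == E(k):", eee3_encrypt(k1, k1, k1, block) == encrypt(k1, block))
```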

6. D. Explanation: RSA is an asymmetric algorithm and should be discontinued because of management’s request to no longer implement asymmetric algorithms. All the other algorithms listed here are symmetric algorithms.

7. A. Explanation: ECC is not a hash function. It is an asymmetric algorithm. All the other options are hash functions.

8. C. Explanation: A CRL contains a list of all the certificates that have been revoked. A CA is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. An RA verifies the requestor’s identity, registers the requestor, and passes the request to the CA. OCSP is an Internet protocol that obtains the revocation status of an X.509 digital certificate.

9. D. Explanation: A brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. A frequency analysis attack relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. A reverse engineering attack occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used. A ciphertext-only attack uses several encrypted messages (ciphertext) to figure out the key used in the encryption process.

10. C. Explanation: You should enable perfect forward secrecy (PFS) on the main office and branch offices’ ends of the VPN. PFS increases the security for a VPN because it ensures that the same key will not be generated by forcing a new key exchange. PFS ensures that a session key created from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. PFS depends on asymmetric or public key encryption. If you implement PFS, disclosure of the long-term secret keying information that is used to derive a single key does not compromise the previously generated keys. You should not implement IPsec because it does not protect against key compromise. While it does provide confidentiality for the VPN connection, the scenario specifically states that you needed to ensure that the key is not compromised.

Chapter 2

1. C. Explanation: A private cloud is a solution owned and managed by one company solely for that company’s use. This provides the most control and security but also requires the biggest investment in both hardware and expertise.

2. A. Explanation: You should prevent metadata from being used interactively.

3. B. Explanation: Placing older data on low-cost, low-performance storage while keeping more active data on faster storage systems is sometimes called tiering.

4. D. Explanation: In NAS, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, or HTTP to connect to a NAS and share files.

5. B. Explanation: Virtual storage area networks (VSANs) are logical divisions of a storage area network, much like a VLAN is a logical subdivision of a local area network. They provide separation between sections of a SAN.

6. B. Explanation: Fibre Channel over Ethernet (FCoE) encapsulates Fibre Channel traffic within Ethernet frames, much as iSCSI encapsulates SCSI commands in IP packets.

7. C. Explanation: NFS was developed for use with UNIX and Linux-based systems, while CIFS is a public version of Server Message Block (SMB), which was invented by Microsoft.

8. B. Explanation: Multipathing is simply the use of multiple physical or virtual network paths to the storage device. This can provide both network fault tolerance and increased performance. It therefore satisfies the availability requirement of CIA.

9. C. Explanation: LUN masking can be done at either the host bus adapter (HBA) level or at the storage controller level. Using it at the storage controller level provides greater security because it is possible to defeat LUN masking at the HBA level by forging either an IP address, MAC address, or World Wide Name.

10. B. Explanation: Synchronous replication provides near-real-time replication but uses more bandwidth and cannot tolerate latency.

Chapter 3

1. A. Explanation: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike using Telnet or SSH, which allow only work at the command line, RDP enables you to work on the computer as if you were at its console.

2. D. Explanation: One or more consecutive sections with only a 0 can be represented with a single empty section (double colons), but this technique can be applied only once.
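The "::" rule above, as an added example that is not from the book: a parser that rejects a second "::" (the address would be ambiguous) and a compressor that follows RFC 5952, so that two spellings of one IPv6 host normalize to the same string before being compared against an ACL or allow list. IPv4-embedded notation (a trailing dotted quad) is out of scope here.

```python
"""Added example (not from the book): IPv6 zero compression and the single-"::" rule."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list:
    """Return the eight 16-bit groups of addr as integers.

    Only one "::" is permitted: with two, there is no way to tell how many zero
    groups each one stands for, so the address is rejected instead of guessed at.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % addr)
        parts = lgroups + ["0"] * missing + rgroups
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 groups, got %d in %r" % (len(parts), addr))
    groups = []
    for p in parts:
        if not 1 <= len(p) <= 4 or not set(p) <= HEX:
            raise ValueError("bad group %r in %r" % (p, addr))
        groups.append(int(p, 16))
    return groups


def compress_ipv6(groups) -> str:
    """Render groups in RFC 5952 form: lowercase hex, no leading zeros, and the
    longest run of two or more zero groups (leftmost on a tie) written as "::".
    A single zero group is never shortened."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i >= 2 and j - i > best_len:
            best_start, best_len = i, j - i
        i = j if j > i else i + 1
    words = ["%x" % g for g in groups]
    if best_len == 0:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def normalize_ipv6(addr: str) -> str:
    """Canonical text form; compare ACL entries on this, never on raw spelling."""
    return compress_ipv6(expand_ipv6(addr))


def same_host(a: str, b: str) -> bool:
    """Two textual addresses name the same host iff their group values agree."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(addr: str) -> bool:
    """Cross-check against the canonical form produced by Python's ipaddress module."""
    return normalize_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:0000:0000:0000:0000:0001", "fe80::1", "0:0:0:0:0:0:0:1"):
        print("%-40s -> %s" % (a, normalize_ipv6(a)))
    try:
        expand_ipv6("2001::db8::1")
    except ValueError as e:
        print("rejected:", e)
```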

3. D. Explanation: Teredo assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators (NATs).

4. B. Explanation: When HTTPS is used, port 80 is not used. Rather, it uses port 443.

5. C. Explanation: Extensible Authentication Protocol (EAP) is not a single protocol but a framework for port-based access control that uses the same three components that are used in RADIUS.

6. D. Explanation: 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components:

- Supplicant: The user or device requesting access to the network

- Authenticator: The device through which the supplicant is attempting to access the network

- Authentication server: The centralized device that performs authentication

7. A. Explanation: A signature-based IDS uses a database of attack characteristics called signatures. This database must be kept updated to provide protection.

8. B. Explanation: A web application firewall applies rule sets to an HTTP conversation. These sets cover common attack types to which these session types are susceptible.

9. C. Explanation: Among the architectures used are:

- Interception-based model: Watches the communication between the client and the server

- Memory-based model: Uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed

- Log-based model: Analyzes and extracts information from the transaction logs

10. B. Explanation: Switches improve performance over hubs because they eliminate collisions. Each switch port is in its own collision domain, while all ports of a hub are in the same collision domain.

Chapter 4

1. B. Explanation: A trusted operating system (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. This goal was first brought forward by an organization called TCSEC.

2. B. Explanation: Autorun should be disabled.

3. C. Explanation: Network DLP is installed at network egress points near the perimeter. It analyzes network traffic.

4. A. Explanation: On Linux-based systems, a common host-based firewall is iptables, which replaces a previous package called ipchains. It has the ability to accept or drop packets.

5. C. Explanation: The following are all components of hardening an OS:

- Unnecessary applications should be removed.

- Unnecessary services should be disabled.

- Unrequired ports should be blocked.

- The connecting of external storage devices and media should be tightly controlled if allowed at all.

6. B. Explanation: The inherent limitation of ACLs is their inability to detect whether IP spoofing is occurring. IP address spoofing is a technique hackers use to hide their trail or to masquerade as another computer. A hacker alters the IP address as it appears in a packet to attempt to allow the packet to get through an ACL that is based on IP addresses.

7. B. Explanation: Management interfaces are used for accessing a device remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device’s internal network. Through a management interface, you can access the device over the network by using utilities such as SSH and Telnet. SNMP can use the management interface to gather statistics from the device.

8. A. Explanation: Bluesnarfing is the unauthorized access to a device using a Bluetooth connection. In this case, the attacker is trying to access information on the device.

9. B. Explanation: A Trusted Platform Module (TPM) chip is a security chip installed on a computer’s motherboard that is responsible for managing symmetric and asymmetric keys, hashes, and digital certificates. This chip provides services to protect passwords, encrypt drives, and manage digital rights, making it much harder for attackers to gain access to computers that have a TPM chip enabled.

10. A. Explanation: Hypervisors can be either Type I or Type II. A Type I hypervisor (or native, bare metal) is one that runs directly on the host’s hardware to control the hardware and to manage guest operating systems. A guest operating system thus runs on another level above the hypervisor.

Chapter 5

1. C. Explanation: Secure by default means that without changes, the application is secure. For example, some server products have certain capabilities (such as FTP), but the service has to be enabled. This ensures that the port is not open if it is not being used.

2. B. Explanation: This particular XSS example is designed to steal a cookie from an authenticated user.

3. C. Explanation: Cross-Site Request Forgery (CSRF) is an attack that causes an end user to execute unwanted actions on a web application in which he or she is currently authenticated. Unlike with XSS, in CSRF, the attacker exploits the website’s trust of the browser rather than the other way around. The website thinks that the request came from the user’s browser and is made by the user when actually the request was planted in the user’s browser.

4. B. Explanation: Input validation is the process of checking all input for things such as proper format and proper length.

5. A. Explanation: A SQL injection attack inserts, or “injects,” a SQL query as the input data from the client to the application. In this case, the attack is identified in the error message, and we can see a reference to the SELECT command as data, which indicates an attempt to inject a command as data.

6. B. Explanation: Fuzz testing, or fuzzing, injects invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.

7. C. Explanation: A packet containing a long string of NOPs followed by a command usually indicates a type of buffer overflow attack called an NOP slide. The purpose is to get the CPU to locate where a command can be executed.

8. A. Explanation: Integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. For instance, adding 1 to the largest value that can be represented constitutes an integer overflow. The register width of a processor determines the range of values that can be represented.

9. B. Explanation: The Open Web Application Security Project (OWASP) is a group that monitors attacks, specifically web attacks. OWASP maintains a list of top 10 attacks on an ongoing basis. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.

10. D. Explanation: In this example of a buffer overflow, 16 characters are being sent to a buffer that is only 8 bytes. With proper input validation, this will cause an access violation.

Chapter 6

1. B. Explanation: A third-party connection agreement (TCA) is a document that spells out the exact security measures that should be taken with respect to the handling of data exchanged between the parties. This is a document that should be executed in any instance where a partnership involves depending on another entity to secure company data.

2. B. Explanation: There is a trade-off when a decision must be made between the two architectures. A private solution provides the most control over the safety of your data but also requires staff and knowledge to deploy, manage, and secure the solution.

3. C. Explanation: A community cloud is shared by organizations that are addressing a common need, such as regulatory compliance. Such shared clouds may be managed by either a cross-company team or a third-party provider. This can be beneficial to all participants because it can reduce the overall cost to each organization.

4. B. Explanation: The auditors and the compliance team should be using matching frameworks.

5. C. Explanation: Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures.

6. B. Explanation: Downstream liability refers to liability that an organization accrues due to partnerships with other organizations and customers.

7. A. Explanation: Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur.

8. B. Explanation: The International Organization for Standardization (ISO), often incorrectly referred to as the International Standards Organization, joined with the International Electrotechnical Commission (IEC) to standardize the British Standard 7799 (BS7799) to a new global standard that is now referred to as the ISO/IEC 27000 series. ISO 27000 is a security program development standard on how to develop and maintain an information security management system (ISMS).

9. D. Explanation: A three-legged firewall is an example of traditional perimeterization. Examples of de-perimeterization include telecommuting, cloud computing, “bring your own device” (BYOD), and outsourcing.

10. C. Explanation: It’s a well-known fact that security measures negatively affect both network performance and ease of use for users. With this in mind, the identification of situations where certain security measures (such as encryption) are required and where they are not required is important. Eliminating unnecessary measures can both enhance network performance and reduce complexity for users.

Chapter 7

1. D. Explanation: Technical threat agents include hardware and software failure, malicious code, and new technologies. Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

2. D. Explanation: SLE indicates the monetary impact of each threat occurrence. ARO is the estimate of how often a given threat might occur annually. ALE is the expected risk factor of an annual threat event. EF is the percent value or functionality of an asset that will be lost when a threat event occurs.

3. B. Explanation: Risk avoidance involves terminating the activity that causes a risk or choosing an alternative that is not as risky. Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

4. A. Explanation: Advisory security policies provide instruction on acceptable and unacceptable activities. Nondisclosure agreements (NDAs) are binding contracts that are signed to ensure that the signer does not divulge confidential information. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

5. C. Explanation: The formula given in the scenario is used to calculate the aggregate CIA score. To calculate ALE, you should multiply the SLE × ARO. To calculate SLE, you should multiply AV × EF. Quantitative risk involves using SLE and ALE.

6. B. Explanation: You are leading the continuous monitoring program, which will periodically assess its information security awareness. A security training program designs and delivers security training at all levels of the organization. A risk mitigation program attempts to identify risks and select and deploy mitigating controls. Threat identification identifies all threats to an organization as part of risk management.

7. C. Explanation: You are providing the total cost of ownership (TCO). Return on investment (ROI) refers to the money gained or lost after an organization makes an investment. Single loss expectancy (SLE) is the monetary impact of each threat occurrence. Net present value (NPV) is a type of ROI calculation that compares ALE against the expected savings as a result of an investment and considers the fact that money spent today is worth more than savings realized tomorrow.

8. A. Explanation: Inherent risks are risks that are unavoidable. You should still implement security controls to protect against them. Residual risk is the level of risk remaining after the safeguards or controls have been implemented. Technical and operational are two types of threat agents, not types of risks.

9. B. Explanation: Confidentiality and integrity have been violated. Changing the data violates integrity, and accessing patented design plans violates confidentiality. Availability is not violated in this scenario.

10. C. Explanation: SLE = AV × EF = $12,000 × 10% = $1,200

ALE = SLE × ARO = $1,200 × 5% = $60

Chapter 8

1. B. Explanation: You should implement separation of duties, a security control that requires multiple employees to complete a task.

2. A. Explanation: An SLA lists all the guaranteed performance levels of a new connection.

3. C. Explanation: An NDA should be used to ensure data privacy.

4. D. Explanation: The principle of least privilege should be implemented for all positions, not just high-level positions.

5. B. Explanation: The primary concern of PII is confidentiality.

6. C. Explanation: Several invalid password attempts for multiple users is an example of an incident. All the other examples are events.

7. D. Explanation: The steps of a risk assessment are as follows:

1. Identify assets and asset value.

2. Identify vulnerabilities and threats.

3. Calculate threat probability and business impact.

4. Balance threat impact with countermeasure cost.

8. A. Explanation: An SOA identifies the controls chosen by an organization and explains how and why the controls are appropriate.

9. A. Explanation: The four main steps of the BIA are as follows:

1. Identify critical processes and resources.

2. Identify outage impacts and estimate downtime.

3. Identify resource requirements.

4. Identify recovery priorities.

10. B. Explanation: The mean time to repair (MTTR) describes the average amount of time it will take to get a device fixed and back online.

Chapter 9

1. D. Explanation: You should not consider data size when a legal case is presented to a company. In e-discovery, you should consider inventory and asset control, data retention policies, data recovery and storage, data ownership, data handling, and legal holds.

2. C. Explanation: The primary reason for having an e-discovery process is to provide evidence in a digital investigation.

3. B. Explanation: A data custodian should be responsible for implementing the controls.

4. A. Explanation: You should adopt a data retention policy of 5 years. Laws and regulations cannot be ignored. Adopting the longer data retention policy will ensure that you comply with federal law.

5. B. Explanation: You will need to restore two backups: Monday’s full backup and Thursday’s differential backup.

6. C. Explanation: After detecting the attack, the IT technician should respond to the incident by stopping the remote desktop session. The steps in incident response are as follows:

1. Detect the incident.

2. Respond to the incident.

3. Report the incident to the appropriate personnel.

4. Recover from the incident.

5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.

6. Review the incident and document all findings.

7. D. Explanation: The primary crime scene during a digital attack is the system or device being attacked. All the other devices are considered as part of the evidence trail but are not primary crime scenes.

8. A. Explanation: The most likely reason that this attack was successful was that no one was reviewing the audit logs.

9. A. Explanation: The chain of custody is not concerned with who detected the evidence. The chain of custody shows who controlled the evidence, who secured the evidence, and who obtained the evidence.

10. B. Explanation: The five rules of evidence are as follows:

- Be authentic.

- Be accurate.

- Be complete.

- Be convincing.

- Be admissible.

Chapter 10

1. C. Explanation: Using best practice documentation will allow security personnel to ensure that they know what to do according to industry standards.

2. A. Explanation: The IETF issues RFCs.

3. B. Explanation: Situational awareness is being aware of the environment in which a system operates at a certain point in time.

4. C, D. Explanation: You should give the following reasons for the increase in client-side attacks:

- Client computers are not usually as protected as servers.

- There are more clients than servers.

5. D. Explanation: A zero-day attack occurs when a security vulnerability in an application is discovered on the same day the application is released.

6. C. Explanation: An advanced persistent threat (APT) is being carried out. An APT is carried out over a long period of time and targets a specific entity.

7. A, B, C. Explanation: Malware, phishing, and social engineering attacks can be carried out using social media. Wardriving attacks cannot.

8. B. Explanation: A private cloud will ensure that the data is owned by your organization. All the other options are reasons for choosing a public cloud.

9. D. Explanation: Natural disasters are not listed as one of the three threat actors by the FBI.

10. B. Explanation: A request for proposal (RFP) requires that a vendor reply with a formal bid proposal.

Chapter 11

1. A. Explanation: You should capture benchmarks for all upgraded servers, compare those benchmarks to the old baselines, and replace the old baselines using the new benchmarks for any values that have changed. Benchmarks should always be compared to baselines. Baselines should be updated if changes made to a system can improve the system’s performance.

2. B. Explanation: You should implement each solution one at a time in the virtual lab, run a simulation for the attack in the virtual lab, collect the metrics on the servers’ performance, roll back each solution, implement the next solution, and repeat the process for each solution. Then you should choose which solutions to implement based on the metrics collected. Each solution should be tested in isolation, without the other solutions being deployed. You should run the simulation for the attack in the virtual lab before collecting metrics on the servers’ performance.

3. C. Explanation: You should perform a cost/benefit analysis for the new security control before deploying the control.

4. D. Explanation: When you are collecting and comparing metrics on a day-to-day basis, you are performing daily workloads.

5. A. Explanation: The purpose of a network trends collection policy is to collect trends that will allow you to anticipate where and when defenses might need to be changed.

6. B. Explanation: Performance is the manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose.

7. C. Explanation: Usability means making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements.

8. D. Explanation: You should report the issue to senior management to find out if the higher latency value is acceptable.

9. A. Explanation: You should create a lessons-learned report. All of the other options should be performed before deployment.

10. B. Explanation: You should provide mean time to repair (MTTR) and mean time between failures (MTBF) to provide management with metrics regarding availability.

Chapter 12

1. A. Explanation: Port scanners can be used to scan a network for open ports. Open ports indicate services that may be running and listening on a device that may be susceptible to being used for an attack. These tools basically ping every address and port number combination and keep track of which ports are open on each device as the pings are answered by open ports with listening services and not answered by closed ports.

2. B. Explanation: Protocol analyzers, or sniffers, collect raw packets from the network and are used by both legitimate security professionals and attackers. Using such a tool, you could tell if the traffic of interest is encrypted.

3. D. Explanation: Fuzzers are software tools that find and exploit weaknesses in web applications.

4. B. Explanation: By configuring authentication, you can prevent routing updates with rogue routers.

5. C. Explanation: Malware sandboxing aims at detecting malware code by running it in a computer-based system of one type or another to analyze it for behavior and traits indicative of malware. One of its goals is to spot zero-day malware—that is, malware that has not yet been identified by commercial antimalware systems and therefore does not yet have a cure.

6. D. Explanation: In a blind test, the testing team is provided with limited knowledge of the network systems and devices using publicly available information. The organization’s security team knows that an attack is coming. This test requires more testing team effort than the other test options.

7. A. Explanation: In black-box testing, or zero-knowledge testing, the team is provided with no knowledge regarding the organization’s network. This type of testing is the least time-consuming.

8. B. Explanation: In over-the-shoulder code review, coworkers review the code while the author explains his reasoning.

9. C. Explanation: Pharming is similar to phishing, but pharming actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.

10. D. Explanation: The steps in performing a penetration test are as follows:

1. Document information about the target system or device.

2. Gather information about attack methods against the target system or device.

3. Identify the known vulnerabilities of the target system or device.

4. Execute attacks against the target system or device to gain user and privileged access.

5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.

Chapter 13

1. A. Explanation: The following people should be involved in the data center design and deployment: database administrator, network administrator, facilities manager, physical security manager, and management.

2. B. Explanation: The programmers should collaborate with the network administrator to determine the performance and security impact of the new application on the enterprise.

3. C. Explanation: The facilities manager and physical security manager are most likely to provide valuable information in this area.

4. D. Explanation: The sales staff’s devices are often targets for attackers.

5. A. Explanation: Database administrators should grant permission based on individual user accounts, not roles.

6. B. Explanation: The business unit managers and the chief information officer (CIO) are most likely to be considered data owners.

7. C. Explanation: All personnel within an organization will have some level of security requirements and responsibilities.

8. B. Explanation: Departmental security policies and security awareness training are administrative controls. Administrative or management controls are implemented to administer the organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.

9. C, D. Explanation: Biometrics and guards are physical controls. Physical controls are implemented to protect an organization’s facilities and personnel.

10. B, C. Explanation: Authentication and firewalls are technical controls. Logical or technical controls are software or hardware components used to restrict access.

Chapter 14

1. C. Explanation: While network performance may be a consideration in the selection of a product, it is the only issue listed here that is not a security issue.

2. B. Explanation: While split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session. You can provide better performance for the participants by disallowing split tunneling on the VPN concentrator.

3. B. Explanation: While encryption would help prevent data leakage, it would do nothing to stop the introduction of malware through the IM connection.

4. A. Explanation: Many products implement proprietary encryption, but in regulated industries this type of encryption may not be legal. Always use the level of encryption required by your industry, such as Advanced Encryption Standard (AES).

5. B. Explanation: You want to select a product that uses a secure protocol. One example is Extensible Messaging and Presence Protocol (XMPP) over TLS.

6. B. Explanation: Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) is designed to secure presence traffic.

7. C. Explanation: Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If the sending host can’t be validated, the message is not delivered to the recipient’s mailbox.
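As an added illustration that is not part of the book, the following evaluator shows the core of the SPF check: a sending host’s IP address is matched against the mechanisms the domain administrator published. The record is a constructed sample embedded inline instead of being fetched from DNS, and only the ip4, ip6 and all mechanisms are evaluated (include, a and mx need live DNS lookups).

```python
import ipaddress

# Constructed sample SPF TXT record for a hypothetical domain; a real receiver
# would fetch it with a DNS TXT query, which this offline example skips.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.7 -all"

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split a v=spf1 record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def check_host(sender_ip, record):
    """Return the SPF result for sender_ip evaluated against record.

    Mechanisms are tested left to right; the first match decides the result.
    If nothing matches (no 'all' term at the end), the result is 'neutral',
    which is what RFC 7208 specifies for a record with no matching mechanism.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_record(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # strict=False lets a bare host address such as 198.51.100.7 act as a /32.
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mech!r} requires DNS lookups")
    return "neutral"
```

A receiving mail server would act on the result, for example rejecting on "fail" and marking or quarantining on "softfail".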

8. C. Explanation: VoIP systems do not use the PBX.

9. B. Explanation: The following types of information should not be stored in a public cloud-based solution:

- Credit card information
- Trade secrets
- Financial data
- Health records
- State and federal government secrets
- Proprietary or sensitive data
- Personally identifiable information

10. D. Explanation: IPsec is actually a suite of protocols, in the same way that TCP/IP is. It includes the following components:

- Authentication Header (AH): AH provides data integrity, data origin authentication, and protection from replay attacks.
- Encapsulating Security Payload (ESP): ESP provides all that AH does as well as data confidentiality.
- Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP handles the creation of a security association for the session and the exchange of keys.
- Internet Key Exchange (IKE): Also sometimes referred to as IPsec Key Exchange, IKE provides the authentication material used to create the keys exchanged by ISAKMP during peer authentication. This was proposed to be performed by a protocol called Oakley that relied on the Diffie-Hellman algorithm, but Oakley has been superseded by IKE.

Chapter 15

1. A, B, C, D. Explanation: You should consider the following activities to develop a policy that will provide end-to-end solution ownership for any assets that are added to the enterprise: operational activities, asset disposal, asset reuse, and maintenance.

2. C. Explanation: When decommissioning an asset, you should back up all the data on the asset and ensure that the data is completely removed. You should shred all the hard drives in the asset only if you are sure you will not be reusing the asset or if the hard drives contain data of the most sensitive nature.

3. D. Explanation: All changes should be formally requested. The following are some change management guidelines:

- Each request should be analyzed to ensure that it supports all goals and policies.
- Prior to formal approval, all costs and effects of the methods of implementation should be reviewed.
- After they’re approved, the change steps should be developed.
- During implementation, incremental testing should occur, relying on a predetermined fallback strategy, if necessary.
- Complete documentation should be produced and submitted with a formal report to management.

4. B. Explanation: A system is actually deployed during the implementation stage of the SDLC. The steps in the SDLC are as follows:

1. Initiate

2. Acquire/develop

3. Implement

4. Operate/maintain

5. Dispose

5. A. Explanation: You should now implement the disposal stage of the SDLC for the old system.

6. D. Explanation: As part of the initiation stage, you should assess the business impact of the system.

7. C. Explanation: During the acquisition stage, you should design the security architecture.

8. B. Explanation: A security requirements traceability matrix (SRTM) documents the security requirements that a new asset must meet.

9. A. Explanation: Geolocation is a device-tracking technology.

10. D. Explanation: Radio frequency identification (RFID) uses chips and receivers to manage inventory.

Chapter 16

1. A, B, D. Explanation: The following analysis steps should occur:

1. Determine which applications and services access the information.

2. Document where the information is stored.

3. Document which security controls protect the stored information.

4. Determine how the information is transmitted.

5. Analyze whether authentication is used when accessing the information.

- If it is, determine whether the authentication information is securely transmitted.
- If it is not, determine whether authentication can be used.

6. Analyze enterprise password policies, including password length, password complexity, and password expiration.

7. Determine whether encryption is used to transmit data.

- If it is, ensure that the level of encryption is appropriate and that the encryption algorithm is adequate.
- If it is not, determine whether encryption can be used.

8. Ensure that the encryption keys are protected.

2. C. Explanation: You should first determine whether authentication can be used. Users should use authentication when accessing private or confidential data.

3. A. Explanation: You should consider open standards, de facto standards, and de jure standards.

4. B. Explanation: Because management wants a solution without investing in hardware that will no longer be needed in the future, you should contract with a public cloud service provider.

5. D. Explanation: Data isolation ensures that tenant data in a multi-tenant solution is isolated from other tenants’ data via a tenant ID in the data labels.

6. C. Explanation: A physical network diagram would give you the most information. A physical network diagram shows the details of physical communication links, such as cable length, grade, and wiring paths; servers, with computer name, IP address (if static), server role, and domain membership; device location, such as printer, hub, switch, modem, router, or bridge, as well as proxy location; communication links and the available bandwidth between sites; and the number of users, including mobile users, at each site.

7. A. Explanation: You should deploy a demilitarized zone (DMZ) that will contain only the resources that the partner organization needs to access.

8. D. Explanation: You should deploy a virtual private network (VPN) to allow sales people to access internal resources remotely.

9. B. Explanation: You should recommend customer relationship management (CRM), which identifies customers and stores all customer-related data, particularly contact information and data on any direct contact with customers.

10. A. Explanation: You should deploy Directory Services to allow easy access to internal resources.

Chapter 17

1. C. Explanation: A complex password includes a mixture of upper- and lowercase letters, numbers, and special characters. For many organizations today, this type of password is enforced as part of the organization’s password policy. An advantage of this type of password is that it is very hard to crack. A disadvantage is that it is harder to remember and can often be much harder to enter correctly.

2. B. Explanation: Password history controls how long before a password can be reused. Password policies usually remember a certain number of previously used passwords.

3. C. Explanation: For Linux, passwords are stored in the /etc/passwd or /etc/shadow file. Because the /etc/passwd file is a text file that can be easily accessed, you should ensure that any Linux servers use the /etc/shadow file where the passwords in the file can be protected using a hash.

4. D. Explanation: A hand topography scan records the peaks and valleys of the hand and its shape. This system is usually implemented in conjunction with hand geometry scans because hand topography scans are not unique enough if used alone.

5. D. Explanation: A vascular scan scans the pattern of veins in the user’s hand or face. It is based on physiological characteristics rather than behavioral characteristics. While this method can be a good choice because it is not very intrusive, physical injuries to the hand or face, depending on which the system uses, could cause false rejections.

6. A. Explanation: The false rejection rate (FRR) is a measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

7. A. Explanation: The following is a list of the most popular biometric methods ranked by user acceptance, starting with the methods that are most popular:

1. Voice pattern

2. Keystroke pattern

3. Signature dynamics

4. Hand geometry

5. Hand print

6. Fingerprint

7. Iris scan

8. Retina scan

8. A. Explanation: A policy enforcement point (PEP) is an entity that is protecting the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.

9. D. Explanation: Attestation provides evidence about a target to an appraiser so the target’s compliance with some policy can be determined before allowing access.

10. A. Explanation: AD uses the same authentication and authorization system used in UNIX: Kerberos. This system authenticates a user once and then, through the use of a ticket system, allows the user to perform all actions and access all resources to which he has been given permission without the need to authenticate again.
