362 Appendix ■ Answers
37. D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards
might detect a problem, fences cannot, so they are not all examples of detective controls.
None of these controls would help repair or restore functionality after an issue, so they
are not recovery controls, nor are they administrative controls, which involve policy or
procedures, although the guards might refer to those when performing their duties.

38. B. The strength of a password against brute-force attacks is driven primarily by its
length: each additional character multiplies the size of the search space by the number of
possible characters (for example, one more lowercase letter makes the password 26 times
harder to crack), so a longer password resists brute force better than a shorter one. While
each of the other settings is useful in a strong password policy, none has the same impact
on brute-force attacks.

39. A. The stored sample of a biometric factor is called a reference profile or a reference
template. None of the other answers is a common term used for biometric systems.

40. A. Organizations with very strict security requirements and no tolerance for false
acceptance want to lower the false acceptance rate (FAR) to be as near to zero as possible.
That usually means the false rejection rate (FRR) increases. Different biometric technologies
or a better enrollment (registration) method can improve biometric performance, but false
rejections due to poor data quality are not typically a concern with modern biometric
systems. In this case, knowing the crossover error rate (CER), or having a very high CER,
does not help with the decision.

41. B. The difficulty of brute-forcing a password depends on both the number of possible
characters per position and the number of characters of length. Here there are 26 lowercase
letters, 26 uppercase letters, and 10 digits, for 62 possibilities per position. Adding a
single character of length therefore multiplies the search space by 62^1 = 62, so the new
passwords are 62 times harder to brute-force on average.

42. B. Biometric systems face major usability challenges if enrollment takes too long (more
than a couple of minutes) or if the system is too slow to scan a user and accept or reject
them. FAR and FRR matter for the design decisions made by administrators and designers, but
they are not typically visible to users. CER and EER (equal error rate) are the same thing:
the point at which FAR and FRR meet. Reference profile requirements are a system
requirement, not a user requirement.

43. C. TLS provides confidentiality and integrity for messages in transit, which prevents
eavesdropping. When paired with digital signatures, which provide integrity and
authentication, forged assertions can also be defeated. SAML has no security mode of its
own; it relies on TLS and digital signatures when protection is needed. Hashing the message
without signing it detects accidental corruption but not deliberate tampering, since an
attacker who modifies the message can simply recompute the hash, and it provides no
authentication.

44. B. Integration with cloud-based third parties that rely on local authentication can fail
if the local organization's Internet connectivity or servers are offline. Adopting a hybrid
cloud and local authentication system can ensure that Internet or server outages are
handled, allowing authentication to work regardless of where the user is or if their home
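Worked example for answers 38 and 41 above, added here as illustration; it is not code from the study guide. It generalizes the 26x and 62x figures into a small keyspace calculator and also compares lengthening a password against requiring an extra character class, which the answers do not cover. The class sizes are the usual ASCII counts; the 32-symbol figure and the guess rate in the demo are assumptions.

```python
"""Brute-force keyspace arithmetic behind answers 38 and 41.

Added example, not from the study guide. Class sizes are the usual ASCII
counts; the 32-symbol figure and the guess rate in the demo are assumptions.
"""
from math import log2

CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def charset_size(classes):
    """Distinct characters available per position under a policy."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Candidates an exhaustive search must consider: charset ** length."""
    return charset_size(classes) ** length


def growth_from_length(length, classes, extra=1):
    """Factor by which the keyspace grows when `extra` characters are added.

    Equals charset_size ** extra whatever the starting length: one more
    lowercase-only character costs the attacker 26x (answer 38), one more
    [a-zA-Z0-9] character costs 62x (answer 41).
    """
    return keyspace(length + extra, classes) // keyspace(length, classes)


def growth_from_class(length, classes, new_class):
    """Factor by which the keyspace grows when `new_class` is required at the
    same length: (new_size / old_size) ** length, so it depends on length."""
    ratio = charset_size(classes + [new_class]) / charset_size(classes)
    return ratio ** length


def lengthening_wins(length, classes, new_class):
    """True when one extra character beats requiring `new_class` at this length."""
    return growth_from_length(length, classes) > growth_from_class(length, classes, new_class)


def expected_guesses(length, classes):
    """Average work for an exhaustive search: half the keyspace."""
    return keyspace(length, classes) // 2


def entropy_bits(length, classes):
    """Entropy of a uniformly random password under the policy."""
    return length * log2(charset_size(classes))


def seconds_to_crack(length, classes, guesses_per_second):
    """Expected wall-clock time at a given offline guess rate (assumed figure)."""
    return expected_guesses(length, classes) / guesses_per_second


if __name__ == "__main__":
    base = ["lower", "upper", "digits"]
    rate = 1e10  # assumed: a fast offline attack on an unsalted fast hash, guesses/second
    for n in (6, 8, 10, 12):
        print(f"length {n:2d}: {entropy_bits(n, base):5.1f} bits, "
              f"~{seconds_to_crack(n, base, rate) / 86400:.2e} days at {rate:.0e} g/s; "
              f"+1 char = {growth_from_length(n, base)}x, "
              f"+symbols = {growth_from_class(n, base, 'symbols'):.1f}x")
```

Run it directly for a short table. Two things the answers only imply: the 62x multiplier applies to every added character, so length compounds, while the payoff from adding a class shrinks relative to it as passwords get longer (at length 8, one more [a-zA-Z0-9] character is 62x but requiring symbols is only about 28x; at length 8 with lowercase only, requiring uppercase is 256x and beats the extra character). The arithmetic assumes uniformly random passwords; human-chosen passwords under a complexity rule cluster (capital first, digit last), which is why dictionary and mask attacks beat exhaustive search in practice.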