370 Appendix ■ Answers
- B. An IPS is an example of a mechanism like a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system that involves people, and an individual is one or more people applying specifications, mechanisms, or activities.
- C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.
- The status messages match with the descriptions as follows:
  - Open: C. The port is accessible on the remote system and an application is accepting connections on that port.
  - Closed: A. The port is accessible on the remote system, but no application is accepting connections on that port.
  - Filtered: B. The port is not accessible on the remote system.
- C. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type I report only covers a point in time, so Susan needs an SOC Type II report to have the information she requires to make a design and operating effectiveness decision based on the report.
- B. WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2's preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.
- D. In many cases when an exploit is initially reported, there are no prebuilt signatures or detections for vulnerability scanners, and the CVE database may not immediately have information about the attack. Jacob's best option is to quickly gather information and review potentially vulnerable servers based on their current configuration. As more information becomes available, signatures and CVE information are likely to be published. Unfortunately for Jacob, IDS and IPS signatures will only detect attacks and won't detect whether systems are vulnerable unless he sees the systems being exploited.
- C. Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.
- B. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.