416 Appendix ■ Answers
107. D. Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company’s goals.
108. D. The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML are industry terms.

109. B. The three components of the DevOps model are software development, operations, and quality assurance.

110. A. The Simple Security Property prevents an individual from reading information at a higher security level than his or her clearance allows. This is also known as the “no read up” rule. The Simple Integrity Property says that a user can’t write data to a higher integrity level than their own. The *-Security Property says that users can’t write data to a lower security level than their own. The Discretionary Security Property allows the use of a matrix to determine access permissions.

111. B. The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.
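The Bell-LaPadula rules from the Simple Security Property answer above, as an added example that is not part of the book: a small Python model in which an access is allowed only when the mandatory rule for the requested mode (the Simple Security Property for reads, the *-Security Property for writes) and a discretionary access matrix both permit it. The level ordering, the compartment lattice, and the sample subject, objects and matrix are constructed for illustration.

```python
from dataclasses import dataclass

# Classification levels in increasing order (ordering assumed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    """Security label: a classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: level at least as high and a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def simple_security(subject: Label, obj: Label) -> bool:
    """Simple Security Property ("no read up"): subject clearance must dominate the object."""
    return subject.dominates(obj)

def star_security(subject: Label, obj: Label) -> bool:
    """*-Security Property ("no write down"): the object's label must dominate the subject."""
    return obj.dominates(subject)

def access_allowed(matrix, subj_name, subject, obj_name, obj, mode):
    """Mandatory rule for the requested mode first, then the discretionary matrix."""
    if mode == "read":
        mandatory = simple_security(subject, obj)
    elif mode == "write":
        mandatory = star_security(subject, obj)
    else:
        raise ValueError(f"unknown access mode: {mode}")
    # Discretionary Security Property: the access matrix must also grant this mode.
    return mandatory and mode in matrix.get((subj_name, obj_name), set())

# Constructed sample data: Alice is cleared SECRET with the NUCLEAR compartment.
SUBJECTS = {"alice": Label("secret", frozenset({"nuclear"}))}
OBJECTS = {"budget": Label("confidential"),
           "plan": Label("top secret", frozenset({"nuclear"})),
           "memo": Label("secret", frozenset({"crypto"}))}
MATRIX = {("alice", "budget"): {"read", "write"},
          ("alice", "plan"): {"read", "write"},
          ("alice", "memo"): {"read", "write"}}

if __name__ == "__main__":
    for obj, mode in [("budget", "read"), ("budget", "write"),
                      ("plan", "read"), ("plan", "write"), ("memo", "read")]:
        ok = access_allowed(MATRIX, "alice", SUBJECTS["alice"], obj, OBJECTS[obj], mode)
        print(f"alice {mode} {obj}: {'allow' if ok else 'deny'}")
```

Even though the matrix grants Alice every mode on every object, the mandatory checks still deny reading the top secret plan (read up), writing to the confidential budget (write down), and touching the memo whose CRYPTO compartment she does not hold.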
112. B. Network Access Control (NAC) systems can be used to authenticate users and then
validate their system’s compliance with a security standard before they are allowed to
connect to the network. Enforcing security profiles can help reduce zero-day attacks,
making NAC a useful solution. A firewall can’t enforce system security policies, whereas
an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall
nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security
feature that can only restrict which systems or devices can connect to a given port.
113. C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.

114. B. Trace coverage is not a type of structural coverage. Common types of structural coverage include statement, branch or decision coverage, loop coverage, path coverage, and data flow coverage.

115. A. During the information gathering and discovery phase of a penetration test, testers will gather information about the target. Whois can provide information about an organization, including IP ranges, physical addresses, and staff contacts. Nessus would be useful during a vulnerability detection phase, and Metasploit would be useful during exploitation. zzuf is a fuzzing tool and is less likely to be used during a penetration test.