CISSP Official Practice Tests by Mike Chapple, David Seidl

(chelsyfait) #1

422 Appendix ■ Answers


  38. B. SOC 2 reports are released under NDA to select partners or customers and can
    provide detail on the controls and any issues they may have. A SOC 1 report would only
    provide financial control information, and a SOC 3 report provides less information since
    it is publicly available.


  1. C. A SOC 2, Type 2 report includes information about a data center’s security,
    availability, processing integrity, confidentiality, and privacy, and includes an auditor’s
    opinion on the operational effectiveness of the controls. SOC 3 does not have types, and
    an SOC 2 Type 1 only requires the organization’s own attestation.

  2. B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for
    reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing
    periods for Type 2 reports.

  3. C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet
    is commonly deployed as a physical star by placing a switch at the center of the star, but
    Ethernet still operates as a bus. Similarly, Token Ring deployments using a multistation
    access unit (MAU) were deployed as physical stars but operated as rings.

  4. C. Bell-LaPadula uses security labels on objects and clearances for subjects and is
    therefore a MAC model. It does not use discretionary, rule-based, role-based, or
    attribute-based access control.

  5. D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of
    students in any educational institution that accepts any form of federal funding.

  6. D. The Health Insurance Portability and Accountability Act (HIPAA) mandates the
    protection of protected health information (PHI). The SAFE Act deals with mortgages,
    the Gramm-Leach-Bliley Act (GLBA) covers financial institutions, and FERPA deals with
    student data.

  7. C. Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race
    condition. By varying the workload on the CPU, attackers may exploit the amount of
    time required to process requests and use that variance to effectively schedule the exploit’s
    execution. File locking, exception handling, and concurrency controls are all methods
    used to defend against TOC/TOU attacks.

  8. D. Implementations of syslog vary, but most provide a setting for severity level, allowing
    configuration of a value that determines what messages are sent. Typical severity levels
    include debug, informational, notice, warning, error, critical, alert, and emergency. The
    facility code is also supported by syslog, but is associated with which services are being
    logged. Security level and log priority are not typical syslog settings.

  9. B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each
    disk contains copies of the same data, and either one may be used in the event the other
    disk fails.

  10. B. An application-level gateway firewall uses proxies for each service it filters. Each proxy
    is designed to analyze traffic for its specific traffic type, allowing it to better understand
    valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply
    look at the source, destination, and ports in use, whereas a stateful packet inspection
    firewall can track the status of communication and allow or deny traffic based on that
    understanding.
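As an added illustration of the syslog point in answer 8 (example code, not from the book): the numeric priority at the start of a syslog message encodes both the facility and the severity, and it is a severity threshold, not the facility, that decides which messages are kept or forwarded. The sample lines below are constructed, not real logs.

```python
import re

# Severity codes from RFC 5424; index 0 is the most urgent.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# A subset of RFC 5424 facility codes, which identify the originating service.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 10: "authpriv", 16: "local0", 17: "local1"}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Return (facility_name, severity_name) from the leading <PRI> field."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    # PRI = facility * 8 + severity, so the low three bits carry the severity.
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]

def filter_by_severity(messages, threshold="warning"):
    """Keep messages at or above the threshold severity (lower code = more urgent).

    This mirrors a syslog severity setting: the facility plays no part here.
    """
    limit = SEVERITIES.index(threshold)
    kept = []
    for msg in messages:
        _facility, severity = decode_pri(msg)
        if SEVERITIES.index(severity) <= limit:
            kept.append(msg)
    return kept

# Constructed sample messages: <PRI> followed by an RFC 3164-style body.
SAMPLE = [
    "<34>Oct 11 22:14:15 host sshd[123]: Failed password for root",    # auth.critical
    "<38>Oct 11 22:14:16 host sshd[123]: Accepted publickey for ops",  # auth.informational
    "<0>Oct 11 22:14:17 host kernel: panic - not syncing",             # kern.emergency
    "<135>Oct 11 22:14:18 host app: debug trace",                      # local0.debug
    "<28>Oct 11 22:14:19 host cron[9]: job exceeded time budget",      # daemon.warning
]

if __name__ == "__main__":
    for line in filter_by_severity(SAMPLE, "warning"):
        print(decode_pri(line), line)
```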
