424 Appendix ■ Answers
59. A. Rainbow tables rely on databases of precomputed hashes (stored compactly as chains of hash and reduction steps) to quickly find the plaintext for hashes an attacker has acquired. Making passwords longer greatly increases the size of the table required to cover the password space, and adding a unique, random salt to each password means the attacker would need a separate table for every salt value, which defeats precomputation even though the salt itself is normally stored beside the hash. MD5 and SHA-1 are both poor choices for password hashing compared to modern password hashes such as bcrypt, scrypt, Argon2, and PBKDF2, which are deliberately slow (and in some cases memory-hard) so that every guess is expensive and recovery is impractical. Rainbow tables are used against lists of hashes obtained from a compromised system or database rather than in over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply move the traditionally world-readable list of password hashes on Unix and Linux systems to a location readable only by root. This doesn't prevent a rainbow table attack once the hashes are obtained.
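As an added illustration that is not part of the book's text, the following Python builds a toy rainbow table over a three-letter lowercase password space and then shows why the answer above holds: the table recovers an unsalted MD5 hash, but the same password hashed with a random salt, or with a slow salted hash (PBKDF2-HMAC-SHA256), is no longer recoverable from that table. The alphabet, password length, chain length, chain count, and iteration count are assumptions chosen so the demo runs in a second or two.

```python
"""Added example: a miniature rainbow table against unsalted MD5, and why a
per-password salt or a slow password hash (PBKDF2 here) defeats it.

The alphabet, password length, chain length and chain count are assumptions
chosen for a fast demo, not values taken from the original text."""
import hashlib
import os
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                                # demo space: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50
NUM_CHAINS = 2000


def index_to_password(i: int) -> str:
    """Bijection from 0..SPACE-1 onto the demo password space."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_hash(hash_hex: str, column: int) -> str:
    """Reduction function: maps a hash back into the password space. Mixing in
    the column index gives every column its own reduction, which is what makes
    this a rainbow table rather than a plain Hellman hash chain."""
    return index_to_password((int(hash_hex, 16) + column) % SPACE)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains; only endpoint -> start point is stored."""
    table = {}
    for n in range(num_chains):
        start = index_to_password((n * 7919) % SPACE)  # deterministic, distinct starts
        pw = start
        for col in range(chain_len):
            pw = reduce_hash(md5_hex(pw), col)
        table[pw] = start        # merged chains overwrite; a real table de-duplicates them
    return table


def lookup(table: dict, target_hex: str, chain_len: int = CHAIN_LEN):
    """Recover a password from its unsalted MD5, or None if the table does not cover it."""
    # The target could sit in any column; for each column, regenerate to the chain end.
    for col in range(chain_len - 1, -1, -1):
        pw = reduce_hash(target_hex, col)
        for c in range(col + 1, chain_len):
            pw = reduce_hash(md5_hex(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint matched: walk the chain from its start looking for the target.
        # Chain merges cause false alarms, so keep searching if it is not there.
        pw = start
        for c in range(chain_len):
            if md5_hex(pw) == target_hex:
                return pw
            pw = reduce_hash(md5_hex(pw), c)
    return None


def salted_md5_hex(pw: str, salt: bytes) -> str:
    """Salted MD5: still a fast hash, but a table built for unsalted MD5 no longer applies."""
    return hashlib.md5(salt + pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, iterations: int = 600_000) -> str:
    """Slow, salted password hash; the iteration count follows current OWASP guidance."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


TABLE = build_table()

if __name__ == "__main__":
    victim = next(iter(TABLE.values()))      # a password the table is known to cover
    salt = os.urandom(16)
    print("unsalted MD5 ->", lookup(TABLE, md5_hex(victim)))
    print("salted MD5   ->", lookup(TABLE, salted_md5_hex(victim, salt)))
    print("PBKDF2       ->", lookup(TABLE, pbkdf2_hex(victim, salt)))
    for guess in ("cat", "dog", "zzz"):
        print(guess, "covered by table:", lookup(TABLE, md5_hex(guess)) == guess)
```

Only chain endpoints are stored, so the table is far smaller than the full hash list it stands in for; the cost is that coverage is probabilistic (merged chains lose passwords, and some lookups are false alarms), which is why real tables use many more chains than this demo. Note that the salted lookup fails even though the code has the salt in hand: the defence is that the precomputation was done without it, so a new table would be needed for every salt value.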
60. C. External auditors can provide an unbiased and impartial view of an organization's controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.

61. A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

62. B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.

63. A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.

64. C. The formula for determining the number of encryption keys required by a symmetric algorithm is n(n − 1)/2. With six users, you will need (6 × 5)/2, or 15 keys.

65. B. Patents have the shortest duration of the protections listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely, and trade secrets are protected as long as they remain secret.

66. C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
67. C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.