430 Appendix ■ Answers
2. B. Kathleen’s needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry-standard, and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor neutral, although it does support a number of open standards.

3. A. Application firewalls add layer 7 functionality to other firewall solutions. This includes the ability to inspect Application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.

4. C. The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

5. A. Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.

6. D. EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.

7. C. X.509 defines standards for public key certificates like those used with many smartcards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smartcard to authenticate.

8. C. The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.

9. A. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the US Department of Homeland Security, and more importantly for this question included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.

10. C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.

11. C. Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources is not managed well. Of course, poor authorization management can create many other problems.