432 Appendix ■ Answers
4. A. Key risk indicators (KRIs) are often used to monitor risk for organizations that
establish an ongoing risk management program. Using automated data gathering and tools
that allow data to be digested and summarized can provide predictive information about
how organizational risks are changing. KPIs are key performance indicators, which are
used to assess how an organization is performing. Quantitative risk assessments are good
for point-in-time views with detailed valuation and measurement-based risk assessments,
whereas a penetration test would provide details of how well an organization’s security
controls are working.
5. D. The three-way handshake is SYN, SYN/ACK, ACK. System B should respond with "Synchronize and Acknowledge" to System A after it receives a SYN.

6. A. Systems that respond to ping will show the time to live for packets that reach them. Since TTL is decremented at each hop, this can help build a rough network topology map. In addition, some firewalls respond differently to ping than a normal system, which means pinging a network can sometimes reveal the presence of firewalls that would otherwise be invisible. Hostnames are revealed by a DNS lookup, and ICMP types allowed through a firewall are not revealed by only performing a ping. ICMP can be used for router advertisements, but pinging won't show them!

7. C. Authorization defines what a subject can or can't do. Identification occurs when a subject claims an identity, accountability is provided by the logs and audit trail that track what occurs on a system, and authorization occurs when that identity is validated.

8. A. The commercial classification scheme discussed by (ISC)² includes four primary classification levels: confidential, private, sensitive, and public. Secret is a part of the military classification scheme.

9. B. All of these are objects. Although some of these items can be subjects, files, databases, and storage media can't be. Processes and programs aren't file stores, and of course none of these are users.

10. A. Testing for desired functionality is use case testing. Dynamic testing is used to determine how code handles variables that change over time. Misuse testing focuses on how code handles examples of misuse, and fuzzing feeds unexpected data as an input to see how the code responds.

11. B. Privilege creep is a common problem when employees change roles over time and their privileges and permissions are not properly modified to reflect their new roles. Least privilege issues are a design or implementation problem, and switching roles isn't typically what causes them to occur. Account creep is not a common industry term, and account termination would imply that someone has removed her account instead of switching her
to new groups or new roles.

12. C. These are examples of private IP addresses. RFC1918 defines a set of private IP addresses for use in internal networks. These private addresses, which include 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255, should never be routable on the public Internet.
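The three-way handshake in answer 5 can be followed step by step with the sequence and acknowledgment numbers it carries. The following Python is an added example, not part of the book or its answer key; the `Segment` class, the host names "A" and "B", and the initial sequence numbers passed in are assumptions made for illustration. It builds the SYN, SYN/ACK, ACK exchange and also validates a captured triple the way a connection tracker does before treating a flow as established.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Segment:
    """A simplified TCP segment: only the fields the handshake depends on (assumed model)."""
    src: str
    dst: str
    flags: FrozenSet[str]
    seq: int   # sequence number carried by this segment
    ack: int   # acknowledgment number (meaningful only when ACK is set)


def client_syn(client: str, server: str, client_isn: int) -> Segment:
    # Step 1: System A picks an initial sequence number (ISN) and sends SYN.
    return Segment(client, server, SYN, seq=client_isn, ack=0)


def server_syn_ack(syn: Segment, server_isn: int) -> Segment:
    # Step 2: System B answers a SYN with SYN/ACK, acknowledging the client's ISN + 1.
    if syn.flags != SYN:
        raise ValueError("server expects a bare SYN to open a connection")
    return Segment(syn.dst, syn.src, SYN_ACK, seq=server_isn, ack=syn.seq + 1)


def client_ack(syn_ack: Segment) -> Segment:
    # Step 3: System A acknowledges the server's ISN + 1; its own seq is now its ISN + 1.
    if syn_ack.flags != SYN_ACK:
        raise ValueError("client expects SYN/ACK in reply to its SYN")
    return Segment(syn_ack.dst, syn_ack.src, ACK, seq=syn_ack.ack, ack=syn_ack.seq + 1)


def three_way_handshake(client_isn: int, server_isn: int) -> List[Segment]:
    """Run the full exchange between constructed hosts A (client) and B (server)."""
    syn = client_syn("A", "B", client_isn)
    syn_ack = server_syn_ack(syn, server_isn)
    ack = client_ack(syn_ack)
    return [syn, syn_ack, ack]


def is_complete_handshake(segments: List[Segment]) -> bool:
    """True if three segments form a consistent SYN, SYN/ACK, ACK exchange:
    flags in order, directions alternate, and every ack equals the peer's seq + 1."""
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = segments
    return (
        syn.flags == SYN
        and syn_ack.flags == SYN_ACK
        and ack.flags == ACK
        and syn_ack.src == syn.dst and syn_ack.dst == syn.src
        and ack.src == syn.src and ack.dst == syn.dst
        and syn_ack.ack == syn.seq + 1
        and ack.ack == syn_ack.seq + 1
        and ack.seq == syn.seq + 1
    )


if __name__ == "__main__":
    for seg in three_way_handshake(client_isn=1000, server_isn=5000):
        print(f"{seg.src} -> {seg.dst} {'/'.join(sorted(seg.flags))} seq={seg.seq} ack={seg.ack}")
```

A flow that shows only the first two segments, or whose final ACK carries the wrong acknowledgment number, fails `is_complete_handshake`; that distinction is what separates an established connection from a half-open one in firewall state tables.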
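Answer 6 states that the TTL in a ping reply gives a rough idea of how far away a host is. The following Python is an added example, not part of the book: it parses ping reply lines and estimates the hop count by assuming the sender used one of the common default initial TTLs (64, 128 or 255). That default assumption is the main caveat of the technique, and the sample ping output embedded below is constructed rather than captured from a real network.

```python
import re
from typing import Dict, Tuple

# Typical initial TTL values: 64 for Linux/macOS, 128 for Windows, 255 for many
# routers. Assumption: the responding host uses one of these defaults; a host with a
# tuned TTL will produce a wrong estimate.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Matches the reply line printed by ping on Linux/macOS ("64 bytes from 10.0.0.1: ...
# ttl=57 ...") and on Windows ("Reply from 10.0.0.1: bytes=32 time=1ms TTL=128").
PING_REPLY_RE = re.compile(r"from (?P<host>[0-9.]+).*?\bttl=(?P<ttl>\d+)", re.IGNORECASE)


def estimate_hops(observed_ttl: int) -> Tuple[int, int]:
    """Return (assumed_initial_ttl, hops): take the smallest common initial TTL that is
    >= the observed value and use the difference as the number of routers crossed."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_ping_replies(text: str) -> Dict[str, int]:
    """Extract {host: ttl} from ping output; timeouts and summary lines are ignored."""
    ttls: Dict[str, int] = {}
    for line in text.splitlines():
        m = PING_REPLY_RE.search(line)
        if m:
            ttls[m.group("host")] = int(m.group("ttl"))
    return ttls


def hop_map(text: str) -> Dict[str, Tuple[int, int]]:
    """Rough topology view: for each responding host, the assumed initial TTL and hop count."""
    return {host: estimate_hops(ttl) for host, ttl in parse_ping_replies(text).items()}


# Constructed sample output (not captured from a real network).
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 10.0.1.20: icmp_seq=1 ttl=126 time=1.9 ms
64 bytes from 10.0.2.5: icmp_seq=1 ttl=251 time=4.0 ms
Request timeout for icmp_seq 1
"""

if __name__ == "__main__":
    for host, (initial, hops) in hop_map(SAMPLE_PING_OUTPUT).items():
        print(f"{host}: initial TTL {initial}, about {hops} hop(s) away")
```

Reading the sample output: the host with ttl=64 is on the local segment, the one with ttl=126 is probably a Windows machine two routers away, and ttl=251 points at network gear four hops out. When auditing your own network, a host whose estimate disagrees with the known topology is worth a second look, since it may be a device with a non-default stack sitting where it should not be.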
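The RFC1918 ranges in answer 12 are easy to get slightly wrong by hand (172.16.0.0/12 ends at 172.31.255.255, not 172.16.255.255), so a defender usually codes the check rather than eyeballing it. The following Python is an added example, not part of the book: it tests addresses against the three RFC1918 blocks with the standard `ipaddress` module and then applies the "should never be routable on the public Internet" rule to a constructed firewall log, flagging inbound packets on the external interface that claim a private source. The log format, the interface name `wan0`, and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re
from typing import Iterable, List

# The three RFC1918 blocks as CIDR prefixes.
RFC1918_NETWORKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(address: str) -> bool:
    """True only for IPv4 addresses inside one of the three RFC1918 ranges.
    Deliberately stricter than ipaddress's is_private, which also returns True for
    loopback, link-local and several other reserved ranges."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


# Constructed firewall log format (not from any real product): one inbound packet per
# line, with the interface it arrived on and its source/destination addresses.
LOG_LINE_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def private_sources_on_external_interface(log_lines: Iterable[str],
                                          external_iface: str = "wan0") -> List[str]:
    """Return source addresses that arrived on the Internet-facing interface but fall in
    RFC1918 space. Such packets cannot legitimately originate on the public Internet, so
    they indicate spoofing or a misconfigured upstream and belong on an ingress filter."""
    flagged: List[str] = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if not m or m.group("iface") != external_iface:
            continue
        if is_rfc1918(m.group("src")):
            flagged.append(m.group("src"))
    return flagged


# Constructed sample log (documentation-range public addresses, not real hosts).
SAMPLE_LOG = [
    "iface=wan0 src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=443",
    "iface=wan0 src=10.3.4.5 dst=198.51.100.10 proto=tcp dport=22",
    "iface=wan0 src=172.31.9.9 dst=198.51.100.10 proto=udp dport=53",
    "iface=wan0 src=172.32.0.1 dst=198.51.100.10 proto=tcp dport=80",
    "iface=lan0 src=192.168.1.50 dst=198.51.100.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    for src in private_sources_on_external_interface(SAMPLE_LOG):
        print(f"private source {src} seen on external interface: should be dropped by ingress filter")
```

Note that 172.32.0.1 is not flagged: it sits just past the end of 172.16.0.0/12 and is ordinary public space, which is exactly the boundary a hand-written comparison tends to miss. The packet from 192.168.1.50 is ignored because it arrived on the internal interface, where private sources are expected.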