CISSP Official Practice Tests by Mike Chapple, David Seidl

452 Appendix ■ Answers


68. B. System owners have to ensure that the systems they are responsible for are properly
labeled based on the highest level of data that their system processes, and they have to
ensure that appropriate security controls are in place on those systems. System owners
also share responsibility for data protection with data owners. Administrators grant
appropriate access, whereas data owners own the classification process.


  1. A. Jack is performing misuse case analysis, a process that tests code based on how it
    would perform if it was misused instead of used properly. Use case testing tests valid
    use cases, whereas static code analysis involves reviewing the code itself for flaws rather
    than testing the live software. Hacker use case testing isn’t an industry term for a type of
    testing.

  2. D. Vendors complete security targets (STs) to describe the controls that exist within their
    product. During the review process, reviewers compare those STs to the entity’s Protection
    Profile (PP) to determine whether the product meets the required security controls.

  3. C. Both TCP and UDP port numbers are a 16-digit binary number, which means there
    can be 2^16 ports, or 65,536 ports, numbered from 0 to 65,535.

  4. A. MITRE’s Common Vulnerabilities and Exploits (CVE) dictionary and NIST’s
    National Vulnerability Database (NVD) both provide information about vulnerabilities.

  5. D. The military classification scheme contains three major levels. They are, in descending
    order of sensitivity: Top Secret, Secret, and Confidential. Unclassified is a default, and
    not a classification, whereas Sensitive But Unclassified (SBU) has been replaced with
    Controlled Unclassified Information (CUI).

  6. D. In an automated recovery, the system can recover itself against one or more failure
    types. In an automated recovery without undue loss, the system can recover itself against
    one or more failure types and also preserve data against loss. In function recovery, the
    system can restore functional processes automatically. In a manual recovery approach, the
    system does not fail into a secure state but requires an administrator to manually restore
    operations.

  7. A. Antenna placement, antenna design, and power level control are the three important
    factors in determining where a signal can be accessed and how usable it is. A captive
    portal can be used to control user logins, and antenna design is part of antenna types. The
    FCC does provide maximum broadcast power guidelines but does not require a minimum
    power level.

  8. C. Physically destroying the drive is the best way to ensure that there is no remnant data
    on the drive. SSDs are flash media, which means that you can’t degauss them, whereas
    both random pattern writes and the built-in erase commands have been shown to be
    problematic due to the wear leveling built into SSDs as well as differences in how they
    handle erase commands.


77. A. Confidentiality ensures that data cannot be read by unauthorized individuals while
stored or in transit.