408 Appendix ■ Answers
3. A. Encrypting the files reduces the probability that the data will be successfully stolen, so
it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing
insurance would be risk transference. Taking no action would be risk acceptance.
- C. Sampling should be done randomly to avoid human bias. Choosing a time frame may
miss historic issues or only account for the current administrator's processes. Sampling
is an effective process if it is done on a truly random sample of sufficient size to provide
effective coverage of the userbase.
- B. The EU-U.S. Privacy Shield principles are
  ■ Notice
  ■ Choice
  ■ Accountability for Onward Transfer
  ■ Security
  ■ Data Integrity and Purpose Limitation
  ■ Access
  ■ Recourse, Enforcement, and Liability
- The testing methodologies match with the level of knowledge as follows:
- Black box: C. No prior knowledge of the system.
- White box: A. Full knowledge of the system.
- Gray box: B. Partial or incomplete knowledge.
- C. The file clearly shows HTTP requests, as evidenced by the many GET commands.
Therefore, this is an example of an application log from an HTTP server.
- B. The US Trusted Foundry program helps to protect the supply chain for components
and devices by ensuring that the companies that produce and supply them are secure.
TEMPEST is the name of a program aimed at capturing data from electronic emissions,
GovBuy is not a government program or supplier, and MITRE conducts research and
development for the US government.
- B. Social engineering exploits humans to allow attacks to succeed. Since help desk employees
are specifically tasked with being helpful, they may be targeted by attackers posing as
legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack
via electronic communication methods intended to capture passwords or other sensitive data.
Whaling is a type of phishing aimed at high-profile or important targets.
- C. Identity proofing that relies on a type of verification outside the initial environment
that required the verification is out-of-band identity proofing. This type of verification
relies on the owner of the phone or phone number having control of it but removes the
ability for attackers to use only Internet-based resources to compromise an account.
Knowledge-based authentication relies on answers to preselected information, whereas
dynamic knowledge-based authentication builds questions using facts or data about the
user. Risk-based identity proofing uses risk-based metrics to determine whether identities
should be permitted or denied access. It is used to limit fraud in financial transactions,
such as credit card purchases. This is a valid form of proofing but does not necessarily use
an out-of-band channel, such as SMS.