454 Appendix ■ Answers
8. C. Release control includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
9. A. Configuration control ensures that changes to software versions are made in accordance with the change control and configuration management process. Updates can be made only from authorized distributions, in accordance with those policies.

10. B. Ben is reusing his salt. When the same salt is used for every hash, all users with the same password end up with the same stored hash. An attacker can either steal the salt and precompute the hashes of common passwords once for the entire user table, or, even without the salt, target the most frequently occurring hash values on the assumption that they correspond to commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no "salting algorithm" used or mentioned here; a salt is simply an additional value fed into the hash along with the password, and "plaintext salting" is a made-up term.

11. B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.

12. C. The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate status verification.

13. D. Static code analysis uses techniques like control flow graphs, lexical analysis, and data flow analysis to assess code without running it. Dynamic code analysis runs code on a real or virtual processor and uses actual inputs for testing. Fuzzing provides unexpected or invalid input to test how programs handle input outside the norm. Manual analysis is performed by reading code line by line to identify bugs or other issues.

14. B. TCP's use of a handshake process to establish communications before data is exchanged is what makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works over network connections make it connection-oriented.

15. A. The LDAP bind operation authenticates the client and specifies the LDAP protocol version. Auth, StartLDAP, and AuthDN are not operations defined in the LDAP protocol.

16. C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.

17. B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the Application, Presentation, and Session layers, whereas segments and datagrams exist at the Transport layer (for TCP and UDP, respectively).

18. A. If the (ISC)² peer review board finds that a certified individual has violated the (ISC)² code of ethics, the board may revoke their certification. The board is not able to terminate an individual's employment or assess financial penalties.

19. D. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including
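The salt-reuse problem described in answer 10, worked through in code. This is an added example and is not part of the original answer key; it assumes PBKDF2-HMAC-SHA256 as the password hash and a work factor of 100,000 iterations (the question names only a 32-byte salt), and the user table, the reused salt value and the attacker's wordlist are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Assumed parameters: the answer names only a 32-byte salt, not a hash
# function or work factor.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 32  # 256 bits, the salt length the answer discusses

# Constructed sample credential set: three users share a common password.
USERS = {
    "alice": "Password1",
    "bob": "Password1",
    "carol": "Password1",
    "dave": "correct horse battery staple",
    "erin": "T0ps3cret!",
}

# Constructed fixed value standing in for Ben's single, reused salt.
REUSED_SALT = bytes(range(32))

# Small constructed wordlist an attacker would try first.
WORDLIST = ["123456", "Password1", "letmein", "qwerty"]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def store_with_reused_salt(users: dict, salt: bytes) -> dict:
    """Ben's scheme: one salt for every record. Returns {user: digest}."""
    return {name: hash_password(pw, salt) for name, pw in users.items()}


def store_with_unique_salt(users: dict) -> dict:
    """Correct scheme: a fresh random salt per record, stored beside the
    digest. Returns {user: (salt, digest)}."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(SALT_BYTES)
        records[name] = (salt, hash_password(pw, salt))
    return records


def most_frequent_hash(hashes: dict) -> tuple:
    """Return (digest, count) for the most common digest in the table.

    With a reused salt, identical passwords give identical digests, so the
    most frequent digest almost certainly belongs to the most common password
    even if the attacker never learns the salt itself."""
    digest, count = Counter(hashes.values()).most_common(1)[0]
    return digest, count


def crack_with_known_salt(hashes: dict, salt: bytes, wordlist: list) -> dict:
    """Attacker who has recovered the shared salt: hash each candidate ONCE
    and match it against every stored digest at the same time."""
    lookup = {hash_password(word, salt): word for word in wordlist}
    return {name: lookup[d] for name, d in hashes.items() if d in lookup}


def crack_per_user(records: dict, wordlist: list) -> dict:
    """Same wordlist against per-user salts: the hashing work is repeated for
    every record, because nothing computed for one user carries over."""
    found = {}
    for name, (salt, digest) in records.items():
        for word in wordlist:
            if hmac.compare_digest(digest, hash_password(word, salt)):
                found[name] = word
                break
    return found


def verify(record: tuple, password: str) -> bool:
    """Constant-time check of a candidate password against a (salt, digest) record."""
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(password, salt))


if __name__ == "__main__":
    reused = store_with_reused_salt(USERS, REUSED_SALT)
    _, n = most_frequent_hash(reused)
    print(f"reused salt: most frequent digest appears {n} times")  # 3
    print("one pass with the known salt:", crack_with_known_salt(reused, REUSED_SALT, WORDLIST))

    unique = store_with_unique_salt(USERS)
    print("unique salts: distinct digests =", len({d for _, d in unique.values()}))  # 5
    print("verify alice:", verify(unique["alice"], "Password1"))  # True
```

With the reused salt the three `Password1` accounts collapse to one digest, which is exactly the frequency signal the answer describes, and an attacker holding the salt cracks all three with four PBKDF2 computations. With per-user salts every record has a distinct digest even where passwords coincide, and the same wordlist has to be hashed again for each user, which is the cost a salt is meant to impose.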