
Computer processing time is increased for longer asymmetric encryption keys, and the increase may be
disproportionate. For example, one benchmark showed that doubling the length of an RSA key from
512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold.

Reverse proxies are primarily designed to hide physical and logical internal structures from outside
access. Complete Uniform Resource Locators (URLs) or Uniform Resource Identifiers (URIs) can be
partially or completely redirected without disclosing which internal or demilitarized zone (DMZ) server
is providing the requested data. This technology might be used if a trade-off between security,
performance and costs has to be achieved. Proxy servers cache some data but normally cannot cache
all pages to be published because this depends on the kind of information the web servers provide.

The ability to accelerate access depends on the speed of the back-end servers, i.e., those that are cached. Thus,
without making further assumptions, a gain in speed cannot be assured, but virtualization and hiding of internal
structures can. If speed is an issue, a scale-out approach (avoiding adding additional delays by passing firewalls,
involving more servers, etc.) would be a better solution.

Due to the limited caching option, reverse proxies are not suitable for enhancing fault tolerance.

User requests that are handled by reverse proxy servers are using exactly the same bandwidth as direct requests
to the hosts providing the data.

While peer-to-peer computing does increase the risk of virus infection, the risk of data leakage is more severe,
especially if the shared content contains proprietary data or intellectual property. Peer-to-peer computing can share the
contents of a user's hard drive over the Internet, and the risk that sensitive data could be shared with others
is the greatest concern. Peer-to-peer computing may utilize more network bandwidth and therefore may create
performance issues. However, data leakage is a more severe risk. Peer-to-peer computing may also be used to
download or share unauthorized software, which users could install on their PCs unless other controls prevent it;
again, data leakage remains the more severe risk.

Password sniffing attacks can be used to gain access to systems on which proprietary information is
stored.

A screened subnet firewall would provide the best protection. The screening router can be a
commercial router or a node with routing capabilities and the ability to allow or block traffic between
nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based
traffic from the rest of the corporate network.

Application-level gateways, also known as proxy gateways, are mediators between two entities that want to
communicate. An application-level gateway (proxy) works at the application layer, not just at the packet level. This would be the
best solution to protect an application but not a network.

A packet filtering router examines the header of every packet or data traveling between the Internet and the
corporate network. This is a low-level control.

A circuit level gateway, such as a Socket Secure (SOCKS) server, will protect users by acting as a proxy, but is not
the best defense for a network.

Advanced Encryption Standard (AES) provides the greatest assurance for database password encryption.

Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any
information and is forced to rely on publicly available information. This test simulates a real attack, except that the
target organization is aware of the test being conducted.

Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided
with information and the target organization is also aware of the testing activities. In some cases, the tester is also
provided with a limited-privilege account to be used as a starting point.

Double-blind testing is also known as zero-knowledge testing. This refers to a test where the
penetration tester is not given any information and the target organization is not given any warning—
both parties are “blind” to the test. This is the best scenario for testing response capability because the
target will react as if the attack were real.

External testing refers to a test where an external penetration tester launches attacks on the target’s network
perimeter from outside the target network (typically from the Internet).

Single sign-on (SSO) is a great productivity boost for users and the IT organization because users do
not need to enter user IDs and passwords repeatedly. SSO significantly reduces the number of IT help
desk calls regarding lost passwords. For any authentication system, SSO or a strong password policy is
crucial.

Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers
simulate an attack from someone who is unfamiliar with the system. It is important to have
management knowledge of the proceedings so that if the test is identified by the monitoring systems,
the legality of the actions can be determined quickly.

A registration authority is responsible for verifying the information supplied by the subject requesting a
certificate, and for verifying the requestor's right to request a certificate on behalf of themselves or their
organization.

Certification authorities, not registration authorities, actually issue certificates once verification of the information
has been completed.

Digital signatures for the sender are attested by the certificate authority and can be verified by the
recipient; therefore, repudiation is not possible. Additionally, the digital signature mechanism ensures
the integrity of the message content by creating a one-way hash at both the source and destination
and then comparing the two.

Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory,
disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore,
scanners need to be updated periodically to remain effective.

Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system
(BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish
between a user request and a program or virus request. As a result, users are asked to confirm actions such as
formatting a disk or deleting a file or set of files.

Integrity checkers compute a binary number on a known virus-free program that is then stored in a
database file. This number is called a cyclic redundancy check (CRC). When that program is called to
execute, the checker computes the CRC on the program about to be executed and compares it to the
number in the database. A match means no infection; a mismatch means that a change in the program
has occurred. A change in the program could mean a virus.
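The integrity-checker cycle described above (baseline CRC stored in a database, recomputed and compared before execution), as an added example that is not part of the original notes. The program images and the "infection" are constructed sample bytes, and the database is an in-memory dict; production tools use a cryptographic hash rather than CRC-32, because a CRC can be matched deliberately by an attacker, but the compare-before-execute logic is the same.

```python
import zlib

# Constructed stand-ins for executables that were verified virus-free at baseline time.
KNOWN_GOOD = {
    "calc.exe": b"MZ\x90\x00 constructed harmless program image #1",
    "edit.exe": b"MZ\x90\x00 constructed harmless program image #2",
}


def compute_crc(program_bytes: bytes) -> int:
    """The 'binary number' the checker stores: CRC-32 over the whole program image."""
    return zlib.crc32(program_bytes) & 0xFFFFFFFF


def build_database(programs: dict[str, bytes]) -> dict[str, int]:
    """Baseline step: record the CRC of each program while it is known to be clean."""
    return {name: compute_crc(data) for name, data in programs.items()}


def check_before_execute(name: str, program_bytes: bytes, database: dict[str, int]):
    """Execution-time step: recompute the CRC and compare it with the stored value.

    Returns (ok, reason). A mismatch does not prove a virus, only that the
    program changed since the baseline was taken; a missing baseline is
    treated as a failure so an unknown binary is never silently trusted.
    """
    if name not in database:
        return False, "no baseline recorded"
    current = compute_crc(program_bytes)
    if current == database[name]:
        return True, "match"
    return False, f"mismatch: stored {database[name]:08x}, current {current:08x}"


def simulate_infection(program_bytes: bytes) -> bytes:
    """Constructed change to a program image, standing in for a file infector
    that appends code to an executable."""
    return program_bytes + b"\x90\x90 appended code"


DATABASE = build_database(KNOWN_GOOD)

if __name__ == "__main__":
    for name, image in KNOWN_GOOD.items():
        print(name, check_before_execute(name, image, DATABASE))
    print("calc.exe (modified)",
          check_before_execute("calc.exe", simulate_infection(KNOWN_GOOD["calc.exe"]), DATABASE))
```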

Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain
effective.

Web of trust is a key distribution method suitable for communication in a small group. It is used by
tools such as pretty good privacy (PGP) and distributes the public keys of users within a group.

A Kerberos Authentication System extends the function of a key distribution center by generating "tickets" that
define which facilities on networked machines are accessible to each user.

A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a
malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without
the consent of an administrator.

A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack
patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access
to an exploit unknown to the IDS, it will go undetected. A web server exploit performed through the web
application itself, such as a Structured Query Language (SQL) injection attack, would not appear to be an attack to
the network-based IDS.

A firewall by itself does not protect a web server because the ports required for users to access the web server
must be open in the firewall. Web server attacks are typically performed over the same ports that are open for
normal web traffic. Therefore, a firewall does not protect the web server.

Operating system (OS) patching will make exploitation of the server more difficult for the attacker and less likely.
However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched
server vulnerabilities, and the host-based IPS should detect any attempts to change files on the server, regardless
of how access was obtained.

A validated digital signature in an email software application will help detect spam.

Validated electronic signatures are based on qualified certificates that are created by a certificate
authority (CA), with the technical standards required to ensure the key can neither be forced nor
reproduced in a reasonable time. Such certificates are only delivered through a registration authority
(RA) after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation
can be assured and a sender can be tracked. The recipient can configure his/her email server or client
to automatically delete emails from specific senders.

A content-filtering proxy server will effectively monitor user access to Internet sites and block access
to unauthorized web sites.

Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than
asymmetric techniques, thus making them ideal for encrypting a large volume of data.

Symmetric key cryptosystems are less computationally intensive and are ideal for encrypting a large volume of
data.

Symmetric key encryption requires that the secret keys be distributed among the communicating
parties. The larger the user group, the more challenging the key distribution. The major disadvantage
is the need to get the keys into the hands of those with whom you want to exchange data, particularly
in e-commerce environments where customers are unknown, untrusted entities. Effective key
distribution is one of the primary benefits of asymmetric encryption.

Symmetric algorithms are usually less complex than asymmetric algorithms.

A digital signature does not encrypt the message so it cannot provide confidentiality.

A digital signature does not encrypt the message so it cannot provide security.

A digital signature is created by signing a hash of a message with the private key of the sender. This
provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message.

A digital signature does not provide confidentiality.

Outgoing traffic with an IP source address different than the internal IP range in the network is invalid.
In most of the cases, it signals a denial-of-service (DoS) attack originated by an internal user or by a
previously compromised internal machine; in both cases, applying this filter will stop the infected
machine from participating in the attack.
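The egress rule described above, as an added example that is not part of the original notes: outbound flows whose source address is outside the internal range are dropped, and the hosts behind the dropped traffic are surfaced for investigation. The internal range, the flow records and the MAC addresses are constructed; the MAC field stands for whatever the inside interface actually learned about the sender, which is what survives when the IP source is spoofed.

```python
import ipaddress
from collections import Counter

# Assumed internal address space for this example (not taken from the notes).
INTERNAL_RANGES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed outbound flow records seen at the border router's inside interface:
# (source IP, source MAC learned on the inside interface, destination IP, destination port).
OUTBOUND_FLOWS = [
    ("10.20.5.17",   "00:11:22:33:44:01", "203.0.113.10", 443),   # legitimate
    ("10.20.7.3",    "00:11:22:33:44:02", "198.51.100.7", 80),    # legitimate
    ("192.0.2.44",   "00:11:22:33:44:02", "203.0.113.10", 80),    # spoofed source
    ("198.51.100.9", "00:11:22:33:44:02", "203.0.113.10", 80),    # spoofed source
    ("172.16.9.1",   "00:11:22:33:44:02", "203.0.113.10", 80),    # private, but not ours
]


def is_internal_source(ip_str: str) -> bool:
    """True only when the source address belongs to a range this network owns."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in INTERNAL_RANGES)


def apply_egress_filter(flows):
    """Split outbound flows into those permitted and those dropped by the rule."""
    allowed, dropped = [], []
    for flow in flows:
        (allowed if is_internal_source(flow[0]) else dropped).append(flow)
    return allowed, dropped


def suspect_hosts(dropped, threshold: int = 2):
    """Hosts behind at least `threshold` dropped flows: the internal machines the
    filter just stopped, and the ones to pull off the network for examination."""
    counts = Counter(flow[1] for flow in dropped)
    return sorted(mac for mac, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    allowed, dropped = apply_egress_filter(OUTBOUND_FLOWS)
    print(f"{len(allowed)} allowed, {len(dropped)} dropped")
    for flow in dropped:
        print("dropped spoofed-source flow:", flow)
    print("suspect hosts:", suspect_hosts(dropped))
```

The third dropped record shows why the rule is written against the network's own range rather than "private address space": a packet from another RFC 1918 block is still not a valid source for this network.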

Electromagnetic interference (EMI) is caused by outside electromagnetic waves affecting the desired signals, which
is not the case here.

Crosstalk has nothing to do with the length of the unshielded twisted pair (UTP) cable.

Dispersion affects microwave and radio signals and is not a factor with UTP.

Attenuation is the weakening of signals during transmission. When the signal becomes weak, it begins
to generate errors, and the user may experience communication problems. UTP faces unacceptable
levels of attenuation around 100 meters.

Kerberos is a network authentication protocol for client-server applications that can be used to restrict
access to the database to authorized users.

Vitality detection tries to ensure that a user presenting a biometric is “alive” and not merely an image or photocopy
of the biometric values.

Multimodal biometrics uses a combination of biometric methods to authenticate a user. If the attacker can gain
access to the biometric templates, the use of multiple templates will not be an effective control.

Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is
a preventive control.
