A. Security configuration management is the overall process of establishing and maintaining secure settings, which includes reducing elements, but it is not the specific technique itself.

B. The least privilege principle is an access control concept that grants users or processes only the minimum permissions necessary, not about removing system components.

C. Patch management is the process of applying updates to fix vulnerabilities in existing software, rather than removing the software or services.

1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-123: Guide to General Server Security. Section 3.2, "Server Hardening," Paragraph 1. "One of the primary principles of server hardening is to provide only the minimum necessary functionality... This involves removing all unneeded software, services, and utilities from the server."

2. National Institute of Standards and Technology (NIST). (2020). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Control Family: Configuration Management, Control ID: CM-7, "Least Functionality." The control requires organizations to "[configure] the system to provide only essential capabilities" and "[prohibit] or [restrict] the use of... functions, ports, protocols, and/or services."

3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278–1308. https://doi.org/10.1109/PROC.1975.9939. This foundational paper discusses the principle of "Economy of mechanism," which supports keeping system design as simple and small as possible, aligning with the concept of reducing elements to improve security.

A. Separation of duties is a security control that divides a critical task among multiple individuals to prevent fraud or error, not a standard of conduct.

B. Due diligence refers to the preparatory investigation and research conducted before taking an action to identify potential risks and liabilities.

D. Least privilege is an access control principle that ensures users are only granted the minimum level of access necessary to perform their job functions.

1. Cornell Law School, Legal Information Institute (LII). "Due Care." The LII, a reputable academic source, defines due care as: "The degree of care that a reasonable person would exercise under the same or similar circumstances." This provides the foundational legal definition.

Source: https://www.law.cornell.edu/wex/duecare

2. NIST Special Publication 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This official publication distinguishes between the two key concepts.

Section 2.3.2, "Due Diligence and Due Care," states: "Due care is the prudent and responsible execution of the duties and responsibilities associated with a given role or position." This directly supports the concept of ongoing, reasonable action.

3. (ISC)². Official (ISC)² Guide to the CISSP CBK. 6th Edition. CRC Press, 2022. This is an official vendor document for a foundational cybersecurity certification whose concepts are shared with the CC.

Chapter 3, "Security Governance Principles," defines due care as "the standard of care that a reasonable person is expected to exercise in all activities that could potentially harm others." It explicitly contrasts this with due diligence, which is defined as the "process of investigation."

B. Focusing solely on prevention is the domain of risk management and security controls, not business continuity, which plans for events that have already occurred.

C. A BCP is fundamentally composed of recovery strategies for critical business processes; avoiding them would defeat its entire purpose.

D. A BCP is a core component of a coordinated response, providing the framework and procedures needed to manage a major incident effectively.

1. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Section 2.2, Business Continuity Plan (BCP), Page 7. "The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption."

2. International Organization for Standardization. (2019). ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. Section 1, Scope. The standard specifies requirements to "plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise."

3. Whitman, M. E., & Mattord, H. J. (2019). Principles of Information Security (6th ed.). Cengage Learning. Chapter 5, "Planning for Contingencies." The text defines business continuity planning as the process that "ensures that critical business functions can continue if a disaster occurs."

A. Somewhere you are: This is incorrect because it refers to authentication based on the user's physical location (geolocation), not their possession of an object.

B. Something you are: This is incorrect as it pertains to inherent biological traits (biometrics) like a fingerprint or iris scan, not a physical device.

D. Something you know: This is incorrect because it refers to secret information like a password or PIN, not a tangible item that the user possesses.

---

1. National Institute of Standards and Technology (NIST). (June 2017). Special Publication (SP) 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management.

Section 4.2.3, "Out-of-Band Authenticators," Page 21: This section describes authenticators that use a communication channel separate from the primary one (e.g., a phone call). It explicitly states, "The out-of-band device is a 'something you have' factor." A mobile phone used for a callback is a classic example of such a device.

2. Ometov, A., et al. (2018). "A Survey on Multi-Factor Authentication for the Internet of Things." Sensors, 18(1), 175.

Section 2.1, "Authentication Factors," Paragraph 3: The authors define the possession factor: "The possession factor (something you have) implies that a user has a certain item in his/her possession, e.g., a smart card, a mobile phone, or a physical key." This peer-reviewed article directly classifies a mobile phone as a "something you have" factor.

DOI: https://doi.org/10.3390/s18010175

3. University of California, Berkeley. (Fall 2020). CS 161: Computer Security, Lecture 10: Authentication.

Slide 10, "Factors of Authentication": The course material categorizes authentication factors and provides examples. Under the "Something you have" category, it lists "Physical key," "Smartcard," and "Cell phone (for 2FA)," confirming that a mobile phone used in an authentication process is considered a possession factor.

A. Regulations: These are mandatory requirements imposed by external governmental or legal bodies, not an organization's internally-developed strategic direction.

B. Standards: These are mandatory, specific requirements for technology or processes that support policies; they are tactical, not strategic.

C. Procedures: These are detailed, step-by-step instructions for performing a task; they are operational and represent the lowest level of documentation.

1. National Institute of Standards and Technology (NIST) Special Publication 800-12 Revision 1, An Introduction to Information Security. Section 4.1, "Policy, Standards, and Practices," states: "Policies are the high-level documents that set the strategic direction, course, and tone for an organization’s security program." (Page 27, Paragraph 2).

2. National Institute of Standards and Technology (NIST) Special Publication 800-100, Information Security Handbook: A Guide for Managers. Section 2.2, "Security Policy," describes policy as the "foundation of a security program" and notes that it "sets the strategic direction for security." (Page 10, Paragraph 1).

3. University of California, Berkeley, Information Security Office, Policy Program. The documentation on "Policy, Standard, Guideline, and Procedure Definitions" states: "A policy is a statement of intent and is implemented as a procedure or protocol. Policies are the 'what' and the 'why'." This aligns with the strategic, context-setting role of policies.

A. Regularly updating antivirus software: Antivirus software protects against malware infections while the system is running; it offers no protection against data access if the device is stolen and the drive is accessed directly.

B. Using strong passwords: A strong OS password can be bypassed by an attacker with physical access, for example, by booting from an external drive or by removing the storage drive and mounting it in another computer.

C. Enabling a firewall: A firewall protects a device from unauthorized network traffic. It is irrelevant to protecting data stored locally on a device that has been physically stolen.

1. National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Section 2.1, "Threats," explicitly lists "Loss or theft of the device" as a primary threat. The document states, "If an unencrypted device is lost or stolen, the data on it is completely accessible to whomever has the device." Section 3.1, "Full Disk Encryption," is presented as the primary solution to this threat.

2. Microsoft Documentation, BitLocker overview. The official documentation for Microsoft's FDE solution states, "BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled." This directly addresses the scenario where the device is no longer in the authorized user's possession, such as in a theft.

3. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in Computing (5th ed.). This is a standard textbook used in university computer science curricula. Chapter 5.4, "Encryption," discusses its use in protecting stored data: "Encryption is a primary way to protect data in storage... Full disk encryption... means that the entire disk, including all system and user files, is encrypted. A user must enter a password to boot the computer, and that password decrypts the disk." This highlights its effectiveness against physical access threats.

A. Community cloud: This model is shared by a specific group of organizations with common goals, so tenants are known within the community.

B. Private cloud: This infrastructure is dedicated to a single organization, so there is no sharing with external, unknown customers.

C. Shared cloud: This is a general descriptive term, not one of the four standard deployment models (Public, Private, Community, Hybrid) defined by NIST.

1. Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Special Publication 800-145). National Institute of Standards and Technology. Retrieved from https://doi.org/10.6028/NIST.SP.800-145.

Page 3, Section 2, "Deployment Models": "Public cloud: The cloud infrastructure is provisioned for open use by the general public... It exists on the premises of the cloud provider." This definition underpins the concept of shared infrastructure among unknown parties.

2. Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., ... & Zaharia, M. (2009). A View of Cloud Computing (Technical Report No. UCB/EECS-2009-28). EECS Department, University of California, Berkeley.

Page 2, Section 2, "Defining Cloud Computing": Describes a Public Cloud as a resource available to the general public on a pay-as-you-go basis, contrasting it with a Private Cloud which is internal to an organization. This highlights the "general public" aspect where tenants are not pre-associated.

3. Carnegie Mellon University, School of Computer Science. (n.d.). 15-319/15-619 Cloud Computing, Lecture 2: Cloud Models and Architectures.

In course materials covering cloud deployment models, the Public Cloud is consistently defined as a multi-tenant environment where resources are shared by a diverse and anonymous customer base, managed by a third-party provider.

A. SQL Injection Attack: This attack targets the back-end database by inserting malicious SQL statements into an entry field, aiming for data theft or manipulation, not crashing the application with malformed data.

B. On Path Attack: This involves intercepting and potentially altering communications between two parties to eavesdrop or impersonate, not directly attacking an application to make it crash.

C. Distributed Denial-of-Service Attack: This attack uses a high volume of traffic from multiple sources to overwhelm a system's resources (like bandwidth or CPU), not a single piece of crafted data to exploit a software flaw.

1. Kuperman, B. A., et al. (2005). A Taxonomy of Buffer Overflows. University of Virginia, Department of Computer Science. Technical Report CS-2005-14. In Section 2, "Background," the report states, "When the buffer is overfilled, the excess data 'spills over' into adjacent memory, overwriting whatever data had been there... At a minimum, this memory corruption can cause the program to crash."

2. MITRE. (2023). CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'). Common Weakness Enumeration. The "Consequences" section notes that a primary technical impact is "Availability: The application may crash or be in a state where it is not usable."

3. Erickson, J. (2008). Hacking: The Art of Exploitation, 2nd Edition. No Starch Press. Chapter 3, "Exploitation," Section "Stack-Based Buffer Overflows," pp. 86-87, describes how writing past a buffer's boundaries can overwrite critical program data on the stack, leading to a segmentation fault and causing the program to crash. (Note: While a commercial book, its author is a recognized academic and it is used as courseware in many universities).

4. Aleph One. (1996). Smashing The Stack For Fun And Profit. Phrack Magazine, Volume 7, Issue 49. This foundational paper on the topic explains in Section 4, "Stack-based buffer overruns," how overflowing a buffer corrupts the stack, which typically results in a "Segmentation violation" error, terminating the program. This is a seminal, peer-reviewed publication in the security community.

B. Extender – Not a security term in password hashing; no role against rainbow tables.

C. MD5 – A hash algorithm, not the random value added; MD5 itself can be used with or without salting.

D. Hash – The fixed-length output produced after hashing; it is the result, not the random value added.

1. NIST Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management,” §5.1.1.2, p. 18 (June 2017).

2. Philip Oechslin, “Making a Faster Cryptanalytic Time-Memory Trade-Off,” Advances in Cryptology – CRYPTO 2003, LNCS 2775, pp. 617-630 (2003). DOI:10.1007/978-3-540-45146-436

3. MIT OpenCourseWare, 6.857 “Network and Computer Security,” Lecture 5 slides, “Password Hashing and Salting,” slides 7-9 (Spring 2014).

4. National Research Council, “Cryptography’s Role in Securing the Information Society,” Chapter 5, §“Password File Protection,” p. 110 (1996).

A. The primary harm is to the client's security, not a direct action against the reputation of the security profession itself.

B. While the action is dishonest, Canon III is more specific as it directly addresses the failure in professional service owed to a client.

C. The immediate duty violated is to the client (principal), not directly to society, although an exploited vulnerability could eventually harm the public.

1. (ISC)². (2023). ISC2 Code of Ethics. Retrieved from https://www.isc2.org/Ethics. The canon states, "Provide diligent and competent service to principals." Withholding critical security information is a direct failure to meet this standard.

2. Chapple, M., Seidl, D., & St. Germain, J. (2023). Official (ISC)² Certified in Cybersecurity (CC) Study Guide. Wiley. In Chapter 1, "Security Principles," the explanation for Canon III emphasizes providing high-quality work for employers and clients (principals). The text states, "This means you should always strive to provide high-quality work for your employers and clients" (p. 13). Concealing a vulnerability is the antithesis of providing high-quality, diligent service.