It is critical that the information is easy to read and understand. If it is too confusing or use too many technical words, many employees will either not read it at all or forget it almost right away. We would want senior managements buy-in, but for the materials to be effective, it is more important they are easy to understand. Staff should learn about social engineering and our policies, but in a simplified language they can understand and relate to.

Encrypting with the receiver's public key gives us confidentiality, because only they can decrypt the message. Encrypting with the sender's private key gives us non-repudiation. Remember the public key can decrypt the private key for either user or vice versa. Since the receiver has their own private key and the sender's public key, they can decrypt the entire message.

If we want staff rotation, cross training and minimize the risk of fraud, the type of access control that is best for that would be role-based access control. Here rights are assigned based on job role, and as part of that we can use job rotation and mandatory vacations to cross train and lower the risk of fraud. Discretionary access control is based on the data owner's discretion and does nothing for what we are trying to do here. The same goes for rule-based access control, that is what our older firewalls use, IF this, THEN that.

The most important thing when implementing a heuristic IDS is tuning it. If it is not tuned right, we would get a lot of false positives (permitted traffic is denied), and false negatives (malicious traffic is not detected). We would apply patches when they are released, but they are not the MOST important thing. Encryption and packet filtering in this case are distractors, they would not be appropriate.

Role based access control would be the most efficient type of access control based on the answer options. Access is assigned to job roles reducing administrative overhead and making it more efficient. Decentralized would require more administrative overhead, so would discretionary access control, where the data owner would assign access at their discretion. Centralized access control is more efficient than decentralized, but in this example, we do not have enough information for it to the be the right answer.

We would use patch management to address new operating system security vulnerabilities. Change management is the control process we have in place to ensure changes to our environment are planned, tested, and implemented properly; patch management would be part of our change management process. Server management is the management of everything regarding the server, and security vulnerability management is managing vulnerabilities on a server, including patch management, but patch management is a MORE right answer.

It is most efficient to make a standard baseline and add additional standards to locations that need higher security. It could be an issue if we implemented the maximum standards in every location, best practices are nice, but we have no clue if they would be enough, and just implementing what every location has in common is never enough.

In our risk analysis, we would look at the size and likelihood of a loss, we need to quantify it to design appropriate countermeasures. What similar organizations do is to us unimportant, every environment is unique. We would never give the same protection profile to all our assets, they are not created equally, we need to give them the protection profile that matches what we discovered in the risk analysis. The potential size of the loss is always more important than how likely the incident is to happen. Us losing $1,000,000 in one incident is much worse than us having 100 incidences costing us $10.

2FA would make it the MOST secure, the user would most likely use Type 1 and Type 2 authentication (something you know and something you have). The IDS would detect attacks, but not attackers pretending to be authorized users. Challenge response would make the connection more secure, but 2FA is much more secure. SSO makes it easier for users but does nothing for user authentication.

Of the options here WPA-2 (Wi-Fi Protected Access-2) is the most secure protocol to implement on our new wireless network. Hiding our SSID does very little, since it still broadcasts, it takes a few seconds to find it regardless of it being hidden. Adding MAC filtering on our switch ports is also easy to bypass, the attacker would just have to spoof the MAC address of a trusted divide on a specific port and they would have network access. Finally, WEP is very easy break today, there are weaknesses in the algorithm, even very long complex passwords can be broken in less than 10 minutes.