CISSP Study Quiz 2

A lattice-based access control model, which is a type of label-based mandatory access control model, is used to define the levels of security that an object may have and that a subject may have access to.

EAP-TLS = Extensible Authentication Protocol-Transport Layer Security (uses PKI, establishes TLS tunnel)

EAP-TTLS = Extensible Authentication Protocol-Tunneled Transport Layer Security (establishes TLS tunnel without PKI)
LEAP = Lightweight Extensible Authentication Protocol (Cisco proprietary, insecure)
PEAP = Protected Extensible Authentication Protocol (Cisco, Microsoft, RSA version of EAP-TTLS)

An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.

The original TACACS was developed during the days of ARPANET which is the basis for the Internet. TACACS uses UDP as its communication protocol. TACACS+ uses TCP as its communication protocol.

A sample of software code or a model (prototype) can be developed to explore a specific approach to a problem before investing expensive time and resources. A team can identify the usability and design problems while working with a prototype and adjust their approach as necessary. Within the software development industry three main prototype models have been invented and used. These are the rapid prototype, evolutionary prototype, and operational prototype.

A biometric system executes a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown user in identification mode. If the comparison of the biometric sample to a template in the database falls within a threshold previously set, identifying the individual will succeed.

To digitally sign a message the sender hashes the plaintext then encrypts the hash with his/her private key

The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for

Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment.
Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.

This is a tricky question. Normally, biometrics is the preferred answer as it is a more secure means of authentication than even multi-factor authentication. However, you would not establish biometric access through a secured server or Web site. Therefore, the answer must be “Ensure the person is authenticated by something he knows and something he has”. This is an example of two-factor authentication.

The spiral model is a risk-driven process model generator for software projects. Thus, the incremental, waterfall, prototyping, and other process models are special cases of the spiral model that fit the risk patterns of certain projects.

An Intrusion Detection System (IDS) typically follows a two-step process. First procedures include inspection of the configuration files of a system to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations.

In a second step, procedures are network-based and considered an active component; mechanisms are set in place to reenact known methods of attack and to record system responses.

The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating.

The six different control functionalities are as follows:

Deterrent Intended to discourage a potential attacker

Preventive Intended to avoid an incident from occurring

Corrective Fixes components or systems after an incident has occurred

Recovery Intended to bring the environment back to regular operations

Detective Helps identify an incident’s activities and potentially an intruder

Compensating Controls that provide an alternative measure of control

Public Key describes a system that uses certificates or the underlying public key cryptography on
which the system is based.

In the traditional public key model, clients are issued credentials or "certificates" by a Certificate
Authority (CA). The CA is a trusted third party. Public key certificates contain the user's name, the
expiration date of the certificate etc. The most common certificate format is X.509. Public key
credentials in the form of certificates and public-private key pairs can provide a strong distributed
authentication system.

The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a
public key certificate (a Kerberos ticket is supplied to provide access to resources). However,
Kerberos tickets usually have lifetimes measured in days or hours rather than months or years.

Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and availability.

Confidentiality assures that the information is not disclosed to unauthorized persons or processes. Integrity ensures the consistency of data.

Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility.

The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met.

CobiT is a model that most information security auditors follow when evaluating a security program. The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.

A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit. Some honeypot systems have services emulated, meaning the actual service is not running but software that acts like those services is available. Honeypot systems can get an attacker’s attention by
advertising themselves as easy targets to compromise. They are configured to look like regular company systems so that attackers will be drawn to them like bears are to honey.

Organizations use these systems to identify, quantify, and qualify specific traffic types to help determine their danger levels. The systems can gather network traffic statistics and return them to a centralized location for better analysis. So as the systems are being attacked, they gather intelligence information that can help the network staff better understand what is taking place within their environment.

Application-layer firewalls are most secure, they have ability to filter based on OSI Layers 3-7

Packet filter = filters traffic on basis of single packet; no concept of "state"
Stateful firewall = uses state table to compare current packets to previous ones
Circuit-layer firewall = operates at layer 5 and cannot filter based on application-layer data

Polyinstantiation means “many instances,” such as two objects with the same names that have different data.

Delegation allows objects to delegate messages to other objects.
Inheritance means an object inherits capabilities from its parent class.
Polymorphism allows the ability to overload operators, performing different methods depending on the context of the input message.

A Trojan horse is code that is disguised as a useful application but contains code that has a malicious or harmful purpose imbedded in it. The Trojan horse can then set up a back door, install keystroke loggers, implement rootkits, upload files from the victim’s system, install bot software, and perform many other types of malicious acts.

DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, uses capacitors)

EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
SRAM = Static Random Access Memory (fast and expensive, uses switches)
SSD = Solid State Drive

Preventive controls stop actions from taking place. It applies restrictions to what a possible user can do, whether the user is authorized or unauthorized.

Operations security is concerned with maintaining networks, computer systems, applications, and environments in a secure and protected manner. It consists of ensuring that users, applications, and servers have the proper access privileges to only the resources they have permissions for to and that oversight is implemented via monitoring, auditing, and reporting controls.

A Pseudo flaw is appears as a vulnerability in an operating system program but is in actual fact a trap for intruders who may attempt to exploit the vulnerability.

The description of the database is called a schema, and the schema is defined by a Data Definition Language (DDL). DDL is similar to a computer programming language and is used for defining data structures, such as database schemas.

Decreasing the amount of minutiae will make the accuracy of the system lower, which lower false rejects but raises false accepts.

Enrollment and Throughput time are not directly connected to FAR and FRR

In Kerberos implementations where the use of an authenticator is configured, the user sends their identification information and a timestamp and sequence number encrypted with the shared session key to the requested service, which then decrypts this information and compares it with the identification data the KDC sent to it about this requesting user. If the data matches, the user is allowed access to the requested service.

The network logs contain information which can give clues on computer incidents that have occurred. This information must be collected, saved for future use (retained), reviewed, and analyzed. These activities related to handling incidents are the responsibility of the Computer Incident Response Team.

Ports 0 to 1023 are well-known ports assigned by the IANA (Internet Assigned Numbers Authority). These ports are reserved for specific services and protocols that are commonly used and recognized worldwide. Well-known ports include ports like HTTP (port 80), HTTPS (port 443), FTP (port 21), SSH (port 22), and many others. These ports are standardized and widely known, making them easily identifiable and accessible for network communication.

There is no Add command within the Structure Query Language (SQL). Instead the Insert command is used to add new data to the database.

There is also no Relist command within SQL.

With the Clark–Wilson model, users are unable to modify critical data (CDI) directly. Users have to be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user.

Mechanisms based on IP addresses create a problem for mobile users because mobile devices often change their IP addresses as they move between different networks. This means that if an authentication mechanism relies on a specific IP address to verify a user's identity, the user may be denied access or face difficulties in authenticating when their IP address changes. Therefore, mechanisms based on IP addresses are not suitable for mobile users who frequently switch networks.

The canons are applied in order, and Protect society, the commonwealth, and the infrastructure is the first canon listed

ALE = Annualized Loss Expectancy; Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

SLE = amount lost per occurrence
ARO = number of occurrences per year

The purpose of denormalization is to improve the read performance and processing efficiency of a database by adding redundant data or by grouping data.

A trojan horse is any code that appears to have some useful purpose but contains code that has a malicious or harmful purpose imbedded in it. It is non-self-replicating malware that often includes a trapdoor as a means to gain access to a computer system bypassing security controls.

Resumption Planning details the steps required to restore normal business operations after a recovering from a disruptive event.

Business Continuity Planning develops a long-term plan to ensure the continuity of business operations.
The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster.
The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.

The transport layer provides host-to-host (for example, computer-to-computer) communication services.

The session layer provides the mechanism for opening, closing and managing a session between end-user application processes.

An object-oriented database (OODB) has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.

Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time.

Audit trails list the actions performed by the user account used to perform the actions. However, if all the users are using the same user account, you have no way of knowing which person performed which action. Therefore, you have no “accountability”.

In a Kerberos implementation that is configured to use an authenticator, the user sends to the
server her identification information, a timestamp, as well as sequence number encrypted with the
session key that they share. The server then decrypts this information and compares it with the
identification data the KDC sent to it regarding this requesting user. The server will allow the user
access if the data is the same. The timestamp is used to help fight against replay attacks.

An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization’s security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall or are occurring within the local area network behind the firewall. A network-based IDS usually provides reliable, real-time information without consuming network or host resources. A network-based IDS is passive while it acquires data. Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected. Furthermore, because this IDS is monitoring an attack in realtime, it can also respond to an attack in progress to limit damage.

Kerberos is a network authentication protocol that relies on symmetric key cryptography. It uses a trusted third-party server, known as the Key Distribution Center (KDC), to authenticate users and provide them with tickets to access network resources. These tickets are encrypted using symmetric ciphers, which means that the same secret key is used for both encryption and decryption. This ensures secure communication between the client and the server. Therefore, the statement "it depends upon symmetric ciphers" is true about Kerberos.

In IPSec tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications.

Buffer overflows are in the source code of various applications and operating systems. They have been around since programmers started developing software. This means it is very difficult for a user to identify and fix them. When a buffer overflow is identified, the vendor usually sends out a patch, so keeping systems current on updates, hotfixes, and patches is usually the best countermeasure.

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments,
or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

The data link layer provides node-to-node data transfer -- a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It, among other things, defines the protocol to establish and terminate a connection between two physically connected devices. It also defines the protocol for flow control between them.

The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC, defined in the IEEE 802.2 specification, communicates with the protocol immediately above it, the network layer. The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer.

The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. So when you see a reference to an IEEE standard, such as 802.11, 802.16, or 802.3, it refers to the protocol working at the MAC sublayer of the data link layer of a protocol stack.

IPSec works at the network layer, not at the transport layer

Interpreters translate one command at a time during run-time or execution time.

If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance.

By being proactive and removing the vulnerability causing the risk, we are avoiding the risk.

You should perform stress tests in a test environment. It is best to use live workload data as the stress test would be more realistic.

Stress testing (sometimes called torture testing) is a form of deliberately intense or thorough testing used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results.

A capability table stipulates the access rights that a specified subject has in relation to detailed objects.

Access control lists defines subjects that are authorized to access a specific object, and includes the level of authorization that subjects are granted.

Therefore, the difference between the two is that the subject is bound to the capability table, while the object is bound to the ACL.

The statement “Control modifications to system hardware in order to prevent resource changes” is not a key element of a good configuration process. Modifications to system hardware should be controlled by a change control procedure.

An object-oriented database has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.

IPSEC: Encapsulating Security Payload (ESP) provides encryption (Network Layer)
SSH: supports several encryption algorithms
SSL: implemented asymmetric encryption (Transport Layer)
TLS: supports several encryption algorithms (Transport Layer)

PPTP: No encryption (Data Link Layer)
MPLS: Converged Protocol, no encryption
L2F: authentication tunneling, no encryption (Data Link Layer)
L2TP: Uses IPSEC for encryption (Data Link Layer)
TFTP: no encryption (Application Layer)

Port knocking is an authentication method used by network administrators to control access to computers or other network devices behind a firewall. Port knocking takes advantage of firewall rules to allow a client who knows the "secret knock" to enter the network through a particular port by performing a sequence of connection attempts (called a knock sequence). The correct knock sequence for any given port is created for specific IP addresses by the network administrator. A small program called a daemon monitors the firewall log files for connection requests and determines whether or not a client seeking the network is on the list of approved IP addresses and has performed the correct knock sequence. If the answer is yes, it opens the associated port and allows access. Of course, if unauthorized personnel discover the knock sequence, then they, too,
can gain access.

With Link Encryption each entity has keys in common with its two neighboring nodes in the transmission chain. Thus, a node receives the encrypted message from its predecessor (the neighboring node), decrypts it, and then re-encrypts it with another key that is common to the successor node. Then, the encrypted message is sent on to the successor node where the process is repeated until the final destination is reached. Obviously, this mode does not provide protection if the nodes along the transmission path can be compromised.

Kerberos addresses the confidentiality and integrity of information. It does not directly address availability and attacks such as frequency analysis. Furthermore, because all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to both physical attacks and attacks from malicious code. Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window.
Because a client’s password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client.

Security structures called referential validation within tables are not an element of a relational database model. Referential integrity is used to ensure all foreign keys reference primary keys. Referential validation is not a security structure within a table.

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device, with a built-in backdoor, intended to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct.

The Clipper chip used a data encryption algorithm called Skipjack to transmit information and the Diffie-Hellman key exchange-algorithm to distribute the cryptokeys between the peers. At the heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a cryptographic key, that would then be provided to the government in escrow. If government agencies "established their authority" to listen to a communication, then
the key would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone. The newly formed Electronic Frontier Foundation preferred the term "key surrender" to emphasize what they alleged was really occurring.

This option is incorrect because the block sizes supported by Rijndael are 128, 192, and 256 bits.

Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.

Dynamic testing examines code while executing it.
Misuse case testing formally models how security would be impacted by an adversary abusing the application.
Static testing examines the code passively; the code is not running. This form of testing includes walkthroughs, syntax checking, and code reviews.

JAVA was developed so that the same program could be executed on multiple hardware and operating system platforms, it is not Architecture Specific.

Cryptography can prevent unauthorized users from being able to read or modify the data. However, it cannot prevent someone deleting the encrypted data.

Modern cryptography concerns itself with the following four objectives:

1) Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2) Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4) Authentication (the sender and receiver can confirm each other’s identity and the origin/destination of the information.

IaaS = Infrastructure as a service; provides an entire virtualized operating systems, which the customer configures from the OS on up.

Most IPsec implementations consist of an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets. No Public Key Infrastructure is required.

RAID level 0 (disk striping) offers no fault tolerance, just performance improvements

In addition to the accuracy of the biometric systems, there are other factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a system. Acceptable throughput rates are in the range of 10 subjects per minute.

The correct answer is system owner. The system owner is responsible for the actual computers that house data, including the security of hardware and software components. They ensure that the system is maintained, updated, and protected from any potential threats or vulnerabilities. The system owner also oversees the overall functioning and performance of the system to ensure that it meets the organization's needs and objectives.

Serial Line Internet Protocol (SLIP) is an older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial - up.

The data link layer is responsible for proper communication within the network devices and for changing the data into the necessary format (electrical voltage) for the physical link or channel

Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network of which a client requires services.

Kerberos addresses the confidentiality and integrity of information. It does not directly address availability and attacks such as frequency analysis.

Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at “cracking” the cipher is also known as an attack.

In a Known Plaintext attack, the attacker has both the plaintext and the associated ciphertext of several messages.

SRAM = Static Random Access Memory (fast and expensive, contains switches)

DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, contains capacitors)
EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
SSD = Solid State Drive

The TCP/IP model include the following four layers: application, host-to-host, Internet, and Network access.

There are three main performance measures in biometrics. These measures are as follows:

False Rejection Rate (FRR) or Type I Error. The percentage of valid subjects that are falsely rejected.

False Acceptance Rate (FAR) or Type II Error. The percentage of invalid subjects that are falsely accepted.

Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.

Voice pattern biometrics have the highest Crossover Error Rate (CER). This is because voice patterns tend to change with the individual’s mood and health. The common cold or flu, for instance, would alter the tone and pitch of a person’s voice.

Entity integrity means each tuple has a unique primary key that is not null.

Normalization seeks to make the data in a database table logically concise, organized, and consistent.
Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken.
Semantic integrity means each attribute (column) value is consistent with the attribute data type.

The potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is that the optical unit must be positioned so that the sun does not shine into the aperture. This is important because direct sunlight can interfere with the accuracy of the iris recognition process and may result in false readings or errors. Therefore, it is necessary to ensure that the scanner is installed in a location where it is not exposed to direct sunlight to maintain the reliability and effectiveness of the iris scanning technology.

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Unshielded Twisted Pair cabling consists of an outer jacket and four pairs of twisted wire medium.

Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs).

A Synchronous token generates a one-time password that is only valid for a short period of time.
Once the password is used it is no longer valid, and it expires if not entered in the acceptable time
frame.

The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.

Tunneling is the correct answer because it refers to the process of encapsulating IPv6 packets within IPv4 packets, allowing them to be transmitted over an IPv4 network. This enables communication between an IPv6 network and an IPv4 network by creating a virtual tunnel between them.

To determine the user interface would not be part of the change control phase. This would be done in an earlier phase.

The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerability, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity.

Cohesion reflects how many different types of tasks a module can carry out. If a module carries out only one task (i.e., subtraction) or several tasks that are very similar (i.e., subtract, add, multiply), it is described as having high cohesion, which is a good thing. The higher the cohesion, the easier it is to update or modify and not affect other modules that interact with it. This also means the module is easier to reuse and maintain because it is more straightforward when compared to a module with low cohesion.

Coupling is a measurement that indicates how much interaction one module requires to carry out its tasks. If a module has low (loose) coupling, this means the module does not need to communicate with many other modules to carry out its job. High (tight) coupling means a module depends upon many other modules to carry out its tasks. Low coupling is more desirable because the modules are easier to understand, easier to reuse, and changes can take place and not affect
many modules around it. Low coupling indicates that the programmer created a well-structured module.

E-mail encryption solutions such as S/MIME have been available for a long time. These encryption solutions have seen varying degrees of adoption in organizations of different types. However, such solutions present some challenges:

Inability to apply messaging policies: Organizations also face compliance requirements that require inspection of messaging content to make sure it adheres to messaging policies. However, messages encrypted with most client-based encryption solutions, including S/MIME, prevent content inspection on the server. Without content inspection, an organization can't validate that all messages sent or received by its users comply with messaging policies.

Decreased security: Antivirus software is unable to scan encrypted message content, further exposing an organization to risk from malicious content such as viruses and worms. Encrypted messages are generally considered to be trusted by most users, thereby increasing the likelihood of a virus spreading throughout your organization.