At ValidExamDumps, we consistently monitor updates to the ISC2 CISSP exam questions published by ISC2. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both the PDF and the online practice exam. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can pass the ISC2 Certified Information Systems Security Professional exam on their first attempt without needing additional materials or study guides.
Other certification material providers often include questions that ISC2 has since changed or removed in their ISC2 CISSP exam products. These outdated questions lead to customers failing their ISC2 Certified Information Systems Security Professional exam. In contrast, we ensure our question bank includes only precise and up-to-date questions. Our main priority is your success in the ISC2 CISSP exam, not profiting from selling obsolete exam questions in PDF or online practice test form.
Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
A benefit of implementing an enterprise Identity and Access Management (IAM) solution is that the risk associated with orphan accounts is reduced. An orphan account belongs to a user who has left the organization or changed roles, but whose account was never disabled or deleted. Such accounts are a security risk because an attacker, or the former user, can use them to reach systems or data without anyone noticing, since no current owner is watching the account. An enterprise IAM solution manages the identification, authentication, authorization and provisioning of users and devices across the organization. It reduces orphan-account risk by automating account lifecycle management: creating, updating, suspending and deleting accounts based on the user's status, role or policy, normally driven by an authoritative source such as the HR system, so that a termination in HR triggers deprovisioning everywhere. It also supports monitoring and auditing of account activity so that orphan and dormant accounts can be detected and remediated. The other options, simplified password requirements, automatically enforced segregation of duties and increased data confidentiality, are possible features or side benefits of an IAM solution but are not the best answer. Password requirements are simplified by single sign-on (SSO) or federated identity management (FIM), which let a user access multiple systems or applications with one set of credentials. Segregation of duties is enforced by role-based access control (RBAC) or attribute-based access control (ABAC), which grant or deny access to resources based on the user's role or attributes. Data confidentiality is increased by encrypting or masking sensitive data, or by applying data loss prevention (DLP) or digital rights management (DRM) policies to it.
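As an added example (not part of the original question or its explanation), the following Python reconciles a directory's accounts against HR records, the joiner-mover-leaver check that an IAM solution automates, and produces a remediation plan. All employee and account records are constructed sample data, and the field names, the 90-day dormancy window and the disable-then-delete policy are assumptions made for the example.

```python
"""Added example: reconcile directory accounts against the HR source of truth to
find orphan and dormant accounts, the lifecycle check an IAM solution automates.
All employee and account records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str  # "active" or "terminated" in the HR system (assumed field)


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]      # HR id the account was provisioned for; None if unknown
    enabled: bool
    last_login: Optional[date]   # None if the account has never been used


@dataclass(frozen=True)
class Finding:
    state: str   # "orphan", "dormant" or "ok"
    reason: str
    action: str  # "disable", "delete", "review" or "none"


def classify_accounts(employees, accounts, today, dormant_after=timedelta(days=90)):
    """Return {username: Finding}. HR is the authoritative source: an account whose
    owner is terminated, or not in HR at all, is an orphan; an enabled account whose
    owner is fine but that has not been used within `dormant_after` is dormant."""
    hr = {e.emp_id: e for e in employees}
    findings = {}
    for acct in accounts:
        owner = hr.get(acct.owner_id) if acct.owner_id else None
        # Assumed policy: orphans are disabled first; an orphan that is already
        # disabled has sat through its retention period and is deleted.
        orphan_action = "disable" if acct.enabled else "delete"
        if owner is None:
            reason = ("no owner recorded" if acct.owner_id is None
                      else f"owner {acct.owner_id} not in HR")
            findings[acct.username] = Finding("orphan", reason, orphan_action)
        elif owner.status == "terminated":
            findings[acct.username] = Finding(
                "orphan", f"owner {owner.emp_id} terminated", orphan_action)
        elif acct.enabled and (acct.last_login is None
                               or today - acct.last_login > dormant_after):
            findings[acct.username] = Finding(
                "dormant", "no login within dormancy window", "review")
        else:
            findings[acct.username] = Finding("ok", "active owner, recent use", "none")
    return findings


def remediation_plan(findings):
    """List of (username, action) for every account needing a change, worst first."""
    order = {"delete": 0, "disable": 1, "review": 2}
    return sorted(
        ((user, f.action) for user, f in findings.items() if f.action != "none"),
        key=lambda item: (order[item[1]], item[0]),
    )


# Constructed sample data, not taken from any real directory or HR system.
TODAY = date(2024, 6, 1)
SAMPLE_EMPLOYEES = [
    Employee("E100", "active"),
    Employee("E101", "terminated"),
    Employee("E102", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, TODAY - timedelta(days=3)),      # ok
    Account("bob", "E101", True, TODAY - timedelta(days=40)),       # orphan: owner left, still enabled
    Account("bob_admin", "E101", False, None),                      # orphan: already disabled
    Account("carol", "E102", True, TODAY - timedelta(days=200)),    # dormant
    Account("dave", "E999", True, None),                            # orphan: owner unknown to HR
    Account("svc_backup", None, True, TODAY - timedelta(days=1)),   # orphan: no owner recorded
]

if __name__ == "__main__":
    plan = remediation_plan(classify_accounts(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, TODAY))
    for user, action in plan:
        print(f"{action:8s} {user}")
```

The point of the reconciliation is that the directory is never trusted as its own source of truth: an account is judged by whether HR still knows a live owner for it. Service accounts with no recorded owner surface as orphans on purpose, because an account nobody owns is exactly the account nobody will notice being abused.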
The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?
A Distributed Denial of Service (DDoS) attack was carried out using malware called Mirai to create a large-scale command and control system to launch a botnet. Which of the following devices were the PRIMARY sources used to generate the attack traffic?
The primary sources used to generate the attack traffic in the Mirai DDoS attacks were Internet of Things (IoT) devices. A DDoS attack aims to disrupt or degrade the availability of a system or service by flooding it with traffic or requests from many sources at once, so that it slows down, crashes, or becomes unreachable for legitimate users. Mirai is malware that infects IoT devices such as IP cameras, digital video recorders (DVRs) and home routers and enrols them in a botnet, a network of compromised devices controlled from a central command and control (C2) server. Mirai scans the internet for devices exposing Telnet, logs in using a built-in list of factory username and password pairs, and installs code that lets the attacker control the device remotely. In 2016 Mirai botnets were used for record-sized DDoS attacks, including one against the DNS provider Dyn that made Twitter, Netflix and many other services unreachable for hours. IoT devices were the primary sources of the attack traffic because:
They are abundant and ubiquitous: billions of IoT devices are connected to the internet and their number keeps growing.
They are insecure and vulnerable: many IoT devices lack basic security measures such as encryption, authentication or a patching mechanism, and ship with default or weak credentials (for example admin or 1234) that can be guessed or brute-forced, so a single hardcoded dictionary compromises a large share of exposed devices.
Collectively they are powerful: even low-end devices have enough processing power and bandwidth to generate a large volume of traffic, and Mirai could launch several flood types (TCP, UDP, HTTP and GRE) to target different layers of the network stack.
Reference: CISSP All-in-One Exam Guide, Chapter 7: Security Operations, Section: Malware, pp. 832-833.
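As an added example (not part of the original explanation or of Mirai itself), the following Python runs the detection side of the story over Telnet authentication logs: it flags a source that cycles through factory credentials the way Mirai's scanner did, and a device that actually accepted one. The log format, the log lines and the credential list are constructed for this example; the list is only a small sample of the kind of default pairs Mirai's hardcoded dictionary carried, not the full list.

```python
"""Added example: detect Mirai-style Telnet credential scanning and successful
default-credential logins from device or honeypot authentication logs.
The log format, log lines and credential list below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample of factory username/password pairs of the kind Mirai's
# built-in dictionary tried; a real deployment would load the full list.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("admin", "password"), ("root", "root"), ("user", "user"),
    ("root", "1234"), ("root", "password"),
}
TELNET_PORTS = {23, 2323}  # Mirai scanned both ports

# Assumed log format (constructed for this example):
# <timestamp> src=<ip> dport=<port> user=<name> pass=<secret> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines, scan_threshold=5):
    """Return {src_ip: verdict}. A source that logs in with a default credential
    means the device is 'compromised'. A source that tries at least scan_threshold
    distinct default pairs is a 'credential-scan'. Everything else is 'benign'."""
    per_src = defaultdict(lambda: {"default_pairs": set(), "default_success": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in TELNET_PORTS:
            continue  # skip malformed lines and non-Telnet services
        stats = per_src[ev["src"]]
        pair = (ev["user"], ev["pw"])
        if pair in DEFAULT_CREDS:
            stats["default_pairs"].add(pair)
            if ev["result"] == "ok":
                stats["default_success"] = True
    verdicts = {}
    for src, stats in per_src.items():
        if stats["default_success"]:
            verdicts[src] = "compromised"
        elif len(stats["default_pairs"]) >= scan_threshold:
            verdicts[src] = "credential-scan"
        else:
            verdicts[src] = "benign"
    return verdicts


# Constructed sample log: one scanner cycling through the dictionary, one device
# that accepted root/xc3511, a user mistyping their own password, and noise.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z src=203.0.113.7 dport=23 user=root pass=xc3511 result=fail
2016-10-21T11:02:14Z src=203.0.113.7 dport=23 user=root pass=vizxv result=fail
2016-10-21T11:02:14Z src=203.0.113.7 dport=23 user=root pass=admin result=fail
2016-10-21T11:02:15Z src=203.0.113.7 dport=23 user=admin pass=admin result=fail
2016-10-21T11:02:15Z src=203.0.113.7 dport=2323 user=root pass=888888 result=fail
2016-10-21T11:02:16Z src=203.0.113.7 dport=23 user=support pass=support result=fail
2016-10-21T11:05:40Z src=198.51.100.9 dport=23 user=root pass=xc3511 result=ok
2016-10-21T11:07:02Z src=192.0.2.5 dport=23 user=admin pass=Wr0ng-typo result=fail
2016-10-21T11:07:09Z src=192.0.2.5 dport=23 user=admin pass=C0rrect-Un1que result=ok
2016-10-21T11:08:00Z src=192.0.2.77 dport=22 user=root pass=root result=fail
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for src, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src:15s} {verdict}")
```

A successful login with a factory credential is the higher-priority finding: it means the device is already somebody else's bot, and blocking the scanner after the fact does not fix that. The real remediation is the one the list above implies, changing the default credentials and taking Telnet off the internet.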
A company needs to provide shared access of sensitive data on a cloud storage to external business partners. Which of the following identity models is the BEST to blind identity providers (IdP) and relying parties (RP) so that subscriber lists of other parties are not disclosed?
An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?
The statement that is true about the baseline cybersecurity standard an enterprise is developing for its suppliers is that it should be expressed in business terminology. A baseline cybersecurity standard defines the minimum level and type of security controls required to protect the information assets and systems of an organization, or of its suppliers, against the security risks and threats they face. Expressing it in business terminology means using language and concepts that are relevant and understandable to business stakeholders such as management, customers, or suppliers, rather than vendor-specific or purely technical detail that a supplier's contract signatory cannot evaluate. This helps communicate the security objectives and criteria, and keeps the controls aligned and integrated with the business needs and goals of the organization and its suppliers.
Reference: CISSP CBK, Fifth Edition, Chapter 2, page 113; 100 CISSP Questions, Answers and Explanations, Question 18.