PrepAway - Latest Free Exam Questions & Answers

Which statement below is accurate about the reasons to implement a layered security architecture?

A.
A layered approach doesn’t really improve the security posture of
the organization.

B.
A layered security approach is intended to increase the work-factor
for an attacker.

C.
A good packet-filtering router will eliminate the need to implement
a layered security architecture.

D.
A layered security approach is not necessary when using COTS
products.

Explanation:
Security designs should consider a layered approach to address or
protect against a specific threat or to reduce a vulnerability. For example,
the use of a packet-filtering router in conjunction with an application
gateway and an intrusion detection system combines to increase
the work-factor an attacker must expend to successfully attack the system.
The need for layered protections is important when commercial-off-the-shelf (COTS) products are used. The current state-of-the-art for
security quality in COTS products does not provide a high degree of protection
against sophisticated attacks. It is possible to help mitigate this
situation by placing several controls in levels, requiring additional
work by attackers to accomplish their goals.

Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
