Which statement is TRUE regarding network firewalls preventing Web Application attacks?
Network firewalls, often operating at the network or transport layer, primarily filter traffic based on protocol, port, and IP address. However, since web applications typically use HTTP and HTTPS protocols over ports 80 and 443, which must remain open for the applications to function, network firewalls cannot inherently distinguish between malicious and legitimate web traffic. Therefore, network firewalls alone cannot effectively prevent web application attacks, as these attacks often involve legitimate requests that exploit vulnerabilities in the application itself, necessitating more specialized security measures such as Web Application Firewalls (WAFs) to offer adequate protection.
Which of the following programs is usually targeted at Microsoft Office products?
A macro virus is specifically designed to exploit the macros within office software applications, such as Microsoft Office. These viruses are embedded within documents and automatically execute when the document is opened, making them a common threat to Microsoft Office products.
Bluetooth uses which digital modulation technique to exchange information between paired devices?
Bluetooth primarily uses frequency-shift keying (FSK) for its communication. Specifically, it uses Gaussian Frequency-Shift Keying (GFSK) for basic data rates. While Phase-Shift Keying (PSK) is indeed used for Enhanced Data Rate (EDR) in Bluetooth, the fundamental modulation technique for basic Bluetooth communication is FSK. Therefore, FSK is the correct answer.
In order to show improvement of security over time, what must be developed?
To show improvement of security over time, metrics must be developed. Metrics provide quantifiable data that can be used to measure and track security performance, participation, effectiveness, and exposure windows. This information is essential for making informed decisions and improving security programs within an organization.
Passive reconnaissance involves collecting information through which of the following?
Passive reconnaissance involves gathering information without directly interacting with the target system, thereby avoiding detection. This typically includes collecting data from publicly accessible sources such as websites, social media, publicly available reports, and other open-source intelligence. Other methods like social engineering, network traffic sniffing, and man-in-the-middle attacks would involve more active engagement, which does not align with the definition of passive reconnaissance.