SSCP Exam Questions

Total 1048 Questions

Last Updated Exam : 30-Dec-2024

Topic 1: Access Control

Which of the following biometric devices offers the LOWEST CER?

A. Keystroke dynamics
B. Voice verification
C. Iris scan
D. Fingerprint

Answer: C. Iris scan

The crossover error rate (CER, also called the equal error rate) is the point at which a device's false acceptance rate equals its false rejection rate; the lower the CER, the more accurate the device. From most effective (lowest CER) to least effective (highest CER): iris scan, fingerprint, voice verification, keystroke dynamics.
Reference: Shon Harris, All-in-One CISSP Exam Guide, 3rd Ed., Chapter 4: Access Control, page 131.
Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometricselection-body-parts-online_139
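The ranking above is only meaningful once you know how a CER is obtained. The following is an added example, not material from the question bank or from any biometric vendor: it sweeps a decision threshold over matcher scores, computes FAR and FRR at each point, reports the crossover, and ranks two devices by it. The score lists are constructed sample data; "device_a" and "device_b" stand for a well-separating and a poorly-separating device, not for any named product.

```python
# Added example (not from the SSCP question bank): how a crossover error rate
# is obtained from matcher scores, and how two devices are ranked by it.
# All scores below are constructed sample data, not measurements of any
# real iris, fingerprint, voice or keystroke product.
from typing import Dict, List, Tuple

# Constructed match scores (0-100, higher = closer to the enrolled template).
# "device_a" separates users well; "device_b" has heavy genuine/impostor overlap.
DEVICES: Dict[str, Dict[str, List[int]]] = {
    "device_a": {
        "genuine": [80, 83, 85, 87, 89, 91, 93, 95, 97, 99],
        "impostor": [10, 15, 20, 25, 30, 35, 40, 45, 50, 82],
    },
    "device_b": {
        "genuine": [55, 60, 65, 70, 75, 80, 85, 90, 95, 99],
        "impostor": [20, 30, 40, 50, 60, 65, 70, 75, 80, 85],
    },
}


def far(impostor: List[int], threshold: float) -> float:
    """False acceptance rate: fraction of impostor attempts at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: float) -> float:
    """False rejection rate: fraction of genuine attempts below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Sweep every observed score as a decision threshold and return
    (threshold, CER) at the point where FAR and FRR are closest.
    With discrete data the two curves rarely meet exactly, so the CER is
    reported as the mean of FAR and FRR at the best threshold."""
    best_threshold, best_gap, best_cer = 0.0, float("inf"), 1.0
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if gap < best_gap:
            best_threshold, best_gap, best_cer = t, gap, (a + r) / 2
    return best_threshold, best_cer


def rank_by_cer(devices: Dict[str, Dict[str, List[int]]]) -> List[Tuple[str, float]]:
    """Most to least accurate device, i.e. lowest CER first."""
    ranked = [
        (name, crossover_error_rate(d["genuine"], d["impostor"])[1])
        for name, d in devices.items()
    ]
    return sorted(ranked, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, cer in rank_by_cer(DEVICES):
        t, _ = crossover_error_rate(DEVICES[name]["genuine"], DEVICES[name]["impostor"])
        print(f"{name}: CER={cer:.2f} at threshold {t}")
```

Raising the threshold lowers FAR and raises FRR; the operating point a deployment actually uses is often not the crossover at all (a data-centre door is tuned for low FAR, a consumer phone for low FRR), which is why CER is a comparison figure rather than a configuration value.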

In the CIA triad, what does the letter A stand for?

A. Auditability
B. Accountability
C. Availability
D. Authentication

Answer: C. Availability

The CIA triad stands for Confidentiality, Integrity and Availability.

What is the primary role of smartcards in a PKI?

A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Easy distribution of the certificates between the users
D. Tamper resistant, mobile storage and application of private keys of the users

Answer: D. Tamper resistant, mobile storage and application of private keys of the users

Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 139;
SNYDER, J., What is a SMART CARD?.
Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance

Security
Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:
- physical attack of various forms (microprobing, drills, files, solvents, etc.)
- freezing the device
- applying out-of-spec voltages or power surges
- applying unusual clock signals
- inducing software errors using radiation
- measuring the precise time and power requirements of certain operations (see power analysis)

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled.

Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
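The closing point above, that a tamper-resistant system should fail gracefully so that compromising one device does not compromise the whole, is usually met with key diversification: the issuer keeps a master key and each card receives only a key derived from the master and the card's serial number. The following is an added example, not code from the question bank or from any card vendor's card operating system; the master key, serial numbers and challenge are constructed values, and the `Card` class is a simulation of the card's behaviour rather than a driver for real hardware.

```python
# Added example (not code from the SSCP question bank or from any card vendor):
# "fail gracefully" for a fleet of tamper-resistant tokens through key
# diversification. The backend (standing in for an HSM) holds a master key and
# hands each card only a key derived from the master and the card's serial.
# The master key, serials and challenge below are constructed values.
import hashlib
import hmac

MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)  # constructed; in practice this never leaves the HSM


def diversify(master: bytes, card_serial: bytes) -> bytes:
    """Per-card key = HMAC-SHA256(master, label || serial).
    One-way: knowing a card key reveals neither the master nor another card's key."""
    return hmac.new(master, b"card-auth-v1|" + card_serial, hashlib.sha256).digest()


class Card:
    """Simulated tamper-resistant card: stores one diversified key, exposes only
    a challenge-response operation, and zeroises itself on a tamper event."""

    def __init__(self, serial: bytes, key: bytes) -> None:
        self.serial = serial
        self._key = bytearray(key)  # bytearray so it can be overwritten in place

    def respond(self, challenge: bytes) -> bytes:
        if not any(self._key):
            raise RuntimeError("key zeroised: card refuses to operate")
        return hmac.new(bytes(self._key), challenge, hashlib.sha256).digest()

    def tamper_event(self) -> None:
        """What the chip's intrusion / out-of-spec sensors trigger: wipe key material."""
        for i in range(len(self._key)):
            self._key[i] = 0


class Backend:
    """Issuer/verifier holding the master key. It re-derives each card's key on
    demand, so it stores no per-card secrets that could leak in bulk."""

    def __init__(self, master: bytes) -> None:
        self._master = master

    def issue(self, serial: bytes) -> Card:
        return Card(serial, diversify(self._master, serial))

    def verify(self, serial: bytes, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(diversify(self._master, serial), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def scenario() -> dict:
    backend = Backend(MASTER_KEY)
    card_a = backend.issue(b"SN-0001")
    card_b = backend.issue(b"SN-0002")
    challenge = bytes(range(16))  # constructed; a real verifier uses fresh random bytes

    genuine_ok = backend.verify(card_a.serial, challenge, card_a.respond(challenge))

    # An attacker physically extracts card A's key (microprobing etc.) and tries
    # to pass as card B: this fails, because B's key is an independent HMAC output.
    extracted_key_a = bytes(card_a._key)  # models the physical extraction
    forged = hmac.new(extracted_key_a, challenge, hashlib.sha256).digest()
    forgery_as_b = backend.verify(card_b.serial, challenge, forged)

    # The tamper sensor fires on card A: it zeroises and stops responding.
    card_a.tamper_event()
    try:
        card_a.respond(challenge)
        zeroised_card_responds = True
    except RuntimeError:
        zeroised_card_responds = False

    return {
        "card_a_authenticates": genuine_ok,
        "extracted_key_a_impersonates_b": forgery_as_b,
        "zeroised_card_responds": zeroised_card_responds,
    }


if __name__ == "__main__":
    print(scenario())
```

The attacker who spends the "several hundred thousand dollars" on card A gets exactly one card's worth of value; to go further they must attack the HSM holding the master key, which is a different (and far better protected) target. For a PKI smartcard holding per-user private keys the same logic applies without diversification: the key pair is generated on-card, only the certificate leaves it, and a compromised card exposes one user, who is then revoked.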

Which of the following is not a physical control for physical security?

A. lighting
B. fences
C. training
D. facility construction materials

Answer: C. training

Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, facility management, personnel controls, training, and emergency response and procedures.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd Ed., Chapter 6, page 403.

Guards are appropriate whenever the function required by the security program involves which of the following?

A. The use of discriminating judgment
B. The use of physical force
C. The operation of access control devices
D. The need to detect unauthorized access

Answer: A. The use of discriminating judgment

The use of discriminating judgment: a guard can make determinations that hardware or other automated security devices cannot, because of the ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment. Guards are better at making value decisions at times of incidents. They are appropriate whenever immediate, discriminating judgment is required by the security entity.

The following answers are incorrect:
The use of physical force: not the best answer. A guard provides discriminating judgment, including the ability to discern when physical force is needed.
The operation of access control devices: a guard is often uninvolved in the operation of automated access control devices such as a biometric reader, a smart lock, or a mantrap.
The need to detect unauthorized access: the primary function of a guard is not to detect unauthorized access but to prevent unauthorized physical access attempts; a guard may also deter social engineering attempts.

The following reference(s) were used to create this question:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 339).
Source: ISC2 Official Guide to the CBK, pages 288-289.

Detective/Technical measures:

A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.
C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information.
D. include intrusion detection systems and customised-generated violation reports from audit trail information.

Answer: A. include intrusion detection systems and automatically-generated violation reports from audit trail information.

Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
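What an "automatically-generated violation report with a clipping level" looks like in practice is easier to see than to describe. The following is an added example, not from the question bank or any IDS product: it parses failed-login records from an audit trail, counts them per user and per source address, and reports only the counts that reach the clipping level. The audit lines are constructed for the example (the format imitates an sshd log but is not taken from a real system).

```python
# Added example (not from the SSCP question bank): an automatically generated
# violation report from audit-trail records, with a clipping level that keeps
# ordinary mistakes (a mistyped password or two) out of the report.
# The audit lines are constructed for this example, not real logs.
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

SAMPLE_AUDIT_TRAIL = """\
2024-12-30T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-12-30T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2024-12-30T08:00:04 host1 sshd: Accepted password for alice from 10.0.0.5
2024-12-30T08:01:10 host1 sshd: Failed password for invalid user admin from 203.0.113.9
2024-12-30T08:01:11 host1 sshd: Failed password for invalid user admin from 203.0.113.9
2024-12-30T08:01:12 host1 sshd: Failed password for invalid user admin from 203.0.113.9
2024-12-30T08:01:13 host1 sshd: Failed password for invalid user admin from 203.0.113.9
2024-12-30T08:01:14 host1 sshd: Failed password for invalid user admin from 203.0.113.9
2024-12-30T08:02:00 host1 sshd: Failed password for bob from 10.0.0.7
2024-12-30T08:02:30 host1 sshd: Failed password for root from 203.0.113.9
2024-12-30T08:02:31 host1 sshd: Failed password for root from 203.0.113.9
2024-12-30T08:02:32 host1 sshd: Failed password for root from 203.0.113.9
"""

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_logins(audit_trail: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, source address) for every failed-login record."""
    for line in audit_trail.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            yield match.group("user"), match.group("src")


def violation_report(audit_trail: str, clipping_level: int = 3) -> Dict[str, Dict[str, int]]:
    """Count failures per user and per source; report only counts that reach
    the clipping level. Raising the level shrinks the report, lowering it
    surfaces more (and noisier) entries."""
    per_user: Counter = Counter()
    per_source: Counter = Counter()
    for user, src in failed_logins(audit_trail):
        per_user[user] += 1
        per_source[src] += 1
    return {
        "users": {u: n for u, n in per_user.items() if n >= clipping_level},
        "sources": {s: n for s, n in per_source.items() if n >= clipping_level},
    }


def format_report(report: Dict[str, Dict[str, int]]) -> str:
    """Render the report as one line per flagged entry, largest count first."""
    lines = []
    for section, entries in report.items():
        for key, n in sorted(entries.items(), key=lambda kv: -kv[1]):
            lines.append(f"{section}: {key} had {n} failed logins")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(violation_report(SAMPLE_AUDIT_TRAIL, clipping_level=3)))
```

Counting per source as well as per user matters: an attacker spraying one guess across many accounts never trips a per-user clipping level, but the source address does. The clipping level itself is a tuning decision; set it from a baseline of normal failure rates, not from a round number.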

When submitting a passphrase for authentication, the passphrase is converted into ...

A. a virtual password by the system
B. a new passphrase by the system
C. a new passphrase by the encryption technology
D. a real password by the system which can be used forever

Answer: A. a virtual password by the system

Passwords can be compromised and must be protected. In the ideal case, a password would be used only once; in practice, password change policies fall between one-time use and never changing. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. The more times a password is used, the more chance there is of it being compromised.

It is recommended to use a passphrase instead of a password; a passphrase is longer and therefore more resistant to guessing attacks. The passphrase is converted into a virtual password by the system: FIPS 112 describes a passphrase as a character string longer than the system's maximum password length, which the password system transforms, by a one-way function or similar algorithm, into a virtual password of acceptable length. This transformation is not simple truncation; cutting the passphrase off at the maximum password length would discard the extra characters and the strength they add.
Reference(s) used for this question:
http://www.itl.nist.gov/fipspubs/fip112.htm
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.
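The difference between truncating a passphrase and transforming it into a virtual password is worth seeing on real input. The following is an added example, not code from the question bank or from FIPS 112: it shows that two passphrases differing only after the system's length limit truncate to the same value, while a one-way transformation of the whole passphrase keeps them distinct. The 8-byte field length, the PBKDF2 work factor and the NFKC normalisation are assumptions made for the example.

```python
# Added example (not from the SSCP question bank or from FIPS 112): turning a
# passphrase into a fixed-length virtual password. It contrasts naive
# truncation, which throws away every character past the system's limit, with
# a one-way transformation that depends on the whole passphrase. The 8-byte
# limit and the PBKDF2 parameters are assumptions for the example.
import hashlib
import hmac
import os
import unicodedata

VIRTUAL_PASSWORD_LEN = 8   # assumed legacy field: 64 bits, the size of a DES-era key
PBKDF2_ROUNDS = 100_000    # assumed work factor


def truncated_virtual_password(passphrase: str) -> bytes:
    """What not to do: keep only the first VIRTUAL_PASSWORD_LEN bytes."""
    return passphrase.encode("utf-8")[:VIRTUAL_PASSWORD_LEN]


def hashed_virtual_password(passphrase: str, salt: bytes) -> bytes:
    """One-way transformation of the entire passphrase into a value that fits
    the password field. NFKC normalisation makes visually identical input
    (composed vs. decomposed accents) produce the same virtual password."""
    normalised = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", normalised, salt, PBKDF2_ROUNDS, dklen=VIRTUAL_PASSWORD_LEN
    )


def enroll(passphrase: str) -> tuple:
    """Store (salt, virtual password); the passphrase itself is never stored."""
    salt = os.urandom(16)
    return salt, hashed_virtual_password(passphrase, salt)


def verify(passphrase: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed virtual password."""
    return hmac.compare_digest(hashed_virtual_password(passphrase, salt), stored)


if __name__ == "__main__":
    a, b = "correct horse battery staple", "correct horse battery stapler"
    print("truncation collides:", truncated_virtual_password(a) == truncated_virtual_password(b))
    salt, vp = enroll(a)
    print("hashed distinguishes:", verify(a, salt, vp), verify(b, salt, vp))
```

An 8-byte virtual password still only carries 64 bits, so the field length, not the passphrase, bounds the work of an offline attacker who obtains the stored values; the salt and iteration count raise the cost per guess but do not change that bound. Where the backend allows it, store a longer derived value.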

Which of the following is needed for System Accountability?

A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria
C. Authorization.
D. Formal verification of system design

Answer: A. Audit mechanisms.

Accountability is the ability to identify users and to track their actions. Audit mechanisms are the means of doing so: through audit logs and other tools, user actions are recorded and can be reviewed at a later date to verify what actions were performed.
The following answers are incorrect:
Documented design as laid out in the Common Criteria: incorrect because the Common Criteria is an international standard for evaluating trust and is not a factor in system accountability.
Authorization: incorrect because authorization is granting access to subjects; having authorization does not hold the subject accountable for their actions.
Formal verification of system design: incorrect because verifying the system design takes no step toward system accountability.
References:
OIG CBK Glossary (page 778)

In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on:

A. sex of a person
B. physical attributes of a person
C. age of a person
D. voice of a person

Answer: B. physical attributes of a person

Today the implementation of fast, accurate, reliable and user-acceptable biometric identification systems is already under way.
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7.

Which type of attack involves impersonating a user or a system?

A. Smurfing attack
B. Spoofing attack
C. Spamming attack
D. Sniffing attack

Answer: B. Spoofing attack

A spoofing attack is when an attempt is made to gain access to a computer system by posing as an authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers to observing packets passing on a network.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 77).

