SSCP Exam Questions

Total 1048 Questions

Last Updated: 30-Dec-2024

Topic 1: Access Control

Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines?

A. TACACS
B. Call-back
C. CHAP
D. RADIUS

Answer: B. Call-back

Call-back allows a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this system is that the user must be at a fixed location whose phone number is known to the authentication server. Mobile workers access the system from multiple locations, making call-back inappropriate for them.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 44).

A network-based vulnerability assessment is a type of test also referred to as:

A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment.

Answer: A. An active vulnerability assessment.

A network-based vulnerability assessment tool either re-enacts system attacks, noting and recording the responses to those attacks, or probes different targets to infer weaknesses from their responses. Since the assessment actively attacks or scans the targeted systems, network-based vulnerability assessment systems are also called active vulnerability assessment systems.

There are two main types of test:

PASSIVE: You do not send any packets to or interact with the remote target. You use public databases and other techniques to gather information about the target.

ACTIVE: You send packets to the target and attempt to stimulate responses that help you gather information about which hosts are alive, which services are running, port states, and more.

Examples of both types of attack:

Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker does not affect the protocol, algorithm, key, message, or any other part of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to prevent them rather than to detect and stop them. Altering messages, modifying system files, and masquerading as another individual are considered active attacks because the attacker is actually doing something rather than sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.

IMPORTANT NOTE: Commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic: it uses general terms, not vendor terms. Experience with specific products could trick you into selecting the wrong choice. See the feedback from Jason below:

"I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network-based vulnerability scanning. Both commercially available tools refer to a network-based vulnerability scan as a 'credentialed' scan. Without credentials, the scan tool cannot log in to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable."

Reference(s) used for this question:
HARRIS, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill. Kindle Edition.
and
DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 97).

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

A. clipping level
B. acceptance level
C. forgiveness level
D. logging level

Answer: A. clipping level

The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an event repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc.

Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user's account after three failed login attempts, that threshold of three is the "clipping level".

The other answers are not correct because acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.

Reference:
Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. I cannot find it in the text either. However, I'm quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide.
All-in-One, Third Edition, pages 136-137.

What is a password that is the same for each log-on session called?

A. one-time password
B. two-time password
C. static password
D. dynamic password

Answer: C. static password

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

Which of the following is NOT a security characteristic we need to consider when choosing a biometric identification system?

A. data acquisition process
B. cost
C. enrollment process
D. speed and user interface

Answer: B. cost

Cost is a factor when considering biometrics, but it is not a security characteristic.

All the other answers are incorrect because they are security characteristics related to biometrics:

The data acquisition process can cause a security concern because if the process is not fast and efficient, it can discourage individuals from using the system.

The enrollment process can cause a security concern because it has to be quick and efficient; this process captures the data used for authentication.

Speed and user interface can cause a security concern because they also affect users' acceptance of biometrics. If users are not comfortable with the interface and speed, they might sabotage the devices or otherwise attempt to circumvent them.

References:
OIG Access Control (Biometrics) (pgs 165-167)
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

A. Limiting the local access of operations personnel
B. Job rotation of operations personnel
C. Management monitoring of audit logs
D. Enforcing regular password changes

Answer: A. Limiting the local access of operations personnel

The question specifically says "within a different function", which eliminates job rotation as a choice.

Management monitoring of audit logs is a detective control and would not prevent collusion.

Changing passwords regularly would not prevent such an attack.

This question validates whether you understand the concepts of separation of duties and least privilege. When operators have only the minimum access level they need to do their duties within the company, they would be forced to collude with someone in a different function to defeat those security mechanisms.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

What is the main objective of proper separation of duties?

A. To prevent employees from disclosing sensitive information.
B. To ensure access controls are in place.
C. To ensure that no single individual can compromise a system.
D. To ensure that audit trails are not tampered with.

Answer: C. To ensure that no single individual can compromise a system.

The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. A proper separation of duties does not prevent employees from disclosing information, nor does it ensure that access controls are in place or that audit trails are not tampered with.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 12: Operations Security (Page 808).

The Orange Book is founded upon which security policy model?

A. The Biba Model
B. The Bell-LaPadula Model
C. Clark-Wilson Model
D. TEMPEST

Answer: B. The Bell-LaPadula Model

From the glossary of Computer Security Basics:

The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving the system is secure. A system state is defined to be 'secure' if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode."

The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other subject that is less trusted than itself.

The Clark-Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary access control, privilege separation, and least privilege.

TEMPEST is a government program that prevents the compromising electrical and electromagnetic signals that emanate from computers and related equipment from being intercepted and deciphered.

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991.
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, December 1985.

When attempting to establish liability, which of the following would be described as performing the ongoing maintenance necessary to keep something in proper working order, updated, effective, or to abide by what is commonly expected in a situation?

A. Due care
B. Due concern
C. Due diligence
D. Due practice

Answer: A. Due care

My friend JD Murray at Techexams.net has a nice definition of both; see his explanation below:

Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly. Here it goes:

Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."

Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."

In summary, due diligence is identifying threats and risks, while due care is acting upon the findings to mitigate those risks.

EXAM TIP: Due diligence refers to the steps taken to identify the risks that exist within the environment. It is based on best practices and standards such as ISO 27001, ISO 17799, and other consensus documents. The first letters of the words Due and Diligence should remind you of this: DD = Do Detect.

In the case of due care, it is the actions you have taken (implementing, designing, enforcing, updating) to reduce the risks identified and keep them at an acceptable level. The same applies here: the first letters of the words Due and Care are DC, which should remind you that DC = Do Correct.

The other answers are only distractors and not valid.

Reference(s) used for this question:
CONRAD, Eric, CISSP Study Guide, Syngress, Page 419
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, Fifth Edition, McGraw-Hill, Pages 49 and 110.
and
Corporate; (ISC)² (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (Kindle Locations 11494-11504). Taylor & Francis. Kindle Edition.
and
My friend JD Murray at Techexams.net

Which of the following phases of a software development life cycle normally addresses Due Care and Due Diligence?

A. Implementation
B. System feasibility
C. Product design
D. Software plans and requirements

Answer: D. Software plans and requirements

The software plans and requirements phase addresses threats, vulnerabilities, security requirements, reasonable care, due diligence, legal liabilities, cost/benefit analysis, the level of protection desired, and test plans.

Implementation is incorrect because it deals with installing security software, running the system, acceptance testing, security software testing, and completing documentation, certification and accreditation (where necessary).

System feasibility is incorrect because it deals with information security policy, standards, legal issues, and the early validation of concepts.

Product design is incorrect because it deals with incorporating security specifications, adjusting test plans and data, determining access controls, design documentation, evaluating encryption options, and verification.

Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 252).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Security Life Cycle Components, Figure 7.5 (page 346).

