- (Topic 1)
An alternative to using passwords for authentication in logical or technical access control is:

1. A. manage without passwords
2. B. biometrics
3. C. not there
4. D. use of them for physical access control

Correct Answer: B
An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism-something you are.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.

- (Topic 2)
Which of the following are NOT a countermeasure to traffic analysis?

1. A. Padding messages.
2. B. Eavesdropping.
3. C. Sending noise.
4. D. Faraday Cage

Correct Answer: B
Eavesdropping is not a countermeasure, it is a type of attack where you are collecting traffic and attempting to see what is being send between entities communicating with each other.
The following answers are incorrect:
Padding Messages. Is incorrect because it is considered a countermeasure you make messages uniform size, padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover patterns.
Sending Noise. Is incorrect because it is considered a countermeasure, tansmitting non- informational data elements to disguise real data.
Faraday Cage Is incorrect because it is a tool used to prevent emanation of electromagnetic waves. It is a very effective tool to prevent traffic analysis.

- (Topic 6)
Which of the following standards is concerned with message handling?

1. A. X.400
2. B. X.500
3. C. X.509
4. D. X.800

Correct Answer: A
X.400 is used in e-mail as a message handling protocol. X.500 is used in directory services. X.509 is used in digital certificates and X.800 is used a network security standard.
Reference: http://www.alvestrand.no/x400/.

- (Topic 4)
What can be described as a measure of the magnitude of loss or impact on the value of an asset?

1. A. Probability
2. B. Exposure factor
3. C. Vulnerability
4. D. Threat

Correct Answer: B
The exposure factor is a measure of the magnitude of loss or impact on the value of an asset.
The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.
A vulnerability is the absence or weakness of a risk-reducing safeguard.
A threat is event, the occurrence of which could have an undesired impact.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.

- (Topic 6)
All following observations about IPSec are correct except:

1. A. Default Hashing protocols are HMAC-MD5 or HMAC-SHA-1
2. B. Default Encryption protocol is Cipher Block Chaining mode DES, but other algorithms like ECC (Elliptic curve cryptosystem) can be used
3. C. Support two communication modes - Tunnel mode and Transport mode
4. D. Works only with Secret Key Cryptography

Correct Answer: D
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.