SSCP Practice Test Questions

1048 Questions


Topic 1: Access Control

What is a common problem when using vibration detection devices for perimeter control?


A.

They are vulnerable to non-adversarial disturbances.




B.

They can be defeated by electronic means.


C.

Signal amplitude is affected by weather conditions.


D.

They must be buried below the frost line.





A.
  

They are vulnerable to non-adversarial disturbances.





Vibration sensors are similar and are also implemented to detect forced
entry. Financial institutions may choose to implement these types of sensors on exterior
walls, where bank robbers may attempt to drive a vehicle through. They are also commonly
used around the ceiling and flooring of vaults to detect someone trying to make an
unauthorized bank withdrawal. Such sensors are prone to false positives: a large truck with
heavy equipment driving by may trigger the sensor, and so may a storm with thunder and
lightning, even though there is no adversarial threat or disturbance. In practice an alarm from
a vibration sensor is therefore usually verified by a second source (a guard, CCTV, or a
different sensor type) before a response is dispatched, so that nuisance alarms do not
desensitize the operators.
All of the other choices are incorrect.
Reference used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (pp. 495-496).
McGraw-Hill. Kindle Edition.

What kind of certificate is used to validate a user identity?


A.

Public key certificate




B.

Attribute certificate


C.

Root certificate


D.

Code signing certificate





A.
  

Public key certificate





In cryptography, a public key certificate (or identity certificate) is an electronic
document which incorporates a digital signature to bind together a public key with an
identity: information such as the name of a person or an organization, their address, and
so forth. The certificate can be used to verify that a public key belongs to an individual.
Note that the certificate only asserts the binding; authenticating the user still requires proof
of possession of the matching private key, for example by signing a challenge sent by the
verifier.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate
authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed
certificate) or other users ("endorsements"). In either case, the signatures on a certificate
are attestations by the certificate signer that the identity information and the public key
belong together.
In computer security, an authorization certificate (also known as an attribute certificate) is a
digital document that describes a written permission from the issuer to use a service or a
resource that the issuer controls or has access to use. The permission can be delegated.
Some people constantly confuse PKCs and ACs. An analogy may make the distinction
clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last
for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is
typically issued by a different authority and does not last for as long a time. As acquiring an
entry visa typically requires presenting a passport, getting a visa can be a simpler process.
The remaining choices are also wrong for this question: a root certificate is a CA's own
self-signed certificate used as a trust anchor, and a code signing certificate binds a key to a
software publisher so that code can be signed; neither is what validates an end user's identity.
A real life example of this can be found in the mobile software deployments by large service
providers and is typically applied to platforms such as Microsoft Smartphone (and
related), Symbian OS, J2ME, and others.
In each of these systems a mobile communications service provider may customize the
mobile terminal client distribution (i.e. the mobile phone operating system or application
environment) to include one or more root certificates each associated with a set of
capabilities or permissions such as "update firmware", "access address book", "use radio
interface", and the most basic one, "install and execute". When a developer wishes to
enable distribution and execution in one of these controlled environments they must
acquire a certificate from an appropriate CA, typically a large commercial CA, and in the
process they usually have their identity verified using out-of-band mechanisms such as a
combination of phone call, validation of their legal entity through government and
commercial databases, etc., similar to the high assurance SSL certificate vetting process,
though often there are additional specific requirements imposed on would-be
developers/publishers.
Once the identity has been validated they are issued an identity certificate they can use to
sign their software; generally the software signed by the developer or publisher's identity
certificate is not distributed but rather it is submitted to a processor to possibly test or profile
the content before generating an authorization certificate which is unique to the particular
software release. That certificate is then used with an ephemeral asymmetric key-pair to
sign the software as the last step of preparation for distribution. There are many
advantages to separating the identity and authorization certificates, especially relating to
risk mitigation of new content being accepted into the system and key management, as well
as recovery from errant software which can be used as an attack vector.
References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne,
page 540.
http://en.wikipedia.org/wiki/Attribute_certificate
http://en.wikipedia.org/wiki/Public_key_certificate

Which security model uses division of operations into different parts and requires different
users to perform each part?


A.

Bell-LaPadula model




B.

Biba model


C.

Clark-Wilson model


D.

Non-interference model





C.
  

Clark-Wilson model



The Clark-Wilson model uses separation of duties, which divides an
operation into different parts and requires different users to perform each part. This
prevents authorized users from making unauthorized modifications to data, thereby
protecting its integrity.
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an
integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing corruption of data items in a system due to
either error or malicious intent. An integrity policy describes how the data items in the
system should be kept valid from one state of the system to the next and specifies the
capabilities of various principals in the system. The model defines enforcement rules and
certification rules.
The model's enforcement and certification rules define data items and processes that
provide the basis for an integrity policy. The core of the model is based on the notion of a
transaction.
A well-formed transaction is a series of operations that transition a system from one
consistent state to another consistent state.
In this model the integrity policy addresses the integrity of the transactions.
The principle of separation of duty requires that the certifier of a transaction and the
implementer be different entities.
The model contains a number of basic constructs that represent both data items and
processes that operate on those data items. The key data type in the Clark-Wilson model is
a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all
CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy
are represented by Transformation Procedures (TPs). A TP takes as input a CDI or
Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from
one valid state to another valid state. UDIs represent system input (such as that provided
by a user or adversary). A TP must guarantee (via certification) that it transforms all
possible values of a UDI to a "safe" CDI.
In general, preservation of data integrity has three goals:
Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real world)
Clark-Wilson addresses all three goals, but Biba addresses only the first.
The other choices are incorrect: Bell-LaPadula is a confidentiality model (no read up, no
write down); Biba is an integrity model based on integrity levels rather than on dividing an
operation among several users; and the non-interference model is concerned with whether
actions at a higher security level can affect what a lower level observes.
References:
HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter
5: Security Architecture and Design (Page 341-344).
and
http://en.wikipedia.org/wiki/Clark-Wilson_model
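
The certification and enforcement rules above can be made concrete with a small reference
monitor. The following is an added example written for this page; it is not code from Clark and
Wilson's paper or from the cited books. The account/ledger CDIs, the TP names, the user names
and the scenario in demo() are all constructed for illustration:

```python
import copy
from dataclasses import dataclass, field


class IntegrityViolation(Exception):
    """Raised when a certification or enforcement rule would be broken."""


@dataclass
class State:
    """The CDIs of the toy system: account balances plus a ledger total
    that must always equal the sum of the balances (constructed example)."""
    accounts: dict = field(default_factory=dict)
    ledger_total: int = 0


def ivp(state):
    """Integrity Verification Procedure: true only when every CDI is valid,
    i.e. no balance is negative and the ledger total is consistent."""
    return (all(b >= 0 for b in state.accounts.values())
            and state.ledger_total == sum(state.accounts.values()))


def tp_deposit(state, account, raw_amount):
    """A well-formed transaction. raw_amount is a UDI (untrusted input); the
    TP must turn it into a safe CDI or reject it (certification rule C5)."""
    if not (isinstance(raw_amount, str) and raw_amount.isdigit()):
        raise IntegrityViolation("UDI rejected: amount must be a decimal string")
    amount = int(raw_amount)
    state.accounts[account] = state.accounts.get(account, 0) + amount
    state.ledger_total += amount          # keeps the IVP invariant


def tp_buggy_withdraw(state, account, raw_amount):
    """A TP with a defect: it changes a balance but not the ledger total, so it
    would leave the system in an invalid state. Used to show the rollback."""
    state.accounts[account] -= int(raw_amount)


class ClarkWilsonMonitor:
    """Reference monitor that applies the model's rules around TP execution."""

    def __init__(self):
        self.tps = {}          # TP name -> (function, who certified it)
        self.triples = set()   # (user, TP name): the access triples of rule E2
        self.audit = []        # rule C4: every TP execution is logged

    def certify(self, name, fn, certifier):
        # C1/C2: a TP is certified (here: registered) by a named certifier.
        self.tps[name] = (fn, certifier)

    def grant(self, user, name):
        # C3: separation of duty - whoever certified a TP may not also run it.
        if self.tps[name][1] == user:
            raise IntegrityViolation(f"{user} certified {name} and may not execute it")
        self.triples.add((user, name))

    def run(self, user, name, state, *udis):
        # E1: CDIs may only be changed by certified TPs.
        if name not in self.tps:
            raise IntegrityViolation(f"{name} is not a certified TP")
        # E2/E3: the (already authenticated) user needs a triple for this TP.
        if (user, name) not in self.triples:
            raise IntegrityViolation(f"{user} is not authorized to run {name}")
        if not ivp(state):
            raise IntegrityViolation("system is not in a valid state before the TP")
        fn, _ = self.tps[name]
        trial = copy.deepcopy(state)      # the TP works on a copy of the CDIs
        fn(trial, *udis)
        if not ivp(trial):                # valid state -> valid state, or nothing
            self.audit.append((user, name, "rolled back"))
            raise IntegrityViolation(f"{name} would leave the system invalid")
        state.accounts, state.ledger_total = trial.accounts, trial.ledger_total
        self.audit.append((user, name, "ok"))
        return state


def demo():
    """Constructed scenario: returns the final state, the outcome of three
    attempts the monitor must refuse, and the audit trail."""
    mon = ClarkWilsonMonitor()
    mon.certify("deposit", tp_deposit, certifier="alice")
    mon.certify("withdraw", tp_buggy_withdraw, certifier="alice")
    mon.grant("bob", "deposit")
    mon.grant("bob", "withdraw")
    state = State()
    mon.run("bob", "deposit", state, "acct-1", "100")
    attempts = [("alice", "deposit", ("acct-1", "5")),        # certifier executing
                ("bob", "deposit", ("acct-1", "5;DROP")),     # malformed UDI
                ("bob", "withdraw", ("acct-1", "30"))]        # buggy TP
    outcomes = []
    for user, tp, args in attempts:
        try:
            mon.run(user, tp, state, *args)
            outcomes.append("ok")
        except IntegrityViolation as exc:
            outcomes.append(str(exc))
    return state, outcomes, mon.audit


if __name__ == "__main__":
    final_state, outcomes, audit = demo()
    print(final_state, outcomes, audit, sep="\n")
```

The point of working on a copy and re-running the IVP is that a TP which is certified incorrectly
(the buggy withdraw) can still not corrupt the CDIs; the separation-of-duty check in grant() is
what answers the question, since the person who certified a transaction cannot be the one who
executes it.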

Which of the following is NOT a technique used to perform a penetration test?


A.

 traffic padding




B.

scanning and probing


C.

 war dialing


D.

sniffing





A.
  

 traffic padding





Traffic padding is a countermeasure to traffic analysis, not a technique for performing a
penetration test.
Even if perfect cryptographic routines are used, the attacker can gain knowledge of the
amount of traffic that was generated. The attacker might not know what Alice and Bob were
talking about, but can know that they were talking and how much they talked. In certain
circumstances this can be very bad. Consider for example when a military is organising a
secret attack against another nation: it may suffice to alert the other nation for them to know
merely that there is a lot of secret activity going on.
As another example, when encrypting Voice over IP streams that use variable bit rate
encoding, the number of bits per unit of time is not obscured, and this can be exploited to
guess spoken phrases.
Padding messages is a way to make it harder to do traffic analysis. Normally, a number of
random bits are appended to the end of the message with an indication at the end of how
much random data there is. The padding length should have a minimum value of 0, a maximum
of N and an even distribution between the two extremes. Note that raising the minimum above 0
does not help, only increasing N helps, though that also means that a lower percentage of
the channel will be used to transmit real data. Also note that, since the cryptographic
routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it
does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a
sporadic manner.
The other answers are all techniques used to do penetration testing: scanning and probing
enumerate hosts and services, war dialing searches ranges of telephone numbers for modems,
and sniffing captures network traffic.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, pages 233, 238.
and
https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis
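
The padding scheme described above, as an added example written for this page (it is not
code from the cited references). The trailer format, the sample messages and the parameters
in demo() are constructed for illustration; the encryption step that would normally wrap the
padded plaintext is left out so that the length arithmetic stands alone:

```python
import os
import secrets

TRAILER = 2   # bytes used to record the pad length (constructed format)


def pad(message, max_pad, min_pad=0):
    """Append a uniformly random number (min_pad..max_pad) of random bytes,
    then a 2-byte big-endian trailer saying how many were added. This is
    applied to the plaintext before encryption, so an observer of the
    ciphertext sees only the total length."""
    n = min_pad + secrets.randbelow(max_pad - min_pad + 1)
    return message + os.urandom(n) + n.to_bytes(TRAILER, "big")


def unpad(padded):
    """Inverse of pad(); rejects a trailer that points outside the buffer."""
    if len(padded) < TRAILER:
        raise ValueError("too short to carry a padding trailer")
    n = int.from_bytes(padded[-TRAILER:], "big")
    if n + TRAILER > len(padded):
        raise ValueError("corrupt padding trailer")
    return padded[:len(padded) - TRAILER - n]


def length_range(msg_len, max_pad, min_pad=0):
    """Set of on-the-wire lengths a message of msg_len bytes can produce."""
    return set(range(msg_len + TRAILER + min_pad, msg_len + TRAILER + max_pad + 1))


def indistinguishable_lengths(len_a, len_b, max_pad, min_pad=0):
    """Wire lengths that could have come from either message. If this set is
    empty, the observer can always tell the two messages apart by size."""
    return length_range(len_a, max_pad, min_pad) & length_range(len_b, max_pad, min_pad)


def min_pad_to_cover(len_a, len_b):
    """Smallest N for which the two messages can ever collide on the wire;
    with a smaller N the length alone still reveals which one was sent."""
    return abs(len_a - len_b)


def demo():
    short, long_ = b"ok", b"attack at dawn"   # constructed sample messages
    a, b = len(short), len(long_)
    return {
        "roundtrip": unpad(pad(long_, 20)) == long_,
        "overlap_n20": sorted(indistinguishable_lengths(a, b, 20)),
        "overlap_n5": sorted(indistinguishable_lengths(a, b, 5)),
        "overlap_min5_n20": sorted(indistinguishable_lengths(a, b, 20, min_pad=5)),
        "min_pad": min_pad_to_cover(a, b),
    }


if __name__ == "__main__":
    print(demo())
```

Two of the text's claims show up directly in the numbers: with N = 5 the two sample messages
never overlap in length, so padding buys nothing, and raising the minimum from 0 to 5 while
keeping N = 20 shrinks the overlap from nine lengths to four, because it narrows the spread of
each message rather than widening it.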

Which type of password token involves time synchronization?





A.

Static password tokens


B.

Synchronous dynamic password tokens


C.

Asynchronous dynamic password tokens


D.

Challenge-response tokens





B.
  

Synchronous dynamic password tokens



Synchronous dynamic password tokens generate a new unique password
value at fixed time intervals, so the server and token need to be synchronized for the
password to be accepted. Because the token's clock drifts over time, the server normally
accepts the value for a small window of adjacent intervals and records any offset it detects.
Asynchronous dynamic password tokens instead compute the value from a challenge the
server sends, so no shared clock is needed.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 37).
Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, chapter 4: Access Control (page 136).
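
How a time-synchronized token and its server arrive at the same value, as an added example
written for this page rather than code from the cited books. It uses the HMAC-based one-time
password construction of RFC 4226 with the counter derived from the clock as in RFC 6238;
the secret is the RFC test-vector key, and the clock values and skew window in demo() are
constructed for illustration:

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226 dynamic truncation) over a
    64-bit counter. A time-synchronized token derives the counter from the
    clock; a challenge-response token would derive it from the challenge."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_display(secret, token_clock, step=30):
    """What the token shows: a code that changes every `step` seconds."""
    return hotp(secret, token_clock // step)


def server_verify(secret, submitted, server_clock, step=30, skew=1):
    """Accept the code for the current interval and +-skew neighbouring ones
    to tolerate a little clock drift; anything further out is rejected."""
    current = server_clock // step
    return any(hmac.compare_digest(hotp(secret, current + d), submitted)
               for d in range(-skew, skew + 1))


def demo():
    secret = b"12345678901234567890"   # RFC 4226/6238 test-vector secret
    code = token_display(secret, token_clock=59)      # token's clock says 59 s
    return {
        "code_at_59s": code,
        "in_sync": server_verify(secret, code, server_clock=70),     # same interval
        "slight_drift": server_verify(secret, code, server_clock=89), # one interval late
        "large_drift": server_verify(secret, code, server_clock=150), # four intervals late
    }


if __name__ == "__main__":
    print(demo())
```

The skew window is the practical compromise the text implies: too small and honest users with
a drifting token are locked out, too large and a captured code stays replayable for longer.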

What is Kerberos?





A.

 A three-headed dog from Egyptian mythology.


B.

A trusted third-party authentication protocol.


C.

A security model.


D.

A remote authentication dial in user server.





B.
  

A trusted third-party authentication protocol.



This is correct because that is exactly what Kerberos is: a trusted third party, the Key
Distribution Center (KDC), authenticates principals and issues tickets they use to prove their
identity to services.
The following answers are incorrect:
A three-headed dog from Egyptian mythology. Is incorrect because, although the name comes
from Cerberus, the three-headed dog that guards the underworld, that is Greek mythology, not
Egyptian, and in information security the term refers to the authentication protocol named
after it.
A security model. Is incorrect because Kerberos is an authentication protocol and not a
security model.
A remote authentication dial in user server. Is incorrect because Kerberos is not a remote
authentication dial-in user server; that would be RADIUS.

How can an individual/person best be identified or authenticated to prevent local
masquerading attacks?


A.

 UserId and password



B.

Smart card and PIN code


C.

Two-factor authentication


D.

Biometrics





D.
  

Biometrics



The only way to be truly positive in authenticating identity for access is to
base the authentication on the physical attributes of the persons themselves (i.e., biometric
identification). Physical attributes cannot be shared, borrowed, or lost the way a credential
can. They ensure that you do identify the person; however, they are not perfect (biometric
matching is probabilistic and some traits can be spoofed), and they would have to be
supplemented by another factor.
Some people are getting thrown off by the term masquerade. In general, a masquerade is
a disguise. In terms of communications security issues, a masquerade is a type of attack
where the attacker pretends to be an authorized user of a system in order to gain access to
it or to gain greater privileges than they are authorized for. A masquerade may be attempted
through the use of stolen logon IDs and passwords, through finding security
gaps in programs, or through bypassing the authentication mechanism. Spoofing is another
term used to describe this type of attack as well.
A UserId only provides for identification.
A password is a weak authentication mechanism since passwords can be disclosed,
shared, written down, and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder.
A smart card can be borrowed by a friend of yours and you would have no clue as to who is
really logging in using that smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a
biometric system to identify the person.
Biometric identifying verification systems control people. If the person with the correct
hand, eye, face, signature, or voice is not present, the identification and verification cannot
take place and the desired action (i.e., portal passage, data, or resource access) does not
occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully
use access cards, even those that require the addition of a PIN. This is because these
systems control only pieces of plastic (and sometimes information), rather than people.
Real asset and resource protection can only be accomplished by people, not cards and
information, because unauthorized persons can (and do) obtain the cards and information.
Further, life-cycle costs are significantly reduced because no card or PIN administration
system or personnel are required. The authorized person does not lose physical
characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are
continuously lost, stolen, or forgotten. This is why card access systems require systems
and people to administer, control, record, and issue (new) cards and PINs. Moreover, the
cards are an expensive and recurring cost.
NOTE FROM CLEMENT:
This question has been generating lots of interest. The keyword in the question is:
Individual (the person) and also the authenticated portion as well.
I totally agree with you that Two-Factor or Strong Authentication would be the strongest
means of authentication. However the question is not asking what is the strongest means of
authentication, it is asking what is the best way to identify the user (individual) behind the
technology. When answering questions do not make assumptions about facts not presented
in the question or answers.
Nothing can beat Biometrics in such a case. You cannot lend your fingerprint and PIN to
someone else, you cannot borrow one of my eyeballs to defeat the Iris or Retina scan.
This is why it is the best method to authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have
improved the question to make it a lot clearer and I have also improved the explanations
attached to the question.
The reference mentioned above refers to authenticating the identity for access. So the
distinction is being made that there is identity and there is authentication. In the case of
physical security the enrollment process is where the identity of the user would be validated
and then the biometric features provided by the user would authenticate the user on a one
to one matching basis (for authentication) with the reference contained in the database of
biometric templates. In the case of system access, the user might have to provide a
username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.
Biometrics can also be used for identification purposes where you do a one to many match.
You take a facial scan of someone within an airport and you attempt to match it with a large
database of known criminals and terrorists. This is how you could use biometrics for
identification.
There are always THREE means of authentication, they are:
Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th
edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 7).
and
Search Security at http://searchsecurity.techtarget.com/definition/masquerade

In biometrics, the "one-to-one" search used to verify claim to an identity made by a person
is considered:


A.

Authentication





B.

 Identification


C.

Auditing


D.

Authorization





A.
  

Authentication






Biometric devices can be used for either IDENTIFICATION or AUTHENTICATION.
ONE TO ONE is for AUTHENTICATION
This means that you as a user claim an identity and provide a biometric credential such as
your fingerprint. The system then compares the sample you have provided with the single
template stored in the database for that claimed identity. Biometric comparisons are scored
rather than tested for exact equality; if the match score is within the configured threshold,
that proves that you are who you claim to be. The threshold is a trade-off between false
rejections (legitimate users turned away) and false acceptances (impostors let in).
ONE TO MANY is for IDENTIFICATION
A good example of this would be within an airport. Many airports today have facial recognition
cameras; as you walk through the airport it will take a picture of your face and then
compare the template (your face) with a database full of templates and see if there is a
match between your template and the ones stored in the database. This is for IDENTIFICATION
of a person, and the chance of a false match grows with the number of templates searched.
Some additional clarification or comments that might be helpful are: Biometrics establish
authentication using specific information and comparing results to expected data. It does
not perform well for identification purposes such as scanning for a person's face in a
moving crowd, for example.
Identification methods could include: username, user ID, account number, PIN, certificate,
token, smart card, biometric device or badge.
Auditing is a process of logging or tracking what was done after the identity and
authentication process is completed.
Authorization is the rights the subject is given and is performed after the identity is
established.
Reference: OIG (2007) p148, 167
Authentication in biometrics is a "one-to-one" search to verify a claim to an identity made by
a person.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
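
The difference between a one-to-one and a one-to-many search, as an added example written
for this page (not code from the cited references). Real biometric matchers are far more
involved; here a template is a 512-bit string compared by Hamming distance against a
threshold, which is how binary iris codes are scored. The enrolled names, the sensor-noise
model and the threshold are constructed assumptions:

```python
import random

TEMPLATE_BYTES = 64     # 512-bit binary templates, in the style of an iris code


def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


def verify(db, claimed_id, sample, threshold=0.30):
    """One-to-one (authentication): compare the live sample only with the
    template enrolled for the identity the person claims."""
    template = db.get(claimed_id)
    return template is not None and hamming_fraction(template, sample) <= threshold


def identify(db, sample, threshold=0.30):
    """One-to-many (identification): search every enrolled template and
    return the closest identity if it clears the threshold, else None.
    Every extra template is one more chance of a false match."""
    ident, template = min(db.items(), key=lambda kv: hamming_fraction(kv[1], sample))
    return ident if hamming_fraction(template, sample) <= threshold else None


def enroll(names, rng):
    """Constructed enrollment database: one random template per person."""
    return {n: bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES)) for n in names}


def live_sample(template, flip_fraction, rng):
    """Simulate a fresh capture of the same trait with sensor noise, modelled
    as a fixed fraction of the bits flipped at random positions."""
    bits = 8 * len(template)
    out = bytearray(template)
    for pos in rng.sample(range(bits), round(flip_fraction * bits)):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def demo(seed=7):
    """Constructed scenario: Alice presents a noisy reading of her own trait."""
    rng = random.Random(seed)
    db = enroll(["alice", "bob", "carol"], rng)
    sample = live_sample(db["alice"], 0.10, rng)
    return {
        "verify_as_alice": verify(db, "alice", sample),    # claim matches sample
        "verify_as_bob": verify(db, "bob", sample),        # masquerade attempt
        "identified_as": identify(db, sample),             # no claim: search all
        "stranger": identify(db, enroll(["x"], rng)["x"]),  # unenrolled person
    }


if __name__ == "__main__":
    print(demo())
```

Two unrelated random templates differ in about half of their bits, while a noisy re-capture of
the same template differs in only a tenth, so a 0.30 threshold separates them cleanly here;
in a real system the threshold is set from measured false-accept and false-reject rates.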

Physical security is accomplished through proper facility construction, fire and water
protection, anti-theft mechanisms, intrusion detection systems, and security procedures
that are adhered to and enforced. Which of the following is not a component that achieves
this type of security?


A.

Administrative control mechanisms




B.

 Integrity control mechanisms


C.

Technical control mechanisms


D.

Physical control mechanisms





B.
  

 Integrity control mechanisms



Integrity control mechanisms are not part of physical security. The other three choices
(administrative, technical and physical control mechanisms) are the control categories through
which physical security is achieved; integrity control mechanisms are not one of them. Below
you have more details extracted from the SearchSecurity web site:
Information security depends on the security and management of the physical space in
which computer systems operate. Domain 9 of the CISSP exam's Common Body of
Knowledge addresses the challenges of securing the physical space, its systems and the
people who work within it by use of administrative, technical and physical controls. The
following topics are covered:
Facilities management: The administrative processes that govern the maintenance and
protection of the physical operations space, from site selection through emergency
response.
Risks, issues and protection strategies: Risk identification and the selection of security
protection components.
Perimeter security: Typical physical protection controls.
Facilities management
Facilities management is a complex component of corporate security that ranges from the
planning of a secure physical site to the management of the physical information system
environment. Facilities management responsibilities include site selection and physical
security planning (i.e. facility construction, design and layout, fire and water damage
protection, antitheft mechanisms, intrusion detection and security procedures.) Protections
must extend to both people and assets. The necessary level of protection depends on the
value of the assets and data. CISSP candidates must learn the concept of critical-path
analysis as a means of determining a component's business function criticality relative to
the cost of operation and replacement. Furthermore, students need to gain an
understanding of the optimal location and physical attributes of a secure facility. Among the
topics covered in this domain are site inspection, location, accessibility and
obscurity, considering the area crime rate, and the likelihood of natural hazards such as
floods or earthquakes.
This domain also covers the quality of construction material, such as its protective qualities
and load capabilities, as well as how to lay out the structure to minimize risk of forcible
entry and accidental damage. Regulatory compliance is also touched on, as is preferred
proximity to civil protection services, such as fire and police stations. Attention is given to
computer and equipment rooms, including their location, configuration (entrance/egress
requirements) and their proximity to wiring distribution centers at the site.
Physical risks, issues and protection strategies
An overview of physical security risks includes risk of theft, service interruption, physical
damage, compromised system integrity and unauthorized disclosure of information.
Interruptions to business can manifest due to loss of power, services, telecommunications
connectivity and water supply. These can also seriously compromise electronic security
monitoring alarm/response devices. Backup options are also covered in this domain, as is
a strategy for quantifying the risk exposure by simple formula.
Investment in preventive security can be costly. Appropriate redundancy of people skills,
systems and infrastructure must be based on the criticality of the data and assets to be
preserved. Therefore a strategy is presented that helps determine the selection of cost
appropriate controls. Among the topics covered in this domain are regulatory
and legal requirements, common standard security protections such as locks and fences,
and the importance of establishing service level agreements for maintenance and disaster
support. Rounding out the optimization approach are simple calculations for determining
mean time between failure and mean time to repair (used to estimate average equipment
life expectancy), essential for estimating the cost/benefit of purchasing and maintaining
redundant equipment.
As the lifeblood of computer systems, special attention is placed on adequacy, quality and
protection of power supplies. CISSP candidates need to understand power supply
concepts and terminology, including those for quality (i.e. transient noise vs. clean power);
types of interference (EMI and RFI); and types of interruptions such as power excess by
spikes and surges, power loss by fault or blackout, and power degradation from sags and
brownouts. A simple formula is presented for determining the total cost per hour for backup
power. Proving power reliability through testing is recommended and the advantages of
three power protection approaches are discussed (standby UPS, power line conditioners
and backup sources) including minimum requirements for primary and alternate power
provided.
Environmental controls are explored in this domain, including the value of positive pressure
water drains and climate monitoring devices used to control temperature, humidity and
reduce static electricity. Optimal temperatures and humidity settings are provided.
Recommendations include strict procedures during emergencies, preventing typical risks
(such as blocked fans), and the use of antistatic armbands and hygrometers. Positive
pressurization for proper ventilation and monitoring for airborne contaminants is stressed.
The pros and cons of several detection response systems are deeply explored in this
domain. The concept of combustion, the classes of fire and fire extinguisher ratings are
detailed. Mechanisms behind smoke-activated, heat-activated and flame-activated devices
and automatic dial-up alarms are covered, along with their advantages, costs and
shortcomings. Types of fire sources are distinguished and the effectiveness of fire
suppression methods for each is included. For instance, Halon and its approved
replacements are covered, as are the advantages and the inherent risks to equipment of
the use of water sprinklers.
Administrative controls
The physical security domain also deals with administrative controls applied to physical
sites and assets. The need for skilled personnel, knowledge sharing between them,
separation of duties, and appropriate oversight in the care and maintenance of equipment
and environments is stressed. A list of management duties including hiring checks,
employee maintenance activities and recommended termination procedures is offered.
Emergency measures include accountability for evacuation and system shutdown
procedures, integration with disaster and business continuity plans, assuring documented
procedures are easily available during different types of emergencies, the scheduling of
periodic equipment testing, administrative reviews of documentation, procedures and
recovery plans, responsibilities delegation, and personnel training and drills.
Perimeter security
Domain nine also covers the devices and techniques used to control access to a space.
These include access control devices, surveillance monitoring, intrusion detection and
corrective actions. Specifications are provided for optimal external boundary protection,
including fence heights and placement, and lighting placement and types. Selection of door
types and lock characteristics are covered. Surveillance methods and intrusion-detection
methods are explained, including the use of video monitoring, guards, dogs, proximity
detection systems, photoelectric/photometric systems, wave pattern devices, passive
infrared systems, and sound and motion detectors, and current flow sensitivity devices that
specifically address computer theft. Room lock types, both preset and cipher locks (and
their variations), device locks, such as portable laptop locks, lockable server bays, switch
control locks and slot locks, port controls, peripheral switch controls and cable trap locks
are also covered. Personal access control methods used to identify authorized users for
site entry are covered at length, noting social engineering risks such as piggybacking.
Wireless proximity devices, both user access and system sensing readers are covered (i.e.
transponder based, passive devices and field powered devices) in this domain.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2001, Page 280.

Which of the following is addressed by Kerberos?





A.

 Confidentiality and Integrity


B.

Authentication and Availability


C.

Validation and Integrity


D.

Auditability and Integrity





A.
  

 Confidentiality and Integrity



Kerberos addresses the confidentiality and integrity of information: the session keys it
distributes are used to encrypt and integrity-protect the traffic between a client and a service.
Its primary purpose is authentication, but it does not directly address availability; the Key
Distribution Center is in fact a single point of failure unless it is replicated.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 42.
and
https://www.ietf.org/rfc/rfc4120.txt
and
http://learn-networking.com/network-security/how-kerberos-authentication-works

A confidential number used as an authentication factor to verify a user's identity is called a:




A.

PIN


B.

User ID


C.


Password


D.

Challenge





A.
  

PIN



PIN stands for Personal Identification Number; as the name states, it is a
combination of digits that the user keeps confidential and presents as a something-you-know
factor.
The following answers are incorrect:
User ID. This is incorrect because a user ID is not required to be a number, and a user ID is
only used to establish identity, not to verify it.
Password. This is incorrect because a password is not required to be a number; it could be
any combination of characters.
Challenge. This is incorrect because a challenge is not defined as a number; it could be
anything, and it is sent by the system to the user rather than being a secret the user holds.

How should a doorway of a manned facility with automatic locks be configured?


A.

 It should be configured to be fail-secure.



B.

It should be configured to be fail-safe


C.

It should have a door delay cipher lock.


D.

It should not allow piggybacking





B.
  

It should be configured to be fail-safe



Access controls are meant to protect facilities and computers as well as
people.
In some situations, the objectives of physical access controls and the protection of people's
lives may come into conflict. In these situations, a person's life always takes precedence.
Many physical security controls make entry into and out of a facility hard, if not impossible.
However, special consideration needs to be taken when this could affect lives. In an
information processing facility, different types of locks can be used and piggybacking
should be prevented, but the issue here with automatic locks is that they can either be
configured as fail-safe or fail-secure.
Since there should only be one access door to an information processing facility, the
automatic lock on the only door to a manned room must be configured to allow people
out in case of emergency, hence to be fail-safe (sometimes called fail-open), meaning that
upon fire alarm activation or electric power failure, the locking device unlocks. This is
because the solenoid that holds the lock in its locked state needs power; when power is
lost the solenoid releases and the electronic lock opens. Because a fail-safe door stands
unlocked during an outage, it should be monitored (alarmed or watched by the guard) so
that the loss of locking does not go unnoticed.
Fail-secure works just the other way. The lock device is in a locked or secure state with no
power applied, and a solenoid is energized to release it upon authorized entry. With a
fail-secure lock, loss of power or fire alarm activation causes the lock to remain in a secure
mode; such locks are used where free egress is provided by other means, for example a
mechanical panic bar on the inside of the door.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 451). McGraw-
Hill. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 20249-20251). Auerbach Publications. Kindle
Edition.

