Topic 2. Security Operations Administration
Which of the following is not a form of passive attack?
A. Scavenging
B. Data diddling
C. Shoulder surfing
D. Sniffing
Answer: Data diddling
Data diddling involves alteration of existing data and is extremely common. It
is one of the easiest types of crimes to prevent by using access and accounting controls,
supervision, auditing, separation of duties, and authorization limits. It is a form of active
attack. All other choices are examples of passive attacks, only affecting confidentiality.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne,
2002, Chapter 10: Law, Investigation, and Ethics (page 645).
Which of the following computer design approaches is based on the fact that in earlier
technologies, the instruction fetch was the longest part of the cycle?
A. Pipelining
B. Reduced Instruction Set Computers (RISC)
C. Complex Instruction Set Computers (CISC)
D. Scalar processors
Answer: Complex Instruction Set Computers (CISC)
Complex Instruction Set Computer (CISC) uses instructions that perform
many operations per instruction. It was based on the fact that in earlier technologies, the
instruction fetch was the longest part of the cycle. Therefore, by packing more operations
into an instruction, the number of fetches could be reduced. Pipelining involves overlapping
the steps of different instructions to increase the performance in a computer. Reduced
Instruction Set Computers (RISC) involve simpler instructions that require fewer clock
cycles to execute. Scalar processors are processors that execute one instruction at a time.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security
Architectures and Models (page 188).
What can be described as an imaginary line that separates the trusted components of the
TCB from those elements that are NOT trusted?
A. The security kernel
B. The reference monitor
C. The security perimeter
D. The reference perimeter
Answer: The security perimeter
The security perimeter is the imaginary line that separates the trusted
components of the kernel and the Trusted Computing Base (TCB) from those elements that
are not trusted. The reference monitor is an abstract machine that mediates all accesses to
objects by subjects. The security kernel can be software, firmware or hardware
components in a trusted system and is the actual instantiation of the reference monitor.
The reference perimeter is not defined and is a distracter.
Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide,
January 2002.
What is a system that is capable of detecting that a fault has occurred and has the ability
to correct the fault or operate around it called?
A. A fail safe system
B. A fail soft system
C. A fault-tolerant system
D. A failover system
Answer: A fault-tolerant system
A fault-tolerant system is capable of detecting that a fault has occurred and
has the ability to correct the fault or operate around it. In a fail-safe system, program
execution is terminated, and the system is protected from being compromised when a
hardware or software failure occurs and is detected. In a fail-soft system, when a hardware
or software failure occurs and is detected, selected, non-critical processing is terminated.
The term failover refers to switching to a duplicate "hot" backup component in real-time
when a hardware or software failure occurs, enabling processing to continue.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security
Architecture and Models (page 196).
Which of the following is considered the weakest link in a security system?
A. People
B. Software
C. Communications
D. Hardware
Answer: People
The answer: People. The other choices can be strengthened and counted on (for the most
part) to remain consistent if properly protected. People are fallible and unpredictable. Most
security intrusions are caused by employees. People get tired, careless, and greedy. They
are not always reliable and may falter in following defined guidelines and best practices.
Security professionals must install adequate prevention and detection controls and properly
train all system users. Proper hiring and firing practices can eliminate certain risks. Security
awareness training is key to ensuring people are aware of risks and their responsibilities.
The following answers are incorrect:
Software. Although software exploits are a major threat and cause for concern, people are
the weakest point in a security posture. Software can be removed, upgraded or patched to
reduce risk.
Communications. Although many attacks from inside and outside an organization use
communication methods such as the network infrastructure, this is not the weakest point in
a security posture. Communications can be monitored, and devices installed or upgraded, to
reduce risk and react to attack attempts.
Hardware. Hardware components can be a weakness in a security posture, but they are
not the weakest link of the choices provided. Access to hardware can be minimized by
such measures as installing locks and monitoring access in and out of certain areas.
The following references were used to create this question:
Shon Harris AIO v.3 P.19, 107-109
ISC2 OIG 2007, p.51-55
IT security measures should
A. Be complex
B. Be tailored to meet organizational security goals.
C. Make sure that every asset of the organization is well protected.
D. Not be developed in a layered fashion.
Answer: Be tailored to meet organizational security goals.
In general, IT security measures are tailored according to an organization's
unique needs. While numerous factors, such as the overriding mission requirements, and
guidance, are to be considered, the fundamental issue is the protection of the mission or
business from IT security-related, negative impacts. Because IT security needs are not
uniform, system designers and security practitioners should consider the level of trust when
connecting to other external networks and internal sub-domains. Recognizing the
uniqueness of each system allows a layered security strategy to be used - implementing
lower assurance solutions with lower costs to protect less critical systems and higher
assurance solutions only at the most critical areas.
The more complex the mechanism, the more likely it may possess exploitable flaws.
Simple mechanisms tend to have fewer exploitable flaws and require less maintenance.
Further, because configuration management issues are simplified, updating or replacing a
simple mechanism becomes a less intensive process.
Security designs should consider a layered approach to address or protect against a
specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router
in conjunction with an application gateway and an intrusion detection system combine to
increase the work-factor an attacker must expend to successfully attack the system. Adding
good password controls and adequate user training improves the system's security posture
even more.
The need for layered protections is especially important when commercial-off-the-shelf
(COTS) products are used. Practical experience has shown that the current state-of-the-art
for security quality in COTS products does not provide a high degree of protection against
sophisticated attacks. It is possible to help mitigate this situation by placing several controls
in series, requiring additional work by attackers to accomplish their goals.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology
(NIST), NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).
Which of the following describes a computer processing architecture in which a language
compiler or pre-processor breaks program instructions down into basic operations that can
be performed by the processor at the same time?
A. Very-Long Instruction-Word Processor (VLIW)
B. Complex-Instruction-Set-Computer (CISC)
C. Reduced-Instruction-Set-Computer (RISC)
D. Super Scalar Processor Architecture (SCPA)
Answer: Very-Long Instruction-Word Processor (VLIW)
Very long instruction word (VLIW) describes a computer processing architecture in which a
language compiler or pre-processor breaks program instructions down into basic operations
that can be performed by the processor in parallel (that is, at the same time). These
operations are put into a very long instruction word which the processor can then take apart
without further analysis, handing each operation to an appropriate functional unit.
The following answers are incorrect:
The term "CISC" (complex instruction set computer or computing) refers to computers
designed with a full set of computer instructions that were intended to provide needed
capabilities in the most efficient way. Later, it was discovered that, by reducing the full set
to only the most frequently used instructions, the computer would get more work done in a
shorter amount of time for most applications. Intel's Pentium microprocessors are CISC
microprocessors.
The PowerPC microprocessor, used in IBM's RISC System/6000 workstation and
Macintosh computers, is a RISC microprocessor. RISC takes each of the longer, more
complex instructions from a CISC design and reduces it to multiple instructions that are
shorter and faster to process. RISC technology has been a staple of mobile devices for
decades, but it is now finally poised to take on a serious role in data center servers and
server virtualization. The latest RISC processors support virtualization and will change the
way computing resources scale to meet workload demands.
A superscalar CPU architecture implements a form of parallelism called instruction level
parallelism within a single processor. It therefore allows faster CPU throughput than would
otherwise be possible at a given clock rate. A superscalar processor executes more than
one instruction during a clock cycle by simultaneously dispatching multiple instructions to
redundant functional units on the processor. Each functional unit is not a separate CPU
core but an execution resource within a single CPU such as an arithmetic logic unit, a bit
shifter, or a multiplier.
Reference(s) Used for this question:
http://whatis.techtarget.com/definition/0,,sid9_gci214395,00.html
and
http://searchcio-midmarket.techtarget.com/definition/CISC
and
http://en.wikipedia.org/wiki/Superscalar
What can best be defined as high-level statements, beliefs, goals and objectives?
A. Standards
B. Policies
C. Guidelines
D. Procedures
Answer: Policies
Policies are high-level statements, beliefs, goals and objectives and the general means for
their attainment for a specific subject area. Standards are mandatory activities, actions,
rules or regulations designed to provide policies with the support structure and specific
direction they require to be effective. Guidelines are more general statements of how to
achieve the policy's objectives by providing a framework within which to implement
procedures. Procedures spell out the specific steps of how the policy, supporting standards
and guidelines will be implemented.
Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version
1.0, April 1999.
The major objective of system configuration management is which of the following?
A. system maintenance.
B. system stability.
C. system operations.
D. system tracking.
Answer: system stability.
A major objective of Configuration Management is stability. Changes to the system are
controlled so that they don't lead to weaknesses or faults in the system.
The following answers are incorrect:
System maintenance is incorrect because it is not the best answer. Configuration
Management does control changes to the system, but that is not as important as the
overall stability of the system.
System operations is incorrect because it is not the best answer; the overall stability of the
system is much more important.
System tracking is incorrect because, while tracking changes is important, it is not the best
answer. The overall stability of the system is much more important.
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data
hiding". What does this mean?
A. System functions are layered, and none of the functions in a given layer can access
data outside that layer.
B. Auditing processes and their memory addresses cannot be accessed by user processes.
C. Only security processes are allowed to write to ring zero memory.
D. It is a form of strong encryption cipher.
Answer: System functions are layered, and none of the functions in a given layer can
access data outside that layer.
Data hiding is protecting data so that it is only available to higher levels. This is achieved
by layering, where the software in each layer maintains its own global data and does not
directly reference data outside its layer.
The following answers are incorrect:
Auditing processes and their memory addresses cannot be accessed by user processes.
This is incorrect because it does not describe data hiding.
Only security processes are allowed to write to ring zero memory. This is incorrect; the
security kernel would be responsible for this.
It is a form of strong encryption cipher. This is incorrect because it does not conform to the
definition of data hiding.
A channel within a computer system or network that is designed for the authorized transfer
of information is identified as a(n)?
A. Covert channel
B. Overt channel
C. Opened channel
D. Closed channel
Answer: Overt channel
An overt channel is a path within a computer system or network that is designed for the
authorized transfer of data. The opposite would be a covert channel, which is an
unauthorized path. A covert channel is a way for an entity to receive information in an
unauthorized manner. It is an information flow that is not controlled by a security
mechanism. This type of information path was not developed for communication; thus, the
system does not properly protect this path, because the developers never envisioned
information being passed in this way. Receiving information in this manner clearly violates
the system's security policy.
All of the other choices are bogus distractors.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, page 219.
and
Shon Harris, CISSP All In One (AIO), 6th Edition, page 380
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 378).
McGraw-Hill. Kindle Edition.
What can best be defined as the detailed examination and testing of the security features
of an IT system or product to ensure that they work correctly and effectively and do not
show any logical vulnerabilities, such as evaluation criteria?
A. Acceptance testing
B. Evaluation
C. Certification
D. Accreditation
Answer: Evaluation
Evaluation as a general term is described as the process of independently assessing a
system against a standard of comparison, such as evaluation criteria. Evaluation criteria
are defined as a benchmark, standard, or yardstick against which accomplishment,
conformance, performance, and suitability of an individual, hardware, software, product, or
plan, as well as of risk-reward ratio, is measured.
What is computer security evaluation?
Computer security evaluation is the detailed examination and testing of the security
features of an IT system or product to ensure that they work correctly and effectively and
do not show any logical vulnerabilities. The Security Target determines the scope of the
evaluation. It includes a claimed level of Assurance that determines how rigorous the
evaluation is.
Criteria
Criteria are the "standards" against which security evaluation is carried out. They define
several degrees of rigour for the testing and the levels of assurance that each confers.
They also define the formal requirements needed for a product (or system) to meet each
Assurance level.
TCSEC
The US Department of Defense published the first criteria in 1983 as the Trusted Computer
Security Evaluation Criteria (TCSEC), more popularly known as the "Orange Book". The
current issue is dated 1985. The US Federal Criteria were drafted in the early 1990s as a
possible replacement but were never formally adopted.
ITSEC
During the 1980s, the United Kingdom, Germany, France and the Netherlands produced
versions of their own national criteria. These were harmonised and published as the
Information Technology Security Evaluation Criteria (ITSEC). The current issue, Version
1.2, was published by the European Commission in June 1991. In September 1993, it was
followed by the IT Security Evaluation Manual (ITSEM) which specifies the methodology to
be followed when carrying out ITSEC evaluations.
Common Criteria
The Common Criteria represents the outcome of international efforts to align and develop
the existing European and North American criteria. The Common Criteria project
harmonises ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (FC) into the
Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating
products and systems and for stating security requirements in a standardised way.
Increasingly it is replacing national and regional criteria with a worldwide set accepted by
the International Standards Organisation (ISO 15408).
The following answers were not applicable:
Certification is the process of performing a comprehensive analysis of the security features
and safeguards of a system to establish the extent to which the security requirements are
satisfied. Shon Harris states in her book that certification is the comprehensive technical
evaluation of the security components and their compliance for the purpose of
accreditation.
Wikipedia describes it as follows: Certification is a comprehensive evaluation of the
technical and non-technical security controls (safeguards) of an information system to
support the accreditation process that establishes the extent to which a particular design
and implementation meets a set of specified security requirements.
Accreditation is the official management decision to operate a system. Accreditation is the
formal declaration by a senior agency official (Designated Accrediting Authority (DAA) or
Principal Accrediting Authority (PAA)) that an information system is approved to operate at
an acceptable level of risk, based on the implementation of an approved set of technical,
managerial, and procedural security controls (safeguards).
Acceptance testing refers to user testing of a system before accepting delivery.
Reference(s) used for this question:
HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January
2002.
and
https://en.wikipedia.org/wiki/Certification_and_Accreditation
and
http://www.businessdictionary.com/definition/evaluation-criteria.html
and
http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/secevalcriteria.shtml