5.8.1: Quiz Biometric (Doshi) Flashcards Preview

Flashcards in 5.8.1: Quiz Biometric (Doshi) Deck (15)
1
Q

An organization is considering implementing a biometric access control for one of its critical systems. Among the biometrics listed below, which has the highest reliability and lowest false-acceptance rate (FAR)?

A. Fingerprints
B. Retina Scan
C. Face recognition
D. Voice recognition

A

B. Retina Scan

In any given scenario, ‘Retina Scan’ has the highest reliability and lowest false-acceptance rate (FAR) among the current biometric methods. A retinal scan is a biometric technique that uses the unique pattern of blood vessels on a person’s retina. Because this pattern is unique and unchanging, the retina is regarded as the most precise and reliable biometric, aside from DNA. The National Center for State Courts estimates that retinal scanning has an error rate of one in ten million. This is highly reliable and gives the lowest FAR among the current biometric methods.

2
Q

An organization is considering implementing biometric access control for one of its critical systems. The auditor should be MOST concerned with which of the following?

A. False-Acceptance Rate (FAR)
B. False-Rejection Rate (FRR)
C. Equal Error Rate (EER)
D. Number of staff enrolled for biometrics

A

A. False-Acceptance Rate (FAR)

FAR is the rate at which unauthorised persons are accepted, i.e. the biometric system allows an unauthorised person to access the system. In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR). This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when the system is used to protect highly sensitive data. EER or CER is the best indicator when overall performance is to be evaluated.

3
Q

The best overall quantitative performance indicator for a biometric system is:

A. False-Acceptance Rate (FAR)
B. False-Rejection Rate (FRR)
C. Equal Error Rate (EER)
D. Number of staff enrolled for biometrics

A

C. Equal Error Rate (EER)

In any given scenario, the most important overall quantitative performance indicator for a biometric system is the CER or EER. A low EER is a combination of a low FRR and a low FAR. The CER or EER is the rate at which FAR and FRR are equal. The most effective biometric control system is the one with the lowest CER or EER. A low FRR or a low FAR alone does not measure the overall efficiency of the device.

4
Q

An organization is considering implementing a biometric access control for one of its critical systems. Among the biometrics listed below, the MOST effective biometric control system is the one:

A. with the highest equal-error rate (EER).
B. with the lowest equal-error rate (EER).
C. with the highest cross error rate (CER).
D. which covers all the systems in the organization.

A

B. with lowest equal-error rate (EER).

The CER or EER is the rate at which FAR and FRR are equal. The most effective biometric control system is the one with the lowest CER or EER. Options A and C are incorrect, as the biometric with the highest EER or CER is the most ineffective. Option D is not correct, as not all systems need to be covered by biometric control.

5
Q

Which of the following is a measure to ascertain the accuracy of a biometric system?

A. response time.
B. registration time.
C. verification time.
D. false-acceptance rate.

A

D. false-acceptance rate.

The three main accuracy measures used for a biometric solution are:
(i) False-Acceptance Rate (FAR),
(ii) False-Rejection Rate (FRR),
(iii) Cross-Error Rate (CER) or Equal-Error Rate (EER).
FAR is a measure of how often invalid individuals are accepted. The other choices are performance measures, not accuracy measures.

6
Q

An organization is evaluating the effectiveness of biometric systems for its extremely high security requirements. Which of the following performance indicators is MOST important?

A. False-acceptance rate (FAR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. Fail to enrol rate (FER)

A

A. False-acceptance rate (FAR)

FAR is the rate at which unauthorized persons are accepted, i.e. the biometric system allows an unauthorized person to access the system. In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR). This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when the system is used to protect highly sensitive data.

7
Q

Which of the following observations is the GREATEST concern to an auditor reviewing the biometric control for a critical system?

A. Access to the biometric scanner is provided through a virtual private network (VPN).
B. Biometric devices are not installed in a restricted area.
C. Data transferred between the biometric device and the access control system is not encrypted.
D. The risk analysis for the biometric control was last conducted 2 years ago.

A

C. Data transferred between the biometric device and the access control system is not encrypted.

A. This is not a concern, as a VPN provides a secured environment.
B. This is a concern. However, the greatest concern should be data transmitted without encryption.
C. Data transmitted between the biometric device and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.
D. This is a concern. The biometric risk analysis should be done periodically, but the greatest concern should be data transmitted without encryption.

8
Q

An IS auditor is evaluating the effectiveness of biometric systems for an extremely high-security environment. Which of the following stages should be reviewed first?

A. Storage
B. Enrollment
C. Identification
D. Termination

A

B. Enrollment

The biometric life cycle comprises the enrollment, transmission and storage, verification, identification and termination processes. The users of a biometric device must first be enrolled in the device. This occurs through an iterative process of acquiring a sample, extracting data from the sample, validating the sample and developing a final template that is stored and subsequently used to authenticate the user.

9
Q

An organization is considering implementing access control for one of its critical systems. Among the control measures listed below, the MOST effective control is:

A. Token-based PIN
B. Iris Scan
C. Photo Identification
D. Password

A

B. Iris Scan

Among all the controls, an iris scan can be considered the most reliable. Fraudsters find it very difficult to bypass biometric controls. Since no two irises are alike, identification and verification can be done with confidence. The other options are not as strong as an iris scan.

10
Q

An organization is considering implementing access control for one of its critical systems. Among the control measures listed below, the MOST effective control is:

A. Cipher lock
B. Fingerprint scanner
C. Photo Identification
D. Electronic door lock

A

B. Fingerprint scanner

Among all the controls, a fingerprint scanner can be considered the most reliable. Fraudsters find it very difficult to bypass biometric controls. A fingerprint is harder to duplicate, easier to deactivate and individually identifiable. Since no two fingerprints are alike (the chance of a match is very rare), identification and verification can be done with confidence. The other options are not as strong as a fingerprint scanner.

11
Q

In which of the following attacks is residual biometric information used to gain unauthorized access?

A. Mimic
B. Brute-force
C. Cryptographic
D. Replay

A

D. Replay

In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.
In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as imitating a voice.
A brute-force attack involves sending numerous different biometric samples to a biometric device.
A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

12
Q

In which of the following attacks does the attacker reproduce characteristics similar to those of the enrolled user?

A. Mimic
B. Brute-force
C. Cryptographic
D. Replay

A

A. Mimic

In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as imitating a voice.
A brute-force attack involves sending numerous different biometric samples to a biometric device.
A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.
In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

13
Q

Which of the following attacks targets the algorithm or the encrypted data transmitted between the biometric device and the access control system?

A. Mimic
B. Brute-force
C. Cryptographic
D. Replay

A

C. Cryptographic

A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.
In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as imitating a voice.
A brute-force attack involves sending numerous different biometric samples to a biometric device.
In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

14
Q

Which of the following attacks involves sending numerous different biometric samples to a biometric device?

A. Mimic
B. Brute-force
C. Cryptographic
D. Replay

A

B. Brute-force

A brute-force attack involves sending numerous different biometric samples to a biometric device.
In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as imitating a voice.
In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.
A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

15
Q

An organization is considering implementing biometric access control for all PCs that access critical data. This will:

A. completely eliminate the risk of false acceptance, i.e. unauthorised access will be eliminated completely.
B. require enrollment of all users that access the critical data.
C. require the fingerprint reader to be controlled by a separate password.
D. provide assurance that unauthorized access will be impossible.

A

B. require enrollment of all users that access the critical data.

Setting up any new biometric process requires enrollment of all users for whom access is to be provided. The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice A is incorrect, as the risk of false acceptance cannot be eliminated. The risk of a biometric device may be optimized, but it will never be zero, because that would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint reader does not need to be protected in itself by a password. Choice D is incorrect because the use of biometric protection on PCs does not provide assurance that unauthorized access will be impossible.