BCS CISMP-V9 BCS Foundation Certificate in Information Security Management Principles V9.0 Exam Practice Test

Page: 1 / 14
Total 100 questions
Question 1

Which of the following is an asymmetric encryption algorithm?



Answer : D

RSA (Rivest-Shamir-Adleman) is a widely accepted asymmetric encryption algorithm. Unlike symmetric algorithms, which use the same key for both encryption and decryption, asymmetric algorithms use a pair of keys -- a public key for encryption and a private key for decryption. This method allows for secure key exchange over an insecure channel without the need to share the private key. RSA operates on the principle that it is easy to multiply large prime numbers together to create a product, but it is hard to reverse the process, i.e., to factorize the product back into the original primes. This one-way function underpins the security of RSA.


Question 2

In software engineering, what does 'Security by Design'' mean?



Answer : C

Security by Design' in software engineering refers to the practice of integrating security measures into the software development process from the very beginning. This approach ensures that security is not an afterthought but a fundamental component of the system's architecture and design.It involves continuous testing, authentication safeguards, and adherence to best programming practices to make systems as free of vulnerabilities and impervious to attack as possible1.By incorporating security early in the design process, potential flaws can be identified and mitigated early on, significantly reducing the cost and complexity of addressing security issues later in the development lifecycle23.


Question 3

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?



Answer : A

The method used to target senior individuals in an organization for coercing them into actions like misdirected high-value payments is known as awhaling attack. This type of attack is a more targeted version of phishing, aimed specifically at high-ranking executives or important individuals within an organization. The attackers masquerade as a senior player at the organization and use social engineering techniques to trick the target into performing actions such as transferring money or revealing sensitive information. Whaling attacks are highly personalized and often involve extensive research on the target to make the fraudulent requests seem legitimate and convincing.The term ''whaling'' is used because it refers to going after the ''big fish'' or ''whales'' of an organization, such as CEOs or CFOs, who have access to significant resources and sensitive information.Reference: Based on the information provided by Kaspersky's resource center on whaling attacks1.


Question 4

What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?



Answer : D

Cross-Site Request Forgery (CSRF) is an attack that exploits the trust relationship between a user's browser and a server-based website. In a CSRF attack, the attacker tricks the authenticated user's browser into sending a request to a third-party site, which the browser is already authenticated with, without the user's knowledge or consent. This can lead to unauthorized actions being performed on the user's behalf, such as changing user settings, posting content, or even initiating financial transactions.The attack leverages the fact that the browser automatically includes credentials like cookies, session tokens, or other authentication information with each request to a site123.


Reflectoring's 'Complete Guide to CSRF/XSRF (Cross-Site Request Forgery)'1.

OWASP Foundation's ''Anti CSRF Tokens ASP.NET'' article2.

Threat Intelligence's blog on 'Cross-Site Request Forgery (CSRF) - What Is It, How to Prevent It'3.

Question 5

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?



Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

However,vishing attacks, which involve voice phishing through phone calls, are not commonly associated with the use of botnets.Vishing typically involves direct voice communication to trick individuals into divulging sensitive information and does not leverage the distributed computing power of botnets, which is central to their usual applications such as spam distribution, DDoS attacks, and vulnerability scanning123.


Question 6

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?



Answer : A

An Information Owner is typically responsible for determining the classification of the information and for ensuring that it is handled and protected in accordance with its classification. This includes the right to assign access privileges to others, which allows the Information Owner to control who can access the information and what level of access they have. This right is essential for maintaining the confidentiality, integrity, and availability of the information, which are core principles of information security management.The Information Owner's role is to ensure that only authorized individuals have access to the information and that they have the appropriate level of access based on their role and need to know.Reference: BCS Foundation Certificate in Information Security Management Principles1.


Question 7

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?



Answer : D

The term ''Break Glass'' refers to an emergency access procedure that allows users to bypass normal security controls to gain access to a system or service during a critical situation. This method is analogous to breaking the glass of a fire alarm to handle an emergency. In the context of information security management, it is a controlled process that is typically documented, monitored, and audited to ensure it is used only during genuine emergencies.It is a part of an organization's disaster recovery and business continuity planning, ensuring that critical systems can still be accessed when standard authentication methods fail or are unavailable due to various reasons such as service outages, DDoS attacks, or loss of access by the primary administrator12.


Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Page:    1 / 14   
Total 100 questions