BCS CISMP-V9 BCS Foundation Certificate in Information Security Management Principles V9.0 Exam Practice Test

Answer : B

The Advanced Encryption Standard (AES) is the current specification for the encryption of electronic data established by the National Institute of Standards and Technology (NIST). AES is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information, converting data to an unintelligible form called ciphertext and back to its original form, plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.It was selected by NIST as a Federal Information Processing Standard (FIPS) to protect electronic data and is widely recognized and used for secure data encryption1.

Answer : B

The AAA service, which stands for Authentication, Authorization, and Accounting, is essential for managing user access to network resources. When it comes to providing AAA services for both wireless and remote access network services in a non-proprietary manner, RADIUS (Remote Authentication Dial-In User Service) is the most suitable technology.

RADIUS is an open standard protocol widely used for network access authentication and accounting. It is supported by a variety of network vendors and devices, making it a non-proprietary solution that can be easily integrated into different network environments.RADIUS provides a centralized way to authenticate users, authorize their access levels, and keep track of their activity on the network1.

TACACS+is a Cisco proprietary protocol and therefore does not meet the requirement of avoiding proprietary solutions.

OAuthis a framework for authorization and is not typically used for network access control in the same way that RADIUS is.

MS Access Databaseis not a network authentication protocol and would not provide the necessary AAA services for network security.

Answer : A

Contracting third parties to meet specific security standards is prudent because vulnerabilities within their networks can be exploited to gain unauthorized access to a client's environment. Third-party vendors often have access to an organization's sensitive data and systems, which can become a potential entry point for cyber attackers. By ensuring that third parties adhere to stringent security standards, an organization can better protect itself against the risk of data breaches and cyber attacks that may originate from less secure third-party networks. This proactive approach to third-party security helps maintain the integrity and confidentiality of the organization's data and systems.

Answer : C

The cryptographic protocol that preceded Transport Layer Security (TLS) is Secure Sockets Layer (SSL). SSL was the standard security protocol designed to provide communications security over a computer network before TLS was introduced. TLS evolved from SSL, with the first version of TLS (1.0) being developed as SSL version 3.1.However, the name was changed to TLS to indicate that it was no longer associated with Netscape, the company that developed SSL123.

SSL was used from 1994 until it was deprecated in 2015 by the Internet Engineering Task Force (IETF) due to security vulnerabilities.Before its deprecation, TLS was already being used as a backup protocol for SSL 3.0 and quickly became the successor to SSL3. This transition highlights the continuous effort to improve cryptographic protocols to ensure secure communications over the internet.

Answer : D

Turning on SSID broadcasts is not considered a best practice for securing a wireless network. SSID broadcasts make the network name publicly visible, which can be an invitation for unauthorized users to attempt to access the network. Best practices suggest disabling SSID broadcasts to make the network less visible and thus less likely to be targeted by malicious actors.While using WPA encryption, MAC filtering, and dedicating an access point on a VLAN connected to a firewall are all recommended security measures, advertising the network's presence via SSID broadcasts does not enhance security and could potentially compromise it12.

Answer : C

According to the OWASP Top 10 list, Injection Flaws are among the most prolific web application vulnerabilities. This category includes a variety of attacks such as SQL, NoSQL, OS, and LDAP injection where untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injection flaws are particularly dangerous because they can lead to data breaches, loss of data integrity, and denial of service, among other impacts.

Answer : C

Security by Design' in software engineering refers to the practice of integrating security measures into the software development process from the very beginning. This approach ensures that security is not an afterthought but a fundamental component of the system's architecture and design.It involves continuous testing, authentication safeguards, and adherence to best programming practices to make systems as free of vulnerabilities and impervious to attack as possible1.By incorporating security early in the design process, potential flaws can be identified and mitigated early on, significantly reducing the cost and complexity of addressing security issues later in the development lifecycle23.