BCS CISMP-V9 BCS Foundation Certificate in Information Security Management Principles V9.0 Exam Practice Test

Page: 1 / 14
Total 100 questions
Question 1

Which of the following is an asymmetric encryption algorithm?



Answer : D

RSA (Rivest-Shamir-Adleman) is a widely accepted asymmetric encryption algorithm. Unlike symmetric algorithms, which use the same key for both encryption and decryption, asymmetric algorithms use a pair of keys -- a public key for encryption and a private key for decryption. This method allows for secure key exchange over an insecure channel without the need to share the private key. RSA operates on the principle that it is easy to multiply large prime numbers together to create a product, but it is hard to reverse the process, i.e., to factorize the product back into the original primes. This one-way function underpins the security of RSA.


Question 5

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?



Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

However, vishing attacks, which involve voice phishing through phone calls, are not commonly associated with the use of botnets. Vishing typically involves direct voice communication to trick individuals into divulging sensitive information and does not leverage the distributed computing power of botnets, which is central to their usual applications such as spam distribution, DDoS attacks, and vulnerability scanning.


Question 6

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?



Answer : D

Developers should undergo Awareness Training to understand the security of the code they have written and how it can improve security defense while being attacked. This type of training educates developers on the importance of security considerations throughout the software development lifecycle (SDLC). It covers best practices for secure coding, common vulnerabilities and how to avoid them, and the impact of code security on the overall security posture of an application. By being aware of security principles and the potential threats, developers can write more secure code, which is crucial for defending against attacks.


Question 7

What advantage does the delivery of online security training material have over the distribution of printed media?



Answer : A

The delivery of online security training material offers several advantages over printed media. One of the key benefits is the ease of updating content. When updates are required, online materials can be edited quickly and efficiently, with changes being immediately available to all users. This contrasts with printed materials, which would require a new physical version to be produced and distributed, a process that is both time-consuming and resource-intensive.

Furthermore, online training materials can be accessed from anywhere at any time, providing flexibility and convenience for learners. They also allow for interactive elements, such as quizzes and simulations, which can enhance the learning experience. Additionally, online materials can be tracked for usage and completion, enabling organizations to monitor compliance with training requirements.

While option C mentions a 'discoverable record,' this refers to the legal concept that materials may be used as evidence in litigation. However, this is not an advantage of online over printed media, as both can be discoverable. Option B's claim that online materials are intrinsically more accurate is not necessarily true, as accuracy depends on the content's quality, not the delivery method. Option D is incorrect because while online materials are protected by copyright laws, this is not an exclusive benefit over printed materials, which are also protected.

