WGU D488 Cybersecurity Architecture & Engineering OBJECTIVE ASSESSMENT ACTUAL EXAM COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS || 100% GUARANTEED PASS LATEST VERSION

WGU D488 Cybersecurity Architecture & Engineering OBJECTIVE ASSESSMENT ACTUAL EXAM COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS || 100% GUARANTEED PASS LATEST VERSION 1. A private subnet must use a ________ located in a public subnet in order to connect to the Internet. - ANSWER Network Address Translation (NAT) Gateway 2. In a cloud environment, the _______ is a Virtual Private Cloud component used to allow communication between the VPC and the Internet. - ANSWER Internet Gateway 3. Methods of Defending against DDoS Attacks - ANSWER 1. Rate Limiting 2. Web Application Firewall (WAF) 3. Blackhole Routing 4. Cloud Service Providers (CSP) 5. DDoS Mitigation Software/Appliance 4. Can be used to reduce the amount of throughput available to the server or service that may be experiencing a DDoS attack. - ANSWER Rate Limiting 5. A device or virtual appliance which provides multiple security services in a single solution. It can be a useful mechanism for the protection of branch locations or similar scenario where a more simplified approach is warranted. - ANSWER Unified Threat Management (UTM) 6. List the services offered in a UTM - ANSWER 1. Content Filtering 2. SPAM Filtering 3. Antivirus 4. Web Filtering 5. Firewall 7. A ____________ provides for protocol-specific outbound traffic. For example, you might deploy a web _____ that enables client computers on the LAN to connect to websites and secure websites on the Internet. - ANSWER Forward Proxy 8. A ______ intercepts client traffic without the client having to be reconfigured. A ______ must be implemented on a switch or router or other in-line network appliance. - ANSWER Transparent Proxy 9. A _____ means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080. - ANSWER Non-transparent Proxy 10. A _______ is a system put in-line of traffic destined to a specific host or group of hosts. The _______ can inspect traffic, distribute traffic among many systems, cache content in order to improve performance, and/or perform traffic encryption. One way to describe a ________ is that it is in line of traffic from the "outside-in", meaning traffic originating - ANSWER Reverse Proxy 11. An ________ provides a mechanism allowing software interfaces to be detached from the main application. In a similar way, that a WAF can offload the inspection and protection of web traffic, an _________ can be used to offload the inspection and protection of data interface traffic. - ANSWER API Gateway 12. _______ helps to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. _____ is a set of specifications designed to provide an added level of security to traditional DNS. - ANSWER Domain Name System Security Extensions (DNSSEC) 13. ______ operates as guardians between two connected sites. Where two organizations are connected, regardless of whether the connection is traditional, cloud, or a hybrid combination, the _______ enforces a data sharing policy by performing content inspection. The are typically associated with military establishments whereby the ____ can enforce mandatory access controls and interpret data sensitivity levels in order to support the establishment's required information assurance capabilities. - ANSWER Cross Domain Solutions (CDS) 14. An example of implementing horizontal scalability. ____ leverage the global footprint of cloud platforms by distributing and replicating the components of any service, such as web apps, media, and storage, across all the key service areas needing access to the content. - ANSWER Content Delivery Network (CDN) 15. A security analyst is leading a disaster recovery simulation and wants to determine whether all parties involved in the response know what to do and how to work together to complete the exercise. What simulation should they perform? A - Checklist B - Walk-through C - Tabletop exercise D - Active failover - ANSWER C - Tabletop exercise The tabletop exercise will identify a specific objective or goal and then use it to determine whether all parties involved in the response know what to do and how to work together to complete the exercise. A checklist test requires copies of the BCDR plan distributed to all the departments, teams, and other participants included in the plan. A walk-through requires all groups included in the BCDR plan to identify a representative to participate in a meeting to review the plans. An active failover is not a simulation, but it would be an option if the parties want to attempt performing an active failover. 16. A security analyst is setting up documents for the outputs of the test or incident, along with recommendations based on the outputs and findings. Which standard should the analyst reference? A - NIST 800-53 B - NIST 800-61 C - NIST 800-84 D - ISO standard 15408 - ANSWER C - NIST 800-84 NIST SP 800-84, the "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities," includes an after-action report template that helps with documentation and findings. NIST 800-53, "Security and Privacy Controls for Information Systems," outlines necessary controls for audits of information systems used for certification. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, "Computer Security Incident Handling Guide," identifies the groups that are necessary when responding to an incident. The ISO standard 15408 addresses IT security techniques, including the introduction and general model and the functional and assurance components that define various operations. 17. A security practitioner is conducting a privacy impact assessment (PIA) as part of a business continuity plan. What should the practitioner assess? Select 3 answers. A - Sensitivity B - Collection methods C - Sharing methods D - System inventory - ANSWER A, B & C; Sensitivity, Collection methods, Sharing methods 18. A large part of this assessment includes analyzing the sensitivity level of privacy data. A system containing full names will need to be handled differently from one containing social security numbers or other similar government-supplied identifiers. 19. Another large part of this assessment includes collection methods, including how the company uses and maintains data. This helps to ensure that these processes continue in the event of a disaster. 20. A privacy impact assessment should also document whether the company shares the data and the parties included in the sharing arrangement. 21. The company should have performed a system inventory during the initial stage of the business continuity planning. 22. Disaster recovery (DR) protocol - ANSWER Procedures for consistent and efficient recovery operations. 23. Simple Network Management Protocol (SNMP) - ANSWER Monitors network devices to prevent downtime. 24. File Transfer Protocol (FTP) - ANSWER Transfers files between systems for backup and recovery. 25. Hypertext Transfer Protocol (HTTP) - ANSWER Enables communication between web servers and clients. 26. Maximum Tolerable Downtime (MTD) - ANSWER Longest acceptable downtime before significant harm occurs. 27. Recovery Point Objective (RPO) - ANSWER Maximum acceptable data loss measured in time. 28. Business Continuity Planning (BCP) - ANSWER Strategies to ensure critical business functions continue. 29. Business Impact Analysis (BIA) - ANSWER Evaluates effects of disruptions on business operations. 30. Privacy Impact Assessment (PIA) - ANSWER Evaluates effects of data handling on privacy. 31. Security Orchestration, Automation, and Response (SOAR) - ANSWER Streamlines incident response through automation. 32. Security Information and Event Management (SIEM) - ANSWER Aggregates and analyzes security data for threats. 33. Content Delivery Network (CDN) - ANSWER Improves website speed by distributing content globally. 34. Cloud Access Security Broker (CASB) - ANSWER Enforces data security policies in cloud applications. 35. A network administrator is trying to set up network security so that only trusted devices have network access. What solution should the administrator set up? A - VPN B - DNSSEC C - NGFW D - NAC - ANSWER D - NAC Network Access Control (NAC) allows the creation of policies designed to evaluate connected devices and determine whether to allow access to a network environment. In an enterprise setting, a virtual private network (VPN) has two primary applications: to enable people to connect to the enterprise from home or other remote locations or to provide connectivity between branch locations. Domain Name System Security Extensions (DNSSEC) help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. A next-generation firewall (NGFW) can perform all of the tasks of a standard firewall but add additional functionality allowing it to inspect higher-level protocols, such as HTTP, to provide more granular protection against malicious traffic. 36. A website administrator is setting up a cluster of web servers and wants to ensure that if one server goes down, the system in place will route the traffic through the others. Which network appliance should the administrator use? A - Firewall B - Load balancer C - Router D - NAT gateway - ANSWER B - Load balancer A common implementation for load balancers is for fault tolerance, where the load balancer is able to determine if a particular web server in a group is inoperable so that the system can re-direct traffic. Firewalls provide a foundational level of protection for any network by blocking or allowing traffic based on a set of pre-configured rules. Routers forward traffic between subnets by inspecting IP addresses and so operate at layer 3 of the OSI model. A NAT gateway allows connectivity between private subnets, or Virtual Private Clouds (VPC), and the Internet. 37. A security analyst is attempting to create efficiencies by automating certain tasks defined in the security playbook. Which automation tool would help the analyst accomplish this? A - SOAR B - Bootstrapping C - Autoscaling D - VDI - ANSWER A - SOAR Security orchestration, automation, and response (SOAR) automate some of the routine tasks ordinarily performed by security personnel in response to a security incident. Bootstrapping describes the set of automated tasks performed as part of the deployment of an instance. This is not related to security incident handling but is more along the lines of system administration tasks. Autoscaling allows the application of policies that include specific definitions of minimum and maximum capacity. Virtual desktop infrastructure (VDI) uses desktop virtualization to separate the personal computing environment from the user's physical machine. 38. A systems administrator has been running a data center full of physical servers for a small company but is worried about ensuring operations. The administrator begins assessing various Type 1 hypervisors for future migration. What are some major Type 1 hypervisors the sysadmin can evaluate for future migration? Select 3 answers. A - ESXi B - Hyper-V C - Windows Server D - XEN - ANSWER A, B & D; ESXi, Hyper-V, XEN VMware ESXi Server is a very popular bare metal virtual platform. It allows installing multiple operating systems that can run simultaneously on a single computer. Microsoft's Hyper-V is Microsoft's solution for Type 1 hypervisors. When choosing a solution, the administrator can do a physical to virtual migration to virtualize the servers to run on the hypervisor. Citrix's XEN Server is another popular solution for Type 1 hypervisors. The hardware needs to only support the base system requirements for the hypervisor plus resources for the type and number of guest OSs that the sysadmin will install. The Windows Server itself is not the Type 1 hypervisor, but Hyper-V is the solution provided by Microsoft. 39. A solutions architect is designing a security architecture for a nuclear power plant facility. Which of the following would be the best design? A - Jump box B - Guest environment C - Peer-to-peer D - Air gap - ANSWER D - Air gap An air gap provides an empty area surrounding a high-value asset, and a security administrator closely monitors it for intrusions. As well as being disconnected from any network, the physical space surrounding the host makes it easier to detect unauthorized attempts to approach the asset. A jump box is a specially configured, highly hardened, and closely monitored system used to perform administrative tasks or to access servers located within an environment. Guest environments describe the hosts and networks available for use by visitors, such as the public or vendors. Peer-to-Peer networks are de-centralized networks, meaning that the participating nodes self-organize to provide the types of services typically associated with client-server networks. 40. A cloud engineer is setting up controls between VPCs. Which of the following should the engineer use? A - NAC lists B - VNET C - Screened subnet D - Jump box - ANSWER A - NAC lists In a cloud environment, network access control (NAC) Lists (or "nackles") control inbound and outbound traffic between networks, or more specifically, between virtual private clouds (VPCs). A VPC or virtual network (VNET) allows for the creation of cloud resources within private networks that parallel the functionality of creating the same resources in a traditional, privately operated data center. A screened subnet uses two firewalls placed on either side of the demilitarized zone (DMZ). The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. A jump box is a specially configured, highly hardened, and closely monitored system used to perform administrative tasks or to access servers located within an environment.