WGU D488 – Cybersecurity Architecture & Engineering Practice Questions & Answers (with Rationales)
1. Which principle ensures users are given only the minimum access required
to perform their job?
A. Defense in Depth
B. Separation of Duties
C. Least Privilege
D. Zero Trust
Correct Answer: C. Least Privilege
Rationale: Least privilege reduces attack surface by limiting access rights to only what is
necessary.
2. Which security model focuses on confidentiality and is commonly used in
government systems?
A. Biba Model
B. Clark-Wilson Model
C. Bell-LaPadula Model
D. Brewer-Nash Model
Correct Answer: C. Bell-LaPadula Model
Rationale: Bell-LaPadula enforces confidentiality using “no read up, no write down.”
3. What is the primary goal of Zero Trust Architecture (ZTA)?
A. Eliminate firewalls
B. Trust internal users by default
C. Verify every access request
D. Centralize authentication
Correct Answer: C. Verify every access request
Rationale: Zero Trust assumes no implicit trust, regardless of network location.
4. Which architecture component is responsible for enforcing access control
decisions?
A. Policy Decision Point (PDP)
B. Policy Enforcement Point (PEP)
C. Identity Provider (IdP)
D. Security Information Event Manager
Correct Answer: B. Policy Enforcement Point (PEP)
Rationale: PEP enforces access decisions made by the PDP.
5. What type of control is a firewall?
A. Detective
B. Corrective
C. Preventive
D. Compensating
Correct Answer: C. Preventive
Rationale: Firewalls prevent unauthorized network access before it occurs.
6. Which cryptographic concept ensures data has not been altered in transit?
A. Confidentiality
B. Authentication
C. Integrity
D. Non-repudiation
Correct Answer: C. Integrity
Rationale: Integrity verifies that data remains unchanged.
7. What is the primary purpose of a DMZ in network architecture?
A. Encrypt internal traffic
B. Isolate public-facing services
C. Authenticate users
D. Monitor internal logs
Correct Answer: B. Isolate public-facing services
Rationale: A DMZ limits exposure of internal networks.
8. Which protocol provides secure remote access using encryption?
A. FTP
B. Telnet
C. SSH
D. SNMP
Correct Answer: C. SSH
Rationale: SSH encrypts remote access sessions.
9. Which cloud responsibility belongs to the customer under the shared
responsibility model?
A. Physical data center security
B. Hypervisor security
C. Data classification
D. Hardware maintenance
Correct Answer: C. Data classification
Rationale: Customers are responsible for protecting their own data.
10. What security concept combines something you know, have, and are?
A. Single Sign-On
B. Federation
C. Multi-Factor Authentication
D. Role-Based Access Control
Correct Answer: C. Multi-Factor Authentication
Rationale: MFA uses multiple authentication factors.
11. Which architecture strategy uses multiple layers of security controls?
A. Zero Trust
B. Defense in Depth