WGU D488 - CASP+/D488 -
Cybersecurity Architecture &
Engineering exam study guide
Design Secure Network Architecture - 25% - ANS Section 1
Identity and Access Management - ANS A framework of policies and technologies used
to manage digital identities and control user access to a resource within an organization
Password Policy - ANS Rules set to enforce strong password creation and
management, including requirements for length, history, complexity, and more.
Privileged Access Management - ANS A security practice that monitors and controls
access to critical systems and data by users with elevated access (e.g. admin accounts)
Password Complexity - ANS A set of rules designed to make a password stronger and
more difficult to crack or guess.
Kerberos - ANS A network authentication protocol that uses symmetric key
cryptography to securely authenticate users and services over the network.
Mandatory Access Control (MAC) - ANS A security model where access to resources is
determined by system-enforced policies. Access is granted based on labels or
classifications. (e.g. "Top Secret")
Attribute-Based Access Control (ABAC) - ANS A security model where access to
resources is determined by attributes such as user role, location, time of access, etc...
In-band authentication - ANS A security method where authentication occurs within the
same communication channel used to access the service or system. An example will
include receiving a verification token on the same device you are using to login.
Out-of-Band authentication - ANS A security method where authentication occurs using
a separate communication channel from the primary one. An example includes receiving
a verification email with a code to confirm your identity.
,Challenge Handshake Authentication Protocol (CHAP) - ANS A secure authentication
protocol used to verify the identity of a user or device over the network by sending them
a "challenge" (random value) from the server to the client.
JSON Web Token - ANS A compact, URL-safe token format used for securely
transmitting information between two parties as a JSON object.
Trusted Platform Module (TPM) - ANS a hardware based security device used to store
cryptographic keys, passwords, and other sensitive data securely. This security device
ensures that the system hardware and software hasn't been tampered with.
Single Sign On (SSO) - ANS An authentication process that allows users to access
multiple applications or systems using single set of credentials.
Internet Protocol Security (IPSec) - ANS A suite of protocols used to secure IP
communications by encrypting and authenticating data packets transmitted over a
network. Commonly used in VPN's.
Simple Network Management Protocol (SNMP) - ANS A protocol used for managing and
monitoring network devices in an IP network. Allows administrators to collect
performance data, configure devices, and receive alerts about issues or failures.
Extensible authentication protocol (EAP) - ANS An authentication framework used to
provide various methods of user authentication over a network. It is commonly used in
wireless networks and VPN's to support different forms of authentication like passwords,
certificates, and tokens.
Open Authentication (OAuth) - ANS A simple authentication method where access is
granted without requiring credentials or any form of authentication. Typically used in
unsecured networks such as public wi-fi.
Secure Socket Layer (SSL) - ANS A cryptographic protocol designed to provide secure
communication over a computer network. SSL encrypts the data exchanged between a
client and server, ensuring confidentiality and integrity. SSL is now deprecated and has
been replaced with the Transport Layer Security (TLS) protocol.
Virtual Private Network (VPN) - ANS A technology that creates a secure, encrypted
connection over a public network (like the internet) to allow remote users or sites the
ability to access a private network safely.
Security Information and Event Management (SIEM) - ANS A security solution that
collects, analyzes, and correlates log and event data from across an organization's IT
environment in real time.
,Web Application Firewall (WAF) - ANS A security solution that monitors, filters, and
blocks malicious traffic to and from web applications.
Secure Socket Shell (SSH) - ANS A cryptographic network protocol used to securely
access and manage remote systems over an unsecured network.
Demilitarized Zone (DMZ) - ANS A network segment that separates an organization's
internal network from external-facing services. It acts as a buffer zone to limit access
between the internet and the internal network.
Hardware Security Module (HSM) - ANS A physical device designed to securely
generate, store, and manage cryptographic keys.
Port Security - ANS A network security feature that restricts access to a switch port
based on MAC addresses.
Software Firewall - ANS A security application installed on individual devices that
monitors and controls incoming and outgoing network traffic based on predefined rules.
Helps block unauthorized access, detect threats, and enforce security policies at the host
level.
Anti-spam gateway - ANS A security solution that filters and blocks unwanted or
malicious email (spam) before it reaches the recipient's inbox.
Proxy server - ANS An intermediary server that sits between a user's device and that
internet. It forwards user requests to the website and returns the responses. Often used
to improve security, control web access, cache content, and anonymize user activity.
Unified Threat Management (UTM) Appliance - ANS An all-in-one security device that
integrates multiple security functions--such as firewall, intrusion detection/prevention
(IDS/IPS), antivirus, content filtering, and VPN--into a single platform. It simplifies
network security management and provides centralized protection against a wide range
of threats.
Intrusion Detection System (IDS) - ANS A security solution that monitors network or
system activity for malicious actions or policy violations. It detects threats like
unauthorized access, malware, or abnormal behavior and alerts administrators but does
not take direct action to stop the threat
Intrusion Prevention System (IPS) - ANS A security solution that actively monitors
network traffic for malicious activity and automatically blocks or prevents detected
threats in real time.
, Deep Packet Inspection (DPI) - ANS An advanced method of analyzing network traffic by
inspecting the data portion (not just headers) of packets.
Signature Based Detection - ANS A threat detection method that identifies known
malware or attacks by comparing activity or files against a database of known
signatures. It's fast and effective but can't identify new or unknown malware. Commonly
used in antivirus and IDS/IPS systems
Virtual Desktop Infrastructure (VDI) - ANS A technology that hosts desktop
environments on a centralized server, allowing users to access virtual desktops remotely
over a network.
Remote Desktop Protocol (RDP) - ANS A Microsoft protocol that allows users to
remotely access and control another computer over a network. RDP uses encryption and
is considered a secure method of remote access.
Digital Rights Management (DRM) - ANS A set of technologies used to protect and
control access to digital content (like software, music, videos, and documents). DRM
enforces licensing, prevents unauthorized copying or distribution, and ensures only
authorized can use the content as intended.
Watermarking - ANS A method used to embed visible or invisible markers (like logos,
text, or metadata) into digital contents.
The security team recently enabled public access to a web application hosted on
a server inside the corporate network. The developers of the application report
that the server has received several structured query language (SQL) injection
attacks in the past several days. The team needs to deploy a solution that will
block the SQL injection attacks. Which solution fulfills these requirements?
A - Virtual private network (VPN)
B - Security information and event management (SIEM)
C - Web application firewall (WAF)
D - Secure Socket Shell (SSH) - ANS C - Web application firewall (WAF)
An IT security team has been notified that external contractors are using their
personal laptops to gain access to the corporate network. The team needs to
recommend a solution that will prevent unapproved devices from accessing the
network. Which solution fulfills these requirements?
A - Implementing a demilitarized zone (DMZ)
B - Installing a hardware security module
C - Implementing port security
D - Deploying a software firewall - ANS C - Implementing port security
Cybersecurity Architecture &
Engineering exam study guide
Design Secure Network Architecture - 25% - ANS Section 1
Identity and Access Management - ANS A framework of policies and technologies used
to manage digital identities and control user access to a resource within an organization
Password Policy - ANS Rules set to enforce strong password creation and
management, including requirements for length, history, complexity, and more.
Privileged Access Management - ANS A security practice that monitors and controls
access to critical systems and data by users with elevated access (e.g. admin accounts)
Password Complexity - ANS A set of rules designed to make a password stronger and
more difficult to crack or guess.
Kerberos - ANS A network authentication protocol that uses symmetric key
cryptography to securely authenticate users and services over the network.
Mandatory Access Control (MAC) - ANS A security model where access to resources is
determined by system-enforced policies. Access is granted based on labels or
classifications. (e.g. "Top Secret")
Attribute-Based Access Control (ABAC) - ANS A security model where access to
resources is determined by attributes such as user role, location, time of access, etc...
In-band authentication - ANS A security method where authentication occurs within the
same communication channel used to access the service or system. An example will
include receiving a verification token on the same device you are using to login.
Out-of-Band authentication - ANS A security method where authentication occurs using
a separate communication channel from the primary one. An example includes receiving
a verification email with a code to confirm your identity.
,Challenge Handshake Authentication Protocol (CHAP) - ANS A secure authentication
protocol used to verify the identity of a user or device over the network by sending them
a "challenge" (random value) from the server to the client.
JSON Web Token - ANS A compact, URL-safe token format used for securely
transmitting information between two parties as a JSON object.
Trusted Platform Module (TPM) - ANS a hardware based security device used to store
cryptographic keys, passwords, and other sensitive data securely. This security device
ensures that the system hardware and software hasn't been tampered with.
Single Sign On (SSO) - ANS An authentication process that allows users to access
multiple applications or systems using single set of credentials.
Internet Protocol Security (IPSec) - ANS A suite of protocols used to secure IP
communications by encrypting and authenticating data packets transmitted over a
network. Commonly used in VPN's.
Simple Network Management Protocol (SNMP) - ANS A protocol used for managing and
monitoring network devices in an IP network. Allows administrators to collect
performance data, configure devices, and receive alerts about issues or failures.
Extensible authentication protocol (EAP) - ANS An authentication framework used to
provide various methods of user authentication over a network. It is commonly used in
wireless networks and VPN's to support different forms of authentication like passwords,
certificates, and tokens.
Open Authentication (OAuth) - ANS A simple authentication method where access is
granted without requiring credentials or any form of authentication. Typically used in
unsecured networks such as public wi-fi.
Secure Socket Layer (SSL) - ANS A cryptographic protocol designed to provide secure
communication over a computer network. SSL encrypts the data exchanged between a
client and server, ensuring confidentiality and integrity. SSL is now deprecated and has
been replaced with the Transport Layer Security (TLS) protocol.
Virtual Private Network (VPN) - ANS A technology that creates a secure, encrypted
connection over a public network (like the internet) to allow remote users or sites the
ability to access a private network safely.
Security Information and Event Management (SIEM) - ANS A security solution that
collects, analyzes, and correlates log and event data from across an organization's IT
environment in real time.
,Web Application Firewall (WAF) - ANS A security solution that monitors, filters, and
blocks malicious traffic to and from web applications.
Secure Socket Shell (SSH) - ANS A cryptographic network protocol used to securely
access and manage remote systems over an unsecured network.
Demilitarized Zone (DMZ) - ANS A network segment that separates an organization's
internal network from external-facing services. It acts as a buffer zone to limit access
between the internet and the internal network.
Hardware Security Module (HSM) - ANS A physical device designed to securely
generate, store, and manage cryptographic keys.
Port Security - ANS A network security feature that restricts access to a switch port
based on MAC addresses.
Software Firewall - ANS A security application installed on individual devices that
monitors and controls incoming and outgoing network traffic based on predefined rules.
Helps block unauthorized access, detect threats, and enforce security policies at the host
level.
Anti-spam gateway - ANS A security solution that filters and blocks unwanted or
malicious email (spam) before it reaches the recipient's inbox.
Proxy server - ANS An intermediary server that sits between a user's device and that
internet. It forwards user requests to the website and returns the responses. Often used
to improve security, control web access, cache content, and anonymize user activity.
Unified Threat Management (UTM) Appliance - ANS An all-in-one security device that
integrates multiple security functions--such as firewall, intrusion detection/prevention
(IDS/IPS), antivirus, content filtering, and VPN--into a single platform. It simplifies
network security management and provides centralized protection against a wide range
of threats.
Intrusion Detection System (IDS) - ANS A security solution that monitors network or
system activity for malicious actions or policy violations. It detects threats like
unauthorized access, malware, or abnormal behavior and alerts administrators but does
not take direct action to stop the threat
Intrusion Prevention System (IPS) - ANS A security solution that actively monitors
network traffic for malicious activity and automatically blocks or prevents detected
threats in real time.
, Deep Packet Inspection (DPI) - ANS An advanced method of analyzing network traffic by
inspecting the data portion (not just headers) of packets.
Signature Based Detection - ANS A threat detection method that identifies known
malware or attacks by comparing activity or files against a database of known
signatures. It's fast and effective but can't identify new or unknown malware. Commonly
used in antivirus and IDS/IPS systems
Virtual Desktop Infrastructure (VDI) - ANS A technology that hosts desktop
environments on a centralized server, allowing users to access virtual desktops remotely
over a network.
Remote Desktop Protocol (RDP) - ANS A Microsoft protocol that allows users to
remotely access and control another computer over a network. RDP uses encryption and
is considered a secure method of remote access.
Digital Rights Management (DRM) - ANS A set of technologies used to protect and
control access to digital content (like software, music, videos, and documents). DRM
enforces licensing, prevents unauthorized copying or distribution, and ensures only
authorized can use the content as intended.
Watermarking - ANS A method used to embed visible or invisible markers (like logos,
text, or metadata) into digital contents.
The security team recently enabled public access to a web application hosted on
a server inside the corporate network. The developers of the application report
that the server has received several structured query language (SQL) injection
attacks in the past several days. The team needs to deploy a solution that will
block the SQL injection attacks. Which solution fulfills these requirements?
A - Virtual private network (VPN)
B - Security information and event management (SIEM)
C - Web application firewall (WAF)
D - Secure Socket Shell (SSH) - ANS C - Web application firewall (WAF)
An IT security team has been notified that external contractors are using their
personal laptops to gain access to the corporate network. The team needs to
recommend a solution that will prevent unapproved devices from accessing the
network. Which solution fulfills these requirements?
A - Implementing a demilitarized zone (DMZ)
B - Installing a hardware security module
C - Implementing port security
D - Deploying a software firewall - ANS C - Implementing port security
