Cybersecurity-Architecture-and-Engineering WGU Cybersecurity Architecture and Engineering (KFO1/D488) Questions and Answers

The correct answer is B — Wireless intrusion prevention system (WIPS).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), a WIPS actively monitors wireless networks for unauthorized access points and malicious activity, such as man-in-the-middle (MITM) attacks. It can automatically detect, alert, and prevent wireless threats in real time, which is exactly what the organization requires to counteract MITM attacks on the wireless network.

A SIEM (A) collects logs and generates alerts but does not prevent wireless attacks. An inline encryptor (C) encrypts data but does not prevent wireless attacks. A Layer 3 switch (D) operates at the network layer and does not prevent wireless-specific threats.

Reference Extract from Study Guide:

"A wireless intrusion prevention system (WIPS) detects and prevents unauthorized access points and malicious wireless activity, including man-in-the-middle attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Wireless Security and Threat Prevention

=============================================

The correct answer is D — Open Authorization (OAuth).

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) Study Guide, OAuth is the standard protocol used for authorizing access to third-party applications without revealing user credentials. It allows users to log in using social identity providers like Google, Facebook, or LinkedIn, which is perfect for external customers and contractors accessing a mobile application. OAuth is designed for modern applications requiring delegated access.

SAML (A) is generally used for enterprise single sign-on (SSO) solutions, primarily for internal enterprise authentication, not social login. Kerberos (B) is used within controlled internalnetwork environments for authentication. LDAP (C) is a directory access protocol, not an authorization protocol for third-party sign-in.

Reference Extract from Study Guide:

"OAuth enables users to grant a third-party application limited access to their resources withoutexposing their credentials, making it ideal for mobile and web applications involving external users."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Authentication and Authorization Concepts

=============================================

The correct answer is D — Identify.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), the first step in risk management is identifying potential risks. Only once risks are identified can they be assessed, controlled, and reviewed. In this case, identifying potential data breaches, outages, and cost issues is the starting point.

Assess (A) happens after identification. Control (B) involves implementing responses. Review (C) happens later to check effectiveness.

Reference Extract from Study Guide:

"The first phase of risk management is risk identification, where potential threats and vulnerabilities are recognized and documented."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Risk Management Life Cycle

=============================================

The correct answer is C — Constantly scan for known signatures on every machine.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), scanning for known malware signatures is an essential method for detecting infections such as botnets. Signature-based detection compares files and behaviors against databases of known indicators of compromise (IOCs).

Two-factor authentication (A) protects login processes but does not detect malware. Firewall rules (B) help control access but do not detect infections. Configuration management (D) ensures system setup integrity but does not detect botnets.

Reference Extract from Study Guide:

"Signature-based scanning detects malware and botnets by comparing system files and behaviors against databases of known threats and indicators of compromise (IOCs)."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Malware Detection and Threat Response

The correct answer is D — Recovery point objective (RPO).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), the RPO defines the maximum amount of data loss that is tolerable in terms of time. It sets the backup frequency to ensure that in the event of a disruption, no more than the specified amount of data is lost.

Continuous data protection (A) is a method but not the term for the metric. BIA (B) identifies impacts but does not define backup timing. DR (C) refers to the overall recovery process, not backup frequency.

Reference Extract from Study Guide:

"Recovery point objective (RPO) defines the maximum age of files that must be recovered from backup storage for normal operations to resume after a failure."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Disaster Recovery and Recovery Objectives

=============================================

The correct answer is C — Data Protection Impact Assessment (DPIA).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), a DPIA is conducted to assess how personal data is collected, stored, and processed, evaluating potential privacy impacts and defining measures to mitigate risks. This is essential for compliance with privacy laws and regulations, especially in systems handling sensitive customer information.

DR (A) and BCP (B) are about operational recovery, not data privacy. Risk management (D) is broader and not focused solely on privacy impact.

Reference Extract from Study Guide:

"A Data Protection Impact Assessment (DPIA) evaluates the effects of processing activities on the privacy of individuals and develops strategies to mitigate privacy risks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Data Privacy and Protection Strategies

=============================================

AnEnd User License Agreement (EULA)is a legal contract between the software manufacturer and the user.

The primary purpose of a EULA is togrant the user the right to use the software.

It outlines the terms and conditions under which the software can be used.

This can include restrictions on installation, distribution, and modification.

The EULA helps protect the intellectual property rights of the software creator.

Federated authenticationallows two or more organizations to share access credentials based ontrusted identity providers. This enables users from one domain to access systems in another without creating separate accounts.

NIST SP 800-63C (Digital Identity Guidelines – Federation):

“Federated identity allows users to access multiple services across security domains using a single identity, reducing the administrative burden of account duplication.”

This is essential in B2B or inter-organizational environments likehealthcare information exchange.

????WGU Course Alignment:

Domain:Access Control and Identity Management

Topic:Implement federated identity systems for cross-organizational access

The statement refers to the different types of media that can be used for data backup. Backup media encompasses various storage devices and methods used to store copies of data. Examples include:

CDs and DVDs: Optical storage media used for smaller-scale backups.

Hard drives: Mechanical or solid-state drives used for local and external backups.

Cloud storage: Online services providing remote storage and access to backups.

Choosing the appropriate backup media is crucial for ensuring data availability and recovery in case of data loss.

References

David M. Kroenke and Randall J. Boyle, "Using MIS," Pearson.

Curtis Preston, "Backup & Recovery: Inexpensive Backup Solutions for Open Systems," O'Reilly Media.

The correct answer is B — Internet Protocol Security (IPsec).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), IPsec provides secure communication over IP networks by encrypting and authenticating IP packets. It is widely used for site-to-site VPNs and ensures confidentiality, integrity, and authentication between different cloud environments like Azure and AWS.

TCP (A) is a transport layer protocol ensuring reliable delivery but not encryption. FTP (C) is used for file transfer and is insecure unless secured with extensions. SSH (D) secures remote terminal sessions but is not primarily used for network-wide secure communication.

Reference Extract from Study Guide:

"IPsec provides a secure method of communication across IP networks, ensuring data confidentiality, integrity, and authentication for VPN connections and hybrid cloud communications."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Protocols for Hybrid Environments

=============================================

Next-Generation Firewalls (NGFWs)offer a unified solution that includes traditional packet filtering andadvanced detection featureslike Intrusion Detection and Prevention (IDPS). This makes them the most efficient and scalable option for replacing legacy firewalls in modern environments.

NIST SP 800-94 Rev. 1 (Guide to Intrusion Detection and Prevention Systems):

“NGFWs integrate IDS/IPS features with traffic inspection, enabling detection and prevention of attacks in real time.”

????WGU Course Alignment:

Domain:Security Operations

Topic:Implement detection and prevention solutions (e.g., NGFWs, IDS/IPS)

The development of scope creep is often signaled by the addition of many unplanned features to the original project. This indicates that the project scope is expanding beyond its initial boundaries. Key indicators include:

Uncontrolled changesto the project scope.

Continuous new requestsfrom stakeholders that were not part of the original requirements.

Increased project complexityand difficulty in managing the project timeline and resources.

Scope creep can lead to delays, budget overruns, and project failure if not managed properly.

References

Project Management Institute, "A Guide to the Project Management Body of Knowledge (PMBOK Guide)," PMI.

Harold Kerzner, "Project Management: A Systems Approach to Planning, Scheduling, and Controlling," Wiley.

The correct answer is A — Homomorphic encryption.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), homomorphic encryption allows computations to be performed directly on encrypted data without needing to decrypt it first. This ensures the confidentiality of the data even during processing.

SFE (B) allows two parties to jointly compute a function without revealing inputs but is not the same. SSL (C) secures communication channels. PIR (D) is for retrieving information privately, not computing on encrypted data.

Reference Extract from Study Guide:

"Homomorphic encryption allows operations on encrypted data, enabling secure processing by third parties without exposing underlying data."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Advanced Encryption Techniques

=============================================

The employee needs to execute a program from the command line, which requires inputting commands into the computer.

The primary device for inputting commands is the keyboard.

Other options like the hard drive, speaker, and printer are not used for inputting commands.

The hard drive is used for data storage.

The speaker outputs sound.

The printer outputs documents.

Therefore, the correct peripheral device for this task is the keyboard.

The correct answer is B — Tabletop exercises.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) defines a tabletop exercise as a controlled simulation where participants discuss their roles during a simulated disaster scenario. It allows the evaluation of the plan without causing real disruption to operations.

Walk-throughs (A) review plans but are less interactive. Checklists (C) are passive validation. Full interruption tests (D) would disrupt operations, which the company wants to avoid.

Reference Extract from Study Guide:

"Tabletop exercises allow teams to simulate disaster scenarios in a controlled, discussion-based format, helping validate plans without impacting real-world operations."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Disaster Recovery Testing Methods

=============================================

ASecurity Information and Event Management (SIEM)system collects, normalizes, and correlates logs and security events from various devices across both on-premises and cloud environments. It enables centralizedthreat detection,incident response, andcompliance monitoring.

NIST SP 800-137 (Information Security Continuous Monitoring):

“SIEMs are essential for real-time incident detection and response by aggregating and analyzing logs from disparate systems.”

Hybrid cloud environmentsmake log correlation complex, and SIEMs are uniquely suited to bridge cloud and on-prem infrastructure.

????WGU Course Alignment:

Domain:Security Operations and Monitoring

Topic:Use SIEM for centralized monitoring and event correlation in hybrid architectures

The correct answer is B — Public key infrastructure (PKI).

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) Study Guide, PKI is the framework that enables the issuance and management of digital certificates used for device authentication. By using certificates, devices can securely authenticate themselves to access corporate resources without relying solely on passwords.

VPNs (A) secure network connections but do not authenticate devices themselves. Certificate signing (C) is a part of PKI but not the complete infrastructure. Endpoint passwords (D) authenticate users, not necessarily the devices.

Reference Extract from Study Guide:

"Public key infrastructure (PKI) enables the issuance of digital certificates used for authenticating users, systems, and devices, ensuring secure access control."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Cryptography and PKI Concepts

=============================================

The correct answer is C — Symmetric algorithm.

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) study material, symmetric encryption uses the same key for both encryption and decryption, offering high speed and lower computational overhead compared to asymmetric algorithms. This makes symmetric encryption ideal when both security and performance are important factors.

Block cipher (A) is a type of symmetric algorithm but not the broader category being asked. Hash functions (B) are for data integrity, not encryption/decryption. Asymmetric algorithms (D) are more secure for key exchange but have higher computational cost.

Reference Extract from Study Guide:

"Symmetric encryption algorithms use a single shared key for encryption and decryption, offering efficient and high-performance protection for sensitive data transmissions."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Cryptography Fundamentals

=============================================

The characteristic of quality data represented here is relevance. When an organization sends customers email messages based on their purchase patterns, it ensures that the information is relevant to the customers' interests and needs. Relevant data is tailored to the specific context in which it is used, enhancing its value and effectiveness.

DNSSEC (Domain Name System Security Extensions)is a security protocol that adds cryptographic validation to DNS responses, making it nearly impossible for attackers to spoof DNS responses or redirect users to malicious sites.

NIST SP 800-81 Rev. 2 (Secure Domain Name System (DNS) Deployment Guide):

“DNSSEC provides data origin authentication and data integrity to DNS responses using digital signatures, effectively mitigating spoofing and cache poisoning attacks.”

While patching and awareness are important, DNSSECdirectly mitigatesthe technical risk described.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Implement DNS hardening techniques such as DNSSEC

The correct answer is C — Tampering.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials explain that tampering refers to unauthorized modifications of systems or data. In this case, the website being altered to redirect users to a malicious landing page indicates that an attacker has tampered with the legitimate website code or its DNS settings.

Exfiltration (A) refers to stealing data. Phishing (B) involves tricking users but not modifying a website. Ransomware (D) encrypts systems for ransom, not cause redirection.

Reference Extract from Study Guide:

"Tampering involves the unauthorized modification of a system or its resources, often to redirect users to malicious destinations or to alter functionality in harmful ways."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Categories and Impacts

=============================================

The SQL statementSELECT * FROM Customers WHERE State = 'Arizona';is used to select records from theCustomerstable.

TheSELECT *clause indicates that all columns from theCustomerstable should be returned.

TheWHEREclause filters the rows to only include those where theStatecolumn value is'Arizona'.

The result is a subset of theCustomerstable with all rows that match the condition.

A Business Intelligence (BI) system is designed to analyze and present data in a way that supports decision-making processes. It helps organizations make informed, strategic decisions by providing insights through data analysis, visualization, and reporting. BI systems aggregate data from various sources, enabling a comprehensive view of the business that informs planning and strategy.

Risk avoidanceinvolves eliminating the source of risk altogether. In this case, the organization chose todecommission the vulnerable systeminstead of patching or compensating — a clear example of avoiding risk.

NIST SP 800-30 Rev. 1 (Risk Assessment Guide):

“Risk avoidance involves not performing the action that gives rise to the risk or eliminating the risk cause or consequence.”

This strategy is ideal when the cost or complexity of mitigation is too high or when risk to the business is unacceptable.

????WGU Course Alignment:

Domain:Security Models and Design

Topic:Understand and apply risk response strategies (avoid, accept, transfer, mitigate)

Mandatory Access Control (MAC)is the access control model used in environments that manage classified information such as government or military systems. Under MAC, access is based onsecurity labels(e.g., Top Secret, Confidential), and userscannot changeaccess controls.

NIST SP 800-53 Rev. 5 – AC-3 (Access Enforcement):

“MAC policies enforce access based on system-enforced labels, without user discretion, and are ideal for high-security environments where strict data control is essential.”

MAC is theonly modelwhere access control decisions arecentrally controlled and enforced by a policy administrator, making it ideal for environments requiringdata labeling and user classification.

????WGU Course Alignment:

Domain:Access Control and Identity Management

Topic:Understand and apply MAC for high-security environments

An input device is any hardware component that allows a user to enter data into a computer.

A scanner is an input device that converts physical documents into digital format.

The other options:

Printer is an output device.

Flash drive is a storage device.

CD can be both storage and media for input/output depending on the context but is not primarily used for direct data input.

Therefore, a scanner is the correct answer for an input device.

The correct answer is C — Competitor.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), competitors often attempt to steal intellectual property to gain a business advantage. Given the theft of valuable business assets (e-books and videos), the most likely actor is a competitor motivated by financial or market advantage, not ideology or random hacking.

An APT (A) is usually nation-state-sponsored and targets critical infrastructure. A novice hacker (B) might deface or cause damage but is less likely focused on IP theft. Hacktivists (D) are politically motivated, not financially.

Reference Extract from Study Guide:

"Competitors may engage in cyber espionage to steal intellectual property and gain market advantage, representing a significant threat to business assets."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Actor Categories

AHost-based Intrusion Detection and Prevention System (HIDPS)can detect unauthorized activity or suspicious changesat the OS level, including those specifically targetingLinux kernel modules, services, or rootkits.

NIST SP 800-94 Rev. 1:

“HIDPS software runs on individual hosts or devices in the network, analyzing inbound and outbound packets and alerting administrators to suspicious activity.”

HIDPS is especially effective in server environments wherekernel-level visibilityis critical.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Implement and monitor HIDPS on enterprise Linux servers

Business continuity planning (BCP) is essential because it ensures that an organization can quickly resume its critical functions after a disruption. The key aspects include:

Minimizing downtime: Strategies to restore business operations as quickly as possible.

Risk management: Identifying potential threats and creating plans to mitigate their impact.

Data recovery: Ensuring that data can be restored quickly in the event of a loss.

Communication plans: Establishing protocols for communicating with employees, customers, and stakeholders during and after a disruption.

The primary goal of BCP is to ensure the quickest return to business operations, maintaining service levels and minimizing financial losses.

References

Andrew Hiles, "The Definitive Handbook of Business Continuity Management," Wiley.

Michael Wallace and Lawrence Webber, "The Disaster Recovery Handbook," AMACOM.

A system requirement that involves preventing unauthorized access to data is aSecurityrequirement. Security requirements ensure that the system:

Protects data integrity: Ensuring data is accurate and unchanged by unauthorized users.

Maintains confidentiality: Preventing unauthorized access to sensitive information.

Ensures availability: Making sure that data and resources are available to authorized users when needed.

Security requirements are critical for safeguarding the system against threats and vulnerabilities.

References

Dieter Gollmann, "Computer Security," Wiley.

Ross Anderson, "Security Engineering: A Guide to Building Dependable Distributed Systems," Wiley.

Data support an organization's business goals by providing crucial information that aids in making informed decisions. Analyzing data helps identify trends, measure performance, and uncover insights that drive strategic planning and operational improvements. This informed decision-making process is vital for achieving business goals and staying competitive in the market.

The correct answer is A — Implementing secure encrypted enclaves and Advanced Micro Devices (AMD) Secure Memory Encryption.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) explains that encryption at the memory level (such as AMD SME) and secure enclaves protect data in volatile memory, safeguarding it even if physical attacks occur.

Security training (B), antivirus (C), and password policies (D) improve security generally but do not specifically address data in volatile memory.

Reference Extract from Study Guide:

"Encrypted enclaves and secure memory encryption protect sensitive data in volatile storage, maintaining confidentiality and integrity even during advanced attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Server and Memory Security Controls

=============================================

The correct answer is A — Expiration.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), password expiration policies require users to change their passwords after a certain period, ensuring that long-term credential exposure risk is minimized.

Length (B) defines minimum password size. Recovery (C) relates to resetting forgotten passwords. Complexity (D) enforces character requirements, not age.

Reference Extract from Study Guide:

"Password expiration policies require users to update passwords regularly, minimizing the risk of long-term credential exposure."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Password Security Best Practices

=============================================

The correct answer is B — Sixteen characters with at least one letter, one number, and one symbol.

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) Study Guide, strong password policies must enforce a minimum length (preferably 12 to 16 characters) and require complexity, including uppercase and lowercase letters, numbers, and special characters. Sixteen-character passwords that include varied character types greatly increase the difficulty for attackers using brute-force or dictionary attacks.

Options A, C, and D either lack complexity or have too few characters, making them vulnerable to attacks.

Reference Extract from Study Guide:

"A strong password should be at least 12–16 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters to maximize resistance to brute-force attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity and AccessManagement Concepts

=============================================

The correct answer is C — Impact.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, when evaluating the severity of an incident, the immediate and potential impact on operations, patient care, finances, or reputation is the most critical factor. In this scenario, the interruption to patientcare due to encrypted records signifies a major operational impact, making it the most important consideration.

Threat actors (A) identify who is behind the attack, not the severity. Risk (B) encompasses impact and likelihood but is broader. Likelihood (D) concerns the probability of an event happening, not its current severity.

Reference Extract from Study Guide:

"Impact refers to the actual or potential harm that results from a security incident, including effects on operations, financial loss, or harm to individuals."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Incident Response and Management

=============================================

The correct answer is C — Cyber kill chain.

The Cyber Kill Chain, developed by Lockheed Martin, is a model that breaks down a cyber attack into seven distinct phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) study materials, this model helps security teams understand and interrupt an attack at various stages.

While MITRE ATT&CK (B) and its ICS variant (A) provide detailed mappings of techniques used by attackers, they are not structured specifically into seven phases like the Cyber Kill Chain. The Diamond Model (D) is an analysis methodology, not a phase-based model.

Reference Extract from Study Guide:

"The Cyber Kill Chain model divides the sequence of a cyber attack into seven phases, providing a structured method for analyzing and disrupting attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Attack Frameworks and Methodologies

The correct answer is C — Encrypting data.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) states that encryption is the best defense against man-in-the-middle attacks because even if traffic is intercepted, the data remains unreadable without the appropriate decryption keys.

Disabling Wi-Fi (A) is not practical and does not eliminate MITM threats entirely. Password policies (B and D) strengthen account security but do not protect data transmission.

Reference Extract from Study Guide:

"Encryption ensures the confidentiality of data in transit, preventing unauthorized parties from accessing the content even during man-in-the-middle attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Data Transmission Security

=============================================

End-of-life (EOL) systemspose a significant security risk because they no longer receive patches or security updates. Themost effective and proactive hardening techniquein this case is tocompletely remove those systems from the network.

NIST SP 800-128 (Guide for Security-Focused Configuration Management):

“Systems no longer supported by vendors must be removed, replaced, or isolated as they pose unacceptable risks.”

Other controls are useful for broader protection, but if a system is inherently vulnerable and cannot be patched,removal is the only surefire solution.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Implement system hardening strategies and manage legacy systems

Regularlyreviewing and updatingthe Disaster Recovery Plan ensures it remains effective astechnology, processes, and risks evolve. It ensures that the DRP reflects current infrastructure, contacts, and business requirements.

NIST SP 800-34 Rev. 1:

“Plans should be reviewed and updated regularly to ensure accuracy and relevance. Failure to do so may result in ineffective or outdated procedures.”

Testing is important, butregular updates ensure long-term plan viability.

????WGU Course Alignment:

Domain:Business Continuity and Disaster Recovery

Topic:Maintain and periodically revise DRPs to reflect current risks and systems

Recovery Point Objective (RPO)defines themaximum acceptable amount of data lossmeasured in time. It determines how often backups should occur to avoid losing critical business data.

NIST SP 800-34 Rev. 1:

“RPO represents the point in time prior to an outage to which systems and data must be restored to resume business operations.”

CDP is a method; RPO is thestrategic planning metric.

????WGU Course Alignment:

Domain:Business Continuity and Disaster Recovery

Topic:Define RPO to support data resilience and backup planning

Encrypting stored (at rest) dataensures that even if the storage is compromised (e.g., stolen or accessed by unauthorized parties), the data remains unintelligible without the encryption keys.

NIST SP 800-111 (Guide to Storage Encryption Technologies):

“Data encryption provides confidentiality of information stored on media or storage systems, preventing unauthorized disclosure of sensitive data.”

Encryption is a core requirement forconfidentiality controls, especially for systems handling documents and records.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Apply data-at-rest encryption for secure information storage

An information system is a coordinated set of components designed to collect, store, and process data, and to deliver information, knowledge, and digital products. Organizations use information systems to support operations, management, and decision-making. This includes both the technical components (hardware, software, databases, and networks) and the human components (people and processes).

The correct answer is B — Regularly backing up the data stored in the POS system and having a disaster recovery plan can help ensure that the system is available in the event of a security incident or system failure.

As explained in WGU Cybersecurity Architecture and Engineering (KFO1 / D488), backing up critical systems and establishing a disaster recovery plan ensures business continuity and system availability even after incidents like hardware failures, cyberattacks, or data corruption.

While intrusion detection (A), access control (C), and patch management (D) contribute to overall security, backups and disaster recovery specifically ensure availability.

Reference Extract from Study Guide:

"Data backups and disaster recovery planning are essential controls to ensure system availability during and after a security incident or technical failure."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Business Continuity and Disaster Recovery

=============================================

The correct answer is D — Security information and event management (SIEM).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), a SIEM collects and correlates event data from multiple sources (such as cloud and on-premisesenvironments) in real-time. It provides centralized visibility, analysis, and alerting, which is critical in hybrid cloud deployments.

File integrity monitoring (A) watches for unauthorized file changes, not event correlation. DLP (B) protects sensitive data but does not correlate events. IDS (C) detects network intrusions but does not combine event data centrally.

Reference Extract from Study Guide:

"Security information and event management (SIEM) systems collect, normalize, correlate, andanalyze security event data from multiple sources, providing centralized monitoring and alerting."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Security Monitoring and Event Management

=============================================

BIOS protectioninvolves enabling hardware security features such asfirmware password protection,secure boot, andwrite protection, which prevent unauthorized firmware modifications.

NIST SP 800-147 (BIOS Protection Guidelines):

“Proper BIOS protection mechanisms, including authenticated updates and access control, are critical to maintaining the integrity of the platform’s startup environment.”

This is apreventive control. BIOS monitoring is reactive; backups protect data, not firmware integrity.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Apply firmware and BIOS security controls to prevent low-level tampering

Processing is the operation that converts raw data into meaningful information. Input data is collected and then processed through various means such as calculations, comparisons, or formatting to produce output that can be interpreted and used by humans or other systems.

The correct answer is B — Redundant backups, a communication plan, and a designated off-site location for data storage and recovery.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) emphasizes that for effective business continuity and disaster recovery, companies must maintain redundant backups, establish a communication strategy for emergencies, and store critical backups in off-site or cloud locations to recover operations quickly.

While evacuation plans (A) and insurance policies (C) are important, they are not the core technical components for IT disaster recovery. Routine maintenance and remote work (D) are helpful but secondary.

Reference Extract from Study Guide:

"Redundant backups, off-site data storage, and an effective communication plan are key components of business continuity and disaster recovery strategies."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Business Continuity and Disaster Recovery Planning

=============================================

Application Software:

Application software refers to programs that help end users perform specific tasks. Examples include email clients, word processors, and spreadsheet programs.

These are designed to be used by people to perform tasks such as writing documents, managing data, or communicating.

Operating Systems:

Operating systems (OS) manage the hardware and software resources of a computer system. They provide a platform for application software to run.

Examples include Microsoft Windows, macOS, and Linux. The OS handles system-level tasks like memory management, process scheduling, and hardware interaction.

Key Differences:

Application software (B, C) is user-oriented, aimed at helping users complete tasks.

Operating systems (A, D) manage the computer's hardware and system resources.

The correct answer is B — Implementing domain name system security extensions (DNSSEC) to digitally sign DNS responses and prevent DNS spoofing attacks.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) teaches that DNSSEC protects the integrity and authenticity of DNS responses, thereby preventing DNS spoofing (also called DNS cache poisoning), which could redirect users to malicious sites.

Restricting DNS access (A) is not sufficient against spoofing. Increasing patching frequency (C) is good practice but does not specifically stop spoofing. Security awareness training (D) helps against phishing, not DNS vulnerabilities.

Reference Extract from Study Guide:

"DNSSEC digitally signs DNS data to ensure the integrity and authenticity of DNS responses, mitigating risks such as DNS spoofing and cache poisoning."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Networking Protocols

=============================================

Packet sniffing is a technique used to capture and analyze network traffic, which can include intercepting passwords while they are in transit.

When data packets are transmitted over a network, a packet sniffer can capture these packets, and if they are not encrypted, it can read sensitive information like passwords.

The other options:

Buffer overflow is a type of attack that exploits a program's memory handling.

Phishing is a social engineering attack to deceive users into providing sensitive information.

Black hat refers to a hacker with malicious intent, not a specific technique.

Therefore, packet sniffing is the correct technique for obtaining passwords in transit.

The correct answer is C — Least privilege.

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) course material, the principle of least privilege ensures that users are granted only the minimum level of access required to perform their job functions. In this case, if the insider only had access to resources necessary for their user role, they would not have been able to access sensitive administrative information.

Password complexity (A) strengthens account security but does not prevent excessive access. Separation of duties (B) divides critical tasks but is not solely about limiting access. Job rotation (D) moves employees between roles but is not an access control measure.

Reference Extract from Study Guide:

"The principle of least privilege requires limiting user access rights to the minimum necessary to perform their tasks, reducing the risk of insider threats and unauthorized access to sensitive information."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Access Control Principles

=============================================

Logging and monitoringendpoint activity enables early detection of unauthorized access, suspicious file changes, or user behavior anomalies that may indicate an insider threat or external breach.

NIST SP 800-137 (Information Security Continuous Monitoring):

“Endpoint logging and behavior monitoring are essential for detecting unauthorized access to sensitive information, especially in healthcare environments governed by HIPAA.”

This control supportsreal-time alerting,incident response, andcompliance auditingfor patient data (ePHI).

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Implement endpoint monitoring and logging for healthcare compliance (e.g., HIPAA)

The correct answer is C — Replacing the legacy firewalls with next-generation firewalls (NGFWs).

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) outlines that NGFWs integrate advanced features like intrusion detection and prevention, application control, and real-time threat intelligence. They are designed to detect and alert on inbound threats as required by the mandate.

SIEM appliances (A) collect logs and correlate events but do not replace firewall functionality. Load balancers (B) manage traffic distribution, not threat detection. Reverse proxies (D) secure and balance traffic for web servers, not general firewall traffic.

Reference Extract from Study Guide:

"Next-generation firewalls (NGFWs) provide integrated intrusion detection and prevention capabilities, fulfilling modern security requirements for real-time threat monitoring and alerting."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Firewall Technologies and Modern Security Controls

The correct answer is C — Host-based firewall.

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, a host-based firewall enforces traffic control policies at the endpoint level. It can allow or deny traffic based on application, port, IP address, and protocol rules, restricting access to only approved services and applications on a system.

Antivirus tools (A) detect malware but do not control network traffic. Two-factor authentication (B) secures user access but does not manage network traffic. HSMs (D) handle encryption keys, not network access control.

Reference Extract from Study Guide:

"Host-based firewalls restrict traffic at the system level, permitting only authorized services and applications, enhancing endpoint security."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Endpoint Protection and Firewalls

=============================================

The correct answer is C — Implementation of encryption for all data stored in the system.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) emphasizes that encrypting data at rest ensures that even if storage systems are compromised, the data remains confidential and secure.

Password changes (A) help secure user accounts but not stored data. Firewall policies (B) and VPNs (D) protect data in transit and access control but not the storage layer itself.

Reference Extract from Study Guide:

"Encrypting data at rest ensures that stored data remains confidential and protected from unauthorized access, even if storage devices are compromised."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Data Protection Strategies

=============================================

The correct answer is A — They act as an initial defense layer for potential threats.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), security edge devices such as firewalls, secure web gateways, and intrusion prevention systems (IPS) are placed at the network perimeter to serve as the first layer of defense against external threats.

DDoS protection (B) may be part of a broader security solution but is not the main role of general edge devices. SIEM modules (C) collect and correlate logs, not defend at the perimeter. TPM devices (D) are hardware-based cryptographic modules, not network edge defenses.

Reference Extract from Study Guide:

"Security edge devices provide the first line of defense against external threats by monitoring, filtering, and blocking malicious traffic entering the corporate network."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Network Security and Perimeter Defense

Geo-IP filtering at the firewallis a well-established method of blocking traffic from regions that the organization does not do business with or has no legitimate presence in.

NIST SP 800-41 Rev. 1 (Guidelines on Firewalls):

“Firewalls can be configured to block traffic based on geolocation or IP ranges to reduce exposure to known hostile regions.”

Firewalls are thefirst line of defensein the network perimeter; adjusting SIEM rules doesn’t actively block access.

????WGU Course Alignment:

Domain:Network Security

Topic:Implement firewall filtering rules for geographic and IP-based restrictions

Theprinciple of least privilegedictates that backups—especially those containing sensitive or mission-critical data—should havestrict access controlsto prevent unauthorized access.

NIST SP 800-209 (Security Guidelines for Storage Infrastructure):

“Access to storage resources must be tightly controlled through identity management and access control policies to prevent compromise or misuse of sensitive data.”

While vulnerability scanning and auditing are goodfollow-upactions,immediate access restrictionis thefirst-line defense.

????WGU Course Alignment:

Domain:System Security Engineering

Topic:Secure cloud data storage and apply access control measures

To protect datain use(within memory), the provider must implementhardware-level memory encryptionandtrusted execution environments(secure enclaves), which protect against cold boot attacks, memory scraping, and unauthorized access.

NIST SP 800-207A (Hardware-Enabled Security: Enclaves):

“Trusted execution environments and memory encryption mechanisms help ensure that data remains protected even when systems are compromised at lower levels.”

This is amodern cloud security best practiceespecially useful forconfidential computingenvironments.

????WGU Course Alignment:

Domain:System Security Engineering / Cryptography

Topic:Protect data in use with hardware-based encryption and enclaves

Preventing unauthorized access and impersonation during exams or coursework is critical in e-learning platforms.Strong user authentication(e.g., MFA, CAPTCHA, secure login mechanisms) ensures that only authorized users access exams and coursework.

NIST SP 800-63B (Digital Identity Guidelines – Authentication):

“Secure user authentication ensures the identity of individuals accessing sensitive applications, reducing the risk of impersonation and credential misuse.”

Firewall rules and patching are important, but they don't directly addressuser-level fraud prevention.

????WGU Course Alignment:

Domain:Access Control and Identity Management

Topic:Secure authentication mechanisms for web platforms

Arelational databaseis structured to recognize relations among stored items of information.

Multiple tablesin a relational database can have interrelated fields.

These relationships are often managed throughforeign keys, which reference the primary keys of other tables.

This relational model allows for complex queries and data integrity across the database.

Example:Tables such asCustomers,Orders, andProductsin a sales database, whereOrderstable may reference bothCustomersandProductstables to establish relationships.

The correct answer is B — Access logs.

As outlined in the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, access logs record who accessed which system components, when they did so, and what changes they made. These logs are vital for creating an audit trail that can be reviewed to detect unauthorized changes to applications or systems.

NetFlow logs (A) track network traffic flows but not system or application changes. Packet capture logs (C) deal with network data but are not specialized for auditing application-level events. Router logs (D) capture network device activity, not application access information.

Reference Extract from Study Guide:

"Access logs maintain detailed records of user actions within systems and applications, providing the necessary audit trail for tracking authorized and unauthorized activities."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Log Management Concepts

=============================================

Data is considered information when it has been processed and organized in a meaningful way. Raw data in its unprocessed state is not useful until it undergoes processing to become interpretable and actionable information. Processing can involve sorting, aggregating, and analyzing data to extract valuable insights.

The correct answer is B — Compare the unknown address to known IP addresses to determine if it is a threat.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), proper threat analysis requires identifying and verifying whether an unknown source is malicious before taking action. Comparing the IP address against known threat databases or intelligence feeds allows the organization to make informed decisions.

Permanently blocking (A) or temporarily blocking (C) without analysis could cause disruption if the IP is legitimate. Rate limiting (D) reduces traffic but does not determine threat status.

Reference Extract from Study Guide:

"Effective incident analysis begins by verifying and classifying the suspicious activity, including checking unknown IP addresses against threat intelligence sources."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Analysis and IncidentHandling

=============================================

Scope creep refers to the phenomenon where the scope of a project gradually increases over time due to small, incremental changes that were not initially planned or approved. This can happen when:

New featuresor requirements are added without proper evaluation or approval.

Stakeholderscontinuously request small changes or additions.

Lack of a clear scope definitionand change control process.

These small changes can accumulate, leading to significant deviations from the original project plan, affecting the project's schedule, budget, and overall success.

References

Project Management Institute, "A Guide to the Project Management Body of Knowledge (PMBOK Guide)," PMI.

Kathy Schwalbe, "Information Technology Project Management," Cengage Learning.