CCNA Security Architecture Questions

75 of 76 questions · Page 1/2 · Security Architecture topic · Answers revealed

1
Multi-Select · medium

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

Select 2 answers
A. Establish an IPsec VPN tunnel between the AWS VPC and the on-premises network.
B. Use AWS Direct Connect to create a dedicated private network connection from on-premises to AWS.
C. Store database credentials in AWS Secrets Manager and retrieve them at runtime.
D. Configure VPC peering between the AWS VPC and the on-premises network.
E. Configure the web application to connect to the database using TLS encryption.
Answers: A, B

An IPsec VPN provides an encrypted tunnel over the internet, securing data in transit.

Why this answer

Option A is correct because an IPsec VPN tunnel creates an encrypted, site-to-site connection between the AWS VPC and the on-premises network, ensuring encryption in transit and minimizing internet exposure by using the VPN gateway as the endpoint. Option B is correct because AWS Direct Connect provides a dedicated, private network connection that bypasses the internet entirely, reducing exposure and supporting encryption via optional MACsec or IPsec, while maintaining low latency and consistent bandwidth.

Exam trap

The trap here is that candidates often confuse VPC peering with hybrid connectivity, not realizing it only works between VPCs within the same AWS region, or they assume TLS alone is sufficient for network-level security without addressing the underlying internet exposure.

2
MCQ · hard

An architect is designing a multi-factor authentication (MFA) solution for remote access. Which of the following is the STRONGEST form of second factor?

A. Email OTP
B. FIDO2 WebAuthn hardware token
C. SMS one-time code
D. Knowledge-based questions
Answer: B

FIDO2 uses public-key cryptography and is resistant to phishing.

Why this answer

FIDO2 WebAuthn hardware tokens are phishing-resistant and provide strong cryptographic authentication. SMS codes, email OTPs, and knowledge-based questions are vulnerable to phishing or interception.

3
Multi-Select · hard

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Select 3 answers
A. Deploy geo-fencing to block access from non-EU countries.
B. Implement a process for customers to request deletion of their personal data.
C. Use data masking for customer data in development and testing environments.
D. Implement encryption at rest and in transit for all sensitive data.
E. Retain all access logs for a minimum of 7 years.
Answers: B, C, D

Right to erasure is a key GDPR requirement.

Why this answer

Option B is correct because GDPR grants data subjects the right to erasure (Article 17), also known as the 'right to be forgotten.' Implementing a process for customers to request deletion of their personal data is a mandatory control for GDPR compliance, directly addressing this regulatory requirement.

Exam trap

Cisco often tests the misconception that geo-fencing is a GDPR requirement, but GDPR focuses on the rights of data subjects and lawful processing, not on geographic blocking of access.

4
MCQ · easy

A company is designing a new multi-tier web application. The security team recommends placing a web application firewall (WAF) in front of the web servers and a network firewall between the web and application tiers. Which security architecture principle does this represent?

A. Defense in depth
B. Separation of duties
C. Least privilege
D. Single point of failure
Answer: A

Multiple layers of defense (WAF and firewalls) exemplify defense in depth.

Why this answer

Defense in depth (layered security) uses multiple controls to protect assets. Option D is wrong because the design is not a single control or a single point of failure. Option B is wrong because separation of duties is about dividing responsibilities. Option C is wrong because least privilege limits access rights.

5
Multi-Select · hard

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Select 2 answers
A. Configure a site-to-site VPN from the corporate network to the ICS network
B. Implement a network-based intrusion prevention system (IPS) on the ICS network
C. Deploy a unidirectional gateway (data diode) between the networks
D. Place a bastion host in a DMZ accessible from both networks for monitoring traffic
E. Segment the networks using VLANs only
Answers: C, D

A data diode ensures traffic can flow only out of the ICS network, preventing inbound access.

Why this answer

A unidirectional gateway (data diode) physically enforces one-way data flow, ensuring that no traffic can originate from the corporate IT network into the ICS network. This prevents unauthorized access while allowing monitoring data (e.g., syslog, SNMP traps) to be sent out from the ICS side. It is the most effective control for preventing any inbound attack vectors while preserving outbound monitoring traffic.

Exam trap

The trap here is that candidates often choose a VPN (Option A) thinking encryption equals security, but encryption does not prevent unauthorized access—it only protects data in transit, and a VPN still allows bidirectional communication, which is the opposite of what is needed for ICS isolation.

6
MCQ · medium

A company is migrating its on-premises ERP system to a public cloud IaaS environment. The ERP system contains sensitive financial data. Which of the following architectural changes best maintains data security during and after migration?

A. Leverage the cloud provider's default security groups and disable encryption
B. Encrypt the data at rest and in transit, and implement IAM policies
C. Migrate the ERP without changes and apply encryption after migration
D. Use a VPN to connect on-premises and cloud while keeping data unencrypted
Answer: B

This ensures data confidentiality during migration and in the cloud.

Why this answer

Encrypting the data at rest and in transit, combined with strict access controls, protects data in both environments. A VPN secures transit but does not address at-rest encryption. Relying on the cloud provider's default security may not suffice.

Disabling encryption during migration increases exposure.

7
MCQ · hard

A company wants to protect its intellectual property stored on a file server. The security architect proposes implementing rights management services (RMS) integrated with Active Directory. Which attack is this architecture primarily designed to mitigate?

A. Unauthorized distribution of sensitive documents outside the organization
B. Phishing attacks targeting user credentials
C. Malware infection on the file server
D. Buffer overflow attack on the file server
Answer: A

RMS restricts access and usage rights even after documents leave the server.

Why this answer

RMS encrypts documents and controls access even if the file is copied or emailed externally, mitigating data exfiltration. Option C is wrong because RMS does not prevent host-level attacks such as malware infection. Option B is wrong because phishing is a social engineering attack. Option D is wrong because RMS does not prevent server-side exploits if the attacker gains server access.

8
Multi-Select · hard

A security architect is evaluating a new SIEM solution for a large enterprise. Which THREE of the following capabilities are CRITICAL for effective threat detection and response? (Choose three.)

Select 3 answers
A. Real-time correlation of events from multiple sources
B. Scheduled vulnerability scanning
C. Automated patch management
D. Integration with threat intelligence feeds
E. User and entity behavior analytics (UEBA)
Answers: A, D, E

Correlation is essential for identifying patterns and threats.

Why this answer

Real-time event correlation (A), threat intelligence integration (D), and UEBA (E) are core SIEM capabilities. Scheduled vulnerability scanning (B) and automated patch management (C) are typically separate tools, not built into a SIEM.

9
MCQ · medium

A security architect reviews the iptables firewall rules above. A new web server with IP 192.168.1.100 must be reachable from the internet on ports 80 and 443. Which of the following changes is necessary to allow inbound HTTPS while maintaining security?

A. Delete rule 3 and add a rule: ACCEPT tcp from any to 192.168.1.100 dpt 80,443
B. Change rule 3 source to 0.0.0.0/0 and restrict rule 2 to a management subnet
C. Change default INPUT policy to ACCEPT and rely on application security
D. Add a new rule before rule 5: ACCEPT tcp from any to 192.168.1.100 dpt 443
Answer: B

This allows global HTTPS and secures SSH to a trusted subnet.

Why this answer

The current rule 3 only allows HTTPS from the 192.168.1.0/24 subnet. To allow access from the internet, the source must be changed to 0.0.0.0/0. However, the existing SSH rule (rule 2) already allows connections from any source, which is a risk.

The correct action is to change rule 3's source to 0.0.0.0/0 and also restrict rule 2 to a management subnet, so Option B is correct. Adding a new rule (Option D) would work but would leave rule 3 misconfigured.

10
MCQ · medium

A security architect is designing a network segmentation strategy for a multi-tenant cloud environment. Which of the following is the MOST effective technique to isolate tenant workloads while maintaining manageability?

A. Host-based iptables
B. Stateful firewall rules
C. Virtual private clouds (VPCs) with separate subnets
D. VLAN tagging
Answer: C

VPCs provide scalable, logical isolation in cloud environments.

Why this answer

Virtual Private Clouds (VPCs) with separate subnets provide logical isolation at the cloud provider level, which is more manageable than VLAN tagging across physical networks. Stateful firewalls and host-based iptables are supplementary controls, not primary segmentation.

11
Multi-Select · medium

A security architect is designing a secure enclave for processing classified data. Which TWO of the following controls are essential for ensuring data confidentiality in such an enclave? (Select TWO.)

Select 2 answers
A. Data diodes for one-way data transfer from the enclave to external networks
B. Full-disk encryption on all enclave workstations
C. Physical air gap between the enclave and other networks
D. Security Content Automation Protocol (SCAP) vulnerability scanning
E. Redundant power supplies and cooling
Answers: A, B

Data diodes ensure data cannot be extracted from the enclave.

Why this answer

Full-disk encryption protects data at rest if a device is lost; data diodes enforce one-way data flow, preventing exfiltration. Option C is misleading because air gaps are common but are not a 'control' per se, and the question asks for controls. Option D is not essential because SCAP is for compliance assessment. Option E is about availability, not confidentiality.

12
MCQ · hard

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

A. Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.
B. Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.
C. Move the matching engine to a cloud provider with elastic scalability.
D. Implement a reverse proxy with rate limiting and IP blacklisting.
Answer: A

Scrubbing services filter attacks at the cloud edge, adding minimal latency if the provider is close to the origin; they preserve low latency for clean traffic.

Why this answer

A cloud-based DDoS scrubbing service (e.g., AWS Shield Advanced, Cloudflare Magic Transit) filters malicious traffic at the cloud edge before it reaches the on-premises matching engine. This preserves low latency because only clean, low-volume traffic is forwarded, and the scrubbing infrastructure is designed for high-throughput, low-latency processing without introducing inline inspection delays on the critical path.

Exam trap

The trap here is that candidates assume inline security controls (IPS, reverse proxy) are always appropriate, but for ultra-low-latency environments, any inline processing—even rate limiting—adds unacceptable delay, making cloud-based scrubbing the only viable option that offloads filtering without touching the critical path.

How to eliminate wrong answers

Option B is wrong because an inline IPS introduces processing latency (deep packet inspection, signature matching) that can exceed the sub-millisecond tolerance of a time-sensitive trading engine, potentially causing order timeouts. Option C is wrong because moving to a cloud provider with elastic scalability does not inherently mitigate DDoS; it only absorbs volumetric attacks by scaling out, but the matching engine itself remains a target and scaling introduces variable latency (e.g., cold starts, network jitter) unacceptable for low-latency trading. Option D is wrong because a reverse proxy with rate limiting and IP blacklisting adds a hop and processing overhead (connection termination, HTTP parsing) that increases latency, and it cannot handle large volumetric DDoS attacks without being overwhelmed itself.

13
MCQ · easy

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

A. Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.
B. Use server-side encryption with customer-provided keys (SSE-C).
C. Use server-side encryption with cloud provider-managed keys (SSE-S3).
D. Use client-side encryption where the application encrypts data before sending it to the cloud.
Answer: D

The company controls the encryption key entirely on-premises; the cloud only stores ciphertext.

Why this answer

Option D is correct because client-side encryption ensures the data is encrypted by the application before it is sent to the cloud, using a key managed by the company's own on-premises HSM. This approach guarantees that the cloud provider never has access to the encryption key or the plaintext data, meeting the requirement that all data at rest in the public cloud object storage bucket be encrypted with a key managed by the company's own HSM.

Exam trap

The trap here is that candidates often confuse 'customer-provided keys' (SSE-C) with true client-side key management, but SSE-C still exposes the key to the cloud provider during the encryption/decryption process, failing the requirement for the key to be managed solely by the company's own on-premises HSM.

How to eliminate wrong answers

Option A is wrong because envelope encryption with a cloud KMS still involves the cloud provider managing the key encryption key (KEK), which violates the requirement that the key be managed by the company's own on-premises HSM. Option B is wrong because server-side encryption with customer-provided keys (SSE-C) requires the customer to provide the key with each API call, but the key is temporarily stored in the cloud provider's memory for encryption/decryption, and the provider still has access to the key during the operation, failing the 'managed by the company's own HSM' requirement. Option C is wrong because server-side encryption with cloud provider-managed keys (SSE-S3) uses keys entirely managed by the cloud provider, which directly contradicts the requirement for the company to manage the key with its own HSM.

14
MCQ · easy

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?

A. Use network access control (NAC) to allow only compliant devices onto the network.
B. Deploy a mobile device management (MDM) solution that enforces device encryption and supports remote wipe.
C. Require employees to connect via a corporate VPN and use two-factor authentication.
D. Implement remote desktop protocol (RDP) gateways for all remote access.
Answer: B

MDM can enforce encryption and perform remote wipe to protect company data.

Why this answer

Mobile device management (MDM) solutions are specifically designed to enforce security policies on personal devices, including mandatory device encryption (e.g., AES-256 for data at rest) and the ability to perform a remote wipe (factory reset) to destroy company data if the device is lost or stolen. This directly addresses the requirement to protect company data on unmanaged, employee-owned devices.

Exam trap

The trap here is that candidates often confuse network-level controls (NAC, VPN) or access methods (RDP) with device-level data protection, failing to recognize that only MDM provides the required encryption enforcement and remote wipe capabilities on the endpoint itself.

How to eliminate wrong answers

Option A is wrong because network access control (NAC) checks device compliance before granting network access but does not provide device-level encryption enforcement or remote wipe capabilities; it controls admission, not data protection on the device. Option C is wrong because requiring a corporate VPN and two-factor authentication secures the communication channel and verifies identity but does not enforce encryption of data stored on the device or allow remote wiping of the device. Option D is wrong because RDP gateways provide remote access to internal desktops or applications but do not enforce encryption of local device storage or support remote wipe of the personal device.

15
MCQ · hard

A company is migrating from a legacy three-tier architecture to a microservices architecture on Kubernetes. The security team wants to ensure that service-to-service communication is encrypted and mutually authenticated. Which approach best meets these requirements with minimal operational overhead?

A. Implement a service mesh with mutual TLS (mTLS) and automatic certificate management.
B. Deploy IPsec tunnels between each pair of services using pre-shared keys.
C. Establish a site-to-site VPN between the Kubernetes cluster and the legacy network, and route all service traffic through the VPN.
D. Configure each service to use TLS with self-signed certificates, and distribute the CA certificate to all services.
Answer: A

A service mesh provides automated mTLS, giving encryption and mutual authentication with low operational overhead.

Why this answer

A service mesh with mutual TLS (mTLS) and automatic certificate management is the correct approach because it provides encrypted, mutually authenticated service-to-service communication with minimal operational overhead. The service mesh (e.g., Istio, Linkerd) transparently intercepts traffic via sidecar proxies, handles mTLS handshakes, and automates certificate issuance and rotation, eliminating the need for manual key distribution or application-level changes.

Exam trap

The trap here is that candidates may choose IPsec or VPN solutions because they are familiar with network-layer encryption, but they fail to recognize that these approaches do not scale to the dynamic, ephemeral nature of microservices and introduce prohibitive operational overhead compared to a service mesh's automated mTLS.

How to eliminate wrong answers

Option B is wrong because IPsec tunnels between each pair of services introduce significant operational overhead for key management and do not scale well in a dynamic microservices environment where service instances are ephemeral. Option C is wrong because a site-to-site VPN between the Kubernetes cluster and the legacy network secures only cross-network traffic, not internal service-to-service communication within the cluster, and routing all service traffic through the VPN adds unnecessary latency and complexity. Option D is wrong because distributing a CA certificate to all services for self-signed TLS still requires manual management of certificate distribution and does not automate certificate rotation, leading to high operational overhead and potential security gaps if certificates expire or are compromised.

16
MCQ · medium

A security architect is designing a segmentation strategy for a multi-tier web application. The public-facing web servers must communicate only with application servers, and application servers must communicate only with database servers. The architect wants to use a firewall that can inspect application-layer traffic to prevent SQL injection attacks. Which firewall type should be deployed between the application tier and the database tier?

A. Packet filtering firewall
B. Next-generation firewall (NGFW) with intrusion prevention
C. Stateful firewall
D. Web application firewall (WAF)
Answer: B

NGFWs can perform deep packet inspection and use IPS signatures to detect SQL injection in database protocols.

Why this answer

A next-generation firewall (NGFW) with intrusion prevention is the correct choice because it can perform deep packet inspection (DPI) at the application layer, allowing it to detect and block SQL injection payloads within database queries. Unlike simpler firewalls, an NGFW integrates signature-based and behavioral IPS engines that can identify malicious SQL patterns (e.g., 'OR 1=1') in traffic between the application and database tiers, providing the required application-layer inspection.

Exam trap

The trap here is that candidates often confuse the WAF's ability to inspect HTTP traffic with the need for application-layer inspection between application and database tiers, forgetting that database protocols (e.g., SQL) are not HTTP-based and require a different inspection engine like an NGFW with IPS.

How to eliminate wrong answers

Option A is wrong because a packet filtering firewall operates only at Layers 3 and 4, inspecting source/destination IPs and ports without any application-layer awareness, so it cannot detect SQL injection attacks. Option C is wrong because a stateful firewall tracks connection states (e.g., TCP handshake) but still inspects only headers at Layers 3–4, not the payload content needed to identify SQL injection. Option D is wrong because a web application firewall (WAF) is designed to inspect HTTP/HTTPS traffic between clients and web servers, not the database protocol traffic (e.g., SQL queries over TCP port 1433 or 3306) between application and database servers; deploying a WAF between these tiers would not inspect the actual database protocol.

17
MCQ · hard

An organization plans to establish a cross-forest trust between two Active Directory forests to enable resource access. The security architect is concerned about the risk of privilege escalation from a compromised domain in one forest. Which design choice best mitigates this risk?

A. Remove the trust entirely and use individual local accounts
B. Configure the trust to use forest-wide authentication instead of selective
C. Enable SID filtering on both forest trusts
D. Use selective authentication and restrict the authorized accounts
Answer: D

Selective authentication ensures only specified users can access resources in the trusting forest, limiting exposure from a compromise.

Why this answer

Using selective authentication restricts which resources in the trusting forest users from the trusted forest can access, ensuring that only specified accounts are allowed. Forest-wide authentication would allow broader access. SID filtering is enabled by default for cross-forest trusts but is not sufficient alone; selective authentication provides an additional constraint. Removing the trust is not practical.

18
MCQ · easy

A small business is designing a defense-in-depth strategy for its e-commerce website. The web server is hosted in a cloud provider and handles credit card transactions. Which of the following additional controls best complements the existing firewall and IDS?

A. Set up a security information and event management (SIEM) system
B. Add a load balancer with SSL termination
C. Implement a web application firewall (WAF)
D. Deploy a network-based antivirus on the web server
Answer: C

A WAF inspects HTTP/HTTPS traffic and blocks SQL injection, XSS, etc., adding a critical defense layer.

Why this answer

A web application firewall (WAF) adds a layer of protection against application-layer attacks, which complements the network-layer firewall and IDS. Antivirus is for endpoints, SIEM provides logging but not proactive defense, and load balancers distribute traffic but do not add security controls beyond resilience.

19
MCQ · medium

An enterprise is adopting a DevOps model and wants to integrate security into the CI/CD pipeline. The security architect recommends adding automated security testing. Which phase of the pipeline should static application security testing (SAST) be introduced to minimize rework?

A. During the build phase after code commit
B. During the production deployment phase
C. After the code is promoted to production
D. During runtime in the staging environment
Answer: A

SAST analyzes source code, so running it in the build phase catches issues early.

Why this answer

SAST is most effective when run early, ideally during the build phase, so developers can fix vulnerabilities before deployment. In production it is too late, and running it during deployment would cause delays. SAST is not typically run against running applications.

20
MCQ · hard

A large healthcare organization has implemented a zero-trust network architecture (ZTNA) to secure access to its electronic health record (EHR) system. The architecture uses a software-defined perimeter (SDP) where all users must authenticate and be authorized before accessing the EHR. The EHR system is hosted in a private cloud and communicates with a legacy billing system that cannot support modern authentication protocols. The billing system is accessed by a small number of finance employees via a dedicated VPN. Recently, an auditor discovered that a finance employee's credentials were compromised, and the attacker used the VPN to access the billing system and exfiltrate patient billing data. The security architect must prevent such lateral movement while maintaining access for legitimate users. Which of the following is the BEST course of action?

A. Apply micro-segmentation to isolate the billing system and allow only finance VLAN traffic
B. Remove the VPN and allow finance employees to access the billing system directly via RDP over the internet
C. Implement a jump server with multi-factor authentication (MFA) and session recording, and restrict the VPN to only allow access to the jump server
D. Upgrade the billing system to support OAuth 2.0 and integrate it with the ZTNA SDP
Answer: C

This adds an extra layer of security and auditability, preventing direct access to the billing system.

Why this answer

Option C is correct because a jump server with MFA and session recording creates a controlled, auditable choke point that prevents lateral movement from the VPN to the billing system. By restricting the VPN to only allow access to the jump server, the attacker cannot directly reach the billing system even with compromised VPN credentials, and MFA adds an additional layer of authentication. Session recording provides forensic evidence for post-incident analysis, addressing the auditor's concern without requiring the legacy billing system to support modern protocols.

Exam trap

The trap here is that candidates often choose micro-segmentation (Option A) thinking it prevents lateral movement, but they overlook that the compromised VPN credentials already provide authenticated access to the network segment, so micro-segmentation alone does not stop the attacker from reaching the billing system within the same VLAN.

How to eliminate wrong answers

Option A is wrong because micro-segmentation and VLAN isolation can reduce lateral movement but do not address the compromised VPN credentials; an attacker with valid VPN access could still move laterally within the finance VLAN to the billing system. Option B is wrong because removing the VPN and exposing the billing system directly via RDP over the internet dramatically increases the attack surface, bypassing all network segmentation and introducing significant security risks without any compensating controls. Option D is wrong because upgrading the legacy billing system to support OAuth 2.0 is often technically infeasible or cost-prohibitive, and the question explicitly states the system cannot support modern authentication protocols, making this option unrealistic.

21
MCQ · hard

A security architect finds this IAM policy attached to an S3 bucket. Which of the following best describes a critical security flaw in this policy?

A. The condition on the second statement uses StringEquals instead of IpAddress
B. The second statement allows public access from the 10.0.0.0/8 IP range
C. The first statement allows EC2 to assume any role in the account
D. The policy should use a NotPrincipal element to restrict access
Answer: B

Since Principal is "*", anyone on that IP range can access the bucket without authentication.

Why this answer

The second statement uses "Principal": "*" which allows any user or service to access the bucket if they meet the IP condition. Since "Effect": "Allow", it grants public access from the specified IP range. This is a major risk because the bucket is named "my-sensitive-bucket" and the IP range 10.0.0.0/8 is an internal private range that could be spoofed or used by anyone on that network.

The first statement is fine for EC2 assume role. The flaw is that the policy allows anonymous access from a broad private IP range.

22
MCQ · easy

A security architect is designing a network segmentation strategy for a multi-tier web application. The web servers must be accessible from the internet, while the application and database servers must only be accessible from the web tier. Which architecture best meets these requirements?

A. Use a single VLAN with access control lists to restrict traffic between servers.
B. Place all servers in the same subnet and use host-based firewalls for isolation.
C. Deploy web servers in a DMZ, application servers in an internal network, and database servers in a separate restricted network with firewall rules allowing only necessary traffic.
D. Use a VPN concentrator for all external access and place all servers in a private subnet.
Answer: C

This provides defense in depth with proper segmentation and access controls.

Why this answer

Option C is correct because it implements a classic three-tier DMZ architecture: web servers in a DMZ (publicly accessible), application servers in an internal network (accessible only from the DMZ), and database servers in a restricted backend network (accessible only from the application tier). This layered segmentation enforces the principle of least privilege and uses firewall rules to control traffic between each tier, ensuring that internet-facing components cannot directly reach sensitive data stores.

Exam trap

The trap here is that candidates often confuse network segmentation with simple access control lists or host-based firewalls, failing to recognize that true segmentation requires separate network zones (DMZ, internal, restricted) with firewall-enforced traffic flows between them.

How to eliminate wrong answers

Option A is wrong because a single VLAN with ACLs does not provide true network segmentation; ACLs on a Layer 3 device can filter traffic but all servers remain in the same broadcast domain, increasing the attack surface and risk of lateral movement. Option B is wrong because placing all servers in the same subnet with host-based firewalls relies solely on endpoint security, which can be bypassed if a host is compromised, and does not provide network-level isolation or defense in depth. Option D is wrong because using a VPN concentrator for all external access and placing all servers in a private subnet would require all users to connect via VPN, which is impractical for a public web application and does not segment internal tiers from each other.

23
Multi-Selecthard

When evaluating the security architecture of a containerized application, which THREE of the following practices should be implemented to minimize the attack surface? (Select THREE.)

Select 3 answers
A.Encrypt sensitive data at rest within the container
B.Use minimal base images (e.g., Alpine Linux) instead of full OS images
C.Implement multi-factor authentication for container registries
D.Set container file systems to read-only where possible
E.Drop all capabilities except those required for the application
AnswersB, D, E

Smaller images have fewer packages and vulnerabilities.

Why this answer

Using minimal base images (B) reduces vulnerabilities; a read-only file system (D) prevents malware persistence; dropping unnecessary capabilities (E) limits the kernel attack surface. Option A is not about attack surface reduction; it is about data protection. Option C is about authentication, not attack surface.

24
MCQhard

A large enterprise is migrating its critical financial applications to a public cloud provider. The security architecture team has designed a multi-region deployment to ensure availability and disaster recovery. The applications use TLS for data in transit and rely on a key management service (KMS) for encryption keys. During a penetration test, it was discovered that the KMS master keys are stored in a single region, creating a single point of failure. Additionally, the load balancer configuration exposes internal application health check ports to the internet. The security architect must remediate these issues while minimizing latency and cost. Which of the following is the BEST course of action?

A.Replace the TLS encryption with IPsec VPNs and use a third-party key management appliance in each region
B.Implement cross-region replication of KMS master keys and restrict health check ports to internal IP ranges only
C.Move all applications to a single region to simplify key management and use a single shared load balancer
D.Use client-side encryption with keys stored in the application code and disable the health checks entirely
AnswerB

Replication ensures key availability; restricting health check ports reduces attack surface.

Why this answer

Option B addresses both issues: cross-region replication ensures KMS availability, and restricting health check ports to internal ranges reduces exposure. Option C increases risk by consolidating everything into one region. Option D embeds keys in application code, violating security best practices.

Option A replaces TLS with IPsec, which is unnecessary and adds complexity.

25
MCQhard

An organization has recently migrated its on-premises data center to a public cloud. The security team notices that several virtual machines (VMs) in the same subnet are communicating with each other without any restrictions. The company policy requires that only specific application traffic (e.g., database queries from web servers) be allowed between VMs, and all other inter-VM traffic must be blocked to comply with a zero-trust model. The cloud provider offers native security group and network ACL features. The architect must design a solution that enforces the policy with minimal administrative overhead and supports future expansion. Which of the following is the BEST course of action?

A.Move each application tier to a separate VPC and use VPC peering with strict routing policies
B.Place all VMs in the same subnet and configure security groups that only allow necessary inter-VM traffic (e.g., web-to-db), with a default deny rule
C.Place all VMs in the same subnet and configure network ACLs with explicit allow rules for required traffic and a deny-all rule for other traffic
D.Keep all VMs in the same subnet but deploy a third-party next-generation firewall as a virtual appliance to inspect and filter inter-VM traffic
AnswerB

Security groups are stateful and evaluated at the instance level; they allow fine-grained control with default deny.

Why this answer

Using security groups (B), which are instance-level firewalls, allows per-VM permit rules and denies everything else by default, meeting the zero-trust requirement. Option C is wrong because network ACLs are stateless and require rules for both directions, increasing complexity. Option A is wrong because moving tiers to different VPCs breaks application connectivity unnecessarily.

Option D is wrong because a third-party firewall adds cost and complexity without a clear benefit over native security groups.
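The stateful-versus-stateless distinction is the whole reason option B beats option C, so here is an added Python model of it (not part of the question bank, and not any cloud provider's code). The hosts, ports and rules are constructed to mirror the web-to-database scenario: a stateful security group tracks the connection and lets the reply through on its own, whereas a stateless network ACL judges the reply packet by itself and drops it unless a second, ephemeral-port rule exists.

```python
"""Model of a stateful security group versus a stateless network ACL.

Added example (not from the question bank): the hosts, ports and rules
below are constructed to mirror the web-to-database scenario above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # host label or "any"
    dst: str
    proto: str
    ports: tuple           # inclusive destination port range (lo, hi)


def _matches(rule, pkt):
    lo, hi = rule.ports
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.proto in ("any", pkt.proto) and lo <= pkt.dport <= hi)


class StatelessAcl:
    """Network ACL: every packet, including the reply, is judged on its own."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt):
        for rule in self.rules:          # first match wins
            if _matches(rule, pkt):
                return rule.action == "allow"
        return False                     # implicit deny


class StatefulSecurityGroup:
    """Security group: a reply to a permitted connection is allowed without
    a return rule, because the connection is tracked."""

    def __init__(self, rules):
        self.rules = rules
        self._tracked = set()

    def allows(self, pkt):
        reply_key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply_key in self._tracked:   # reply to a connection we let through
            return True
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.action == "allow":
                    self._tracked.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action == "allow"
        return False


def round_trip_allowed(fw, request, reply):
    """True only if both the request and its reply pass the filter."""
    return fw.allows(request) and fw.allows(reply)


WEB_TO_DB = Rule("allow", "web", "db", "tcp", (5432, 5432))
# Needed by the stateless ACL only: replies come back to an ephemeral client port.
EPHEMERAL_RETURN = Rule("allow", "db", "web", "tcp", (1024, 65535))

DB_QUERY = Packet("web", "db", "tcp", sport=49152, dport=5432)
DB_REPLY = Packet("db", "web", "tcp", sport=5432, dport=49152)
STRAY = Packet("other", "db", "tcp", sport=40000, dport=5432)


def security_group_round_trip():
    return round_trip_allowed(StatefulSecurityGroup([WEB_TO_DB]), DB_QUERY, DB_REPLY)  # True


def nacl_without_return_rule():
    return round_trip_allowed(StatelessAcl([WEB_TO_DB]), DB_QUERY, DB_REPLY)  # False, reply dropped


def nacl_with_return_rule():
    return round_trip_allowed(StatelessAcl([WEB_TO_DB, EPHEMERAL_RETURN]), DB_QUERY, DB_REPLY)  # True


def security_group_default_deny():
    return StatefulSecurityGroup([WEB_TO_DB]).allows(STRAY)  # False: no rule, so implicit deny
```

The return rule the stateless ACL needs has to admit the whole ephemeral port range from the database tier back to the web tier, which is exactly the extra, broader rule (and administrative overhead) the question is steering away from.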

26
Multi-Selecteasy

A company is implementing a software-defined perimeter (SDP) architecture. Which TWO of the following are key characteristics of SDP? (Select TWO.)

Select 2 answers
A.Network segmentation is implemented via VLANs
B.The infrastructure is invisible to unauthorized users
C.Peering between SDP components is done via BGP
D.All communications are encrypted using public key cryptography
E.Device authentication is required before granting network access
AnswersB, E

SDP uses a black cloud model, hiding assets until authentication.

Why this answer

SDP hides infrastructure from unauthorized users (B) and enforces device authentication before granting access (E). Option D is wrong because SDP does not inherently use public key cryptography; it can use various authentication methods. Option C is wrong because SDP uses a controller, not BGP peering.

Option A is wrong because SDP is not based on VLANs.

27
MCQmedium

A security architect is evaluating a hardware security module (HSM) for key management. Which of the following is a PRIMARY benefit of using an HSM over software-based key storage?

A.Easier key rotation
B.Integration with cloud APIs
C.Tamper-resistant physical protection of keys
D.Lower cost
AnswerC

HSMs are designed to protect keys against physical tampering.

Why this answer

HSMs provide tamper-resistant physical protection for cryptographic keys, which is their primary advantage. They are typically more expensive, and key rotation may be more complex. Cloud integration is possible but not a primary benefit.

28
MCQeasy

A company wants to protect sensitive data stored in a public cloud bucket. Which of the following is the MOST effective control to prevent accidental public exposure?

A.Enable bucket logging
B.Implement lifecycle policies
C.Use server-side encryption
D.Apply resource-based policies with explicit deny for public access
AnswerD

Explicit deny prevents any public access, even if other permissions accidentally allow it.

Why this answer

Applying resource-based policies with an explicit deny for public access directly prevents public exposure. Bucket logging, encryption, and lifecycle policies are important but do not prevent accidental exposure.
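Question 21's policy (a `"Principal": "*"` Allow gated only by a `10.0.0.0/8` source condition) and this question's explicit-deny control are two sides of one evaluation rule: a matching Deny overrides every Allow. The added Python model below (not the real IAM engine, and not part of the question bank) walks a policy document with and without the guard statement. The bucket name and IP condition are taken from question 21; the account id is a placeholder; `aws:SourceIp` and `aws:PrincipalAccount` are real condition keys, but only the three operators used here are modelled.

```python
"""Model of resource-policy evaluation: an explicit Deny overrides any Allow.

Added example (not from the question bank, and not the real IAM engine): a
simplified evaluator over constructed policy documents. The bucket name and
the 10.0.0.0/8 condition mirror the flawed policy in question 21; the account
id is a placeholder.
"""
import fnmatch
import ipaddress

ACCOUNT = "111122223333"                          # placeholder account id
BUCKET_ARN = "arn:aws:s3:::my-sensitive-bucket"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(spec, ctx):
    if spec == "*":                               # anonymous and authenticated alike
        return True
    allowed = _as_list(spec.get("AWS", []))
    return "*" in allowed or ctx.get("principalArn") in allowed


def _glob_matches(spec, value):
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(spec))


def _condition_matches(condition, ctx):
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "IpAddress":
                if actual is None or not any(
                        ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                        for cidr in _as_list(wanted)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                # negated operator: a missing key (anonymous caller) still matches
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, ctx):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], ctx)
                and _glob_matches(stmt["Action"], action)
                and _glob_matches(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition"), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"                 # a matching Deny is final
        decision = "Allow"
    return decision


# The flawed statement: any principal, gated only by a spoofable private range.
FLAWED_ALLOW = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": BUCKET_ARN + "/*",
                "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}

# The guard from question 28: deny every principal outside the owning account.
DENY_PUBLIC = {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
               "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
               "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ACCOUNT}}}

FLAWED_POLICY = {"Version": "2012-10-17", "Statement": [FLAWED_ALLOW]}
GUARDED_POLICY = {"Version": "2012-10-17", "Statement": [FLAWED_ALLOW, DENY_PUBLIC]}

OBJECT_ARN = BUCKET_ARN + "/report.csv"
ANONYMOUS_INTERNAL = {"aws:SourceIp": "10.1.2.3"}              # unauthenticated, on 10/8
ACCOUNT_USER = {"aws:SourceIp": "10.1.2.3", "aws:PrincipalAccount": ACCOUNT,
                "principalArn": f"arn:aws:iam::{ACCOUNT}:user/analyst"}


def anonymous_read_flawed():
    return evaluate(FLAWED_POLICY, "s3:GetObject", OBJECT_ARN, ANONYMOUS_INTERNAL)   # Allow


def anonymous_read_guarded():
    return evaluate(GUARDED_POLICY, "s3:GetObject", OBJECT_ARN, ANONYMOUS_INTERNAL)  # ExplicitDeny


def account_user_read_guarded():
    return evaluate(GUARDED_POLICY, "s3:GetObject", OBJECT_ARN, ACCOUNT_USER)        # Allow
```

The ordering of the statements does not matter: the Deny is checked on every request and wins as soon as it matches, which is why an explicit deny is the control that survives someone later adding an accidental Allow.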

29
MCQeasy

A security architect is designing a secure remote access solution for employees using personal devices (BYOD). The company requires that corporate data is separated from personal data and can be wiped remotely without affecting personal data. Which solution best meets these requirements?

A.Deploy a virtual desktop infrastructure (VDI) solution
B.Provide a full VPN client and remote wipe capability
C.Implement mobile device management (MDM) with containerization
D.Require employees to use company-owned devices only
AnswerC

MDM containerization isolates corporate data and allows selective wipe.

Why this answer

Containerization using MDM profiles creates a separate, encrypted workspace for corporate apps and data, allowing selective wipe. Full VPN gives access but not separation. Full device wipe is too aggressive.

VDI requires constant connectivity and may not support offline work.

30
MCQhard

A security architect at a financial institution is designing a cloud-native application using AWS. The application processes sensitive customer data and must comply with PCI DSS. Which of the following security architecture decisions best supports both compliance and operational efficiency?

A.Place all application resources in a VPC with no internet gateway and use VPC endpoints for AWS services
B.Use a cloud-based web application firewall (WAF) and enable logging for all API calls
C.Deploy the application on a single tenant dedicated instance and rely on the cloud provider's compliance certifications
D.Implement a cloud access security broker (CASB) and use customer-managed encryption keys (CMKs) for data at rest
AnswerD

CASB provides visibility and policy enforcement; CMKs meet PCI DSS encryption requirements.

Why this answer

Using a CASB provides visibility and control over cloud traffic, and encryption with customer-managed keys satisfies PCI DSS requirements. Option C is wrong because relying solely on the provider's certifications ignores the customer's own cloud risks, which is not acceptable. Option B is wrong because a cloud-based WAF is not specifically a data protection compliance control.

Option A is wrong because VPC endpoints reduce exposure but do not address data protection requirements directly.

31
MCQeasy

During a security assessment, it is discovered that an organization's DMZ hosts can initiate outbound connections to the internal network. Which architectural change would best mitigate the risk of a DMZ compromise spreading to the internal network?

A.Allow only specific IPs in the DMZ to connect to internal servers
B.Replace the DMZ firewall with a next-generation firewall that includes IPS
C.Configure the DMZ firewall to block all outbound connections from DMZ to the internal network, and use a reverse proxy for inbound services
D.Move all DMZ services to a cloud provider and use a site-to-site VPN
AnswerC

This ensures that DMZ hosts cannot be used as a pivot point into the internal network.

Why this answer

Using a reverse proxy for inbound traffic and preventing DMZ hosts from initiating connections to internal networks enforces a trust direction. Option A is wrong because a stateful firewall alone does not enforce directionality if rules allow outbound from DMZ. Option B is wrong because DMZ hosts should not initiate internal connections.

Option D is wrong because a VPN does not prevent DMZ-to-internal traffic.

32
MCQmedium

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

A.Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.
B.Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.
C.Deploy a RDP gateway with certificate authentication and restrict access via group policies.
D.Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.
AnswerD

IPsec provides network-layer access; RADIUS can enforce subnet restrictions based on the user's role.

Why this answer

Option D is correct because an IPsec VPN with certificate-based authentication satisfies the requirement for encrypted, integrity-protected connections using the company's internal PKI. Integrating with a RADIUS server enables role-based IP access control, allowing the VPN gateway to restrict access to specific internal subnets based on the user's role, which aligns with the need for IP-based network access control.

Exam trap

The trap here is that candidates often choose SSL/TLS VPN (Option B) because it is commonly associated with certificate authentication, but they overlook the critical requirement for IP-based network access control enforced by the server, not the client.

How to eliminate wrong answers

Option A is wrong because SSH tunneling provides only application-layer port forwarding, not full IP-based network access control, and iptables rules on a bastion host cannot dynamically enforce role-based subnet restrictions per user. Option B is wrong because relying on the VPN client to enforce access policies is a security flaw; policy enforcement must occur on the gateway, not the client, which can be compromised or misconfigured. Option C is wrong because an RDP gateway is designed for remote desktop sessions, not general IP-based network access, and group policies do not provide the granular role-based subnet restrictions required for a global workforce.

33
MCQeasy

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?

A.WPA2-Personal
B.WEP
C.WPA3-Enterprise
D.WPA2-Enterprise
AnswerD

WPA2-Enterprise with AES-CCMP and 802.1X meets all requirements.

Why this answer

WPA2-Enterprise (D) is the correct choice because it supports AES-CCMP encryption and 802.1X authentication with EAP-TLS. WPA2-Enterprise uses a RADIUS server for centralized authentication, allowing per-user credentials via EAP methods, and mandates CCMP (AES-based) for data confidentiality and integrity, meeting all stated security policy requirements.

Exam trap

The trap here is that candidates often confuse WPA3-Enterprise with WPA2-Enterprise, assuming newer is always better, but the question explicitly requires AES-CCMP and 802.1X with EAP-TLS, which are core to WPA2-Enterprise, while WPA3-Enterprise introduces optional stronger ciphers (GCMP-256) and a different handshake (SAE), making it not the direct match for the given requirements.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a pre-shared key (PSK) for authentication, not 802.1X with EAP-TLS, and thus cannot meet the enterprise authentication requirement. Option B is wrong because WEP uses RC4 encryption with weak IVs and does not support AES-CCMP or 802.1X authentication; it is deprecated and insecure. Option C is wrong because WPA3-Enterprise, while it supports 802.1X and AES-CCMP (via GCMP-256 in some modes), is not the standard that matches the explicit requirement for AES-CCMP and 802.1X with EAP-TLS; WPA2-Enterprise is the established standard for these specific protocols, and WPA3 introduces SAE handshake and optional GCMP-256, which are not mandated here.

34
MCQmedium

A security architect is reviewing the architecture of a critical web application that handles sensitive financial transactions. The application is deployed across three tiers: a web server, an application server, and a database server. The application is protected by a web application firewall (WAF) and a network-based intrusion detection system (IDS). Recent penetration testing identified a SQL injection vulnerability in the application's search feature. The architect needs to propose a remediation that minimizes performance impact and maintains defense in depth. The development team is slow to fix code due to legacy dependencies. What should the security architect recommend as the MOST effective immediate control?

A.Disable the search feature until the code is fixed.
B.Isolate the database server on a separate network segment with strict firewall rules.
C.Add a WAF rule to block common SQL injection payloads and signatures.
D.Increase the IDS sensitivity to detect SQL injection attempts and automatically block them.
AnswerC

A WAF can provide virtual patching to mitigate the vulnerability until code fix is deployed.

Why this answer

Implementing parameterized queries in the application code is the most effective long-term fix, but since the development team is slow, the best immediate control is to add a WAF rule (C) to block SQL injection patterns. Option A (Disable the search feature) is too disruptive. Option D (Increase IDS sensitivity) would only detect, not prevent.

Option B (Isolate the database server) is good practice but does not address the vulnerability at the application layer.
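To make the "virtual patch versus code fix" point concrete, here is an added Python example (not part of the question bank or of any product): the legacy search that splices input into SQL, the parameterized version that fixes it, and a signature filter standing in for the WAF rule. The accounts table, search terms and signature list are constructed for illustration.

```python
"""The vulnerable search beside its parameterized fix, with a signature rule
standing in for the WAF's virtual patch.

Added example (not from the question bank): the accounts table, the search
terms and the signatures are constructed for illustration.
"""
import re
import sqlite3


def _accounts_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, holder TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 40.5), (3, "carol", 9000.0)])
    return conn


def search_vulnerable(term):
    """The legacy code path: user input is spliced into the SQL text."""
    sql = f"SELECT holder FROM accounts WHERE holder = '{term}'"
    return [row[0] for row in _accounts_db().execute(sql)]


def search_parameterized(term):
    """The code fix: the driver binds the value, so input cannot change the query."""
    rows = _accounts_db().execute("SELECT holder FROM accounts WHERE holder = ?", (term,))
    return [row[0] for row in rows]


# Illustrative signatures only. Pattern lists like this are what a WAF rule
# matches on; they buy time but can be evaded, which is why the parameterized
# query remains the real remediation.
SQLI_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s*'[^']*'\s*=\s*'",      # tautology such as ' OR '1'='1
    r"\bunion\s+select\b",
    r";\s*drop\s+table\b",
    r"--\s*$",                        # trailing comment that truncates the query
)]


def waf_blocks(term):
    return any(sig.search(term) for sig in SQLI_SIGNATURES)


def search_behind_waf(term):
    """Virtual patch: the request is rejected before it reaches the legacy code."""
    if waf_blocks(term):
        return None
    return search_vulnerable(term)
```

Run against the tautology input, the vulnerable path returns every account holder, the parameterized path returns nothing, and the filtered path never reaches the query. The filter changes nothing in the application, which is both its strength (deployable today) and its limit (the defect is still there behind it).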

35
MCQhard

A SOC analyst discovers unusual outbound traffic from a host in the production DMZ to an unknown IP address on the internet. The traffic consists of encrypted connections (HTTPS) to a domain that was registered three days ago. The host is a web server that has been fully patched and is configured with a default deny egress firewall policy, but this particular traffic is being allowed because a recently added rule permits outbound HTTPS to any destination for a specific application's updates. The security architect is called in to investigate and must determine the best course of action to identify the scope of the potential compromise and prevent further data exfiltration. The architect has access to network flow data, endpoint detection and response (EDR) telemetry, and firewall logs. What should the security architect do FIRST?

A.Enable full SSL inspection on the firewall to decrypt the traffic and analyze the contents.
B.Use EDR to identify the process or service generating the outbound connections on the web server.
C.Isolate the web server from the network to prevent further data exfiltration.
D.Immediately remove the outbound HTTPS rule to block the traffic.
AnswerB

EDR can pinpoint the root cause (e.g., a webshell or backdoor) for further investigation.

Why this answer

Option B (Use EDR to identify the process making the outbound connections) is the best first step because it provides visibility into the exact source of the traffic. Option D (Remove the outbound HTTPS rule immediately) may disrupt legitimate traffic and does not help identify the scope. Option A (Enable full SSL inspection on the firewall) is resource-intensive and can be deployed later.

Option C (Isolate the host from the network) is a containment step but should follow identification to ensure proper forensic collection.

36
MCQhard

An organization is migrating to a zero-trust architecture. Which of the following components is CRITICAL for enforcing policy decisions based on user identity, device health, and context?

A.Intrusion prevention system (IPS)
B.Web application firewall (WAF)
C.Policy enforcement point (PEP)
D.Network access control (NAC)
AnswerC

PEP is the decision point that enforces access policies based on identity and context.

Why this answer

The Policy Enforcement Point (PEP) is the component that makes access decisions in a zero-trust architecture, often integrating with a policy engine. NAC, WAF, and IPS are related but not the core enforcement component in zero-trust.

37
MCQhard

An organization's containerized application is deployed on Kubernetes. The security team wants to enforce that containers run with the least privilege and cannot access the host file system. Which Kubernetes security mechanism should be configured?

A.Secrets management with Vault
B.Role-based access control (RBAC) for service accounts
C.Network policies to restrict egress traffic
D.Pod Security Policy (PSP) with readOnlyRootFilesystem and runAsNonRoot
AnswerD

PSP enforces security contexts; readOnlyRootFilesystem prevents writes to host file system.

Why this answer

Pod Security Policies (now deprecated, but still valid in a CASP context) or Pod Security Standards control security contexts; readOnlyRootFilesystem and runAsNonRoot directly address the requirement. Option C is wrong because network policies control traffic, not the file system. Option A is wrong because secrets management does not enforce file system restrictions.

Option B is wrong because RBAC controls API access, not container runtime privileges.
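The settings named in question 23 (read-only file system, drop all capabilities) and here (readOnlyRootFilesystem, runAsNonRoot, no host file system access) are all expressed in the pod manifest, so they can be audited mechanically. The following Python checker is an added example of the kind of gate that runs in CI or an admission webhook; it is not the Pod Security Admission controller and not part of the question bank. Both manifests are constructed: one legacy pod that fails every check and one hardened pod that passes.

```python
"""Audit a Kubernetes pod manifest for the least-privilege settings named above.

Added example (not from the question bank, and not the Pod Security Admission
controller itself). Both manifests are constructed.
"""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_container(container, pod_sc):
    """Return findings for one container. Pod-level securityContext fields
    (e.g. runAsNonRoot) apply unless the container overrides them."""
    sc = {**pod_sc, **container.get("securityContext", {})}
    name = container.get("name", "<unnamed>")
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container has full host access")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot is not set")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    if sc.get("allowPrivilegeEscalation", True):   # defaults to true when omitted
        findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: capabilities are not dropped (expected drop: [ALL])")
    for cap in caps.get("add", []):
        if cap in DANGEROUS_CAPS:
            findings.append(f"{name}: adds dangerous capability {cap}")
    return findings


def audit_pod(pod):
    """Return all findings; an empty list means the pod passes."""
    spec = pod["spec"]
    findings = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"pod shares the host namespace via {ns}")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:           # direct access to the node's file system
            findings.append(f"volume {vol['name']} mounts host path {vol['hostPath']['path']}")
    pod_sc = spec.get("securityContext", {})
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(audit_container(container, pod_sc))
    return findings


# Constructed legacy pod: privileged, root, writable, with the node's root mounted.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-app"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "legacy-app:1.0",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed hardened pod: non-root, read-only root fs, all capabilities dropped,
# with a scratch emptyDir for the paths that genuinely need writes.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "app:1.0",
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}
```

`audit_pod(HARDENED_POD)` returns no findings, while the legacy pod produces seven. The emptyDir mount is the usual companion to readOnlyRootFilesystem: it keeps the image immutable while still giving the process a writable scratch path.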

38
Multi-Selecthard

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Select 3 answers
A.Deploy a TLS termination gateway (e.g., NGINX ingress) with certificate management.
B.Use Kubernetes Secrets mounted as volumes with integration to an external vault.
C.Apply Kubernetes network policies to restrict pod-to-pod communication.
D.Implement a service mesh such as Istio to handle mTLS between pods.
E.Configure RPM package signing for all container images.
AnswersA, B, D

Terminates external TLS and can re-encrypt internally; manages certificates for external-facing services.

Why this answer

Option A is correct because a TLS termination gateway (e.g., NGINX ingress) with certificate management provides encryption of data in transit between external clients and the Kubernetes cluster, fulfilling the requirement for encryption of data in transit at the edge. It terminates TLS at the ingress point, allowing secure HTTPS connections and centralized certificate lifecycle management.

Exam trap

Cisco often tests the distinction between network segmentation (network policies) and cryptographic controls (mTLS, TLS), leading candidates to mistakenly choose network policies as a solution for encryption or authentication.

39
Drag & Dropmedium

Drag and drop the steps to configure a RADIUS server for 802.1X authentication into the correct order.


Why this order

RADIUS setup: install NPS, register in AD, add RADIUS client, configure connection policy, then network policy.

40
Multi-Selecteasy

A security architect is reviewing firewall rules for a new application tier. Which TWO of the following principles should be applied when designing the firewall policy? (Choose two.)

Select 2 answers
A.Log all denied traffic
B.Use static IP addresses for all servers
C.Implement stateful packet inspection
D.Default allow all traffic
E.Allow only necessary ports and protocols
AnswersC, E

Stateful inspection allows rules based on connection state, improving security.

Why this answer

Allowing only necessary ports and protocols (E) implements least privilege, and stateful packet inspection (C) enables filtering based on connection state. Default allow (D) is insecure, static IPs (B) are not a security principle, and logging denied traffic (A) is an operational practice, not a design principle.

41
MCQmedium

Refer to the exhibit. A security analyst notices that traffic from external clients to the web server at 10.0.0.10 port 80 is being blocked. Which of the following is the MOST likely cause?

A.The ACL lacks a log statement
B.The ACL is misordered (deny before permit)
C.The web server is using port 443
D.The destination IP is incorrect
AnswerB

The deny all rule (line 1) blocks all traffic before the permit rule is evaluated.

Why this answer

The ACL is processed top-down. The 'deny ip any any' rule matches all traffic before the permit rule, so all traffic is blocked. Misordering is the cause.

The web server using HTTPS (443) is possible but not indicated, and the destination IP appears correct. Lack of logging is not the cause.

42
MCQhard

An organization uses a multi-cloud strategy with workloads in AWS and Azure. The security architect needs to implement a single identity provider for all cloud resources while maintaining on-premises Active Directory as the authoritative source. Which architecture minimizes latency and complexity?

A.Use a third-party cloud-based identity provider and sync AD to it
B.Synchronize AD to Azure AD and then use Azure AD as an identity source for AWS via SAML
C.Create separate identity stores in AWS and Azure and sync from AD
D.Federate on-premises AD directly with both AWS and Azure using ADFS
AnswerD

ADFS can federate with both clouds using SAML, minimizing synchronization and complexity.

Why this answer

Using Azure AD Connect for Azure and AWS SSO with SAML federation from on-premises AD centralizes identity without synchronizing to two clouds separately. Direct federation from on-prem to each cloud is acceptable but using separate identity sources increases complexity. A third-party IdP could work but adds cost.

43
MCQmedium

A company is implementing a zero-trust network architecture. Which of the following components is essential for enforcing micro-segmentation?

A.Security information and event management (SIEM) system
B.Software-defined networking (SDN) with distributed firewalls
C.Multi-factor authentication (MFA)
D.Network access control (NAC)
AnswerB

SDN allows granular, policy-driven segmentation at the virtual network level.

Why this answer

Micro-segmentation divides the network into small zones, each with its own security controls. Software-defined networking (SDN) with distributed firewalls (B) enables dynamic policy enforcement at the hypervisor level. Option D is wrong because NAC controls admission to the network but not segmentation.

Option C is wrong because MFA is an authentication mechanism. Option A is wrong because a SIEM correlates logs but does not enforce policies.

44
MCQeasy

A company is deploying a new cloud-based application that processes sensitive customer data. The security architect has proposed a zero-trust architecture to secure remote access. The architecture includes identity-aware proxies, microsegmentation, and continuous monitoring. During the transition, several remote users report being unable to access the application. The security architect verifies that the identity-aware proxy is correctly configured and that users are authenticated via SSO. However, access attempts are still failing. The architect suspects that the issue may be related to the microsegmentation rules. What should the security architect do FIRST to resolve the problem?

A.Deploy a VPN to provide a secure tunnel for remote users.
B.Reset the affected users' credentials and force them to re-authenticate.
C.Review the microsegmentation firewall rules to ensure that traffic to the application's subnet is permitted.
D.Increase logging verbosity on the identity-aware proxy to capture more details.
AnswerC

The architect suspects microsegmentation; reviewing rules is the logical first step.

Why this answer

Option C (Review the microsegmentation firewall rules for the application's subnet) is the most direct step because the architect already suspects those rules are blocking traffic. Option A (Deploy a VPN) would bypass zero-trust principles. Option D (Increase log verbosity) is a diagnostic step but not the first action.

Option B (Reset user credentials) is unrelated to the issue, since users are already authenticating successfully via SSO.

45
Multi-Selecteasy

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. Which TWO principles should be implemented to enforce the "never trust, always verify" model?

Select 2 answers
A.Micro-segmentation between workloads
B.Trust based on network location
C.Implicit trust for internal IP ranges
D.Continuous authentication and authorization for every request
E.Use of a single VPN for all remote access
AnswersA, D

Micro-segmentation enforces least privilege.

Why this answer

Micro-segmentation (A) and continuous authentication and authorization (D) are core zero-trust principles. Options B and C rely on implicit trust based on network location, which violates zero trust. Option E is a technology, not a principle.

46
MCQhard

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

A.Escrow the encryption key with a third-party and rely on legal agreements for revocation
B.Use the provider's default encryption with a customer-managed key stored in the provider's KMS
C.Use a cloud hardware security module (HSM) to generate and store keys
D.Implement bring-your-own-key (BYOK) with keys stored in a customer-controlled external KMS
AnswerD

BYOK with external KMS gives the customer full control to revoke access immediately.

Why this answer

Option D is correct because BYOK with keys stored in a customer-controlled external KMS ensures the organization retains full control over encryption keys, enabling immediate revocation of access to data at rest if the SaaS provider is compromised. This aligns with the shared responsibility model where the customer manages keys, and external KMS decouples key management from the provider's infrastructure, preventing the provider from accessing data after key revocation.

Exam trap

Cisco often tests the misconception that using a provider's KMS or HSM (even with customer-managed keys) provides sufficient separation, but the trap is that any key stored within the provider's boundary can be accessed by the provider if their security is breached, whereas BYOK with an external KMS ensures true customer-only control.

How to eliminate wrong answers

Option A is wrong because escrowing keys with a third-party and relying on legal agreements introduces latency and lacks technical immediacy for revocation; legal processes cannot guarantee instant access removal during a breach. Option B is wrong because storing a customer-managed key in the provider's KMS still places the key under the provider's control, as the provider's KMS is part of their trusted environment, allowing potential access if the provider is compromised. Option C is wrong because using a cloud HSM within the provider's ecosystem still ties key management to the provider's infrastructure; while HSMs offer hardware security, the provider retains administrative access to the HSM service, undermining customer-only revocation capability.

47
Multi-Selectmedium

A security architect is designing a network segmentation strategy for a data center to reduce the attack surface. Which TWO of the following are best practices for implementing effective network segmentation?

Select 2 answers
A.Deploy network access control (NAC) to authenticate devices before granting network access.
B.Place all external-facing services in a single shared DMZ segment.
C.Allow any-to-any communication within each security zone to avoid performance bottlenecks.
D.Use VLANs to logically isolate traffic between different security zones.
E.Implement microsegmentation using host-based firewalls or virtual networking to restrict east-west traffic.
AnswersD, E

VLANs provide Layer 2 isolation, which is a fundamental segmentation technique.

Why this answer

Option D (Use VLANs for isolation) is correct because VLANs provide logical separation at Layer 2. Option E (Implement microsegmentation with host-based firewalls or virtual networking) is correct because microsegmentation uses granular rules to restrict east-west traffic between workloads. Option B is incorrect because a shared DMZ for all external services increases risk.

Option A is incorrect because NAC focuses on device authentication, not segmentation. Option C is incorrect because any-to-any traffic defeats the purpose of segmentation.

48
MCQeasy

A company is implementing a microservices architecture and needs to ensure secure service-to-service communication. Which of the following BEST describes the recommended approach?

A.Basic HTTP authentication
B.Mutual TLS (mTLS) with certificate authentication
C.IP whitelisting
D.Shared API keys
AnswerB

mTLS provides mutual authentication and encryption, ideal for microservices.

Why this answer

Mutual TLS (mTLS) provides mutual authentication and encryption, making it the most secure and scalable option for microservices. Shared API keys are less secure, IP whitelisting is not scalable, and basic HTTP authentication lacks encryption.

49
MCQhard

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

A.The HTTPS rule is overriding the SSH rule.
B.The SSH service is being blocked by a firewall rule that drops TCP port 22 traffic.
C.The SSH service is only allowed from the 10.0.0.0/8 subnet.
D.The SSH service is misconfigured and not listening on the correct interface.
AnswerB

The DROP rule for tcp dpt:22 is blocking SSH.

Why this answer

The exhibit shows a firewall rule that explicitly drops TCP port 22 traffic, which is the default port for SSH. Since HTTP (port 80) and HTTPS (port 443) are unaffected, the issue is isolated to SSH. This rule is the most direct cause of the connection failures, as it blocks all SSH traffic regardless of source or destination.

Exam trap

The trap here is that candidates may assume SSH is failing due to a service misconfiguration (Option D) or an overly restrictive allow rule (Option C), but the exhibit clearly shows a specific drop rule for port 22, which is the definitive cause.

How to eliminate wrong answers

Option A is wrong because HTTPS (port 443) and SSH (port 22) are different protocols and ports; firewall rules are evaluated in order, and unless the HTTPS rule explicitly matches SSH traffic (which it does not), it cannot override the SSH rule. Option C is wrong because the exhibit does not show any source subnet restriction for SSH; the rule simply drops all TCP port 22 traffic without any allow condition for 10.0.0.0/8. Option D is wrong because if the SSH service were misconfigured to listen on the wrong interface, the failure would be at the application layer, but the firewall rule explicitly drops the traffic before it reaches the SSH daemon, making a misconfiguration irrelevant to the observed symptom.

50
MCQmedium

During a merger, two companies need to integrate their networks securely. Company A uses RFC 1918 addresses (10.0.0.0/8) and Company B also uses 10.0.0.0/8. Which architectural solution prevents routing conflicts and maintains security?

A.Configure a site-to-site VPN with no address translation
B.Enable direct BGP peering between the two networks
C.Implement a firewall between the networks and allow all traffic
D.Deploy network address translation (NAT) on the border routers to translate one company's addresses to a unique range
AnswerD

NAT resolves IP overlap and allows secure communication.

Why this answer

NAT at the boundary translates one company's overlapping 10.0.0.0/8 space into a unique range, so routers on both sides see distinct prefixes and traffic is routed without ambiguity; the firewall policy between the companies is then written against the translated range. Option A is wrong because a VPN without address translation delivers overlapping prefixes into both routing tables, so traffic is either dropped or forwarded to the wrong host. Option B is wrong because BGP cannot carry the same 10.0.0.0/8 prefix from two sites as two different networks; without NAT the routes simply conflict.

Option C is wrong because a firewall that allows all traffic neither resolves the IP overlap nor provides any security.

51
MCQmedium

A company is adopting a DevOps model and wants to integrate security into CI/CD pipelines. Which of the following is the MOST effective approach?

A.Annual vulnerability scans
B.Post-deployment security testing
C.Manual security reviews before each release
D.Automated security scanning in the pipeline with fail-fast
AnswerD

Automation with fail-fast provides immediate feedback and prevents vulnerable code from progressing.

Why this answer

Automated security scanning with fail-fast ensures that vulnerabilities are caught early in the pipeline, aligning with DevOps speed. Manual reviews, annual scans, and post-deployment testing are too slow or reactive.

52
Matchingmedium

Match each error code or HTTP status code to its meaning.

401 Unauthorized: the request carries no valid authentication credentials for the target resource, or the credentials were rejected.

403 Forbidden: the server understood the request and knows who the client is, but the client is not authorized to access the resource.

404 Not Found: the server cannot find the requested resource.

500 Internal Server Error: the server hit an unexpected condition that prevented it from fulfilling the request.

502 Bad Gateway: a server acting as a gateway or reverse proxy received an invalid response from the upstream server.

Why these pairings

The 401 versus 403 distinction is the one that matters in access-control reviews: 401 means the request was not authenticated, 403 means authentication succeeded but authorization failed. A 502 points at the reverse proxy or load balancer tier rather than the application, and a burst of 500 responses in reaction to unusual input is a common symptom of injection or fuzzing attempts worth correlating in the logs.

53
MCQhard

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A.It provides deep packet inspection to detect malicious traffic.
B.It enforces multi-factor authentication for every session.
C.It reduces latency by establishing direct peer-to-peer connections.
D.It prevents unauthorized users from discovering the application infrastructure.
AnswerD

SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

Why this answer

In a zero trust architecture, the primary security benefit of a software-defined perimeter (SDP) over a traditional VPN is that it hides the application infrastructure from unauthorized users. SDP uses a controller-based model where devices must authenticate and be authorized before they can even see the application servers, effectively creating a 'black cloud' that prevents discovery and reduces the attack surface. This aligns with the zero trust principle of 'never trust, always verify' and eliminates the network-level visibility that VPNs inherently provide to any connected client.

Exam trap

The trap here is that candidates confuse the 'direct' connection behavior of some SDP implementations with a security benefit, when in fact the core advantage is hiding infrastructure from unauthorized users, not reducing latency or enabling peer-to-peer connections.

How to eliminate wrong answers

Option A is wrong because deep packet inspection is a feature of next-generation firewalls or intrusion prevention systems, not a core or defining benefit of SDP; SDP focuses on access control and visibility hiding, not traffic inspection. Option B is wrong because multi-factor authentication is a common requirement in both SDP and modern VPN solutions; it is not unique to SDP and does not represent the primary security benefit over VPN. Option C is wrong because SDP typically uses a controller to broker connections and often routes traffic through a gateway or proxy, not direct peer-to-peer connections; reducing latency is not a primary security benefit, and direct connections can actually introduce security risks in a zero trust model.

54
MCQeasy

A network architect is designing a DMZ for a web application. Which of the following is the MOST appropriate placement for a reverse proxy?

A.In the management network
B.In the DMZ
C.In the database tier
D.Inside the internal network
AnswerB

The DMZ is the appropriate security zone for externally facing services.

Why this answer

A reverse proxy should be placed in the DMZ to handle external requests and provide an additional layer of security by buffering the internal web servers. Placing it inside the internal network, database tier, or management network would defeat its purpose.

55
MCQmedium

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

A.Use stored procedures exclusively for database access.
B.Deploy a web application firewall (WAF) with SQL injection rules.
C.Use parameterized queries or prepared statements for all database interactions.
D.Implement client-side input validation and sanitize all user input.
AnswerC

Parameterized queries ensure data is treated as data, effectively preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) are the most effective defense against SQL injection because they separate SQL logic from user-supplied data at the database driver level. This ensures that user input is always treated as a literal value, never as executable SQL code, regardless of any malicious content. This approach directly prevents the attacker from altering the query structure, which is the root cause of SQL injection.

Exam trap

The trap here is that candidates often choose stored procedures (Option A) thinking they are inherently safe, but Cisco tests the nuance that stored procedures are only safe if they use parameterized queries internally, not if they concatenate input into dynamic SQL.

How to eliminate wrong answers

Option A is wrong because stored procedures alone do not prevent SQL injection if they are called with dynamically concatenated SQL strings or if the stored procedure itself uses dynamic SQL without parameterization. Option B is wrong because a WAF is a reactive, signature-based defense that can be bypassed with encoding variations or novel attack patterns; it does not fix the underlying vulnerability in the application code. Option D is wrong because client-side validation is easily bypassed (e.g., by disabling JavaScript or using tools like Burp Suite), and server-side sanitization is error-prone and often insufficient against all injection vectors.
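As an added example (not part of the question bank), the vulnerable and the parameterized form of a login query side by side, run against an in-memory SQLite database with constructed rows. The two payloads are the classic comment and tautology injections; the concatenated query accepts both, the prepared statement rejects both:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration. Passwords are stored in
    # clear here only to keep the example short; a real system stores a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: the input is spliced into the SQL text, so a
    # quote character in the input changes the structure of the statement.
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized: the statement text is fixed and the values travel
    # separately to the engine, which binds them as data. Nothing the user
    # types can add or remove SQL tokens.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Constructed attack inputs: the first comments out the password check,
# the second turns the WHERE clause into a tautology.
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

def demo() -> dict:
    """Run valid credentials and both payloads through each login function."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_safe": login_safe(conn, "alice", "correct-horse"),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "tautology_safe": login_safe(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

The same rule applies to stored procedures: a procedure called with bound parameters is safe, a procedure that builds dynamic SQL from its arguments with string concatenation is exactly `login_vulnerable` moved to the database side.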

56
Multi-Selectmedium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Select 2 answers
A.Enable SQL injection signature rules.
B.Enable input validation for all query parameters.
C.Enable rate limiting on login endpoints.
D.Enable IP reputation blocking.
E.Enable SSL/TLS inspection for all traffic.
AnswersA, B

Signature rules detect known SQL injection patterns.

Why this answer

Option A is correct because enabling SQL injection signature rules allows the WAF to inspect HTTP requests for known SQL injection patterns, such as UNION ... SELECT, OR 1=1, or comment sequences like '--', using a predefined rule set; the matching has to run on the decoded and normalized request, otherwise trivial encoding or case changes slip past. Option B is correct because input validation for all query parameters lets the WAF reject requests whose parameters do not match the expected type or format before they reach the application, preventing malicious SQL syntax from being interpreted by the database. Together these give signature-based detection plus allow-list prevention at the edge; both are compensating controls, and the application still needs parameterized queries as the root fix.

Exam trap

The trap here is that candidates often confuse rate limiting or IP reputation as general security measures that would stop SQL injection, but these controls address different attack vectors (DoS and network-layer filtering) and do not inspect the content of requests for malicious SQL syntax.
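As an added example (not from the question bank), a toy version of the two WAF controls named above: a small signature set modelled on the patterns the explanation lists, applied after URL decoding and case folding, beside an allow-list validator for a numeric parameter. The request strings are constructed; the obfuscated one shows why a matcher that looks only at the raw request misses what a normalized one catches:

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Between SQL keywords an attacker can put whitespace or an inline comment
# (UNION/**/SELECT), so the signatures accept either.
_GAP = r"(?:\s|/\*.*?\*/)+"

# Constructed signature set modelled on the patterns the explanation names.
# A production rule set (for example the OWASP Core Rule Set) is far larger.
SIGNATURES = {
    "union-select": re.compile(rf"\bunion{_GAP}(?:all{_GAP})?select\b"),
    "tautology": re.compile(rf"\bor{_GAP}['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    "comment": re.compile(r"--|/\*"),
}

def naive_match(raw: str) -> bool:
    """A matcher that looks at the raw request string, case-sensitively.
    This is the kind of check an encoded or case-varied payload walks past."""
    return any(s in raw for s in ("UNION SELECT", "OR 1=1", "--"))

def normalize(raw: str) -> str:
    """Undo URL encoding until stable (defeats double encoding), lower-case,
    and collapse whitespace, so the signatures see what the database would."""
    decoded = raw
    for _ in range(3):
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    return re.sub(r"\s+", " ", decoded.lower())

def waf_flags(raw: str) -> list:
    """Names of the signature rules that fire on the normalized request."""
    text = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def validate_int_param(value: str, lo: int = 1, hi: int = 10**9) -> Optional[int]:
    """Positive (allow-list) validation for a numeric id parameter: either it is
    a bounded integer or it is rejected. Nothing is 'cleaned up' and passed on."""
    if not re.fullmatch(r"\d{1,10}", value):
        return None
    n = int(value)
    return n if lo <= n <= hi else None

# Constructed requests: a plain attack, the same attack obfuscated with mixed
# case and URL-encoded inline comments, a tautology, and a benign request.
PLAIN_ATTACK = "id=1 UNION SELECT username,password FROM users"
OBFUSCATED_ATTACK = "id=1%20UnIoN%2F%2A%2A%2FSeLeCt%20password%20FROM%20users"
TAUTOLOGY_ATTACK = "user=' OR '1'='1"
BENIGN = "id=42"

if __name__ == "__main__":
    for req in (PLAIN_ATTACK, OBFUSCATED_ATTACK, TAUTOLOGY_ATTACK, BENIGN):
        print(f"{req!r}: naive={naive_match(req)} normalized={waf_flags(req)}")
```

The encoded payload is the point of the exercise: the raw-string matcher returns False for it, the normalized matcher flags both the UNION/SELECT pair and the inline comment. It also shows the limit the question's Option B addresses: for a parameter that should only ever be an integer, `validate_int_param` rejects every payload here without needing a signature at all.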

57
MCQmedium

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

A.Deploy an SD-WAN with dynamic path selection and encryption for all inter-site traffic.
B.Implement micro-segmentation with stateful firewalls and explicit allow rules between each workload.
C.Use network ACLs on the cloud VPC and on-premises routers to deny all traffic by default, then allow required ports.
D.Deploy a site-to-site VPN and route all inter-component traffic through a VPN concentrator.
AnswerB

Micro-segmentation with explicit allow rules ensures only necessary traffic is permitted, adhering to least privilege.

Why this answer

Option B is correct because micro-segmentation with stateful firewalls and explicit allow rules enforces least privilege at the workload level, ensuring that only explicitly permitted inter-component traffic is allowed. This approach is fundamental to zero-trust architectures, as it reduces the attack surface by preventing lateral movement, even within the same subnet or VPC.

Exam trap

Cisco often tests the misconception that network-layer controls like ACLs or VPNs are sufficient for zero-trust least privilege, when in fact they lack the workload-level granularity and stateful enforcement required for true micro-segmentation.

How to eliminate wrong answers

Option A is wrong because SD-WAN with dynamic path selection and encryption focuses on optimizing and securing inter-site connectivity, not on granular per-workload access control; it does not enforce least privilege between individual components. Option C is wrong because network ACLs and on-premises routers operate at the subnet or network layer, not at the workload level, and they lack stateful inspection, making them insufficient for fine-grained, per-component allow rules required for zero-trust. Option D is wrong because a site-to-site VPN with a concentrator creates a tunnel for all inter-component traffic but does not provide per-workload segmentation or explicit allow rules; it merely encrypts traffic without controlling which specific components can communicate.

58
MCQmedium

An incident responder notices that a compromised host is sending encrypted C2 traffic over TCP port 443. The existing firewall rule allows outbound HTTPS (443) to any destination. Which change to the security architecture would best detect this behavior while minimizing impact on legitimate traffic?

A.Deploy a forward proxy with SSL/TLS inspection
B.Block outbound TCP 443 and require users to use a VPN
C.Enable logging on the firewall for all outbound 443 traffic
D.Install a network-based IDS on the internal side of the firewall
AnswerA

A proxy can decrypt, inspect, and re-encrypt traffic to detect malicious payloads.

Why this answer

A forward proxy with SSL/TLS inspection terminates the client's TLS session, inspects the decrypted content, and re-encrypts it toward the destination, so C2 payloads and patterns become visible while legitimate HTTPS keeps working. It requires the proxy's CA certificate to be trusted on managed endpoints, and traffic that uses certificate pinning (or malware that refuses the proxy's certificate) will fail or need an explicit exception policy, which is itself a useful signal. Option B is wrong because blocking all outbound 443 breaks ordinary web access. Option C is wrong because firewall logs record only connection metadata (source, destination, port, byte counts), not the encrypted content.

Option D is wrong because an IDS cannot inspect the payload of encrypted traffic without a decryption point in front of it.

59
MCQhard

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The primary data center is 50 miles away. The RPO is 1 minute, and RTO is 15 minutes. Which replication strategy best meets these requirements?

A.Log shipping with a 5-minute delay.
B.Synchronous replication over dedicated low-latency fiber links.
C.Scheduled snapshot-based replication every 30 minutes.
D.Asynchronous replication with continuous data protection.
AnswerB

Synchronous replication ensures zero data loss and can meet the required RPO and RTO if latency is low enough.

Why this answer

Synchronous replication acknowledges a write to the application only after it has been committed at both the primary and the secondary site, so the recovery point at the storage layer is effectively zero, comfortably inside the 1-minute RPO. Over 50 miles (about 80 km) of dedicated fiber the propagation round trip is roughly 1 ms, low enough that the added write latency is tolerable; that latency budget is exactly what confines synchronous replication to metro distances. Meeting the 15-minute RTO also depends on automated failover of the application tier, but a consistent, fully current replica is the prerequisite the replication strategy has to supply.

Exam trap

The trap here is that candidates often choose asynchronous replication (Option D) thinking 'continuous data protection' implies zero data loss. Asynchronous replication acknowledges writes before the secondary has received them, so whatever is in flight when the primary fails is lost; the replication lag, not the acknowledgment, is the exposure.

How to eliminate wrong answers

Option A is wrong because log shipping with a 5-minute delay introduces a recovery point of at least 5 minutes, exceeding the 1-minute RPO, and failover requires applying the shipped logs, which can push recovery past 15 minutes. Option C is wrong because snapshot-based replication every 30 minutes allows up to 30 minutes of data loss, far beyond the 1-minute RPO, and snapshots need additional recovery steps before the DR site can serve traffic. Option D is wrong because asynchronous replication with continuous data protection (CDP) may shrink the loss window to seconds but cannot guarantee it: writes are acknowledged before they reach the secondary, so in-flight data is lost on failure, and CDP recovery (choosing a consistent point in the journal and rolling forward) adds time that can threaten the 15-minute RTO.

60
MCQmedium

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

A.Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
B.Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
C.Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
D.Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.
AnswerD

This provides defense in depth; each tier is isolated, and only specific ports/protocols are allowed between them.

Why this answer

Option D is correct because it implements the principle of least privilege through network segmentation. By placing each service in its own DMZ subnet with firewall rules that allow only the required traffic (e.g., HTTP/HTTPS from web to API, SQL from API to database), the attack surface is minimized. This prevents lateral movement if one service is compromised, as an attacker cannot directly reach the database from the web server or the API gateway from the internet.

Exam trap

Exam writers often test the misconception that placing the database server on the internal network (Option C) is acceptable. In this question's DMZ design, any server that must be reached from a DMZ host stays in its own DMZ segment, so a compromised API gateway cannot be used as a pivot across the internal firewall into the corporate network.

How to eliminate wrong answers

Option A is wrong because placing all three services in the same subnet allows unrestricted lateral movement; host-based firewalls can be bypassed if the host is compromised, and this approach does not provide network-level isolation. Option B is wrong because placing the web server and API gateway in the same subnet still exposes the API gateway to direct attack from the web server if the web server is compromised, and the database subnet is not isolated from the API gateway with sufficient granularity. Option C is wrong because placing the database server on the internal network violates the DMZ principle; the API gateway must traverse the internal firewall to reach the database, which increases the attack surface and exposes internal resources to DMZ traffic.

61
MCQeasy

A security architect reviews this Cisco router ACL configuration. The web server at 192.168.1.100 is accessible from the internet. What additional security measure should be implemented to protect the internal network (10.0.0.0/24)?

A.Remove the log statement from the deny rules to improve performance
B.Add an ACL on GigabitEthernet0/1 to limit outbound traffic to web ports only
C.Replace the ACLs with a stateful firewall that inspects connection states
D.Apply the same OUTSIDE_IN ACL to GigabitEthernet0/1 inbound
AnswerC

A stateful firewall provides deeper inspection and can prevent various attacks.

Why this answer

The INSIDE_OUT ACL allows all traffic from the internal network to any destination, including outbound connections from a compromised internal host. A stateful firewall tracks connection state, so return traffic is admitted only for sessions an internal host actually initiated and unsolicited inbound packets are dropped, something a stateless ACL can only approximate with broad permits. Egress filtering could be added to the ACL, but stateful inspection is the more comprehensive control.

The OUTSIDE_IN ACL only allows inbound web traffic to 192.168.1.100, which is good. The missing piece is stateful awareness on the internal segment, so that outbound sessions from internal hosts are inspected and policed rather than blindly permitted.

62
Multi-Selectmedium

A security architect is designing a cloud-native application that must comply with GDPR data residency requirements. Which TWO of the following measures should the architect implement? (Choose two.)

Select 2 answers
A.Deploy the application in a single region to simplify compliance
B.Store data only in approved geographical locations
C.Use data loss prevention (DLP) policies to monitor data transfers
D.Encrypt data at rest and in transit
E.Implement data classification and labeling
AnswersB, D

Ensuring data is stored only in approved regions directly enforces data residency.

Why this answer

Storing data only in approved geographical locations (B) is the direct control for GDPR data residency: it keeps personal data inside the jurisdictions where the organization is permitted to process it. Encrypting data at rest and in transit (D) is the baseline Article 32 security measure that protects that data wherever it sits and while it moves between approved locations. DLP (C) is a detective control that reports transfers after the fact; single-region deployment (A) trades availability for a compliance shortcut and is not itself a residency control, since one region in the wrong country still violates residency; data classification (E) tells you what is in scope but does not by itself keep data in place.

63
Multi-Selectmedium

A security architect is designing a secure wireless network for a government facility. Which TWO of the following measures should be implemented to ensure the highest level of security? (Select TWO.)

Select 2 answers
A.Use WPA2-PSK with a strong pre-shared key
B.Implement a captive portal with social login
C.Disable SSID broadcast on the access points
D.Use WPA3-Enterprise with EAP-TLS for authentication
E.Enable MAC address filtering on the access points
AnswersC, D

Disabling SSID broadcast can deter casual discovery, though it is not a primary control.

Why this answer

WPA3-Enterprise with EAP-TLS is the most secure choice for authentication and encryption: each client and the RADIUS server authenticate with certificates, so there is no shared secret to leak or to rotate when staff leave. Disabling SSID broadcast only hides the network from casual scanning; the SSID is still sent in the clear in probe and association frames, so treat it as hygiene rather than a security control. MAC filtering is trivially defeated by address spoofing. WPA2-PSK ties the whole facility to one passphrase that cannot be revoked per user.

Captive portals, especially with social login, provide no strong access control and do nothing for link-layer encryption.

64
MCQeasy

Refer to the exhibit. A security architect is reviewing this S3 bucket policy. Which of the following security concerns is MOST evident?

A.The policy denies all write access
B.The policy allows public read access
C.The policy uses an outdated version
D.The policy lacks encryption
AnswerB

The wildcard principal '*' allows any anonymous user to read objects.

Why this answer

The policy allows anonymous principals ('*') to perform 's3:GetObject' on all objects in the bucket, making the bucket publicly readable. This is a serious data exposure risk. The policy version is 2012-10-17 which is current, and encryption is not addressed in this policy.
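As an added example (not from the question bank; the exhibit itself is not reproduced here), an offline check for the concern the question describes: a bucket policy with a wildcard principal allowed to read objects. Both policy documents are constructed, with placeholder bucket, account and distribution identifiers; the hardened one uses the CloudFront origin access control pattern so that only the distribution, not the public, can read:

```python
import json

# Constructed policy mirroring what the question describes: a wildcard
# principal allowed to read every object. The bucket name is a placeholder.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}"""

# Constructed hardened version: objects are served only through a CloudFront
# distribution (origin access control). Account id and distribution id are
# placeholders.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CloudFrontOnly",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {
      "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"
    }}
  }]
}"""

def _as_list(value):
    # IAM policy JSON allows a single value or a list in most fields.
    return value if isinstance(value, list) else [value]

def principal_is_public(principal) -> bool:
    """True for both spellings of 'anyone': "*" and {"AWS": "*"} (or a list containing it)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json: str) -> list:
    """List every Allow statement that grants a public principal something.
    A Condition does not clear the finding automatically: a condition on
    aws:SourceIp or aws:SourceVpce may legitimately narrow '*', so the result
    records whether one is present for a human to review."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{index}]"),
            "actions": [a.lower() for a in _as_list(stmt.get("Action", []))],
            "conditioned": "Condition" in stmt,
        })
    return findings

if __name__ == "__main__":
    for label, doc in (("public", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, public_statements(doc))
```

This is the review you run over policies exported with get-bucket-policy; the preventive counterpart is S3 Block Public Access at the account level, which rejects a policy like `PUBLIC_READ_POLICY` when it is applied.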

65
MCQhard

A company is designing a hybrid cloud architecture with AWS and an on-premises data center. They need to ensure that all data transmitted between environments is encrypted and that the connection is resilient. Which design should the architect choose?

A.Deploy a single MPLS connection with network-based encryption
B.Set up a single AWS Direct Connect connection and rely on the provider's encryption
C.Establish multiple redundant IPsec VPN tunnels to the VPC
D.Use an SSL VPN tunnel from the on-premises firewall to the VPC
AnswerC

Redundant IPsec tunnels provide both encryption and resilience.

Why this answer

IPsec tunnels using IKEv2 provide encryption and authentication of the traffic, and multiple redundant tunnels (ideally terminating on different devices at each end) give failover when a path or a gateway fails. Direct Connect is a private circuit, but it does not encrypt traffic by itself, and a single connection is a single point of failure. An SSL VPN is oriented toward remote-access clients and web applications rather than a resilient site-to-site link.

MPLS is a carrier service whose traffic separation is logical, not cryptographic; encryption would have to be layered on top, and a single circuit offers no resilience.

66
MCQmedium

A financial services company is implementing a zero-trust architecture. The security architect needs to ensure that all network traffic between application tiers is inspected and logged regardless of source location. Which of the following should be implemented?

A.Implement microsegmentation using a next-generation firewall
B.Deploy a site-to-site VPN across all tiers
C.Use a single, centralized firewall for all traffic
D.Place all application servers in a DMZ
AnswerA

Microsegmentation enables fine-grained security policies between individual workloads, supporting inspection and logging.

Why this answer

Microsegmentation enforces granular security policies between workloads, allowing full inspection and logging of east-west traffic, which aligns with zero-trust principles. A VPN concentrates traffic but does not provide per-application inspection. A DMZ is perimeter-oriented.

A firewall is necessary but microsegmentation provides a more refined control.

67
Multi-Selecteasy

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

Select 2 answers
A.Hardware acceleration of cryptographic operations.
B.Tamper-resistant key storage.
C.Virtualization of the hardware root of trust.
D.Integration with public key infrastructure (PKI) to replace certificate authorities.
E.User authentication and authorization.
AnswersA, B

HSMs offload cryptographic processing from the main CPU.

Why this answer

Option A is correct because HSMs are dedicated hardware appliances that offload cryptographic operations from the main CPU, providing hardware acceleration for algorithms such as AES, RSA, and ECC. This acceleration is critical for high-throughput environments like TLS termination or code signing, where software-based cryptography would create a performance bottleneck. Option B is correct because tamper-resistant key storage is the defining property of an HSM: private keys are generated inside the module, never leave it in plaintext, and are zeroized if the enclosure detects tampering, so an attacker who compromises the host can use the keys only through the HSM's interface and cannot exfiltrate them.

Exam trap

Cisco often tests the distinction between 'essential characteristics' and 'common but non-essential features' — the trap here is that candidates confuse optional integration capabilities (like PKI support or user authentication) with the fundamental purpose of an HSM, which is tamper-resistant key storage and cryptographic acceleration.

68
Multi-Selectmedium

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Select 3 answers
A.The ACL will block all traffic from the 192.168.1.0/24 network to 10.0.0.0/24
B.Traffic sourced from 192.168.1.100 going to the 10.0.0.0/24 network will be permitted
C.Traffic from the 10.0.0.0/24 network to 192.168.1.100 is not affected by this ACL
D.The implicit deny at the end of the ACL will block all other traffic not explicitly permitted
E.The ACL blocks SSH and RDP access to 192.168.1.100 from any source
AnswersB, C, E

The permit entry matches on source 192.168.1.100; the deny entries match on destination 192.168.1.100, so direction matters.

Why this answer

Option B is correct because the ACL, when applied inbound on GigabitEthernet0/0, evaluates traffic entering the interface, and the permit statement allows traffic sourced from host 192.168.1.100 destined to the 10.0.0.0/24 network, so that specific traffic is explicitly permitted. Option C is correct because an inbound ACL on GigabitEthernet0/0 only sees packets arriving on that interface; traffic from 10.0.0.0/24 toward 192.168.1.100 enters the router elsewhere and is never evaluated by this ACL. Option E is correct because the ACL denies TCP 22 (SSH) and TCP 3389 (RDP) to host 192.168.1.100 without restricting the source, so every source is blocked for those two services. Option A is false because the permitted flow from 192.168.1.100 alone shows the ACL does not block all traffic from 192.168.1.0/24. Option D overstates the implicit deny: it drops only packets that match no explicit entry, so whether "all other traffic" is blocked depends on whether the ACL ends with an explicit permit.

Exam trap

The trap here is that candidates often confuse the direction of ACL application, assuming an inbound ACL on an interface affects traffic destined to that interface's IP address, when in fact it only filters traffic entering the router through that interface, whatever the destination.

69
MCQmedium

A multinational corporation is deploying a new application that will be accessed by employees, partners, and customers. The security architecture must support single sign-on (SSO) across different identity providers (IdPs) while maintaining strict access control based on user attributes such as role, location, and device posture. The company uses Active Directory for employees, a cloud IdP for partners, and self-registration for customers. The architect needs to design a centralized policy enforcement point that can evaluate access requests from multiple IdPs and enforce dynamic access policies before granting access to the application. Which of the following is the BEST architectural approach?

A.Deploy a SAML/WS-Federation federation server that authenticates users and then passes the identity to the application for authorization
B.Have each IdP enforce its own access policies and pass the authorization decision via SAML assertions
C.Configure a reverse proxy to authenticate users from any IdP and pass their identity to the application
D.Implement an externalized authorization management system (e.g., OAuth 2.0 with OpenID Connect) using a policy decision point (PDP) and a policy enforcement point (PEP) at the application gateway
AnswerD

This separates authentication from authorization, allows centralized attribute-based policy, and works across IdPs.

Why this answer

A Policy Enforcement Point (PEP) at the application gateway, integrated with a Policy Decision Point (PDP), separates authentication (done by whichever IdP the user belongs to) from authorization (done once, centrally, against attributes such as role, location and device posture), so a single policy applies regardless of IdP. Option B is wrong because relying on each IdP for authorization leads to policy fragmentation and makes the application trust decisions it cannot audit. Option A is wrong because a SAML/WS-Federation server handles authentication and identity transfer but not attribute-based authorization.

Option C is wrong because a reverse proxy alone authenticates and forwards identity; it has no policy decision capability.
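As an added example (not from the question bank), a miniature PEP/PDP: the enforcement point normalizes the claims of three hypothetical identity providers onto a common attribute set, the decision point evaluates ordered allow rules with default deny, and the result is mapped to an HTTP outcome. IdP names, claim names and rules are all constructed for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    idp: str             # which identity provider authenticated the user
    role: str
    location: str        # country code asserted by the IdP
    device_posture: str  # "compliant", "noncompliant" or "unknown"

def normalize_claims(idp: str, claims: dict) -> Subject:
    """The PEP maps each IdP's own claim names onto the attributes the policy uses.
    The IdP and claim names here are constructed for the example, not real schemas."""
    if idp == "corp-ad":        # employees: directory group and device posture are available
        return Subject(idp, claims["group"].lower(), claims["country"], claims["posture"])
    if idp == "partner-oidc":   # partners: a role claim, but no device posture we can trust
        return Subject(idp, claims.get("role", "partner"), claims["loc"], "unknown")
    if idp == "customer-self":  # customers: the role is assigned by us, never read from the token
        return Subject(idp, "customer", claims.get("country", "unknown"), "unknown")
    raise ValueError(f"unknown identity provider {idp!r}")

# Constructed policy: ordered allow rules, first match wins, default deny.
RULES = [
    ("finance-payroll-read", lambda s, r, a:
        s.idp == "corp-ad" and s.role == "finance" and s.device_posture == "compliant"
        and r.startswith("/payroll") and a == "read"),
    ("partner-orders-read", lambda s, r, a:
        s.idp == "partner-oidc" and s.location in {"DE", "FR", "US"}
        and r.startswith("/orders") and a == "read"),
    ("customer-own-account", lambda s, r, a:
        s.idp == "customer-self" and r == "/account" and a in {"read", "update"}),
]

def pdp_decide(subject: Subject, resource: str, action: str) -> tuple:
    """Policy decision point: evaluates attributes only, knows nothing about HTTP."""
    for name, predicate in RULES:
        if predicate(subject, resource, action):
            return ("Permit", name)
    return ("Deny", "default-deny")

def pep_enforce(idp: str, claims: dict, resource: str, action: str) -> tuple:
    """Policy enforcement point at the gateway: normalize the token's claims,
    ask the PDP, and turn the decision into an HTTP status plus the rule that fired."""
    subject = normalize_claims(idp, claims)
    decision, reason = pdp_decide(subject, resource, action)
    return (200 if decision == "Permit" else 403, reason)

if __name__ == "__main__":
    print(pep_enforce("corp-ad", {"group": "Finance", "country": "US", "posture": "compliant"},
                      "/payroll/2024", "read"))
    print(pep_enforce("customer-self", {"role": "admin"}, "/payroll/2024", "read"))
```

Two details carry the zero-trust point: the customer path ignores any role the self-registration token claims, because that token is not an authority on roles, and the employee rule fails closed when device posture is anything other than compliant, even for the right role.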

70
Multi-Selecteasy

A security architect is designing a secure remote access solution for contractors who need temporary access to a few internal applications. Which THREE of the following are best practices for controlling contractor access? (Select THREE.)

Select 3 answers
A.Allow contractors to use a shared account for simplicity
B.Implement just-in-time (JIT) temporary privilege elevation
C.Create time-limited accounts that expire automatically
D.Provide full network-level VPN access
E.Use a VPN with application-level access control
AnswersB, C, E

JIT provides access only when needed, reducing the risk of unused standing privileges.

Why this answer

Time-limited accounts enforce temporary access and remove the need to remember to deprovision, a VPN with application-level access control restricts contractors to the specific applications they need rather than the whole network, and just-in-time (JIT) privilege elevation removes standing privileges. Full network-level VPN access exposes far more than the few required applications, shared accounts destroy accountability, and standing access of any kind is against least privilege.

71
Multi-Selecthard

A company is implementing a hardware security module (HSM) to protect cryptographic keys. The security architect must ensure the solution meets FIPS 140-2 Level 3 requirements. Which TWO of the following features are required for Level 3?

Select 2 answers
A.Role-based authentication only
B.Tamper-evident coatings and seals
C.Identity-based authentication for operators
D.Ability to export keys in plaintext
E.Tamper resistance with automatic zeroization
AnswersB, C

Level 3 requires tamper evidence.

Why this answer

FIPS 140-2 Level 3 requires tamper-evident coatings or seals (inherited from Level 2) together with tamper detection and response, identity-based operator authentication, and physically separated ports or a trusted path for anything that carries plaintext critical security parameters. Role-based authentication is the Level 2 requirement; Level 3 raises it to identity-based, which is why Option C is the better choice. Option E describes the stronger protection associated with Level 4, a complete tamper-detection envelope with environmental failure protection, although Level 3 already expects zeroization of plaintext keys when removable covers or doors are opened.

Plaintext key export over a shared interface is disallowed at Level 3; keys enter or leave only through physically separate ports or a trusted path, typically encrypted or in split-knowledge form.

72
MCQhard

An organization is implementing a secure software development lifecycle. Which of the following practices BEST ensures that security requirements are addressed early in the development process?

A.Security training for developers
B.Code analysis after development
C.Threat modeling during design phase
D.Penetration testing before release
AnswerC

Threat modeling identifies threats early, allowing mitigation in design.

Why this answer

Threat modeling during the design phase identifies potential security issues before development, shifting security left. Penetration testing and code analysis are later activities, and training is important but does not directly address requirements early.

73
MCQmedium

Refer to the exhibit. A security analyst notices that users from the internet can reach the web server at 10.0.1.100 on port 443, but they cannot reach it on port 8443. What is the most likely cause?

A.The ACL only permits traffic from specific source IPs
B.The firewall rule order is incorrect
C.The web server is not listening on port 8443
D.The firewall is blocking all traffic on port 8443
AnswerC

If the server is not configured for port 8443, it will not respond.

Why this answer

The ACL in the exhibit permits both 443 and 8443 from any source, so the firewall is not the cause; the most likely cause is that the web server is not listening on 8443. A quick check confirms this: a port the firewall silently drops never answers, whereas a port that is permitted but has no listener answers with a TCP reset (connection refused).

Option A is incorrect because the ACL permits any source. Option B is incorrect because the rule order in the exhibit is fine. Option D is incorrect because the ACL explicitly permits 8443.
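The distinction above (refused versus silently dropped) is the check an analyst would run from outside the firewall. The following is an added example, not part of the original question or exhibit: a small TCP probe that classifies the outcome, plus a local demonstration that binds an ephemeral port (standing in for 443/8443, which need root) and probes it with and without a listener. Host and port values are assumptions for illustration.

```python
import socket
from contextlib import closing


def probe(host, port, timeout=2.0):
    """TCP-connect probe that separates the outcomes a troubleshooter cares about.

    'open'        handshake completed: a service is listening and nothing in the path blocked it
    'refused'     RST received: the packet reached the host, so the ACL/firewall is not the
                  blocker, but no process is listening on that port (the situation in the question)
    'filtered'    no reply before the timeout: a firewall or ACL is silently dropping the port
    'unreachable' routing/ICMP error: the problem is before any firewall rule
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def demo_listening_vs_closed():
    """Return ('open', 'refused'): the same port probed with a listener and then without one.

    Uses 127.0.0.1 and an ephemeral port (assumption: local loopback networking is available),
    so it runs offline and without privileges.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # kernel picks a free port; stands in for 443
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe("127.0.0.1", port)
    srv.close()                       # stands in for "web server not configured for 8443"
    without_listener = probe("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo_listening_vs_closed())
```

From a host outside the firewall, `probe("10.0.1.100", 8443)` returning `"refused"` confirms the page's diagnosis (ACL permits, server not listening); `"filtered"` would instead point back at the firewall. On the server itself, `ss -tlnp` shows which ports actually have listeners.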

74
MCQhard

Refer to the exhibit. A web server is unable to connect to a local database socket. Which of the following actions would MOST likely resolve this issue?

A.Disable SELinux entirely
B.Restart the httpd service
C.Change the SELinux enforcing mode to permissive
D.Add an SELinux policy module to allow httpd_t to connect to unconfined_t
AnswerD

This creates a targeted policy rule to allow the specific connection while maintaining enforcement.

Why this answer

The SELinux denial indicates that the httpd process (in httpd_t domain) is not allowed to connect to a socket with context unconfined_t. Adding a custom SELinux policy module to allow this specific connection is the proper fix. Temporarily permissive mode or disabling SELinux is not a secure long-term solution.

Restarting the service will not change the policy.
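What "adding a policy module" means in practice is to turn the logged AVC denial into a minimal allow rule, which is exactly what `audit2allow -M` does with the output of `ausearch -m AVC -ts recent`. The following is an added example, not the original question's exhibit: it parses constructed audit lines (written to match the scenario, with a `connectto` denial on the unconfined_t peer socket and the `write` denial on the socket file that usually accompanies it) and emits the `.te` source of such a module. The module name, PIDs and socket path are assumptions.

```python
import re

# Fields of an AVC denial as written to /var/log/audit/audit.log
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample, not a real log capture: one AVC for the unix socket connect,
# one for writing the socket file, and one non-AVC record that must be ignored.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1700000000.101:301): avc:  denied  { connectto } for  pid=2231 '
    'comm="httpd" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1700000000.101:302): avc:  denied  { write } for  pid=2231 '
    'comm="httpd" name="mysqld.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
    'type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=42 success=no exit=-13',
]


def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }


def build_te(module_name, audit_lines):
    """Aggregate denials into minimal policy module source (.te), as audit2allow -M would."""
    rules = {}        # (source, target, tclass) -> set of permissions
    class_perms = {}  # tclass -> set of permissions, for the require block
    for line in audit_lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
        class_perms.setdefault(d["tclass"], set()).update(d["perms"])
    if not rules:
        raise ValueError("no AVC denials found")
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    for cls in sorted(class_perms):
        out.append(f"    class {cls} {{ {' '.join(sorted(class_perms[cls]))} }};")
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te("httpd_dbsock", SAMPLE_AUDIT))
```

The generated source is compiled and loaded with `checkmodule -M -m -o httpd_dbsock.mod httpd_dbsock.te`, `semodule_package -o httpd_dbsock.pp -m httpd_dbsock.mod` and `semodule -i httpd_dbsock.pp`, leaving enforcing mode untouched. Before loading a custom module, check `getsebool -a | grep httpd` for an existing boolean that already covers the access; a boolean is preferable to a new rule when one applies.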

75
MCQeasy

A security architect is evaluating a new identity management solution. The requirement is to allow users to authenticate using their existing social media accounts while maintaining corporate control over access policies. Which architecture best meets this requirement?

A.Privileged access management (PAM) solution
B.Single sign-on (SSO) using a corporate LDAP directory
C.Public Key Infrastructure (PKI) with digital signatures
D.Federated identity management using Security Assertion Markup Language (SAML)
AnswerD

Federation allows external IdPs like social media, while the enterprise controls policies.

Why this answer

Federated identity management allows external identity providers (e.g., social media accounts) to authenticate the user, while the enterprise retains policy control through its own federation service, which decides what an authenticated identity may access. In practice social providers mostly expose OpenID Connect / OAuth 2.0 rather than SAML, but the architecture the question tests is the same: external authentication, internal authorization. Option A is wrong because PAM manages and brokers privileged credentials; it does not accept external identities. Option B is wrong because SSO against a corporate LDAP directory requires the user to hold a corporate account, with no federation to an outside provider.

Option C is wrong because PKI with digital signatures provides integrity and non-repudiation, not social login.
