Certmaster CE Security+ Domain 3.0 Security Architecture Assessment
A company is considering changing its current network infrastructure. The employees are evaluating the benefits and drawbacks of having a network with a single main hub versus having functions distributed among various nodes. What network design principle are they considering?
A. Centralized/decentralized
An organization is trying to determine the appropriate level of access controls to put in place for a certain type of data. This data includes company financial reports that should only be accessible to the senior management team. How should the organization MOST accurately classify this data?
A. Confidential
A financial organization is currently handling a document that contains sensitive customer information, including financial details and social security numbers. According to data classifications, how should the financial organization categorize this data?
A. Confidential data
During a security audit in a financial institution, the auditor identifies a subset of data that, if breached, could severely impact the organization's operation. The financial institution has this data currently stored on nonoperational servers. How would the institution classify this data?
A. Critical
A multinational company is improving its data security strategy and asks an IT professional to apply different protective measures, ensuring that the data remains secure, whether stored, transferred, or processed. What concept is the IT professional primarily working with?
A. Data states
A nonprofit organization with limited funds needs a cost-effective disaster recovery plan that doesn't necessitate immediate resumption of services after a disaster. Which strategy is the MOST suitable?
A. Deploy a cold site
An organization is implementing an intrusion prevention system (IPS) as part of its efforts to secure its enterprise infrastructure. The IT manager is considering the failure modes of the IPS and is deciding between a fail-open and a fail-closed configuration. What are the implications of each configuration on network traffic in the event of a system failure?
A. Fail-open will allow all traffic; fail-closed will block all traffic.
An organization plans to implement a load balancer as part of its network infrastructure to manage the increased web traffic to its services. The organization tasks a network administrator with ensuring that the load balancer configures in line with best security practices to reduce the attack surface and secure the enterprise infrastructure. The network administrator's responsibilities include evaluating the network appliances, securing connectivity, and considering device placement. What is th
A. Implement a Web Application Firewall alongside the load balancer.
An organization is transitioning to an Infrastructure as a Service (IaaS) model with a third-party vendor. What should the organization's security officer do to ensure the security of deployed applications and data?
A. Implement user identity management and access controls to cloud resources
In a small office building, the operations team wants to automate various processes and enable real-time monitoring of systems over the internet. Which technology is best suited for this task?
A. IoT
An organization is preparing to file for a patent for its innovative product design. They have gathered all necessary information, including detailed descriptions of the design, how it differs from existing designs, and why it is eligible for patent protection. Under which data type would this information fall?
A. Legal and financial data
A systems engineer is designing a new IT infrastructure for a company that provides a highly used online service. The company wants to ensure that its service's communications are efficient and available around the clock. Which features should the engineer primarily consider during the design process? (Select the two best options.)
A. Load balancing B. Clustering
A global e-commerce company faces challenges with its legacy monolithic application. The application is becoming increasingly difficult to maintain due to its intertwined components and struggles to scale quickly enough to handle sudden traffic surges during big sales events. The company has already invested in cloud technology and on-premises infrastructure but still faces scalability and manageability issues. What would MOST effectively address these challenges?
A. Microservices
A company is developing a system that requires instantaneous response to certain inputs. The system will incorporate into a larger device and will not have many resources. What type of system is likely to be MOST suitable for this scenario?
A. Real-time operating system
A multinational corporation handles human-readable and non-human-readable data. What are the implications for security operations and controls?
A. Security measures for non-human-readable data: encryption, access controls, intrusion detection/prevention, and secure data exchange (incorrect) B. Security measures for human-readable data: monitoring, user awareness, encryption, and secure data exchange (incorrect)
A company is deploying a software service to monitor traffic and enforce security policies in its cloud environment. Considering the need for responsiveness, which technology should the company consider using?
A. Serverless platforms and software-defined networking (SDN)
As a financial institution implementing a new security control device to protect its network infrastructure, it wants to ensure that in the event of a failure, the confidentiality and integrity of its financial data take precedence over system availability. What should the financial institution set as the failure mode configuration for this security control device?
A. The security control device should be configured to fail-closed.
A hospital has implemented a security device that processes sensitive patient information. The hospital wants to ensure that in the event of a failure, the confidentiality and integrity of the patient data take priority over the system's availability. What should the hospital set as the failure mode configuration for this security device?
A. The security device should be configured to fail-closed.
A network engineer is segmenting a company's network to improve security. In terms of routing infrastructure, which of the following strategies would the engineer employ to segment different types of hosts attached to the same switch?
B. Assign each host to a different virtual local area network (VLAN).
A cloud administrator wants to directly connect a cloud server instance with another cloud server instance privately on Amazon Web Services (AWS). How can the administrator configure them without going through an internet gateway?
B. By using a virtual private cloud (VPC) peering connection
A small start-up has recently launched its first web application. To ensure high availability and to handle potential traffic spikes, the start-up decides to implement a load balancer in its network infrastructure. The network technician must secure the load balancer against basic threats. What is the fundamental step the network technician should take to secure the load balancer?
B. Disable unnecessary services on the load balancer.
A security specialist is evaluating several new systems for potential integration into the company's network. Which of the following criteria is MOST directly linked to the system's setup process and maintenance scheduling?
B. Ease of deployment
A global banking institution instructs its cybersecurity team to minimize the network's vulnerability to cyber threats. The team has divided the network into secure segments, initiated port security protocols, and physically segregated key servers. The team now wishes to manage the flow of traffic between the security segments to reduce the threat of attack. What approach should the cybersecurity team adopt?
B. Enforce role-based access control for traffic policies between zones.
A major e-commerce company is planning for a disaster recovery strategy that balances minimal data loss, quick recovery, and budget considerations. It needs a recovery site that does not necessitate instant recovery but restores critical systems promptly. Which option BEST suits the company's recovery site requirements?
B. Establishing a warm site
An organization implements a new network infrastructure and plans to use an intrusion prevention system (IPS) for security. The IT manager wants to ensure that the IPS will continue to let traffic flow if it fails. Which failure mode should the IT manager configure for the IPS?
B. Fail-open
The security team at a multinational cloud services company is working on their port security. They implemented basic Media Access Control (MAC) address filtering on all switch ports, but they have concerns about the risk of MAC spoofing and the management overhead of maintaining a list of valid MAC addresses. To address these concerns, they now require strong authentication before a user can obtain full network access. Which of the following measures should the team implement next?
B. Implement EAP and RADIUS.
A large organization is planning to restructure its network infrastructure to create better security boundaries and enhance control over network traffic as it undergoes rapid expansion with an increasing number of remote employees. What should the company implement to meet these requirements?
B. Logical segmentation
A national park posts information about its flora and fauna on its website. This information does not contain any personally identifiable information or sensitive government data. How should the park service classify this data?
B. Public
A large multinational corporation is restructuring its IT division. The corporation defines roles, responsibilities, and levels of authority for different tasks across various teams. What type of tool is the corporation likely to use to document this information?
B. Responsibility matrix
A healthcare institution is building a new patient information system. It wants to ensure the system can handle the projected volume of patient records and requests, especially during peak hours, without compromising the accuracy of information and system performance. Which of the following is the MOST effective way to confirm the system's ability to manage the expected demand?
B. Running a simulation of the system
A hospital is putting measures in place to protect patient records. Which term BEST describes how the hospital should classify patient data?
B. Sensitive
A rock band wishes to set up a system for communicating with their fans upon arrival at concerts and providing them with relevant hashtags for participation. Which type of cloud service model would be MOST beneficial to recommend to the rock band?
B. Software as a service
A medium-sized organization elects to redesign its network security infrastructure. The IT manager is considering implementing a proxy server to enhance security and improve client performance. The organization's network includes a virtual private network (VPN) for remote access, multiple security zones, and a Unified Threat Management (UTM) system. Which of the following is the primary benefit of implementing a proxy server in this scenario?
B. The proxy server can perform application-layer filtering, enhancing network traffic security.
A network engineer is optimizing an existing cloud-based system. The primary goal is to ensure the system remains operational, minimizing downtime, even under adverse conditions or potential failure points. What key characteristic of system design should the engineer prioritize?
C. Availability
To address the escalating operational costs and complexities stemming from multiple standalone applications, an organization plans to restructure its software deployment process. They want to minimize overhead, increase flexibility in development environments, and enhance the efficient use of system resources. What approach would be the MOST effective?
C. Containerization
Planning to store data from various global branches, an international company is assessing the legal and regulatory compliance requirements for data storage and usage. What should the organization consider in its analysis of government requirements?
C. Data sovereignty
The IT manager of a medium-sized organization is designing a new network infrastructure to secure its enterprise infrastructure by implementing an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS). The manager is considering different deployment methods for the IPS/IDS to optimize their effectiveness. The organization's network includes multiple security zones, a virtual private network (VPN) for remote access, and a web application firewall (WAF). Which deployment method
C. Deploy the IPS/IDS devices in inline mode at the network perimeter.
A network security administrator's responsibilities include enhancing the enterprise's network infrastructure security posture. They deploy a Next Generation Firewall (NGFW) as part of their defense strategy. The enterprise mixes internal and external services, including a web application and a virtual private network (VPN) for remote access. Which of the following should the administrator primarily consider when implementing the NGFW to ensure effective security without disrupting normal operat
C. Deploy the NGFW in inline mode, ensuring it analyzes all traffic while maintaining connectivity.
A large organization is redesigning its network and is considering the placement of servers and networking equipment, and is enabling switch port security. The primary concern is maintaining the high availability of services and securing the network infrastructure from unauthorized access. What approach should the organization adopt to address these concerns?
C. Distribute servers across different secure locations for redundancy, disable unused ports, and implement 802.1X authentication.
A systems engineer must develop a design strategy for a new data center that provides services around-the-clock, and any disruptions must resolve quickly. Which of the following is a primary consideration in the engineer's design to meet these requirements?
C. Ease of recovery
An organization wants to improve the security of sensitive customer information stored on its servers. This sensitive customer information is "data at rest" and not currently accessed or processed. Which method should the organization consider for protecting this data?
C. Encryption
An organization is considering a hybrid cloud deployment to leverage the benefits of both private and public cloud resources. While reviewing third-party vendors, what critical aspect should the employees consider for a secure and effective transition?
C. Establish clear service level agreements
A rapidly growing e-commerce company is considering changes to its current on-premises network infrastructure to handle increasing workloads better and provide high availability. The company expresses concerns about the potential costs and complexity associated with scalability and ease of recovery from potential failures. Which infrastructure options should the company consider to address its needs?
C. Implement a hybrid solution with a mix of on-premises and cloud-based infrastructure.
A multinational corporation wants to standardize and automate the setup of its Information Technology (IT) infrastructure across various branches. This would reduce manual setup errors and allow for quicker deployment and scaling of resources as per demand. Which methodology should the corporation adopt to accomplish this?
C. Infrastructure as code
A large organization is redesigning its network infrastructure to increase security and reduce the potential attack surface. The organization considers implementing an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) into its security zones. The IT manager wants to secure connectivity and considers different network appliances and port security measures. Which of the following options BEST describes the benefits and disadvantages of placing the IPS/IDS devices inline wit
C. Inline placement allows for active prevention measures but can become a single point of failure.
During an annual review, a health services company's leadership aims to scrutinize its disaster response and data recovery protocols. They focus on effectiveness, hidden weaknesses, and clarity of employee roles during a disaster. Which course of action would BEST serve these objectives?
C. Organizing tabletop exercises
A prominent e-commerce company experiencing significant business growth anticipates a sharp increase in website traffic during an upcoming annual sales event. The company is wary of potential system bottlenecks or downtimes that could disrupt sales and affect reputation. What primary strategy should the company use to ensure its systems can handle the upcoming event?
C. Rigorous capacity planning process
An organization wants to implement a hybrid cloud strategy and understand the security implications of its responsibility matrix. What should the organization consider in this analysis?
C. They should balance security duties between on-premises and cloud to ensure a clear definition in the responsibility matrix.
An organization is preparing to file for a patent for its innovative product design. They have gathered and completed all necessary procedural filing requirements, including detailed descriptions of the design, monetary valuation, how it differs from existing designs, and why it is eligible for patent protection. Under which data type would this information fall?
C. Trade Secret data (INCORRECT A: Legal and Financial data?)
A financial services company tasks its IT security team with reducing the network's attack surface. They have segmented the network into security zones, put port security measures in place, and physically isolated critical servers. The IT security team wants to further reduce the risk of attack by managing traffic flow between security zones. Which of the following measures should the team implement?
D. Apply the principle of least privilege when defining traffic policies between zones.
A systems architect is designing a new data center. The architect looks at different factors such as equipment type, data center location, and power specifications. What is the primary concern during this stage of the process?
D. Considerations
An IT specialist working for a multinational confectionery company needs to fortify its network security. The firm has been dealing with intrusions where raw User Datagram Protocol (UDP) packets bypass open ports due to a virus. The specialist will analyze packet data to verify that the application protocol corresponds to the port. The company also wants to track the state of sessions and prevent fraudulent session initiations. Which of the following tools should the IT specialist prioritize deploying?
D. Deep packet inspection firewall
A logistics company is contemplating certain steps for its data centers in its quest to fortify its systems against long-term power outages. What is the MOST suitable measure the company could undertake?
D. Deploying onsite generators
A security engineer is updating the company's cyber security strategy. Which of the following strategies is the MOST effective in reducing the company's network attack surface?
D. Establish multiple control categories and functions to enforce multiple layers of protection.
A multinational corporation handles both human-readable and non-human-readable data. Which of the following statements accurately represent the recommended security measures for each type of data?
D. For non-human-readable data: encryption, access controls, intrusion detection/prevention, and secure data exchange. For human-readable data: monitoring, user awareness, encryption, and secure data exchange.
A company is redesigning its network architecture and wants to implement a zone-based security model. Which of the following is the MOST accurate statement about hosts within the same zone?
D. Hosts within the same zone should be subject to the same access control requirements.
A manufacturing firm is exploring implementing a network system for its plant floor operations to manage its large-scale, real-time processes and to ensure that the network is isolated from unauthorized or accidental communication with other networks. Which type of infrastructure will BEST fit the firm's needs?
D. ICS/SCADA infrastructure
A manufacturing firm is exploring the implementation of an isolated network system for its plant floor operations. The goal is to prevent any unauthorized or accidental communication with other networks. The firm plans to manage large-scale, real-time processes using this system. Which type of infrastructure will BEST fit the firm's needs?
D. ICS/SCADA infrastructure
A corporation is experiencing frequent power failures in its data center, which are causing downtime and resulting in high recovery costs. Which strategy could the corporation employ to minimize the impact of these power failures?
D. Implement a UPS system
A company is transmitting source code from its headquarters to a remote branch over the Internet. The network administrator wants to enhance the security of this code while it is in transit. While maintaining readability is not alarming for the organization, they have increased concerns about ensuring the code is difficult to understand if intercepted. Which technique should the administrator use?
D. Obfuscation
A systems administrator receives an alert for potential unauthorized access to sensitive data while in active memory on a server within the organization. The organization has tasked the systems administrator with enforcing stricter controls to prevent such breaches. What would be the MOST appropriate measure to implement?
D. Permission restrictions
A medium-sized organization is upgrading its network infrastructure to secure its enterprise infrastructure by implementing an intrusion prevention system (IPS) and an intrusion detection system (IDS). The organization has sensitive data in different security zones, and the IT manager has concerns regarding the attack surface and network connectivity. Which of the following placements of the IPS/IDS devices would be MOST effective in this scenario?
D. Place the IPS/IDS devices at the network perimeter to monitor inbound and outbound traffic.
A network administrator configures the security for data transmitted by employees working remotely. The data includes personal employee information such as addresses and phone numbers. Which category does this scenario BEST fit?
D. Private
The IT department of a healthcare provider maintains a database containing personal health information for its patients. Which classification BEST suits this type of data?
D. Regulated
A tech startup develops a unique algorithm that provides a significant competitive edge in the market. To maintain this edge, the startup needs to ensure the highest level of protection for this information. How should this startup categorize and handle this unique algorithm?
D. The startup should categorize the algorithm as a trade secret and protect it using non-disclosure agreements.