WGU Cybersecurity Architecture and Engineering 시험

Question No : 1

A company has recently experienced a data breach from an insider threat and wants to implement a policy to reduce the risk of similar incidents in the future. During the incident, the insider threat accessed sensitive information stored in the administrator account from their user account. The insider threat was not in a supervisory role at the time of the incident.
Which policy should the company implement?

• A.Password complexity policy
• B.Separation of duties
• C.Least privilege
• D.Job rotation

답을 확인하기

정답:
Explanation:
The correct answer is C ― Least privilege.
According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) course material, the principle of least privilege ensures that users are granted only the minimum level of access required to perform their job functions. In this case, if the insider only had access to resources necessary for their user role, they would not have been able to access sensitive administrative information.
Password complexity (A) strengthens account security but does not prevent excessive access. Separation of duties (B) divides critical tasks but is not solely about limiting access. Job rotation (D) moves employees between roles but is not an access control measure.
Reference Extract from Study Guide:
"The principle of least privilege requires limiting user access rights to the minimum necessary to perform their tasks, reducing the risk of insider threats and unauthorized access to sensitive information."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Access Control Principles

Question No : 2

A project manager is working on a project that involves securing the network of a tall building. The manager is tasked with managing these risks effectively to ensure the successful completion of the project within a given time frame and budget. The manager identified multiple potential risks associated with the project.
What is the next step in the risk management life cycle?

• A.Identify
• B.Review
• C.Assess
• D.Control

답을 확인하기

정답:
Explanation:
The correct answer is C ― Assess.
As per WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, after risks have been identified, the next step in the risk management life cycle is to assess them. Assessment involves analyzing and prioritizing the risks based on their potential impact and likelihood. Only after assessment can proper strategies be formulated for controlling and mitigating the risks.
Identification (A) occurs before assessment, while reviewing (B) and controlling (D) happen later in the process.
Reference Extract from Study Guide:
"Following the identification of risks, the risk management process proceeds to risk assessment, where risks are analyzed and prioritized based on likelihood and impact to guide mitigation efforts."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Risk Management Process

Question No : 3

The cybersecurity analyst at a hardware company conducted a vulnerability assessment to identify potential security risks to the organization and discovered multiple vulnerabilities on the company's webpage. The analyst then provided the results to the chief information security officer (CISO), who then decided to decommission the website and create a new page with increased security controls.
Which risk mitigation strategy is demonstrated in this scenario?

• A.Accept
• B.Avoid
• C.Transfer
• D.Mitigate

답을 확인하기

정답:
Explanation:
The correct answer is B ― Avoid.
WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials explain that risk avoidance involves eliminating the source of risk entirely. In this scenario, by decommissioning the vulnerable website and starting anew, the organization is removing the risky environment instead of trying to fix or transfer the risk, which is a clear example of risk avoidance.
Accepting (A) would mean tolerating the risk without action. Transferring (C) would involve shifting the risk to a third party (like insurance). Mitigating (D) would involve reducing the risk without removing the vulnerable system.
Reference Extract from Study Guide:
"Risk avoidance entails eliminating the conditions that expose the organization to a threat, thereby completely removing the associated risk."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Risk Response Strategies

Question No : 4

An insurance agency is concerned that some employees could be mishandling funds and covering it up. The agency wants to temporarily block these employees from working and ensure that operations continue.
Which strategy should the agency implement?

• A.Separation of duties
• B.Mandatory vacation
• C.Job rotation
• D.Least privilege

답을 확인하기

정답:
Explanation:
The correct answer is B ― Mandatory vacation.
According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) coursework, mandatory vacation policies require employees to take time off, during which their duties are either paused or performed by others. This break can reveal fraudulent activities, as the original employee cannot cover up their misconduct during their absence.
Separation of duties (A) prevents a single person from controlling critical processes but is not about temporarily removing an employee. Job rotation (C) moves employees between roles regularly but doesn't enforce a break. Least privilege (D) restricts access but does not address uncovering hidden
misconduct.
Reference Extract from Study Guide:
"Mandatory vacations help detect fraudulent activities, as employee absence can expose irregularities that would otherwise remain hidden through continuous control over processes."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Administrative Security Controls

Question No : 5

A cybersecurity analyst at a healthcare organization was tasked with analyzing the indicators of compromise (IOCs) to identify potential threats and vulnerabilities within the enterprise. Theanalyst notices unknown users logging on to the company's wireless local-area network (WLAN).
What is a potential vulnerability the healthcare organization is facing based on the IOCs identified?

• A.Unsecured wireless access points
• B.Up-to-date anti-malware software
• C.A strong password policy
• D.Regular security awareness training for employees

답을 확인하기

정답:
Explanation:
The correct answer is A ― Unsecured wireless access points.
WGU Cybersecurity Architecture and Engineering (KFO1 / D488) explains that unauthorized logins to a WLAN often indicate poorly secured wireless access points, such as those lacking strong encryption (e.g., WPA2/WPA3), not using strong passwords, or having open access without authentication. This
vulnerability can allow attackers to access internal systems and sensitive data.
Up-to-date anti-malware software (B), a strong password policy (C), and regular security training (D) are good security practices but do not directly explain unauthorized WLAN access.
Reference Extract from Study Guide:
"Unauthorized wireless access often results from unsecured wireless configurations, including weak encryption, open networks, or default credentials, posing significant risks to organizational assets."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Wireless Security Concepts

Question No : 6

An IT team has been tasked with improving an organization's security posture to defend against potential malicious actors.
What is the first step when hunting for potential threats?

• A.Deploy an anti-malware solution
• B.Implement an intrusion detection system
• C.Form an incident response team
• D.Establish a baseline for normal activity

답을 확인하기

정답:
Explanation:
The correct answer is D ― Establish a baseline for normal activity.
According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, the first step
in threat hunting is to understand what constitutes normal behavior within the environment. Establishing a baseline allows analysts to detect anomalies and deviations that could indicate malicious activity. Without a clear understanding of normal operations, it is extremely difficult to identify potential threats.
Deploying anti-malware solutions (A) and implementing intrusion detection systems (B) are important security measures but are not the first step in proactive threat hunting. Forming an incident response team (C) is essential for handling incidents but does not directly initiate threat hunting.
Reference Extract from Study Guide:
"Threat hunting begins with establishing a baseline of normal network, system, and user activity, enabling the detection of anomalies that may indicate potential threats."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Hunting and Detection

Question No : 7

A company with a hybrid cloud deployment needs to identify all possible threat types that could impact production systems.
Which threat hunting technique should be used to identify potential attacks that have already occurred?

• A.Honeypots
• B.Log analysis
• C.Social engineering
• D.Penetration testing

답을 확인하기

정답:
Explanation:
The correct answer is B ― Log analysis.
According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488) curriculum, log analysis is critical for retrospective threat hunting ― reviewing system, network, and application logs to identify signs of compromise or unauthorized activities that might have gone unnoticed in real-time. This technique helps uncover attacks that have already occurred in hybrid or cloud environments.
Honeypots (A) are proactive traps to detect future attacks. Social engineering (C) involves manipulating people, not hunting threats. Penetration testing (D) is used to find vulnerabilities, not to review past incidents.
Reference Extract from Study Guide:
"Threat hunting through log analysis involves systematically reviewing collected logs to uncover evidence of past or ongoing compromises, enabling organizations to identify and respond to threats that may have bypassed preventive controls."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Detection and Hunting Concepts
Of course!
Here are the verified and properly formatted answers for your next set of questions, strictly following your instructions and the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) official course materials:

Question No : 8

A company's website is suddenly redirecting users to a suspicious landing page asking for personal information.
What is the most likely cause of the issue?

• A.Exfiltration
• B.Phishing
• C.Tampering
• D.Ransomware

답을 확인하기

정답:
Explanation:
The correct answer is C ― Tampering.
WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials explain that tampering refers to unauthorized modifications of systems or data. In this case, the website being altered to redirect users to a malicious landing page indicates that an attacker has tampered with the legitimate website code or its DNS settings.
Exfiltration (A) refers to stealing data. Phishing (B) involves tricking users but not modifying a website. Ransomware (D) encrypts systems for ransom, not cause redirection.
Reference Extract from Study Guide:
"Tampering involves the unauthorized modification of a system or its resources, often to redirect users to malicious destinations or to alter functionality in harmful ways."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Categories and Impacts

Question No : 9

A security engineer has been asked to audit unapproved changes that have recently taken place in a corporate application.
Which logging mechanism will create an audit trail?

• A.NetFlow logs
• B.Access logs
• C.Packet capture logs
• D.Router logs

답을 확인하기

정답:
Explanation:
The correct answer is B ― Access logs.
As outlined in the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, access logs record who accessed which system components, when they did so, and what changes they made. These logs are vital for creating an audit trail that can be reviewed to detect unauthorized changes to applications or systems.
NetFlow logs (A) track network traffic flows but not system or application changes. Packet capture logs (C) deal with network data but are not specialized for auditing application-level events. Router logs (D) capture network device activity, not application access information.
Reference Extract from Study Guide:
"Access logs maintain detailed records of user actions within systems and applications, providing the necessary audit trail for tracking authorized and unauthorized activities."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Log Management Concepts

Question No : 10

The security operations center (SOC) team has been alerted about malicious traffic on the corporate network and is concerned about a distributed denial of service (DDoS) attack. An analyst has been tasked with inspecting network traffic in the on-premises data center to investigate the issue.
Which type of file should the analyst use to inspect the traffic?

• A.Web server access log
• B.Syslog messages
• C.Operating system event log
• D.Packet capture

답을 확인하기

정답:
Explanation:
The correct answer is D ― Packet capture.
According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488) content, packet captures (PCAP files) allow analysts to inspect individual network packets to understand traffic patterns, detect anomalies, and investigate attacks like DDoS. A packet capture provides complete network session data, enabling in-depth analysis of traffic behavior at the packet level.
Web server access logs (A) only capture web activity. Syslog messages (B) primarily record system events but not raw traffic data. Operating system event logs (C) focus on system-level actions, not network flows.
Reference Extract from Study Guide:
"Packet captures record the full network traffic and are essential for investigating network-based attacks such as DDoS incidents by analyzing traffic flows, protocols, and payloads."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Network Security Monitoring Concepts

Question No : 11

A company is moving its applications to the cloud and is concerned about cyber security threats. The security team has been tasked with providing a comprehensive view of how attackers gain access, move through networks, and carry out attacks.
Which framework identifies the seven phases of an attack, from initial infiltration to post-exploitation?

• A.Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for industrial control systems (ICS)
• B.MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
• C.Cyber kill chain
• D.Diamond Model of Intrusion Analysis

답을 확인하기

정답:
Explanation:
The correct answer is C ― Cyber kill chain.
The Cyber Kill Chain, developed by Lockheed Martin, is a model that breaks down a cyber attack into seven distinct phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) study materials, this model helps security teams understand and interrupt an attack at various stages.
While MITRE ATT&CK (B) and its ICS variant (A) provide detailed mappings of techniques used by attackers, they are not structured specifically into seven phases like the Cyber Kill Chain. The Diamond Model (D) is an analysis methodology, not a phase-based model.
Reference Extract from Study Guide:
"The Cyber Kill Chain model divides the sequence of a cyber attack into seven phases, providing a structured method for analyzing and disrupting attacks."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Attack Frameworks and Methodologies

Question No : 12

An on-call security engineer has been notified after business hours that a possible threat could be impacting production applications.
Which type of threat intelligence should be used by first responders?

• A.Tactical
• B.Commodity malware
• C.Operational
• D.Strategic

답을 확인하기

정답:
Explanation:
The correct answer is A ― Tactical.
Based on WGU Cybersecurity Architecture and Engineering (KFO1 / D488) study material, tactical threat intelligence provides technical details such as indicators of compromise (IOCs), IP addresses, file hashes, domain names, and other evidence needed to detect and respond to threats immediately. This type of intelligence is used by security teams to perform real-time monitoring and incident response.
Operational intelligence (C) addresses campaigns or actor behavior but is not immediately actionable. Strategic intelligence (D) provides high-level, long-term threat trends. Commodity malware (B) refers to low-level malware types, not intelligence classifications.
Reference Extract from Study Guide:
"Tactical threat intelligence focuses on technical indicators of compromise (IOCs) and immediate actionable information that responders use to detect and contain active threats."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Threat Intelligence Concepts

Question No : 13

An organization's board of directors is reviewing the risk register and attempting to evaluate whether there is too much risk for the organization.
Which metric should the board review?

• A.Risk appetite
• B.Risk evaluation plan
• C.Risk treatment plan
• D.Risk tolerance

답을 확인하기

정답:
Explanation:
The correct answer is A ― Risk appetite.
As per the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) coursework, risk appetite defines the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is a strategic-level metric used by executive leadership and boards to determine if the current level of risk exceeds what the organization is comfortable handling.
Risk evaluation plans (B) outline how risks are assessed, treatment plans (C) describe mitigation actions, and risk tolerance (D) is more operational, defining acceptable variation from the appetite but not the overall strategic limit.
Reference Extract from Study Guide:
"Risk appetite represents the amount of risk an organization is willing to pursue or retain and is established by senior leadership as part of governance activities."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Risk Management Concepts

Question No : 14

The security team has been tasked with selecting a password complexity policy for the organization.
Which password complexity policy option should be recommended?

• A.Twelve characters with no symbols or numbers
• B.Sixteen characters with at least one letter, one number, and one symbol
• C.Four characters with at least one letter or one number
• D.Eight characters with no symbols or numbers

답을 확인하기

정답:
Explanation:
The correct answer is B ― Sixteen characters with at least one letter, one number, and one symbol.
According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) Study Guide, strong password policies must enforce a minimum length (preferably 12 to 16 characters) and require complexity, including uppercase and lowercase letters, numbers, and special characters. Sixteen-character passwords that include varied character types greatly increase the difficulty for attackers using brute-force or dictionary attacks.
Options A, C, and D either lack complexity or have too few characters, making them vulnerable to attacks.
Reference Extract from Study Guide:
"A strong password should be at least 12C16 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters to maximize resistance to brute-force attacks."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity and Access Management Concepts

Question No : 15

An IT team must allow on-premises users to log in to the Azure portal using their corporate credentials.
Which strategy should be used to enable identity federation in this scenario?

• A.Encrypting with Transport Layer Security (TLS)
• B.Deploying a hardware-based two-factor authentication (2FA) solution
• C.Integrating with lightweight directory access protocol (LDAP)
• D.Configuring third-party authentication with Security Assertion Markup Language (SAML)

답을 확인하기

정답:
Explanation:
The correct answer is D ― Configuring third-party authentication with Security Assertion Markup Language (SAML).
According to the WGU KFO1 / D488 Study Guide, SAML enables Single Sign-On (SSO) and federated identity across different domains by securely exchanging authentication and authorization data between an identity provider (such as an organization's Active Directory Federation Services) and a service provider (such as Azure). This allows on-premises users to log into cloud services using their existing corporate credentials.
TLS (A) provides secure communication but does not manage identity federation. 2FA (B) strengthens authentication but is not about identity federation setup. LDAP (C) is a protocol for accessing directory services, not specifically designed for federation across cloud platforms.
Reference Extract from Study Guide:
"SAML is used to implement Single Sign-On (SSO) and federated identity management, allowing organizations to extend on-premises authentication capabilities to cloud services seamlessly."
― WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity and Access Management Concepts