Cybersecurity-Architecture-and-Engineering WGU Cybersecurity Architecture and Engineering (KFO1/D488) Free Practice Exam Questions (2025 Updated)

The correct answer is D — Federated authentication.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) explains that federated authentication allows two or more organizations to share identity information securely withoutneeding to maintain separate user accounts for external users. It supports cross-organizational access based on trusted identity providers.

Cloud identity providers (A) offer centralized authentication but don't address federation directly. SSO (B) simplifies authentication within an organization. MFA (C) adds security but does not enable cross-organization authentication.

Reference Extract from Study Guide:

"Federated authentication enables organizations to share identity information and trust external credentials without the need to manage separate accounts for external users."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity Federation and Single Sign-On Concepts

=============================================

The statement refers to the different types of media that can be used for data backup. Backup media encompasses various storage devices and methods used to store copies of data. Examples include:

CDs and DVDs: Optical storage media used for smaller-scale backups.

Hard drives: Mechanical or solid-state drives used for local and external backups.

Cloud storage: Online services providing remote storage and access to backups.

Choosing the appropriate backup media is crucial for ensuring data availability and recovery in case of data loss.

References

David M. Kroenke and Randall J. Boyle, "Using MIS," Pearson.

Curtis Preston, "Backup & Recovery: Inexpensive Backup Solutions for Open Systems," O'Reilly Media.

The correct answer is B — Password policies.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) emphasizes that strong password policies, including requirements for complexity, minimum length, expiration, and reuse restrictions, are essential for protecting user credentials from compromise.

Object storage (A) and removable storage (C) deal with data storage, not password management. Hardware key managers (D) manage cryptographic keys, not passwords directly.

Reference Extract from Study Guide:

"Implementing strong password policies enforces secure password practices among users, reducing the risk of credential compromise."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity and Access Management Controls

=============================================

A system administrator is responsible for managing, installing, and maintaining an organization's computer systems and networks. This role involves configuring new hardware, setting up user accounts, troubleshooting system and network issues, and ensuring the systems run efficiently.

The correct answer is D — Secure Shell (SSH).

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials state that SSH provides strong encryption and authentication for remote access over unsecured networks. SSH ensures that sessions are confidential and that only authorized users can access remote systems.

HTTP (A) and FTP (B) transmit data in plaintext and do not provide encryption. Telnet (C) also transmits data in plaintext and is insecure for remote access.

Reference Extract from Study Guide:

"Secure Shell (SSH) is used for secure remote management, offering encrypted communications and authentication mechanisms to protect against unauthorized access and eavesdropping."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Protocols and Communications

=============================================

Aproprietary software licensetypically grants a business or user theright to usethe software.

Unlike open-source licenses, proprietary licenses do not usually allow modification, redistribution, or reverse engineering.

The software remains the property of the company that created it, and the licensee is only granted specific, limited rights.

Examples:Many enterprise software applications come with proprietary licenses that specify the terms of use.

A Business Intelligence (BI) system is designed to analyze and present data in a way that supports decision-making processes. It helps organizations make informed, strategic decisions by providing insights through data analysis, visualization, and reporting. BI systems aggregate data from various sources, enabling a comprehensive view of the business that informs planning and strategy.

Packet sniffing is a technique used to capture and analyze network traffic, which can include intercepting passwords while they are in transit.

When data packets are transmitted over a network, a packet sniffer can capture these packets, and if they are not encrypted, it can read sensitive information like passwords.

The other options:

Buffer overflow is a type of attack that exploits a program's memory handling.

Phishing is a social engineering attack to deceive users into providing sensitive information.

Black hat refers to a hacker with malicious intent, not a specific technique.

Therefore, packet sniffing is the correct technique for obtaining passwords in transit.

The correct answer is D — Implementation of multifactor authentication for all user accounts.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), multifactor authentication (MFA) strengthens identity verification by requiring multiple forms of credentials, significantly reducing the risk of identity theft.

Firewalls (A) and USB port controls (B) improve system security but do not directly prevent identity theft. Vulnerability scanning and patch management (C) address software weaknesses but not user authentication.

Reference Extract from Study Guide:

"Multifactor authentication (MFA) enhances user account security by requiring multiple verification factors, making it significantly harder for attackers to commit identity theft."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Identity and Access Management Best Practices

The correct answer is C — Strong authentication.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488) materials, PCI DSS compliance requires strong access controls, including strong authentication mechanisms, especially when accessing environments containing cardholder data. SSH access must be protected with methods such as multi-factor authentication or strong, complex credentials to ensure that only authorized users gain access.

Patch management (A) maintains system security but is not specifically about authentication. Network segmentation (B) limits data exposure but does not directly relate to authentication. Vulnerability analysis (D) identifies weaknesses but does not address the need for strong authentication when connecting to sensitive environments.

Reference Extract from Study Guide:

"Strong authentication mechanisms are crucial to protect access to environments that store, process, or transmit cardholder data, in compliance with PCI DSS standards."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Regulatory Compliance and Access Control

=============================================

Big data refers to the use of large and complex data sets that traditional data-processing software cannot adequately handle. Businesses leverage big data to analyze and systematically extract information from large datasets, which helps them gain valuable insights, improve decision-making, enhance customer experiences, and optimize business processes. This capability is critical in today's data-driven world, where informed decision-making can significantly impact a company's success.

Access rights are critical components of access control mechanisms in information security. They specify what actions users or systems can perform on specific resources, limiting them to only permitted items.

Definition: Access rights, also known as permissions, are rules that define the allowed actions on a resource (e.g., read, write, execute).

Implementation: Access rights are typically implemented using Access Control Lists (ACLs), Role-Based Access Control (RBAC), or other access control models.

Purpose: The main goal is to enforce the principle of least privilege, ensuring that users can only access the resources necessary for their role.

References

NIST Special Publication 800-53

ISO/IEC 27001:2013

"Computer Security: Principles and Practice" by William Stallings

The correct answer is C — Implementation of role-based access controls and encryption of all sensitive data.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), the combination of role-based access control (RBAC) and encryption protects sensitive health data by ensuring only authorized users can access necessary information, while encryption ensures the data remains secure both at rest and in transit.

Disabling USB ports (A) prevents data exfiltration but does not fulfill broad privacy requirements. Encrypting network traffic (B) protects in-transit data only. Firewalls (D) protect against unauthorized access but do not manage user roles or internal data privacy.

Reference Extract from Study Guide:

"Protecting sensitive health data requires a combination of access control models such as RBAC and encryption, ensuring both authorization and confidentiality."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Privacy and Data Protection Strategies

The correct answer is C — Encrypting data.

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) states that encryption is the best defense against man-in-the-middle attacks because even if traffic is intercepted, the data remains unreadable without the appropriate decryption keys.

Disabling Wi-Fi (A) is not practical and does not eliminate MITM threats entirely. Password policies (B and D) strengthen account security but do not protect data transmission.

Reference Extract from Study Guide:

"Encryption ensures the confidentiality of data in transit, preventing unauthorized parties from accessing the content even during man-in-the-middle attacks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Data Transmission Security

=============================================

The correct answer is A — Virtual private network (VPN).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), a VPN creates an encrypted tunnel over public or private networks, ensuring confidentiality, integrity, and authentication of data transmitted between geographically dispersed offices.

SIEM (B) manages security events, not secure communications. PPTP (C) is an outdated and insecure VPN protocol. NAC (D) enforces endpoint security but does not establish secure tunnels.

Reference Extract from Study Guide:

"A virtual private network (VPN) provides a secure, encrypted tunnel between geographically separated networks, enabling confidential communication over untrusted networks."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Remote Access Technologies

The feature in collaboration software that allows only one user to modify a document at a time ensures data integrity.

Data integrity refers to the accuracy and consistency of data over its lifecycle.

By restricting modification access to one user at a time, the system prevents concurrent changes that could lead to data conflicts or corruption.

The other options:

Data availability ensures data is accessible when needed.

Data confidentiality ensures data is protected from unauthorized access.

Data accessibility refers to the ease of accessing data.

Therefore, ensuring data integrity is the purpose of this feature.

The correct answer is C — Reverse proxy.

As per the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) course content, a reverse proxy server acts on behalf of web servers by caching static content (such as images, scripts, and HTML files), significantly reducing server load. It also provides an additional layer of protection by hiding the backend servers from direct exposure to clients and enabling centralized application of security policies such as SSL termination and Web Application Firewall (WAF) integration.

Firewall rule changes (A) manage access control but do not handle caching or reduce load. An IDS (B) monitors for intrusions but doesn’t offload traffic or cache content. NAT (D) translates IP addresses but doesn't cache content or add a protection layer.

Reference Extract from Study Guide:

"A reverse proxy server provides caching capabilities for static content and acts as a protective intermediary between client requests and backend servers, thus reducing server load and enhancing security."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Network Design Concepts

=============================================

An algorithm is a defined set of step-by-step procedures or a set of rules to be followed to perform a specific task or solve a problem. Here are the characteristics that describe an algorithm:

Unambiguous rules: Each step of an algorithm must be clearly defined and unambiguous. There should be no confusion in interpreting the instructions.

Definiteness: The algorithm should have a clear starting and stopping point, leading to a precise output after a finite number of steps.

Finiteness: Algorithms must terminate after a finite number of steps. They cannot run indefinitely.

Input and Output: An algorithm should take zero or more inputs and produce at least one output.

Therefore, the correct answer is "Unambiguous rules," as it directly reflects the essential characteristic of an algorithm being precise and clear in its steps.

References

Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein, "Introduction to Algorithms," MIT Press.

Donald E. Knuth, "The Art of Computer Programming," Addison-Wesley.

The correct answer is B — Business impact analysis (BIA).

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), a BIA identifies and prioritizes critical business functions and assesses the impact of disruptions on those functions. It determines recovery priorities and establishes the framework for disaster recovery and business continuity planning.

BCP (A) is the broader planning effort. DR (C) focuses on restoring systems. IR (D) responds to specific incidents, not overall business impacts.

Reference Extract from Study Guide:

"Business impact analysis (BIA) determines the criticality of business processes by assessing thepotential impacts of disruptions, providing the foundation for prioritizing recovery efforts."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Business Continuity and Disaster Recovery Planning

=============================================