Chapter 3: Architecture and Design Flashcards
(30 cards)
Question: What is a key security implication of “Cloud” architecture, particularly regarding data management?
A) Full control over infrastructure
B) Reduced reliance on third-party services
C) Shared responsibility, with user data management typically being the user’s responsibility
D) Increased physical isolation
Answer: C) Shared responsibility, with user data management typically being the user’s responsibility
Question: True or False: Infrastructure as Code (IaC) automation can speed deployment, but can also propagate errors or vulnerabilities quickly.
Answer: True
Question: What is the security implication of “Serverless” architecture?
Answer: Reduced infrastructure overhead but increased reliance on third-party services.
Question: What is the security implication of “Microservices” architecture regarding breach scope?
Answer: Isolation of services can limit breach scope, but increased inter-service communication can introduce new vulnerabilities.
Question: Which network infrastructure design involves no external network connections, reducing external threats?
A) Logical Segmentation
B) Software-defined Networking (SDN)
C) Physical Isolation (Air-gapped)
D) High Availability
Answer: C) Physical Isolation (Air-gapped)
Question: In the context of architecture models, what is the security implication of “On-premises” infrastructure?
Answer: Full control over infrastructure but also full responsibility for all aspects of security.
Question: What is the security implication of “IoT” (Internet of Things) devices?
Answer: Expanded attack surface with many devices, often with limited security features.
Question: Which consideration when evaluating architecture models refers to whether the system can recover from attacks or failures?
A) Availability
B) Cost
C) Resilience
D) Scalability
Answer: C) Resilience
Question: When securing enterprise infrastructure, what is the purpose of creating “Security Zones” like DMZs?
Answer: To isolate public-facing services and segregate them from internal networks.
Question: In the context of device placement and attack surface, what should be minimised to reduce potential entry points for attackers?
A) Necessary services
B) Unnecessary services, ports, and software
C) Secure connections
D) Critical devices
Answer: B) Unnecessary services, ports, and software
Question: Which “Failure Mode” defaults to allowing traffic when a security device fails, and is used where availability is crucial?
A) Fail-closed
B) Fail-open
C) Active
D) Passive
Answer: B) Fail-open
Question: True or False: An “Inline” network appliance observes traffic without direct interaction, while a “Tap/Monitor” device is part of the traffic flow and can block malicious activity.
Answer: False (Inline devices are part of the traffic flow and can block; Tap/Monitor devices observe without direct interaction.)
Question: Which network appliance filters and monitors web requests?
A) Jump Server
B) IPS/IDS
C) Load Balancer
D) Proxy Server
Answer: D) Proxy Server
Question: Which port security protocol provides network access control using EAP over Ethernet?
A) EAP
B) 802.1X
C) TLS
D) IPSec
Answer: B) 802.1X
Question: Which firewall type protects web applications by inspecting HTTP/HTTPS traffic?
A) UTM
B) NGFW
C) WAF
D) Layer 4 Firewall
Answer: C) WAF
Question: What is the purpose of a “Jump Server” in securing enterprise infrastructure?
Answer: A secure, intermediate host that manages access to another host in a network.
Question: Which data type is subject to specific laws and regulations, such as personal data under GDPR or health data under HIPAA?
A) Trade Secret
B) Intellectual Property
C) Regulated Data
D) Financial Information
Answer: C) Regulated Data
Question: True or False: “Public” data has no confidentiality requirements and is available to everyone.
Answer: True
Question: What is “Data at rest”?
Answer: Stored data, such as files on a hard drive.
Question: Which data state refers to data being actively processed or accessed?
A) Data at rest
B) Data in transit
C) Data in use
D) Data sovereignty
Answer: C) Data in use
Question: What does “Data Sovereignty” refer to?
Answer: Digital data being subject to the laws of the country in which it’s located.
Question: Which method to secure data involves replacing sensitive data with non-sensitive placeholders?
A) Encryption
B) Hashing
C) Masking
D) Tokenisation
Answer: D) Tokenisation
Question: What is the purpose of “Obfuscation” as a data security method?
Answer: Deliberate act of creating source or machine code that’s difficult for humans to understand.
Question: What is the difference between “Load balancing” and “Clustering” in ensuring high availability?
Answer: Load balancing distributes incoming network traffic across multiple servers to prevent overload, while clustering links multiple servers so if one fails, others take over its workload.