Cybersecurity-Architecture-and-Engineering Exam Dumps - WGU Cybersecurity Architecture and Engineering (KFO1/D488)

Data encryptionprotects sensitive ERP system information by rendering the data unreadable to unauthorized users, even if the system is compromised. This is the most effective method to preserve confidentiality in a breach.

NIST SP 800-111 (Guide to Storage Encryption Technologies):

“Encryption ensures that even if data is exfiltrated or accessed by unauthorized individuals, it cannot be understood without the appropriate decryption keys.”

Backups and firewalls are important, butencryption directly protects data at restfrom unauthorized viewing.

🔹WGU Course Alignment:

Domain:System Security Engineering

Topic:Implement encryption controls for stored business data

The correct answer is C — Secure/Multipurpose Internet Mail Extensions (S/MIME).

As outlined in WGU Cybersecurity Architecture and Engineering (KFO1 / D488), S/MIME provides encryption, integrity, and authentication for email messages by using public key cryptography and digital signatures.

SMTP (A) is used for sending emails but does not secure them. PGP (B) also secures emails but is not a protocol; it is a program and standard. IPsec (D) secures network communications, not email specifically.

Reference Extract from Study Guide:

"Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol used to encrypt and digitally sign email communications, ensuring confidentiality, integrity, and authenticity."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Secure Communication Technologies

=============================================

SHA-256is a widely usedcryptographic hash functionthat generates a fixed-size output(digest) from input data. It is designed to detect even the smallest change in the input, thereby ensuringdata integrity.

NIST FIPS PUB 180-4 (Secure Hash Standard):

“SHA-256 is used to verify the integrity of data by producing a hash value that is unique to the input, enabling detection of unauthorized changes.”

Unlike RSA and AES (used for encryption), hash algorithms are one-way functions used forintegrity verification.

🔹WGU Course Alignment:

Domain:Cryptography

Topic:Apply hashing techniques to ensure data integrity

Real-time transaction monitoringhelps detect and respond to fraudulent activities (e.g., unauthorized access, anomalous transactions) as they happen. It’s critical in high-risk environments likeonline banking systems.

FFIEC IT Examination Handbook (Retail Payment Systems):

“Real-time fraud detection systems monitor for suspicious or anomalous transactions that may indicate identity theft, account takeover, or credit card fraud.”

This is anactive, risk-aware controlthat’s far more effective than backups or email restrictions for this use case.

🔹WGU Course Alignment:

Domain:Security Operations and Monitoring

Topic:Implement real-time monitoring systems for financial fraud detection

The correct answer is A — They act as an initial defense layer for potential threats.

According to WGU Cybersecurity Architecture and Engineering (KFO1 / D488), security edge devices such as firewalls, secure web gateways, and intrusion prevention systems (IPS) are placed at the network perimeter to serve as the first layer of defense against external threats.

DDoS protection (B) may be part of a broader security solution but is not the main role of general edge devices. SIEM modules (C) collect and correlate logs, not defend at the perimeter. TPM devices (D) are hardware-based cryptographic modules, not network edge defenses.

Reference Extract from Study Guide:

"Security edge devices provide the first line of defense against external threats by monitoring, filtering, and blocking malicious traffic entering the corporate network."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Network Security and Perimeter Defense

The correct answer is C — Least privilege.

According to the WGU Cybersecurity Architecture and Engineering (KFO1 / D488) course material, the principle of least privilege ensures that users are granted only the minimum level of access required to perform their job functions. In this case, if the insider only had access to resources necessary for their user role, they would not have been able to access sensitive administrative information.

Password complexity (A) strengthens account security but does not prevent excessive access. Separation of duties (B) divides critical tasks but is not solely about limiting access. Job rotation (D) moves employees between roles but is not an access control measure.

Reference Extract from Study Guide:

"The principle of least privilege requires limiting user access rights to the minimum necessary to perform their tasks, reducing the risk of insider threats and unauthorized access to sensitive information."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Access Control Principles

=============================================

ChaChais a modern, high-performancestream cipherderived from Salsa20, known for its resistance to timing attacks and its use inTLS 1.3 and mobile securitydue to its efficiency and security. When paired withPoly1305, it provides bothencryption and authentication.

RFC 8439 (ChaCha20 and Poly1305 for IETF Protocols):

“ChaCha20 is a secure cipher designed for high-speed software implementations. It is robust against side-channel and cryptanalytic attacks and is used in conjunction with Poly1305 for authenticated encryption.”

CBC, ECB, and CTR are block cipher modes, not stream ciphers.

🔹WGU Course Alignment:

Domain:Cryptography

Topic:Identify secure and modern stream ciphers for real-time encryption

The correct answer is B — Elliptic Curve Diffie-Hellman (ECDH).

WGU Cybersecurity Architecture and Engineering (KFO1 / D488) material highlights that ECDH is an enhanced, more efficient form of the traditional Diffie-Hellman key exchange, using elliptic curve cryptography (ECC). It provides similar security with much smaller key sizes, improving performance and efficiency.

DH (A) is the traditional method but is less efficient. RSA (C) is primarily used for encryption and digital signatures. DSA (D) is used for digital signatures, not for key exchange.

Reference Extract from Study Guide:

"Elliptic Curve Diffie-Hellman (ECDH) enhances traditional key exchange by utilizing elliptic curve cryptography, offering higher security with smaller key sizes and improved efficiency."

— WGU Cybersecurity Architecture and Engineering (KFO1 / D488), Cryptographic Key Management