CompTIA Security+ Practice Questions: Architecture & Design

Explanation: RAID 1 provides fault tolerance by maintaining an exact copy (mirror) of all data on two or more disks. Learn more.

Explanation: Mantraps are physical security controls that prevent unauthorized individuals from following authorized personnel into secure areas. Learn more.

Explanation: NAC verifies device compliance with security policies before allowing network connectivity. Learn more.

Explanation: Firewalls enforce access control policies between networks by filtering traffic. Learn more.

Explanation: Cloud-based DDoS protection services can absorb massive attack traffic before it reaches your infrastructure. Learn more.

Explanation: Faraday cages block electromagnetic fields, preventing wireless signal leakage. Learn more.

Explanation: TPM chips provide secure cryptographic operations and key storage. Learn more.

Explanation: Bastion hosts are specially hardened systems designed to withstand attacks from external networks. Learn more.

Explanation: Jump servers act as intermediary access points to tightly controlled network segments. Learn more.

Explanation: Air gaps provide maximum security by eliminating network connections to protected systems. Learn more.

Explanation: Privacy screens limit viewing angles to prevent visual information theft. Learn more.

Explanation: Faraday bags block all radio signals to/from contained devices. Learn more.

Explanation: Proxies act as intermediaries that filter and forward client requests. Learn more.

Explanation: Mantraps physically prevent unauthorized personnel from following authorized individuals. Learn more.

Explanation: VPN concentrators handle large numbers of simultaneous secure remote connections. Learn more.

Explanation: NGFWs add application awareness and control to traditional firewall functions. Learn more.

Explanation: DMZs provide a semi-protected zone between internal networks and the internet. Learn more.

Explanation: WAFs specifically protect web apps by filtering malicious HTTP traffic. Learn more.

Explanation: Defense in depth (or layered security) involves implementing multiple, overlapping security controls. The idea is that if one layer is breached, subsequent layers will provide additional protection, slowing down or stopping an attacker. Learn more.

Explanation: Zero Trust is a security model based on the principle of 'never trust, always verify.' It requires strict identity verification for every person and device trying to access resources, regardless of whether they are inside or outside the network perimeter, and continuously validates trust. Learn more.

Explanation: The key difference is that an IDS monitors traffic and alerts on potential threats, whereas an IPS is placed inline and can take active measures to block or prevent detected threats from reaching their target. Learn more.

Explanation: Misconfigured permissions on cloud storage services like Amazon S3 buckets can inadvertently make sensitive data publicly accessible, leading to data breaches. Proper access control and regular audits are crucial. Learn more.

Explanation: Many IoT devices ship with default credentials that are widely known or have hardcoded credentials that cannot be changed. They also often lack robust mechanisms for firmware updates, making them vulnerable to exploitation. Learn more.

Explanation: A CASB sits between users and cloud applications to monitor activity and enforce security policies like data loss prevention and access control. Learn more.

Explanation: Containerization creates a secure, encrypted area on a personal device for business apps and data, isolating it from personal content. Learn more.

Explanation: Hot and cold aisle containment arranges server racks so that cool air intakes face each other (cold aisle) and hot air exhausts face each other (hot aisle) to improve cooling efficiency. Learn more.

Explanation: Secure Boot is a feature of UEFI that prevents 'unauthorized' operating systems and software from loading during the startup process. Learn more.

Explanation: SASE (Secure Access Service Edge) combines wide area networking (WAN) with comprehensive security functions (SWG, CASB, FWaaS, ZTNA) to support dynamic, secure access needs. Learn more.

Explanation: SAST (Static Application Security Testing) analyzes source code, byte code, or binaries for security vulnerabilities while the application is in a non-running state (white-box testing). Learn more.

Explanation: Edge computing brings computation and data storage closer to the location where it is needed (the 'edge' of the network), improving response times and saving bandwidth. Learn more.

Explanation: A demilitarized zone hosts externally reachable services while separating them from the internal network. Learn more.

Explanation: Zero Trust assumes no implicit trust based on location and requires continuous verification and least privilege. Learn more.

Explanation: In IaaS, the customer typically manages operating systems, applications, identities, and data controls. Learn more.

Explanation: Zero Trust assumes compromise is possible and applies segmentation, verification, and least privilege. Learn more.

Explanation: Cloud misconfigurations such as public storage exposure are common causes of data leakage. Learn more.