Domain 3 Capstone: Security Architecture and Engineering
Domain 3 – Capstone Questions
Question 1
An organization is designing a new system that will process both public web content and internal confidential records in the same application. A security architect proposes separating the public-facing components from the confidential data processing using different security domains with controlled interfaces between them.
Which security design principle is the architect applying?
A. Security domain separation — isolating components that process data at different classification levels with controlled communication paths
B. Defense in depth — layering multiple controls to protect the confidential data
C. Least privilege — restricting the public-facing components to only the data they need
D. Fail-secure — ensuring that if the public component fails, confidential data is not exposed
Answer & reasoning
Correct: A
The architect is applying security domain separation by creating distinct processing environments for different classification levels with controlled interfaces. This prevents unauthorized data flow between the public and confidential domains. While defense in depth, least privilege, and fail-secure are all relevant supporting principles, the primary design decision being made is domain separation.
Question 2
A healthcare organization encrypts patient records using AES-256. The encryption keys are stored on the same server as the encrypted data, protected by file system permissions. A penetration test reveals that an attacker who gains administrative access to the server can read both the encrypted data and the keys.
What cryptographic management principle has been violated?
A. The encryption algorithm is insufficient for healthcare data
B. The key length should be increased to 512 bits
C. Key storage must be separated from the data the keys protect — a hardware security module (HSM) or separate key management system should hold the keys
D. The data should use asymmetric encryption instead of symmetric
Answer & reasoning
Correct: C
Storing encryption keys on the same server as the encrypted data means that anyone who compromises the server gains access to both. Key management requires separation of keys from data. An HSM or dedicated key management system ensures that even if the data server is compromised, the keys remain protected. AES-256 is appropriate for healthcare data, and 512-bit AES does not exist.
Question 3
A government agency implements the Bell-LaPadula model for a classified information system. An analyst with Secret clearance needs to create a report that combines information from both Confidential and Secret sources.
Under Bell-LaPadula, at what level must the report be classified?
A. Confidential, because the analyst should write down to the lower classification
B. Secret, because Bell-LaPadula’s “no write down” (star property) prevents a Secret-cleared subject from writing to a lower classification level
C. The analyst can choose either classification level based on the content
D. Unclassified, because the report is a new document
Answer & reasoning
Correct: B
The Bell-LaPadula star property (no write down) prevents a subject from writing information to a lower classification level. An analyst operating at the Secret level cannot create a document at the Confidential level because doing so would effectively write Secret-level information down to a less protected container. The report must be classified at the Secret level or higher.
Question 4
An organization discovers that its web application is vulnerable to a buffer overflow attack. The development team patches the specific vulnerability, but a security architect recommends implementing Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) across the entire application platform.
Why does the architect recommend platform-wide protections beyond the specific patch?
A. ASLR and DEP are required by compliance regulations for all web applications
B. The specific patch only fixes one instance; other buffer overflow vulnerabilities may exist
C. Platform-wide protections are less expensive than patching individual vulnerabilities
D. ASLR and DEP provide defense in depth by mitigating entire classes of memory-based attacks, not just the single vulnerability that was discovered
Answer & reasoning
Correct: D
ASLR randomizes memory addresses, making it harder for attackers to predict where code and data reside. DEP marks memory regions as non-executable, preventing injected code from running. Together, they mitigate entire classes of memory-based attacks (buffer overflows, heap sprays, return-oriented programming) rather than addressing a single vulnerability. This is defense in depth at the platform level.
Question 5
A financial services firm needs to implement digital signatures for regulatory filings. The signatures must provide non-repudiation, and the firm must be able to verify the signer’s identity months after the document is signed.
What cryptographic infrastructure is required?
A. A public key infrastructure (PKI) with a certificate authority that binds the signer’s identity to their public key, combined with timestamping to establish when the signature was created
B. A symmetric encryption system with shared keys distributed to all authorized signers
C. A hash function applied to the document with the hash stored in a secure database
D. A message authentication code (MAC) generated with a shared secret key
Answer & reasoning
Correct: A
Digital signatures that provide non-repudiation require asymmetric cryptography where the signer uses their private key (which only they possess) to sign, and anyone can verify using the corresponding public key. PKI binds the signer’s identity to their public key through certificates issued by a trusted CA. Timestamping establishes the signing time for long-term verification. Symmetric keys and MACs cannot provide non-repudiation because the shared secret is known to multiple parties.
Question 6
An e-commerce company’s system processes credit card transactions and also serves as the customer support portal. A security assessment reveals that the payment processing module and the support portal share the same database, the same application server, and the same network segment.
Which security architecture principle is MOST directly violated?
A. Fail-secure design
B. Separation of duties and least privilege — the support portal should not have access to the payment processing infrastructure, and the systems should be segmented
C. Defense in depth — there should be multiple firewalls between the systems
D. Open design — the architecture should be publicly documented
Answer & reasoning
Correct: B
The support portal has no business need for access to payment card data, yet the shared infrastructure gives it implicit access. Separation requires isolating systems that process different sensitivity levels onto different infrastructure. This is also a PCI DSS requirement — cardholder data environments must be segmented from other systems. The violation is fundamentally about separating functions and restricting access to what each component needs.
Question 7
An organization uses TLS 1.3 for all external web traffic. A security audit reveals that internal services communicate using unencrypted HTTP because “the internal network is trusted.” An attacker who compromises a single internal host could monitor all inter-service traffic.
What security architecture principle does the “trusted internal network” assumption violate?
A. Separation of duties
B. Fail-secure design
C. Zero trust — the assumption that the internal network is inherently safe ignores the possibility of lateral movement after an initial compromise
D. Least common mechanism
Answer & reasoning
Correct: C
Zero trust architecture assumes no implicit trust based on network location. Treating the internal network as trusted means that any internal compromise immediately exposes all inter-service communication. Zero trust requires authentication and encryption for all communication regardless of network segment, eliminating the assumption that internal traffic is safe from interception.
Question 8
A data center has both a pre-action sprinkler system and an FM-200 gas suppression system in the server room. The FM-200 system activates during a small electrical fire and successfully suppresses it. However, the pre-action system also activates 30 seconds later, flooding the room with water and causing more damage than the fire would have.
What design error caused the water damage?
A. FM-200 should not be installed alongside water-based systems
B. The FM-200 system should have been replaced with a CO2 system
C. Pre-action systems should never be installed in server rooms
D. The suppression systems were not properly interlocked — successful activation of the gas system should have inhibited the pre-action system from discharging
Answer & reasoning
Correct: D
When a facility has both gas and water suppression, the systems must be interlocked so that they operate in a coordinated sequence, not independently. The gas system should be the primary response for the server room, and the water system should only activate if the gas system fails to suppress the fire. Without interlocking, both systems activate independently, and the water system negates the advantage of having a clean agent system.
Question 9
An organization implements a security kernel that mediates all access between subjects and objects. During testing, a developer discovers that a specific API call bypasses the kernel and accesses a database directly.
Which security architecture principle is violated?
A. Complete mediation — the reference monitor must mediate every access request without exception
B. Least privilege — the API should have fewer permissions
C. Economy of mechanism — the kernel is too complex
D. Open design — the bypass should be documented
Answer & reasoning
Correct: A
Complete mediation requires that the reference monitor (security kernel) check every access to every object every time. An API that bypasses the kernel creates an unmediated access path that circumvents all access control policies. The principle demands no exceptions — if any path exists that avoids the reference monitor, the entire security model is undermined because an attacker only needs to find one unmediated path.
Question 10
An organization stores its most sensitive intellectual property in a vault-like room requiring badge, PIN, and retinal scan for entry. However, the HVAC ductwork leading into the room is large enough for a person to crawl through and has no barriers or sensors.
What physical security failure does this represent?
A. The biometric system should use fingerprint instead of retinal scan
B. Defense in depth failure — the access controls at the door are bypassed by an unprotected alternate entry path through the HVAC system
C. The room should use a security vestibule instead of a single door
D. CCTV should be installed inside the HVAC duct
Answer & reasoning
Correct: B
Strong access controls at the entrance are meaningless if an alternate physical entry path exists with no controls. The HVAC ductwork creates a bypass that renders the three-factor authentication at the door irrelevant. Defense in depth requires considering all possible paths of entry, not just the primary door. Duct barriers, sensors, or reducing duct size to prevent human entry are appropriate mitigations.
Question 11
A system processes data at multiple classification levels simultaneously. Users with different clearance levels access the system concurrently. The system enforces mandatory access controls that prevent users from accessing data above their clearance level.
What type of system is this?
A. A dedicated security mode system
B. A system-high security mode system
C. A compartmented security mode system
D. A multilevel security (MLS) system that enforces MAC to allow users with different clearance levels to process data at different classification levels simultaneously
Answer & reasoning
Correct: D
A multilevel security system processes data at multiple classification levels and allows users with different clearances to access the system simultaneously. MAC enforcement prevents unauthorized access to higher-classified data. Dedicated mode requires all users to have clearance and need-to-know for all data. System-high requires all users to have clearance for the highest level but not need-to-know for all data. Compartmented requires clearance for the highest level plus formal approval for specific compartments.
Question 12
An organization’s web application uses client-side JavaScript validation to check that uploaded files are under 10 MB and are only PDF or DOCX format. A security tester bypasses the JavaScript validation and uploads a 50 MB executable file that the server processes without question.
What secure design principle was violated?
A. Open design
B. Least privilege
C. Never trust client-side validation — all security-relevant validation must be enforced server-side because client-side controls can be bypassed by any user
D. Fail-secure
Answer & reasoning
Correct: C
Client-side validation improves user experience but provides no security because the client is under the user’s control. Any validation that enforces a security boundary must be performed server-side where the application controls the execution environment. This is a fundamental principle of secure application design: the server must validate all input regardless of what the client claims to have checked.
Question 13
A security architect is designing a system that must remain functional even when individual components fail. The architect implements redundant servers, redundant network paths, and automatic failover. However, when a failover actually occurs, the backup server comes online with debug logging enabled and administrative ports open — a less secure configuration than the primary.
What principle was violated in the failover design?
A. Fail-secure — when a system fails, it should default to a secure state, not a degraded security posture
B. Complete mediation — the failover should check all access requests
C. Separation of duties — the failover should be managed by a different team
D. Economy of mechanism — the failover system is too simple
Answer & reasoning
Correct: A
Fail-secure (or fail-safe) means that when a system fails or transitions to a backup, the resulting state must maintain security controls. A backup server with debug logging and open administrative ports is in a less secure state than the primary. The failover configuration should mirror the production security baseline. Failing into a degraded security posture turns a component failure into a security exposure.
Question 14
An organization uses a Tier II data center (redundant capacity components, single distribution path). The CTO proposes upgrading to Tier IV (fault tolerant, multiple active distribution paths) to support a new high-availability trading platform. The CFO argues that Tier III (concurrently maintainable) is sufficient.
What factor should drive this decision?
A. The cost difference between Tier III and Tier IV facilities
B. The trading platform’s availability requirement — if the platform cannot tolerate any single fault causing downtime, Tier IV is required; if it can tolerate brief maintenance windows, Tier III may suffice
C. The number of servers the trading platform requires
D. Whether the data center is owned or leased
Answer & reasoning
Correct: B
Data center tier selection is driven by the availability requirements of the systems it hosts. Tier III provides concurrent maintainability (no downtime for planned maintenance) but has a single active distribution path. Tier IV provides fault tolerance with multiple active paths, surviving any single failure without impact. The decision depends on whether the trading platform’s availability requirements demand fault tolerance or just concurrent maintainability.
Question 15
A development team completes a web application and schedules a penetration test before deployment. The test reveals a SQL injection vulnerability in the login form, an insecure direct object reference in the document retrieval API, and missing rate limiting on the authentication endpoint.
What does the variety of these findings indicate about the development process?
A. The penetration test was overly aggressive
B. The application should be rewritten from scratch
C. The development team used outdated programming tools
D. Security was not integrated into earlier lifecycle phases — threat modeling, secure coding standards, and code review would have caught these issues before they reached the penetration testing stage
Answer & reasoning
Correct: D
SQL injection, insecure direct object references, and missing rate limiting are well-known vulnerability categories that should be addressed during design (threat modeling) and development (secure coding standards, code review, static analysis). Finding all three at the penetration testing stage indicates that security activities were absent from earlier lifecycle phases. The later in the lifecycle that vulnerabilities are discovered, the more they cost to fix.
Question 16
An organization builds a new office with glass-walled conference rooms visible from the lobby. Executives regularly display confidential financial projections and M&A plans on the conference room screens during board meetings. A visitor in the lobby can read the screens from 30 feet away.
Which combination of controls BEST addresses this exposure?
A. Install CCTV in the lobby to identify anyone who might be reading the screens
B. Restrict board meetings to after-hours when no visitors are present
C. Apply privacy film to the conference room glass and implement a screen positioning policy that faces displays away from public areas
D. Replace the screens with smaller monitors that cannot be read from a distance
Answer & reasoning
Correct: C
Privacy film restricts the viewing angle so that screens are not visible from outside the room. Combined with screen positioning that faces displays away from the lobby, this addresses the visual exposure without requiring schedule changes or infrastructure replacement. CCTV detects observation after the fact but does not prevent the data exposure. Restricting meeting times is impractical. Smaller monitors reduce readability but do not eliminate the exposure.
Question 17
An organization uses a stream cipher to encrypt real-time voice communications. A cryptanalyst discovers that the same keystream has been used for two different communication sessions due to a key management error.
What is the PRIMARY cryptographic risk?
A. An attacker can XOR the two ciphertexts together to eliminate the keystream, revealing information about both plaintexts — a known vulnerability called keystream reuse
B. The voice quality will degrade due to the repeated keystream
C. The stream cipher should be replaced with a block cipher
D. The key length is insufficient for voice encryption
Answer & reasoning
Correct: A
Stream cipher security depends entirely on the keystream being unique for every session. When the same keystream encrypts two different messages, an attacker can XOR the two ciphertexts together to cancel out the keystream, leaving only the XOR of the two plaintexts. With known or guessable content in either message, the other message can be recovered. This is a fundamental stream cipher vulnerability that key management must prevent.
Question 18
A security team is reviewing the physical access control system for a research facility. The biometric fingerprint readers at the entrance have a False Acceptance Rate (FAR) of 1 in 10,000 and a False Rejection Rate (FRR) of 1 in 50. Authorized researchers complain about frequent access denials.
What should the security team recommend?
A. Replace fingerprint readers with iris scanners, which have no false rejections
B. Adjust the biometric sensitivity threshold to reduce the FRR, accepting that the FAR will increase, and determine if the resulting FAR is acceptable for the facility’s risk profile
C. Remove biometric authentication entirely and rely on badge-only access
D. Add a second fingerprint reader so users can try twice without delay
Answer & reasoning
Correct: B
Biometric sensitivity is a trade-off between FAR and FRR. The current system is tuned for very low FAR (high security) at the cost of high FRR (frequent legitimate denials). Adjusting the sensitivity reduces FRR but increases FAR. The governance decision is whether the resulting FAR is acceptable for the facility’s classification level. No biometric system has zero false rejections. Removing biometrics degrades the security posture.
Question 19
An organization’s Authorizing Official grants an ATO for a new cloud-based HR system. Eight months later, the cloud provider migrates the system to a different geographic region to improve performance, moving the data to servers in a country with different privacy regulations.
What should happen to the ATO?
A. The ATO remains valid because the cloud provider made the change, not the organization
B. The ATO is automatically revoked whenever data crosses international borders
C. The ATO must be reassessed because the geographic relocation changes the risk profile — different jurisdictional regulations, data sovereignty considerations, and potentially different physical security controls at the new facility
D. The cloud provider’s existing certification covers the change
Answer & reasoning
Correct: C
An ATO is based on a specific risk assessment. When the conditions underlying that assessment change significantly — such as data moving to a different legal jurisdiction — the authorization must be reassessed. The geographic relocation introduces regulatory, sovereignty, and physical security variables that were not evaluated in the original authorization. The Authorizing Official must determine whether the new risk profile is acceptable.
Question 20
A security architect reviews an application design that stores user session tokens in URL parameters (visible in browser history, server logs, and referrer headers). The architect also notes that the application performs authorization checks only at login, not on subsequent requests.
How many distinct security design flaws does this description contain, and what categories do they fall into?
A. One flaw — both issues relate to inadequate session management
B. Two flaws — insecure session token storage and missing input validation
C. Three flaws — token storage, authorization bypass, and logging exposure
D. Two flaws — insecure session token transmission (tokens in URLs expose them through multiple channels) and incomplete authorization (checking only at login, not on each request, allows session hijacking to bypass access controls)
Answer & reasoning
Correct: D
There are two distinct flaws. First, session tokens in URL parameters are exposed through browser history, server logs, referrer headers, and shoulder surfing — this is insecure token transmission. Second, authorization only at login means that once a session is established (legitimately or through hijacking), no further access checks occur. These are separate flaws requiring different mitigations: tokens should be in secure, HTTP-only cookies, and authorization must be checked on every request.
Executive Pattern Summary
Domain 3 covers the engineering and architectural foundations that determine whether security controls actually work. Before reviewing your results, internalize these six decision patterns that connect every topic in this domain:
- Design determines destiny. Architectural decisions made during design constrain every security control that follows. A system designed without security domains, proper mediation, or fail-secure behavior cannot be fixed with add-on controls. When a scenario describes a fundamental design weakness, the answer involves redesign, not additional layers on a flawed foundation.
- Cryptography is about key management, not algorithms. The algorithm choice matters, but most cryptographic failures occur in key management: weak key generation, improper key storage, key reuse, and failure to rotate or destroy keys. When a crypto question describes a failure, check the key management practices before questioning the algorithm.
- Physical security mirrors logical security. Zones, access controls, defense in depth, and least privilege apply to buildings the same way they apply to networks. A zone mismatch in a facility is the same governance failure as sensitive data on an unprotected network segment. Match the physical control level to the asset classification.
- Proportionality governs everything. The right control is not the strongest control — it is the one proportional to the risk. Vault-level physical security for a break room wastes resources. Single-factor authentication for a nuclear facility is negligent. Every answer on the exam is measured against whether the response matches the risk.
- The lifecycle never stops. Authorization is not a one-time event. Configuration baselines drift. Threats evolve. Systems reach end of life. The correct answers always account for ongoing governance: continuous monitoring, periodic reassessment, change control, and proper disposal. A system that was secure at deployment is not automatically secure today.
- Separation prevents cascading failure. Whether it is security domains in a system architecture, network segmentation between processing environments, or physical separation between classification zones, the principle is the same: a failure in one domain should not compromise another. When a scenario describes cross-domain contamination, the answer involves separation.