Chapter 55 Β· Quiz

Segmentation and Access Control Quiz

6 multiple-choice questions + 1 matching section. Select your answers, then click Submit.

Question 1 of 6
A security architect is designing a network for an organization that processes credit card payments. The architect creates a dedicated VLAN for point-of-sale terminals, payment servers, and the payment database β€” completely isolated from the corporate employee network. Which THREE benefits does this segmentation primarily provide?
Question 2 of 6
An access control list on a network device contains the following rules in order: (1) DENY src:192.168.1.0/24 dst:ANY port:ANY; (2) PERMIT src:192.168.1.50 dst:10.0.0.1 port:22. An administrator with IP 192.168.1.50 applies this ACL and immediately loses SSH access to the device at 10.0.0.1. What is the cause?
Question 3 of 6
A user's workstation is compromised by malware. The network uses a properly designed three-tier segmented architecture with firewall ACLs between each tier. Which statement BEST describes the attacker's ability to access the organization's database?
Question 4 of 6
An organization deploys antivirus software on all endpoints. A user opens a phishing email attachment containing a brand-new ransomware variant with no existing signatures. The ransomware executes and begins encrypting files. Which application control model would have prevented execution, and why?
Question 5 of 6
An organization uses AppLocker hash-based application control to permit their custom billing application. After the vendor releases a security update, all users find the billing application blocked on every workstation. What is the cause, and what is the correct long-term process to prevent recurrence?
Question 6 of 6
Which application control mechanism best prevents the common malware delivery pattern of dropping an executable in a user's Downloads or Temp folder and running it directly from there?

Matching β€” Segmentation and Access Control Concepts

Match each term on the left to its correct description on the right.

1. VLAN
2. Implicit Deny
3. Allow List
4. Application Hash Control
A. An application control mechanism that uses the cryptographic fingerprint of an executable binary to determine whether it is permitted to run β€” cannot be bypassed by renaming the file, but requires policy updates on every software version change
B. A logical network segmentation technology that creates isolated broadcast domains on shared physical switching infrastructure using IEEE 802.1Q frame tagging
C. The default action applied when no ACL rule matches an evaluated connection β€” typically blocks the traffic, enforcing a "deny unless explicitly permitted" security posture
D. An application control policy stance where nothing may execute unless it has been explicitly approved β€” blocks zero-day and unknown malware by default because they have no entry in the approved list