Acronyms Flashcards

1
Q

ECDHE

A

Elliptic Curve Diffie-Hellman Ephemeral

Overall Explanation:

The Elliptic Curve Diffie-Hellman Ephemeral, or ECDHE, option is the only method for sharing encryption keys over a public network. Cipher Block Chaining is a mode of operation for a block cipher. Triple DES (3DES) is a symmetric encryption algorithm, and RSA is an asymmetric encryption algorithm. When seeing DH as part of this one, try to remember the Diffie-Hellman key exchange.

2
Q

OCSP

A

Online Certificate Status Protocol

Overall Explanation:

The online certificate status protocol allows for interactively checking a certificate’s status. Another method used to validate a certificate’s status is a certificate revocation list, or CRL, which downloads the list of revoked certificates from the certificate authority. While she would be deploying a certificate authority, the question is really which method she will use for certificate status checking.

3
Q

AAA

A

Authentication, Authorization, Accounting

and….

Accounting, Aggregation, Auditing

4
Q

SASE

A

Secure Access Service Edge

Is a cloud-delivered framework that combines networking and security functions into a single platform, streamlining access and enhancing security for users and applications regardless of location.

A form of cloud architecture that combines a number of services as a single service. By providing services like Software-defined wide area network (SD-WAN), firewalls as a service, secure web gateways, and zero-trust network access, SASE will reduce cost and simplify management while improving security. The integrated nature of the architecture means the technologies used will work together efficiently. It may include a packet analyzer, but that isn’t the focus of the architecture.

5
Q

KRI

A

Key Risk Indicators

Overall explanation:
OBJ: 5.2 - KRIs are metrics that provide early warnings of increasing risk exposures, enabling organizations’ leadership to manage these risks proactively.

6
Q

OSI

A

Open Systems Interconnection

Is a conceptual framework that divides network communication functions into seven layers to help understand how applications communicate over a network.

“Please Do Not Throw Sausage Pizza Away”

The 7 Layers of the OSI Model:

Physical Layer 1:
This is the lowest layer, responsible for transmitting raw data bits over a physical medium (e.g., cables, wireless signals).

Function: Handles the physical transmission of data, including encoding, signal levels, and physical connections.

Protocols: IEEE 802.3, IEEE 802.11, RS-232, V.35, USB, DSL

Data Link Layer 2:
Provides reliable data transfer between two directly connected network nodes, including error detection and correction.

Function: Frames data for transmission and manages access to the physical medium.

Protocols: Wi-Fi, PPP, HDLC, Ethernet (MAC)

Network Layer 3:
Responsible for routing data packets across networks, using logical addressing (e.g., IP addresses).

Function: Determines the best path for data packets to travel from source to destination.

Protocols: IP, IPv6

Transport Layer 4:
Provides reliable and efficient data transfer between applications, including error control and flow control.

Function: Ensures data arrives at the destination in the correct order and without errors.

Protocols: TCP, UDP, SSH, SCTP, DCCP

Session Layer 5:
Establishes, manages, and terminates sessions between applications.

Function: Facilitates communication between applications, including authentication and authorization.

Protocols: NetBIOS, RPC, PPTP, SMB, AFP

Presentation Layer 6:
Handles data formatting, encryption, and compression to ensure data is presented in a usable format.

Function: Ensures data is presented in a way that applications can understand.

Protocols: ASCII, EBCDIC, SSL/TLS

Application Layer 7:
Provides network services to applications, allowing them to access network resources.

Function: The interface for applications to interact with the network, including protocols like HTTP and FTP.

Protocols: HTTP, SMTP, FTP, DNS, POP3, IMAP, Telnet, SQL

7
Q

NAC

A

Network Access Control

A security technology that provides visibility and control over devices accessing a corporate network, ensuring only authorized and compliant devices are allowed access.

8
Q

PMK

A

Pairwise Master Key

A cryptographic key shared between a wireless client and an access point (AP) for secure communication. It is derived from the network’s passphrase and used to generate session-specific keys.

9
Q

ECC

A

Elliptic Curve Cryptography

ECC offers comparable security to algorithms like RSA and DSA with shorter key lengths, resulting in faster and more efficient cryptographic operations, especially in resource-constrained environments.

Elliptic Curve Cryptography (ECC)
● Efficient, secure and uses an algebraic structure of elliptical curves
● Commonly used in mobile devices and low-power computing
● Six times more efficient than RSA for equivalent security
● Variants include
○ ECDH (Elliptic Curve Diffie-Hellman)
○ ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
○ ECDSA (Elliptic Curve Digital Signature Algorithm)

10
Q

SDLC

A

Software Development Life Cycle

Overall explanation:
OBJ: 5.1 - An SDLC ensures that security is a focal point in all stages of software development, from design to maintenance. While certain SDLC models, like Agile, prioritize quick deliveries, they don’t overlook security. SDLC integrates security throughout its phases, not just during testing. Even with a robust SDLC, software may still require updates and patches post-deployment.

Domain:
Security Program Management and Oversight

11
Q

ALE

A

Annualized Loss Expectancy

● Expected annual loss from a risk
● Calculated as SLE x ARO

12
Q

SLE

A

Single Loss Expectancy

● Monetary value expected to be lost in a single event
● Calculated as Asset Value x Exposure Factor (EF)

13
Q

ARO

A

Annualized Rate of Occurrence

● Estimated frequency of threat occurrence within a year
● Provides a yearly probability
● Calculated as ALE / SLE ($10,000 a year / $250 per device) = 40 devices a year.

14
Q

DAC

A

Discretionary Access Control

Is an authorization model where the owner of the resource decides who is allowed to access it.

15
Q

MAC

A

Mandatory Access Control

Is an authorization model where access to resources is determined by a set of rules defined by a central authority.

16
Q

RBAC

A

Role-Based Access Control

Is an authorization model that assigns permissions to roles, rather than individual users.

17
Q

ABAC

A

Attribute Based Access Control

Determines access through a combination of contexts and system wide attributes.

18
Q

WPS

A

Wi-Fi Protected Setup

It uses a very weak PIN as part of the connection configuration.

19
Q

APT

A

Advanced Persistent Threat

In an advanced persistent threat, the actor is able to gain access to a system and then continues to maintain that access or increase their level of access to more resources with a goal of remaining undetected for as long as possible.

20
Q

802.1x

A

Authentication

■ Provides port-based authentication for wired and wireless networks.

■ Requires three roles
● Supplicant
● Authenticator
● Authentication server

■ Utilizes RADIUS or TACACS+ for actual authentication

■ Prevents rogue device access

21
Q

DRP

A

Disaster Recovery Plan

● Focuses on plans and processes for disaster response
● Subset of the BC Plan
● Focuses on faster recovery after disasters
● Addresses specific events like hurricanes, fires, or floods

22
Q

WAF

A

Web Application Firewall

● Focuses on inspecting HTTP traffic
● Prevents common web application attacks like cross-site scripting and SQL injections
● Can be placed
○ In-line (live attack prevention)
■ Device sits between the network firewall and the web servers
○ Out of band (detection)
■ Device receives a mirrored copy of web server traffic

23
Q

HIPS

A

Host-based Intrusion Protection System

HIPS protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys.

24
Q

BPDU Guard

A

Bridge Protocol Data Unit

A type of network packet used by the Spanning Tree Protocol (STP) to exchange information between switches, ensuring a loop-free network topology.

BPDU Guard:
BPDU Guard is a security feature that protects ports from receiving BPDUs, preventing rogue devices from potentially disrupting the spanning tree topology.

Overall explanation:
BPDU guard is a configuration setting on a switch that tells it that only end user devices should be connected to a particular port, so it will ignore any messages that switches use to communicate with each other, such as those used to determine the spanning tree configuration.

Domain:
3.2 - Given a scenario, apply security principles to secure

25
PaaS
Platform as a Service

● Focus: Provides a platform for developers to build, deploy, and manage applications.
● Control: Users have less control over the underlying infrastructure but more control over the application's runtime and deployment environment.
● Management: The PaaS provider manages the infrastructure, including servers, storage, and networking, allowing developers to focus on application development.
● Examples: Heroku, Azure App Service, Google App Engine.
26
IaaS
Infrastructure as a Service

● Focus: Provides basic building blocks of cloud IT, including networking, computing (virtual or dedicated hardware), and storage.
● Control: Users have the most control over their IT resources, including operating systems, middleware, and applications.
● Management: Users are responsible for managing the infrastructure, including servers, storage, and networking.
● Examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP).
27
SCADA
Supervisory Control and Data Acquisition

SCADA systems are designed to gather, analyze, and process real-time data from various sensors and devices across an industrial environment, then transmit this data to a central location for monitoring and control.

How it works:
● Data Acquisition: SCADA systems collect data from field devices like sensors, meters, and controllers.
● Communication: This data is then transmitted over a network to a central control room or server.
● Monitoring and Control: Operators can monitor the data through a graphical user interface (GUI) and make adjustments or take actions to control the process remotely.
28
PAT
Port Address Translation

Overall Explanation:

Port address translation is typically used on home and SOHO routers where only one IP address is assigned by the Internet service provider. It is able to translate between multiple internal IP addresses and the single external IP address assigned by the ISP.

A type of Network Address Translation (NAT) that allows multiple devices on a private network to share a single public IP address by translating both IP addresses and port numbers.

Domain:
4.1 - Given a scenario, apply common security techniques to computing resources.

How it works:
● When a device on the private network wants to connect to the internet, the PAT device (usually a router) translates the device's private IP address and port number to the public IP address and a unique port number.
● This allows multiple devices to connect to the internet using the same public IP address, as each device is assigned a unique port number.
● When the internet sends a response back to the public IP address and port, the PAT device uses its translation table to determine which device on the private network the response should be sent to.
29
MAC
Mandatory Access Control

Overall explanation:

Mandatory access control uses classifications for data where the user must have a certain level of access, such as secret or top secret, in order to view the contents. Role-Based Access Control is where users are assigned to a group based upon their role or job responsibilities and then the group is assigned permissions to a file or object. Discretionary access control is where the owner of an object can give permissions to individual users directly for a file or object. TAC is not a valid access control model.

Domain:
4.6 - Given a scenario, implement and maintain identity and access management.
30
DAC
Discretionary Access Control

Discretionary Access Control (DAC) is a type of access control mechanism in which the owner or creator of a resource (such as a file, folder, or system) has the discretion or authority to determine who can access or modify that resource. In DAC systems, permissions are typically assigned by the owner, and they can include read, write, or execute rights.
31
TOTP
Time-Based One-Time Password

TOTP is a method of two-factor authentication (2FA) that generates a one-time password (OTP) based on the current time. It adds an additional layer of security when accessing systems, accounts, or services.

How TOTP Works:
● Time Synchronization: TOTP is based on the current time, typically using a shared secret key and the current timestamp. The time is divided into intervals (e.g., 30 seconds), and a unique OTP is generated for each time interval.
● Shared Secret Key: When a user registers for TOTP-based authentication, both the client (user’s device) and the server share a secret key (usually a randomly generated string). This key is used to generate and verify the one-time passwords.
● OTP Generation: The TOTP algorithm combines the shared secret key and the current time (in intervals) to generate a 6–8 digit OTP. Each OTP is valid only for a limited time (usually 30 seconds).
● User Login Process:
○ The user enters their username and password (first factor).
○ The user is then prompted to enter the TOTP generated on their device (second factor).
○ The server uses the same shared secret and time to verify the OTP entered by the user. If the OTP matches, the user is authenticated.
32
TGT
Ticket Granting Ticket (TGT)

In Kerberos authentication, a TGT is issued by the Key Distribution Center (KDC) after a user successfully authenticates with their password. The TGT is then used to request access to various network services by obtaining service tickets from the KDC. This process allows users to authenticate once and gain access to multiple services without needing to re-enter credentials each time.
33
DLP
Data Loss Prevention.

It refers to a set of technologies, policies, and strategies used by organizations to prevent the unauthorized access, misuse, or loss of sensitive data. DLP tools are designed to detect and prevent data breaches, exfiltration, or unwanted destruction of confidential information, such as personally identifiable information (PII), financial records, intellectual property, and more.

DLP solutions work by monitoring and controlling the movement of data across the network, endpoints, and storage systems. They use various methods like content inspection, contextual analysis, and pattern matching to identify sensitive data and enforce security policies.

Here are some key aspects of DLP:
● Content Inspection: Analyzing the content of emails, documents, and other files to detect sensitive information like credit card numbers, social security numbers, or other PII.
● Policy Enforcement: Setting rules and guidelines for how sensitive data can be accessed, transferred, or shared within an organization, and blocking any actions that violate these policies.
● Endpoint Protection: Ensuring that sensitive data on devices (like laptops, smartphones, and desktops) is properly protected and cannot be copied or transferred without permission.
● Network Monitoring: Observing network traffic to detect and block the transmission of sensitive data outside the organization.
● Incident Response: Providing alerts and logs to security teams when sensitive data is potentially being misused or exposed.

DLP solutions are often used in regulated industries (such as healthcare, finance, and legal) where protecting sensitive data is critical.
34
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

CCMP is an AES-based encryption protocol used in wireless networks, specifically in Wi-Fi Protected Access 2 (WPA2). It provides both data encryption and message integrity by combining:
● AES (Advanced Encryption Standard) for encryption.
● CCM (Counter with CBC-MAC) mode, which is a combination of Counter Mode (CTR) for encryption and Cipher Block Chaining Message Authentication Code (CBC-MAC) for message authentication.

CCMP ensures that the data transmitted over wireless networks is both encrypted and authenticated, preventing eavesdropping and tampering. It is considered much more secure than the older WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol) used in previous Wi-Fi security protocols.
35
PAP
Password Authentication Protocol (PAP) is a network authentication protocol that sends passwords in cleartext, meaning anyone who can sniff network packets can read them.

Explanation:
● Cleartext transmission: This means passwords are sent without any encryption, making them easily readable by anyone who intercepts the network traffic.
● Vulnerability: Using PAP exposes passwords to potential attackers who can eavesdrop on the network.

Key points about PAP:
● Outdated protocol: While still supported in some systems, PAP is considered insecure due to its cleartext password transmission.
● Secure alternatives: More secure authentication protocols like CHAP (Challenge Handshake Authentication Protocol) and EAP (Extensible Authentication Protocol) encrypt passwords during transmission, preventing eavesdropping.
36
DIG
Domain Information Groper.

It is a command-line tool used for querying DNS (Domain Name System) servers to obtain information about domain names, including IP addresses and other DNS records. The dig tool is widely used by network administrators, system administrators, and developers to troubleshoot and investigate DNS-related issues. It can be used to perform a variety of DNS lookups and is available on Unix-based systems (like Linux and macOS) and Windows (via third-party software or Windows Subsystem for Linux).

Common Uses of DIG:
● Querying DNS Records: Retrieve information about DNS records for a domain, such as A (Address) records, MX (Mail Exchange) records, CNAME (Canonical Name) records, etc.
● Troubleshooting DNS: Determine if a domain is resolving correctly and check if DNS servers are responding.
● DNS Lookup Types: Look up different types of records like A, AAAA, MX, NS, TXT, and others.
37
IRP
Incident Response Plan

Overall Explanation:

An incident response policy would define how a variety of different types of incidents can be handled and dealt with when they occur and is a good idea to have in place within organizations that have an IT department. A disaster recovery plan is also a good idea, but a virus is typically considered an incident, not a disaster.

Domain:
5.1 - Summarize elements of effective security governance.
38
AUP
Acceptable Use Policy

Overall Explanation:

An acceptable usage policy, or AUP, is an agreement that many organizations require new employees to sign stating that they understand what is allowed and what is not allowed in regards to the usage of company-owned systems and devices. The other three options (non-disclosure agreement; authentication, authorization, and accounting; and service-level agreement) are not relevant.

Domain:
5.1 - Summarize elements of effective security governance.
39
MTBF
Mean Time Before Failure

Overall Explanation:

The mean time between failures is the average amount of time between incidents where a component fails. The mean time to recovery describes the average amount of time that it takes to recover from an incident. The total cost of ownership is how much a particular device or service costs to deliver inclusive of licenses and support costs. The address resolution protocol resolves an IPv4 address to a MAC address.

Domain:
5.2 - Explain elements of the risk management process.
40
ITIL
Information Technology Infrastructure Library

Overall Explanation:

The Information Technology Infrastructure Library, or ITIL, is a set of best practices that IT organizations can implement to efficiently deliver services to their end users.

Domain:
5.1 - Summarize elements of effective security governance.
41
OUI
Organizationally Unique Identifier

"OUI" refers to the Organizationally Unique Identifier, a 24-bit part of a MAC address that identifies the manufacturer of a network device, allowing for device identification and potentially aiding in security analysis.

What is an OUI?
● The OUI is the first three bytes (or 24 bits) of a Media Access Control (MAC) address, which is a unique identifier assigned to a network interface controller (NIC).
● The Institute of Electrical and Electronics Engineers (IEEE) assigns these OUIs to organizations that manufacture network devices.
● Manufacturers then combine their OUI with a unique 24-bit identifier to create the full 48-bit MAC address for each device.
42
OSI Layer 7
Application Layer

Provides interfaces for user applications to access network services, such as web browsers and email clients.

Protocols - HTTP, SMTP, FTP, DNS, POP3, IMAP, Telnet, SQL
43
OSI Layer 6
Presentation Layer

Focuses on data translation, encryption, and compression for application-layer compatibility.

Protocols - ASCII, EBCDIC, SSL/TLS
44
OSI Layer 5
Session Layer

Manages session establishment, maintenance, and termination between applications.

Protocols - NetBIOS, RPC, PPTP, SMB, AFP
45
OSI Layer 4
Transport Layer

Ensures reliable end-to-end communication, data segmentation, and flow control.

Protocols - TCP, UDP, SSH, SCTP, DCCP
46
OSI Layer 3
Network Layer

Handles routing and logical addressing to facilitate data packet forwarding between different networks.

Protocols - IP, IPv6
47
OSI Layer 2
Data Link Layer

Responsible for data framing, error detection, and addressing on the local network segment.

Protocols - Wi-Fi, PPP, HDLC, Ethernet (MAC)
48
OSI Layer 1
Physical Link Layer

Manages the physical connection and transmission of data over the network medium.

Protocols - IEEE 802.3, IEEE 802.11, RS-232, V.35, USB, DSL
49
EAP
Extensible Authentication Protocol

■ A framework for various authentication methods
■ Has different variants that have their own features
50
IKE
Internet Key Exchange

A key management protocol used to establish secure communication channels, particularly for Virtual Private Networks (VPNs) and other secure connections, by managing encryption and authentication processes within the Internet Protocol Security (IPsec) framework.
51
IaC
Infrastructure as Code

The practice of managing security risks when using code to manage applications, cloud infrastructure, and other resources. It involves scanning code repositories and infrastructure configurations for security vulnerabilities and compliance violations.
52
AH
Authentication Header

Offers connectionless data integrity and data origin authentication for IP datagrams using cryptographic hashes as identification information.
53
ESP
Encapsulating Security Payload

● Provides confidentiality, integrity, and encryption
● Provides replay protection
● Encrypts the packet’s payload
54
IAAA
Identification, Authentication, Authorization, and Accounting
55
IAM
Identity and Access Management

○ Identity and Access Management (IAM)
■ Ensures the right individuals have the proper access to the right resources for the right reasons
■ Components
● Password Management
● Network Access Control
● Digital Identity Management
56
SAML
Security Assertion Markup Language

● Standard for logging users into applications based on sessions in another context
● Redirects users to an identity provider for authentication
● Eliminates the need for services to authenticate users directly
● Decouples services from identity providers, enhancing security and flexibility
56
LDAP
Lightweight Directory Access Protocol

It is a protocol that helps users find and manage information about users, devices, and other resources. It's used in many corporate environments for authentication and user management.

● What it does: Stores and manages data about users, devices, and other resources
● How it works: Uses a client-server model to allow users to search, update, and authenticate
● What it's used for: Centralized authentication, user management, and security
● How it's implemented: Uses a hierarchical structure to organize data
● What it's compatible with: Works with TCP/IP and integrates with other protocols like SAML and OAuth 2.0
57
PAM
Privileged Access Management

■ Solution that restricts and monitors privileged access within an IT environment
■ The policies, procedures, and technical controls that are used to prevent malicious abuse of privileged accounts
■ Crucial for preventing data breaches and ensuring the least privileged access is granted for specific tasks or roles
58
TCO
Total Cost of Ownership

Explanation:
OBJ 4.3: Cyber liability insurance is designed to help organizations cover the costs and potential legal consequences of cybersecurity breaches. This is especially beneficial in situations where vulnerabilities lead to data breaches.
59
CASB
Cloud Access Security Broker

A security solution that acts as an intermediary between cloud users and cloud-based applications, enforcing an organization's security policies and practices. It provides visibility, data protection, threat protection, and compliance management across cloud services. CASBs help secure cloud-hosted services like SaaS, IaaS, and PaaS, protecting them from cyberattacks and data leaks.
60
AES
Advanced Encryption Standard

A symmetric key encryption algorithm, meaning the same key is used to encrypt and decrypt the data. It was adopted by the U.S. government in 2001 to replace the older DES (Data Encryption Standard).

AES is the most suitable algorithm for securing data at rest because it is a symmetric encryption algorithm that is fast and secure. It also has no known practical attacks against it when implemented correctly.
61
FIM
File Integrity Monitoring

FIM is a security control that detects changes to files and systems, especially critical files like:
● System binaries (e.g., /bin, /usr/sbin)
● Configuration files (e.g., /etc/passwd, registry settings)
● Application files
● Log files

Basically, it monitors who changed what and when, and whether that change was authorized.

FIM is the most suitable option for detecting unauthorized changes to system configurations and files due to its focus on monitoring and alerting on modifications to these resources.
62
RPO
Recovery Point Objective

In cybersecurity, RPO stands for Recovery Point Objective. It's the maximum tolerable amount of data loss that can occur during a disruptive event like a cyberattack, natural disaster, or system failure. RPO is measured in terms of time: the period between the last known good backup and the point of failure. A lower RPO indicates a more frequent backup schedule, meaning less data can be lost in case of an incident.
63
RTO
Recovery Time Objective

In cybersecurity, RTO stands for Recovery Time Objective. It represents the maximum acceptable downtime for a system or application after a disruptive event like a cyberattack, before the impact becomes unacceptable for the organization. Essentially, it's a goal for how quickly systems can be restored to normal operation after a failure.
64
CA
Certificate Authority

A CA is a trusted third party responsible for issuing digital certificates, which are used to authenticate the identity of web servers and establish secure connections.
65
FIM
File Integrity Monitoring

In cybersecurity, FIM stands for File Integrity Monitoring. It's a process and technology that monitors critical files, like operating system components, application files, and databases, to detect any unauthorized or unexpected changes. Essentially, it ensures the integrity of these files by comparing their current state to a known, secure baseline.
66
EDR
Endpoint Detection and Response

In cybersecurity, EDR stands for Endpoint Detection and Response. It's a solution that continuously monitors endpoint devices (like laptops, desktops, and servers) for malicious activities, detects threats, and automatically responds to neutralize them. EDR systems leverage real-time monitoring, data analytics, and automated response capabilities to protect against advanced cyber threats.
67
SDN
Software-Defined Networking

It's a modern approach to designing, building, and managing networks that separates the control plane (which decides where traffic is sent) from the data plane (which actually forwards traffic).

Key Concepts:
● Control Plane: Managed centrally by a software-based controller.
● Data Plane: The physical switches and routers that forward traffic.
● Controller: The brain of SDN, like OpenDaylight or ONOS, that communicates with switches using protocols like OpenFlow.

Benefits:
● Centralized Management: One controller can manage the whole network.
● Programmability: Networks can be dynamically adjusted with code.
● Agility: Makes it easier to deploy and scale apps and services.
● Automation: Reduces manual configuration and errors.
68