Sy0-701 9
Sy0-701 9
Get the Full SY0-701 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/SY0-701-exam-dumps.html (0 New Questions)
CompTIA
Exam Questions SY0-701
CompTIA Security+ Exam
NEW QUESTION 1
Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the
following is the type of data these employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit
Answer: B
Explanation:
Intellectual property is a type of data that consists of ideas, inventions, designs, or other creative works that have commercial value and are protected by law.
Employees in the research and development business unit are most likely to use intellectual property data in their day-to-day work activities, as they are involved in
creating new products or services for the company. Intellectual property data needs to be protected from unauthorized use, disclosure, or theft, as it can give the
company a competitive advantage in the market. Therefore, these employees receive extensive training to ensure
they understand how to best protect this type of data. References = CompTIA Security+ SY0-701 Certification Study Guide, page 90; Professor Messer’s
CompTIA SY0-701 Security+ Training Course, video 1.2 - Security Concepts, 7:57 - 9:03.
NEW QUESTION 2
Which of the following agreement types defines the time frame in which a vendor needs to respond?
A. SOW
B. SLA
C. MOA
D. MOU
Answer: B
Explanation:
A service level agreement (SLA) is a type of agreement that defines the expectations and responsibilities between a service provider and a customer. It usually
includes the quality, availability, and performance metrics of the service, as well as the time frame in which the provider needs to respond to service requests,
incidents, or complaints. An SLA can help ensure that the customer receives the desired level of service and that the provider is accountable for meeting the
agreed-upon standards.
References:
? Security+ (Plus) Certification | CompTIA IT Certifications, under “About the exam”, bullet point 3: “Operate with an awareness of applicable regulations and
policies, including principles of governance, risk, and compliance.”
? CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 1, page 14: “Service Level Agreements (SLAs) are contracts between a service
provider and a customer that specify the level of service expected from the service provider.”
NEW QUESTION 3
Which of the following must be considered when designing a high-availability network? (Choose two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: AE
Explanation:
A high-availability network is a network that is designed to minimize downtime and ensure continuous operation even in the event of a failure or disruption. A high-
availability network must consider the following factors12:
? Ease of recovery: This refers to the ability of the network to restore normal functionality quickly and efficiently after a failure or disruption. Ease of recovery can
be achieved by implementing backup and restore procedures, redundancy and failover mechanisms, fault tolerance and resilience, and disaster recovery plans.
? Attack surface: This refers to the amount of exposure and vulnerability of the network to potential threats and attacks. Attack surface can be reduced by
implementing security controls such as firewalls, encryption, authentication, access control, segmentation, and hardening.
The other options are not directly related to high-availability network design:
? Ability to patch: This refers to the process of updating and fixing software components to address security issues, bugs, or performance improvements. Ability to
patch is important for maintaining the security and functionality of the network, but it is not a specific factor for high-availability network design.
? Physical isolation: This refers to the separation of network components or devices from other networks or physical environments. Physical isolation can enhance
the security and performance of the network, but it can also reduce the availability and accessibility of the network resources.
? Responsiveness: This refers to the speed and quality of the network’s performance and service delivery. Responsiveness can be measured by metrics such as
latency, throughput, jitter, and packet loss. Responsiveness is important for ensuring customer satisfaction and user experience, but it is not a specific factor for
high-availability network design.
? Extensible authentication: This refers to the ability of the network to support multiple and flexible authentication methods and protocols. Extensible authentication
can improve the security and convenience of the network, but it is not a specific factor for high-availability network design.
References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 972: High Availability – CompTIA Security+ SY0-701 – 3.4, video by Professor
Messer.
NEW QUESTION 4
An engineer needs to find a solution that creates an added layer of security by preventing unauthorized access to internal company resources. Which of the
following would be the best solution?
A. RDP server
B. Jump server
C. Proxy server
D. Hypervisor
Answer: B
Explanation:
= A jump server is a server that acts as an intermediary between a user and a target system. A jump server can provide an added layer of security by preventing
unauthorized access to internal company resources. A user can connect to the jump server using a secure protocol, such as SSH, and then access the target
system from the jump server. This way, the target system is isolated from the external network and only accessible through the jump server. A jump server can
also enforce security policies, such as authentication, authorization, logging, and auditing, on the user’s connection. A jump server is also known as a bastion host
or a jump box. References = CompTIA Security+ Certification Exam Objectives, Domain 3.3: Given a scenario, implement secure network architecture concepts.
CompTIA Security+ Study Guide (SY0-701), Chapter 3: Network Architecture and Design, page 101. Other Network Appliances – SY0-601 CompTIA Security+ :
3.3, Video 3:03. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 2.
NEW QUESTION 5
Which of the following can be used to identify potential attacker activities without affecting production servers?
A. Honey pot
B. Video surveillance
C. Zero Trust
D. Geofencing
Answer: A
Explanation:
A honey pot is a system or a network that is designed to mimic a real production server and attract potential attackers. A honey pot can be used to identify the
attacker’s methods, techniques, and objectives without affecting the actual production servers. A honey pot can also divert the attacker’s attention from the real
targets and waste their time and resources12.
The other options are not effective ways to identify potential attacker activities without affecting production servers:
? Video surveillance: This is a physical security technique that uses cameras and monitors to record and observe the activities in a certain area. Video surveillance
can help to deter, detect, and investigate physical intrusions, but it does not directly identify the attacker’s activities on the network or the servers3.
? Zero Trust: This is a security strategy that assumes that no user, device, or network is trustworthy by default and requires strict verification and validation for
every request and transaction. Zero Trust can help to improve the security posture and reduce the attack surface of an organization, but it does not directly identify
the attacker’s activities on the network or the servers4.
? Geofencing: This is a security technique that uses geographic location as a criterion to restrict or allow access to data or resources. Geofencing can help to
protect the data sovereignty and compliance of an organization, but it does not directly identify the attacker’s activities on the network or the servers5.
References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 542: Honeypots and Deception – SY0-601 CompTIA Security+ : 2.1, video by
Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 974: CompTIA Security+ SY0-701 Certification Study Guide, page 985:
CompTIA Security+ SY0-701 Certification Study Guide, page 99.
NEW QUESTION 6
Which of the following can best protect against an employee inadvertently installing malware on a company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Answer: D
Explanation:
An application allow list is a security technique that specifies which applications are authorized to run on a system and blocks all other applications. An application
allow list can best protect against an employee inadvertently installing malware on a company system because it prevents the execution of any unauthorized or
malicious software, such as viruses, worms, trojans, ransomware, or spyware. An application allow list can also reduce the attack surface and improve the
performance of the
system. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 11: Secure Application Development, page 551 1
NEW QUESTION 7
Which of the following would be best suited for constantly changing environments?
A. RTOS
B. Containers
C. Embedded systems
D. SCADA
Answer: B
Explanation:
Containers are a method of virtualization that allows applications to run in isolated environments with their own dependencies, libraries, and configurations.
Containers are best suited for constantly changing environments because they are lightweight, portable, scalable, and easy to deploy and update. Containers can
also support microservices architectures, which enable faster and more frequent delivery of software features. References: CompTIA Security+ Study Guide: Exam
SY0-701, 9th Edition, Chapter 10: Mobile Device Security, page 512 1
NEW QUESTION 8
Security controls in a data center are being reviewed to ensure data is properly protected and that human life considerations are included. Which of the following
best describes how the controls should be set up?
Answer: C
Explanation:
Safety controls are security controls that are designed to protect human life and physical assets from harm or damage. Examples of safety controls include fire
alarms, sprinklers, emergency exits, backup generators, and surge protectors. Safety controls should fail open, which means that they should remain operational
or allow access when a failure or error occurs. Failing open can prevent or minimize the impact of a disaster, such as a fire, flood, earthquake, or power outage, on
human life and physical assets. For example, if a fire alarm fails, it should still trigger the sprinklers and unlock the emergency exits, rather than remain silent and
locked. Failing open can also ensure that essential services, such as healthcare, transportation, or communication, are available during a crisis. Remote access
points, logging controls, and logical security controls are other types of security controls, but they should not fail open in a data center. Remote access points are
security controls that allow users or systems to access a network or a system from a remote location, such as a VPN, a web portal, or a wireless access point.
Remote access points should fail closed, which means that they should deny access when a failure or error occurs. Failing closed can prevent unauthorized or
malicious access to the data center’s network or systems, such as by hackers, malware, or rogue devices. Logging controls are security controls that record and
monitor the activities and events that occur on a network or a system, such as user actions, system errors, security incidents, or performance metrics. Logging
controls should also fail closed, which means that they should stop or suspend the activities or events when a failure or error occurs. Failing closed can prevent
data loss, corruption, or tampering, as well as ensure compliance with regulations and standards. Logical security controls are security controls that use software
or code to protect data and systems from unauthorized or malicious access, modification, or destruction, such as encryption, authentication, authorization, or
firewall. Logical security controls should also fail closed, which means that they should block or restrict access when a failure or error occurs. Failing closed can
prevent data breaches, cyberattacks, or logical flaws, as well as ensure confidentiality, integrity, and availability of data and systems. References: CompTIA
Security+ Study Guide: Exam SY0-701, 9th Edition, page 142-143, 372-373, 376-377
NEW QUESTION 9
A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring
detected activity in the future?
A. Tuning
B. Aggregating
C. Quarantining
D. Archiving
Answer: A
Explanation:
Tuning is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false
negatives. Tuning can help to filter out the normal or benign activity that is detected by the security tool or system, and focus on the malicious or anomalous activity
that requires further investigation or response. Tuning can also help to improve the efficiency and effectiveness of the security operations center by reducing the
workload and alert fatigue of
the analysts. Tuning is different from aggregating, which is the activity of collecting and combining data from multiple sources or sensors to provide a
comprehensive view of the security posture. Tuning is also different from quarantining, which is the activity of isolating a potentially infected or compromised device
or system from the rest of the network to prevent further damage or spread. Tuning is also different from archiving, which is the activity of storing and preserving
historical data or records for future reference or compliance. The act of ignoring detected activity in the future that is deemed normal by the security operations
center is an example of tuning, as it involves modifying the settings or rules of the security tool or system to exclude the activity from the detection scope.
Therefore, this is the best answer among the given options. References = Security Alerting and Monitoring Concepts and Tools – CompTIA Security+ SY0-701:
4.3, video at
7:00; CompTIA Security+ SY0-701 Certification Study Guide, page 191.
NEW QUESTION 10
A client asked a security company to provide a document outlining the project, the cost, and the completion time frame. Which of the following documents should
the company provide to the client?
A. MSA
B. SLA
C. BPA
D. SOW
Answer: D
Explanation:
An ISOW is a document that outlines the project, the cost, and the completion time frame for a security company to provide a service to a client. ISOW stands for
Information Security Operations Work, and it is a type of contract that specifies the scope, deliverables, milestones, and payment terms of a security project. An
ISOW is usually used for one-time or short-term projects that have a clear and defined objective and outcome. For example, an ISOW can be used for a security
assessment, a penetration test, a security audit, or a security training.
The other options are not correct because they are not documents that outline the project, the cost, and the completion time frame for a security company to
provide a service to a client. A MSA is a master service agreement, which is a type of contract that establishes the general terms and conditions for a long-term or
ongoing relationship between a security company and a client. A MSA does not specify the details of each individual project, but rather sets the framework for
future projects that will be governed by separate statements of work (SOWs). A SLA is a service level agreement, which is a type of contract that defines the
quality and performance standards for a security service provided by a security company to a client. A SLA usually includes the metrics, targets, responsibilities,
and penalties for measuring and ensuring the service level. A BPA is a business partnership agreement, which is a type of contract that establishes the roles and
expectations for a strategic alliance between two or more security companies that collaborate to provide a joint service to a client. A BPA usually covers the
objectives, benefits, risks, and obligations
of the partnership. References = CompTIA Security+ Study Guide (SY0-701), Chapter 8: Governance, Risk, and Compliance, page 387. Professor Messer’s
CompTIA SY0-701 Security+ Training Course, Section 8.2: Compliance and Controls, video: Contracts and Agreements (5:12).
NEW QUESTION 10
Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address?
A. VM escape
B. SQL injection
C. Buffer overflow
D. Race condition
Answer: C
Explanation:
A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite
adjacent memory locations. A register is a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to
overwrite a register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker control over the system. By doing so, the
attacker can bypass the normal execution flow of the application and execute arbitrary commands.
References: CompTIA Security+ SY0-701 Certification Study Guide, Chapter 2: Threats, Attacks, and Vulnerabilities, Section 2.3: Application Attacks, Page 76 1;
Buffer Overflows - CompTIA Security+ SY0-701 - 2.3 2
NEW QUESTION 15
An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to
evaluate?
A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction
Answer: D
Explanation:
The data plane, also known as the forwarding plane, is the part of the network that carries user traffic and data. It is responsible for moving packets from one
device to another based on the routing and switching decisions made by the control plane. The data plane is a critical component of the Zero Trust architecture, as
it is where most of the attacks and breaches occur. Therefore, implementing Zero Trust principles within the data plane can help to improve the security and
resilience of the network.
One of the key principles of Zero Trust is to assume breach and minimize the blast radius and segment access. This means that the network should be divided into
smaller and isolated segments or zones, each with its own security policies and controls. This way, if one segment is compromised, the attacker cannot easily
move laterally to other segments and access more resources or data. This principle is also known as threat scope reduction, as it reduces the scope and impact of
a potential threat.
The other options are not as relevant for the data plane as threat scope reduction. Secured zones are a concept related to the control plane, which is the part of
the network that makes routing and switching decisions. Subject role is a concept related to the identity plane, which is the part of the network that authenticates
and authorizes users and devices. Adaptive identity is a concept related to the policy plane, which is the part of the network that defines and enforces the security
policies and rules.
References = https://bing.com/search?q=Zero+Trust+data+plane https://learn.microsoft.com/en-us/security/zero-trust/deploy/data
NEW QUESTION 16
A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system?
A. Default credentials
B. Non-segmented network
C. Supply chain vendor
D. Vulnerable software
Answer: C
Explanation:
A supply chain vendor is a third-party entity that provides goods or services to an organization, such as a SaaS provider. A supply chain vendor can pose a risk to
the new system if the vendor has poor security practices, breaches, or compromises that could affect the confidentiality, integrity, or availability of the system or its
data. The organization should perform due diligence and establish a service level agreement with the vendor to mitigate this risk. The other options are not specific
to the scenario of using a SaaS provider, but rather general risks that could apply to any system.
NEW QUESTION 20
A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes.
Which of the following should the administrator set up to achieve this goal?
A. SPF
B. GPO
C. NAC
D. FIM
Answer: D
Explanation:
FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes or modifications to files, directories, or registry keys. FIM can
help a security administrator track any unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the data. FIM can also alert
the administrator of any potential breaches or incidents involving the data.
Some of the benefits of FIM are:
? It can prevent data tampering and corruption by verifying the checksums or hashes of the files.
? It can identify the source and time of the changes by logging the user and system actions.
? It can enforce security policies and standards by comparing the current state of the data with the baseline or expected state.
? It can support forensic analysis and incident response by providing evidence and audit trails of the changes.
References:
? CompTIA Security+ SY0-701 Certification Study Guide, Chapter 5: Technologies and Tools, Section 5.3: Security Tools, p. 209-210
? CompTIA Security+ SY0-701 Certification Exam Objectives, Domain 2: Technologies and Tools, Objective 2.4: Given a scenario, analyze and interpret output
from security technologies, Sub-objective: File integrity monitor, p. 12
NEW QUESTION 25
A hacker gained access to a system via a phishing attempt that was a direct result of a user clicking a suspicious link. The link laterally deployed ransomware,
which laid dormant for multiple weeks, across the network. Which of the following would have mitigated the spread?
A. IPS
B. IDS
C. WAF
D. UAT
Answer: A
Explanation:
IPS stands for intrusion prevention system, which is a network security device that monitors and blocks malicious traffic in real time. IPS is different from IDS,
which only detects and alerts on malicious traffic, but does not block it. IPS would have mitigated the spread of ransomware by preventing the hacker from
accessing the system via the phishing link, or by stopping the ransomware from communicating with its command and control server or encrypting the files.
NEW QUESTION 30
An organization disabled unneeded services and placed a firewall in front of a business- critical legacy system. Which of the following best describes the actions
taken by the organization?
A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls
Answer: D
Explanation:
Compensating controls are alternative security measures that are implemented when the primary controls are not feasible, cost-effective, or sufficient to mitigate
the risk. In this case, the organization used compensating controls to protect the legacy system from potential attacks by disabling unneeded services and placing
a firewall in front of it. This reduced the attack surface and the likelihood of exploitation.
References:
? Official CompTIA Security+ Study Guide (SY0-701), page 29
? Security Controls - CompTIA Security+ SY0-701 - 1.1 1
NEW QUESTION 35
A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access?
A. EAP
B. DHCP
C. IPSec
D. NAT
Answer: C
Explanation:
IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to create virtual private networks (VPNs) that encrypt and
authenticate the data exchanged between two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and access control. A
security consultant can use IPSec to gain secure, remote access to a client environment by establishing a VPN tunnel with the client’s network. References:
CompTIA Security+ Study Guide: Exam SY0- 701, 9th Edition, Chapter 8: Secure Protocols and Services, page 385 1
NEW QUESTION 39
A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the
planning process? (Select two).
A. Key escrow
B. TPM presence
C. Digital signatures
D. Data tokenization
E. Public key management
F. Certificate authority linking
Answer: AB
Explanation:
? Key escrow is a method of storing encryption keys in a secure location, such as a trusted third party or a hardware security module (HSM). Key escrow is
important for FDE because it allows the recovery of encrypted data in case of lost or forgotten passwords, device theft, or hardware failure. Key escrow also
enables authorized access to encrypted data for legal or forensic purposes.
? TPM presence is a feature of some laptops that have a dedicated chip for storing encryption keys and other security information. TPM presence is important for
FDE because it enhances the security and performance of encryption by generating and protecting the keys within the chip, rather than relying on software or
external devices. TPM presence also enables features such as secure boot, remote attestation, and device authentication.
NEW QUESTION 41
A security analyst is reviewing the following logs:
A. Password spraying
B. Account forgery
C. Pass-t he-hash
D. Brute-force
Answer: A
Explanation:
Password spraying is a type of brute force attack that tries common passwords across several accounts to find a match. It is a mass trial-and-error approach that
can bypass account lockout protocols. It can give hackers access to personal or business accounts and information. It is not a targeted attack, but a high-volume
attack tactic that uses a dictionary or a list of popular or weak passwords12.
The logs show that the attacker is using the same password ("password123") to attempt to log in to different accounts ("admin", "user1", "user2", etc.) on the same
web server. This is a typical pattern of password spraying, as the attacker is hoping that at least one of the accounts has a weak password that matches the one
they are trying. The attacker is also using a tool called Hydra, which is one of the most popular brute force tools, often used in cracking passwords for network
authentication3.
Account forgery is not the correct answer, because it involves creating fake accounts or credentials to impersonate legitimate users or entities. There is no
evidence of account forgery in the logs, as the attacker is not creating any new accounts or using forged credentials.
Pass-the-hash is not the correct answer, because it involves stealing a hashed user credential and using it to create a new authenticated session on the same
network. Pass- the-hash does not require the attacker to know or crack the password, as they use the stored version of the password to initiate a new session4.
The logs show that the attacker is using plain text passwords, not hashes, to try to log in to the web server.
Brute-force is not the correct answer, because it is a broader term that encompasses different types of attacks that involve trying different variations of symbols or
words until the correct password is found. Password spraying is a specific type of brute force attack that uses a single common password against multiple
accounts5. The logs show that the attacker is using password spraying, not brute force in general, to try to gain access to the web server. References = 1:
Password spraying: An overview of password spraying attacks … - Norton, 2: Security: Credential Stuffing vs. Password Spraying -
Baeldung, 3: Brute Force Attack: A definition + 6 types to know | Norton, 4: What is a Pass- the-Hash Attack? - CrowdStrike, 5: What is a Brute Force Attack? |
Definition, Types &
How It Works - Fortinet
NEW QUESTION 46
An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device.
Which of the following best describes the user’s activity?
A. Penetration testing
B. Phishing campaign
C. External audit
D. Insider threat
Answer: D
Explanation:
An insider threat is a security risk that originates from within the organization, such as an employee, contractor, or business partner, who has authorized access to
the organization’s data and systems. An insider threat can be malicious, such as stealing, leaking, or sabotaging sensitive data, or unintentional, such as falling
victim to phishing or social engineering. An insider threat can cause significant damage to the organization’s reputation, finances, operations, and legal
compliance. The user’s activity of logging in remotely after hours and copying large amounts of data to a personal device is an example of a malicious insider
threat, as it violates the organization’s security policies and compromises the confidentiality and integrity of the data. References = Insider Threats – CompTIA
Security+ SY0-701: 3.2, video at 0:00; CompTIA Security+ SY0-701 Certification Study Guide, page 133.
NEW QUESTION 49
A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks.
Which of the following analysis elements did the company most likely use in making this decision?
A. IMTTR
B. RTO
C. ARO
D. MTBF
Answer: C
Explanation:
ARO (Annualized Rate of Occurrence) is an analysis element that measures the frequency or likelihood of an event happening in a given year. ARO is often used
in risk assessment and management, as it helps to estimate the potential loss or impact of an event. A company can use ARO to calculate the annualized loss
expectancy (ALE) of an event, which is the product of ARO and the single loss expectancy (SLE). ALE represents the expected cost of an event per year, and can
be used to compare with the cost of implementing a security control or purchasing an insurance policy.
The company most likely used ARO in making the decision to remove the coverage for ransomware attacks from its cyber insurance policy. The company may
have estimated the ARO of ransomware attacks based on historical data, industry trends, or threat intelligence, and found that the ARO was low or negligible. The
company may have also calculated the ALE of ransomware attacks, and found that the ALE was lower than the cost of the insurance policy. Therefore, the
company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks, as it deemed the risk to be acceptable
or manageable.
IMTTR (Incident Management Team Training and Readiness), RTO (Recovery Time Objective), and MTBF (Mean Time Between Failures) are not analysis
elements that the company most likely used in making the decision to remove the coverage for ransomware attacks from its cyber insurance policy. IMTTR is a
process of preparing and training the incident management team to respond effectively to security incidents. IMTTR does not measure the frequency or impact of
an event, but rather the capability and readiness of the team. RTO is a metric that defines the maximum acceptable time for restoring a system or service after a
disruption. RTO does not measure the frequency or impact of an event, but rather the availability and continuity of the system or service. MTBF is a metric that
measures the average time between failures of a system or component. MTBF does not measure the frequency or impact of an event, but rather the reliability and
performance of the system or component.
References = CompTIA Security+ SY0-701 Certification Study Guide, page 97-
98; Professor Messer’s CompTIA SY0-701 Security+ Training Course, video 5.2 - Risk Management, 0:00 - 3:00.
NEW QUESTION 54
A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an
analyst employ to prohibit access to non-encrypted websites?
A. encryption=off\
B. http://
C. www.*.com
D. :443
Answer: B
Explanation:
A web filter is a device or software that can monitor, block, or allow web traffic based on predefined rules or policies. One of the common methods of web filtering
is to scan the URL for strings and deny access when matches are found. For example, a web filter can block access to websites that contain the words
“gambling”, “porn”, or “malware” in their URLs. A URL is a uniform resource locator that identifies the location and protocol of a web resource. A URL typically
consists of the following components: protocol://domain:port/path?query#fragment. The protocol specifies the communication method used to access the web
resource, such as HTTP, HTTPS, FTP, or SMTP. The domain is the name of the web server that hosts the web resource, such as www.google.com or
www.bing.com. The port is an optional number that identifies the specific service or application running on the web server, such as 80 for HTTP or 443 for HTTPS.
The path is the specific folder or file name of the web resource, such as /index.html or /images/logo.png. The query is an optional string that contains additional
information or parameters for the web resource, such as ?q=security or ?lang=en. The fragment is an optional string that identifies a specific part or section of the
web resource, such as #introduction or #summary.
To prohibit access to non-encrypted websites, an analyst should employ a search string that matches the protocol of non-encrypted web traffic, which is HTTP.
HTTP stands for hypertext transfer protocol, and it is a standard protocol for transferring data between web servers and web browsers. However, HTTP does not
provide any encryption or security for the data, which means that anyone who intercepts the web traffic can read or modify the data. Therefore, non-encrypted
websites are vulnerable to eavesdropping, tampering, or spoofing attacks. To access a non-encrypted website, the URL usually starts with http://, followed by the
domain name and optionally the port number. For example, http://www.example.com or http://www.example.com:80. By scanning the URL for the string http://, the
web filter can identify and block non-encrypted websites.
The other options are not correct because they do not match the protocol of non-encrypted web traffic. Encryption=off is a possible query string that indicates the
encryption status of the web resource, but it is not a standard or mandatory parameter. Https:// is the protocol of encrypted web traffic, which uses hypertext
transfer protocol secure (HTTPS) to provide encryption and security for the data. Www.*.com is a possible domain name that matches any website that starts with
www and ends with .com, but it does not specify the protocol.
:443 is the port number of HTTPS, which is the protocol of encrypted web traffic. References = CompTIA Security+ Study Guide (SY0-701), Chapter 2: Securing
Networks, page 69. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 2.1: Network Devices and Technologies, video: Web Filter (5:16).
NEW QUESTION 58
One of a company's vendors sent an analyst a security bulletin that recommends a BIOS update. Which of the following vulnerability types is being addressed by
the patch?
A. Virtualization
B. Firmware
C. Application
D. Operating system
Answer: B
Explanation:
Firmware is a type of software that is embedded in hardware devices, such as BIOS, routers, printers, or cameras. Firmware controls the basic functions and
operations of the device, and can be updated or patched to fix bugs, improve performance, or enhance security. Firmware vulnerabilities are flaws or weaknesses
in the firmware code that can be exploited by attackers to gain unauthorized access, modify settings, or cause damage to the device or the network. A BIOS
update is a patch that addresses a firmware vulnerability in the basic input/output system of a computer, which is responsible for booting the operating system and
managing the communication between the hardware and the software. The other options are not types of vulnerabilities, but rather categories of software or
technology.
NEW QUESTION 62
Which of the following would be the best ways to ensure only authorized personnel can access a secure facility? (Select two).
A. Fencing
B. Video surveillance
C. Badge access
D. Access control vestibule
E. Sign-in sheet
F. Sensor
Answer: CD
Explanation:
Badge access and access control vestibule are two of the best ways to ensure only authorized personnel can access a secure facility. Badge access requires the
personnel to present a valid and authenticated badge to a reader or scanner that grants or denies access based on predefined rules and permissions. Access
control vestibule is a physical security measure that consists of a small room or chamber with two doors, one leading to the outside and one leading to the secure
area. The personnel must enter the vestibule and wait for the first door to close and lock before the second door can be opened. This prevents tailgating or
piggybacking by unauthorized individuals. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4, pages 197-1981
NEW QUESTION 67
A company is required to use certified hardware when building networks. Which of the following best addresses the risks associated with procuring counterfeit
hardware?
Answer: A
Explanation:
Counterfeit hardware is hardware that is built or modified without the authorization of the original equipment manufacturer (OEM). It can pose serious risks to
network quality, performance, safety, and reliability12. Counterfeit hardware can also contain malicious components that can compromise the security of the
network and the data that flows through it3. To address the risks associated with procuring counterfeit hardware, a company should conduct a thorough analysis of
the supply chain, which is the network of entities involved in the production, distribution, and delivery of the hardware. By analyzing the supply chain, the company
can verify the origin, authenticity, and integrity of the hardware, and identify any potential sources of counterfeit or tampered products. A thorough analysis of the
supply chain can include the following steps:
? Establishing a trusted relationship with the OEM and authorized resellers
? Requesting documentation and certification of the hardware from the OEM or authorized resellers
? Inspecting the hardware for any signs of tampering, such as mismatched labels, serial numbers, or components
? Testing the hardware for functionality, performance, and security
? Implementing a tracking system to monitor the hardware throughout its lifecycle
? Reporting any suspicious or counterfeit hardware to the OEM and law enforcement agencies References = 1: Identify Counterfeit and Pirated Products -
Cisco, 2: What Is Hardware Security? Definition, Threats, and Best Practices, 3: Beware of Counterfeit Network Equipment - TechNewsWorld, : Counterfeit
Hardware: The Threat and How to Avoid It
NEW QUESTION 72
A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of the following should the hosting provider consider
first?
Answer: A
Explanation:
Local data protection regulations are the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations.
Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders.
Different countries or regions may have different data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the
Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States. A cloud-
hosting provider must comply with the local data protection regulations of the countries or regions where it operates or serves customers, or else it may face legal
penalties, fines, or reputational damage. Therefore, a cloud-hosting provider should research and understand the local data protection regulations of the new
international locations before expanding its data centers there. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam
SY0-701, 9th Edition, Chapter 7, page 269. CompTIA Security+ SY0-701 Exam Objectives, Domain 5.1, page 14.
NEW QUESTION 74
An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following
social engineering techniques are being attempted? (Choose two.)
A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation
Answer: BE
Explanation:
Smishing is a type of social engineering technique that uses text messages (SMS) to trick victims into revealing sensitive information, clicking malicious links, or
downloading malware. Smishing messages often appear to come from legitimate sources, such as banks, government agencies, or service providers, and use
urgent or threatening language to persuade the recipients to take action12. In this scenario, the text message that claims to be from the payroll department is an
example of smishing.
Impersonation is a type of social engineering technique that involves pretending to be someone else, such as an authority figure, a trusted person, or a colleague,
to gain the trust or cooperation of the target. Impersonation can be done through various channels, such as phone calls, emails, text messages, or in-person visits,
and can be used to obtain information, access, or money from the victim34. In this scenario, the text message that pretends to be from the payroll department is an
example of impersonation.
* A. Typosquatting is a type of cyberattack that involves registering domain names that are similar to popular or well-known websites, but with intentional spelling
errors or different extensions. Typosquatting aims to exploit the common mistakes that users make when typing web addresses, and redirect them to malicious or
fraudulent sites that may steal their information, install malware, or display ads56. Typosquatting is not related to text messages or credential verification.
* B. Phishing is a type of social engineering technique that uses fraudulent emails to trick recipients into revealing sensitive information, clicking malicious links, or
downloading malware. Phishing emails often mimic the appearance and tone of legitimate organizations, such as banks, retailers, or service providers, and use
deceptive or urgent language to persuade the recipients to take action78. Phishing is not related to text messages or credential verification.
* D. Vishing is a type of social engineering technique that uses voice calls to trick victims into revealing sensitive information, such as passwords, credit card
numbers, or bank account details. Vishing calls often appear to come from legitimate sources, such as law enforcement, government agencies, or technical
support, and use scare tactics or false promises to persuade the recipients to comply9 . Vishing is not related to text messages or credential verification.
* F. Misinformation is a type of social engineering technique that involves spreading false or misleading information to influence the beliefs, opinions, or actions of
the target. Misinformation can be used to manipulate public perception, create confusion, damage reputation, or promote an agenda . Misinformation is not related
NEW QUESTION 79
A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?
Answer: B
Explanation:
Code signing is a technique that uses cryptography to verify the authenticity and integrity of the code created by the company. Code signing involves applying a
digital signature to the code using a private key that only the company possesses. The digital signature can be verified by anyone who has the corresponding
public key, which can be distributed through a trusted certificate authority. Code signing can prevent unauthorized modifications, tampering, or malware injection
into the code, and it can also assure the users that the code is from a legitimate source. References = CompTIA Security+ Study Guide with over 500 Practice Test
Questions: Exam SY0-701, 9th Edition, Chapter 2, page 74. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 3.2, page 11. Application
Security – SY0-601 CompTIA Security+ : 3.2
NEW QUESTION 83
After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response
to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice.
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time.
Answer: B
Explanation:
A legal hold (also known as a litigation hold) is a notification sent from an organization’s legal team to employees instructing them not to delete electronically
stored information (ESI) or discard paper documents that may be relevant to a new or imminent legal case. A legal hold is intended to preserve evidence and
prevent spoliation, which is the intentional or negligent destruction of evidence that could harm a party’s case. A legal hold can be triggered by various events,
such as a lawsuit, a regulatory investigation, or a subpoena12 In this scenario, the company’s attorneys have requested that the security team initiate a legal hold
in response to the lawsuit filed by the customers after the company was compromised. This means that the security team will most likely be required to retain any
communications related to the security breach until further notice. This could include emails, instant messages, reports, logs, memos, or any other documents that
could be relevant to the lawsuit. The security team should also inform the relevant custodians (the employees who have access to or control over the ESI) of their
preservation obligations and monitor their compliance. The security team should also document the legal hold process and its scope, as well as take steps to
protect the ESI from alteration, deletion, or loss34
References:
1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 6: Risk Management, page 303 2: CompTIA Security+ Certification Kit: Exam SY0-701,
7th Edition, Chapter 6: Risk Management, page 305 3: Legal Hold (Litigation Hold) - The Basics of E-Discovery - Exterro 5 4: The Legal Implications and
Consequences of a Data Breach 6
NEW QUESTION 85
Which of the following is used to quantitatively measure the criticality of a vulnerability?
A. CVE
B. CVSS
C. CIA
D. CERT
Answer: B
Explanation:
CVSS stands for Common Vulnerability Scoring System, which is a framework that provides a standardized way to assess and communicate the severity and risk
of vulnerabilities. CVSS uses a set of metrics and formulas to calculate a numerical score ranging from 0 to 10, where higher scores indicate higher criticality.
CVSS can help organizations prioritize remediation efforts and compare vulnerabilities across different systems and vendors. The other options are not used to
measure the criticality of a
vulnerability, but rather to identify, classify, or report them. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 39
NEW QUESTION 89
An organization is building a new backup data center with cost-benefit as the primary requirement and RTO and RPO values around two days. Which of the
following types of sites is the best for this scenario?
A. Real-time recovery
B. Hot
C. Cold
D. Warm
Answer: C
Explanation:
A cold site is a type of backup data center that has the necessary infrastructure to support IT operations, but does not have any pre-configured hardware or
software. A cold site is the cheapest option among the backup data center types, but it also has the longest recovery time objective (RTO) and recovery point
objective (RPO) values. A cold site is suitable for scenarios where the cost-benefit is the primary requirement and the RTO and RPO values are not very stringent.
A cold site can take up to two days or more to restore the normal operations after a disaster. References = CompTIA Security+ SY0-701 Certification Study Guide,
page 387; Backup Types – SY0-601 CompTIA Security+ : 2.5, video at 4:50.
NEW QUESTION 93
A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee’s corporate laptop. The security analyst
has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the
analyst use as a data source?
A. Application
B. IPS/IDS
C. Network
D. Endpoint
Answer: D
Explanation:
An endpoint log is a file that contains information about the activities and events that occur on an end-user device, such as a laptop, desktop, tablet, or
smartphone. Endpoint logs can provide valuable data for security analysts, such as the processes running on the device, the network connections established, the
files accessed or modified, the user actions performed, and the applications installed or updated. Endpoint logs can also record the details of any executable files
running on the device, such as the name, path, size, hash, signature, and permissions of the executable.
An application log is a file that contains information about the events that occur within a software application, such as errors, warnings, transactions, or
performance metrics. Application logs can help developers and administrators troubleshoot issues, optimize performance, and monitor user behavior. However,
application logs may not provide enough information about the executable files running on the device, especially if they are malicious or unknown.
An IPS/IDS log is a file that contains information about the network traffic that is monitored and analyzed by an intrusion prevention system (IPS) or an intrusion
detection system (IDS). IPS/IDS logs can help security analysts identify and block potential attacks, such as exploit attempts, denial-of-service (DoS) attacks, or
malicious scans. However, IPS/IDS logs may not provide enough information about the executable files running on the device, especially if they are encrypted,
obfuscated, or use legitimate protocols.
A network log is a file that contains information about the network activity and communication that occurs between devices, such as IP addresses, ports, protocols,
packets, or bytes. Network logs can help security analysts understand the network topology, traffic patterns, and bandwidth usage. However, network logs may not
provide enough information about the executable files running on the device, especially if they are hidden, spoofed, or use proxy servers.
Therefore, the best log type to use as a data source for additional information about the executable running on the machine is the endpoint log, as it can provide
the most relevant and detailed data about the executable file and its behavior.
References = https://www.crowdstrike.com/cybersecurity-101/observability/application-log/
https://owasp.org/www-project-proactive-controls/v3/en/c9-security-logging
NEW QUESTION 94
A client demands at least 99.99% uptime from a service provider's hosted security services. Which of the following documents includes the information the service
provider should return to the client?
A. MOA
B. SOW
C. MOU
D. SLA
Answer: D
Explanation:
A service level agreement (SLA) is a document that defines the level of service expected by a customer from a service provider, indicating the metrics by which
that service is measured, and the remedies or penalties, if any, should the agreed-upon levels not be achieved. An SLA can specify the minimum uptime or
availability of a service, such as 99.99%, and the consequences for failing to meet that standard. A memorandum of agreement (MOA), a statement of work
(SOW), and a memorandum of understanding (MOU) are other types of documents that can be used to establish a relationship between parties, but they do not
typically include the details of service levels and performance metrics that an SLA does. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition,
page 16-17
NEW QUESTION 95
A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded
the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following
should the analyst do?
A. Place posters around the office to raise awareness of common phishing activities.
B. Implement email security filters to prevent phishing emails from being delivered
C. Update the EDR policies to block automatic execution of downloaded programs.
D. Create additional training for users to recognize the signs of phishing attempts.
Answer: C
Explanation:
An endpoint detection and response (EDR) system is a security tool that monitors and analyzes the activities and behaviors of endpoints, such as computers,
laptops, mobile devices, and servers. An EDR system can detect, prevent, and respond to various types of threats, such as malware, ransomware, phishing, and
advanced persistent threats (APTs). One of the features of an EDR system is to block the automatic execution of downloaded programs, which can prevent
malicious code from running on the endpoint when a user clicks on a link in a phishing message. This can reduce the impact of a phishing attack and protect the
endpoint from compromise. Updating the EDR policies to block automatic execution of downloaded programs is a technical control that can mitigate the risk of
phishing, regardless of the user’s awareness or behavior. Therefore, this is the best answer among the given options.
The other options are not as effective as updating the EDR policies, because they rely on administrative or physical controls that may not be sufficient to prevent or
stop a phishing attack. Placing posters around the office to raise awareness of common phishing activities is a physical control that can increase the user’s
knowledge of phishing, but it may not change their behavior or prevent them from clicking on a link in a phishing message. Implementing email security filters to
prevent phishing emails from being delivered is an administrative control that can reduce the exposure to phishing, but it may not be able to block all phishing
emails, especially if they are crafted to bypass the filters. Creating additional training for users to recognize the signs of phishing attempts is an administrative
control that can improve the user’s skills of phishing detection, but it may not guarantee that they will always be vigilant or cautious when receiving an email.
Therefore, these options are not the best answer for this question. References = Endpoint Detection and Response – CompTIA Security+ SY0-701 – 2.2, video at
5:30; CompTIA Security+ SY0- 701 Certification Study Guide, page 163.
A. Fines
B. Audit findings
C. Sanctions
D. Reputation damage
Answer: A
Explanation:
PCI DSS is the Payment Card Industry Data Security Standard, which is a set of security requirements for organizations that store, process, or transmit cardholder
data. PCI DSS aims to protect the confidentiality, integrity, and availability of cardholder data and prevent fraud, identity theft, and data breaches. PCI DSS is
enforced by the payment card brands, such as Visa, Mastercard, American Express, Discover, and JCB, and applies to all entities involved in the payment card
ecosystem, such as merchants, acquirers, issuers, processors, service providers, and payment applications.
If a large bank fails an internal PCI DSS compliance assessment, the most likely outcome is that the bank will face fines from the payment card brands. An internal
PCI DSS compliance assessment is a self-assessment that the bank performs to evaluate its own compliance with the PCI DSS requirements. The bank must
submit the results of the internal assessment to the payment card brands or their designated agents, such as acquirers or qualified security assessors (QSAs). If
the internal assessment reveals that the bank is not compliant with the PCI DSS requirements, the payment card brands may impose fines on the bank as a
penalty for violating the PCI DSS contract. The amount and frequency of the fines may vary depending on the severity and duration of the non- compliance, the
number and type of cardholder data compromised, and the level of cooperation and remediation from the bank. The fines can range from thousands to millions of
dollars per month, and can increase over time if the non-compliance is not resolved.
The other options are not correct because they are not the most likely outcomes if a large bank fails an internal PCI DSS compliance assessment. B. Audit
findings. Audit findings are the results of an external PCI DSS compliance assessment that is performed by a QSA or an approved scanning vendor (ASV). An
external assessment is required for certain entities that handle a large volume of cardholder data or have a history of non-compliance. An external assessment
may also be triggered by a security incident or a request from the payment card brands. Audit findings may reveal the gaps and weaknesses in the bank’s security
controls and recommend corrective actions to achieve compliance. However, audit findings are not the outcome of an internal assessment, which is performed by
the bank itself. C. Sanctions. Sanctions are the measures that the payment card brands may take against the bank if the bank fails to pay the fines or comply with
the PCI DSS requirements. Sanctions may include increasing the fines, suspending or terminating the bank’s ability to accept or process payment cards, or
revoking the bank’s PCI DSS certification. Sanctions are not the immediate outcome of an internal assessment, but rather the possible
consequence of prolonged or repeated non-compliance. D. Reputation damage. Reputation damage is the loss of trust and credibility that the bank may suffer
from its customers, partners, regulators, and the public if the bank fails an internal PCI DSS compliance assessment. Reputation damage may affect the bank’s
brand image, customer loyalty, market share, and profitability. Reputation damage is not a direct outcome of an internal assessment, but rather a potential risk that
the bank may face if the non-compliance is exposed or exploited by malicious actors. References = CompTIA Security+ Study Guide (SY0-701), Chapter 8:
Governance, Risk, and Compliance, page 388. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 8.2: Compliance and Controls, video:
PCI DSS (5:12). PCI Security Standards Council, PCI DSS Quick Reference Guide, page 4. PCI Security Standards Council, PCI DSS FAQs, question 8. PCI
Security Standards Council, PCI DSS FAQs, question 9. [PCI Security Standards Council], PCI DSS FAQs, question 10. [PCI Security Standards Council], PCI
DSS FAQs, question 11. [PCI Security Standards Council], PCI DSS FAQs, question 12. [PCI Security Standards Council], PCI DSS FAQs, question 13. [PCI
Security Standards Council], PCI DSS FAQs, question 14. [PCI Security Standards Council], PCI DSS FAQs, question 15. [PCI Security Standards Council], PCI
DSS FAQs, question 16. [PCI Security Standards Council], PCI DSS FAQs, question 17. [PCI Security Standards Council], PCI DSS FAQs, question 18. [PCI
Security Standards Council], PCI DSS FAQs, question 19. [PCI Security Standards Council], PCI DSS FAQs, question 20. [PCI Security Standards Council], PCI
DSS FAQs, question 21. [PCI Security Standards Council], PCI DSS FAQs, question 22. [PCI Security Standards Council], PCI DSS FAQs, question 23. [PCI
Security Standards Council], PCI DSS FAQs, question 24. [PCI Security Standards Council], PCI DSS FAQs, question 25. [PCI Security Standards Council], PCI
DSS FAQs, question 26. [PCI Security Standards Council], PCI DSS FAQs, question 27. [PCI Security Standards Council], PCI DSS FAQs, question 28. [PCI
Security Standards Council], PCI DSS FAQs, question 29. [PCI Security Standards Council], PCI DSS FAQs, question 30. [PCI Security Standards Council]
A. Smishing
B. Disinformation
C. Impersonating
D. Whaling
Answer: D
Explanation:
Whaling is a type of phishing attack that targets high-profile individuals, such as executives, celebrities, or politicians. The attacker impersonates someone with
authority or influence and tries to trick the victim into performing an action, such as transferring money, revealing sensitive information, or clicking on a malicious
link. Whaling is also called CEO fraud or business email compromise2.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 97.
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime
Answer: D
Explanation:
Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or services to other criminals who use them to launch attacks and
extort money from victims. This is a typical example of organized crime, which is a group of criminals who work together to conduct illegal activities for profit.
Organized crime is different from other types of threat actors, such as insider threats, hacktivists, or nation-states, who may have different motives, methods, or
targets. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 17 1
A. Firmware version
B. Buffer overflow
C. SQL injection
D. Cross-site scripting
Answer: A
Explanation:
Firmware is a type of software that is embedded in a hardware device, such as a router, a printer, or a BIOS chip. Firmware controls the basic functions and
operations of the device, and it can be updated or modified by the manufacturer or the user. Firmware version is a hardware-specific vulnerability, as it can expose
the device to security risks if it is outdated, corrupted, or tampered with. An attacker can exploit firmware vulnerabilities to gain unauthorized access, modify device
settings, install malware, or cause damage to the device or the network. Therefore, it is important to keep firmware updated and verify its integrity and authenticity.
References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 2, page 67. CompTIA Security+
SY0-701 Exam Objectives, Domain 2.1, page 10.
A. Off-the-shelf software
B. Orchestration
C. Baseline
D. Policy enforcement
Answer: B
Explanation:
Orchestration is the process of automating multiple tasks across different systems and applications. It can help save time and reduce human error by executing
predefined workflows and scripts. In this case, the systems administrator can use orchestration to create accounts for a large number of end users without having
to manually enter their information and assign permissions. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 457 1
A. Analysis
B. Lessons learned
C. Detection
D. Containment
Answer: A
Explanation:
Analysis is the incident response activity that describes the process of understanding the source of an incident. Analysis involves collecting and examining
evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor’s motives and capabilities. Analysis helps the incident
response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents. Analysis is usually performed after detection and
before containment, eradication, recovery, and lessons learned. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam
SY0-701, 9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13.
A. Conduct an audit.
B. Initiate a penetration test.
C. Rescan the network.
D. Submit a report.
Answer: C
Explanation:
After completing a vulnerability assessment and remediating the identified vulnerabilities, the next step is to rescan the network to verify that the vulnerabilities
have been successfully fixed and no new vulnerabilities have been introduced. A vulnerability assessment is a process of identifying and evaluating the
weaknesses and exposures in a network, system, or application that could be exploited by attackers. A vulnerability assessment typically involves using automated
tools, such as scanners, to scan the network and generate a report of the findings. The report may include information such as the severity, impact, and
remediation of the vulnerabilities. The operations team is responsible for applying the appropriate patches, updates, or configurations to address the vulnerabilities
and reduce the risk to the network. A rescan is necessary to confirm that the remediation actions have been effective and that the network is secure.
Conducting an audit, initiating a penetration test, or submitting a report are not the next steps after completing a vulnerability assessment and remediating the
vulnerabilities. An audit is a process of reviewing and verifying the compliance of the network with the established policies, standards, and regulations. An audit
may be performed by internal or external auditors, and it may use the results of the vulnerability assessment as part of the evidence. However, an audit is not a
mandatory step after a vulnerability assessment, and it does not validate the effectiveness of the remediation actions.
A penetration test is a process of simulating a real-world attack on the network to test the security defenses and identify any gaps or weaknesses. A penetration
test may use the results of the vulnerability assessment as a starting point, but it goes beyond scanning and involves exploiting the vulnerabilities to gain access or
cause damage. A penetration test may be performed after a vulnerability assessment, but only with the proper authorization, scope, and rules of engagement. A
penetration test is not a substitute for a rescan, as it does not verify that the vulnerabilities have been fixed.
Submitting a report is a step that is done after the vulnerability assessment, but before the remediation. The report is a document that summarizes the findings and
recommendations of the vulnerability assessment, and it is used to communicate the results to the stakeholders and the operations team. The report may also
include a follow-up plan and a timeline for the remediation actions. However, submitting a report is not the final step after the remediation, as it does not confirm
that the network is secure.
References = CompTIA Security+ SY0-701 Certification Study Guide, page 372- 375; Professor Messer’s CompTIA SY0-701 Security+ Training Course, video 4.1
- Vulnerability Scanning, 0:00 - 8:00.
A. Partition
B. Asymmetric
C. Full disk
D. Database
Answer: C
Explanation:
Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the operating system, applications, and files. FDE protects the data
from unauthorized access in case the laptop is lost, stolen, or disposed of without proper sanitization. FDE requires the user to enter a password, a PIN, a smart
card, or a biometric factor to unlock the drive and boot the system. FDE can be implemented by using software solutions, such as BitLocker, FileVault, or
VeraCrypt, or by using hardware solutions, such as self-encrypting drives (SEDs) or Trusted Platform Modules (TPMs). FDE is a recommended encryption
technique for laptops and other mobile devices that store sensitive data.
Partition encryption is a technique that encrypts only a specific partition or volume on a hard drive, leaving the rest of the drive unencrypted. Partition encryption is
less secure than FDE, as it does not protect the entire drive and may leave traces of data on unencrypted areas. Partition encryption is also less convenient than
FDE, as it requires the user to mount and unmount the encrypted partition manually.
Asymmetric encryption is a technique that uses a pair of keys, one public and one private, to encrypt and decrypt data. Asymmetric encryption is mainly used for
securing communication, such as email, web, or VPN, rather than for encrypting data at rest. Asymmetric encryption is also slower and more computationally
intensive than symmetric encryption, which is the type of encryption used by FDE and partition encryption.
Database encryption is a technique that encrypts data stored in a database, such as tables, columns, rows, or cells. Database encryption can be done at the
application level, the database level, or the file system level. Database encryption is useful for protecting data from unauthorized access by database
administrators, hackers, or malware, but it does not protect the data from physical theft or loss of the device that hosts the database. References = Data Encryption
– CompTIA Security+ SY0-401: 4.4, CompTIA Security+Cheat Sheet and PDF | Zero To Mastery, CompTIA Security+ SY0-601 Certification Course
- Cybr, Application Hardening – SY0-601 CompTIA Security+ : 3.2.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Based on the logs, it seems that the host that originated the infection is 192.168.10.22. This host has a suspicious process named svchost.exe running on port
443, which is unusual for a Windows service. It also has a large number of outbound connections to different IP addresses on port 443, indicating that it is part of a
botnet.
The firewall log shows that this host has been communicating with 10.10.9.18, which is another infected host on the engineering network. This host also has a
suspicious process named svchost.exe running on port 443, and a large number of outbound connections to different IP addresses on port 443.
The other hosts on the R&D network (192.168.10.37 and192.168.10.41) are clean, as they do not have any suspicious processes or connections.
A. Processor
B. Custodian
C. Subject
D. Owner
Answer: C
Explanation:
According to the CompTIA Security+ SY0-701 Certification Study Guide, data subjects are the individuals whose personal data is collected, processed, or stored
by an organization. Data subjects have certain rights and expectations regarding how their data is handled, such as the right to access, correct, delete, or restrict
their data. Data subjects are different from data owners, who are the individuals or entities that have the authority and responsibility to determine how data is
classified, protected, and used. Data subjects are also different from data processors, who are the individuals or entities that perform operations on data on behalf
of the data owner, such as collecting, modifying, storing, or transmitting data. Data subjects are also different from data custodians, who are the individuals or
entities that implement the security controls and procedures specified by the data owner to protect data while in transit and at rest.
ReferencesCompTIA Security+ SY0-701 Certification Study Guide, Chapter 2: Data Security, page 511
A. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25 32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25 32 port 53 Access list outbound deny 0.0.0.0 0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 10.50.10.25 32 port 53
D. Access list outbound permit 10.50.10.25 32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0.0.0.0.0.0/0 port 53
Answer: D
Explanation:
The correct answer is D because it allows only the device with the IP address 10.50.10.25 to send outbound DNS requests on port 53, and denies all other
devices from doing so. The other options are incorrect because they either allow all devices to send outbound DNS requests (A and C), or they allow no devices to
send outbound DNS requests (B). References = You can learn more about firewall ACLs and DNS in the following resources:
? CompTIA Security+ SY0-701 Certification Study Guide, Chapter 4: Network Security1
? Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 3.2: Firewall Rules2
? TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 6: Network Security, Lecture 28: Firewall Rules3
A. Segmentation
B. Isolation
C. Hardening
D. Decommissioning
Answer: C
Explanation:
A legacy server is a server that is running outdated or unsupported software or hardware, which may pose security risks and compatibility issues. A critical
business application is an application that is essential for the operation and continuity of the business, such as accounting, payroll, or inventory management. A
legacy server running a critical business application may be difficult to replace or upgrade, but it should not be left unsecured or exposed to potential threats.
One of the best ways to handle a legacy server running a critical business application is to harden it. Hardening is the process of applying security measures and
configurations to a system to reduce its attack surface and vulnerability. Hardening a legacy server may involve steps such as:
? Applying patches and updates to the operating system and the application, if available
? Removing or disabling unnecessary services, features, or accounts
? Configuring firewall rules and network access control lists to restrict inbound and outbound traffic
? Enabling encryption and authentication for data transmission and storage
? Implementing logging and monitoring tools to detect and respond to anomalous or malicious activity
? Performing regular backups and testing of the system and the application Hardening a legacy server can help protect the critical business application from
unauthorized access, modification, or disruption, while maintaining its functionality and availability. However, hardening a legacy server is not a permanent
solution, and it may not be sufficient to address all the security issues and challenges posed by the outdated or unsupported system. Therefore, it is advisable to
plan for the eventual decommissioning or migration of the legacy server to a more secure and modern platform, as soon as possible. References: CompTIA
Security+ SY0-701 Certification Study Guide, Chapter 3: Architecture and Design, Section 3.2: Secure System Design, Page 133 1; CompTIA Security+
Certification Exam Objectives, Domain 3: Architecture and Design, Objective 3.2: Explain the importance of secure system design, Subobjective: Legacy systems
2
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty
Answer: B
Explanation:
Data in transit is data that is moving from one location to another, such as over a network or through the air. Data in transit is vulnerable to interception,
modification, or theft by malicious actors. A VPN (virtual private network) is a technology that protects data in transit by creating a secure tunnel between two
endpoints and encrypting the data that passes through it2.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4, page 145.
A. Insider threat
B. Social engineering
C. Watering-hole
D. Unauthorized attacker
Answer: A
Explanation:
An insider threat is a type of attack that originates from someone who has legitimate access to an organization’s network, systems, or data. In this case, the
domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the
organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage. References: CompTIA Security+ Study
Guide: Exam SY0-701, 9th Edition, Chapter 1: General Security Concepts, page 251. CompTIA Security+ Certification Kit: Exam SY0- 701, 7th Edition, Chapter 1:
General Security Concepts, page 252.
A. Key stretching
B. Data masking
C. Steganography
D. Salting
Answer: D
Explanation:
Salting is the process of adding extra random data to a password or other data before applying a one-way data transformation algorithm, such as a hash function.
Salting increases the complexity and randomness of the input data, making it harder for attackers to guess or crack the original data using precomputed tables or
brute force methods. Salting also helps prevent identical passwords from producing identical hash values, which could reveal the passwords to attackers who have
access to the hashed data. Salting is commonly used to protect passwords stored in databases or transmitted over networks. References =
? Passwords technical overview
? Encryption, hashing, salting – what’s the difference?
? Salt (cryptography)
A. Automation
B. Compliance checklist
C. Attestation
D. Manual audit
Answer: A
Explanation:
Automation is the best way to consistently determine on a daily basis whether security settings on servers have been modified. Automation is the process of using
software, hardware, or other tools to perform tasks that would otherwise require human intervention or manual effort. Automation can help to improve the
efficiency, accuracy, and consistency of security operations, as well as reduce human errors and costs. Automation can be used to monitor, audit, and enforce
security settings on servers, such as firewall rules, encryption keys, access controls, patch levels, and configuration files. Automation can also alert security
personnel of any changes or anomalies that may indicate a security breach or compromise12.
The other options are not the best ways to consistently determine on a daily basis whether security settings on servers have been modified:
? Compliance checklist: This is a document that lists the security requirements, standards, or best practices that an organization must follow or adhere to. A
compliance checklist can help to ensure that the security settings on servers are aligned with the organizational policies and regulations, but it does not
automatically detect or report any changes or modifications that may occur on a daily basis3.
? Attestation: This is a process of verifying or confirming the validity or accuracy of a statement, claim, or fact. Attestation can be used to provide assurance or
evidence that the security settings on servers are correct and authorized, but it does not continuously monitor or audit any changes or modifications that may occur
on a daily basis4.
? Manual audit: This is a process of examining or reviewing the security settings on servers by human inspectors or auditors. A manual audit can help to identify
and correct any security issues or discrepancies on servers, but it is time-consuming, labor-intensive, and prone to human errors. A manual audit may not be
feasible or practical to perform on a daily basis.
References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 1022: Automation and Scripting – CompTIA Security+ SY0-701 – 5.1, video by
Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 974: CompTIA Security+ SY0-701 Certification Study Guide, page 98. :
CompTIA Security+ SY0-701 Certification Study Guide, page 99.
Which of the following is the most common data loss path for an air-gapped network?
A. Bastion host
B. Unsecured Bluetooth
C. Unpatched OS
D. Removable devices
Answer: D
Explanation:
An air-gapped network is a network that is physically isolated from other networks, such as the internet, to prevent unauthorized access and data leakage.
However, an air-gapped network can still be compromised by removable devices, such as USB drives, CDs, DVDs, or external hard drives, that are used to
transfer data between the air-gapped network and other networks. Removable devices can carry malware, spyware, or other malicious code that can infect the air-
gapped network or exfiltrate data from
it. Therefore, removable devices are the most common data loss path for an air-gapped network. References: CompTIA Security+ Study Guide: Exam SY0-701,
9th Edition, Chapter 9: Network Security, page 449 1
A. Hardening
B. Employee monitoring
C. Configuration enforcement
D. Least privilege
Answer: D
Explanation:
The principle of least privilege is a security concept that limits access to resources to the minimum level needed for a user, a program, or a device to perform a
legitimate function. It is a cybersecurity best practice that protects high-value data and assets from compromise or insider threat. Least privilege can be applied to
different abstraction layers of a computing environment, such as processes, systems, or connected devices. However, it is rarely implemented in practice.
In this scenario, the IT manager is setting up the principle of least privilege by restricting access to the administrator console of the help desk software to only two
authorized users: the IT manager and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to the software configuration,
data, or functionality by other help desk staff. The other help desk staff will only have access to the normal user interface of the software, which is sufficient for
them to perform their job functions.
The other options are not correct. Hardening is the process of securing a system by reducing its surface of vulnerability, such as by removing unnecessary
software, changing default passwords, or disabling unnecessary services. Employee monitoring is the surveillance of workers’ activity, such as by tracking web
browsing, application use, keystrokes, or screenshots. Configuration enforcement is the process of ensuring that a system adheres to a predefined set of security
settings, such as by applying a patch, a policy, or a template.
References = https://en.wikipedia.org/wiki/Principle_of_least_privilege https://en.wikipedia.org/wiki/Principle_of_least_privilege
A. It is a false positive.
B. A rescan is required.
C. It is considered noise.
D. Compensating controls exist.
Answer: A
Explanation:
A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service
on port 23 is open and uses an insecure network protocol. However, the security analyst performs a test using nmap and a script that checks for telnet encryption
support. The result shows that the telnet server supports encryption, which means that the data transmitted between the client and the server can be protected
from eavesdropping. Therefore, the reported vulnerability is a false positive and does not reflect the actual security posture of the server. The security analyst
should verify the encryption settings of the telnet server and client and ensure that they are configured properly3. References: 3: Telnet Protocol - Can You Encrypt
Telnet?
A. Active
B. Passive
C. Defensive
D. Offensive
Answer: A
Explanation:
Active reconnaissance is a type of reconnaissance that involves sending packets or requests to a target and analyzing the responses. Active reconnaissance can
reveal information such as open ports, services, operating systems, and vulnerabilities. However, active reconnaissance is also more likely to be detected by the
target or its security devices, such as firewalls or intrusion detection systems. Port and service scans are examples of active reconnaissance techniques, as they
involve probing the target for specific information. References = CompTIA Security+ Certification Exam Objectives, Domain 1.1: Given a scenario, conduct
reconnaissance using appropriate techniques and tools. CompTIA Security+ Study Guide (SY0-701), Chapter 2: Reconnaissance and Intelligence Gathering, page
47. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 1.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Web serverBotnet Enable DDoS protectionUser RAT Implement a host-based IPS Database server Worm Change the default application passwordExecutive
KeyloggerDisable vulnerable servicesApplication Backdoor Implement 2FA using push notification
Answer: C
Explanation:
The correct answer is C. Password, authentication token, thumbprint. This combination of authentication factors satisfies the manager’s goal of implementing
multifactor authentication that uses something you know, something you have, and something you are.
? Something you know is a type of authentication factor that relies on the user’s knowledge of a secret or personal information, such as a password, a PIN, or a
security question. A password is a common example of something you know that can be used to access a VPN12
? Something you have is a type of authentication factor that relies on the user’s possession of a physical object or device, such as a smart card, a token, or a
smartphone. An authentication token is a common example of something you have that can be used to generate a one-time password (OTP) or a code that can be
used to access a VPN12
? Something you are is a type of authentication factor that relies on the user’s biometric characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a
common example of something you are that can be used to scan and verify the user’s identity to access a VPN12
References:
1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Identity and Access Management, page 177 2: CompTIA Security+ Certification Kit:
Exam SY0-701, 7th Edition, Chapter 4: Identity and Access Management, page 179
A. Private
B. Confidential
C. Public
D. Operational
E. Urgent
F. Restricted
Answer: BF
Explanation:
Data classification is the process of assigning labels to data based on its sensitivity and business impact. Different organizations and sectors may have different
data classification schemes, but a common one is the following1:
? Public: Data that can be freely disclosed to anyone without any harm or risk.
? Private: Data that is intended for internal use only and may cause some harm or risk if disclosed.
? Confidential: Data that is intended for authorized use only and may cause significant harm or risk if disclosed.
? Restricted: Data that is intended for very limited use only and may cause severe harm or risk if disclosed.
In this scenario, the company is developing a critical system for the government and storing project information on a fileshare. This data is likely to be classified as
confidential and restricted, because it is not meant for public or private use, and it may cause serious damage to national security or public safety if disclosed. The
government may also have specific requirements or regulations for handling such data, such as encryption, access control, and auditing2. References: 1:
CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17 2: Data Classification Practices: Final Project Description Released
* SY0-701 Most Realistic Questions that Guarantee you a Pass on Your FirstTry
* SY0-701 Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year