SY0-701 CompTIA Security Updated Practice Questions
For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com
FB page: https://www.facebook.com/certquestionsbank
A selection of SY0-701 exam questions is shared below.
1.A security analyst finds a rogue device during a monthly audit of current endpoint assets that are
connected to the network. The corporate network utilizes 802.1X for access control. To be allowed on
the network, a device must have a known hardware address, and a valid user name and password
must be entered in a captive portal.
The following is the audit report:
Which of the following is the most likely way a rogue device was allowed to connect?
A. A user performed a MAC cloning attack with a personal device.
B. A DHCP failure caused an incorrect IP address to be distributed.
C. An administrator bypassed the security controls for testing.
D. DNS hijacking let an attacker intercept the captive portal traffic.
Answer: A
Explanation:
Admission here depends on the device presenting a hardware (MAC) address that is already on the
allow list, and a MAC address can be set freely in software. A user who copies the MAC address of an
authorized endpoint onto a personal device passes that check, then supplies their own valid user name
and password in the captive portal, so the rogue device is admitted and shows up in the audit next to
the legitimate asset. A DHCP failure only affects which IP address is handed out and does not get a
device past the hardware-address check, DNS hijacking does not supply a known hardware address
either, and nothing in the scenario points to an administrator bypass.
2.An analyst is evaluating the implementation of Zero Trust principles within the data plane.
Which of the following would be most relevant for the analyst to evaluate?
A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction
Answer: A
Explanation:
The data plane, also known as the forwarding plane, is the part of the network that carries user traffic
and data. It moves packets from one device to another based on the decisions made by the control
plane, and it is where an attacker who has gained a foothold actually moves, so Zero Trust principles
have to be enforced there and not only decided elsewhere.
The SY0-701 objectives (1.2) split Zero Trust architecture into these two planes. The control plane is
where the access decision is made: adaptive identity, threat scope reduction, policy-driven access
control, and the Policy Engine and Policy Administrator all belong there. The data plane is where the
decision is enforced on the traffic itself: its elements are implicit trust zones (the secured zones in this
question), the subject/system requesting access, and the Policy Enforcement Point.
Because the analyst is evaluating the data plane, secured (implicit trust) zones are the relevant item to
examine. Adaptive identity and threat scope reduction are control-plane concepts, and a subject's role
is an attribute the Policy Engine consults when reaching its decision rather than something enforced in
the forwarding path. In the data plane the practical questions are how small each zone is, and whether
every access between zones passes through the Policy Enforcement Point instead of being trusted
because of where the traffic originates.
Reference: CompTIA Security+ SY0-701 exam objectives, 1.2 (Zero Trust);
https://learn.microsoft.com/en-us/security/zero-trust/deploy/data
3.Which of the following is the primary purpose of a service that tracks log-ins and time spent using
the service?
A. Availability
B. Accounting
C. Authentication
D. Authorization
Answer: B
Explanation:
Accounting logs user activities such as log-ins and usage duration, which is part of the AAA
framework (Authentication, Authorization, and Accounting).
4.A systems administrator wants to prevent users from being able to access data based on their
responsibilities. The administrator also wants to apply the required access structure via a simplified
format.
Which of the following should the administrator apply to the site recovery resource group?
A. RBAC
B. ACL
C. SAML
D. GPO
Answer: A
Explanation:
RBAC stands for Role-Based Access Control, which is a method of restricting access to data and
resources based on the roles or responsibilities of users. RBAC simplifies the management of
permissions by assigning roles to users and granting access rights to roles, rather than to individual
users. RBAC can help enforce the principle of least privilege and reduce the risk of unauthorized
access or data leakage. The other options are not as suitable for the scenario as RBAC, as they
either do not prevent access based on responsibilities, or do not apply a simplified format.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 133
5.An administrator is investigating an incident and discovers several users’ computers were infected
with malware after viewing files that were shared with them. The administrator discovers no degraded
performance in the infected machines, and an examination of the log files does not show excessive
failed logins.
Which of the following attacks is most likely the cause of the malware?
A. Malicious flash drive
B. Remote access Trojan
C. Brute-forced password
D. Cryptojacking
Answer: B
Explanation:
A Remote Access Trojan (RAT) is malware that allows an attacker to gain unauthorized access to a
computer remotely. In this scenario:
Malware was spread through shared files, indicating the attack vector was file-based.
The infected machines did not exhibit degraded performance or excessive login attempts, ruling out
cryptojacking (which consumes resources) and brute-forcing (which generates failed login logs).
A RAT could allow attackers to control the machines without significant local activity, making it the
most plausible cause.
Why not the other options?
A. Malicious flash drive: No evidence suggests the use of a physical device to infect systems; the
malware spread through shared files.
C. Brute-forced password: This attack would show signs of excessive failed logins in the logs, which
are explicitly absent.
D. Cryptojacking: This type of malware focuses on mining cryptocurrency, which would degrade
performance due to high CPU/GPU usage.
6.An administrator discovers that some files on a database server were recently encrypted. The
administrator sees from the security logs that the data was last accessed by a domain user.
Which of the following best describes the type of attack that occurred?
A. Insider threat
B. Social engineering
C. Watering-hole
D. Unauthorized attacker
Answer: A
Explanation:
An insider threat is a type of attack that originates from someone who has legitimate access to an
organization’s network, systems, or data. In this case, the domain user who encrypted the files on the
database server is an example of an insider threat, as they abused their access privileges to cause
harm to the organization. Insider threats can be motivated by various factors, such as financial gain,
revenge, espionage, or sabotage.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 1: General
Security Concepts, page 25. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition,
Chapter 1: General Security Concepts, page 25.
7.A client demands at least 99.99% uptime from a service provider's hosted security services.
Which of the following documents includes the information the service provider should return to the
client?
A. MOA
B. SOW
C. MOU
D. SLA
Answer: D
Explanation:
A service level agreement (SLA) is a document that defines the level of service expected by a
customer from a service provider, indicating the metrics by which that service is measured, and the
remedies or penalties, if any, should the agreed-upon levels not be achieved. An SLA can specify the
minimum uptime or availability of a service, such as 99.99%, and the consequences for failing to meet
that standard. A memorandum of agreement (MOA), a statement of work (SOW), and a memorandum
of understanding (MOU) are other types of documents that can be used to establish a relationship
between parties, but they do not typically include the details of service levels and performance
metrics that an SLA does.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17
8.A security administrator is addressing an issue with a legacy system that communicates data using
an unencrypted protocol to transfer sensitive data to a third party. No software updates that use an
encrypted protocol are available, so a compensating control is needed.
Which of the following are the most appropriate for the administrator to suggest? (Select two.)
A. Tokenization
B. Cryptographic downgrade
C. SSH tunneling
D. Segmentation
E. Patch installation
F. Data masking
Answer: C, D
Explanation:
SSH tunneling (port forwarding) wraps the legacy protocol's traffic in an encrypted SSH session
between the two tunnel endpoints; note that the hop between the legacy system and its local tunnel
endpoint stays in cleartext unless the endpoint runs on the same host. Segmentation isolates the
legacy system so that only the tunnel endpoint and the systems that genuinely need it can reach it.
Cryptographic downgrade weakens protection rather than adding it, patch installation is ruled out by
the scenario, and tokenization and data masking change the data rather than protect the protocol
carrying it.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Threats, Section: "Compensating
Controls for Legacy Systems".
9.An employee in the accounting department receives an email containing a demand for payment for
services performed by a vendor. However, the vendor is not in the vendor management database.
Which of the following is this scenario an example of?
A. Pretexting
B. Impersonation
C. Ransomware
D. Invoice scam
Answer: D
Explanation:
The scenario describes an instance where an employee receives a fraudulent invoice from a vendor
that is not recognized in the company's vendor management system. This is a classic example of an
invoice scam, where attackers attempt to trick organizations into making payments for fake or non-
existent services. These scams often rely on social engineering tactics to bypass financial controls.
Reference: CompTIA Security+ SY0-701 study materials, particularly in the context of social
engineering attacks and common scams.
10.An employee recently resigned from a company. The employee was responsible for managing and
supporting weekly batch jobs over the past five years. A few weeks after the employee resigned, one
of the batch jobs failed and caused a major disruption.
Which of the following would work best to prevent this type of incident from reoccurring?
A. Job rotation
B. Retention
C. Outsourcing
D. Separation of duties
Answer: D
11.A systems administrator is auditing all company servers to ensure they meet the minimum
security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow
file has permissions beyond the baseline recommendation.
Which of the following commands should the systems administrator use to resolve this issue?
A. chmod
B. grep
C. dd
D. passwd
Answer: A
Explanation:
The chmod command is used to change file permissions on Unix and Linux systems. If /etc/shadow is
more permissive than the baseline (for example, readable by all users), the systems administrator uses
chmod to set the permission bits back to the baseline value, such as 640 with root:shadow ownership
on Debian-based systems or 000 with root:root ownership on RHEL-based systems, so that only
privileged processes can read the password hashes. grep only searches text, dd copies raw data, and
passwd changes a user's password; none of them alter file permissions.
Reference: CompTIA Security+ SY0-701 study materials, focusing on system hardening and file
permissions management.
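As an added illustration that is not part of the original question bank, the following Python script performs the check the question describes: it compares a file's permission bits and owner with a baseline and applies chmod (os.chmod) when the mode is looser than the baseline. The baseline values 0640 and owner root are assumptions drawn from Debian-family defaults for /etc/shadow (RHEL-family systems use 0000 root:root); the script's own demo runs against a temporary file rather than the real /etc/shadow.

```python
import os
import pwd
import stat
import tempfile

# Added example, not from the original question bank: audit a file's permission
# bits and owner against a hardening baseline and tighten the mode with chmod.
# Baseline values are assumptions: /etc/shadow is normally root:shadow 0640 on
# Debian-family systems and root:root 0000 on RHEL-family systems.


def audit_mode(path, baseline_mode, fix=True):
    """Return (compliant_before, mode_before, mode_after).

    The file is compliant when it grants no permission bit that the baseline
    does not grant; a mode stricter than the baseline is acceptable.
    """
    current = stat.S_IMODE(os.stat(path).st_mode)
    extra_bits = current & ~baseline_mode
    if not extra_bits:
        return True, current, current
    if fix:
        os.chmod(path, baseline_mode)       # what the question's chmod does
        return False, current, baseline_mode
    return False, current, current


def audit_owner(path, expected_owner):
    """Return (compliant, actual_owner). Ownership is reported, not changed."""
    owner = pwd.getpwuid(os.stat(path).st_uid).pw_name
    return owner == expected_owner, owner


def audit_file(path, baseline_mode, expected_owner, fix=True):
    """Run both checks and return a list of findings (empty when compliant)."""
    findings = []
    mode_ok, before, after = audit_mode(path, baseline_mode, fix)
    if not mode_ok:
        msg = f"{path}: mode {before:04o} exceeds baseline {baseline_mode:04o}"
        if fix:
            msg += f", changed to {after:04o}"
        findings.append(msg)
    owner_ok, owner = audit_owner(path, expected_owner)
    if not owner_ok:
        findings.append(f"{path}: owned by {owner}, baseline owner is {expected_owner}")
    return findings


if __name__ == "__main__":
    # Demonstrate on a throwaway file instead of the real /etc/shadow; to audit
    # the real file run audit_file("/etc/shadow", 0o640, "root") as root.
    fd, demo = tempfile.mkstemp()
    os.close(fd)
    os.chmod(demo, 0o666)                   # deliberately beyond the baseline
    for finding in audit_file(demo, 0o640, "root"):
        print(finding)
    print(f"mode now {stat.S_IMODE(os.stat(demo).st_mode):04o}")
    os.unlink(demo)
```

The comparison uses the baseline as an upper bound rather than demanding an exact match, so a file that is already locked down tighter than the baseline is not "fixed" into a looser state; ownership is only reported because changing it needs root and is a separate decision.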
12.Which of the following would a security administrator use to comply with a secure baseline during
a patch update?
A. Information security policy
B. Service-level expectations
C. Standard operating procedure
D. Test result report
Answer: C
Explanation:
Standard operating procedures (SOPs) outline the steps to be followed to maintain a secure baseline,
such as testing and deploying patches while minimizing risk to the system.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section:
"Patch Management and Baseline Compliance".
13.The Chief Information Security Officer (CISO) asks a security analyst to install an OS update to a
production VM that has a 99% uptime SLA. The CISO tells the analyst the installation must be done as
quickly as possible.
Which of the following courses of action should the security analyst take first?
A. Log in to the server and perform a health check on the VM.
B. Install the patch Immediately.
C. Confirm that the backup service is running.
D. Take a snapshot of the VM.
Answer: D
Explanation:
Before applying any updates or patches to a production VM, especially one with a 99% uptime SLA, it
is crucial to first take a snapshot of the VM. This snapshot serves as a backup that can be quickly
restored in case the update causes any issues, ensuring that the system can be returned to its
previous state without violating the SLA. This step mitigates risk and is a standard best practice in
change management for critical systems.
Reference: CompTIA Security+ SY0-701 study materials, focusing on change management and
backup strategies.
14.A company is utilizing an offshore team to help support the finance department. The company
wants to keep the data secure by keeping it on a company device but does not want to provide
equipment to the offshore team.
Which of the following should the company implement to meet this requirement?
A. VDI
B. MDM
C. VPN
D. VPC
Answer: A
Explanation:
Virtual Desktop Infrastructure (VDI) is a technology that allows users to access a virtualized desktop
environment that is hosted on a centralized server.
This solution meets the company’s requirements because:
Keeps data secure: All data resides on the company’s servers and never leaves the secure
environment, ensuring that sensitive financial information remains protected.
No need to provide equipment: Offshore team members can use their own devices to access the
virtual desktop. These devices only serve as terminals, and no data is stored locally.
Centralized management: The company can control and monitor the virtual desktop environment,
enforce security policies, and restrict access as needed.
Why not the other options?
B. MDM (Mobile Device Management): MDM focuses on securing and managing mobile devices used
to access corporate resources. While it can help secure offshore team devices, it does not prevent
data from being stored locally or address the need for centralized data hosting.
C. VPN (Virtual Private Network): A VPN provides secure remote access to the company’s network
but does not address the requirement to ensure data remains on company devices. Offshore team
members could still download or store data locally.
D. VPC (Virtual Private Cloud): A VPC is a private, isolated section of a public cloud where resources
like servers can be hosted securely. While it can be part of a solution, it does not directly provide the
virtual desktop functionality required to meet the company’s needs.
Conclusion:
VDI is the most appropriate technology for this scenario because it ensures data security by keeping
it on company-controlled devices while allowing offshore teams to use their own equipment to access
the environment.
15.Which of the following should a security administrator adhere to when setting up a new set of
firewall rules?
A. Disaster recovery plan
B. Incident response procedure
C. Business continuity plan
D. Change management procedure
Answer: D
Explanation:
A change management procedure is a set of steps and guidelines that a security administrator should
adhere to when setting up a new set of firewall rules. A firewall is a device or software that can filter,
block, or allow network traffic based on predefined rules or policies. A firewall rule is a statement that
defines the criteria and action for a firewall to apply to a packet or a connection. For example, a
firewall rule can allow or deny traffic based on the source and destination IP addresses, ports,
protocols, or applications. Setting up a new set of firewall rules is a type of change that can affect the
security, performance, and functionality of the network. Therefore, a change management procedure
is necessary to ensure that the change is planned, tested, approved, implemented, documented, and
reviewed in a controlled and consistent manner. A change management procedure typically includes
the following elements:
A change request that describes the purpose, scope, impact, and benefits of the change, as well as
the roles and responsibilities of the change owner, implementer, and approver.
A change assessment that evaluates the feasibility, risks, costs, and dependencies of the change, as
well as the alternatives and contingency plans.
A change approval that authorizes the change to proceed to the implementation stage, based on the
criteria and thresholds defined by the change policy.
A change implementation that executes the change according to the plan and schedule, and verifies
the results and outcomes of the change.
A change documentation that records the details and status of the change, as well as the lessons
learned and best practices.
A change review that monitors and measures the performance and effectiveness of the change, and
identifies any issues or gaps that need to be addressed or improved.
A change management procedure is important for a security administrator to adhere to when setting
up a new set of firewall rules, as it can help to achieve the following objectives:
Enhance the security posture and compliance of the network by ensuring that the firewall rules are
aligned with the security policies and standards, and that they do not introduce any vulnerabilities or
conflicts.
Minimize the disruption and downtime of the network by ensuring that the firewall rules are tested and
validated before deployment, and that they do not affect the availability or functionality of the network
services or applications.
Improve the efficiency and quality of the network by ensuring that the firewall rules are optimized and
updated according to the changing needs and demands of the network users and stakeholders, and
that they do not cause any performance or compatibility issues.
Increase the accountability and transparency of the network by ensuring that the firewall rules are
documented and reviewed regularly, and that they are traceable and auditable by the relevant
authorities and parties.
The other options are not correct because they are not related to the process of setting up a new set
of firewall rules. A disaster recovery plan is a set of policies and procedures that aim to restore the
normal operations of an organization in the event of a system failure, natural disaster, or other
emergency. An incident response procedure is a set of steps and guidelines that aim to contain,
analyze, eradicate, and recover from a security incident, such as a cyberattack, data breach, or
malware infection. A business continuity plan is a set of strategies and actions that aim to maintain
the essential functions and operations of an organization during and after a disruptive event, such as
a pandemic, power outage, or civil unrest.
Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 7: Resilience and Recovery, page
325. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.3: Security
Operations, video: Change Management (5:45).
16.An organization is leveraging a VPN between its headquarters and a branch location.
Which of the following is the VPN protecting?
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty
Answer: B
Explanation:
Data in transit is data that is moving from one location to another, such as over a network or through
the air. Data in transit is vulnerable to interception, modification, or theft by malicious actors. A VPN
(virtual private network) is a technology that protects data in transit by creating a secure tunnel
between two endpoints and encrypting the data that passes through it.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4, page 145.
17.A bank insists all of its vendors must prevent data loss on stolen laptops.
Which of the following strategies is the bank requiring?
A. Encryption at rest
B. Masking
C. Data classification
D. Permission restrictions
Answer: A
Explanation:
Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it
into an unreadable format that can only be accessed with a decryption key or password. Encryption at
rest can prevent data loss on stolen laptops by preventing unauthorized access to the data, even if
the device is physically compromised. Encryption at rest can also help comply with data privacy
regulations and standards that require data protection. Masking, data classification, and permission
restrictions are other strategies that can help protect data, but they may not be sufficient or applicable
for data stored on laptops. Masking is a technique that obscures sensitive data elements, such as
credit card numbers, with random characters or symbols, but it is usually used for data in transit or in
use, not at rest. Data classification is a process that assigns labels to data based on its sensitivity and
business impact, but it does not protect the data itself. Permission restrictions are rules that define
who can access, modify, or delete data, but they may not prevent unauthorized access if the laptop is
stolen and the security controls are bypassed.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 17-18, 372-373
18.A company needs to provide administrative access to internal resources while minimizing the
traffic allowed through the security boundary.
Which of the following methods is most secure?
A. Implementing a bastion host
B. Deploying a perimeter network
C. Installing a WAF
D. Utilizing single sign-on
Answer: A
Explanation:
A bastion host is a special-purpose server that is designed to withstand attacks and provide secure
access to internal resources. A bastion host is usually placed on the edge of a network, acting as a
gateway or proxy to the internal network. A bastion host can be configured to allow only certain types
of traffic, such as SSH or HTTP, and block all other traffic. A bastion host can also run security
software such as firewalls, intrusion detection systems, and antivirus programs to monitor and filter
incoming and outgoing traffic. A bastion host can provide administrative access to internal resources
by requiring strong authentication and encryption, and by logging all activities for auditing
purposes [1][2].
A bastion host is the most secure method among the given options because it minimizes the traffic
allowed through the security boundary and provides a single point of control and defense. A bastion
host can also isolate the internal network from direct exposure to the internet or other untrusted
networks, reducing the attack surface and the risk of compromise [3].
Deploying a perimeter network is not the correct answer, because a perimeter network is a network
segment that separates the internal network from the external network. A perimeter network usually
hosts public-facing services such as web servers, email servers, or DNS servers that need to be
accessible from the internet. A perimeter network does not provide administrative access to internal
resources, but rather protects them from unauthorized access. A perimeter network can also increase
the complexity and cost of network management and security [4].
Installing a WAF is not the correct answer, because a WAF is a security tool that protects web
applications from common web-based attacks by monitoring, filtering, and blocking HTTP traffic. A
WAF can prevent attacks such as cross-site scripting, SQL injection, or file inclusion, among others. A
WAF does not provide administrative access to internal resources, but rather protects them from web
application vulnerabilities. A WAF is also not a comprehensive solution for network security, as it only
operates at the application layer and does not protect against other types of attacks or threats [5].
Utilizing single sign-on is not the correct answer, because single sign-on is a method of authentication
that allows users to access multiple sites, services, or applications with one username and password.
Single sign-on can simplify the sign-in process for users and reduce the number of passwords they
have to remember and manage. Single sign-on does not provide administrative access to internal
resources, but rather enables access to various resources that the user is authorized to use. Single
sign-on can also introduce security risks if the user’s credentials are compromised or if the single
sign-on provider is breached [6].
Reference: [1] Bastion host - Wikipedia; [2] 14 Best Practices to Secure SSH Bastion Host -
goteleport.com; [3] The Importance Of Bastion Hosts In Network Security; [4] What is the network
perimeter? | Cloudflare; [5] What is a WAF? | Web Application Firewall explained; [6] What is single
sign-on (SSO)? - Definition from WhatIs.com
19.Which of the following best describes the concept of information being stored outside of its country
of origin while still being subject to the laws and requirements of the country of origin?
A. Data sovereignty
B. Geolocation
C. Intellectual property
D. Geographic restrictions
Answer: A
Explanation:
Data sovereignty refers to the principle that data stored in another country remains subject to the
originating country’s laws. This is a common concern in cloud computing.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section:
"Data Sovereignty and Regulatory Compliance".
20.Several employees received a fraudulent text message from someone claiming to be the Chief
Executive Officer (CEO).
The message stated:
“I’m in an airport right now with no access to email. I need you to buy gift cards for employee
recognition awards. Please send the gift cards to following email address.”
Which of the following are the best responses to this situation? (Choose two).
A. Cancel current employee recognition gift cards.
B. Add a smishing exercise to the annual company training.
C. Issue a general email warning to the company.
D. Have the CEO change phone numbers.
E. Conduct a forensic investigation on the CEO's phone.
F. Implement mobile device management.
Answer: B, C
Explanation:
This situation is an example of smishing, which is a type of phishing that uses text messages (SMS)
to entice individuals into providing personal or sensitive information to cybercriminals. The best
responses to this situation are to add a smishing exercise to the annual company training and to issue
a general email warning to the company. A smishing exercise can help raise awareness and educate
employees on how to recognize and avoid smishing attacks. An email warning can alert employees to
the fraudulent text message and remind them to verify the identity and legitimacy of any requests for
information or money.
Reference: What Is Phishing | Cybersecurity | CompTIA, Phishing - SY0-601 CompTIA Security+:
1.1 - Professor Messer IT Certification Training Courses
22.A website user is locked out of an account after clicking an email link and visiting a different
website. Web server logs show the user's password was changed, even though the user did not
change the password.
Which of the following is the most likely cause?
A. Cross-site request forgery
B. Directory traversal
C. ARP poisoning
D. SQL injection
Answer: A
Explanation:
The user's session with the website was still valid when the emailed link opened a page on a different
site, and that page submitted a password-change request to the legitimate site. Because the browser
attaches the site's session cookie to the request automatically, the server treated the forged request
as the user's own and changed the password, which is exactly what the web server logs show. That is
cross-site request forgery: the attacker never learns the password or the session cookie, but causes
the victim's browser to send a request the victim did not intend. Directory traversal and SQL injection
are attacks on the server's handling of input rather than on the user's authenticated session, and ARP
poisoning operates on the local network segment, not through an email link.
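To make the mechanism concrete, here is an added Python example, not from the original page, of a password-change endpoint modelled as plain functions: one version trusts the session cookie alone and so accepts a request that a page on another site auto-submits, the other applies the synchronizer-token pattern together with an Origin header check. The session store, user table, site origin and request layout are constructed for the example and do not come from the question.

```python
import hmac
import secrets

# Added example, not from the original page: a password-change endpoint with and
# without CSRF protection, written as plain functions so it runs offline.
# A request is a dict standing in for what a web framework would hand over:
#   cookies: attached automatically by the browser, so a cross-site form gets them
#   headers: the Origin header, when the browser supplies one
#   form:    the POST body, which a cross-site page controls completely
# The session store, user table and site origin below are constructed sample data.

SITE_ORIGIN = "https://shop.example"
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
USERS = {"alice": {"password": "old-password"}}


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("session"))


def change_password_vulnerable(request):
    """Trusts the session cookie alone: a form on another site that auto-submits
    to this endpoint arrives with the victim's cookie and is accepted."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    USERS[session["user"]]["password"] = request["form"]["new_password"]
    return 200, "password changed"


def change_password_hardened(request):
    """Synchronizer-token pattern plus an Origin check. The token is stored in
    the session and rendered into the site's own form; a page on another origin
    cannot read it, so it cannot submit a matching value."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    USERS[session["user"]]["password"] = request["form"]["new_password"]
    return 200, "password changed"


def forged_request(with_origin=True):
    """What the victim's browser sends after following the emailed link: the
    attacker's form body, the victim's own session cookie, and no token."""
    headers = {"Origin": "https://attacker.example"} if with_origin else {}
    return {"cookies": {"session": "sess-abc"},
            "headers": headers,
            "form": {"new_password": "attacker-chosen"}}


def legitimate_request():
    """The site's own form submission, which carries the session's token."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"new_password": "user-chosen",
                     "csrf_token": SESSIONS["sess-abc"]["csrf"]}}


if __name__ == "__main__":
    print("vulnerable, forged :", change_password_vulnerable(forged_request()))
    USERS["alice"]["password"] = "old-password"
    print("hardened, forged   :", change_password_hardened(forged_request()))
    print("hardened, no Origin:", change_password_hardened(forged_request(False)))
    print("hardened, genuine  :", change_password_hardened(legitimate_request()))
    print("alice's password is now:", USERS["alice"]["password"])
```

The Origin check alone is not enough, because older clients and some request paths omit the header, so the token check is the control that has to hold; marking the session cookie SameSite adds a third, browser-enforced layer. Most web frameworks ship the token check as middleware, so in practice the fix is to enable it rather than write it.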
23.A company's online shopping website became unusable shortly after midnight on January 30,
2023.
When a security analyst reviewed the database server, the analyst noticed the following code used
for backing up data:
24.Which of the following is the best way to provide secure remote access for employees while
minimizing the exposure of a company's internal network?
A. VPN
B. LDAP
C. FTP
D. RADIUS
Answer: A
Explanation:
A VPN (Virtual Private Network) is a secure method to provide employees with remote access to a
company's network. It encrypts data, protecting it from interception and ensuring secure
communication between the user and the internal network.
Reference: Security+ SY0-701 Course Content, Security+ SY0-601 Book.
25.A security manager created new documentation to use in response to various types of security
incidents.
Which of the following is the next step the manager should take?
A. Set the maximum data retention policy.
B. Securely store the documents on an air-gapped network.
C. Review the documents' data classification policy.
D. Conduct a tabletop exercise with the team.
Answer: D
Explanation:
A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response
plan. It involves gathering the relevant stakeholders and walking through the steps of the plan,
identifying any gaps or issues that need to be addressed. A tabletop exercise is a good way to
validate the documentation created by the security manager and ensure that the team is prepared for
various types of security incidents.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 6: Risk
Management, page 284. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 6:
Risk Management, page 284.
26.A security analyst and the management team are reviewing the organizational performance of a
recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and
the management team wants to reduce the impact when a user clicks on a link in a phishing
message.
Which of the following should the analyst do?
A. Place posters around the office to raise awareness of common phishing activities.
B. Implement email security filters to prevent phishing emails from being delivered
C. Update the EDR policies to block automatic execution of downloaded programs.
D. Create additional training for users to recognize the signs of phishing attempts.
Answer: C
Explanation:
An endpoint detection and response (EDR) system is a security tool that monitors and analyzes the
activities and behaviors of endpoints, such as computers, laptops, mobile devices, and servers. An
EDR system can detect, prevent, and respond to various types of threats, such as malware,
ransomware, phishing, and advanced persistent threats (APTs). One of the features of an EDR
system is to block the automatic execution of downloaded programs, which can prevent malicious
code from running on the endpoint when a user clicks on a link in a phishing message. This can
reduce the impact of a phishing attack and protect the endpoint from compromise. Updating the EDR
policies to block automatic execution of downloaded programs is a technical control that can mitigate
the risk of phishing, regardless of the user’s awareness or behavior. Therefore, this is the best
answer among the given options.
The other options are not as effective as updating the EDR policies, because they rely on
administrative or physical controls that may not be sufficient to prevent or stop a phishing attack.
Placing posters around the office to raise awareness of common phishing activities is a physical
control that can increase the user’s knowledge of phishing, but it may not change their behavior or
prevent them from clicking on a link in a phishing message. Implementing email security filters to
prevent phishing emails from being delivered is an administrative control that can reduce the
exposure to phishing, but it may not be able to block all phishing emails, especially if they are crafted
to bypass the filters. Creating additional training for users to recognize the signs of phishing attempts
is an administrative control that can improve the user’s skills of phishing detection, but it may not
guarantee that they will always be vigilant or cautious when receiving an email. Therefore, these
options are not the best answer for this question.
Reference: Endpoint Detection and Response - CompTIA Security+ SY0-701 - 2.2, video at 5:30;
CompTIA Security+ SY0-701 Certification Study Guide, page 163.
28.A security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from
accessing the organization’s network.
Which of the following fulfills this request?
A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
Answer: B
Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet to pass through the
firewall. A firewall rule consists of several elements, such as the action, the protocol, the source
address, the destination address, and the port number. The syntax of a firewall rule may vary
depending on the type and vendor of the firewall, but the basic logic is the same. In this question, the
security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing
the organization’s network. This means that the action should be deny, the protocol should be any
(the keyword ip, meaning any IP protocol), the source address should be 10.1.4.9/32 (a single host
address), the destination address should be 0.0.0.0/0 (any IP address), and the port number should
be any.
Therefore, the correct firewall rule is:
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
This rule will match any packet that has the source IP address of 10.1.4.9 and drop it. The other
options are incorrect because they either have the wrong action, the wrong source address, or the
wrong destination address. For example, option A has the source and destination addresses
reversed, which means that it will block any packet that has the destination IP address of 10.1.4.9,
which is not the intended goal. Option C has the wrong action, permit, which means that it will allow
the packet to pass through the firewall, which is also not the intended goal. Option D combines both
problems: it uses the permit action and, like option A, has the source and destination addresses
reversed.
Reference: Firewall Rules - CompTIA Security+ SY0-401: 1.2; Firewalls - SY0-601 CompTIA
Security+: 3.3; Firewalls - CompTIA Security+ SY0-501; Understanding Firewall Rules - CompTIA
Network+ N10-005: 5.5; Configuring Windows Firewall - CompTIA A+ 220-1102 - 1.6.
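To make the first-match logic behind the four options concrete, here is an added example (not part of the question bank) that parses rules in the access-list syntax shown above and applies each option to a few constructed packets. Treating ip as "any IP protocol" and the packet addresses (192.0.2.10 as an internal host, 198.51.100.7 as an unrelated external host) are assumptions made for this demonstration.

```python
"""
Added example (not from the question bank): a minimal first-match evaluator for
the access-list syntax used in the question above. The rule grammar is the one
shown on the page; treating "ip" as "any IP protocol" and the constructed packet
addresses (192.0.2.10 as an internal host, 198.51.100.7 as an unrelated external
host) are assumptions made for this demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any IP protocol
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def parse_rule(line: str) -> Rule:
    """Parse 'access-list <name> <permit|deny> <proto> source <cidr> destination <cidr>'."""
    parts = line.split()
    if (len(parts) != 8 or parts[0] != "access-list"
            or parts[4] != "source" or parts[6] != "destination"):
        raise ValueError(f"unrecognised rule syntax: {line!r}")
    action, proto = parts[2], parts[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    return Rule(action, proto,
                ipaddress.ip_network(parts[5], strict=False),
                ipaddress.ip_network(parts[7], strict=False))


def matches(rule: Rule, src: str, dst: str, proto: str) -> bool:
    """A rule matches when protocol, source prefix and destination prefix all match."""
    proto_ok = rule.proto == "ip" or rule.proto == proto
    return (proto_ok
            and ipaddress.ip_address(src) in rule.source
            and ipaddress.ip_address(dst) in rule.destination)


def first_match(rules: list[Rule], src: str, dst: str, proto: str = "tcp") -> Optional[str]:
    """ACLs are evaluated top-down; the first matching rule decides. None = no rule matched."""
    for rule in rules:
        if matches(rule, src, dst, proto):
            return rule.action
    return None


# Constructed packets: inbound from the host to block, inbound from an unrelated
# host, and a packet heading back out towards 10.1.4.9 (documentation ranges used).
PACKETS = {
    "from_10.1.4.9": ("10.1.4.9", "192.0.2.10"),
    "from_other_host": ("198.51.100.7", "192.0.2.10"),
    "to_10.1.4.9": ("192.0.2.10", "10.1.4.9"),
}

OPTIONS = {
    "A": "access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32",
    "B": "access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "C": "access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "D": "access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32",
}


def effect(rule_line: str) -> dict[str, Optional[str]]:
    """What a single rule does to each constructed packet."""
    rule = parse_rule(rule_line)
    return {name: first_match([rule], src, dst) for name, (src, dst) in PACKETS.items()}


def options_that_block(host: str, options: dict[str, str]) -> list[str]:
    """Options whose rule denies inbound traffic from `host` and leaves other inbound traffic alone."""
    chosen = []
    for label, line in options.items():
        rule = parse_rule(line)
        blocks_host = first_match([rule], host, "192.0.2.10") == "deny"
        leaves_others = first_match([rule], "198.51.100.7", "192.0.2.10") is None
        if blocks_host and leaves_others:
            chosen.append(label)
    return chosen


if __name__ == "__main__":
    for label, line in OPTIONS.items():
        print(label, effect(line))
    print("correct option(s):", options_that_block("10.1.4.9", OPTIONS))   # ['B']
```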
29.A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive
customer data.
Which of the following should the administrator do first?
A. Block access to cloud storage websites.
B. Create a rule to block outgoing email attachments.
C. Apply classifications to the data.
D. Remove all user permissions from shares on the file server.
Answer: C
Explanation:
Data classification is the process of assigning labels or tags to data based on its sensitivity, value,
and risk. Data classification is the first step in a data loss prevention (DLP) solution, as it helps to
identify what data needs to be protected and how. By applying classifications to the data, the security
administrator can define appropriate policies and rules for the DLP solution to prevent the exfiltration
of sensitive customer data.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 8: Data Protection,
page 323. CompTIA Security+ Practice Tests: Exam SY0-701, 3rd Edition, Chapter 8: Data
Protection, page 327.
30.A systems administrator is auditing all company servers to ensure they meet the minimum
security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow
file has permissions beyond the baseline recommendation.
Which of the following commands should the systems administrator use to resolve this issue?
A. chmod
B. grep
C. dd
D. passwd
Answer: A
31.Which of the following security concepts is the best reason for permissions on a human resources
fileshare to follow the principle of least privilege?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C
Explanation:
Confidentiality is the security concept that ensures data is protected from unauthorized access or
disclosure. The principle of least privilege is a technique that grants users or systems the minimum
level of access or permissions that they need to perform their tasks, and nothing more. By applying
the principle of least privilege to a human resources fileshare, the permissions can be restricted to
only those who have a legitimate need to access the sensitive data, such as HR staff, managers, or
auditors. This can prevent unauthorized users, such as hackers, employees, or contractors, from
accessing, copying, modifying, or deleting the data. Therefore, the principle of least privilege can
enhance the confidentiality of the data on the fileshare. Integrity, availability, and non-repudiation are
other security concepts, but they are not the best reason for permissions on a human resources
fileshare to follow the principle of least privilege. Integrity is the security concept that ensures data is
accurate and consistent, and protected from unauthorized modification or corruption. Availability is the
security concept that ensures data is accessible and usable by authorized users or systems when
needed. Non-repudiation is the security concept that ensures the authenticity and accountability of
data and actions, and prevents the denial of involvement or responsibility. While these concepts are
also important for data security, they are not directly related to the level of access or permissions
granted to users or systems.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17, 372-373
33.Which of the following types of identification methods can be performed on a deployed application
during runtime?
A. Dynamic analysis
B. Code review
C. Package monitoring
D. Bug bounty
Answer: A
Explanation:
Dynamic analysis is performed on software during execution to identify vulnerabilities based on how
the software behaves in real-world scenarios. It is useful in detecting security issues that only appear
when the application is running.
Reference: CompTIA SY0-701 Course Content.
34.Which of the following allows a systems administrator to tune permissions for a file?
A. Patching
B. Access control list
C. Configuration enforcement
D. Least privilege
Answer: B
Explanation:
Access control lists (ACLs) allow administrators to fine-tune file permissions by specifying which
users or groups have access to a file and defining the level of access.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section:
"Access Control Mechanisms".
36.Which of the following is most likely associated with introducing vulnerabilities on a corporate
network by the deployment of unapproved software?
A. Hacktivists
B. Script kiddies
C. Competitors
D. Shadow IT
Answer: D
37.Which of the following is the best reason to complete an audit in a banking environment?
A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement
Answer: A
Explanation:
A regulatory requirement is a mandate imposed by a government or an authority that must be
followed by an organization or an individual. In a banking environment, audits are often required by
regulators to ensure compliance with laws, standards, and policies related to security, privacy, and
financial reporting. Audits help to identify and correct any gaps or weaknesses in the security posture
and the internal controls of the organization.
Reference: Official CompTIA Security+ Study Guide (SY0-701), page 507
38.The marketing department set up its own project management software without telling the
appropriate departments.
Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption
Answer: A
Explanation:
Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an
organization. The marketing department set up its own project management software without telling
the appropriate departments, such as IT, security, or compliance. This could pose a risk to the
organization’s security posture, data integrity, and regulatory compliance.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 2, page 35.
39.
Explanation:
802.1X is a network access control protocol that provides an authentication mechanism to devices
trying to connect to a LAN or WLAN. It supports the use of certificates for authentication, can
quarantine unapproved devices, and ensures that only approved and updated devices can access
network resources. This protocol best meets the requirements of securing both wired and wireless
networks with internal certificates.
Reference: CompTIA Security+ SY0-701 study materials, particularly in the domain of network
security and authentication protocols.
40.After a recent vulnerability scan, a security engineer needs to harden the routers within the
corporate network.
Which of the following is the most appropriate to disable?
A. Console access
B. Routing protocols
C. VLANs
D. Web-based administration
Answer: D
Explanation:
Web-based administration is a feature that allows users to configure and manage routers through a
web browser interface. While this feature can provide convenience and ease of use, it can also pose
a security risk, especially if the web interface is exposed to the internet or uses weak authentication or
encryption methods. Web-based administration can be exploited by attackers to gain unauthorized
access to the router’s settings, firmware, or data, or to launch attacks such as cross-site scripting
(XSS) or cross-site request forgery (CSRF). Therefore, disabling web-based administration is a good
practice to harden the routers within the corporate network. Console access, routing protocols, and
VLANs are other features that can be configured on routers, but they are not the most appropriate to
disable for hardening purposes. Console access is a physical connection to the router that requires
direct access to the device, which can be secured by locking the router in a cabinet or using a strong
password. Routing protocols are essential for routers to exchange routing information and maintain
network connectivity, and they can be secured by using authentication or encryption mechanisms.
VLANs are logical segments of a network that can enhance network performance and security by
isolating traffic and devices, and they can be secured by using VLAN access control lists (VACLs) or
private VLANs (PVLANs).
Reference: CCNA SEC: Router Hardening; Your Router’s Security Stinks: Here’s How to Fix It.
41.Which of the following is a common source of unintentional corporate credential leakage in cloud
environments?
A. Code repositories
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases
Answer: A
Explanation:
Code repositories are a common source of unintentional corporate credential leakage, especially in
cloud environments. Developers may accidentally commit and push sensitive information, such as
API keys, passwords, and other credentials, to public or poorly secured repositories. These
credentials can then be accessed by unauthorized users, leading to security breaches. Ensuring that
repositories are properly secured and that sensitive data is never committed is critical for protecting
against this type of leakage.
Reference: CompTIA Security+ SY0-701 Course Content: Domain 03 Security Architecture.
CompTIA Security+ SY0-601 Study Guide: Chapter on Threats and Vulnerability Management.
43.Which of the following methods would most likely be used to identify legacy systems?
A. Bug bounty program
B. Vulnerability scan
C. Package monitoring
D. Dynamic analysis
Answer: B
Explanation:
A vulnerability scan is the most likely method to identify legacy systems. These scans assess an
organization's network and systems for known vulnerabilities, including outdated or unsupported
software (i.e., legacy systems) that may pose a security risk. The scan results can highlight systems
that are no longer receiving updates, helping IT teams address these risks.
Bug bounty programs are used to incentivize external researchers to find security flaws, but they are
less effective at identifying legacy systems.
Package monitoring tracks installed software packages for updates or issues but is not as
comprehensive for identifying legacy systems.
Dynamic analysis is typically used for testing applications during runtime to find vulnerabilities, but not
for identifying legacy systems.
44.Which of the following is the most likely to be included as an element of communication in a
security awareness program?
A. Reporting phishing attempts or other suspicious activities
B. Detecting insider threats using anomalous behavior recognition
C. Verifying information when modifying wire transfer data
D. Performing social engineering as part of third-party penetration testing
Answer: A
Explanation:
A security awareness program is a set of activities and initiatives that aim to educate and inform the
users and employees of an organization about the security policies, procedures, and best practices. A
security awareness program can help to reduce the human factor in security risks, such as social
engineering, phishing, malware, data breaches, and insider threats. A security awareness program
should include various elements of communication, such as newsletters, posters, videos, webinars,
quizzes, games, simulations, and feedback mechanisms, to deliver the security messages and
reinforce the security culture. One of the most likely elements of communication to be included in a
security awareness program is reporting phishing attempts or other suspicious activities, as this can
help to raise the awareness of the users and employees about the common types of cyberattacks and
how to respond to them. Reporting phishing attempts or other suspicious activities can also help to
alert the security team and enable them to take appropriate actions to prevent or mitigate the impact
of the attacks. Therefore, this is the best answer among the given options.
The other options are not as likely to be included as elements of communication in a security
awareness program, because they are either technical or operational tasks that are not directly
related to the security awareness of the users and employees. Detecting insider threats using
anomalous behavior recognition is a technical task that involves using security tools or systems to
monitor and analyze the activities and behaviors of the users and employees and identify any
deviations or anomalies that may indicate malicious or unauthorized actions. This task is usually
performed by the security team or the security operations center, and it does not require the
communication or participation of the users and employees. Verifying information when modifying
wire transfer data is an operational task that involves using verification methods, such as phone calls,
emails, or digital signatures, to confirm the authenticity and accuracy of the information related to wire
transfers, such as the account number, the amount, or the recipient. This task is usually performed by
the financial or accounting department, and it does not involve the security awareness of the users
and employees. Performing social engineering as part of third-party penetration testing is a technical
task that involves using deception or manipulation techniques, such as phishing,
vishing, or impersonation, to test the security posture and the vulnerability of the users and
employees to social engineering attacks. This task is usually performed by external security
professionals or consultants, and it does not require the communication or consent of the users and
employees. Therefore, these options are not the best answer for this question.
Reference: Security Awareness and Training C CompTIA Security+ SY0-701: 5.2, video at 0:00;
CompTIA Security+ SY0-701 Certification Study Guide, page 263.
45.An administrator has identified and fingerprinted specific files that will generate an alert if an
attempt is made to email these files outside of the organization.
Which of the following best describes the tool the administrator is using?
A. DLP
B. SNMP traps
C. SCAP
D. IPS
Answer: A
Explanation:
The administrator is using a Data Loss Prevention (DLP) tool, which is designed to identify, monitor,
and protect sensitive data. By fingerprinting specific files, DLP ensures that these files cannot be
emailed or sent outside the organization without triggering an alert or blocking the action. This is a
key feature of DLP systems, which prevent data exfiltration and ensure data security compliance.
SNMP traps are used for network management and monitoring, not data protection.
SCAP (Security Content Automation Protocol) is a set of standards for automating vulnerability
management and policy compliance, unrelated to file monitoring.
IPS (Intrusion Prevention System) blocks network-based attacks but does not handle file
fingerprinting.
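As an added example (not from the question bank), the following models the file fingerprinting the explanation describes: registered files are fingerprinted by SHA-256 digests of the whole file and of each fixed-size chunk, so both an exact copy and a lightly edited, renamed copy raise an alert when mailed to an external recipient. The chunk size, the internal mail domain and the sample records are constructed for this demonstration; production DLP engines use more robust rolling-hash schemes.

```python
"""
Added example (not from the question bank): a simplified model of the DLP file
fingerprinting described above. A registered file is fingerprinted by a SHA-256
digest of the whole file and of each fixed-size chunk, so an exact copy and a
lightly edited copy both trigger an alert when mailed to an external recipient.
Real DLP engines use more robust rolling-hash schemes; the chunk size, the
internal domain and the sample records are constructed for this demonstration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

CHUNK = 64                          # bytes per chunk (assumption, small for the demo)
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_digests(data: bytes) -> set[str]:
    """Digest of every CHUNK-byte piece of `data` (last piece may be shorter)."""
    return {sha256(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)}


@dataclass(frozen=True)
class Fingerprint:
    name: str
    whole: str              # digest of the entire file
    chunks: frozenset[str]  # digests of each CHUNK-byte piece


def fingerprint(name: str, data: bytes) -> Fingerprint:
    """Register a sensitive file so later copies of it can be recognised."""
    return Fingerprint(name, sha256(data), frozenset(chunk_digests(data)))


def match_score(fp: Fingerprint, data: bytes) -> float:
    """Fraction of the registered file's chunks present in `data`; 1.0 for an exact copy."""
    if sha256(data) == fp.whole:
        return 1.0
    return len(fp.chunks & chunk_digests(data)) / len(fp.chunks)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    attachments: dict[str, bytes]   # attachment name -> content


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inspect_message(msg: Message, registry: list[Fingerprint],
                    threshold: float = 0.5) -> list[str]:
    """Return one alert per attachment that matches a fingerprint, but only when
    at least one recipient is outside the organisation."""
    if not any(is_external(r) for r in msg.recipients):
        return []   # internal mail: fingerprinted files may circulate inside
    alerts = []
    for att_name, data in msg.attachments.items():
        for fp in registry:
            score = match_score(fp, data)
            if score >= threshold:
                alerts.append(f"ALERT: {att_name} matches {fp.name} "
                              f"({score:.0%}) sent to external recipient")
    return alerts


# Constructed sample data: 32 fake customer records, an edited copy, an unrelated file.
SECRET = b"".join(b"customer-record-%04d;" % i for i in range(32))
EDITED = SECRET.replace(b"0003", b"9999")   # one record altered, the rest intact
UNRELATED = b"quarterly newsletter draft, nothing sensitive here\n" * 12
REGISTRY = [fingerprint("customer_list.csv", SECRET)]


def demo() -> dict[str, list[str]]:
    """Run four constructed outbound messages through the inspector."""
    external = ["partner@example.net"]
    internal = ["colleague@example.com"]
    sender = "alice@example.com"
    return {
        "internal_exact": inspect_message(
            Message(sender, internal, {"customer_list.csv": SECRET}), REGISTRY),
        "external_exact": inspect_message(
            Message(sender, external, {"list.csv": SECRET}), REGISTRY),
        "external_edited": inspect_message(
            Message(sender, external, {"renamed.csv": EDITED}), REGISTRY),
        "external_unrelated": inspect_message(
            Message(sender, external, {"news.txt": UNRELATED}), REGISTRY),
    }


if __name__ == "__main__":
    for case, alerts in demo().items():
        print(case, alerts or "no alert")
```

Only the external messages carrying the registered file, exact or edited, produce an alert; the internal copy and the unrelated attachment pass silently.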
46.A visitor plugs a laptop into a network jack in the lobby and is able to connect to the company's
network.
Which of the following should be configured on the existing network infrastructure to best prevent this
activity?
A. Port security
B. Web application firewall
C. Transport layer security
D. Virtual private network
Answer: A
Explanation:
Port security is the best solution to prevent unauthorized devices, like a visitor's laptop, from
connecting to the company’s network. Port security can limit the number of devices that can connect
to a network switch port and block unauthorized MAC addresses, effectively stopping unauthorized
access attempts.
Web application firewall (WAF) protects against web-based attacks, not unauthorized network
access.
Transport Layer Security (TLS) ensures encrypted communication but does not manage physical
network access.
Virtual Private Network (VPN) secures remote connections but does not control access through
physical network ports.
47.Which of the following is an example of a data protection strategy that uses tokenization?
A. Encrypting databases containing sensitive data
B. Replacing sensitive data with surrogate values
C. Removing sensitive data from production systems
D. Hashing sensitive data in critical systems
Answer: B
Explanation:
Tokenization replaces sensitive data with non-sensitive surrogate values that retain the necessary
format but are meaningless without access to the original data.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section:
"Data Masking and Tokenization".
48.An analyst is reviewing an incident in which a user clicked on a link in a phishing email.
Which of the following log sources would the analyst utilize to determine whether the connection was
successful?
A. Network
B. System
C. Application
D. Authentication
Answer: D
49.Which of the following considerations is the most important for an organization to evaluate as it
establishes and maintains a data privacy program?
A. Reporting structure for the data privacy officer
B. Request process for data subject access
C. Role as controller or processor
D. Physical location of the company
Answer: C
Explanation:
The most important consideration when establishing a data privacy program is defining the
organization's role as a controller or processor. These roles, as outlined in privacy regulations such as
the General Data Protection Regulation (GDPR), determine the responsibilities regarding the handling
of personal data. A controller is responsible for determining the purpose and means of data
processing, while a processor acts on behalf of the controller. This distinction is crucial for compliance
with data privacy laws.
Reporting structure for the data privacy officer is important, but it is a secondary consideration
compared to legal roles.
Request process for data subject access is essential for compliance but still depends on the
organization's role as controller or processor.
Physical location of the company can affect jurisdiction, but the role as controller or processor has a
broader and more immediate impact.
50.The application development teams have been asked to answer the following questions:
• Does this application receive patches from an external source?
• Does this application contain open-source code?
• Is this application accessible by external users?
• Does this application meet the corporate password standard?
Which of the following are these questions part of?
A. Risk control self-assessment
B. Risk management strategy
C. Risk acceptance
D. Risk matrix
Answer: A
Explanation:
The questions listed are part of a Risk Control Self-Assessment (RCSA), which is a process where
teams evaluate the risks associated with their operations and assess the effectiveness of existing
controls. The questions focus on aspects such as patch management, the use of open-source code,
external access, and compliance with corporate standards, all of which are critical for identifying and
mitigating risks.
Reference: CompTIA Security+ SY0-701 Course Content: The course discusses various risk
management processes, including self-assessments that help in identifying and managing risks within
the organization.
51.Which of the following best describe why a process would require a two-person integrity security
control?
A. To increase the chance that the activity will be completed in half of the time the process would take
only one user to complete
B. To permit two users from another department to observe the activity that is being performed by an
authorized user
C. To reduce the risk that the procedures are performed incorrectly or by an unauthorized user
D. To allow one person to perform the activity while being recorded on the CCTV camera
Answer: C
Explanation:
A two-person integrity security control is implemented to minimize the risk of errors or unauthorized
actions. This control ensures that at least two individuals are involved in critical operations, which
helps to verify the accuracy of the process and prevents unauthorized users from acting alone. It's a
security measure commonly used in sensitive operations, like financial transactions or access to
critical systems, to ensure accountability and accuracy.
Reference: CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management
and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Security Operations and Management.
52.A company is discarding a classified storage array and hires an outside vendor to complete the
disposal.
Which of the following should the company request from the vendor?
A. Certification
B. Inventory list
C. Classification
D. Proof of ownership
Answer: A
Explanation:
The company should request a certification from the vendor that confirms the storage array has been
disposed of securely and in compliance with the company’s policies and standards. A certification
provides evidence that the vendor has followed the proper procedures and methods to destroy the
classified data and prevent unauthorized access or recovery. A certification may also include details
such as the date, time, location, and method of disposal, as well as the names and signatures of the
personnel involved.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 1441
53.Which of the following roles, according to the shared responsibility model, is responsible for
securing the company’s database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA
Answer: A
Explanation:
According to the shared responsibility model, the client and the cloud provider have different roles
and responsibilities for securing the cloud environment, depending on the service model. In an IaaS
(Infrastructure as a Service) model, the cloud provider is responsible for securing the physical
infrastructure, such as the servers, storage, and network devices, while the client is responsible for
securing the operating systems, applications, and data that run on the cloud infrastructure.
Therefore, the client is responsible for securing the company’s database in an IaaS model for a cloud
environment, as the database is an application that stores data. The client can use various security
controls, such as encryption, access control, backup, and auditing, to protect the database from
unauthorized access, modification, or loss. The third-party vendor and the DBA (Database
Administrator) are not roles defined by the shared responsibility model, but they may be involved in
the implementation or management of the database security.
Reference: CompTIA Security+ SY0-701 Certification Study Guide, page 263-264; Professor
Messer’s CompTIA SY0-701 Security+ Training Course, video 3.1 - Cloud and Virtualization, 5:00 -
7:40.
55.Which of the following can best protect against an employee inadvertently installing malware on a
company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Answer: D
Explanation:
An application allow list is a security technique that specifies which applications are authorized to run
on a system and blocks all other applications. An application allow list can best protect against an
employee inadvertently installing malware on a company system because it prevents the execution of
any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or spyware.
An application allow list can also reduce the attack surface and improve the performance of the
system.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 11: Secure
Application Development, page 551.
56.Which of the following activities should a systems administrator perform to quarantine a potentially
infected system?
A. Move the device into an air-gapped environment.
B. Disable remote log-in through Group Policy.
C. Convert the device into a sandbox.
D. Remote wipe the device using the MDM platform.
Answer: A
Explanation:
Quarantining a potentially infected system by placing it into an air-gapped environment physically
disconnects it from the network. This prevents the spread of malware while maintaining the integrity of
forensic evidence.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section:
"Incident Response and Containment".
57.A security audit of an organization revealed that most of the IT staff members have domain
administrator credentials and do not change the passwords regularly.
Which of the following solutions should the security team propose to resolve the findings in the most
complete way?
A. Creating group policies to enforce password rotation on domain administrator credentials
B. Reviewing the domain administrator group, removing all unnecessary administrators, and rotating
all passwords
C. Integrating the domain administrator's group with an IdP and requiring SSO with MFA for all
access
D. Securing domain administrator credentials in a PAM vault and controlling access with role-based
access control
Answer: D
Explanation:
Using a Privileged Access Management (PAM) vault to secure domain administrator credentials and
enforcing role-based access control (RBAC) is the most comprehensive solution. PAM systems help
manage and control access to privileged accounts, ensuring that only authorized personnel can
access sensitive credentials. This approach also facilitates password rotation, auditing, and ensures
that credentials are not misused or left unchanged. Integrating PAM with RBAC ensures that access
is granted based on the user's role, further enhancing security.
Reference: CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management
and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management.
58.Which of the following practices would be best to prevent an insider from introducing malicious
code into a company's development process?
A. Code scanning for vulnerabilities
B. Open-source component usage
C. Quality assurance testing
D. Peer review and approval
Answer: D
Explanation:
Peer review and approval is a practice that involves having other developers or experts review the
code before it is deployed or released. Peer review and approval can help detect and prevent
malicious code, errors, bugs, vulnerabilities, and poor quality in the development process. Peer
review and approval can also enforce coding standards, best practices, and compliance
requirements. Peer review and approval can be done manually or with the help of tools, such as code
analysis, code review, and code signing.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 11: Secure
Application Development, page 543.
59.A group of developers has a shared backup account to access the source code repository.
Which of the following is the best way to secure the backup account if there is an SSO failure?
A. RAS
B. EAP
C. SAML
D. PAM
Answer: D
Explanation:
Privileged Access Management (PAM) solutions enhance security by enforcing strong authentication,
rotation of credentials, and access control for shared accounts. This is especially critical in scenarios
like SSO failures.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management,
Section: "Privileged Access and Identity Management".
60.An organization would like to store customer data on a separate part of the network that is not
accessible to users on the main corporate network.
Which of the following should the administrator use to accomplish this goal?
A. Segmentation
B. Isolation
C. Patching
D. Encryption
Answer: A
Explanation:
Segmentation is a network design technique that divides the network into smaller and isolated
segments based on logical or physical boundaries. Segmentation can help improve network security
by limiting the scope of an attack, reducing the attack surface, and enforcing access control policies.
Segmentation can also enhance network performance, scalability, and manageability. To accomplish
the goal of storing customer data on a separate part of the network, the administrator can use
segmentation technologies such as subnetting, VLANs, firewalls, routers, or switches.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 308-309.
61.A technician is opening ports on a firewall for a new system being deployed and supported by a
SaaS provider.
Which of the following is a risk in the new system?
A. Default credentials
B. Non-segmented network
C. Supply chain vendor
D. Vulnerable software
Answer: C
Explanation:
A supply chain vendor is a third-party entity that provides goods or services to an organization, such
as a SaaS provider. A supply chain vendor can pose a risk to the new system if the vendor has poor
security practices, breaches, or compromises that could affect the confidentiality, integrity, or
availability of the system or its data. The organization should perform due diligence and establish a
service level agreement with the vendor to mitigate this risk. The other options are not specific to the
scenario of using a SaaS provider, but rather general risks that could apply to any system.
62.Users at a company are reporting they are unable to access the URL for a new retail website
because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
A. Creating a firewall rule to allow HTTPS traffic
B. Configuring the IPS to allow shopping
C. Tuning the DLP rule that detects credit card data
D. Updating the categorization in the content filter
Answer: D
Explanation:
A content filter is a device or software that blocks or allows access to web content based on
predefined rules or categories. In this case, the new retail website is mistakenly categorized as
gambling by the content filter, which prevents users from accessing it. To resolve this issue, the
content filter’s categorization needs to be updated to reflect the correct category of the website, such
as shopping or retail. This will allow the content filter to allow access to the website instead of
blocking it.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3: Technologies
and Tools, page 122. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 3:
Technologies and Tools, page 122.
63.Which of the following must be considered when designing a high-availability network? (Choose
two.)
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: A, E
Explanation:
A high-availability network is a network that is designed to minimize downtime and ensure continuous
operation even in the event of a failure or disruption. A high-availability network must consider the
following factors [1][2]:
Ease of recovery: This refers to the ability of the network to restore normal functionality quickly and
efficiently after a failure or disruption. Ease of recovery can be achieved by implementing backup and
restore procedures, redundancy and failover mechanisms, fault tolerance and resilience, and disaster
recovery plans.
Attack surface: This refers to the amount of exposure and vulnerability of the network to potential
threats and attacks. Attack surface can be reduced by implementing security controls such as
firewalls, encryption, authentication, access control, segmentation, and hardening.
The other options are not directly related to high-availability network design:
Ability to patch: This refers to the process of updating and fixing software components to address
security issues, bugs, or performance improvements. Ability to patch is important for maintaining the
security and functionality of the network, but it is not a specific factor for high-availability network
design.
Physical isolation: This refers to the separation of network components or devices from other
networks or physical environments. Physical isolation can enhance the security and performance of
the network, but it can also reduce the availability and accessibility of the network resources.
Responsiveness: This refers to the speed and quality of the network’s performance and service
delivery. Responsiveness can be measured by metrics such as latency, throughput, jitter, and packet
loss. Responsiveness is important for ensuring customer satisfaction and user experience, but it is
not a specific factor for high-availability network design.
Extensible authentication: This refers to the ability of the network to support multiple and flexible
authentication methods and protocols. Extensible authentication can improve the security and
convenience of the network, but it is not a specific factor for high-availability network design.
Reference: [1] CompTIA Security+ SY0-701 Certification Study Guide, page 97. [2] High Availability -
CompTIA Security+ SY0-701 - 3.4, video by Professor Messer.