CompTIA SEC+ SY0-701 Exam V1 Flashcards

1
Q

Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a “cloud-first” adoption strategy?

A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite

A

Risk tolerance

Risk tolerance is the maximum amount of risk the organization can bear before it must act, so it is the figure to review when judging how much aggregate risk a cloud-first strategy may introduce. Risk appetite, by contrast, describes the level of risk the organization is willing to pursue in order to reach its goals; a risk register lists individual risks with their owners and treatments, and a risk matrix scores likelihood against impact for each one. Neither of the last two states an organization-wide limit.

1
Q

A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy?

A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backup followed by differential backups

A

Full backup followed by differential backups

A differential backup captures everything that changed since the last full backup, so a restore never needs more than two sets: the most recent full backup and the most recent differential. An incremental backup captures only what changed since the previous backup of any kind, so restoring requires the full backup plus every incremental taken since it, which is the largest restore chain of the listed options. The trade-off is that differentials grow through the cycle and take longer to create; incrementals are smaller and faster to take but slower and more fragile to restore, because losing any one link in the chain loses everything after it.
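Added example (not part of the original flashcard deck): a small model of the restore chain for the two strategies, so the difference in "number of backups to restore" and in per-backup size is explicit. The file names, change days and version numbers are constructed sample data.

```python
# Added example (not from the flashcard deck): a model of the restore chain
# for incremental versus differential daily backups.  The files, change days
# and version numbers below are constructed sample data.

# Day 0 is the weekly full backup; on days 1..6 these files changed.
CHANGES = {
    1: {"a.txt", "b.txt"},
    2: {"c.txt"},
    3: {"a.txt"},
    4: {"d.txt"},
    5: {"b.txt", "e.txt"},
    6: {"f.txt"},
}
ALL_FILES = {"a.txt", "b.txt", "c.txt", "d.txt", "e.txt", "f.txt", "g.txt"}


def restore_set(strategy, restore_day):
    """Backups that must be restored, in order, to recover the state as of
    `restore_day` (1..6)."""
    if strategy == "incremental":
        # An incremental holds only what changed since the previous backup of
        # any kind, so every incremental since the full is needed.
        return ["full"] + [f"inc{d}" for d in range(1, restore_day + 1)]
    if strategy == "differential":
        # A differential holds everything changed since the last full, so the
        # newest one supersedes all earlier differentials: two restores, always.
        return ["full", f"diff{restore_day}"]
    raise ValueError(f"unknown strategy {strategy!r}")


def backup_versions(strategy, day):
    """File -> version captured by the backup taken on `day`.  A file's version
    is the last day it changed (0 = unchanged since the full)."""
    if strategy == "incremental":
        return {f: day for f in CHANGES[day]}
    versions = {}
    for d in range(1, day + 1):               # differential: cumulative since full
        versions.update({f: d for f in CHANGES[d]})
    return versions


def restore(strategy, restore_day):
    """Apply the restore set in order and return the recovered file versions."""
    state = {f: 0 for f in ALL_FILES}         # the full backup: every file at v0
    for name in restore_set(strategy, restore_day)[1:]:
        state.update(backup_versions(strategy, int(name[-1])))
    return state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        chain = restore_set(strategy, 5)
        size = len(backup_versions(strategy, 5))
        print(f"{strategy:12s} restores {len(chain)} backups {chain}; "
              f"day-5 backup holds {size} files")
    assert restore("incremental", 5) == restore("differential", 5)
```

Both strategies recover the same state; the differential gets there with two restores while the incremental needs six, and the price is that the day-5 differential carries five files where the day-5 incremental carries two.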

2
Q

A security analyst notices several attacks are being blocked by the network intrusion prevention system (NIPS) but does not see anything on the boundary firewall logs. The attack seems to have been thwarted. Which of the following resiliency techniques was applied to the network to prevent this attack?

A. NIC Teaming
B. Port mirroring
C. Defense in depth
D. High availability
E. Geographic dispersal

Network Intrusion Prevention System (NIPS)
Network Interface Card (NIC)

A

Defense in depth

A resiliency technique that layers independent security controls so that a threat which gets past one control is stopped by the next. Here the boundary firewall saw nothing it was configured to block (the traffic used permitted ports), while the NIPS behind it inspected the same traffic for attack signatures and dropped it. Without the second layer the attack would have reached the internal systems, which is exactly the case defense in depth is designed for.

3
Q

A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice?

A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption

A

Lack of vendor support

Using legacy software to support a critical service poses a risk due to lack of vendor support. Legacy software is often outdated and unsupported, which means that security patches and upgrades are no longer available. This can leave the system vulnerable to exploitation by attackers who may exploit known vulnerabilities in the software to gain unauthorized access to the system.

4
Q

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

A. Unsecured root accounts
B. Zero day
C. Shared tenancy
D. Insider threat

A

Shared tenancy

When hosting applications in the public cloud, there is a risk of shared tenancy, meaning that multiple organizations are sharing the same infrastructure. This can potentially allow one tenant to access another tenant’s data, creating a security risk.

5
Q

After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time. Which of the following BEST explains what happened?

A. The unexpected traffic correlated against multiple rules, generating multiple alerts.
B. Multiple alerts were generated due to an attack occurring at the same time.
C. An error in the correlation rules triggered multiple alerts.
D. The SIEM was unable to correlate the rules, triggering the alerts.

Security information and event management (SIEM)

A

The unexpected traffic correlated against multiple rules, generating multiple alerts.

The SIEM generates an alert whenever an event matches a rule in its rule base, and rules are evaluated independently, so one event that matches several rules produces several alerts. Unplanned maintenance generates exactly the kind of traffic the rules were never tuned for (hosts going down and coming back, services stopping and restarting, administrators logging in outside business hours), so a single burst of legitimate activity can produce a flood of alerts with no attack taking place. The alerts are not an error in the rules, and the SIEM did correlate; it simply had no maintenance-window context.
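Added example (not part of the original flashcard deck): a minimal SIEM-style correlation pass over a handful of constructed log lines from a maintenance window, showing how one event can raise several alerts, and one way to declare the window so the alerts are down-ranked rather than dropped. The hostnames, timestamps and rule set are assumptions made for the demo.

```python
# Added example (not from the flashcard deck): a minimal SIEM correlation pass.
# The log lines, hostnames and the maintenance window are constructed data.
from datetime import datetime

EVENTS = [
    {"ts": "2024-03-02T01:12:03", "host": "db01", "msg": "kernel: hardware error detected on CPU 3"},
    {"ts": "2024-03-02T01:13:40", "host": "db01", "msg": "systemd: Stopped MySQL Server"},
    {"ts": "2024-03-02T01:14:05", "host": "db01", "msg": "sshd: Accepted publickey for root from 10.0.5.7"},
    {"ts": "2024-03-02T01:14:30", "host": "db01", "msg": "sudo: opsadmin : COMMAND=/sbin/reboot"},
    {"ts": "2024-03-02T01:20:11", "host": "db01", "msg": "systemd: Started MySQL Server"},
]


def hour_of(event):
    return datetime.fromisoformat(event["ts"]).hour


# (rule name, predicate).  Rules are evaluated independently, so one event
# can satisfy several of them and yield several alerts.
RULES = [
    ("critical-service-stopped", lambda e: "Stopped MySQL" in e["msg"]),
    ("root-login", lambda e: "Accepted" in e["msg"] and " for root " in e["msg"]),
    ("after-hours-admin", lambda e: ("sshd:" in e["msg"] or "sudo:" in e["msg"])
                                    and not 8 <= hour_of(e) < 18),
    ("host-reboot", lambda e: "/sbin/reboot" in e["msg"]),
    ("privileged-command", lambda e: e["msg"].startswith("sudo:")),
]


def maintenance_window(host, start_iso, end_iso):
    return host, datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)


def in_window(event, window):
    host, start, end = window
    return event["host"] == host and start <= datetime.fromisoformat(event["ts"]) <= end


def correlate(events, rules, maintenance=None):
    """One alert per (event, matching rule).  Events inside a declared
    maintenance window are still alerted on but flagged, so the SOC can
    down-rank them without going blind for the duration of the window
    (an attacker who knows the schedule would love a suppressed window)."""
    alerts = []
    for e in events:
        flagged = maintenance is not None and in_window(e, maintenance)
        for name, pred in rules:
            if pred(e):
                alerts.append({"rule": name, "ts": e["ts"], "host": e["host"],
                               "maintenance": flagged})
    return alerts


def alerts_per_event(alerts):
    counts = {}
    for a in alerts:
        counts[a["ts"]] = counts.get(a["ts"], 0) + 1
    return counts


if __name__ == "__main__":
    window = maintenance_window("db01", "2024-03-02T01:00:00", "2024-03-02T02:00:00")
    for a in correlate(EVENTS, RULES, window):
        print(a)
    print(alerts_per_event(correlate(EVENTS, RULES)))
```

Five events produce six alerts: the root login matches two rules and the reboot matches three, which is the pattern the question describes. With the window declared, the same six alerts carry a maintenance flag instead of disappearing.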

6
Q

A security administrator is setting up a SIEM to help monitor for notable events across the enterprise. Which of the following control types does this BEST represent?

A. Preventive
B. Compensating
C. Corrective
D. Detective

Security information and event management (SIEM)

A

Detective

A SIEM collects logs from across the enterprise and alerts on notable events after they occur, which is the definition of a detective control: it identifies and records incidents so that people or other controls can respond. It does not stop the event (preventive), undo the damage (corrective), or stand in for a control that cannot be implemented (compensating).

7
Q

A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords. Which of the following should the network analyst enable to meet the requirement?

A. MAC address filtering
B. 802.1X
C. Captive portal
D. WPS

Media Access Control (MAC)
Wi-Fi Protected Setup (WPS)

A

WPS

Wi-Fi Protected Setup (WPS) lets a user join the network by pressing a button on the access point (or entering an eight-digit PIN) instead of typing the WPA2 passphrase, which meets the stated requirement; 802.1X and a captive portal still require credentials, and MAC address filtering provides no encryption at all. Practitioner caveat: the WPS PIN method has a well-known design weakness that lets an attacker within radio range recover the PIN by online brute force in a matter of hours, so if WPS is enabled at all, use the push-button mode only and disable PIN entry, and prefer an access point that supports WPA3.

8
Q

Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?

A. Production
B. Test
C. Staging
D. Development

A

Development

An environment that is used to develop and test software. It is typically installed locally on a system that allows code to be assessed directly and modified easily with each build. In this environment, dummy data is often utilized to test the software’s functionality.

9
Q

While reviewing pcap data, a network security analyst is able to locate plain text usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?

A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic

Packet Capture (PCAP)
Simple Network Management Protocol (SNMP)
Secure Shell (SSH)
Secure File Transfer Protocol (SFTP)

A

A Telnet session

Telnet (TCP port 23) sends the whole session, including the login prompt, the username and the password, in plain text, so the credentials appear verbatim in a packet capture. SSH and SFTP encrypt the session, and SNMP traps carry device status notifications rather than interactive logins. Finding Telnet in use toward network switches is itself a finding: management access should be moved to SSH.

10
Q

A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread. Which of the following actions MOST likely supports an investigation for fraudulent submission?

A. Establish chain of custody.
B. Inspect the file metadata.
C. Reference the data retention policy.
D. Review the email event logs

A

Review the email event logs

Mail server and gateway logs record, for every message, the time it was accepted, the sender, the recipients, the message ID and the delivery result, so the investigator can check whether any message matching the claimed reports was actually sent before the client's inquiries, or whether the only such messages appeared after them. File metadata does not apply because the reports were pasted as plain text into the email body rather than attached, and chain of custody and the retention policy govern how the evidence is handled, not whether the earlier sending took place.

11
Q

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned if servers in the company’s DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO).

A. 135
B. 139
C. 143
D. 161
E. 443
F. 445

Server Message Block (SMB)
De-Militarized Zone (DMZ)
Local Area Network (LAN)
Transmission Control Protocol (TCP)

A

139 & 445

TCP ports 139 and 445 should be blocked for inbound connections from outside the DMZ. SMB runs directly over TCP on port 445 on modern Windows hosts and over the NetBIOS session service on TCP 139 on older or legacy-compatible configurations, so both must be blocked or an attacker simply uses the other. Port 135 is the Microsoft RPC endpoint mapper (DCOM and related services), not SMB; 143 is IMAP, 161 is SNMP (normally UDP), and 443 is HTTPS, which the DMZ servers presumably must keep open. Because the rule applies only to external inbound traffic, internal LAN systems can keep using SMB while the workaround is in place.

12
Q

When planning to build a virtual environment, an administrator needs to achieve the following:

  • Establish policies and limit who can create new VMs
  • Allocate resources according to actual utilization
  • Require justification for requests outside of the standard requirements
  • Create standardized categories based on size and resource requirements

Which of the following is the administrator MOST likely trying to do?

A. Implement IaaS replication
B. Protect against VM escape
C. Deploy a PaaS
D. Avoid VM sprawl

Virtual Machine (VM)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)

A

Avoid VM sprawl

The administrator is most likely trying to avoid VM sprawl, which occurs when too many VMs are created and managed poorly, leading to resource waste and increased security risks. The listed actions can help establish policies, resource allocation, and categorization to prevent unnecessary VM creation and ensure proper management.

13
Q

A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?

A. openssl
B. hping
C. netcat
D. tcpdump

A

openssl

OpenSSL's s_client command (openssl s_client -connect host:port) opens a TLS session to the application's listening port and prints the negotiated protocol version, cipher suite and server certificate, which confirms that the service speaks TLS; if the handshake fails, the service is not offering TLS on that port. hping crafts packets, netcat only opens a raw connection, and tcpdump shows unreadable bytes but cannot by itself distinguish encryption from a compact binary protocol. Caveat: s_client only verifies TLS; an application using some other encryption scheme would still need a capture review to confirm that no plaintext is on the wire.

Secure Sockets Layer (SSL)
Transport Layer Security (TLS)

14
Q

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?

A. An annual privacy notice
B. A non-disclosure agreement
C. A privileged-user agreement
D. A memorandum of understanding

Personally Identifiable Information (PII)

A

An annual privacy notice

Ann received an annual privacy notice from her mortgage company. An annual privacy notice is a statement from a financial institution or creditor that outlines the institution’s privacy policy and explains how the institution collects, uses, and shares customers’ personal information. It informs the customer about their rights under the Gramm-Leach-Bliley Act (GLBA) and the institution’s practices for protecting their personal information.

15
Q

A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a laptop stolen, and later, enterprise data was found to have been compromised from a local database. Which of the following was MOST likely the cause?

A. Shadow IT
B. Credential stuffing
C. SQL injection
D. Man in the browser
E. Bluejacking

Structured Query Language (SQL)

A

Shadow IT

Shadow IT is the use of systems, applications or data stores that the organization has not sanctioned and therefore does not protect. The enterprise's data was supposed to exist only in the cloud behind strong authentication and encryption, yet it was compromised from a local database on the stolen laptop, which means someone had copied the data into an unsanctioned local store outside those controls. Once the laptop was stolen, that copy was exposed with none of the cloud-side protections, and no credential stuffing, SQL injection or browser attack was needed.

16
Q

A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows:

  • Ensure mobile devices can be tracked and wiped.
  • Confirm mobile devices are encrypted.

Which of the following should the analyst enable on all the devices to meet these requirements?

A. Geofencing
B. Biometric authentication
C. Geolocation
D. Geotagging

Mobile Device Management (MDM)

A

Geofencing

Geofencing is an MDM feature that defines geographic boundaries for a device and triggers policy actions when the device crosses them, for example locating a device that leaves the corporate campus and wiping it. It relies on the device's geolocation but adds the enforcement that plain tracking (geolocation) or stamping photos with coordinates (geotagging) does not. Full-device encryption is not provided by any of the listed options; it is enforced as a separate MDM configuration policy, and the analyst should verify that the platform reports each device's encryption status before relying on a remote wipe to protect the data.

17
Q

A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks. Which of the following will this practice reduce?

A. Dumpster diving
B. Shoulder surfing
C. Information elicitation
D. Credential harvesting

A

Dumpster diving

Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents.

18
Q

Which of the following conditions impacts data sovereignty?

A. Rights management
B. Criminal investigations
C. Healthcare data
D. International operations

A

International operations

Data sovereignty refers to the legal concept that data is subject to the laws and regulations of the country in which it is located. International operations can impact data sovereignty as companies operating in multiple countries may need to comply with different laws and regulations.

19
Q

A company uses a drone for precise perimeter and boundary monitoring. Which of the following should be MOST concerning to the company?

A. Privacy
B. Cloud storage of telemetry data
C. GPS spoofing
D. Weather events

Global Positioning System (GPS)

A

Privacy

The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture video and images of individuals on or near the monitored premises. The company should take measures to ensure that privacy rights are not violated.

20
Q

The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted files. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again. Which of the following is MOST capable of accomplishing both tasks?

A. HIDS
B. Allow list
C. TPM
D. NGFW

Host-Based Intrusion Detection System (HIDS)
Trusted Platform Module (TPM)
Next-Generation Firewalls (NGFWs)

A

NGFW

A next-generation firewall combines traditional filtering with application awareness and user identification, and it logs each session with source address, user, application and time. Matching the report's timestamp against those logs identifies the internal machine behind the shared public address, and application-control or URL-filtering policies can then block the peer-to-peer or file-sharing application that was used so the incident does not recur. A HIDS sees only its own host, an allow list would have to be deployed and maintained on every endpoint, and a TPM plays no role in either task.

21
Q

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?

A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral

A

Homomorphic

Homomorphic encryption allows computations to be carried out directly on ciphertext so that the result, once decrypted, equals the result of the same operation on the plaintext. The cloud provider can therefore total, adjust or otherwise process the customer records without ever holding the key or seeing the data, which is exactly the requirement. The cost is heavy computational overhead, which the institution has said it can accept. Symmetric and asymmetric encryption both require decrypting before any manipulation, and ephemeral keys address key lifetime, not computation on encrypted data.
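Added example (not part of the original flashcard deck): an additively homomorphic scheme (Paillier) in which the party holding only ciphertexts can add encrypted balances and apply a fixed multiplier, while only the key holder can read the result. The primes are two known Mersenne primes used as toy parameters and the balances are constructed values; this is an illustration of the property, not a production scheme.

```python
# Added example (not from the flashcard deck): Paillier additive homomorphism.
# Toy parameters (two known Mersenne primes); balances are constructed data.
import math
import random

P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    n = p * q
    lam = math.lcm(p - 1, q - 1)         # Carmichael's lambda(n)
    g = n + 1                            # standard generator choice
    mu = pow(lam, -1, n)                 # L(g^lam mod n^2) == lam when g = n + 1
    return (n, g), (lam, mu)


def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    r = random.randrange(1, n)           # fresh randomness: same m -> different c
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n     # L(u) = (u - 1) / n


def add_encrypted(pub, c1, c2):
    """E(a) * E(b) mod n^2 == E(a + b): computed by someone holding no key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(a)^k mod n^2 == E(k * a), e.g. applying a fixed multiplier."""
    n, _ = pub
    return pow(c, k, n * n)


def provider_sums_balances(pub, encrypted_balances):
    """What the cloud side runs: a total over ciphertexts only."""
    total = encrypt(pub, 0)
    for c in encrypted_balances:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    c_total = provider_sums_balances(pub, [encrypt(pub, b) for b in (1200, 350, 75)])
    print("decrypted total:", decrypt(pub, priv, c_total))
```

Note the flip side of the property: anyone who can multiply ciphertexts can also alter a total without the key, so an encrypted ledger of this kind still needs a separate integrity check (a signature or MAC over the ciphertexts) to detect tampering by the provider.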

22
Q

A company reduced the area utilized in its data center by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe?

A. IaC
B. MSSP
C. Containers
D. IaaS

Infrastructure as Code (IaC)
Managed Security Service Provider (MSSP)
Infrastructure as a Service (IaaS)

A

IaC (Infrastructure as Code)

Infrastructure as Code defines networks, provisioning routes and routing or firewall rules in scripts and templates that are versioned and applied automatically, which is what the company did to replace physical networking with automated virtual networking. IaaS is a cloud service model in which a provider rents out compute, storage and networking; the question describes how the company provisions its own data center, not a service it consumes. The security benefit of IaC is that the scripts become the single reviewable, version-controlled source of the network configuration, so drift and undocumented manual changes are easier to detect.

23
Q

A global company is experiencing unauthorized logins due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks. Which of the following would be the BEST control for the company to require from prospective vendors?

A. IP restrictions
B. Multifactor authentication (MFA)
C. A banned password list
D. A complex password policy

A

Multifactor authentication

Multifactor authentication is the best control to require because it addresses both problems at once: a stolen password alone no longer grants access, and a brute-force attack gains nothing even when it guesses the password correctly. IP restrictions do not suit a global workforce, and banned-password lists and complexity policies raise the cost of guessing but do nothing against credentials that have already been stolen. It is also worth requiring that the provider rate-limit failed attempts rather than hard-lock accounts, so that attackers cannot turn the lockout policy into a denial of service.

24
Q

An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement?

A. SIEM
B. SOAR
C. EDR
D. CASB

Security Information and Event Management (SIEM)
Security Orchestration, Automation and Response (SOAR)
Endpoint Detection and Response (EDR)
Cloud Access Security Broker (CASB)

A

SOAR

Should be implemented to integrate incident response processes into a workflow with automated decision points and actions based on predefined playbooks.

25
Q

Which of the following must be in place before implementing a Cybersecurity Business Continuity Plan (BCP)?

A. SLA
B. AUP
C. NDA
D. BIA

Service Level Agreement (SLA)
Acceptable Use Policy (AUP)
Non-Disclosure Agreement (NDA)
Business Impact Analysis (BIA)

A

BIA

A Business Impact Analysis (BIA) is a critical component of a Business Continuity Plan (BCP). It identifies and prioritizes critical business functions and determines the impact of their disruption.

26
Q

An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement?

A. SOAP
B. SAML
C. SSO
D. Kerberos

Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Single Sign-On (SSO)

A

SSO

Single Sign-On (SSO) is a mechanism that allows users to access multiple applications with a single set of login credentials.

27
Q

A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. During which of the following phases of the response process is this activity MOST likely occurring?

A. Containment
B. Identification
C. Recovery
D. Preparation

A

Identification

During an incident, a scan for missing patches belongs to the identification phase: it helps confirm that the incident is real, shows how the attacker most likely got in, and reveals which other systems share the same weakness, which defines the scope that containment must cover. Scanning during preparation is routine hygiene rather than part of a response, and in recovery the scan would be used to verify that rebuilt systems are fully patched before they return to service.

28
Q

Which of the following cryptographic concepts would a security engineer utilize while implementing non-repudiation? (Select TWO)

A. Block cipher
B. Hashing
C. Private key
D. Perfect forward secrecy
E. Salting
F. Symmetric keys

A

Hashing & Private key

Non-repudiation is the ability to prove that a party performed an action so that the party cannot later deny it. A digital signature provides it: the sender hashes the message and signs the hash with a private key that only the sender holds, and anyone can verify the signature with the matching public key. Symmetric keys and keyed hashes (MACs) cannot give non-repudiation because every party able to verify the value also holds the key needed to create it; block ciphers, perfect forward secrecy and salting address confidentiality, key-compromise exposure and password storage respectively.
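Added example (not part of the original flashcard deck): hash-then-sign with a private key next to a keyed hash (HMAC) over the same message, to make concrete why only the former attributes the message to one party. The RSA modulus is built from two known Mersenne primes as a toy key and uses textbook (unpadded) RSA; real code uses a vetted library with RSA-PSS or ECDSA. The message and the shared MAC key are constructed.

```python
# Added example (not from the flashcard deck): signature versus MAC.
# Toy RSA key from two known Mersenne primes; textbook RSA, not for production.
import hashlib
import hmac

P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return (n, e), (n, d)


def digest(msg):
    """Signing the hash, not the message, binds arbitrary-length input to a
    fixed-size value and makes any later edit detectable."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    n, d = priv
    return pow(digest(msg), d, n)              # only the private-key holder can do this


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg)       # anyone with the public key can check


def mac(shared_key, msg):
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


def mac_producers(shared_key, msg, tag):
    """Every holder of the shared key produces the identical tag, so a valid
    tag proves the message came from *someone* holding the key, not from whom."""
    candidates = {"alice": mac(shared_key, msg), "bob": mac(shared_key, msg)}
    return [name for name, t in candidates.items() if hmac.compare_digest(t, tag)]


if __name__ == "__main__":
    pub, priv = keygen()
    order = b"transfer 10000 EUR to account 123"
    sig = sign(priv, order)
    print("signature valid:", verify(pub, order, sig))
    print("tampered valid:", verify(pub, order.replace(b"10000", b"90000"), sig))
    key = b"shared-between-alice-and-bob"
    print("who could have made the MAC:", mac_producers(key, order, mac(key, order)))
```

The signature verifies for the original order and fails for the edited one, and only the holder of d could have produced it. The HMAC tag is equally valid whether Alice or Bob computed it, which is why a MAC gives integrity and authenticity between the two parties but not non-repudiation toward a third.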

29
Q

The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC workstation discovers malware that is associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?

A. The NOC team
B. The vulnerability management team
C. The CIRT
D. The Red team

Security Information and Event Management (SIEM)
Network operations center (NOC)
Computer Incident Response Team (CIRT)

A

The CIRT

The Computer Incident Response Team (CIRT) is responsible for handling incidents and ensuring that the incident response plan is followed.

30
Q

Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance
characteristics?

A. Test
B. Staging
C. Development
D. Production

A

Test

The test environment is used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics.

31
Q

A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters. Which of the following is the primary use case for this scenario?

A. Implementation of preventive controls
B. Implementation of detective controls
C. Implementation of deterrent controls
D. Implementation of corrective controls

Security Information and Event Management (SIEM)

A

Implementation of detective controls

The antivirus and web content filters are the preventive controls; the SIEM adds a detective control by collecting the logs of what they blocked and alerting on it, so the security team can see patterns, such as repeated infections on one host or a spike in blocked downloads, that the individual preventive tools do not surface on their own.

32
Q

Which of the following in a forensic investigation should be priorities based on the order of volatility? (Select TWO).

A. Page files
B. Event logs
C. RAM
D. Cache
E. Stored files
F. HDD

Random Access Memory (RAM)
Hard Disk Drives (HDD)

A

RAM & Cache

Evidence is collected from the most volatile source to the least, because the most volatile data disappears first. The usual order is CPU registers and cache, then RAM (running processes, open network connections, routing and ARP tables), then temporary and swap space such as page files, then disk, and finally logs and archival media. RAM and cache are the two most volatile items listed, so they are captured first; page files and event logs come later, and stored files and the HDD last.

33
Q

Which of the following would produce the closest experience of responding to an actual incident response scenario?

A. Lessons learned
B. Simulation
C. Walk-through
D. Tabletop

A

Simulation

A simulation exercise is designed to create an experience that is as close as possible to a real-world incident response scenario. It involves simulating an attack or other security incident and then having security personnel respond to the situation as they would in a real incident.

34
Q

A security analyst was deploying a new website and found a connection attempting to authenticate on the site’s portal. While Investigating the incident, the analyst identified the following Input in the username field:

admin' or 1=1--

Which of the following BEST explains this type of attack?

A. DLL injection to hijack administrator services
B. SQLi on the field to bypass authentication
C. Execution of a stored XSS on the website
D. Code to execute a race condition on the server

Dynamic Link Libraries (DLL)
Structured Query Language Injection (SQLi)
Cross-Site Scripting (XSS)

A

SQLi on the field to bypass authentication

The input admin' or 1=1-- in the username field is a SQL injection (SQLi) payload. When the application builds its query by concatenating the input into SQL, the single quote closes the username literal, or 1=1 makes the WHERE clause true for every row, and -- turns the rest of the statement (including the password check) into a comment, so the query returns a user record and the attacker is logged in, typically as the first row in the users table. The fix is parameterized queries (prepared statements) so that input is passed as data and never interpreted as SQL syntax.
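Added example (not part of the original flashcard deck): the login query built two ways and run against an in-memory SQLite table of constructed rows, so the effect of the payload and of the fix can be seen on real output. The table layout and rows are assumptions made for the demo; the password column is plaintext only to keep it short, and a real application stores salted password hashes.

```python
# Added example (not from the flashcard deck): authentication bypass via SQLi
# and the parameterized fix, against constructed rows in SQLite.
import sqlite3

PAYLOAD = "admin' or 1=1--"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """String-built query: the quote ends the literal, `or 1=1` makes the
    WHERE clause true for every row, and `--` comments out the password check."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone(), sql


def login_parameterized(db, username, password):
    """Bound parameters: the driver sends the input as data, so the quote and
    comment characters are just bytes compared against the column."""
    return db.execute("SELECT username, role FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    row, sql = login_vulnerable(db, PAYLOAD, "wrong")
    print(sql)
    print("vulnerable login as:", row)
    print("parameterized login:", login_parameterized(db, PAYLOAD, "wrong"))
```

The string-built query returns the admin row with a wrong password; the parameterized one returns nothing. Filtering quote characters out of the input is not a substitute for binding parameters, because other injection vectors do not need a quote.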

35
Q

The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk?

A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint

Software as a Service (SaaS)
Cloud Access Security Broker (CASB)
Multi-Factor Authentication (MFA)
Virtual Private Cloud (VPC)

A

CASB

A Cloud Access Security Broker (CASB) can be used to monitor and control access to cloud-based applications, including unsanctioned SaaS applications. It can help enforce policies that prevent access to high-risk SaaS applications and provide visibility into the use of such applications by employees.

36
Q

After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection. Which of the following BEST describes the purpose of this device?

A. IoT sensor
B. Evil twin
C. Rogue access point
D. On-path attack

Wireless Fidelity (WiFi)
Internet of Things (IoT)

A

Rogue access point

A Raspberry Pi broadcasting its own Wi-Fi network while plugged into a wired port is a rogue access point: an unauthorized AP that bridges wireless clients straight onto the corporate LAN, bypassing the company's wireless authentication and giving an attacker a foothold from which to capture traffic or pivot inward. An evil twin specifically mimics the SSID of the legitimate network to lure clients, which the scenario does not describe, and an on-path attack is something the rogue AP could be used for rather than a description of the device. The response is to disconnect it, preserve it for investigation, and enable 802.1X port authentication or NAC so that unknown devices cannot obtain a switch port.

37
Q

The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication method. The concept includes granting logical access based on physical location and proximity. Which of the following is the BEST solution for the pilot?

A. Geofencing
B. Self-sovereign identification
C. PKI certificates
D. SSO

Public key infrastructure (PKI)
Single sign-on (SSO)

A

Geofencing

A location-based technology that allows an organization to define and enforce logical access control policies based on physical location and proximity. Geofencing can be used to grant or restrict access to systems, data, or facilities based on an individual’s location, and it can be integrated into a user’s device or the infrastructure. This makes it a suitable solution for the pilot project to test the adaptive, user-based authentication method that includes granting logical access based on physical location and proximity.

38
Q

A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country. Which of the following techniques will the systems analyst MOST likely implement to address this issue?

A. Content filter
B. SIEM
C. Firewall rules
D. DLP

Security Information and Event Manager (SIEM)
Data Loss Prevention (DLP)

A

Firewall rules

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. The systems analyst can use firewall rules to block connections from the ten IP addresses in question, or from the entire network block in the specific country. This would be a quick and effective way to address the issue of high connections to the web server initiated by these IP addresses.
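Added example (not part of the original flashcard deck): a first-match packet-filter policy evaluator that expresses both the SMB workaround from the earlier DMZ question (TCP 139 and 445 blocked from outside, still allowed from the LAN) and the country-netblock block from this one, plus a check for rules that an earlier rule shadows, which is the classic way such a workaround silently breaks. The prefixes are RFC 5737 documentation ranges chosen for the demo: 192.0.2.0/24 plays the DMZ, 198.51.100.0/24 the abusive netblock and 203.0.113.0/24 the rest of the Internet.

```python
# Added example (not from the flashcard deck): first-match firewall policy
# evaluation with the SMB workaround and a netblock block.  Addresses are
# RFC 5737 documentation prefixes standing in for real ranges.
import ipaddress


class Rule:
    def __init__(self, action, src, dst, proto="tcp", dports=None, comment=""):
        self.action = action                      # "allow" or "deny"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto
        self.dports = frozenset(dports or [])     # empty = any destination port
        self.comment = comment

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and proto == self.proto
                and (not self.dports or dport in self.dports))

    def covers(self, other):
        """True if every packet `other` could match would already match self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and other.proto == self.proto
                and (not self.dports or (other.dports and other.dports <= self.dports)))


def evaluate(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.matches(src_ip, dst_ip, proto, dport):
            return r.action, r.comment
    return default, "implicit default"


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


ANY = "0.0.0.0/0"
LAN = "10.0.0.0/8"
DMZ = "192.0.2.0/24"

POLICY = [
    Rule("allow", LAN, DMZ, "tcp", [139, 445], "SMB from internal systems"),
    Rule("deny", ANY, DMZ, "tcp", [139, 445], "SMB workaround for unpatched hosts"),
    Rule("deny", "198.51.100.0/24", DMZ, "tcp", None, "abusive netblock, all ports"),
    Rule("allow", ANY, DMZ, "tcp", [443], "public HTTPS"),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.9", "192.0.2.10", "tcp", 445),
                ("10.1.2.3", "192.0.2.10", "tcp", 445),
                ("198.51.100.77", "192.0.2.10", "tcp", 443),
                ("203.0.113.9", "192.0.2.10", "tcp", 443),
                ("203.0.113.9", "192.0.2.10", "tcp", 135)]:
        print(pkt, "->", evaluate(POLICY, *pkt))
    # Swapping the first two rules silently breaks SMB for the LAN:
    print("shadowed:", shadowed([POLICY[1], POLICY[0]]))
```

Rule order is the whole game: with the LAN allow placed after the global deny, the allow can never match and internal SMB breaks, which is exactly what the shadow check reports. Port 135 is not listed anywhere and falls to the implicit default, which is the argument for a default-deny posture on the DMZ edge.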

38
Q

During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?

A. User behavior analytics
B. Dump files
C. Bandwidth monitors
D. Protocol analyzer output

A

User behavior analytics

User behavior analytics (UBA) would be the best data source to assess the accounts impacted by the attack, as it can identify abnormal activity, such as repeated brute-force attacks and logins from unfamiliar geographic locations, and provide insights into the behavior of the impacted accounts.

39
Q

Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53

General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
International Organization for Standardization (ISO)
National Institute of Standards and Technology (NIST)

A

NIST 800-53

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is the control catalog that United States federal agencies and their contractors select from to meet FISMA requirements. GDPR is the EU's data protection regulation, PCI DSS applies to payment card data, and the ISO 27000 series is an international information security management standard.

40
Q

As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?

A. Creating a playbook within the SOAR
B. Implementing rules in the NGFW
C. Updating the DLP hash database
D. Publishing a new CRL with revoked certificates

Security Operation Center (SOC)
Security Orchestration, Automation and Response (SOAR)
next-generation firewall (NGFW)
Data Loss Prevention (DLP)
Certification Revocation List (CRL)

A

Creating a playbook within the SOAR

Creating a playbook within the Security Orchestration, Automation and Response (SOAR) tool would allow the security analyst to detect if an event is reoccurring by triggering automated actions based on the previous incident’s characteristics. This can help the SOC to respond quickly and effectively to the incident.

41
Q

A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for insecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective?

A. Use fuzzing testing
B. Use a web vulnerability scanner
C. Use static code analysis
D. Use a penetration-testing OS

A

Use static code analysis

This method involves analyzing the source code without actually running the software, which can identify security vulnerabilities that may not be detected by other testing methods.

42
Q

A systems engineer is building a new system for production. Which of the following is the FINAL step to be performed prior to promoting to production?

A. Disable unneeded services.
B. Install the latest security patches.
C. Run a vulnerability scan.
D. Encrypt all disks.

A

Run a vulnerability scan.

Running a vulnerability scan is the final step to be performed prior to promoting a system to production. This allows any remaining security issues to be identified and resolved before the system is put into production.

43
Q

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:

  • Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
  • Internal users in question were changing their passwords frequently during that time period.
  • A jump box that several domain administrator users use to connect to remote devices was recently compromised.
  • The authentication method used in the environment is NTLM.

Which of the following types of attacks is MOST likely being used to gain unauthorized access?

A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay

New Technology LAN Manager (NTLM)

A

Pass-the-hash

The suspicious activity reported by the application owner, combined with the recent compromise of the jump box and the use of NTLM authentication, suggests that an attacker is likely using a pass-the-hash attack to gain unauthorized access to the financial application. This type of attack involves stealing hashed passwords from memory and then using them to authenticate as the compromised user without needing to know the user’s plaintext password.

44
Q

The Chief Information Security Officer has directed the security and networking team to retire the use of shared passwords on routers and switches. Which of the following choices BEST meets the requirements?

A. SAML
B. TACACS+
C. Password vaults
D. OAuth

Security Assertion Markup Language (SAML)
Terminal Access Controller Access Control System Plus (TACACS+)
Open Authorization (OAuth)

A

TACACS+

TACACS+ is a protocol used for remote authentication, authorization, and accounting (AAA) that can be used to replace shared passwords on routers and switches. It provides a more secure method of authentication that allows for centralized management of access control policies.

45
Q

The Chief Information Security Officer (CISO) has decided to reorganize security staff to concentrate on incident response and to outsource outbound Internet URL categorization and filtering to an outside company. Additionally, the CISO would like this solution to provide the same protections even when a company laptop or mobile device is away from a home office. Which of the following should the CISO choose?

A. CASB
B. Next-generation SWG
C. NGFW
D. Web-application firewall

Cloud Access Security Broker (CASB)
Next-generation Secure Web Gateway (SWG)
next-generation firewall (NGFW)

A

Next-generation SWG

The solution that the CISO should choose is Next-generation Secure Web Gateway (SWG), which provides URL filtering and categorization to prevent users from accessing malicious sites, even when they are away from the office. NGFWs are typically cloud-based and offer multiple security layers, including malware detection, intrusion prevention, and data loss prevention.

46
Q

A store receives reports that shoppers’ credit card information is being stolen. Upon further analysis, those same shoppers also withdrew money from an ATM in that store. The attackers are using the targeted shoppers’ credit card information to make online purchases. Which of the following attacks is the MOST probable cause?

A. Identity theft
B. RFID cloning
C. Shoulder surfing
D. Card skimming

Radio Frequency Identification (RFID)

A

Card skimming

The attackers are using card skimming to steal shoppers’ credit card information, which they use to make online purchases.

47
Q

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permission for the existing users and groups and remove the set-user-ID from the file?

A. ls
B. chflags
C. chmod
D. lsof
E. setuid

A

chmod

The chmod command is used to change the permissions of a file or directory. The analyst can use chmod to reduce the permissions for existing users and groups and remove the set-user-ID bit from the file.

48
Q

Which of the following controls would be the MOST cost-effective and time-efficient to deter intrusions at the perimeter of a restricted, remote military training area? (Select TWO).

A. Barricades
B. Thermal sensors
C. Drones
D. Signage
E. Motion sensors
F. Guards
G. Bollards

A

Barricades & Signage

Barricades and signage are the most cost-effective and time-efficient controls to deter intrusions at the perimeter of a restricted, remote military training area.

49
Q

A Chief Information Officer is concerned about employees using company-issued laptops to steal data when accessing network shares. Which of the following should the company implement?

A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI

Data Loss Prevention (DLP)
Cloud Access Security Broker (CASB)
host-based intrusion detection system (HIDS)
Endpoint Detection and Response (EDR)
Unified Extensible Firmware Interface (UEFI)

A

DLP

The company should implement Data Loss Prevention (DLP) to prevent employees from stealing data when accessing network shares. DLP can also detect and block attempts to transfer sensitive data outside of the organization, such as via email, file transfer, or cloud storage.

50
Q

Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:

  • All users share workstations throughout the day.
  • Endpoint protection was disabled on several workstations throughout the network.
  • Travel times on logins from the affected users are impossible.
  • Sensitive data is being uploaded to external sites.
  • All user account passwords were forced to be reset and the issue continued.

Which of the following attacks is being used to compromise the user accounts?

A. Brute-force
B. Keylogger
C. Dictionary
D. Rainbow

A

Keylogger

The symptoms suggest a keylogger is being used to compromise the user accounts, allowing the attackers to obtain the users’ passwords and other sensitive information.

50
Q

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS

Extensible Authentication Protocol (EAP)
Protected Extensible Authentication Protocol (PEAP)
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)

A

EAP-FAST

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) supports mutual authentication and is designed to simplify the deployment of strong, password-based authentication. EAP-FAST includes a mechanism for detecting rogue access points.

50
Q

A company is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company’s internal wireless network against visitors accessing company resources?

A. Configure the guest wireless network to be on a separate VLAN from the company’s internal wireless network
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network

wireless access point (WAP)
virtual local area network (VLAN)
Wi-Fi Protected Access 2 (WPA2)

A

Configure the guest wireless network to be on a separate VLAN from the company’s internal wireless network.

Configuring the guest wireless network on a separate VLAN from the company’s internal wireless network will prevent visitors from accessing company resources.

51
Q

A security manager needs to assess the security posture of one of the organization’s vendors. The contract with the vendor does not allow for auditing of the vendor’s security controls. Which of the following should the manager request to complete the assessment?

A. A service-level agreement
B. A business partnership agreement
C. A SOC 2 Type 2 report
D. A memorandum of understanding

Service Organization Control 2 (SOC 2)

A

A SOC 2 Type 2 report

SOC 2 (Service Organization Control 2) is a type of audit report that evaluates the controls of service providers to verify their compliance with industry standards for security, availability, processing integrity, confidentiality, and privacy.

A Type 2 report is based on an audit that tests the effectiveness of the controls over a period of time, unlike a Type 1 report which only evaluates the design of the controls at a specific point in time.

A SOC 2 Type 2 report would provide evidence of the vendor’s security controls and how effective they are over time, which can help the security manager assess the vendor’s security posture despite the vendor not allowing for a direct audit.

The security manager should request a SOC 2 Type 2 report to assess the security posture of the vendor.

52
Q

A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue?

A. Forward proxy
B. HIDS
C. Awareness training
D. A jump server
E. IPS

local area network (LAN)
uniform resource locator (URL)
Host-Based Intrusion Detection System (HIDS)
Intrusion Prevention System (IPS)

A

Awareness training

Awareness training should be implemented to educate users on the risks of clicking on malicious URLs.

53
Q

A company’s public-facing website, “https://www.organization.com”, has an IP address of 166.18.75.6. However, over the past hour the SOC has received reports of the site’s homepage displaying incorrect information. A quick nslookup search shows “https://www.organization.com” is pointing to 151.191.122.115. Which of the following is occurring?

A. DoS attack
B. ARP poisoning
C. DNS spoofing
D. NXDOMAIN attack

Security Operation Center (SOC)
Denial of service (DoS)
Address Resolution Protocol (ARP)
domain name system (DNS)

A

DNS spoofing

The issue is DNS spoofing, where the DNS resolution has been compromised and is pointing to a malicious IP address.

54
Q

A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the BEST remediation to prevent this vulnerability?

A. Implement input validations
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS

Multi-factor Authentication (MFA)
Web Application Firewall (WAF)
Host Intrusion Prevention System (HIPS)

A

Implement input validations

Implementing input validations will prevent code injection attacks by verifying the type and format of user input.

55
Q

A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
“http://comptia.org/../../../etc/passwd”

Which of the following types of attacks is being attempted and how can it be mitigated?

A. XSS. Implement a SIEM
B. CSRF. Implement an IPS
C. Directory traversal, Implement a WAF
D. SQL injection, Implement an IDS

Cross-Site Scripting (XSS)
Security Information and Event Manager (SIEM)
Cross-Site Request Forgery (CSRF)
Intrusion Prevention System (IPS)
Web Application Firewall (WAF)
Structured Query Language (SQL)
Intrusion Detection System (IDS)

A

Directory traversal, Implement a WAF

The attack being attempted is directory traversal, which is a web application attack that allows an attacker to access files and directories outside of the web root directory. A WAF can help mitigate this attack by detecting and blocking attempts to access files outside of the web root directory.

55
Q

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:

  • Must be able to differentiate between users connected to WiFi
  • The encryption keys need to change routinely without interrupting the users or forcing re-authentication
  • Must be able to integrate with RADIUS
  • Must not have any open SSIDs

Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise
B. WPA3-PSK
C. 802.11n
D. WPS

Wireless Fidelity (WiFi)
service set identifier (SSID)
Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Protected Setup (WPS)

A

WPA2-Enterprise

WPA2-Enterprise can accommodate all of the requirements listed. WPA2-Enterprise uses 802.1X authentication to differentiate between users, supports the use of RADIUS for authentication, and allows for the use of dynamic encryption keys that can be changed without disrupting the users or requiring re-authentication. Additionally, WPA2-Enterprise does not allow for open SSIDs.

56
Q

Which of the following incident response steps occurs before containment?

A. Eradication
B. Recovery
C. Lessons learned
D. Identification

A

Identification

Identification is the first step in the incident response process, which involves recognizing that an incident has occurred. Containment is the second step, followed by eradication, recovery, and lessons learned.

57
Q

A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?

A. Disable Telnet and force SSH.
B. Establish a continuous ping.
C. Utilize an agent-less monitor
D. Enable SNMPv3 with passwords.

Secure Shell (SSH)
Simple Network Management Protocol version 3 (SNMPv3)

A

Utilize an agent-less monitor

An agent-less monitor is the best method to monitor network operations because it does not require any software or agents to be installed on the devices being monitored, making it less intrusive and less likely to disrupt network operations. This method can monitor various aspects of network operations, such as traffic, performance, and security.

58
Q

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyber intrusions, phishing, and other malicious cyber activity?

A. Intelligence fusion
B. Review reports
C. Log reviews
D. Threat feeds

A

Intelligence fusion

Intelligence fusion is a process that involves aggregating and analyzing data from multiple sources, including artificial intelligence, to provide insight on current cyber intrusions, phishing, and other malicious cyber activity.

59
Q

Which of the technologies is used to actively monitor for specific file types being transmitted on the network?

A. File integrity monitoring
B. Honey nets
C. TCP replay
D. Data loss prevention

A

Data loss prevention

Data loss prevention (DLP) is a technology used to actively monitor for specific file types being transmitted on the network. DLP solutions can prevent the unauthorized transfer of sensitive information, such as credit card numbers and social security numbers, by monitoring data in motion.

60
Q

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002

Enterprise Resource Planning (ERP)
Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST)
International Organization for Standardization (ISO)

A

NIST Risk Management Framework

The CISO is using the NIST Risk Management Framework (RMF) to evaluate the environment for the new ERP system. The RMF is a structured process for managing risks that involves categorizing the system, selecting controls, implementing controls, assessing controls, and authorizing the system.

61
Q

A third party asked a user to share a public key for secure communication. Which of the following file formats should the user choose to share the key?

A. .pfx
B. .csr
C. .pvk
D. .cer

A

.cer

A user should choose the .cer file format to share a public key for secure communication. A .cer file is a public key certificate that can be shared with third parties to enable secure communication.

A public key is a cryptographic key that can be used to encrypt or verify data. A public key file is a file that contains one or more public keys in a specific format.

61
Q

A security administrator wants to implement a program that tests a user’s ability to recognize attacks over the organization’s email system. Which of the following would be BEST suited for this task?

A. Social media analysis
B. Annual information security training
C. Gamification
D. Phishing campaign

A

Phishing campaign

A phishing campaign is a simulated attack that tests a user’s ability to recognize attacks over the organization’s email system. Phishing campaigns can be used to train users on how to identify and report suspicious emails.

62
Q

Which of the following identifies the point in time when an organization will recover data in the event of an outage?

A. SLA
B. RPO
C. MTBF
D. ARO

service level agreement (SLA)
Recovery Point Objective (RPO)
mean time between failures (MTBF)
Annualized Rate of Occurrence (ARO)

A

RPO

Recovery Point Objective (RPO) is the maximum duration of time that an organization can tolerate data loss in the event of an outage. It identifies the point in time when data recovery must begin, and any data loss beyond that point is considered unacceptable.

63
Q

The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take next?

A. Disconnect all external network connections from the firewall
B. Send response teams to the network switch locations to perform updates
C. Turn on all the network switches by using the centralized management software
D. Initiate the organization’s incident response plan.

A

Initiate the organization’s incident response plan.

An incident response plan is a set of procedures and guidelines that defines how an organization should respond to a security incident. An incident response plan typically includes the following phases: preparation, identification, containment, eradication, recovery, and lessons learned.

If the help desk has received calls from users in multiple locations who are unable to access core network services, it could indicate that a network outage or a denial-of-service attack has occurred.
The network team has identified and turned off the network switches using remote commands, which could be a containment measure to isolate the affected devices and prevent further damage.

The next action that the network team should take is to initiate the organization’s incident response plan, which would involve notifying the appropriate stakeholders, such as management, security team, legal team, etc., and following the predefined steps to investigate, analyze, document, and resolve the incident.

64
Q

Which of the following controls would provide the BEST protection against tailgating?

A. Access control vestibule
B. Closed-circuit television
C. Proximity card reader
D. Faraday cage

A

Access control vestibule

Access control vestibules, also known as mantraps or airlocks, are physical security features that require individuals to pass through two or more doors to enter a secure area. They are effective at preventing tailgating, as only one person can pass through each door at a time.

65
Q

A security architect is implementing a new email architecture for a company. Due to security concerns, the Chief Information Security Officer would like the new architecture to support email encryption, as well as provide for digital signatures. Which of the following should the architect implement?

A. POP
B. IMAP
C. HTTPS
D. S/MIME

Internet Message Access Protocol (IMAP)
Hypertext transfer protocol secure (HTTPS)
Secure/Multipurpose Internet Mail Extensions (S/MIME)

A

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that enables secure email messages to be sent and received. It provides email encryption, as well as digital signatures, which can be used to verify the authenticity of the sender. S/MIME can be used with a variety of email protocols, including POP and IMAP.

Post Office Protocol (POP)

65
Q

A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?

A. Security patches were uninstalled due to user impact.
B. An adversary altered the vulnerability scan reports
C. A zero-day vulnerability was used to exploit the web server
D. The scan reported a false negative for the vulnerability

A

Security patches were uninstalled due to user impact.

A security patch is a software update that fixes a vulnerability or bug that could be exploited by attackers. Security patches are essential for maintaining the security and functionality of systems and applications.

If the vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability, it means that the patch was either not applied or was uninstalled at some point. A possible reason for uninstalling a security patch could be user impact, such as performance degradation, compatibility issues, or functionality loss.

66
Q

A security researcher is using an adversary’s infrastructure and TTPs and creating a named group to track those targeted. Which of the following is the researcher MOST likely using?

A. The Cyber Kill Chain
B. The incident response process
C. The Diamond Model of Intrusion Analysis
D. MITRE ATT&CK

Tactics, Techniques and Procedures (TTPs)
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

A

MITRE ATT&CK

The researcher is most likely using the MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It helps security teams better understand and track adversaries by creating a named group, which aligns with the scenario described in the question.

67
Q

A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?

A. Enable the remote-wiping option in the MDM software in case the phone is stolen.
B. Configure the MDM software to enforce the use of PINs to access the phone.
C. Configure MDM for FDE without enabling the lock screen.
D. Perform a factory reset on the phone before installing the company’s applications.

A

Configure MDM for FDE without enabling the lock screen.

MDM software is a type of remote asset-management software that runs from a central server. It is used by businesses to optimize the functionality and security of their mobile devices, including smartphones and tablets. It can monitor and regulate both corporate-owned and personally owned devices according to the organization’s policies.

FDE stands for full disk encryption, which is a method of encrypting all data on a device’s storage. FDE can protect data from unauthorized access in case the device is lost or stolen. If a company decides to allow its employees to use their personally owned devices for work tasks, it should configure MDM software to enforce FDE on those devices. This way, the company can protect its data from being exposed if the device falls into the wrong hands. However, employees may be concerned about the loss of personal data if the company also enables the remote-wiping option in the MDM software.

Remote wiping is a feature that allows the company to erase all data on a device remotely in case of theft or loss. Remote wiping can also affect personal data on the device, which may not be acceptable to employees. Therefore, a possible compromise is to configure MDM for FDE without enabling the lock screen. This means that the device will be encrypted, but it will not require a password or PIN to unlock it. This way, employees can access their personal data easily, while the company can still protect its data with encryption.

68
Q

Which of the following roles would MOST likely have direct access to the senior management team?

A. Data custodian
B. Data owner
C. Data protection officer
D. Data controller

A

Data protection officer

A data protection officer (DPO) is a role that oversees the data protection strategy and compliance of an organization. A DPO is responsible for ensuring that the organization follows data protection laws and regulations, such as the General Data Protection Regulation (GDPR), and protects the privacy rights of data subjects. A DPO also acts as a liaison between the organization and data protection authorities, as well as data subjects and other stakeholders.

69
Q

A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Select TWO).

A. Full-device encryption
B. Network usage rules
C. Geofencing
D. Containerization
E. Application whitelisting
F. Remote control

Mobile device management (MDM)
Bring Your Own Device (BYOD)

A

Containerization & Application whitelisting

MDM solutions emerged to solve problems created by BYOD. With MDM, IT teams can remotely wipe devices clean if they are lost or stolen. MDM also makes the life of an IT administrator a lot easier as it allows them to enforce corporate policies, apply software updates, and even ensure that password protection is used on each device. Containerization and application whitelisting are two features of MDM that can help retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen.

Containerization is a technique that creates a separate and secure space on the device for work-related data and applications. This way, personal and corporate data are isolated from each other, and IT admins can manage only the work container without affecting the user’s privacy. Containerization also allows IT admins to remotely wipe only the work container if needed, leaving the personal data intact.

Application whitelisting is a technique that allows only authorized applications to run on the device. This way, IT admins can prevent users from installing or using malicious or unapproved applications that might compromise the security of corporate data. Application whitelisting also allows IT admins to control which applications can access corporate resources, such as email servers or cloud storage.

70
Q

An organization discovered a disgruntled employee exfiltrated a large amount of PII data by uploading files. Which of the following controls should the organization consider to mitigate this risk?

A. EDR
B. Firewall
C. HIPS
D. DLP

Endpoint Detection and Response (EDR)
Host Intrusion Prevention System (HIPS)
data loss prevention (DLP)

A

DLP

DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration by disgruntled employees or external attackers by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, print, email, upload, or download sensitive data based on predefined policies and rules.

71
Q

A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available?

A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only a dual power supplies unit
D. Increasing power generator capacity

Uninterruptible Power Supply (UPS)
Power Distribution Unit (PDU)

A

Installing a managed PDU

A managed Power Distribution Unit (PDU) allows you to monitor and control power outlets on the rack. This will allow the security team to identify which devices are drawing power and from which outlets, which can help to identify any unauthorized devices. Moreover, with a managed PDU, you can also control the power to outlets, turn off outlets that are not in use, and set up alerts if an outlet is overloaded. This will help to mitigate the issue of power consumption overloads without compromising the number of outlets available.

72
Q

An employee receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm the employee’s identity before sending him the prize. Which of the following BEST describes this type of email?

A. Spear phishing
B. Whaling
C. Phishing
D. Vishing

A

Phishing

Phishing is a type of social engineering attack that uses fraudulent emails or other forms of communication to trick users into revealing sensitive information, such as passwords, credit card numbers, or personal details. Phishing emails often impersonate legitimate entities, such as banks, online services, or lottery organizations, and entice users to click on malicious links or attachments that lead to fake websites or malware downloads. Phishing emails usually target a large number of users indiscriminately, hoping that some of them will fall for the scam.

73
Q

A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following should the administrator consider?

A. Hashing
B. Salting
C. Lightweight cryptography
D. Steganography

A

Salting

A technique that adds random data to a password before hashing it. This makes the hash output more unique and unpredictable, and prevents attackers from using pre-computed tables (such as rainbow tables) to crack the password hash. Salting also reduces the risk of collisions, which occur when different passwords produce the same hash.

74
Q

As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results:

  • The exception process and policy have been correctly followed by the majority of users.
  • A small number of users did not create tickets for the requests but were granted access.
  • All access had been approved by supervisors.
  • Valid requests for the access sporadically occurred across multiple departments.
  • Access, in most cases, had not been removed when it was no longer needed.

Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame?

A. Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval
B. Remove access for all employees and only allow new access to be granted if the employee’s supervisor approves the request
C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team
D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use USB storage devices

A

Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval

Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval. This option ensures that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame by requiring supervisors to approve or deny the exceptions on a regular basis. It also reduces the manual workload of the security team and improves compliance with the company policy.

75
Q

Which of the following would satisfy three-factor authentication requirements?

A. Password, PIN, and physical token
B. PIN, fingerprint scan, and iris scan
C. Password, fingerprint scan, and physical token
D. PIN, physical token, and ID card

A

Password, fingerprint scan, and physical token

Three-factor authentication combines three types of authentication methods: something you know (password), something you have (physical token), and something you are (fingerprint scan).

Option C satisfies these requirements, as it uses a password (something you know), a physical token (something you have), and a fingerprint scan (something you are) for authentication.

76
Q

Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization?

A. To provide data to quantify risk based on the organization’s systems
B. To keep all software and hardware fully patched for known vulnerabilities
C. To only allow approved, organization-owned devices onto the business network
D. To standardize by selecting one laptop model for all users in the organization

A

To provide data to quantify risk based on the organization’s systems

An effective asset management policy helps an organization understand and manage the systems, hardware, and software it uses, and how they are used, including their vulnerabilities and risks. This information is crucial for accurately identifying and assessing risks to the organization, and making informed decisions about how to mitigate those risks. This is the best reason to maintain an effective asset management policy.

77
Q

A company owns a public-facing e-commerce website. The company outsources credit card transactions to a payment company. Which of the following BEST describes the role of the payment company?

A. Data controller
B. Data custodian
C. Data owners
D. Data processor

A

Data processor

A data processor is an organization that processes personal data on behalf of a data controller. In this scenario, the company that owns the e-commerce website is the data controller, as it determines the purposes and means of processing personal data (e.g. credit card information). The payment company is a data processor, as it processes personal data on behalf of the e-commerce company (i.e. it processes credit card transactions).

78
Q

While troubleshooting a service disruption on a mission-critical server, a technician discovered the user account that was configured to run automated processes was disabled because the user’s password failed to meet password complexity requirements. Which of the following would be the BEST solution to securely prevent future issues?

A. Using an administrator account to run the processes and disabling the account when it is not in use
B. Implementing a shared account the team can use to run automated processes
C. Configuring a service account to run the processes
D. Removing the password complexity requirements for the user account

A

Configuring a service account to run the processes

A service account is a user account that is created specifically to run automated processes and services. These accounts are typically not associated with an individual user, and are used for running background services and scheduled tasks. By configuring a service account to run the automated processes, you can ensure that the account will not be disabled due to password complexity requirements and other user-related issues.

79
Q

A company completed a vulnerability scan. The scan found malware on several systems that were running older versions of Windows. Which of the following is MOST likely the cause of the malware infection?

A. Open permissions
B. Improper or weak patch management
C. Insecure root accounts
D. Default settings

A

Improper or weak patch management

The reason for this is that older versions of Windows may have known vulnerabilities that have been patched in more recent versions. If a company is not regularly patching its systems, it is leaving those vulnerabilities open to exploitation, which can allow malware to infect the systems. It is important to regularly update and patch systems to address known vulnerabilities and protect against potential malware infections. This is an important aspect of proper security management.

Properly configuring and maintaining software, including patch management, is critical to protecting systems and data.

80
Q

A security team will be outsourcing several key functions to a third party and will require that:

  • Several of the functions will carry an audit burden.
  • Attestations will be performed several times a year.
  • Reports will be generated on a monthly basis.

Which of the following BEST describes the document that is used to define these requirements and stipulate how and when they are performed by the third party?

A. MOU
B. AUP
C. SLA
D. MSA

Memorandum of Understanding (MOU)
Acceptable Use Policy (AUP)
Service Level Agreement (SLA)
Master Services Agreement (MSA)

A

SLA

A service level agreement (SLA) is a contract between a service provider and a customer that outlines the services that are to be provided and the expected levels of performance. It is used to define the requirements for the service, including any attestations and reports that must be generated, and the timescales in which these must be completed. It also outlines any penalties for failing to meet these requirements. SLAs are essential for ensuring that third-party services are meeting the agreed-upon performance levels.

81
Q

A network administrator needs to determine the sequence of a server farm’s logs. Which of the following should the administrator consider? (Select TWO).

A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset

A

Time stamps & Time offset

A server farm’s logs are records of events that occur on a group of servers that provide the same service or function. Logs can contain information such as date, time, source, destination, message, error code, and severity level. Logs can help administrators monitor the performance, security, and availability of the servers and troubleshoot any issues. To determine the sequence of a server farm’s logs, the administrator should consider the following factors:

Time stamps: Time stamps are indicators of when an event occurred on a server. Time stamps can help administrators sort and correlate events across different servers in chronological order. However, time stamps alone may not be sufficient to determine the sequence of events if the servers have different time zones or clock settings.

Time offset: Time offset is the difference between the local time of a server and a reference time, such as Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time offset can help administrators adjust and synchronize the time stamps of different servers to a common reference time and eliminate any discrepancies caused by time zones or clock settings.