cascfas

Question 1

QUESTION 1
Which of the following would a security specialist be able to determine upon examination of a server’s certificate?
A. CA public key
B. Server private key
C. CSR
D. OID

Answer 1

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
OID is correct. You would not see the CA’s public key by examining the certificate. “Server’s public key” would be correct, but that is not an option.
https://www.examtopics.com/discussions/comptia/view/2536-exam-sy0-501-topic-1-question-4-discussion/
https://blogs.getcertifiedgetahead.com/whats-in-a-digital-certificate/

Question 2

QUESTION 2
Which of the following BEST describes an important security advantage yielded by implementing vendor diversity?
A. Sustainability
B. Homogeneity
C. Resiliency
D. Configurability

Answer 2

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 3

QUESTION 3
Which of the following characteristics differentiate a rainbow table attack from a brute force attack? (Select two.)
A. Rainbow table attacks greatly reduce compute cycles at attack time.
B. Rainbow tables must include precomputed hashes.
C. Rainbow table attacks do not require access to hashed passwords.
D. Rainbow table attacks must be performed on the network.
E. Rainbow table attacks bypass maximum failed login restrictions.

Answer 3

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:

Question 4

QUESTION 4
Which of the following best describes routine in which semicolons, dashes, quotes, and commas are removed from a string?
A. Error handling to protect against program exploitation
B. Exception handling to protect against XSRF attacks.
C. Input validation to protect against SQL injection.
D. Padding to protect against string buffer overflows.

Answer 4

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 5

QUESTION 5
Which of the following explains why vendors publish MD5 values when they provide software patches for their customers to download over the Internet?
A. The recipient can verify integrity of the software patch.
B. The recipient can verify the authenticity of the site used to download the patch.
C. The recipient can request future updates to the software using the published MD5 value.
D. The recipient can successfully activate the new software patch.

Answer 5

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 6

QUESTION 6
A security analyst is reviewing the following output from an IPS:
[] [1:2467:7] EXPLOIT IGMP IGAP message overflow attempt []
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/30-19:45:02.238185 250.19.18.71 -> 250.19.18.22
IGMP TTL:255 TOS: OxO ID: 9742 IpLen:20 DgmLen: 502 MF
Frag offset: 0x1FFF Frag Size: 0x01E2
[Xref => http://cve.mitre.org/cgi-bin/cvename .cgi?name=2004-0367]
Given this output, which of the following can be concluded? (Select two.)
A. The source IP of the attack is coming from 250.19.18.22.
B. The source IP of the attack is coming from 250.19.18.71.
C. The attacker sent a malformed IGAP packet, triggering the alert.
D. The attacker sent a malformed TCP packet, triggering the alert.
E. The TTL value is outside of the expected range, triggering the alert.

Answer 6

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

Question 7

QUESTION 7
Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? (Select two.)
A. Password expiration
B. Password length
C. Password complexity
D. Password history
E. Password lockout

Answer 7

Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:

Question 8

QUESTION 8
Which of the following types of cloud infrastructures would allow several organizations with similar structures and interests to realize the benefits of shared storage and resources?
A. Private
B. Hybrid
C. Public
D. Community

Answer 8

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 9

QUESTION 9
An auditor wants to test the security posture of an organization by running a tool that will display the following:
JIMS <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
JIMS <00> UNIQUE Registered
Which of the following commands should be used?
A. nbtstat
B. nc
C. arp
D. ipconfig

Answer 9

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 10

QUESTION 10
A botnet has hit a popular website with a massive number of GRE-encapsulated packets to perform a DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send outbound packets to the website that crashed. To which of the following categories does the refrigerator belong?
A. SoC
B. ICS
C. IoT
D. MFD

Answer 10

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 11

QUESTION 11
Users report the following message appears when browsing to the company’s secure site: This website cannot be trusted.Which of the following actions should a security analyst take to resolve these messages? (Select two.)
A. Verify the certificate has not expired on the server.
B. Ensure the certificate has a .pfx extension on the server.
C. Update the root certificate into the client computer certificate store.
D. Install the updated private key on the web server.
E. Have users clear their browsing history and relaunch the session.

Answer 11

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:

Question 12

QUESTION 12
Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe demonstrates a free movie application that he installed from a third party on his corporate smartphone. Joe’s colleagues were unable to find the application in the app stores. Which of the following allowed Joe to install the application?(Select two.)
A. Near-field communication.
B. Rooting/jailbreaking
C. Ad-hoc connections
D. Tethering
E. Sideloading

Answer 12

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/9878-exam-sy0-501-topic-1-question-32-discussion/

Question 13

QUESTION 13
Which of the following can be provided to an AAA system for the identification phase?
A. Username
B. Permissions
C. One-time token
D. Private certificate

Answer 13

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 14

QUESTION 14
Which of the following implements two-factor authentication?
A. A phone system requiring a PIN to make a call
B. At ATM requiring a credit card and PIN
C. A computer requiring username and password
D. A datacenter mantrap requiring fingerprint and iris scan

Answer 14

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 15

QUESTION 15
An organization is using a tool to perform a source code review. Which of the following describes the case in
which the tool incorrectly identifies the vulnerability?
A. False negative
B. True negative
C. False positive
D. True positive

Answer 15

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 16

QUESTION 16
A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring?
A. Time-of-day restrictions
B. Permission auditing and review
C. Offboarding
D. Account expiration

Answer 16

Correct Answer: C離職
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/1142-exam-sy0-501-topic-1-question-41-discussion/

Question 17

QUESTION 17
A database backup schedule consists of weekly full backups performed on Saturday at 12:00 a.m. and daily
differential backups also performed at 12:00 a.m. If the database is restored on Tuesday afternoon, which of
the following is the number of individual backups that would need to be applied to complete the database
recovery?
A. 1
B. 2
C. 3
D. 4

Answer 17

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 18

QUESTION 18
A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings. Which of the following is the MOST likely risk in this situation?
A. An attacker can access and change the printer configuration.
B. SNMP data leaving the printer will not be properly encrypted.
C. An MITM attack can reveal sensitive information.
D. An attacker can easily inject malicious code into the printer firmware.
E. Attackers can use the PCL protocol to bypass the firewall of client computers.

Answer 18

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/2214-exam-sy0-501-topic-1-question-46-discussion/

Question 19

QUESTION 19
When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Select two.)
A. USB-attached hard disk
B. Swap/pagefile
C. Mounted network storage
D. ROM
E. RAM

Answer 19

Correct Answer: BE
Section: (none)
Explanation

Question 20

QUESTION 20
A security administrator has found a hash in the environment known to belong to malware.
The administrator then finds this file to be in in the preupdate area of the OS, which indicates it was pushed from the central patch system.
File: winx86_adobe_flash_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:
Ingtall Date Package Name Target Devices Hash
10/10/2017 java_11.2_x64.exe HQ PC’ s 01ab28bbde63aa879b35bba62cde3283
10/10/2017 winx@6_adobe_flash_upgrade.exe HQ PC’ g 99ac28bede43ab869b853ba62c4ea243
Given the above outputs, which of the following MOST likely happened?
A. The file was corrupted after it left the patch system.
B. The file was infected when the patch manager downloaded it.
C. The file was not approved in the application whitelist system.
D. The file was embedded with a logic bomb to evade detection.

Answer 20

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
這文件在USER端跟WSUS端一樣
代表在WSUS就已經被感染惹
https://www.examtopics.com/discussions/comptia/view/6770-exam-sy0-501-topic-1-question-53-discussion/

Question 21

QUESTION 21
A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented in the administrator does not want to provide the wireless password or he certificate to the employees?
A. WPS
B. 802.1x
C. WPA2-PSK
D. TKIP

Answer 21

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A. Wi-Fi Protected Setup (WPS) allows users to configure a wireless network without typing in the passphrase.
It tries to make connections between a router and wireless devices faster and easier. WPS works only for wireless networks that use a password that is encrypted with the WPA Personal or WPA2 Personal security protocols.
WPS is an obsolete technology that should not ever be implemented IRL.
https://www.examtopics.com/discussions/comptia/view/13393-exam-sy0-501-topic-1-question-54-discussion/

Question 22

QUESTION 22
When connected to a secure WAP, which of the following encryption technologies is MOST likely to be configured when connecting to WPA2-PSK?
A. DES
B. AES
C. MD5
D. WEP

Answer 22

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 23

QUESTION 23
A company has a data classification system with definitions for “Private” and “Public”. The company’s security policy outlines how data should be protected based on type. The company recently added the data type “Proprietary”.
Which of the following is the MOST likely reason the company added this data type?
A. Reduced cost
B. More searchable data
C. Better data classification
D. Expanded authority of the privacy officer

Answer 23

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
說明跟他們獲利有關

Question 24

QUESTION 24
A company is terminating an employee for misbehavior. Which of the following steps is MOST important in the process of disengagement from this employee?
A. Obtain a list of passwords used by the employee.
B. Generate a report on outstanding projects the employee handled.
C. Have the employee surrender company identification.
D. Have the employee sign an NDA before departing.

Answer 24

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
應該是指ID卡
https://www.examtopics.com/discussions/comptia/view/3923-exam-sy0-501-topic-1-question-61-discussion/

Question 25

QUESTION 25
A user clicked an email link that led to a website than infected the workstation with a virus. The virus encrypted all the network shares to which the user had access. The virus was not deleted or blocked by the company’s email filter, website filter, or antivirus. Which of the following describes what occurred?
A. The user’s account was over-privileged.
B. Improper error handling triggered a false negative in all three controls.
C. The email originated from a private email server with no malware protection.
D. The virus was a zero-day attack.

Answer 25

Correct Answer: D

Section: (none)

Question 26

QUESTION 26
An organization wishes to provide better security for its name resolution services. Which of the following technologies BEST supports the deployment of DNSSEC at the organization?
A. LDAP
B. TPM
C. TLS
D. SSL
E. PKI

Answer 26

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/3924-exam-sy0-501-topic-1-question-65-discussion/

Question 27

QUESTION 27
A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts. For which of the following is the company hiring the consulting firm?
A. Vulnerability scanning
B. Penetration testing
C. Application fuzzing
D. User permission auditing

Answer 27

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 28

QUESTION 28
An application team is performing a load-balancing test for a critical application during off-hours and has requested access to the load balancer to review which servers are up without having the administrator on call.
The security analyst is hesitant to give the application team full access due to other critical applications running on the load balancer. Which of the following is the BEST solution for security analyst to process the request?
A. Give the application team administrator access during off-hours.
B. Disable other critical applications before granting the team access.
C. Give the application team read-only access.
D. Share the account with the application team.

Answer 28

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 29

QUESTION 29
A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is
mutual authentication and delegation. Given these requirements, which of the following technologies should the
analyst recommend and configure?
A. LDAP services
B. Kerberos services
C. NTLM services
D. CHAP services

Answer 29

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Only Kerberos that can do Mutual Auth and Delegation.

Question 30

QUESTION 30
Two users need to send each other emails over unsecured channels. The system should support the principle of non-repudiation. Which of the following should be used to sign the user’s certificates?
A. RA
B. CA
C. CRL
D. CSR

Answer 30

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 31

QUESTION 31
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML
iframe with JavaScript code via a web browser?
A. Buffer overflow
B. MITM
C. XSS
D. SQLi

Answer 31

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 32

QUESTION 32
Which of the following network vulnerability scan indicators BEST validates a successful, active scan?
A. The scan job is scheduled to run during off-peak hours.
B. The scan output lists SQL injection attack vectors.
C. The scan data identifies the use of privileged-user credentials.
D. The scan results identify the hostname and IP address.

Answer 32

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 33

QUESTION 33
Which of the following is the BEST explanation of why control diversity is important in a defense-in-depth architecture?
A. Social engineering is used to bypass technical controls, so having diversity in controls minimizes the risk of demographic exploitation
B. Hackers often impact the effectiveness of more than one control, so having multiple copies of individual controls provides redundancy
C. Technical exploits to defeat controls are released almost every day; control diversity provides overlapping protection.
D. Defense-in-depth relies on control diversity to provide multiple levels of network hierarchy that allow user domain segmentation

Answer 33

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 34

QUESTION 34
An information security specialist is reviewing the following output from a Linux server.
user@server:-$ crontab -1
5****usr/local/bin/backup.sh
user@server: ~$ cat /usr/local/bin/backup.sh
#!/bin/bash
if ! grep - - quiet joeuser/etc/passwd
then rm -rf
fi
Based on the above information, which of the following types of malware was installed on the server?
A. Logic bomb
B. Trojan
C. Backdoor
D. Ransomware
E. Rootkit

Answer 34

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 35

QUESTION 35
In terms of encrypting data, which of the following is BEST described as a way to safeguard password data by adding random data to it in storage? 
A. Using salt
B. Using hash algorithms
C. Implementing elliptical curve
D. Implementing PKI

Answer 35

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 36

QUESTION 36
A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees.
Which of the following should the administrator implement?
A. Shared accounts
B. Preshared passwords
C. Least privilege
D. Sponsored guest

Answer 36

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Sponsored guest means they have been authorized as such can be provided with a captive portal account to access wifi
https://www.examtopics.com/discussions/comptia/view/3247-exam-sy0-501-topic-1-question-86-discussion/

Question 37

QUESTION 37
Which of the following would MOST likely appear in an uncredentialed vulnerability scan? 
A. Self-signed certificates
B. Missing patches
C. Auditing parameters
D. Inactive local accounts

Answer 37

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
看文義，D是不用憑據就能掃，B是指缺少憑據沒辦法掃這個
https://www.examtopics.com/discussions/comptia/view/2220-exam-sy0-501-topic-1-question-87-discussion/

Question 38

QUESTION 38
A security analyst observes the following events in the logs of an employee workstation:
[1/23] [1:07:16] [865] [Access to C:\Users\user\ temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.]
[1/23] [1:07:09] [1034] [The scan completed. No detections were found.]
The security analyst reviews the file system and observes the following:
C:> dir
C:\Usersluser’ttemp
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
Given the information provided, which of the following MOST likely occurred on the workstation?
A. Application whitelisting controls blocked an exploit payload from executing.
B. Antivirus software found and quarantined three malware files.
C. Automatic updates were initiated but failed because they had not been approved.
D. The SIEM log agent was not tuned properly and reported a false positive.

Answer 38

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 39

QUESTION 39
When identifying a company’s most valuable assets as part of a BIA, which of the following should be the FIRST priority? 
A. Life
B. Intellectual property
C. Sensitive data
D. Public reputation

Answer 39

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/9980-exam-sy0-501-topic-1-question-89-discussion/

Question 40

QUESTION 40
An organization needs to implement a large PKI. Network engineers are concerned that repeated transmission of the OCSP will impact network performance. Which of the following should the security analyst recommend is lieu of an OCSP? 
A. CSR
B. CRL
C. CA
D. OID

Answer 40

Correct Answer: B
Section: (none)
Explanation

Question 41

QUESTION 41
When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Select two.)
A. Use of performance analytics
B. Adherence to regulatory compliance
C. Data retention policies
D. Size of the corporation
E. Breadth of applications support

Answer 41

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

Question 42

QUESTION 42
An organization's file server has been virtualized to reduce costs. Which of the following types of backups would be MOST appropriate for the particular file server? 
A. Snapshot
B. Full
C. Incremental
D. Differential

Answer 42

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/1462-exam-sy0-501-topic-1-question-94-discussion/

Question 43

QUESTION 43
A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant. Which of the following represents the authentication architecture in use? 
A. Open systems authentication
B. Captive portal
C. RADIUS federation
D. 802.1x

Answer 43

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/1950-exam-sy0-501-topic-1-question-95-discussion/

Question 44

QUESTION 44
Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. Which of the following terms BEST describes the security control being employed? 
A. Administrative 
B. Corrective
C. Deterrent
D. Compensating

Answer 44

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/1951-exam-sy0-501-topic-1-question-97-discussion/

Question 45

QUESTION 45
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select three.)
A. S/MIME
B. SSH
C. SNMPv3
D. FTPS
E. SRTP
F. HTTPS
G. LDAPS

Answer 45

Correct Answer: BDF
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13633-exam-sy0-501-topic-1-question-99-discussion/

Question 46

QUESTION 46
Which of the following must be intact for evidence to be admissible in court? 
A. Chain of custody
B. Order of volatility
C. Legal hold
D. Preservation

Answer 46

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/14296-exam-sy0-501-topic-1-question-101-discussion/

Question 47

QUESTION 47
A vulnerability scanner that uses its running service’s access level to better assess vulnerabilities across multiple assets within an organization is performing a: 
A. Credentialed scan.
B. Non-intrusive scan.
C. Privilege escalation test.
D. Passive scan.

Answer 47

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 48

QUESTION 48
A new firewall has been places into service at an organization. However, a configuration has not been entered on the firewall. Employees on the network segment covered by the new firewall report they are unable to access the network. Which of the following steps should be completed to BEST resolve the issue?
A. The firewall should be configured to prevent user traffic form matching the implicit deny rule.
B. The firewall should be configured with access lists to allow inbound and outbound traffic.
C. The firewall should be configured with port security to allow traffic.
D. The firewall should be configured to include an explicit deny rule.

Answer 48

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/3250-exam-sy0-501-topic-1-question-105-discussion/

Question 49

QUESTION 49
A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use?(Select two.)
A. nslookup comptia.org set type=ANY ls-d example.org
B. nslookup comptia.org set type=MX example.org
C. dig -axfr comptia.org@example.org
D. ipconfig /flushDNS
E. ifconfig ethO down ifconfig eth0 up dhclient renew
F. dig @example.org comptia.org

Answer 49

Correct Answer: AC
Section: (none)
Explanation
https://www.examtopics.com/discussions/comptia/view/3856-exam-sy0-501-topic-1-question-106-discussion/

Question 50

QUESTION 50
A Chief Information Officer (CIO) drafts an agreement between the organization and its employees. The agreement outlines ramifications for releasing information without consent and/or approvals. Which of the following BEST describes this type of agreement? 
A. ISA
B. NDA
C. MOU
D. SLA

Answer 50

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 51

QUESTION 51
A manager suspects that an IT employee with elevated database access may be knowingly modifying financial transactions for the benefit of a competitor. Which of the following practices should the manager implement to validate the concern? 
A. Separation of duties
B. Mandatory vacations
C. Background checks
D. Security awareness training

Answer 51

Correct Answer: A or B
Section: (none)
Explanation
Explanation/Reference:

Question 52

QUESTION 52
Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transposed. Which of the following BEST describes the attack vector used to infect the devices?
A. Cross-site scripting
B. DNS poisoning
C. Typo squatting
D. URL hijacking

Answer 52

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 53

QUESTION 53
Joe, a security administrator, needs to extend the organization’s remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos

Answer 53

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
separate access control functionalities
https://www.examtopics.com/discussions/comptia/view/3252-exam-sy0-501-topic-1-question-114-discussion/

Question 54

QUESTION 54
Which of the following are methods to implement HA in a web application server environment? (Select two.)
A. Load balancers
B. Application layer firewalls
C. Reverse proxies
D. VPN concentrators
E. Routers

Answer 54

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:

Question 55

QUESTION 55
After an identified security breach, an analyst is tasked to initiate the IR process. Which of the following is the NEXT step the analyst should take? 
A. Recovery
B. Identification 
C. Preparation
D. Documentation
E. Escalation

Answer 55

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
事故發生前需要充足的準備
事故回應包括鑑識與進行辨識、調查、修理、記錄與調整(Adjusting)程序
https://www.examtopics.com/discussions/comptia/view/1506-exam-sy0-501-topic-1-question-121-discussion/

Question 56

QUESTION 56
During a monthly vulnerability scan, a server was flagged for being vulnerable to an Apache Struts exploit.
Upon further investigation, the developer responsible for the server informs the security team that Apache Struts is not installed on the server. Which of the following BEST describes how the security team should reach to this incident?
A. The finding is a false positive and can be disregarded
B. The Struts module needs to be hardened on the server
C. The Apache software on the server needs to be patched and updated
D. The server has been compromised by malware and needs to be quarantined.

Answer 56

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 57

QUESTION 57
A systems administrator wants to protect data stored on mobile devices that are used to scan and record assets in a warehouse. The control must automatically destroy the secure container of mobile devices if they leave the warehouse. Which of the following should the administrator implement? (Select two.) 
A. Geofencing
B. Remote wipe
C. Near-field communication
D. Push notification services
E. Containerization

Answer 57

Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:

Question 58

QUESTION 58
Which of the following vulnerability types would the type of hacker known as a script kiddie be MOST dangerous against?
A. Passwords written on the bottom of a keyboard
B. Unpatched exploitable Internet-facing services
C. Unencrypted backup tapes
D. Misplaced hardware token

Answer 58

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 59

QUESTION 59
A development team has adopted a new approach to projects in which feedback is iterative and multiple iterations of deployments are provided within an application’s full life cycle. Which of the following software development methodologies is the development team using? 
A. Waterfall
B. Agile
C. Rapid
D. Extreme

Answer 59

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 60

QUESTION 60
Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the following should Joe do to ensure the document is protected from eavesdropping?
A. Encrypt it with Joe’s private key
B. Encrypt it with Joe’s public key
C. Encrypt it with Ann’s private key
D. Encrypt it with Ann’s public key

Answer 60

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 61

QUESTION 61
To reduce disk consumption, an organization’s legal department has recently approved a new policy setting the data retention period for sent email at six months. Which of the following is the BEST way to ensure this goal is met?
A. Create a daily encrypted backup of the relevant emails.
B. Configure the email server to delete the relevant emails.
C. Migrate the relevant emails into an “Archived” folder.
D. Implement automatic disk compression on email servers.

Answer 61

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/3256-exam-sy0-501-topic-1-question-139-discussion/

Question 62

QUESTION 62
Which of the following types of attacks precedes the installation of a rootkit on a server? 
A. Pharming
B. DDoS
C. Privilege escalation
D. DoS

Answer 62

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 63

QUESTION 63
A security analyst receives an alert from a WAF with the following payload:
var data= “ < test test test > “ ++ < .. / .. / .. / .. / .. / .. / etc / passwd > “
Which of the following types of attacks is this?
A. Cross-site request forgery
B. Buffer overflow
C. SQL injection
D. JavaScript data insertion
E. Firewall evasion script

Answer 63

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
https://www.examtopics.com/discussions/comptia/view/617-exam-sy0-501-topic-1-question-143-discussion/

Question 64

QUESTION 64
A workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred?
A. The hacker used a race condition.
B. The hacker used a pass-the-hash attack.
C. The hacker-exploited improper key management.
D. The hacker exploited weak switch configuration.

Answer 64

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/3257-exam-sy0-501-topic-1-question-144-discussion/

Question 65

QUESTION 65
Audit logs from a small company’s vulnerability scanning software show the following findings:
Destinations scanned:
-Server001- Internal human resources payroll server
-Server101-Internet-facing web server
-Server201- SQL server for Server101
-Server301-Jumpbox used by systems administrators accessible from the internal network
Validated vulnerabilities found:
-Server001- Vulnerable to buffer overflow exploit that may allow attackers to install software
-Server101- Vulnerable to buffer overflow exploit that may allow attackers to install software
-Server201-OS updates not fully current
-Server301- Accessible from internal network without the use of jumpbox
-Server301-Vulnerable to highly publicized exploit that can elevate user privileges
Assuming external attackers who are gaining unauthorized information are of the highest concern, which of the following servers should be addressed FIRST?
A. Server001
B. Server101
C. Server201
D. Server301

Answer 65

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
外部優先處理
https://www.examtopics.com/discussions/comptia/view/4008-exam-sy0-501-topic-1-question-145-discussion/

Question 66

QUESTION 66
A security analyst wants to harden the company’s VoIP PBX. The analyst is worried that credentials may be
intercepted and compromised when IP phones authenticate with the BPX. Which of the following would best prevent this from occurring?
A. Implement SRTP between the phones and the PBX.
B. Place the phones and PBX in their own VLAN.
C. Restrict the phone connections to the PBX.
D. Require SIPS on connections to the PBX.

Answer 66

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 67

QUESTION 67
A security administrator suspects a MITM attack aimed at impersonating the default gateway is underway.
Which of the following tools should the administrator use to detect this attack? (Select two.)
A. Ping
B. Ipconfig
C. Tracert
D. Netstat
E. Dig
F. Nslookup

Answer 67

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/3286-exam-sy0-501-topic-1-question-148-discussion/

Question 68

QUESTION 68
After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use.
Blocking the port would cause an outage. Which of the following technology controls should the company implement?
A. NAC
B. Web proxy
C. DLP
D. ACL

Answer 68

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13704-exam-sy0-501-topic-1-question-152-discussion/

Question 69

QUESTION 69
A security analyst has received the following alert snippet from the HIDS appliance:
PROTOCOL SIG SRC. PORT DST. PORT
TCP XMAS SCAN 192.168.1.1:1091 192.168.1.2:8891
TCP XMAS SCAN 192.168.1.1:649 192.168.1.2:9001
TCP XMAS SCAN 192.168.1.1:2264 192.168.1.2:6455
TCP XMAS SCAN 192.168.1.1:3464 192.168.1.2:8744
Given the above logs, which of the following is the cause of the attack?
A. The TCP ports on destination are all open
B. FIN, URG, and PSH flags are set in the packet header
C. TCP MSS is configured improperly
D. There is improper Layer 2 segmentation

Answer 69

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 70

QUESTION 70
A company’s AUP requires:
Passwords must meet complexity requirements.
Passwords are changed at least once every six months.
Passwords must be at least eight characters long.
An auditor is reviewing the following report:
Username Last login Last changed
Carol 2 hours 90 days
David 2 hours 30 days
Ann 1 hour 247 days
Joe 0.5 hours 7 days
Which of the following controls should the auditor recommend to enforce the AUP?
A. Account lockout thresholds
B. Account recovery
C. Password expiration
D. Prohibit password reuse

Answer 70

Correct Answer: C

Question 71

QUESTION 71
An organization’s primary datacenter is experiencing a two-day outage due to an HVAC malfunction. The node located in the datacenter has lost power and is no longer operational, impacting the ability of all users to connect to the alternate datacenter. Which of the following BIA concepts BEST represents the risk described in this scenario?
A. SPoF
B. RTO
C. MTBF
D. MTTR

Answer 71

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
盡量不要讓您的基礎設施有拖垮整個系統
或網路的單一失效點(Single Point Of 
Failure，SPOF) 。

Question 72

QUESTION 72
A security analyst notices anomalous activity coming from several workstations in the organizations. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?
A. Document and lock the workstations in a secure area to establish chain of custody
B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse
C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working
D. Document findings and processes in the after-action and lessons learned report

Answer 72

Correct Answer: B(答案給D，我覺得是B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4013-exam-sy0-501-topic-1-question-157-discussion/

Question 73

QUESTION 73
An employee receives an email, which appears to be from the Chief Executive Officer (CEO), asking for a
report of security credentials for all users.
Which of the following types of attack is MOST likely occurring?
A. Policy violation
B. Social engineering
C. Whaling
D. Spear phishing

Answer 73

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4337-exam-sy0-501-topic-1-question-158-discussion/

Question 74

QUESTION 74
A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again?
A. Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff
B. Restrict access to the share where the report resides to only human resources employees and enable auditing
C. Have all members of the IT department review and sign the AUP and disciplinary policies
D. Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from
the IT department

Answer 74

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 75

QUESTION 75
A company is developing a new system that will unlock a computer automatically when an authorized user sits in front of it, and then lock the computer when the user leaves. The user does not have to perform any action for this process to occur. Which of the following technologies provides this capability?
A. Facial recognition
B. Fingerprint scanner
C. Motion detector
D. Smart cards

Answer 75

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 76

QUESTION 76
A security analyst accesses corporate web pages and inputs random data in the forms. The response received includes the type of database used and SQL commands that the database accepts. Which of the following should the security analyst use to prevent this vulnerability?
A. Application fuzzing
B. Error handling
C. Input validation
D. Pointer dereference

Answer 76

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4014-exam-sy0-501-topic-1-question-164-discussion/

Question 77

QUESTION 77
A security administrator is trying to encrypt communication. For which of the following reasons should administrator take advantage of the Subject Alternative Name (SAN) attribute of a certificate?
A. It can protect multiple domains
B. It provides extended site validation
C. It does not require a trusted certificate authority
D. It identifiers many subdomains

Answer 77

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The subject alternative name (SAN)extension field is structured to represent
different types of identifiers, including domain names. If a certificate is configured with a SAN, the browser should validate that, and ignore the CN value. It is still safer to put
the FQDN is the CN as well, because not all browsers and implementations stay up-todate with the standards.
The SAN field also allows a certificate to represent different subdomains, such as www.comptia.organd members.comptia.org.
https://www.examtopics.com/discussions/comptia/view/4441-exam-sy0-501-topic-1-question-169-discussion/

Question 78

QUESTION 78
A new mobile application is being developed in-house. Security reviews did not pick up any major flaws, however vulnerability scanning results show fundamental issues at the very end of the project cycle.
Which of the following security activities should also have been performed to discover vulnerabilities earlier in the lifecycle?
A. Architecture review
B. Risk assessment
C. Protocol analysis
D. Code review

Answer 78

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
協定分析儀(Protocol analyzers)
– Tcpdump
• Linux 系統上的封包嗅探器(packet sniffer)。
• tcpdump -i eth0
– Wireshark
https://www.examtopics.com/discussions/comptia/view/18320-exam-sy0-501-topic-1-question-171-discussion/

Question 79

QUESTION 79
The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the email was an example report file with several customers’ names and credit card numbers with the PIN.
Which of the following is the BEST technical controls that will help mitigate this risk of disclosing sensitive data?
A. Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted
B. Create a user training program to identify the correct use of email and perform regular audits to ensure
compliance
C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files
D. Classify all data according to its sensitivity and inform the users of data that is prohibited to share

Answer 79

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
這不是好題目，但如果看technical controls的話AC選一個

Question 80

QUESTION 80
A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production.
Which of the following would correct the deficiencies?
A. Mandatory access controls
B. Disable remote login
C. Host hardening
D. Disabling services

Answer 80

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4448-exam-sy0-501-topic-1-question-176-discussion/

Question 81

QUESTION 81
Company policy requires the use if passphrases instead if passwords.
Which of the following technical controls MUST be in place in order to promote the use of passphrases?
A. Reuse
B. Length
C. History
D. Complexity

Answer 81

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4096-exam-sy0-501-topic-1-question-182-discussion/

Question 82

QUESTION 82
During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the server to view inappropriate websites that are prohibited to end users.
Which of the following could best prevent this from occurring again?
A. Credential management
B. Group policy management
C. Acceptable use policy
D. Account expiration policy

Answer 82

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/6970-exam-sy0-501-topic-1-question-183-discussion/

Question 83

QUESTION 83
Which of the following works by implanting software on systems but delays execution until a specific set of
conditions is met?
A. Logic bomb
B. Trojan
C. Scareware
D. Ransomware

Answer 83

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 84

QUESTION 84
A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account.
This is an example of which of the following attacks?
A. SQL injection
B. Header manipulation
C. Cross-site scripting
D. Flash cookie exploitation

Answer 84

Correct Answer: C(爛題目
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4454-exam-sy0-501-topic-1-question-186-discussion/

Question 85

QUESTION 85
Technicians working with servers hosted at the company’s datacenter are increasingly complaining of electric shocks when touching metal items which have been linked to hard drive failures.
Which of the following should be implemented to correct this issue?
A. Decrease the room temperature
B. Increase humidity in the room
C. Utilize better hot/cold aisle configurations
D. Implement EMI shielding

Answer 85

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 86

QUESTION 86
A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable.
Which of the following MUST be implemented to support this requirement?
A. CSR
B. OCSP
C. CRL
D. SSH

Answer 86

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/9295-exam-sy0-501-topic-1-question-189-discussion/

Question 87

QUESTION 87
The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the
entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the
majority of data, small server clusters at each corporate location to handle the majority of customer transaction
processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data retention and privacy laws.
Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data?
A. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally
signed to minimize fraud, implement encryption for data in-transit between data centers
B. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement
encryption for data in-transit between data centers, increase data availability by replicating all data,
transaction data, logs between each corporate location
C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal
jurisdiction to another with more stringent regulations
D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud.

Answer 87

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/21812-exam-sy0-501-topic-1-question-191-discussion/

Question 88

QUESTION 88
A user of the wireless network is unable to gain access to the network. The symptoms are:
1.) Unable to connect to both internal and Internet resources
2.) The wireless icon shows connectivity but has no network access
The wireless network is WPA2 Enterprise and users must be a member of the wireless security group to authenticate.
Which of the following is the MOST likely cause of the connectivity issues?
A. The wireless signal is not strong enough
B. A remote DDoS attack against the RADIUS server is taking place
C. The user’s laptop only supports WPA and WEP
D. The DHCP scope is full
E. The dynamic encryption key did not update while the user was offline

Answer 88

Correct Answer: C or D
Section: (none)
Explanation
Explanation/Reference:

Question 89

QUESTION 89
A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user.
Which of the following mobile device capabilities should the user disable to achieve the stated goal?
A. Device access control
B. Location based services
C. Application control
D. GEO-Tagging

Answer 89

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13150-exam-sy0-501-topic-1-question-197-discussion/

Question 90

QUESTION 90
A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data.
Before powering the system off, Joe knows that he must collect the most volatile date first.
Which of the following is the correct order in which Joe should collect the data?
A. CPU cache, paging/swap files, RAM, remote logging data
B. RAM, CPU cache. Remote logging data, paging/swap files
C. Paging/swap files, CPU cache, RAM, remote logging data
D. CPU cache, RAM, paging/swap files, remote logging data

Answer 90

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 91

QUESTION 91
An organization has hired a penetration tester to test the security of its ten web servers. The penetration tester is able to gain root/administrative access in several servers by exploiting vulnerabilities associated with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP.
Which of the following recommendations should the penetration tester provide to the organization to better protect their web servers in the future?
A. Use a honeypot
B. Disable unnecessary services
C. Implement transport layer security
D. Increase application event logging

Answer 91

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 92

QUESTION 92
A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another.
Which of the following should the security administrator do to rectify this issue?
A. Recommend performing a security assessment on each application, and only segment the applications with the most vulnerability
B. Recommend classifying each application into like security groups and segmenting the groups from one another
C. Recommend segmenting each application, as it is the most secure approach
D. Recommend that only applications with minimal security features should be segmented to protect them

Answer 92

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12488-exam-sy0-501-topic-1-question-200-discussion/

Question 93

QUESTION 93
An attacker wearing a building maintenance uniform approached a company’s receptionist asking for access to a secure area. The receptionist asks for identification, a building access badge and checks the company’s list approved maintenance personnel prior to granting physical access to the secure are.
The controls used by the receptionist are in place to prevent which of the following types of attacks?
A. Tailgating
B. Shoulder surfing
C. Impersonation
D. Hoax

Answer 93

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 94

QUESTION 94
A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test.
Which of the following has the administrator been tasked to perform?
A. Risk transference
B. Penetration test
C. Threat assessment
D. Vulnerability assessment

Answer 94

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12734-exam-sy0-501-topic-1-question-203-discussion/

Question 95

QUESTION 95
Which of the following use the SSH protocol?
A. Stelnet
B. SCP
C. SNMP
D. FTPS
E. SSL
F. SFTP

Answer 95

Correct Answer: BF
Section: (none)
Explanation
Explanation/Reference:

Question 96

QUESTION 96
Which of the following is the GREATEST risk to a company by allowing employees to physically bring their personal smartphones to work?
A. Taking pictures of proprietary information and equipment in restricted areas.
B. Installing soft token software to connect to the company’s wireless network.
C. Company cannot automate patch management on personally-owned devices.
D. Increases the attack surface by having more target devices on the company’s campus

Answer 96

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/20507-exam-sy0-501-topic-1-question-206-discussion/

Question 97

QUESTION 97
Which of the following is the summary of loss for a given year?
A. MTBF
B. ALE
C. SLA
D. ARO

Answer 97

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 98

QUESTION 98
A Security Officer on a military base needs to encrypt several smart phones that will be going into the field.
Which of the following encryption solutions should be deployed in this situation?
A. Elliptic curve
B. One-time pad
C. 3DES
D. AES-256

Answer 98

Correct Answer: A(?D?
Section: (none)
Explanation
Explanation/Reference:

Question 99

QUESTION 99
An organization relies heavily on an application that has a high frequency of security updates. At present, the security team only updates the application on the first Monday of each month, even though the security updates are released as often as twice a week.
Which of the following would be the BEST method of updating this application?
A. Configure testing and automate patch management for the application.
B. Configure security control testing for the application.
C. Manually apply updates for the application when they are released.
D. Configure a sandbox for testing patches before the scheduled monthly update.

Answer 99

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/23709-exam-sy0-501-topic-1-question-209-discussion/

Question 100

QUESTION 100
A software development company needs to share information between two remote servers, using encryption to protect it. A programmer suggests developing a new encryption protocol, arguing that using an unknown protocol with secure, existing cryptographic algorithm libraries will provide strong encryption without being susceptible to attacks on other known protocols.
Which of the following summarizes the BEST response to the programmer’s proposal?
A. The newly developed protocol will only be as secure as the underlying cryptographic algorithms used.
B. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise secure and tested algorithm libraries.
C. A programmer should have specialized training in protocol development before attempting to design a new encryption protocol.
D. The obscurity value of unproven protocols against attacks often outweighs the potential for introducing new vulnerabilities.

Answer 100

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 101

QUESTION 101
A supervisor in your organization was demoted on Friday afternoon. The supervisor had the ability to modify the contents of a confidential database, as well as other managerial permissions. On Monday morning, the database administrator reported that log files indicated that several records were missing from the database.
Which of the following risk mitigation strategies should have been implemented when the supervisor was demoted?
A. Incident management
B. Routine auditing
C. IT governance
D. Monthly user rights reviews

Answer 101

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4471-exam-sy0-501-topic-1-question-213-discussion/

Question 102

QUESTION 102
Which of the following attack types is being carried out where a target is being sent unsolicited messages via
Bluetooth?
A. War chalking
B. Bluejacking
C. Bluesnarfing
D. Rogue tethering

Answer 102

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol.

Question 103

QUESTION 103
Recently several employees were victims of a phishing email that appeared to originate from the company president. The email claimed the employees would be disciplined if they did not click on a malicious link in the message.
Which of the following principles of social engineering made this attack successful?
A. Authority
B. Spamming
C. Social proof
D. Scarcity

Answer 103

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
President = Authority
https://www.examtopics.com/discussions/comptia/view/23741-exam-sy0-501-topic-1-question-216-discussion/

Question 104

QUESTION 104
An employee uses RDP to connect back to the office network.
If RDP is misconfigured, which of the following security exposures would this lead to?
A. A virus on the administrator’s desktop would be able to sniff the administrator’s username and password.
B. Result in an attacker being able to phish the employee’s username and password.
C. A social engineering attack could occur, resulting in the employee’s password being extracted.
D. A man in the middle attack could occur, resulting the employee’s username and password being captured.

Answer 104

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 105

QUESTION 105
Joe, the security administrator, sees this in a vulnerability scan report:
“The server 10.1.2.232 is running Apache 2.2.20 which may be vulnerable to a
mod_cgi exploit.”
Joe verifies that the mod_cgi module is not enabled on 10.1.2.232. This message is an example of:
A. a threat.
B. a risk.
C. a false negative.
D. a false positive.

Answer 105

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 106

QUESTION 106
A security guard has informed the Chief Information Security Officer that a person with a tablet has been
walking around the building. The guard also noticed strange white markings in different areas of the parking lot.
The person is attempting which of the following types of attacks?
A. Jamming
B. War chalking
C. Packet sniffing
D. Near field communication

Answer 106

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 107

QUESTION 107
A system administrator is configuring a site-to-site VPN tunnel.
Which of the following should be configured on the VPN concentrator during the IKE phase?
A. RIPEMD
B. ECDHE
C. Diffie-Hellman
D. HTTPS

Answer 107

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4979-exam-sy0-501-topic-1-question-225-discussion/

Question 108

QUESTION 108
A network operations manager has added a second row of server racks in the datacenter. These racks face the opposite direction of the first row of racks.
Which of the following is the reason the manager installed the racks this way?
A. To lower energy consumption by sharing power outlets
B. To create environmental hot and cold isles
C. To eliminate the potential for electromagnetic interference
D. To maximize fire suppression capabilities

Answer 108

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 109

QUESTION 109
Phishing emails frequently take advantage of high-profile catastrophes reported in the news.
Which of the following principles BEST describes the weakness being exploited?
A. Intimidation
B. Scarcity
C. Authority
D. Social proof

Answer 109

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 110

QUESTION 110
An administrator discovers the following log entry on a server:
Nov 12 2013 00:23:45 httpd[2342]: GET
/app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow
Which of the following attacks is being attempted?
A. Command injection
B. Password attack
C. Buffer overflow
D. Cross-site scripting

Answer 110

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 111

QUESTION 111
A security team wants to establish an Incident Response plan. The team has never experienced an incident.
Which of the following would BEST help them establish plans and procedures?
A. Table top exercises
B. Lessons learned
C. Escalation procedures
D. Recovery procedures

Answer 111

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios.

Question 112

QUESTION 112
Which of the following would verify that a threat does exist and security controls can easily be bypassed without actively testing an application?
A. Protocol analyzer
B. Vulnerability scan
C. Penetration test
D. Port scanner

Answer 112

Correct Answer: A(B三小
Section: (none)
Explanation
Explanation/Reference:
"Vulnerability scanner—A tool used to detect vulnerabilities. A scan typically identifies vulnerabilities, misconfigurations, and a lack of security controls. It passively tests security controls" Gibson book. IT's say PASSIVELY

Question 113

QUESTION 113
Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment?
A. Cloud computing
B. Virtualization
C. Redundancy
D. Application control

Answer 113

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Virtualization is used to host one or more operating systems in the memory of a single host computer and
allows multiple operating systems to run simultaneously on the same hardware, reducing costs. Virtualization
offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation.

Question 114

QUESTION 114
A security administrator receives notice that a third-party certificate authority has been compromised, and new certificates will need to be issued. 
Which of the following should the administrator submit to receive a new certificate?
A. CRL
B. OSCP
C. PFX
D. CSR
E. CA

Answer 114

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The process of getting a certificate isn’t a user making her own and then somehow the third party fills in a blank line of the certificate. The person who a user trusts must make the certificate. A user generates a certificate signing request (CSR) and sends the CSR as part of an application for a new certificate. The third party uses the CSR to make a digital certificate and sends the new certificate to the user. (Mike Meyer’s CompTIA Security+ p. 456)
https://www.examtopics.com/discussions/comptia/view/7555-exam-sy0-501-topic-1-question-235-discussion/

Question 115

QUESTION 115
A company wants to host a publicly available server that performs the following functions:
- Evaluates MX record lookup
- Can perform authenticated requests for A and AAA records
- Uses RRSIG
Which of the following should the company use to fulfill the above requirements?
A. DNSSEC
B. SFTP
C. nslookup
D. dig
E. LDAPS

Answer 115

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
DNS Security Extensions (DNSSEC) provides, among other things, cryptographic authenticity of responses
using Resource Record Signatures (RRSIG) and authenticated denial of existence using Next-Secure (NSEC) and Hashed-NSEC records (NSEC3).

Question 116

QUESTION 116
A security administrator is developing training for corporate users on basic security principles for personal email accounts.
Which of the following should be mentioned as the MOST secure way for password recovery?
A. Utilizing a single Qfor password recovery
B. Sending a PIN to a smartphone through text message
C. Utilizing CAPTCHA to avoid brute force attacks
D. Use a different e-mail address to recover password

Answer 116

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/23747-exam-sy0-501-topic-1-question-238-discussion/

Question 117

QUESTION 117
A computer on a company network was infected with a zero-day exploit after an employee accidently opened
an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidently opened it.
Which of the following should be done to prevent this scenario from occurring again in the future?
A. Install host-based firewalls on all computers that have an email client installed
B. Set the email program default to open messages in plain text
C. Install end-point protection on all computers that access web email
D. Create new email spam filters to delete all messages from that sender

Answer 117

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/7557-exam-sy0-501-topic-1-question-240-discussion/

Question 118

QUESTION 118
A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage.
Which of the following should be implemented?
A. Recovery agent
B. Ocsp
C. Crl
D. Key escrow

Answer 118

Correct Answer:C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/2577-exam-sy0-501-topic-1-question-241-discussion/

Question 119

QUESTION 119
During a data breach cleanup, it is discovered that not all of the sites involved have the necessary data wiping tools. The necessary tools are quickly distributed to the required technicians, but when should this problem BEST be revisited?
A. Reporting
B. Preparation
C. Mitigation
D. Lessons Learned

Answer 119

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5883-exam-sy0-501-topic-1-question-251-discussion/

Question 120

QUESTION 120
Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop.
Which of the following is an appropriate control to use to prevent the other patron from accessing Joe’s laptop directly?
A. full-disk encryption
B. Host-based firewall
C. Current antivirus definitions
D. Latest OS updates

Answer 120

Correct Answer: B

https://www.examtopics.com/discussions/comptia/view/12746-exam-sy0-501-topic-1-question-254-discussion/

Question 121

QUESTION 121
An organization is moving its human resources system to a cloud services provider.
The company plans to continue using internal usernames and passwords with the service provider, but the security manager does not want the service provider to have a company of the passwords.
Which of the following options meets all of these requirements?
A. Two-factor authentication
B. Account and password synchronization
C. Smartcards with PINS
D. Federated authentication

Answer 121

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 122

QUESTION 122
A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools’ results.
Which of the following is the best method for collecting this information?
A. Set up the scanning system’s firewall to permit and log all outbound connections
B. Use a protocol analyzer to log all pertinent network traffic
C. Configure network flow data logging on all scanning system
D. Enable debug level logging on the scanning system and all scanning tools used.

Answer 122

Correct Answer: B(勉勉強強
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/7106-exam-sy0-501-topic-1-question-258-discussion/

Question 123

QUESTION 123
An administrator is testing the collision resistance of different hashing algorithms.
Which of the following is the strongest collision resistance test?
A. Find two identical messages with different hashes
B. Find two identical messages with the same hash
C. Find a common has between two specific messages
D. Find a common hash between a specific message and a random message

Answer 123

Correct Answer: D
Section: (none)
Explanation
https://www.examtopics.com/discussions/comptia/view/4712-exam-sy0-501-topic-1-question-261-discussion/

Question 124

QUESTION 124
After a merger, it was determined that several individuals could perform the tasks of a network administrator in the merged organization. Which of the following should have been performed to ensure that employees have proper access?
A. Time-of-day restrictions
B. Change management
C. Periodic auditing of user credentials
D. User rights and permission review

Answer 124

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 125

QUESTION 125
Which of the following is the proper way to quantify the total monetary damage resulting from an exploited
vulnerability?
A. Calculate the ALE
B. Calculate the ARO
C. Calculate the MTBF
D. Calculate the TCO

Answer 125

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 126

QUESTION 126
The chief Security Officer (CSO) has reported a rise in data loss but no break ins have occurred.
By doing which of the following is the CSO most likely to reduce the number of incidents?
A. Implement protected distribution
B. Empty additional firewalls
C. Conduct security awareness training
D. Install perimeter barricades

Answer 126

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 127

QUESTION 127
Having adequate lighting on the outside of a building is an example of which of the following security controls?
A. Deterrent 
B. Compensating 
C. Detective 
D. Preventative

Answer 127

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 128

QUESTION 128
During a recent audit, it was discovered that several user accounts belonging to former employees were still active and had valid VPN permissions.
Which of the following would help reduce the amount of risk the organization incurs in this situation in the future?
A. Time-of-day restrictions
B. User access reviews
C. Group-based privileges
D. Change management policies

Answer 128

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 129

QUESTION 129
A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources.
Which of the following should be implemented?
A. Mandatory access control
B. Discretionary access control
C. Role based access control
D. Rule-based access control

Answer 129

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 130

QUESTION 130
Which of the following BEST describes an attack where communications between two parties are intercepted and forwarded to each party with neither party being aware of the interception and potential modification to the communications? 
A. Spear phishing 
B. Main-in-the-middle 
C. URL hijacking 
D. Transitive access

Answer 130

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 131

QUESTION 131
A security administrator wishes to implement a secure a method of file transfer when communicating with outside organizations. 
Which of the following protocols would BEST facilitate secure file transfers? (Select TWO) 
A. SCP 
B. TFTP 
C. SNMP 
D. FTP 
E. SMTP 
F. FTPS

Answer 131

Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:

Question 132

QUESTION 132
Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a (n): 
A. armored virus 
B. logic bomb 
C. polymorphic virus 
D. Trojan

Answer 132

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 133

QUESTION 133
Which of the following is a document that contains detailed information about actions that include how something will be done, when the actions will be performed, and penalties for failure? 
A. MOU 
B. ISA 
C. BPA 
D. SLA

Answer 133

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 134

QUESTION 134
Which of the following are MOST susceptible to birthday attacks? 
A. Hashed passwords 
B. Digital certificates 
C. Encryption passwords 
D. One time passwords

Answer 134

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/14100-exam-sy0-501-topic-1-question-282-discussion/

Question 135

QUESTION 135
Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally conducts an image of the hard drive.
Which of the following procedures did Joe follow?
A. Order of volatility
B. Chain of custody
C. Recovery procedure
D. Incident isolation

Answer 135

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 136

QUESTION 136
Given the log output:
Max 15 00:15:23.431 CRT: #SEC_LOGIN-5-LOGIN_SUCCESS:
Login Success [user: msmith] [Source: 10.0.12.45]
[localport: 23] at 00:15:23:431 CET Sun Mar 15 2015
Which of the following should the network administrator do to protect data security?
A. Configure port security for logons
B. Disable telnet and enable SSH
C. Configure an AAA server
D. Disable password and enable RSA authentication

Answer 136

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 137

QUESTION 137
The firewall administrator is adding a new certificate for the company’s remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected.
Which of the following is required to complete the certificate chain?
A. Certificate revocation list
B. Intermediate authority
C. Recovery agent
D. Root of trust

Answer 137

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 138

QUESTION 138
Which of the following is commonly used for federated identity management across multiple organizations? 
A. SAML 
B. Active Directory 
C. Kerberos 
D. LDAP

Answer 138

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 139

QUESTION 139
A security administrator is evaluating three different services: radius, diameter, and Kerberos.
Which of the following is a feature that is UNIQUE to Kerberos?
A. It provides authentication services
B. It uses tickets to identify authenticated users
C. It provides single sign-on capability
D. It uses XML for cross-platform interoperability

Answer 139

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 140

QUESTION 140
Which of the following can affect electrostatic discharge in a network operations center? 
A. Fire suppression 
B. Environmental monitoring 
C. Proximity card access 
D. Humidity controls

Answer 140

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 141

QUESTION 141
A company would like to prevent the use of a known set of applications from being used on company computers. 
Which of the following should the security administrator implement? 
A. Whitelisting 
B. Anti-malware 
C. Application hardening 
D. Blacklisting 
E. Disable removable media

Answer 141

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 142

QUESTION 142
A consultant has been tasked to assess a client’s network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and slow performing edge switch on the network has been elected to be the root bridge.
Which of the following explains this scenario?
A. The switch also serves as the DHCP server
B. The switch has the lowest MAC address
C. The switch has spanning tree loop protection enabled
D. The switch has the fastest uplink port

Answer 142

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
To elect the root bridge in the LAN, first check the priority value. The switch having the lowest priority will win the election process. If Priority Value is the same then it checks the MAC Address; the switch having the lowest MAC Address will become the root bridge.
the lowest MAC addresses, the slow and old switch is elected to be the root and is not able to manage up connection
https://www.examtopics.com/discussions/comptia/view/4771-exam-sy0-501-topic-1-question-304-discussion/

Question 143

QUESTION 143
An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and requires significant overhead.
Management would like to simplify the access control and provide user with the ability to determine what
permissions should be applied to files, document, and directories. The access control method that BEST
satisfies these objectives is:
A. Rule-based access control
B. Role-based access control
C. Mandatory access control
D. Discretionary access control

Answer 143

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 144

QUESTION 144
A security administrator determined that users within the company are installing unapproved software.
Company policy dictates that only certain applications may be installed or ran on the user’s computers without exception.
Which of the following should the administrator do to prevent all unapproved software from running on the user’s computer?
A. Deploy antivirus software and configure it to detect and remove pirated software
B. Configure the firewall to prevent the downloading of executable files
C. Create an application whitelist and use OS controls to enforce it
D. Prevent users from running as administrator so they cannot install software.

Answer 144

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 145

QUESTION 145
A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to logon to network devices using their LDAP credentials. All command executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility.
Which of the following configuration commands should be implemented to enforce this requirement?
A. LDAP server 10.55.199.3
B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233
C. SYSLOG SERVER 172.16.23.50
D. TACAS server 192.168.1.100

Answer 145

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4433-exam-sy0-501-topic-1-question-308-discussion/

Question 146

QUESTION 146
A website administrator has received an alert from an application designed to check the integrity of the company's website. The alert indicated that the hash value for a particular MPEG file has changed. Upon further investigation, the media appears to be the same as it was before the alert.
Which of the following methods has MOST likely been used? 
A. Cryptography 
B. Time of check/time of use 
C. Man in the middle 
D. Covert timing 
E. Steganography

Answer 146

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:

Question 147

QUESTION 147
Many employees are receiving email messages similar to the one shown below:
From IT department
To employee
Subject email quota exceeded
Pease click on the following link http:www.website.info/email.php?quota=1Gb and provide your username and
password to increase your email quota. Upon reviewing other similar emails, the security administrator realized
that all the phishing URLs have the following common elements; they all use HTTP, they all come from .info
domains, and they all contain the same URI.
Which of the following should the security administrator configure on the corporate content filter to prevent
users from accessing the phishing URL, while at the same time minimizing false positives?
A. BLOCK http://www..info/”
B. DROP http://”website.info/email.php?
C. Redirect http://www,. Info/email.php?quota=TOhttp://company.com/corporate_polict.html
D. DENY http://*.info/email.php?quota=1Gb

Answer 147

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13838-exam-sy0-501-topic-1-question-311-discussion/

Question 148

QUESTION 148
A security analyst is reviewing the following packet capture of an attack directed at a company’s server located in the DMZ:
10:55:24.126586 IP 192.168. 1. 10.5000 > 172.31.67.4.21: Flags [S]
10:55:24.126596 IP 192.168.1.10.5001 > 172.31.67.4.22: Flags [S]
10:55:24.126601 IP 192.168. 1. 10.5002 > 172.31.67.4.25: Flags [S]
10:55:24. 126608 IP 192.168. 1.10.5003 > 172.31.67.4.37: Flags [S]
Which of the following ACLs provides the BEST protection against the above attack and any further attacks
from the same IP, while minimizing service interruption?
A. DENY TCO From ANY to 172.31.64.4
B. Deny UDP from 192.168.1.0/24 to 172.31.67.0/24
C. Deny IP from 192.168.1.10/32 to 0.0.0.0/0
D. Deny TCP from 192.168.1.10 to 172.31.67.4

Answer 148

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 149

QUESTION 149
The IT department needs to prevent users from installing untested applications.
Which of the following would provide the BEST solution?
A. Job rotation
B. Least privilege
C. Account lockout
D. Antivirus

Answer 149

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 150

QUESTION 150
An attack that is using interference as its main attack to impede network traffic is which of the following?
A. Introducing too much data to a targets memory allocation
B. Utilizing a previously unknown security flaw against the target
C. Using a similar wireless configuration of a nearby network
D. Inundating a target system with SYN requests

Answer 150

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
wireless jamming
https://www.examtopics.com/discussions/comptia/view/4430-exam-sy0-501-topic-1-question-314-discussion/

Question 151

QUESTION 151
A network technician is trying to determine the source of an ongoing network based attack.
Which of the following should the technician use to view IPv4 packet data on a particular internal network segment?
A. Proxy
B. Protocol analyzer
C. Switch
D. Firewall

Answer 151

Correct Answer: B(打錯字?
Section: (none)
Explanation
Explanation/Reference:
Key word is ongoing = packet analyzer the rest are storing logs.

Question 152

QUESTION 152
A security administrator suspects that data on a server has been exhilarated as a result of un- authorized remote access.
Which of the following would assist the administrator in con-firming the suspicions? (Select TWO) 
A. Networking access control
B. DLP alerts 
C. Log analysis 
D. File integrity monitoring 
E. Host firewall rules

Answer 152

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

Question 153

QUESTION 153
A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated.
Which of the following options will provide the best performance and availability for both the VoIP traffic, as well as the traffic on the existing data network?
A. Put the VoIP network into a different VLAN than the existing data network.
B. Upgrade the edge switches from 10/100/1000 to improve network speed
C. Physically separate the VoIP phones from the data network
D. Implement flood guards on the data network

Answer 153

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
他們的理由是LAN要分開
https://www.examtopics.com/discussions/comptia/view/4478-exam-sy0-501-topic-1-question-324-discussion/

Question 154

QUESTION 154
A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network.
The access the server using RDP on a port other than the typical registered port for the RDP protocol?
A. TLS
B. MPLS
C. SCP
D. SSH

Answer 154

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
看看就好
https://www.examtopics.com/discussions/comptia/view/4479-exam-sy0-501-topic-1-question-325-discussion/

Question 155

QUESTION 155
Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication.
Which of the following model prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication?
A. Use of OATH between the user and the service and attestation from the company domain
B. Use of active directory federation between the company and the cloud-based service
C. Use of smartcards that store x.509 keys, signed by a global CA
D. Use of a third-party, SAML-based authentication service for attestation

Answer 155

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4482-exam-sy0-501-topic-1-question-327-discussion/

Question 156

QUESTION 156
Six months into development, the core team assigned to implement a new internal piece of software must
convene to discuss a new requirement with the stake holders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it.
Which of the following BEST describes what the company?
A. The system integration phase of the SDLC
B. The system analysis phase of SSDSLC
C. The system design phase of the SDLC
D. The system development phase of the SDLC

Answer 156

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
examtopics.com/discussions/comptia/view/8591-exam-sy0-501-topic-1-question-328-discussion/
https://ithelp.ithome.com.tw/articles/10196866

Question 157

QUESTION 157
A security administrator needs an external vendor to correct an urgent issue with an organization’s physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operation system.
Which of the following methods should the security administrator select the best balances security and efficiency?
A. Temporarily permit outbound internet access for the pacs so desktop sharing can be set up
B. Have the external vendor come onsite and provide access to the PACS directly
C. Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing
D. Set up a web conference on the administrator’s pc; then remotely connect to the pacs

Answer 157

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4485-exam-sy0-501-topic-1-question-330-discussion/

Question 158

QUESTION 158
A datacenter manager has been asked to prioritize critical system recovery priorities.
Which of the following is the MOST critical for immediate recovery?
A. Communications software
B. Operating system software
C. Weekly summary reports to management
D. Financial and production software

Answer 158

Correct Answer: B(?D? BIA概念，但SEE SEE就好
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12585-exam-sy0-501-topic-1-question-331-discussion/

Question 159

QUESTION 159
When designing a web based client server application with single application server and database cluster backend, input validation should be performed: 
A. On the client 
B. Using database stored procedures 
C. On the application server 
D. Using HTTPS

Answer 159

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 160

QUESTION 160
Which of the following delineates why it is important to perform egress filtering and monitoring on Internet
connected security zones of interfaces on a firewall?
A. Egress traffic is more important than ingress traffic for malware prevention
B. To rebalance the amount of outbound traffic and inbound traffic
C. Outbound traffic could be communicating to known botnet sources
D. To prevent DDoS attacks originating from external network

Answer 160

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 161

QUESTION 161
The help desk is receiving numerous password change alerts from users in the accounting department. These
alerts occur multiple times on the same day for each of the affected users’ accounts.
Which of the following controls should be implemented to curtail this activity?
A. Password Reuse
B. Password complexity
C. Password History
D. Password Minimum age

Answer 161

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 162

QUESTION 162
An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity.
Which of the following actions will help detect attacker attempts to further alter log files?
A. Enable verbose system logging
B. Change the permissions on the user’s home directory
C. Implement remote syslog
D. Set the bash_history log file to “read only”

Answer 162

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12875-exam-sy0-501-topic-1-question-341-discussion/

Question 163

QUESTION 163
A global gaming console manufacturer is launching a new gaming platform to its customers.
Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent control by way of modifying consoles? (TWO)
A. Firmware version control 
B. Manual software upgrades 
C. Vulnerability scanning 
D. Automatic updates 
E. Network segmentation 
F. Application firewalls

Answer 163

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5890-exam-sy0-501-topic-1-question-342-discussion/

Question 164

QUESTION 164
An audit has revealed that database administrators are also responsible for auditing database changes and backup logs.
Which of the following access control methodologies would BEST mitigate this concern?
A. Time of day restrictions
B. Principle of least privilege
C. Role-based access control
D. Separation of duties

Answer 164

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 165

QUESTION 165
A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. 
Which of the following solutions would be BEST for the security administrator to implement to most efficiently
assist with this issue?
A. SSL
B. CRL
C. PKI
D. ACL

Answer 165

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 166

QUESTION 166
Due to regulatory requirements, a security analyst must implement full drive encryption on a Windows file server.
Which of the following should the analyst implement on the system to BEST meet this requirement? (Choose two.)
A. Enable and configure EFS on the file system.
B. Ensure the hardware supports TPM, and enable it in the BIOS.
C. Ensure the hardware supports VT-X, and enable it in the BIOS.
D. Enable and configure BitLocker on the drives.
E. Enable and configure DFS across the file system.

Answer 166

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12056-exam-sy0-501-topic-1-question-347-discussion/

Question 167

QUESTION 167
Which of the following penetration testing concepts is being used when an attacker uses public Internet databases to enumerate and learn more about a target?
A. Reconnaissance
B. Initial exploitation
C. Pivoting
D. Vulnerability scanning
E. White box testing

Answer 167

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 168

QUESTION 168
While performing a penetration test, the technicians want their efforts to go unnoticed for as long as possible while they gather useful data about the network they are assessing.
Which of the following would be the BEST choice for the technicians?
A. Vulnerability scanner
B. Offline password cracker
C. Packet sniffer
D. Banner grabbing

Answer 168

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13880-exam-sy0-501-topic-1-question-350-discussion/

Question 169

QUESTION 169
A security analyst is investigating a security breach. Upon inspection of the audit an access logs, the analyst notices the host was accessed and the /etc/passwd file was modified with a new entry for username “gotcha” and user ID of 0. Which of the following are the MOST likely attack vector and tool the analyst should use to determine if the attack is still ongoing? (Select TWO)
A. Logic bomb
B. Backdoor
C. Keylogger
D. Netstat
E. Tracert
F. Ping

Answer 169

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
They meant - What is the attack vector used and what tool analyst would use to see if the attack is still prevelant.
https://www.examtopics.com/discussions/comptia/view/4831-exam-sy0-501-topic-1-question-352-discussion/

Question 170

QUESTION 170
A company recently replaced its unsecure email server with a cloud-based email and collaboration solution that is managed and insured by a third party. Which of the following actions did the company take regarding risks related to its email and collaboration services?
A. Transference
B. Acceptance
C. Mitigation
D. Deterrence

Answer 170

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 171

QUESTION 171
A security administrator is reviewing the following network capture:
192.168.20.43:2043 -> 10.234.66.21:80
POST “192 .168 .20.43 https:// www. banksite .com < ENTER > JoeUsr < BACKSPACE > erPassword”
Which of the following malware is MOST likely to generate the above information?
A. Keylogger
B. Ransomware
C. Logic bomb
D. Adware

Answer 171

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 172

QUESTION 172
A network administrator adds an ACL to allow only HTTPS connections form host 192.168.2.3 to web server 192.168.5.2. After applying the rule, the host is unable to access the server. The network administrator runs the output and notices the configuration below:
accesslist 102 permit tcp host 192.168.2.6 eq 3389 host 192.168.5.2
accesslist 102 deny ip any any log
accesslist 102 permit top host 192.1682.3 eq 443 host 192.168.5.2
Which of the following rules would be BEST to resolve the issue?
A.accesslist 102 permit tcp host 192.168.2.3 host 192.168.5.2 eq 443
accesslist 102 permit top host 192.168.2.6 host 192.168.5.2 eg 3389
accesslist 102 deny ip any any log
B.accesslist 102 permit tcp host 192.168.2.6 host 192.168.5.2 eq 3389
accesslist 102 deny ip any any log
accessiist i02 permit top host i92.168.2.3 host 192.168.5.2 eq 443
C.accesslist 102 permit tcp host 192.168.2.3 eq 443 host 192.168.5.2
accesslist 102 deny ip any any log
accesslist 102 permit top host 192.168.2.6 eq 3389 host 192.168.5.2
D.accesslist 102 permit tcp host 192.168.2.3 host 192.168.5.2
accesslist 102 permit tcp host 192.168.2.6 eq 3389 host 192.168.5.2
accesslist 102 deny ip any any log

Answer 172

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 173

QUESTION 173
A datacenter recently experienced a breach. When access was gained, an RF device was used to access an air-gapped and locked server rack. Which of the following would BEST prevent this type of attack?
A. Faraday cage
B. Smart cards
C. Infrared detection
D. Alarms

Answer 173

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 174

QUESTION 174
Which of the following would allow for the QUICKEST restoration of a server into a warm recovery site in a case in which server data mirroring is not enabled?
A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot

Answer 174

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Full = F
Differential = D
Incremental = I
**************
B = Backup
R = Restore
**************
1 = Fastest
2 = Faster
3 = Slowest
**************
B R
F 3 1
D 2 2
I 1 3
https://www.examtopics.com/discussions/comptia/view/4787-exam-sy0-501-topic-1-question-358-discussion/

Question 175

QUESTION 175
The computer resource center issued smartphones to all first-level and above managers. The managers have
the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install?
A. Download manager
B. Content manager
C. Segmentation manager
D. Application manager

Answer 175

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 176

QUESTION 176
A security administrator wants to configure a company’s wireless network in a way that will prevent wireless clients from broadcasting the company’s SSID. Which of the following should be configured on the company’s access points?
A. Enable ESSID broadcast
B. Enable protected management frames
C. Enable wireless encryption
D. Disable MAC authentication
E. Disable WPS
F. Disable SSID broadcast

Answer 176

Correct Answer: F
Section: (none)
Explanation
Explanation/Reference:

Question 177

QUESTION 177
A wireless network has the following design requirements:
Authentication must not be dependent on enterprise directory service
It must allow background reconnection for mobile users
It must not depend on user certificates
Which of the following should be used in the design to meet the requirements? (Choose two.)
A. PEAP
B. PSK
C. Open systems authentication
D. EAP-TLS
E. Captive portals

Answer 177

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4805-exam-sy0-501-topic-1-question-364-discussion/

Question 178

QUESTION 178
Which of the following strategies should a systems architect use to minimize availability risks due to insufficient storage capacity?
A. High availability
B. Scalability
C. Distributive allocation
D. Load balancing

Answer 178

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 179

QUESTION 179
A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC address to be visible across the tunnel?
A. Tunnel mode IPSec
B. Transport mode VPN IPSec
C. L2TP
D. SSL VPN

Answer 179

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12755-exam-sy0-501-topic-1-question-366-discussion/

Question 180

QUESTION 180
Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users’ email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly.
Which of the following actions should be taken FIRST? (Select TWO)
A. Disable the compromised accounts
B. Update WAF rules to block social networks
C. Remove the compromised accounts with all AD groups
D. Change the compromised accounts’ passwords
E. Disable the open relay on the email server
F. Enable sender policy framework

Answer 180

Correct Answer: EF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
#First deal with issues that cause problems for outside, then deal with problems inside.
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators.
n a Small Business Server environment, you may have to prevent your Microsoft Exchange Server-based server from being used as an open relay SMTP server for unsolicited commercial e-mail messages, or spam.
You may also have to clean up the Exchange server’s SMTP queues to delete the unsolicited commercial email messages.
If your Exchange server is being used as an open SMTP relay, you may experience one or more of the following symptoms:
The Exchange server cannot deliver outbound SMTP mail to a growing list of e-mail domains.
Internet browsing is slow from the server and from local area network (LAN) clients.
Free disk space on the Exchange server in the location of the Exchange information store databases or the Exchange information store transaction logs is reduced more rapidly than you expect.
The Microsoft Exchange information store databases spontaneously dismount. You may be able to manually mount the stores by using Exchange System Manager, but the stores may dismount on their own after they run for a short time. For more information, click the following article number to view the article in the Microsoft Knowledge Base.

Question 181

QUESTION 181
Which of the following allows an auditor to test proprietary-software compiled code for security flaws?
A. Fuzzing
B. Static review
C. Code signing
D. Regression testing

Answer 181

Correct Answer: A莫名其妙
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5308-exam-sy0-501-topic-1-question-369-discussion/

Question 182

QUESTION 182
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced
slowness and input lag and found text files that appear to contain pieces of her emails or online conversations
with coworkers. The technician runs a standard virus scan but detects nothing.
Which of the following types of malware has infected the machine?
A. Ransomware
B. Rootkit
C. Backdoor
D. Keylogger

Answer 182

Correct Answer: D
Section: (none)
Explanation

Question 183

QUESTION 183
A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN.
Which of the following commands should the security administrator implement within the script to accomplish this task?
A. arp - s 192.168.1.1 00-3a-d1-fa-b1-06
B. dig - x@192.168.1.1 mypc.comptia.com
C. nmap - A - T4 192.168.1.1
D. tcpdump - lnv host 192.168.1.1 or either 00:3a:d1:fa:b1:06

Answer 183

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference
This command creates a static entry in your ARP cache.
MiTM Mitigation:
Adding static ARP entries into the cache is one method of mitigating ARP cache poisoning attacks. This method prevents attackers from using ARP requests and replies as the devices in the network will rely on the local cache instead.
https://www.examtopics.com/discussions/comptia/view/12690-exam-sy0-501-topic-1-question-371-discussion/

Question 184

QUESTION 184
An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt.
Which of the following terms BEST describes the actor in this situation?
A. Script kiddie
B. Hacktivist
C. Cryptologist
D. Security auditor

Answer 184

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 185

QUESTION 185
An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring?
A. Open ID Connect
B. SAML
C. XACML
D. LDAP

Answer 185

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 186

QUESTION 186
A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server.
Which of the following methods is the penetration tester MOST likely using?
A. Escalation of privilege
B. SQL injection
C. Active reconnaissance
D. Proxy server

Answer 186

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 187

QUESTION 187
Which of the following is the BEST choice for a security control that represents a preventive and
corrective logical control at the same time?
A. Security awareness training
B. Antivirus
C. Firewalls
D. Intrusion detection system

Answer 187

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 188

QUESTION 188
A web developer improves client access to the company’s REST API. Authentication needs to be tokenized but not expose the client’s password.
Which of the following methods would BEST meet the developer’s requirements?
A. SAML
B. LDAP
C. OAuth
D. Shibboleth

Answer 188

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
這題不太好是把東西混在一起，最佳解是OPENID
單就關鍵字authen那就是SAML
Web開發人員可以改善客戶端對公司REST API的訪問權限。身份驗證需要進行令牌化，但不能公開客戶端的密碼。
以下哪種方法最能滿足開發人員的要求？
https://www.examtopics.com/discussions/comptia/view/3342-exam-sy0-501-topic-1-question-378-discussion/

Question 189

QUESTION 189
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed?
A. Non-intrusive
B. Authenticated
C. Credentialed
D. Active

Answer 189

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A Credentialed scan provides more detailed information about potential vulnerabilities. For example, a credentialed scan of a Windows workstation looks for vulnerable application files and allows the registry to be probed for security vulnerabilities.
https://www.examtopics.com/discussions/comptia/view/4799-exam-sy0-501-topic-1-question-379-discussion/

Question 190

QUESTION 190
A security analyst is updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours.
Given these new metrics, which of the following can be concluded? (Select TWO)
A. The MTTR is faster.
B. The MTTR is slower.
C. The RTO has increased.
D. The RTO has decreased.
E. The MTTF has increased.
F. The MTTF has decreased.

Answer 190

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:

Question 191

QUESTION 191
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network.
Which of the following is the MOST likely method used to gain access to the other host?
A. Backdoor
B. Pivoting
C. Persistance
D. Logic bomp

Answer 191

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 192

QUESTION 192
Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO.
Which of the following are needed given these requirements? (Select TWO)
A. Public key
B. Shared key
C. Elliptic curve
D. MD5
E. Private key
F. DES

Answer 192

Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:

Question 193

QUESTION 193
To determine the ALE of a particular risk, which of the following must be calculated? (Select two.)
A. ARO
B. ROI
C. RPO
D. SLE
E. RTO

Answer 193

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:

Question 194

QUESTION 194
A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the company MOST likely select?
A. PaaS
B. SaaS
C. IaaS
D. BaaS

Answer 194

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 195

QUESTION 195
A user needs to send sensitive information to a colleague using PKI.
Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO)
A. Non-repudiation
B. Email content encryption
C. Steganography
D. Transport security
E. Message integrity

Answer 195

Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
Digital signature/Private Key
Message is hashed to provide integrity, hash encrypted with sender’s private key, Public key can decript. Supports non-repudiation and message integrity.
https://www.examtopics.com/discussions/comptia/view/8229-exam-sy0-501-topic-1-question-394-discussion/

Question 196

QUESTION 196
A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach.
Which of the following is MOST likely the cause?
A. Insufficient key bit length
B. Weak cipher suite
C. Unauthenticated encryption method
D. Poor implementation

Answer 196

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
橢圓曲線數位簽章算法（英語：Elliptic Curve Digital Signature Algorithm，縮寫：ECDSA）是一種基於橢圓曲線密碼學的公開金鑰加密算法。
https://www.examtopics.com/discussions/comptia/view/16619-exam-sy0-501-topic-1-question-396-discussion/

Question 197

QUESTION 197
A vice president at a manufacturing organization is concerned about desktops being connected to the network.
Employees need to log onto the desktops’ local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this?
A. Put the desktops in the DMZ.
B. Create a separate VLAN for the desktops.
C. Air gap the desktops.
D. Join the desktops to an ad-hoc network.

Answer 197

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
air gapping is a security measure to ensure that a computer network is physically isolated from unsecured networks like the internet and local area networks.

Question 198

QUESTION 198
An in-house penetration tester has been asked to evade a new DLP system. The tester plans to exfiltrate data
through steganography.
Discovery of which of the following would help catch the tester in the act?
A. Abnormally high numbers of outgoing instant messages that contain obfuscated text
B. Large-capacity USB drives on the tester’s desk with encrypted zip files
C. Outgoing emails containing unusually large image files
D. Unusual SFTP connections to a consumer IP address

Answer 198

Correct Answer: C
Section: (none)
Explanation

Question 199

QUESTION 199
A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services.
The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution
vulnerability in web server Rating: Critical (CVSS 10.0)
Threat actor: any remote user of the web server
Confidence: certain
Recommendation: apply vendor patches
Which of the following actions should the security analyst perform FIRST?
A. Escalate the issue to senior management.
B. Apply organizational context to the risk rating.
C. Organize for urgent out-of-cycle patching.
D. Exploit the server to check whether it is a false positive.

Answer 199

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/7780-exam-sy0-501-topic-1-question-402-discussion/

Question 200

QUESTION 200
An organization identifies a number of hosts making outbound connections to a known malicious IP over port
TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP.
Which of the following should the organization do to achieve this outcome?
A. Use a protocol analyzer to reconstruct the data and implement a web-proxy.
B. Deploy a web-proxy and then blacklist the IP on the firewall.
C. Deploy a web-proxy and implement IPS at the network edge.
D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.

Answer 200

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 201

QUESTION 201
Legal authorities notify a company that its network has been compromised for the second time in two years.
The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks.
Which of the following would have allowed the security team to use historical information to protect against the second attack?
A. Key risk indicators
B. Lessons learned
C. Recovery point objectives
D. Tabletop exercise

Answer 201

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 202

QUESTION 202
During a routine vulnerability assessment, the following command was successful:
echo “vrfy ‘perl -e ‘print “hi” x 500 ‘ ‘ “ | nc www.company.com 25
Which of the following vulnerabilities is being exploited?
A. Buffer overflow directed at a specific host MTA
B. SQL injection directed at a web server
C. Cross-site scripting directed at www.company.com
D. Race condition in a UNIX shell script

Answer 202

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4935-exam-sy0-501-topic-1-question-410-discussion/

Question 203

QUESTION 203
A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem?
A. Storage multipaths
B. Deduplication
C. iSCSI initiator encryption
D. Data snapshots

Answer 203

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Storage multipaths will not cause difficulty for the investigator in finding a usable file. it is a fault-tolerant feature. so A would not be the answer. "deduplication" gets rid of duplicates and could get rid of a bad file that is saved with the same file name as a legitimate file which will leave the investigator scratching his/her head.

Question 204

QUESTION 204
A company offers SaaS, maintaining all customers’ credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures.
Which of the following would allow customers to manage authentication and authorizations from within their existing organizations?
A. Implement SAML so the company’s services may accept assertions from the customers’ authentication servers.
B. Provide customers with a constrained interface to manage only their users’ accounts in the company’s active directory server.
C. Provide a system for customers to replicate their users’ passwords from their authentication service to the company’s.
D. Use SOAP calls to support authentication between the company’s product and the customers’ authentication servers.

Answer 204

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 205

QUESTION 205
A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production.
Which of the following development methodologies is the team MOST likely using now?
A. Agile
B. Waterfall
C. Scrum
D. Spiral

Answer 205

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 206

QUESTION 206
Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed?
A. Lessons learned review
B. Root cause analysis
C. Incident audit
D. Corrective action exercise

Answer 206

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 207

QUESTION 207
A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: 
A. a risk analysis.
B. a vulnerability assessment.
C. a gray-box penetration test.
D. an external security audit.
E. a red team exercise.

Answer 207

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4978-exam-sy0-501-topic-1-question-415-discussion/

Question 208

QUESTION 208
After a recent internal breach, a company decided to regenerate and reissue all certificates used in the transmission of confidential information. The company places the greatest importance on confidentiality and non-repudiation, and decided to generate dual key pairs for each client. Which of the following BEST describes how the company will use these certificates?
A. One key pair will be used for encryption and decryption. The other will be used to digitally sign the data.
B. One key pair will be used for encryption. The other key pair will provide extended validation.
C. Data will be encrypted once by each key, doubling the confidentiality and non-repudiation strength.
D. One key pair will be used for internal communication, and the other will be used for external communication.

Answer 208

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
non-repudiation is keyword. You’ll use the key to digitally sign the data.
https://www.examtopics.com/discussions/comptia/view/5815-exam-sy0-501-topic-1-question-417-discussion/

Question 209

QUESTION 209
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world.
Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
A. Time-of-day restrictions
B. Password complexity
C. Location-based authentication
D. Group-based access control
E. Standard naming convention

Answer 209

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13269-exam-sy0-501-topic-1-question-418-discussion/

Question 210

QUESTION 210
A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack.
Which of the following would prevent these problems in the future? (Select TWO).
A. Implement a reverse proxy.
B. Implement an email DLP.
C. Implement a spam filter.
D. Implement a host-based firewall.
E. Implement a HIDS.

Answer 210

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

Question 211

QUESTION 211
Ann is the IS manager for several new systems in which the classification of the systems' data are being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification?
A. Steward
B. Custodian
C. User
D. Owner

Answer 211

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 212

QUESTION 212
Which of the following controls allows a security guard to perform a post-incident review?
A. Detective
B. Preventive
C. Corrective
D. Deterrent

Answer 212

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 213

QUESTION 213
Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com.
Which of the following options should Company.com implement to mitigate these attacks?
A. Captive portal
B. OCSP stapling
C. Object identifiers
D. Key escrow
E. Extended validation certificate

Answer 213

Correct Answer: B
Section: (none)
Explanation

Question 214

QUESTION 214
A security analyst is securing smartphones and laptops for a highly mobile workforce.
Priorities include:
Remote wipe capabilities
Geolocation services
Patch management and reporting
Mandatory screen locks
Ability to require passcodes and pins
Ability to require encryption
Which of the following would BEST meet these requirements?
A. Implementing MDM software
B. Deploying relevant group policies to the devices
C. Installing full device encryption
D. Removing administrative rights to the devices

Answer 214

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 215

QUESTION 215
A CSIRT has completed restoration procedures related to a breach of sensitive data is creating documentation used to improve the organization’s security posture. The team has been specifically tasked to address logical controls in their suggestions. Which of the following would be MOST beneficial to include in lessons learned documentation? (Choose two.)
A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use
B. Recommendations relating to improved log correlation and alerting tools
C. Data from the organization’s IDS/IPS tools, which show the timeline of the breach and the activities executed by the attacker
D. A list of potential improvements to the organization’s NAC capabilities, which would improve AAA within the environment
E. A summary of the activities performed during each phase of the incident response activity
F. A list of topics that should be added to the organization’s security awareness training program based on weaknesses exploited during the attack

Answer 215

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/8832-exam-sy0-501-topic-2-question-7-discussion/

Question 216

QUESTION 216
An organization plans to implement multifactor authentication techniques within the enterprise network
architecture. Each authentication factor is expected to be a unique control.
Which of the following BEST describes the proper employment of multifactor authentication?
A. Proximity card, fingerprint scanner, PIN
B. Fingerprint scanner, voice recognition, proximity card
C. Smart card, user PKI certificate, privileged user certificate
D. Voice recognition, smart card, proximity card

Answer 216

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 217

QUESTION 217
Which of the following is the BEST reason to run an untested application is a sandbox?
A. To allow the application to take full advantage of the host system’s resources and storage
B. To utilize the host systems antivirus and firewall applications instead of running it own protection
C. To prevent the application from acquiring escalated privileges and accessing its host system
D. To increase application processing speed so the host system can perform real-time logging

Answer 217

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 218

QUESTION 218
A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program.
Which of the following issue could occur if left unresolved? (Select TWO)
A. MITM attack
B. DoS attack
C. DLL injection
D. Buffer overflow
E. Resource exhaustion

Answer 218

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13058-exam-sy0-501-topic-1-question-439-discussion/

Question 219

QUESTION 219
When it comes to cloud computing, if one of the requirements for a project is to have the most control over the
systems in the cloud, which of the following is a service model that would be BEST suited for this goal?
A. Infrastructure
B. Platform
C. Software
D. Virtualization

Answer 219

Correct Answer: A

Section: (none)

Question 220

QUESTION 220
A security analyst is acquiring data from a potential network incident.
Which of the following evidence is the analyst MOST likely to obtain to determine the incident?
A. Volatile memory capture
B. Traffic and logs
C. Screenshots
D. System image capture

Answer 220

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 221

QUESTION 221
A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for
analysis. The analyst notices that an internal host had a socket established with another internal host over a
non-standard port.
Upon investigation, the origin host that initiated the socket shows this output:
usera@host history
mkdir ocal/usr/bin/ somedirectory
nc -1 192.168.5.1 -p 9856
ping -c 30 8.8.8.8 -a 600
rm /etc/dir2/somefile
m -rm /etc/dir2/
traceroute 8.8.8.8
pakill pid 9487
usera@host>
Given the above output, which of the following commands would have established the questionable socket?
A. traceroute 8.8.8.8
B. ping -1 30 8.8.8.8 -a 600
C. nc -1 192.168.5.1 -p 9856
D. pskill pid 9487

Answer 221

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 222

QUESTION 222
A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this?
A. Configure the OS default TTL to 1
B. Use NAT on the R&D network
C. Implement a router ACL
D. Enable protected ports on the switch

Answer 222

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/4874-exam-sy0-501-topic-1-question-448-discussion/

Question 223

QUESTION 223
To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed?
A. Least privilege
B. Job rotation
C. Background checks
D. Separation of duties

Answer 223

Correct Answer: D
Section: (none)
Explanation
https://www.examtopics.com/discussions/comptia/view/23635-exam-sy0-501-topic-1-question-449-discussion/

Question 224

QUESTION 224
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are:
A. escalating privilege
B. becoming persistent
C. fingerprinting
D. pivoting

Answer 224

Correct Answer: D
Section: (none)
Pivoting is a technique used to route traffic through a compromised host on a penetration test.

Question 225

QUESTION 225
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening.
Which of the following BEST describes the cause of the issue?
A. The password expired on the account and needed to be reset
B. The employee does not have the rights needed to access the database remotely
C. Time-of-day restrictions prevented the account from logging in
D. The employee’s account was locked out and needed to be unlocked

Answer 225

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:.

Question 226

QUESTION 226
A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?
A. Wildcard certificate
B. Extended validation certificate
C. Certificate chaining
D. Certificate utilizing the SAN file

Answer 226

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
SAN = Subject Alternate Names.
"The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name."
https://www.examtopics.com/discussions/comptia/view/12842-exam-sy0-501-topic-1-question-454-discussion/

6. What extension field is used with a web server certificate to support the identification of the server
   by multiple specific subdomain labels?
   The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.

Question 227

QUESTION 227
Which of the following refers to the term used to restore a system to its operational state?
A. MTBF
B. MTTR
C. RTO
D. RPO

Answer 227

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:.
– 平均故障間隔(Mean Time Between Failures，MTBF)
• 計算元件預期壽命。
• 如果冷卻系統的MTBF 是一年，可以預估該系統至少可維持一年，這意味著應該每年要重建或替換一次。
#多久會故障，所以多久要換
– 平均故障時間（Mean Time to Failure，MTTF）
• 類似MTBF，MTTF 是不可修復系統的平均故障時間。
#沒辦法修的壞掉時間
– 平均回復時間(Mean Time to Restore，MTTR)
• 評量一旦發生故障後需要多久才能修復系統或元件（有時又稱為平均修復時間）。
• 如果MTTR 是24 小時，表示故障之後通常需要24 小時才能修好。
#還有救的壞掉時間
– 復原時間目標(Recovery Time Objective，RTO)
• 是能夠承受的最大停機或停止服務時間。
• 中斷超過這個時間會對業務產生負面影響。
• RTO 應該在建構BIA 時設置。
#可以忍受的最大壞掉時間
– 復原點目標(Recovery Point Objective，RPO)
• 定義系統復原的時間點。
• 可以是當機點的兩天前(從備份資料還原)，或當機前五分鐘(需要完整的冗餘備援設施)。
#可以忍受的損失資料時間

Question 228

QUESTION 228
A Chief Information Officer (CIO) recently saw on the news that a significant security flaws exists with a specific version of a technology the company uses to support many critical application. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed.
Which of the following would BEST provide the needed information?
A. Penetration test
B. Vulnerability scan
C. Active reconnaissance
D. Patching assessment report

Answer 228

Correct Answer: A
Section: (none)
Explanation.

Question 229

QUESTION 229
An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO)
A. TACACS+
B. CHAP
C. LDAP
D. RADIUS
E. MSCHAPv2

Answer 229

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:.
Either RADIUS or TACACS+ for centrally managed authentication, authorization, and accounting (AAA).
https://www.examtopics.com/discussions/comptia/view/14107-exam-sy0-501-topic-1-question-457-discussion/

Question 230

QUESTION 230
An active/passive configuration has an impact on:
A. confidentiality
B. integrity
C. availability
D. non-repudiation

Answer 230

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5082-exam-sy0-501-topic-1-question-458-discussion/

Question 231

QUESTION 231
Which of the following would provide additional security by adding another factor to a smart card?
A. Token
B. Proximity badge
C. Physical key
D. PIN

Answer 231

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 232

QUESTION 232
Which of the following uses precomputed hashes to guess passwords?
A. Iptables
B. NAT tables
C. Rainbow tables
D. ARP tables

Answer 232

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 233

QUESTION 233
A Chief Information Security Officer (CISO) has tasked a security analyst with assessing the security posture of an organization and which internal factors would contribute to a security compromise. The analyst performs a walk-through of the organization and discovers there are multiple instances of unlabeled optical media on office desks. Employees in the vicinity either do not claim ownership or disavow any knowledge concerning who owns the media. Which of the following is the MOST immediate action to be taken?
A. Confiscate the media and dispose of it in a secure manner as per company policy.
B. Confiscate the media, insert it into a computer, find out what is on the disc, and then label it and return it to where it was found.
C. Confiscate the media and wait for the owner to claim it. If it is not claimed within one month, shred it.
D. Confiscate the media, insert it into a computer, make a copy of the disc, and then return the original to where it was found.

Answer 233

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:.
https://www.examtopics.com/discussions/comptia/view/6315-exam-sy0-501-topic-1-question-543-discussion/

Question 234

QUESTION 234
A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact?
A. Launch an investigation to identify the attacking host
B. Initiate the incident response plan
C. Review lessons learned captured in the process
D. Remove malware and restore the system to normal operation

Answer 234

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 235

QUESTION 235
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following method should the technician use?
A. Shredding
B. Wiping
C. Low-level formatting
D. Repartitioning
E. Overwriting

Answer 235

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
the drive cannot be reused
https://www.examtopics.com/discussions/comptia/view/4916-exam-sy0-501-topic-1-question-467-discussion/

Question 236

QUESTION 236
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure.
Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
A. Enable CHAP
B. Disable NTLM
C. Enable Kerebos
D. Disable PAP

Answer 236

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.
https://www.examtopics.com/discussions/comptia/view/12994-exam-sy0-501-topic-1-question-472-discussion/

Question 237

QUESTION 237
A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack?
A. The DLL of each application should be set individually
B. All calls to different DLLs should be hard-coded in the application
C. Access to DLLs from the Windows registry should be disabled
D. The affected DLLs should be renamed to avoid future hijacking

Answer 237

Correct Answer: B(意義上有點差，但可以
Section: (none)
Explanation
Explanation/Reference:
就是你要執行甚麼，寫死，寫固定
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
https://www.examtopics.com/discussions/comptia/view/5139-exam-sy0-501-topic-1-question-479-discussion/

Question 238

QUESTION 238
An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this?
A. Input validation
B. Proxy server
C. Stress testing
D. Encoding

Answer 238

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 239

QUESTION 239
While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user’s files back onto the hard drive.
Which of the following incident response steps is Joe working on now?
A. Recovery
B. Eradication
C. Containment
D. Identification

Answer 239

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 240

QUESTION 240
A systems administrator found a suspicious file in the root of the file system. The file contains URLs,
usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file?
A. Keylogger
B. Rootkit
C. Bot
D. RAT

Answer 240

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference
https://www.examtopics.com/discussions/comptia/view/29671-exam-sy0-501-topic-1-question-482-discussion/

Question 241

QUESTION 241
A security administrator installed a new network scanner that identifies new host systems on the network.
Which of the following did the security administrator install?
A. Vulnerability scanner
B. Network-based IDS
C. Rogue system detection
D. Configuration compliance scanner

Answer 241

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/12997-exam-sy0-501-topic-1-question-486-discussion/

Question 242

QUESTION 242
A technician is investigating a potentially compromised device with the following symptoms:
Browser slowness
Frequent browser crashes
Hourglass stuck
New search toolbar
Increased memory consumption
Which of the following types of malware has infected the system?
A. Man-in-the-browser
B. Spoofer
C. Spyware
D. Adware

Answer 242

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5155-exam-sy0-501-topic-1-question-488-discussion/

Question 243

QUESTION 243
A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application?
A. Hashing
B. Key exchange
C. Encryption
D. Obfusication

Answer 243

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/9342-exam-sy0-501-topic-1-question-489-discussion/

Question 244

QUESTION 244
A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks.
Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details:
Certificate 1
Certificate Path:
Geotrust Global CA
*company.com
Certificate 2
Certificate Path:
*company.com
Which of the following would resolve the problem?
A. Use a wildcard certificate.
B. Use certificate chaining.
C. Use a trust model.
D. Use an extended validation certificate.

Answer 244

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/5768-exam-sy0-501-topic-1-question-493-discussion/

Question 245

QUESTION 245
An external attacker can modify the ARP cache of an internal computer.
Which of the following types of attacks is described?
A. Replay
B. Spoofing
C. DNS poisoning
D. Client-side attack

Answer 245

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 246

QUESTION 246
A systems administrator has isolated an infected system from the network and terminated the malicious process from executing.
Which of the following should the administrator do NEXT according to the incident response process?
A. Restore lost data from a backup.
B. Wipe the system.
C. Document the lessons learned.
D. Determine the scope of impact.

Answer 246

Correct Answer: A
Section: (none)
Explanation

Question 247

QUESTION 247
A security analyst is hardening a WiFi infrastructure.
The primary requirements are the following:
The infrastructure must allow staff to authenticate using the most secure method.
The infrastructure must allow guests to use an “open” WiFi network that logs valid email addresses before
granting access to the Internet.
Given these requirements, which of the following statements BEST represents what the analyst should
recommend and configure?
A. Configure a captive portal for guests and WPS for staff.
B. Configure a captive portal for staff and WPA for guests.
C. Configure a captive portal for staff and WEP for guests.
D. Configure a captive portal for guest and WPA2 Enterprise for staff

Answer 247

Correct Answer: D
Section: (none)
Explanation

Question 248

QUESTION 248
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization?
A. Competitors
B. Insiders
C. Hacktivists
D. Script kiddies

Answer 248

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference

Question 249

QUESTION 249
Which of the following locations contain the MOST volatile data?
A. SSD
B. Paging file
C. RAM
D. Cache memory

Answer 249

Correct Answer: D
Section: (none)
Explanation
https://www.examtopics.com/discussions/comptia/view/12902-exam-sy0-501-topic-1-question-509-discussion/

Question 250

QUESTION 250
Every morning, a systems administrator monitors failed login attempts on the company’s log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers.
Which of the following techniques should the systems administrator implement?
A. Role-based access control
B. Honeypot
C. Rule-based access control
D. Password cracker

Answer 250

Correct Answer: B

Section: (none)

Question 251

QUESTION 251
A systems administrator is configuring a system that uses data classification labels.
Which of the following will the administrator need to implement to enforce access control?
A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control

Answer 251

Correct Answer: B
Section: (none)
Explanation

Question 252

QUESTION 252
A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console:
The computer has not reported status in 30 days.
Given this scenario, which of the following statements BEST represents the issue with the output above?
A. The computer in question has not pulled the latest ACL policies for the firewall.
B. The computer in question has not pulled the latest GPO policies from the management server.
C. The computer in question has not pulled the latest antivirus definitions from the antivirus program.
D. The computer in question has not pulled the latest application software updates.

Answer 252

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference

Question 253

QUESTION 253
A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server:
$members = GetADGroupMemeber -Identity “Domain Admins” -Recursive Select - ExpandProperty name
if (Smembers-notcontains “JohnDoe”){
Remove-Item -path C:Database -recurse -force
}
Which of the following did the security administrator discover?
A. Ransomeware
B. Backdoor
C. Logic bomb
D. Trojan

Answer 253

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 254

QUESTION 254
A company stores highly sensitive data files used by the accounting system on a server file share.
The accounting system uses a service account named accounting-svc to access the file share.
The data is protected will a full disk encryption, and the permissions are set as follows:
File system permissions: Users = Read Only
Share permission: accounting-svc = Read Only
Given the listed protections are in place and unchanged, to which of the following risks is the data still subject?
A. Exploitation of local console access and removal of data
B. Theft of physical hard drives and a breach of confidentiality
C. Remote exfiltration of data using domain credentials
D. Disclosure of sensitive data to third parties due to excessive share permissions

Answer 254

Correct Answer: A
Section: (none)
Explanation
https://www.examtopics.com/discussions/comptia/view/4656-exam-sy0-501-topic-1-question-521-discussion/

Question 255

QUESTION 255
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized.
Which of the following solutions would BEST meet these requirements?
A. Multifactor authentication
B. SSO
C. Biometrics
D. PKI
E. Federation

Answer 255

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference

Question 256

QUESTION 256
Which of the following metrics are used to calculate the SLE? (Select TWO)
A. ROI
B. ARO
C. ALE
D. MTBF
E. MTTF
F. TCO

Answer 256

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

Question 257

QUESTION 257
Due to regulatory requirements, server in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization?
A. The server should connect to external Stratum 0 NTP servers for synchronization
B. The server should connect to internal Stratum 1 NTP servers for synchronization
C. The server should connect to external Stratum 1 NTP servers for synchronization
D. The server should connect to external Stratum 1 NTP servers for synchronization

Answer 257

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Stratum 的意思是 NTP 層數，由 0 至 16，從下圖可見，數值 0 代表時鐘源頭，其後 1 至 15 數字越小代表越接近源頭，Stratum 16 則被定義為「無法同步」。如 Client 同時收到不同的 NTP 時間，只會選擇 Stratum 值最小的進行同步，此基制限制了時間同步的單向性 (從上游到下游)，防止 Loop 發生。以上面的設定為例，由於 Google Time Server 是 Stratum 1，R1 是 Client 從 Stratum 1 拿到時間，順理成章便是 Stratum 2 了。
1) Use Public NTP for external hosts.
2) Configure your own Internal NTP hierarchical service for your network. It is possible to purchase Stratum 1 or Stratum 0 NTP appliances to use internally for less than the cost of a typical server.
By setting up an internal NTP service on the latest revision of stable code and standardizing its use, the viability of time-based network attacks or processes that are dependent on time are harder to co-opt.
The identification of the order of events in a compromise becomes easier because the times in the logs can now be systems of record. For law enforcement and other investigative agencies, accurate NTP services can be very constructive in evaluating evidence and sequencing a chain of events.
https://www.examtopics.com/discussions/comptia/view/13078-exam-sy0-501-topic-1-question-529-discussion/
https://www.jannet.hk/zh-Hant/post/network-time-protocol-ntp/

Question 258

QUESTION 258
Which of the following scenarios BEST describes an implementation of non-repudiation?
A. A user logs into a domain workstation and access network file shares for another department
B. A user remotely logs into the mail server with another user’s credentials
C. A user sends a digitally signed email to the entire finance department about an upcoming meeting
D. A user access the workstation registry to make unauthorized changes to enable functionality within an application

Answer 258

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 259

QUESTION 259
An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager notified the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred?
A. Public
B. Private
C. PHI
D. PII

Answer 259

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 260

QUESTION 260
Which of the following is an asymmetric function that generates a new and separate key every time it runs?
A. RSA
B. DSA
C. DHE
D. HMAC
E. PBKDF2

Answer 260

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 261

QUESTION 261
Which of the following would be considered multifactor authentication?
A. Hardware token and smart card
B. Voice recognition and retina scan
C. Strong password and fingerprint
D. PIN and security questions

Answer 261

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 262

QUESTION 262
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access?
A. Phishing
B. Man-in-the-middle
C. Tailgating
D. Watering hole
E. Shoulder surfing

Answer 262

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Question 263

QUESTION 263
An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. the Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large scale upgrade. Which of the following is a security benefit of implementing an imaging solution?
A. it allows for faster deployment
B. it provides a consistent baseline
C. It reduces the number of vulnerabilities
D. It decreases the boot time

Answer 263

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Question 264

QUESTION 264
An organization has implemented an IPSec VPN access for remote users.
Which of the following IPSec modes would be the MOST secure for this organization to implement?
A. Tunnel mode
B. Transport mode
C. AH-only mode
D. ESP-only mode

Answer 264

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
In both ESP and AH cases with IPSec Transport mode, the IP header is exposed. The IP header is not exposed in IPSec Tunnel mode.
https://www.examtopics.com/discussions/comptia/view/33589-exam-sy0-501-topic-1-question-538-discussion/

Question 265

QUESTION 265
Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack.
Which of the following is considered to be a corrective action to combat this vulnerability?
A. Install an antivirus definition patch
B. Educate the workstation users
C. Leverage server isolation
D. Install a vendor-supplied patch
E. Install an intrusion detection system

Answer 265

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/24230-exam-sy0-501-topic-1-question-539-discussion/

Question 266

QUESTION 266
A security administrator has configured a RADIUS and a TACACS+ server on the company’s network. Network devices will be required to connect to the TACACS+ server for authentication and send accounting information to the RADIUS server. Given the following information: 
RADIUS IP: 192.168.20.45
TACACS+ IP: 10.23.65.7
Which of the following should be configured on the network clients? (Select two.)
A. Accounting port: TCP 389
B. Accounting port: UDP 1812
C. Accounting port: UDP 1813 
D. Authentication port: TCP 49 
E. Authentication port: TCP 88 
F. Authentication port: UDP 636

Answer 266

Correct Answer: CD
Section: (none)
Explanation
TACACS uses (either TCP or UDP) port 49 by default
RADIUS UDP (1812 and 1645 for authentication, and 1813 and 1646 for accounting
https://www.examtopics.com/discussions/comptia/view/3348-exam-sy0-501-topic-1-question-541-discussion/

Question 267

QUESTION 267
A security analyst receives a notification from the IDS after working hours, indicating a spike in network traffic.
Which of the following BEST describes this type of IDS?
A. Anomaly-based
B. Stateful
C. Host-based
D. Signature-based

Answer 267

Correct Answer: A
Section: (none)
Explanation

Question 268

QUESTION 268
An instructor is teaching a hands-on wireless security class and needs to configure a test access point to show students an attack on a weak protocol. Which of the following configurations should the instructor implement?
A. WPA2
B. WPA
C. EAP
D. WEP

Answer 268

Correct Answer: D
Section: (none)
Explanation

Question 269

QUESTION 269
A company recently experienced data exfiltration via the corporate network. In response to the breach, a
security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be
implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS?
A. Network tap
B. Network proxy
C. Honeypot
D. Port mirroring

Answer 269

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 270

QUESTION 270
An organization wants to implement a solution that allows for automated logical controls for network defense.
An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer’s requirements?
A. NIPS
B. HIDS
C. Web proxy
D. Elastic load balancer
E. NAC

Answer 270

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Question 271

QUESTION 271
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered user-centric?
A. Time-based
B. Mandatory
C. Rule-based
D. Discretionary

Answer 271

Correct Answer: D
Section: (none).
DAC can be user-base sometimes call user-centric
https://books.google.com/books?id=5-jJDwAAQBAJ&printsec=frontcover#v=onepage&q=user-centric&f=false​
https://www.examtopics.com/discussions/comptia/view/13018-exam-sy0-501-topic-2-question-15-discussion/

Question 272

QUESTION 272
Which of the following BEST explains why sandboxing is a best practice for testing software from an untrusted vendor prior to an enterprise deployment?
A. It allows the software to run in an unconstrained environment with full network access.
B. It eliminates the possibility of privilege escalation attacks against the local VM host.
C. It facilitates the analysis of possible malware by allowing it to run until resources are exhausted.
D. It restricts the access of the software to a contained logical space and limits possible damage.

Answer 272

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Question 273

QUESTION 273
A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this?
A. Implement a DLP system
B. Apply a GPO
C. Conduct user awareness training
D. Enforce the AUP.

Answer 273

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/13558-exam-sy0-501-topic-2-question-18-discussion/

Question 274

QUESTION 274
A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement?
A. Reduced failed logon attempts
B. Mandatory password changes
C. Increased account lockout time
D. Time-of-day restrictions

Answer 274

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/16718-exam-sy0-501-topic-2-question-21-discussion/

Question 275

QUESTION 275
Users are attempting to access a company’s website but are transparently redirected to another websites. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the futue?
A. DNSSEC
B. HTTPS
C. IPSec
D. TLS/SSL

Answer 275

Correct Answer: A
Section: (none)
Explanation

Question 276

QUESTION 276
A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item as checkout. Which of the following BEST describes this type of user?
A. Insider
B. Script kiddie
C. Competitor
D. Hacktivist
E. APT

Answer 276

Correct Answer: B
Section: (none)
Explanation

Question 277

NO.1A nuclear plant was the victim of a recent attack, and all the networks were air gapped. A subsequent investigation revealed a worm as the source of the issue. Which of the following BEST explains what happened?
A.A local machine has a RAT installed.
B.A malicious USB was introduced by an unsuspecting employee.
C.The ICS firmware was outdated
D.The HVAC was connected to the maintenance vendor.

Answer 277

Answer:B

Question 278

NO.2An organization just experienced a major cyberattack modem. The attack was well coordinated sophisticated and highly skilled. Which of the following targeted the organization?
A.An advanced persistent threat
B.Shadow IT
C.A hacktivist
D.An insider threat

Answer 278

Answer:A

Question 279

NO.3A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement?
A.Role-based
B.Discretionary
C.Rule-based
D.Mandatory

Answer 279

Answer:D

Question 280

NO.4A cybersecurity department purchased o new PAM solution. The team is planning to randomize the service account credentials of the Windows server first. Which of the following would be the BEST method to increase the security on the Linux server?
A.Use only guest accounts to connect.
B.Randomize the shared credentials
C.Use SSH keys and remove generic passwords
D.Remove all user accounts.

Answer 280

Answer:C

Question 281

NO.5Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)
A.Cross-site scripting
B.Weak encryption
C.SQL injection
D.Poor system logging
E.Server-side request forgery
F.Data exfiltration

Answer 281

Answer:B,E

Question 282

NO.6Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?
A.Pharming
B.Hybrid warfare
C.Credential harvesting
D.Watering-hole attack

Answer 282

Answer:D

Question 283

NO.7An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain chain of custody?
A.Record the collection in a blockchain-protected public ledger.
B.Document the collection and require a sign-off when possession changes.
C.Lock the device in a safe or other secure location to prevent theft or alteration.
D.Place the device in a Faraday cage to prevent corruption of the data.

Answer 283

Answer:B

Question 284

NO.8A security analyst needs to complete an assessment. The analyst is logged into a server and
must use native tools to map services running on it to the server’s listening ports. Which of the following tools can BEST accomplish this talk?
A.Nessus
B.Nmap
C.Netcat
D.Netstat

Answer 284

Answer:D

Question 285

NO.9Joe, a user at a company, clicked an email link led to a website that infected his workstation.
Joe, was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and It has continues to evade detection. Which of the following should administrator implement to protect the environment from this malware?
A.Install a definition-based antivirus.
B.Implement an IDS/IPS
C.Implement CASB to protect the network shares.
D.Implement a heuristic behavior-detection solution.

Answer 285

Answer:D
https://www.examtopics.com/discussions/comptia/view/38875-exam-sy0-501-topic-2-question-404-discussion/

Question 286

NO.10After a ransomware attack a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?
A.The NetFlow data
B.A checksum
C.The event log
D.The public ledger

Answer 286

Answer:A

不要理這題

Question 287

NO.11A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Select TWO).
A.Containerization
B.Application whitelisting
C.Full-device encryption
D.Network usage rules
E.Remote control
F.Geofencing

Answer 287

Answer:A,C
By running an application in a container, it isolates and protects the application, including any of its data.This is very useful when an organization allows employees to use their own devices. It’s possible to encrypt the container to protect it without encrypting the entire device.

Question 288

NO.12A network engineer notices the VPN concentrator overloaded and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than the security of the end users' traffic. Which of the following would be BEST to solve this issue?
A.Always On
B.L2TP
C.iPSec
D.Split tunneling

Answer 288

Answer:A or D?

Question 289

NO.13A symmetric encryption algorithm Is BEST suited for:
A.protecting large amounts of data.
B.providing hashing capabilities,
C.implementing non-repudiation.
D.key-exchange scalability.

Answer 289

Answer:A

Question 290

O.14A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:
[03/06/20xx:17:20:18] system 127.0.0.1 Findxpath=//User[Username/text()=’foo’ or 7=7 or ‘o’=’o’ And Password/text=’bar’]
[03/06/20xx : 17:21:18] appaamin 194.28. 114. 102 action: login result: success
[03/06/20xx:17:22:18] appadmin 194.28. 114.102 action: open . account (12345) result: fail
[03/06/20xx:17:23:18] appadmin 194.28. 114.102 action: open . account (23456) result: fail
[03/06/20xx: 17:23:18] appadmin 194.28. 114, 102 action: open . account (23456) result:fail
[03/06/20xx:17:23:18] appadmin 194.28.114.102 action: open account (45678) result: fail
Which of the following can the security analyst conclude?
A.An injection attack is being conducted against a user authentication system.
B.A replay attack is being conducted against the application.
C.A service account password may have been changed, resulting in continuous failed logins within
the application.
D.A credentialed vulnerability scanner attack is testing several CVEs against the application.

Answer 290

Answer:C

Question 291

NO.15A smart retail business has a local store and a newly established and growing online storefront. A recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost sales and delayed order processing. The business owner now needs to ensure two things:
* Protection from power outages
* Always-available connectivity In case of an outage
The owner has decided to implement battery backups for the computer equipment Which of the following would BEST fulfill the owner’s second need?
A.Lease a point-to-point circuit to provide dedicated access.
B.Purchase services from a cloud provider for high availability
D Replace the business’s wired network with a wireless network.
C.Connect the business router to its own dedicated UPS.

Answer 291

Answer:B

Question 292

NO.16A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL:
http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us
The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL:
http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us
Which of the following application attacks is being tested?
A.Object deference
B.Pass-the-hash
C.Session replay
D.Cross-site request forgery

Answer 292

Answer:C

Question 293

NO.17An organization is concerned that is hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?
A.nslookup -port=80 comtia.org
B.Hping3 -s comptia, org -p 80
C.Nc -1 -v comptia, org -p 80
D.nmp comptia, org -p 80 -aV

Answer 293

Answer:D

Question 294

NO.18Employees are having issues accessing the company's website. Some employees report very slow performance, while others cannot the website at all. The web and security administrators search the logs and find millions of half-open connections to port 443 on the web server. Further analysis reveals thousands of different source IPs initiating this traffic. Which of the following attacks is MOST likely occurring?
A.MAC flooding
B.Man-in-the-middle
C.Domain hijacking
D.DDoS

Answer 294

Answer:D

Question 295

Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)
A. Cross-site scripting
B. Data exfiltration
C. Poor system logging
D. Weak encryption
E. SQL injection
F. Server-side request forgery

Answer 295

DF(??

https://www.examtopics.com/discussions/comptia/view/39864-exam-sy0-601-topic-1-question-4-discussion/

Question 296

A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data?
A. Containerization
B. Geofencing
C. Full-disk encryption
D. Remote wipe

Answer 296

A

https://www.examtopics.com/discussions/comptia/view/40502-exam-sy0-601-topic-1-question-5-discussion/

Question 297

A Chief Security Office’s (CSO’s) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO’s objectives?
A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares.
B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident.
C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization’s susceptibility to phishing attacks.
D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.

Answer 297

D

Question 298

A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)
A. Perform a site survey
B. Deploy an FTK Imager
C. Create a heat map
D. Scan for rogue access points
E. Upgrade the security protocols
F. Install a captive portal

Answer 298

AC

Question 299

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?
A. SSAE SOC 2
B. PCI DSS
C. GDPR
D. ISO 31000

Answer 299

C

Question 300

Phishing and spear-phishing attacks have been occurring more frequently against a company’s staff. Which of the following would MOST likely help mitigate this issue?
A. DNSSEC and DMARC
B. DNS query logging
C. Exact mail exchanger records in the DNS
D. The addition of DNS conditional forwarders

Answer 300

C(?

Question 301

On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.)
A. Data accessibility
B. Legal hold
C. Cryptographic or hash algorithm
D. Data retention legislation
E. Value and volatility of data
F. Right-to-audit clauses

Answer 301

EF(?

Question 302

Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?
A. Investigation
B. Containment
C. Recovery
D. Lessons learned

Answer 302

B

https://www.examtopics.com/discussions/comptia/view/34078-exam-sy0-501-topic-2-question-337-discussion/

Question 303

A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used?
A. The scan results show open ports, protocols, and services exposed on the target host
B. The scan enumerated software versions of installed programs
C. The scan produced a list of vulnerabilities on the target host
D. The scan identified expired SSL certificates

Answer 303

B

Question 304

Which of the following BEST explains the difference between a data owner and a data custodian?
A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data
B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data
C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data
D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data

Answer 304

B

Question 305

A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements?
A. Implement open PSK on the APs
B. Deploy a WAF
C. Configure WIPS on the APs
D. Install a captive portal

Answer 305

D

Question 306

A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective?
(Choose two.)
A. Dual power supply
B. Off-site backups
C. Automatic OS upgrades
D. NIC teaming
E. Scheduled penetration testing
F. Network-attached storage

Answer 306

AB

Question 307

An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine- learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.)
A. Voice
B. Gait
C. Vein
D. Facial
E. Retina
F. Fingerprint

Answer 307

BD

Question 308

An organization is developing an authentication service for use at the entry and exit ports of country borders. The service will use data feeds obtained from passport systems, passenger manifests, and high-definition video feeds from CCTV systems that are located at the ports. The service will incorporate machine- learning techniques to eliminate biometric enrollment processes while still allowing authorities to identify passengers with increasing accuracy over time. The more frequently passengers travel, the more accurately the service will identify them. Which of the following biometrics will MOST likely be used, without the need for enrollment? (Choose two.)
A. Voice
B. Gait
C. Vein
D. Facial
E. Retina
F. Fingerprint

Answer 308

BD

Question 309

An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:
✑ Check-in/checkout of credentials
✑ The ability to use but not know the password
✑ Automated password changes
✑ Logging of access to credentials
Which of the following solutions would meet the requirements?
A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system

Answer 309

D

Question 310

An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:
✑ Check-in/checkout of credentials
✑ The ability to use but not know the password
✑ Automated password changes
✑ Logging of access to credentials
Which of the following solutions would meet the requirements?
A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system

Answer 310

D

https://www.examtopics.com/discussions/comptia/view/41862-exam-sy0-601-topic-1-question-21-discussion/

Question 311

Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employee’s workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?
A. A worm that has propagated itself across the intranet, which was initiated by presentation media
B. A fileless virus that is contained on a vCard that is attempting to execute an attack
C. A Trojan that has passed through and executed malicious code on the hosts
D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall

Answer 311

A

https://www.examtopics.com/discussions/comptia/view/42680-exam-sy0-601-topic-1-question-22-discussion/

Question 312

After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw.
The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?
A. The vulnerability scan output
B. The IDS logs
C. The full packet capture data
D. The SIEM alerts

Answer 312

A??

Question 313

A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization’s security posture?
A. Configure the DLP policies to allow all PII
B. Configure the firewall to allow all ports that are used by this application
C. Configure the antivirus software to allow the application
D. Configure the DLP policies to whitelist this application with the specific PII
E. Configure the application to encrypt the PII

Answer 313

D

Question 314

An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance’s vulnerable state?
A. The system was configured with weak default security settings.
B. The device uses weak encryption ciphers.
C. The vendor has not supplied a patch for the appliance.
D. The appliance requires administrative credentials for the assessment.

Answer 314

C

Question 315

A company’s bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company’s forensics team to assist in the cyber-incident investigation.
An incident responder learns the following information:
✑ The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs.
✑ All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network.
Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected.
Which of the following is the MOST likely root cause?
A. HTTPS sessions are being downgraded to insecure cipher suites
B. The SSL inspection proxy is feeding events to a compromised SIEM
C. The payment providers are insecurely processing credit card charges
D. The adversary has not yet established a presence on the guest WiFi network

Answer 315

C(?

https://www.examtopics.com/discussions/comptia/view/40969-exam-sy0-601-topic-1-question-26-discussion/

Question 316

A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to check emails and update reports. Which of the following would be BEST to prevent other devices on the network from directly accessing the laptop? (Choose two.)
A. Trusted Platform Module
B. A host-based firewall
C. A DLP solution
D. Full disk encryption
E. A VPN
F. Antivirus software

Answer 316

BE(AB?

Question 317

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?
A. One-time passwords
B. Email tokens
C. Push notifications
D. Hardware authentication

Answer 317

C
With push authentication, access requests are sent via out-of-band notifications to an associated mobile device that a user then approves or denies. its is user friendly and widely used nowadays by companies
https://www.examtopics.com/discussions/comptia/view/30047-exam-sy0-501-topic-2-question-348-discussion/

Question 318

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?
A. Install a NIDS device at the boundary.
B. Segment the network with firewalls.
C. Update all antivirus signatures daily.
D. Implement application blacklisting.

Answer 318

B

Question 319

A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy?
A. Mobile device management
B. Full-device encryption
C. Remote wipe
D. Biometrics

Answer 319

A

Question 320

A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?
A. Continuous delivery
B. Continuous integration
C. Continuous validation
D. Continuous monitoring

Answer 320

B

Question 321

A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must have a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select?
A. 0
B. 1
C. 5
D. 6

Answer 321

D

https://www.examtopics.com/discussions/comptia/view/39135-exam-sy0-601-topic-1-question-32-discussion/

Question 322

Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server?
A. The document is a honeyfile and is meant to attract the attention of a cyberintruder.
B. The document is a backup file if the system needs to be recovered.
C. The document is a standard file that the OS needs to verify the login credentials.
D. The document is a keylogger that stores all keystrokes should the account be compromised.

Answer 322

A

https://www.examtopics.com/discussions/comptia/view/32782-exam-sy0-501-topic-2-question-360-discussion/

Question 323

A small company that does not have security staff wants to improve its security posture. Which of the following would BEST assist the company?
A. MSSP
B. SOAR
C. IaaS
D. PaaS

Answer 323

A
MSSP是把資安委外
SOAR代表安全協調，自動化和響應。該術語用於描述三種軟件功能–威脅和漏洞管理，安全事件響應和安全操作自動化。SOAR使公司可以從各種來源收集與威脅相關的數據，並自動對低級別威脅做出響應。
https://www.fireeye.com/products/helix/what-is-soar.html
Security as a Service The breadth of technologies requiring specialist security knowledge and configuration makes it likely that companies will need to depend on third-party support at some point. You can classify such support in three general “tiers”:
• Consultants—the experience and perspective of a third-party professional can be hugely useful in improving security awareness and capabilities in any type of organization (small to large). Consultants could be used for “big picture” framework analysis and alignment or for more specific or product-focused projects (pen testing, SIEM rollout, and so on). It is also fairly simple to control costs when using consultants if they are used to develop capabilities rather than implement them. Where consultants come to “own” the security function, it can be difficult to change or sever the relationship.
• Managed Security Services Provider (MSSP)—a means of fully outsourcing responsibility for information assurance to a third party. This type of solution is expensive but can be a good fit for an SME that has experienced rapid growth and has no in-house security capability. Of course, this type of outsourcing places a huge amount of trust in the MSSP. Maintaining effective oversight of the MSSP requires a good degree of internal security awareness and expertise. There could also be significant challenges in industries exposed to high degrees of regulation in terms of information processing.
• Security as a Service (SECaaS)—can mean lots of different things, but is typically distinguished from an MSSP as being a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the cloud. Typically, there would be a connector to the cloud service installed locally. For example, an antivirus agent would scan files locally but be managed and updated from the cloud provider; similarly a log collector would submit events to the cloud service for aggregation and correlation. Examples include Cloudflare, Mandiant/FireEye, and SonicWall.

Question 324

An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server?
A. DNS cache poisoning
B. Domain hijacking
C. Distributed denial-of-service
D. DNS tunneling

Answer 324

B

https://www.examtopics.com/discussions/comptia/view/41318-exam-sy0-601-topic-1-question-35-discussion/

Question 325

cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing?
A. Developing an incident response plan
B. Building a disaster recovery plan
C. Conducting a tabletop exercise
D. Running a simulation exercise

Answer 325

C

https://www.examtopics.com/exams/comptia/sy0-601/view/9/

Question 326

A RAT that was used to compromise an organization’s banking credentials was found on a user’s computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring?
A. Create a new acceptable use policy.
B. Segment the network into trusted and untrusted zones.
C. Enforce application whitelisting.
D. Implement DLP at the network boundary.

Answer 326

C

Question 327

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us
The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us
Which of the following application attacks is being tested?
A. Pass-the-hash
B. Session replay
C. Object deference
D. Cross-site request forgery

Answer 327

B

Question 328

A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS?
A. Corrective
B. Physical
C. Detective
D. Administrative

Answer 328

C

Question 329

A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?
A. SIEM
B. DLP
C. CASB
D. SWG

Answer 329

C

https://secbuzzer.co/post/172

Question 330

A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?
A. CASB
B. SWG
C. Containerization
D. Automated failover

Answer 330

C

Question 331

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?
A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool

Answer 331

D

Question 332

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:
CPU O percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy
Which of the following is the router experiencing?
A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion

Answer 332

D(?

https://www.examtopics.com/exams/comptia/sy0-601/view/12/

Question 333

A company provides mobile devices to its users to permit access to email and enterprise applications. The company recently started allowing users to select from several different vendors and device models. When configuring the MDM, which of the following is a key security implication of this heterogeneous device approach?
A. The most common set of MDM configurations will become the effective set of enterprise mobile security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured.

Answer 333

C

Question 334

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?
A. SED
B. HSM
C. DLP
D. TPM

Answer 334

A(?

Seagate Self-Encrypting Drive (SED)

Question 335

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:
[03/06120xx:17:20:18]system 127.0.0.1 Findxpath=//User(Username/text()=’foo’ or 7=7 or ‘o’=’o’ And Password/text=’bar’]
[03/06/20xx:17:21:18] appaamin 194.28.114.102 action: login result: success
[03/06/20xx: 17:22:18] appadmin 194.28.114. 102 action: open account (12345) result:fail
[03/06/20xx : 17 :23:18] appadmin 194 . 28. 114 . 102 action: open . account (23456) result: fail
[03/06/20xx:17:23:18] appadmin 194.28.114. 102 action : open . account (23456) result:fail
[03/06/20xx: 17 :23:18] appadmin 194.28. 114. 102 action : open . account (45678) result:fail
Which of the following can the security analyst conclude?
A. A replay attack is being conducted against the application.
B. An injection attack is being conducted against a user authentication system.
C. A service account password may have been changed, resulting in continuous failed logins within the application.
D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

Answer 335

C

Question 336

In which of the following situations would it be BEST to use a detective control type for mitigation?
A. A company implemented a network load balancer to ensure 99.999% availability of its web application.
B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster.
C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital assets.

Answer 336

D

Question 337

The IT department’s on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?
A. Limit the use of third-party libraries.
B. Prevent data exposure queries.
C. Obfuscate the source code.
D. Submit the application to QA before releasing it.

Answer 337

D

Question 338

A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective?
A. OAuth
B. SSO
C. SAML
D. PAP

Answer 338

C
Security Assertion Markup Language (SAML)is a markup language, much like HTML. It uses tags, but rather than defining web page elements (as HTML does), it defines security authorization.
SAML is used to exchange authentication and authorization information between identity providers and service providers. It is often used in web browser single sign-on implementations.
Shibbolethis a single sign-on system used widely on the Internet. The name derives from a bible story where the word shibbolethwas used as a password. The Shibboleth system uses SAML.
https://support.google.com/a/answer/6262987?hl=zh-Hant

Question 339

A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of the following is the MOST likely reason for the user’s inability to connect the laptop to the VPN?
A. Due to foreign travel, the user’s laptop was isolated from the network.
B. The user’s laptop was quarantined because it missed the latest path update.
C. The VPN client was blacklisted.
D. The user’s account was put on a legal hold.

Answer 339

A意義不明

Question 340

In which of the following common use cases would steganography be employed?
A. Obfuscation
B. Integrity
C. Non-repudiation
D. Blockchain

Answer 340

A

Question 341

To secure an application after a large data breach, an e-commerce site will be resetting all users’ credentials. Which of the following will BEST ensure the site’s users are not compromised after the reset?
A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history

Answer 341

C(??????????

Question 342

An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy?
A. The theft of portable electronic devices
B. Geotagging in the metadata of images
C. Bluesnarfing of mobile devices
D. Data exfiltration over a mobile hotspot

Answer 342

D. Data exfiltration over a mobile hotspot

https://www.examtopics.com/discussions/comptia/view/41051-exam-sy0-601-topic-1-question-57-discussion/

Question 343

A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing?
A. A packet capture
B. A user behavior analysis
C. Threat hunting
D. Credentialed vulnerability scanning

Answer 343

C

Question 344

Which of the following would MOST likely support the integrity of a voting machine?
A. Asymmetric encryption
B. Blockchain
C. Transport Layer Security
D. Perfect forward secrecy

Answer 344

B(?

Question 345

The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?
A. A script kiddie
B. Shadow IT
C. Hacktivism
D. White-hat

Answer 345

B

Question 346

A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers.
Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:
A. perform attribution to specific APTs and nation-state actors.
B. anonymize any PII that is observed within the IoC data.
C. add metadata to track the utilization of threat intelligence reports.
D. assist companies with impact assessments based on the observed data.

Answer 346

B

Question 347

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?
A. A RAT was installed and is transferring additional exploit tools.
B. The workstations are beaconing to a command-and-control server.
C. A logic bomb was executed and is responsible for the data transfers.
D. A fireless virus is spreading in the local network environment.

Answer 347

A(?

https://www.examtopics.com/discussions/comptia/view/40835-exam-sy0-501-topic-2-question-409-discussion/

Question 348

Which of the following is the purpose of a risk register?
A. To define the level or risk using probability and likelihood
B. To register the risk with the required regulatory agencies
C. To identify the risk, the risk owner, and the risk measures
D. To formally log the type of risk mitigation strategy the organization is using

Answer 348

C
項目管理中的風險登記的目的是記錄已識別的所有風險的詳細信息，以及其分析以及如何處理這些風險的計劃。
https://www.simplilearn.com/risk-management-framework-article

Question 349

A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.)
A. DoS
B. SSL stripping
C. Memory leak
D. Race condition
E. Shimming
F. Refactoring

Answer 349

AD

Question 350

The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using?
A. Phishing
B. Whaling
C. Typo squatting
D. Pharming

Answer 350

B

Question 351

An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?
A. Order of volatility
B. Data recovery
C. Chain of custody
D. Non-repudiation

Answer 351

C

Question 352

A company wants to deploy PKI on its Internet-facing website. The applications that are currently deployed are:
✑ www.company.com (main website)
✑ contactus.company.com (for locating a nearby location)
✑ quotes.company.com (for requesting a price quote)
The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?
A. SAN
B. Wildcard
C. Extended validation
D. Self-signed

Answer 352

B

Question 353

A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each salesperson's laptop. The sales department has a higher-than- average rate of lost equipment. Which of the following recommendations would BEST address the CSO's concern?
A. Deploy an MDM solution.
B. Implement managed FDE.
C. Replace all hard drives with SEDs.
D. Install DLP agents on each laptop.

Answer 353

B

https://www.examtopics.com/exams/comptia/sy0-601/view/19/

Question 354

A user contacts the help desk to report the following:
✑ Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested.
✑ The user was able to access the Internet but had trouble accessing the department share until the next day.
✑ The user is now getting notifications from the bank about unauthorized transactions.
Which of the following attack vectors was MOST likely used in this scenario?
A. Rogue access point
B. Evil twin
C. DNS poisoning
D. ARP poisoning

Answer 354

B
#connecting to the corporate wireless SSID
https://www.examtopics.com/discussions/comptia/view/41123-exam-sy0-601-topic-1-question-74-discussion/

Question 355

A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring?
A. Configure the perimeter firewall to deny inbound external connections to SMB ports.
B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections.
C. Deny unauthenticated users access to shared network folders.
D. Verify computers are set to install monthly operating system, updates automatically.

Answer 355

A(? will check

Question 356

Which of the following refers to applications and systems that are used within an organization without consent or approval?
A. Shadow IT
B. OSINT
C. Dark web
D. Insider threats

Answer 356

A

Question 357

A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement?
A. Discretionary
B. Rule-based
C. Role-based
D. Mandatory

Answer 357

D

Question 358

Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations?
A. Least privilege
B. Awareness training
C. Separation of duties
D. Mandatory vacation

Answer 358

C

https://www.examtopics.com/discussions/comptia/view/36948-exam-sy0-501-topic-2-question-386-discussion/

Question 359

Which of the following would be the BEST method for creating a detailed diagram of wireless access points and hotspots?
A. Footprinting
B. White-box testing
C. A drone/UAV
D. Pivoting

Answer 359

A