CompTIA SEC+ SY0-701 Exam V3 Flashcards

Question 1

Q

Recent changes to a company’s BYOD policy require all personal mobile devices to use a two-factor authentication method that is not something you know or have. Which of the following will meet this requirement?

A. Facial recognition
B. Six-digit PIN
C. PKI certificate
D. Smart card

Public key infrastructure (PKI)

Answer

A

Facial recognition

A type of bio-metric authentication that uses the unique features of a person’s face to verify their identity. Facial recognition is not something you know or have, but something you are, which is one of the three factors of authentication. Facial recognition can provide a convenient and secure way to authenticate users on personal mobile devices, as it does not require any additional hardware or input from the user. Facial recognition can also be used in conjunction with other factors, such as passwords or tokens, to provide multi-factor authentication.

Question 2

Q

A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the best remediation to prevent this vulnerability?

A. Implement input validations
B. Deploy UFA
C. Utilize a WAF
D. Conjure HIPS

Host Intrusion Prevention System (HIPS)
Web Application Firewall (WAF)

Answer

A

Utilize a WAF

A web application firewall (WAF) is a security solution that monitors and filters the traffic between a web application and the internet. It can prevent code injection attacks by blocking malicious requests that contain code snippets or commands that could compromise the web application. A WAF can also enforce input validation rules and sanitize user inputs to prevent code injection.

Question 3

Q

A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment. Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following most describes the type of assessment taking place?

A. Input validation
B. Dynamic code analysis
C. Fuzzing
D. Manual code review

Answer

A

Dynamic code analysis

A technique that tests and analyzes an application during runtime to identify potential vulnerabilities, errors, or performance issues. Dynamic code analysis can detect problems that may not be visible in the source code or during static analysis, such as memory leaks, buffer overflows, or input validation errors. Dynamic code analysis can also simulate real-world scenarios and user inputs to evaluate the behavior and functionality of the application.

Question 4

Q

Which of the following best describes the risk that is present once mitigations are applied?

A. Control risk
B. Residual risk
C. Inherent risk
D. Risk awareness

Answer

A

Residual risk

The risk that remains after applying risk mitigation measures, such as controls, policies, or procedures. It reflects the level of uncertainty and potential impact that cannot be completely eliminated by risk management efforts. Residual risk is calculated by subtracting the risk reduction from the inherent risk, or by multiplying the inherent risk by the risk control effectiveness. Residual risk should be compared to the acceptable level of risk to determine if further action is needed or if the risk can be accepted by the management.

Question 5

Q

Which of the following is a reason why a forensic specialist would create a plan to preserve data after an incident and prioritize the sequence for performing forensic analysis?

A. Order of volatility
B. Preservation of event logs
C. Chain of custody
D. Compliance with legal hold

Answer

A

Order of volatility

The order in which a forensic specialist should collect evidence based on how quickly the data can be lost or altered. The most volatile data, such as CPU registers and cache, should be collected first, followed by less volatile data, such as disk drives and archival media.

Question 6

Q

In which of the following scenarios is tokenization the best privacy technique to use?

A. Providing pseudo-anonymization for social media user accounts
B. Serving as a second factor for authentication requests
C. Enabling established customers to safely store credit card information
D. Masking personal information inside databases by segmenting data

Answer

A

Enabling established customers to safely store credit card information

Tokenization is a privacy technique that replaces sensitive data elements, such as credit card numbers, with non-sensitive equivalents, called tokens, that have no intrinsic or exploitable value.
Tokenization can be used to enable established customers to safely store credit card information without exposing their actual card numbers to potential theft or misuse.

Question 7

Q

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following should the organization most likely implement?

A. CBT
B. NDA
C. MOU
D. AUP

Non-Disclosure Agreement (NDA)
Memorandum of Understanding (MOU)
Acceptable Use Policy (AUP)

Answer

A

NDA

A legally binding contract that establishes a confidential relationship between two or more parties. An NDA can be used to prevent intellectual property theft by employees who leave the organization by prohibiting them from disclosing or using any sensitive information they may have obtained during their employment.

Question 8

Q

Local guidelines require that all information systems meet a minimum security baseline to be compliant. Which of the following can security administrators use to assess their system
configurations against the baseline?

A. SOAR playbook
B. Security control matrix
C. Risk management framework
D. Benchmarks

Security Orchestration, Automation and Response (SOAR)

Answer

A

Benchmarks

Predefined sets of configuration standards or best practices for securing information systems and networks. Benchmarks can be used to assess system configurations against the minimum security baseline required by local guidelines or industry regulations.

Question 9

Q

A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to best address the CSO’s concerns? (Select two).

A. AWAF
B. CASB
C. NG-SWG
D. Segmentation
E. Encryption
F. Containerization

Advanced Web Application Firewall (AWAF)
Cloud Access Security Broker (CASB)
Next Generation Secure Web Gateway

Answer

A

A CASB & Encryption

A CASB (Cloud Access Security Broker) and encryption are two solutions that can address the CSO’s concerns about cloud-based services security. A CASB is a software tool or service that acts as an intermediary between users and cloud service providers, enforcing security policies and providing visibility and control over cloud activities. A CASB can help detect and prevent advanced threats and malware by applying data loss prevention, threat protection, anomaly detection, and encryption capabilities to cloud data and traffic.

Encryption is a process of transforming data into an
unreadable format using a secret key or algorithm, making it inaccessible to unauthorized parties. Encryption can help protect cloud data from breaches by ensuring that only authorized users with the correct key can decrypt and access the data. Encryption can be applied to data at rest (stored in the cloud) or data in transit (moving between the cloud and users).

Question 10

Q

A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior?

A. Implementing encryption
B. Monitoring outbound traffic
C. Using default settings
D. Closing all open ports

Answer

A

Monitoring outbound traffic

A technique that can detect the behavior of malware that allows the unauthorized movement of data from a system. Outbound traffic refers to the data that leaves a system or network and goes to an external destination, such as another network, server, or website.
Monitoring outbound traffic can help identify any suspicious or anomalous patterns, such as large volumes of data being sent to unknown or malicious destinations, which could indicate a malware infection or a data exfiltration attempt.

Question 11

Q

A systems administrator is auditing all company servers to ensure they meet the minimum security baseline. While auditing a Linux server the systems administrator observes the /etc/shadow file has permissions beyond the baseline recommendation. Which of the following commands should the systems administrator use to resolve this issue?

A. chmod
B. grep
C. dd
D. passwd

Answer

A

chmod

chmod is a Linux command that can be used to change or modify the permissions of files and directories. The /etc/shadow file is a system file that stores the encrypted passwords of user accounts in Linux. The /etc/shadow file should have restricted permissions to prevent unauthorized access or modification of the passwords.

The recommended permissions for the /etc/shadow file are
read/write for root user only (600). If the systems administrator observes that the /etc/shadow file has permissions beyond the baseline recommendation, they can use the chmod command to resolve this issue by setting the appropriate permissions for the file. For example, chmod 600 /etc/shadow would set the permissions of the /etc/shadow file to read/write for root user only.

Question 12

Q

A security analyst is investigating a malware incident at a company, the malware is accessing a command-and-control website at www.comptia.com. All outbound internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?

A. head -500 www.comptia.com | grep /logfiles/messages
B. cat /logfiles/messages I tail -500 www.comptia.com
C. tail -500 /logfiles/messages I grep www.comptia.com
D. grep -500 /logfiles/messages I cat www.comptia.com

Answer

A

tail -500 /logfiles/messages I grep www.comptia.com

tail is a Linux command that can be used to display the last part of a file. grep is a Linux command that can be used to search for a pattern in a file or input.
The pipe symbol (|) is used to connect two
commands and pass the output of one command as the input of another command.
The best command for the analyst to use on the syslog server to search for recent traffic to the command-and-control website is “tail -500 /logfiles/messages | grep www.comptia.com”
This command would display the last 500 lines of the /logfiles/messages file and filter them by the pattern www.comptia.com, which is the domain name of the command-and-control website. This way, the analyst can see any syslog messages that contain the domain name of the malicious website and investigate them further.

Question 13

Q

Which of the following environments can be stood up in a short period of time, utilizes either dummy data or actual data, and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time?

A. PoC
B. Production
C. Test
D. Development

Proof of Concept (PoC)

Answer

A

PoC

A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time. This environment can utilize either dummy data or actual data.

Question 14

Q

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

A. A DMZ
B. A VPN
C. A VLAN
D. An ACL

De-Militarized Zone (DMZ)
Virtual Private Network (VPN)
Virtual Local Area Network (VLAN)
Access Control List (ACL)

Answer

A

An ACL

After segmenting the network, a network manager can use an access control list (ACL) to control the traffic between the segments. An ACL is a set of rules that permit or deny traffic based on it’s characteristics, such as the source and destination IP addresses, protocol type, and port number.

Question 15

Q

A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. Which of the following should the engineer implement?

A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet

Virtual Local Area Network (VLAN)

Answer

A

A screened subnet

A screened subnet is a network segment that can be used for servers that require connections from untrusted networks. It is placed between two firewalls, with one firewall facing the untrusted network and the other facing the trusted network. This setup provides an additional layer of security by screening the traffic that flows between the two networks.

Question 16

Q

Which of the following should be addressed first on security devices before connecting to the network?

A. Open permissions
B. Default settings
C. API integration configuration
D. Weak encryption

Application Programming Interface (API)

Answer

A

Default settings

Before connecting security devices to the network, it is crucial to address default settings first. Manufacturers often ship devices with default settings that include default usernames, passwords, and configurations. These settings are widely known and can be easily exploited by attackers. Changing default settings helps to secure the device and prevent unauthorized access.

Question 17

Q

Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?

A. Hashing
B. DNS sinkhole
C. TLS inspection
D. Data masking

Intrusion Detection System (IDS)
Web Application Firewall (WAF)
Domain Name System (DNS)
Transport Layer Security (TLS)

Answer

A

TLS inspection

TLS (Transport Layer Security) is a protocol that is used to encrypt data sent over HTTPS (Hypertext Transfer Protocol Secure). In order for an intrusion detection system (IDS) and a web application firewall (WAF) to be effective on HTTPS traffic, they must be able to inspect the encrypted traffic. TLS inspection allows the IDS and WAF to decrypt and inspect the traffic, allowing them to detect any malicious activity.

Question 18

Q

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following best describes this type of vulnerability?

A. Legacy operating system
B. Weak configuration
C. Zero day
D. Supply chain

Answer

A

Zero day

A zero-day vulnerability is a security flaw that is unknown to the vendor and the public, and therefore has no patch or fix available. A zero-day attack is an exploit that takes advantage of a zero-day vulnerability before the vendor or the security community becomes aware of it. A zero-day attack can cause serious damage to a system or network, as there is no defense against it until a patch is released.

Question 19

Q

Which of the following would most likely include language prohibiting end users from accessing personal email from a company device?

A. SLA
B. BPA
C. NDA
D. AUP

Service-level Agreement (SLA)
Business Partnership Agreement (BPA)
Non-Disclosure Agreement (NDA)
Acceptable Use Policy (AUP)

Answer

A

AUP

AUP or Acceptable Use Policy is a document that defines the rules and guidelines for using a company’s IT resources, such as devices, networks, internet, email, etc. It usually includes language prohibiting end users from accessing personal email from a company device, as well as other activities that may compromise security or productivity.

Question 20

Q

Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?

A. EF x asset value
B. ALE / SLE
C. MTBF x impact
D. SLE x ARO

Exposure Factor (EF)
Annualized Loss Expectancy (ALE)
Single Loss Expectancy (SLE)
Mean Time Between Failures (MTBF)
Annualized Rate of Occurrence (ARO)

Answer

A

SLE x ARO

The total loss expected per year due to a threat targeting an asset can be calculated using the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO). SLE is the monetary loss expected from a single event, while ARO is the estimated frequency of that event occurring in a year.

Question 21

Q

An organization is repairing the damage after an incident. Which of the following controls is being implemented?

A. Detective
B. Preventive
C. Corrective
D. Compensating

Answer

A

Corrective

A corrective control is a type of security control that is designed to mitigate the damage caused by a security incident or to restore the normal operations after an incident. A corrective control can include actions such as restoring from backups, applying patches, isolating infected systems, or implementing new policies and procedures. A corrective control is different from a preventive control, which aims to stop an incident from happening, or a detective control, which aims to identify and record an incident.

Question 22

Q

A security professional wants to enhance the protection of a critical environment that is used to store and manage a company’s encryption keys. The selected technology should be tamper resistant. Which of the following should the security professional implement to achieve the goal?

A. DLP
B. HSM
C. CA
D. FIM

Data Loss Prevention (DLP)
hardware security module (HSM)
Certificate Authenticity (CA)
File Integrity Monitoring (FIM)

Answer

A

HSM

HSM stands for hardware security module, which is a physical device that is used to store and manage cryptographic keys in a secure and tamper-resistant manner. HSMs can provide high-performance encryption and decryption operations, as well as key generation, backup, and recovery.
HSMs can also prevent unauthorized access or extraction of the keys, even by the cloud service provider or the HSM vendor. HSMs can enhance the protection of a critical environment that is used to store and manage encryption keys for a financial institution or any other organization that deals with sensitive data.

Question 23

Q

Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer’s Pll?

A. SCAP
B. NetFlow
C. Antivirus
D. DLP

Personally Identifiable Information (PII)
Security Content Automation Protocol
Data Loss Prevention (DLP)

Answer

A

DLP

DLP stands for Data Loss Prevention, which is a technology that can monitor, detect and prevent the unauthorized transmission of sensitive data, such as PII (Personally Identifiable Information). DLP can be implemented on endpoints, networks, servers or cloud services to protect data in motion, in use or at rest. DLP can also block or alert on data transfers that violate predefined policies or rules. DLP is the best tool to assist with detecting an employee who has accidentally emailed a file containing a customer’s PII, as it can scan the email content and attachments for any data that matches the criteria of PII and prevent the email from being sent or notify the administrator of the incident

Question 24

Q

Which of the following best reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?

A. Implement proper network access restrictions.
B. Initiate a bug bounty program.
C. Classify the system as shadow IT.
D. Increase the frequency of vulnerability scans.

Answer

A

Implement proper network access restrictions.

Network access restrictions can limit the exposure of systems that have expired vendor support and lack an immediate replacement, as they can prevent unauthorized or unnecessary access to those systems from other devices or networks. Network access restrictions can include firewalls, network segmentation, VPNs, access control lists, and other methods that can filter or block traffic based on predefined rules or policies. Network access restrictions can reduce the security risks introduced by running systems that have expired vendor support, as they can mitigate the impact of potential vulnerabilities or exploits that may affect those systems.

Question 25

Q

A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?

A. Implement S/MIME to encrypt the emails at rest.
B. Enable full disk encryption on the mail servers.
C. Use digital certificates when accessing email via the web.
D. Configure web traffic to only use TLS-enabled channels.

Secure/Multipurpose Internet Mail Extensions (S/MIME)
Transport Layer Security (TLS)

Answer

A

Implement S/MIME to encrypt the emails at rest.

S/MIME stands for Secure/Multipurpose Internet Mail Extensions, which is a standard for encrypting and digitally signing email messages. S/MIME can provide confidentiality, integrity, authentication and non-repudiation for email communications. S/MIME can encrypt the emails at rest, which means that the email contents are protected even if they are stored on the mail servers or the user inboxes. S/MIME can prevent email contents from being released should another breach occur, as the attacker would not be able to decrypt or read the encrypted emails without the proper keys or certificates.

Question 26

Q

Recent changes to a company’s BYOD policy require all personal mobile devices to use a two-factor authentication method that is not something you know or have. Which of the following will meet this requirement?

A. Facial recognition
B. Six-digit PIN
C. PKI certificate
D. Smart card

Bring Your Own Device (BYOD)
Public Key Infrastructure (PKI)

Answer

A

Facial recognition

Facial recognition is a type of biometric authentication that uses the unique features of a person’s face to verify their identity. Facial recognition is not something you know or have, but something you are, which is one of the three factors of authentication. Facial recognition can use various methods and technologies, such as 2D or 3D images, infrared sensors, machine learning and more, to capture, analyze and compare facial data. Facial recognition can provide a convenient and secure way to authenticate users on personal mobile devices, as it does not require any additional hardware or
input from the user. Facial recognition can also be used in conjunction with other factors, such as passwords or tokens, to provide multi-factor authentication.

Question 27

Q

After a phishing scam for a user’s credentials, the red team was able to craft payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session. Which of the following types of attacks has occurred?

A. Privilege escalation
B. Session replay
C. Application programming interface
D. Directory traversal

Answer

A

Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. In this scenario, the red team was able to install malicious software, which would require elevated privileges to access and install. Therefore, the type of attack that occurred is privilege escalation.

Question 28

Q

A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Select TWO).

A. HIDS
B. NIPS
C. HSM
D. WAF
E. NAC
F. NIDS
G. Stateless firewall

Host-Based Instrusion Detection System (HIDS)
Network Intrusion Prevention System (NIPS)
Hardware Security Module (HSM)
Web Application Firewall (WAF)
Network Access Control (NAC)
Network Intrusion Detection System (NIDS)

Answer

A

WAF & NIDS

A WAF (Web Application Firewall) and NIDS (Network Intrusion Detection System) are both examples of Layer 7 security controls. A WAF can block attacks at the application layer (Layer 7) of the OSI model by filtering traffic to and from a web server. NIDS can also detect attacks at Layer 7 by monitoring network traffic for suspicious patterns and behaviors.

Question 29

Q

During an incident, a company’s CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

A. Physically move the PC to a separate Internet point of presence.
B. Create and apply microsegmentation rules,
C. Emulate the malware in a heavily monitored DMZ segment
D. Apply network blacklisting rules for the adversary domain

Computer Incident Response Team (CIRT)
De-Militarized Zone (DMZ)

Answer

A

Emulate the malware in a heavily monitored DMZ segment

Emulating the malware in a heavily monitored DMZ segment is the best option for observing network-based transactions between a callback domain and the malware running on an enterprise PC. This approach provides an isolated environment for the malware to run, reducing the risk of lateral spread and detection by the adversary. Additionally, the DMZ can be monitored closely to gather intelligence on the adversary’s tactics and techniques.

Question 30

Q

A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking. Which of the following cloud service provider types should business engage?

A. laaS
B. PaaS
C. XaaS
D. SaaS

Infrastructure as a Software (IaaS)
Platform as a Software (PaaS)
Anything as a Software (XaaS)
Services as a Software (SaaS)

Answer

A

laaS

Infrastructure as a Service (IaaS) providers offer a la carte services, including cloud backups, VM elasticity, and secure networking. With IaaS, businesses can rent infrastructure components such as virtual machines, storage, and networking from a cloud service provider.

Question 31

Q

A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform?

A. Add a deny-all rule to that host in the network ACL.
B. Implement a network-wide scan for other instances of the malware.
C. Quarantine the host from other parts of the network.
D. Revoke the client’s network access certificates.

Security Information and Event Management (SIEM)
Access Control List (ACL)

Answer

A

Quarantine the host from other parts of the network

When malware is discovered on a host, the best course of action is to quarantine the host from other parts of the network. This prevents the malware from spreading and potentially infecting other hosts. Adding a deny-all rule to the host in the network ACL may prevent legitimate traffic from being processed, implementing a network-wide scan is time-consuming and may not be necessary, and revoking the client’s network access certificates is an extreme measure that may not be warranted.

Question 32

Q

An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the BEST course of action for the analyst to take?

A. Apply a DLP solution.
B. Implement network segmentation
C. Utilize email content filtering
D. Isolate the infected attachment.

Data Loss Prevention (DLP)

Answer

A

Implement network segmentation

Network segmentation is the BEST course of action for the analyst to take to prevent further spread of the worm. Network segmentation helps to divide a network into smaller segments, isolating the infected attachment from the rest of the network. This helps to prevent the worm from spreading to other devices within the network. Implementing email content filtering or DLP solution might help in preventing the email from reaching the target or identifying the worm, respectively, but will not stop the spread of the worm.

Question 33

Q

An enterprise needs to keep cryptographic keys in a safe manner. Which of the following network appliances can achieve this goal?

A. HSM
B. CASB
C. TPM
D. DLP

Hardware Security Module (HSM)
Cloud Access Security Broker (CASB)
Trusted Platform Module (TPM)
Data Loss Prevention (DLP)

Answer

A

HSM

Hardware Security Module (HSM) is a network appliance designed to securely store cryptographic keys and perform cryptographic operations. HSMs provide a secure environment for key management and can be used to keep cryptographic keys safe from theft, loss, or unauthorized access. Therefore, an enterprise can achieve the goal of keeping cryptographic keys in a safe manner by using an HSM appliance.

Question 34

Q

A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware. Which of the following deployment models will provide the needed flexibility with the GREATEST amount of control and security over company data and infrastructure?

A. BYOD
B. VDI
C. COPE
D. CYOD

Bring Your Own Device (BYOD)
Virtual Desktop Infrastructure (VDI)
Corporate-Owned Personally Enabled (COPE)
Choose Your Own Device (CYOD)

Answer

A

CYOD

Choose Your Own Device (CYOD) is a deployment model that allows employees to select from a predefined list of devices. It provides employees with flexibility in device preference while allowing the company to maintain control and security over company data and infrastructure. CYOD deployment model provides a compromise between the strict control provided by Corporate-Owned Personally Enabled (COPE) deployment model and the flexibility provided by Bring Your Own Device (BYOD) deployment model.

Question 35

Q

A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible
travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?

A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS

Wireless Access Point (WAP)
Service Set Identifier (SSID)
Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS)
Distributed-Denial of Service (DDoS)

Answer

A

Evil twin

The attack being conducted is an Evil twin attack. An Evil twin attack involves creating a rogue wireless access point (WAP) with the same Service Set Identifier (SSID) as a legitimate WAP to trick users into connecting to it. Once connected, the attacker can intercept traffic or steal login credentials. The successful login attempts with impossible travel times suggest that an attacker is using a stolen or compromised credential to access the external site to which the sensitive data is being downloaded. The non-standard DHCP configurations and overlapping channels of the WAPs suggest that the attacker is using a rogue WAP to intercept traffic.

Question 36

Q

A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago and the company that developed them is no longer in business. Which of the following constraints BEST describes the reason the findings cannot be remediated?

A. inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch

Answer

A

Unavailable patch

If the systems are running unsecure protocols and the company that developed them is no longer in business, it is likely that there are no patches available to remediate the issue.

Question 37

Q

Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments?

A. ISO 27701
B. The Center for Internet Security
C. SSAE SOC 2
D. NIST Risk Management Framework

International Organization for Standardization (ISO)
Statement on Standards for Attestation Engagements Service and Organization Controls (SSAE SOC 2)
National Institute of Standards & Technology (NIST)

Answer

A

The Center for Internet Security

The Center for Internet Security (CIS) uses six initial steps that provide basic control over system security, including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments.

Question 38

Q

The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable?

A. SSO
B. MFA
C. PKI
D. OLP

Security Assertions Markup Language (SAML)
Single Sign-On (SSO)
Multi-Factor Authentication
Public Key Infrastructure (PKI)

Answer

A

SSO

Federating user digital identities using SAML-based protocols enables Single Sign-On (SSO), which allows users to log in once and access multiple applications without having to enter their credentials for each one.

Question 39

Q

Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?

A. RTO
B. MTBF
C. MTTR
D. RPO

Recovery Time Objective (RTO)
Mean Time Between Failures (MTBF)
Mean Time To Repair (MTTR)
Recovery Point Objective (RPO)

Answer

A

MTTR

Mean Time To Repair (MTTR) is a maintenance metric that measures the average time required to troubleshoot and restore failed equipment.

Question 40

Q

Which of the following should a technician consider when selecting an encryption method for data that needs to remain confidential for a specific length of time?

A. The key length of the encryption algorithm
B. The encryption algorithm’s longevity
C. A method of introducing entropy into key calculations
D. The computational overhead of calculating the encryption key

Answer

A

The encryption algorithm’s longevity

When selecting an encryption method for data that needs to remain confidential for a specific length of time, the longevity of the encryption algorithm should be considered to ensure that the data remains secure for the required period.

Question 41

Q

A security analyst is investigating a phishing email that contains a malicious document directed to the company’s Chief Executive Officer (CEO). Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?

A. Run a vulnerability scan against the CEOs computer to find possible vulnerabilities
B. Install a sandbox to run the malicious payload in a safe environment
C. Perform a traceroute to identify the communication path
D. Use netstat to check whether communication has been made with a remote host

Indicators of Compromise (IoC)

Answer

A

Install a sandbox to run the malicious payload in a safe environment

To understand the threat and retrieve possible Indicators of Compromise (IoCs) from a phishing email containing a malicious document, a security analyst should install a sandbox to run the malicious payload in a safe environment.

Question 42

Q

An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor

Answer

A

Data custodian

The responsibilities of ensuring backups are properly maintained and implementing technical controls to protect data are the responsibilities of the data custodian role.

Question 43

Q

Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan?

A. Vulnerabilities with a CVSS score greater than 6.9.
B. Critical infrastructure vulnerabilities on non-IP protocols.
C. CVEs related to non-Microsoft systems such as printers and switches.
D. Missing patches for third-party software on Windows workstations and servers.

Common Vulnerability Scoring System (CVSS)
Common Vulnerabilities and Exposures (CVE)

Answer

A

Missing patches for third-party software on Windows workstations and servers.

An uncredentialed scan would miss missing patches for third-party software on Windows workstations and servers. A credentialed scan, however, can scan the registry and file system to determine the patch level of third-party applications.

Question 44

Q

Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company’s final software release? (Select TWO.)

A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software

Answer

A

Included third-party libraries & Vendors/supply chain

The most likely vectors for the unauthorized inclusion of vulnerable code in a software company’s final software release are included third-party libraries and vendors/supply chain.

Question 45

Q

After gaining access to a dual-homed (i.e.. wired and wireless) multifunction device by exploiting a vulnerability in the device’s firmware, a penetration tester then gains shell access on another networked asset This technique is an example of:

A. privilege escalation
B. footprinting
C. persistence
D. pivoting

Answer

A

pivoting

The technique of gaining access to a dual-homed multifunction device and then gaining shell access on another networked asset is an example of pivoting.

Question 46

Q

A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again?

A. Enforce the use of a controlled trusted source of container images
B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers
C. Define a vulnerability scan to assess container images before being introduced on the environment
D. Create a dedicated VPC for the containerized environment

Answer

A

Enforce the use of a controlled trusted source of container images

Enforcing the use of a controlled trusted source of container images is the best solution to prevent incidents like the introduction of a zero-day vulnerability through container images from occurring again.

Question 47

Q

A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned In the email. This BEST describes a scenario related to:

A. whaling.
B. smishing.
C. spear phishing
D. vishing

Answer

A

spear phishing

The scenario of receiving an email stating a database will be encrypted unless a payment is made is an example of spear phishing.

Question 48

Q

Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing?

A. Development
B. Staging
C. Production
D. Test

Answer

A

Staging

Staging is an environment in the software development lifecycle that is used to test a modified version of the actual data, current version configurations, and code. This environment compares user-story responses and workflow before the software is released to the production environment.

Question 49

Q

Which of the following best describes the situation where a successfully onboarded employee who is using a fingerprint reader is denied access at the company’s gate?

A. Crossover error rate
B. False match raw
C. False rejection
D. False positive

Answer

A

False rejection

Occurs when a biometric system fails to recognize an authorized user and denies access. This can happen due to poor quality of the biometric sample, environmental factors, or system errors.

Question 50

Q

A company that provides an online streaming service made its customers’ personal data including names and email addresses publicly available in a cloud storage service. As a result, the company experienced an increase in the number of requests to delete user accounts. Which of the following
best describes the consequence of this data disclosure?

A. Regulatory fines
B. Reputation damage
C. Increased insurance costs
D. Financial loss

Answer

A

Reputation damage

Reputation damage is the loss of trust or credibility that a company suffers when its customers’ personal data is exposed or breached. This can lead to customer dissatisfaction, loss of loyalty, and requests to delete user accounts.

Question 51

Q

A cybersecurity analyst at Company A is working to establish a secure communication channel with a counterpart at Company B, which is 3,000 miles (4.828 kilometers) away. Which of the following concepts would help the analyst meet this goal in a secure manner?

A. Digital signatures
B. Key exchange
C. Salting
D. PPTP

Point-to-Point Tunneling Protocol (PPTP)

Answer

A

Key exchange

Key exchange is the process of securely sharing cryptographic keys between two parties over a public network. This allows them to establish a secure communication channel and encrypt their messages. There are different methods of key exchange, such as Diffie-Hellman or RSA.

Rivest, Shamir, & Adleman (RSA)

Question 52

Q

The new Chief Information Security Officer at a company has asked the security learn to implement stronger user account policies. The new policies require:

Users to choose a password unique to their last ten passwords
Users to not log in from certain high-risk countries

Which of the following should the security team implement? (Select two).

A. Password complexity
B. Password history
C. Geolocation
D. Geospatial
E. Geotagging
F. Password reuse

Answer

A

Password history & Geolocation

Password history is a policy that prevents users from reusing their previous passwords. This can reduce the risk of password cracking or compromise. Geolocation is a policy that restricts users from logging in from certain locations based on their IP address. This can prevent unauthorized access
from high-risk countries or regions.

Question 53

Q

A Chief Information Security Officer (CISO) wants to implement a new solution that can protect against certain categories of websites, whether the employee is in the office or away. Which of the following solutions should the CISO implement?

A. WAF
B. SWG
C. VPN
D. WDS

Web Application Firewall (WAF)
secure web gateway (SWG)
Virtual Private Network (VPN)
wireless distribution system (WDS)

Answer

A

SWG

A secure web gateway (SWG) is a solution that can filter and block malicious or inappropriate web traffic based on predefined policies. It can protect users from web-based threats, such as malware, phishing, or ransomware, whether they are in the office or away. An SWG can be deployed as a hardware appliance, a software application, or a cloud service.

Question 54

Q

Which of the following is a security implication of newer ICS devices that are becoming more common in corporations?

A. Devices with celular communication capabilities bypass traditional network security controls
B. Many devices do not support elliptic-curve encryption algorithms due to the overhead they require.
C. These devices often lade privacy controls and do not meet newer compliance regulations
D. Unauthorized voice and audio recording can cause loss of intellectual property

Industrial control systems (ICS)

Answer

A

Unauthorized voice and audio recording can cause loss of intellectual property

Industrial control systems (ICS) are devices that monitor and control physical processes, such as power generation, manufacturing, or transportation. Newer ICS devices may have voice and audio capabilities that can be exploited by attackers to eavesdrop on sensitive conversations or capture confidential information. This can result in the loss of intellectual property or trade secrets.

Question 55

Q

A security investigation revealed that malicious software was installed on a server using a server administrator credentials. During the investigation the server administrator explained that Telnet was regularly used to log in. Which of the following most likely occurred?

A. A spraying attack was used to determine which credentials to use
B. A packet capture tool was used to steal the password
C. A remote-access Trojan was used to install the malware
D. A directory attack was used to log in as the server administrator

Answer

A

A packet capture tool was used to steal the password

Telnet is an insecure protocol that transmits data in cleartext over the network. This means that anyone who can intercept the network traffic can read the data, including the username and password of the server administrator. A packet capture tool is a software or hardware device that can capture and analyze network packets. An attacker can use a packet capture tool to steal the password and use it to install malicious software on the server.

Question 56

Q

A security administrator needs to provide secure access to internal networks for external partners, the administrator has given the PSK and other parameters to the third-party security administrator. Which of the following is being used to establish this connection?

A. Kerberos
B. SSL/TLS
C. IPSec
D. SSH

Pre-shared key (PSK)
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Internet Protocol Security (IPSec)
Secure Shell (SSH)

Answer

A

IPSec

IPSec is a protocol suite that provides secure communication over IP networks. It uses encryption, authentication, and integrity mechanisms to protect data from unauthorized access or modification.
IPSec can operate in two modes: transport mode and tunnel mode. In tunnel mode, IPSec can create a virtual private network (VPN) between two endpoints, such as external partners and internal networks. To establish a VPN connection, IPSec requires a pre-shared key (PSK) or other parameters
to negotiate the security association.

Question 57

Q

An account was disabled atter several failed and successful login connections were made from various parts of the world at various times. A security analysts is investigating the issue. Which of the following account policies most likely triggered the action to disable the account.

A. Time based logins
B. Password history
C. Geofencing
D. Impossible travel time

Answer

A

Impossible travel time

Impossible travel time is a policy that detects and blocks login attempts from locations that are geographically impossible to reach from the previous login location within a certain time frame. For example, if a user logs in from New York and then tries to log in from Tokyo within an hour, the policy would flag this as impossible travel time and disable the account.

Question 58

Q

A systems integrator is installing a new access control system for a building. The new system will need to connect to the company’s AD server in order to validate current employees. Which of the following should the systems integrator configure to be the most secure?

A. HTTPS
B. SSH
C. SFTP
D. LDAPS

Active Directory (AD)
Hypertext Transfer Protocol Secure (HTTPS)
Secure Shell (SSH)
SSH File Transfer Protocol (SFTP)
Lightweight Directory Access Protocol Secure (LDAPS)

Answer

A

LDAPS

LDAPS (Lightweight Directory Access Protocol Secure) is the most secure protocol to use for connecting to an Active Directory server, as it encrypts the communication between the client and the server using SSL/TLS.

Question 59

Q

Which of the following can be used by an authentication application to validate a user’s credentials without the need to store the actual sensitive data?

A. Salt string
B. Private Key
C. Password hash
D. Cipher stream

Answer

A

Password hash

Password hash is a method of storing a user’s credentials without the need to store the actual sensitive data. A password hash is a one-way function that transforms the user’s password into a fixed-length string of characters that cannot be reversed.

Question 60

Q

A security engineer updated an application on company workstations. The application was running before the update, but it is no longer launching successfully. Which of the following most likely needs to be updated?

A. Blocklist
B. Deny list
C. Quarantine list
D. Approved list

Answer

A

Approved list

Approved list is a list of applications or programs that are allowed to run on a system or network. An approved list can prevent unauthorized or malicious software from running and compromising the security of the system or network. An approved list can also help with patch management and compatibility issues.

Question 61

Q

A user is trying unsuccessfully to send images via SMS. The user downloaded the images from a corporate email account on a work phone. Which of the following policies is preventing the user from completing this action?

A. Application management
B. Content management
C. Containerization
D. Full disk encryption

Answer

A

Content management

Content management is a policy that controls what types of data can be accessed, modified, shared, or transferred by users or applications. Content management can prevent data leakage or exfiltration by blocking or restricting certain actions, such as copying, printing, emailing, or sending data via SMS.

Question 62

Q

A company recently completed the transition from data centers to the cloud. Which of the following solutions will best enable the company to detect security threats in applications that run in isolated environments within the cloud environment?

A. Security groups
B. Container security
C. Virtual networks
D. Segmentation

Answer

A

Container security

Container security is a solution that can enable the company to detect security threats in applications that run in isolated environments within the cloud environment. Containers are units of software that package code and dependencies together, allowing applications to run quickly and reliably across different computing environments. Container security involves securing the container images, the container runtime, and the container orchestration platforms.

Question 63

Q

A manager for the development team is concerned about reports showing a common set of vulnerabilities. The set of vulnerabilities is present on almost all of the applications developed by the team. Which of the following approaches would be most effective for the manager to use to address this issue?

A. Tune the accuracy of fuzz testing.
B. Invest in secure coding training and application security guidelines.
C. Increase the frequency of dynamic code scans to detect issues faster.
D. Implement code signing to make code immutable.

Answer

A

Invest in secure coding training and application security guidelines.

Invest in secure coding training and application security guidelines is the most effective approach for the manager to use to address the issue of common vulnerabilities in the applications developed by the team. Secure coding training can help the developers learn how to write code that follows security best practices and avoids common mistakes or flaws that can introduce vulnerabilities. Application security guidelines can provide a set of standards and rules for developing secure applications that meet the company’s security requirements and policies.

Question 64

Q

A company is focused on reducing risks from removable media threats. Due to certain primary applications, removable media cannot be entirely prohibited at this time. Which of the following best describes the company’s approach?

A. Compensating controls
B. Directive control
C. Mitigating controls
D. Physical security controls

Answer

A

Mitigating controls

Mitigating controls are designed to reduce the impact or severity of an event that has occurred or is likely to occur. They do not prevent or detect the event, but rather limit the damage or consequences of it. For example, a backup system is a mitigating control that can help restore data after a loss or
corruption.

Answer 65

A

Provisioning

Provisioning is the process of creating and setting up IT infrastructure, and includes the steps required to manage user and system access to various resources . Provisioning can be done for servers, cloud environments, users, networks, services, and more. In this case, the security administrator wants to ensure that all cloud servers will have software preinstalled for facilitating vulnerability scanning and continuous monitoring. This means that the administrator needs to provision the cloud servers with the necessary software and configuration before they are deployed or used by customers or end users. Provisioning can help automate and standardize the process of setting up cloud servers and reduce the risk of human errors or inconsistencies.

Answer 66

A

Snapshot

A snapshot backup is a type of backup that captures the state of a system at a point in time. It is highly time- and storage-efficient because it only records the changes made to the system since the last backup. It also has no impact on production systems because it does not require them to be offline or paused during the backup process.

Answer 67

A

Acceptance

Acceptance is a risk management strategy that involves acknowledging the existence and potential impact of a risk, but deciding not to take any action to reduce or eliminate it. This strategy is usually adopted when the cost of implementing controls outweighs the benefit of mitigating the risk, or when the risk is deemed acceptable or unavoidable. In this case, the organization decided not to put controls in place because of the high cost compared to the potential fine, which means they accepted the risk.

Answer 68

A

Least privilege

Least privilege is a security principle that states that users and processes should only have the minimum level of access and permissions required to perform their tasks. This reduces the risk of insider threats by limiting the potential damage that a malicious or compromised user or process can cause to the system or data.

Answer 69

A

CPU cache, memory, temporary file systems, disk

The correct order of evidence from most to least volatile in forensic analysis is based on how quickly the evidence can be lost or altered if not collected or preserved properly. CPU cache is the most volatile type of evidence because it is stored in a small amount of memory on the processor and can be overwritten or erased very quickly. Memory is the next most volatile type of evidence because it is stored in RAM and can be lost when the system is powered off or rebooted. Temporary file systems are less volatile than memory because they are stored on disk, but they can still be deleted or overwritten by other processes or users. Disk is the least volatile type of evidence because it is stored on permanent storage devices and can be recovered even after deletion or formatting, unless overwritten by new data.

Random Access Memory (RAM)

Answer 70

A

The last incremental backup that was conducted 72 hours ago

The last incremental backup that was conducted 72 hours ago would be the best option to restore the services to a secure state, as it would contain the most recent data before the ransomware infection. Incremental backups only store the changes made since the last backup, so they are faster and use less storage space than full backups. Restoring from an incremental backup would also minimize the data loss and downtime caused by the ransomware attack.

Answer 71

A

HSM

HSM stands for hardware security module, which is a physical device that is used to store and manage cryptographic keys in a secure and tamper-resistant manner. HSMs can provide high-performance encryption and decryption operations, as well as key generation, backup, and recovery.
HSMs can also prevent unauthorized access or extraction of the keys, even by the cloud service provider or the HSM vendor. HSMs can enhance the protection of a critical environment that is used to store and manage encryption keys for a financial institution or any other organization that deals with sensitive data.

Answer 72

A

Isolate the infected attachment.

Isolating the infected attachment is the best course of action for the analyst to take to prevent further spread of the worm. A worm is a type of malware that can self-replicate and infect other devices without human interaction. By isolating the infected attachment, the analyst can prevent the worm from spreading to other devices or networks via email, file-sharing, or other means. Isolating the infected attachment can also help the analyst to analyze the worm and determine its source, behavior, and impact.

Answer 73

A

Intrusion prevention system

An intrusion prevention system (IPS) is the best solution to implement on the company’s network to detect and prevent suspicious attempts to access company resources. An IPS is a network security technology that continuously monitors network traffic for malicious or anomalous activity and takes automated actions to block or mitigate it. An IPS can also alert the system administrators of any potential threats and provide detailed logs and reports of the incidents. An IPS can help the company to improve its security posture and prevent data breaches, unauthorized access, or denial-of-service attacks.

Answer 74

A

Deterrent

A deterrent control is a type of security control that is designed to discourage potential intruders from attempting to access or harm a system or network. A deterrent control relies on the perception or fear of negative consequences rather than the actual enforcement of those consequences. A deterrent control can also be used to influence the behavior of authorized users by reminding them of their obligations and responsibilities. An example of a deterrent control is placing fake cameras around the building, as it can create the illusion of surveillance and deter potential intruders from trying to break in. Other examples of deterrent controls are warning signs, security guards, or audit trails.

Answer 75

A

Compensating control

A compensating control is a type of security control that is implemented in lieu of a recommended security measure that is deemed too difficult or impractical to implement at the present time. A compensating control must provide equivalent or comparable protection for the system or network and meet the intent and rigor of the original security requirement. An example of a compensating control is using a host-based firewall on a legacy Linux system to allow connections from only specific internal IP addresses, as it can provide a similar level of defense as a network firewall that may not be compatible with the system.

Answer 76

A

Hacktivist

A Hacktivist is a threat actor who is most likely to be motivated by ideology. A hacktivist is a person or group who uses hacking skills and techniques to promote a political or social cause. Hacktivists may target government, corporate, or religious entities that they disagree with or oppose. Hacktivists
may use various methods to achieve their goals, such as defacing websites, leaking sensitive data, launching denial-of-service attacks, or spreading propaganda. Hacktivists are not motivated by financial gain or personal benefit, but rather by their beliefs and values.

Answer 77

A

DLP

DLP stands for Data Loss Prevention, which is a technology that can monitor, detect and prevent the unauthorized transmission of sensitive data, such as PII (Personally Identifiable Information). DLP can be implemented on endpoints, networks, servers or cloud services to protect data in motion, in use or at rest. DLP can also block or alert on data transfers that violate predefined policies or rules. DLP is the best tool to assist with detecting an employee who has accidentally emailed a file containing a customer’s PII, as it can scan the email content and attachments for any data that matches the criteria of PII and prevent the email from being sent or notify the administrator of the incident.

Answer 78

A

Implement proper network access restrictions.

Network access restrictions can limit the exposure of systems that have expired vendor support and lack an immediate replacement, as they can prevent unauthorized or unnecessary access to those systems from other devices or networks. Network access restrictions can include firewalls, network segmentation, VPNs, access control lists, and other methods that can filter or block traffic based on predefined rules or policies. Network access restrictions can reduce the security risks introduced by running systems that have expired vendor support, as they can mitigate the impact of potential vulnerabilities or exploits that may affect those systems.

Brainscape's Knowledge GenomeTM

CompTIA SEC+ SY0-701 Exam V3 Flashcards

Brainscape's Knowledge Genome^TM