CompTIA Security+ Certification Exam SY0-701 Practice Test 6 Flashcards
Which of the following answers can be used to describe self-signed digital certificates? (Select 3 answers)
A) Backed by a well-known and trusted third party
B) Not trusted by default by web browsers and other applications
C) Used in trusted environments, such as internal networks and development environments
D) Suitable for websites and other applications that are accessible to the public
E) Trusted by default by web browsers and other applications
F) Not backed by a well-known and trusted third party
B) Not trusted by default by web browsers and other applications
C) Used in trusted environments, such as internal networks and development environments
F) Not backed by a well-known and trusted third party
A self-signed digital certificate is also referred to as:
A) Client certificate
B) EV certificate
C) Server certificate
D) Wildcard certificate
E) None of the above
E) None of the above
Third-party digital certificates, issued by trusted CAs, are automatically trusted by most browsers and operating systems, involve a cost, and require validation of the applicant’s identity. In contrast, self-signed certificates, issued by the entity to itself, are not automatically trusted, are free to create and use, and do not require validation by a CA.
A) True
B) False
A) True
In the context of digital certificates, the term “Root of trust” refers to the highest level of trust within a PKI system. It is typically represented by a root CA, which is a trusted third party that serves as the foundation for the entire PKI. All other entities in the PKI hierarchy, including intermediate CAs and end-entities (such as web servers, email servers, user devices, IoT devices, and individual users), derive their trust from this root. When a certificate is issued and signed by an intermediate CA, it gains trust through a chain of trust back to the root CA. This hierarchical trust model allows users and systems to trust certificates presented by websites, services, or individuals because they can trace the trust back to the well-established root of trust.
A) True
B) False
Which of the answers listed below refers to a PKI trust model?
A) Single CA model
B) Hierarchical model (root CA + intermediate CAs)
C) Mesh model (cross-certifying CAs)
D) Web of trust model (all CAs function as root CAs)
E) Chain of trust model (multiple CAs in a sequential chain)
F) Bridge model (cross-certifying between separate PKIs)
G) Hybrid model (combining aspects of different models)
H) All of the above
H) All of the above
Which of the following answers refers to a cryptographic file generated by an entity requesting a digital certificate from a CA?
A) OID
B) CSR
C) DN
D) CRL
B) CSR
A type of digital certificate that can be used to secure multiple subdomains within a primary domain is known as:
A) Root signing certificate
B) Subject Alternative Name (SAN) certificate
C) Extended Validation (EV) certificate
D) Wildcard certificate
D) Wildcard certificate
Which of the answers listed below refers to an identifier used for PKI objects?
A) OID
B) DN
C) SAN
D) GUID
A) OID
In IT security, the term “Shadow IT” is used to describe the practice of using IT systems, software, or services within an organization without the explicit approval or oversight of the organization’s IT department.
A) True
B) False
A) True
Choose an answer from the drop-down list on the right to match a threat actor type on the left with its common attack vector attribute.
1) External
2) Internal/External
3) Internal
Nation-state
Unskilled attacker
Hacktivist
Insider threat
Organized crime
Shadow IT
Nation-state = External
Unskilled attacker = Internal/External
Hacktivist = External
Insider threat = Internal
Organized crime = External
Shadow IT = Internal
Match each threat actor type with its corresponding resources/funding attribute. Using
1) High resources and funding
2) Low resources and funding
3) Low to medium resources and funding
4) Low to high resources and funding
5) Medium to high resources and funding
6) Low to medium resources and funding
Nation-state
Unskilled attacker
Hacktivist
Insider threat
Organized crime
Shadow IT
Nation-state = High resources and funding
Unskilled attacker = Low resources and funding
Hacktivist = Low to medium resources and funding
Insider threat = Low to high resources and funding
Organized crime = Medium to high resources and funding
Shadow IT = Low to medium resources and funding
Assign the level of sophistication attribute to each threat actor type listed below.
1) High level of sophistication
2) Low level of sophistication
3) Low to medium level of sophistication
4) Low to high level of sophistication
5) Medium to high level of sophistication
6) Low to medium level of sophistication
Nation-state
Unskilled attacker
Hacktivist
Insider threat
Organized crime
Shadow IT
Nation-state = High level of sophistication
Unskilled attacker = Low level of sophistication
Hacktivist = Low to medium level of sophistication
Insider threat = Low to high level of sophistication
Organized crime = Medium to high level of sophistication
Shadow IT = Low to medium level of sophistication
From the drop-down list on the right, select the typical motivations behind the actions of each threat actor type.
1) Espionage, political/philosophical beliefs, disruption/chaos, war
2) Disruption/chaos, financial gain, revenge
3) Ethical beliefs, philosophical/political beliefs, disruption/chaos
4) Revenge, financial gain, service disruption
5) Financial gain, data exfiltration, extortion
6) Convenience, lack of awareness of security risks, meeting specific needs
Nation-state
Unskilled attacker
Hacktivist
Insider threat
Organized crime
Shadow IT
Nation-state = Espionage, political/philosophical beliefs, disruption/chaos, war
Unskilled attacker = Disruption/chaos, financial gain, revenge
Hacktivist = Ethical beliefs, philosophical/political beliefs, disruption/chaos
Insider threat = Revenge, financial gain, service disruption
Organized crime = Financial gain, data exfiltration, extortion
Shadow IT = Convenience, lack of awareness of security risks, meeting specific needs
Which of the following terms is used to describe sophisticated and prolonged cyberattacks often carried out by well-funded and organized groups, such as nation-states?
A) MitM
B) APT
C) XSRF
D) DDoS
C) XSRF
An attack surface is the sum of all the potential points (vulnerabilities) through which an attacker can interact with or compromise a system or network, indicating the overall exposure to potential threats. Examples of attack surfaces can be all software, hardware, and network interfaces with known security flaws. A threat vector represents the method or means through which a cyber threat is introduced or delivered to a target system. It outlines the pathway or avenue used by attackers to exploit vulnerabilities. Common threat vector types include phishing emails, malware, drive-by downloads, and social engineering techniques.
A) True
B) False
A) True
Which of the answers listed below refers to an email-based threat vector?
A) Spoofing
B) Phishing
C) BEC attacks
D) Malicious links
E) Malware attachments
F) All of the above
F) All of the above
Which of the following terms refers to a threat vector commonly associated with SMS-based communication?
A) Phishing
B) Vishing
C) Smishing
D) Pharming
C) Smishing
Which of the following answers refer to examples of image-based threat vectors? (Select 3 answers)
A) Steganography
B) BEC attacks
C) Image spoofing (deepfakes)
D) Brand impersonation
E) Malware-embedded images
A) Steganography
C) Image spoofing
E) Malware-embedded images
Which of the answers listed below refers to an example of a potential threat vector in IM-based communication?
A) Phishing attack
B) Malware distribution
C) Spoofing attack
D) Eavesdropping
E) Account hijacking
F) Malicious link/attachment
G) All of the above
G) All of the above
Which of the answers listed below refers to a file-based threat vector?
A) PDF exploits
B) Malicious macros in documents
C) Compressed files (ZIP, RAR)
D) Malicious scripts in web pages
E) Infected images
F) Malicious executables
G) All of the above
G) All of the above
Which of the following answer choices is an example of a threat vector type that is typical for voice communication?
A) Smishing
B) Pharming
C) Vishing
D) Phishing
C) Vishing
Examples of threat vectors directly related to the use of removable devices include: (Select 2 answers)
A)Pretexting
B) Malware delivery
C) Watering hole attacks
D) Data exfiltration
E) Social engineering attacks
B) Malware delivery
D) Data exfiltration
Which of the answers listed below refer(s) to client-based software threat vector(s)? (Select all that apply)
A) Drive-by download via web browser
B) Malicious macro
C) Vulnerability in a network protocol or device
D) USB-based attack
E) Infected executable file
F) Malicious attachment in email application
A) Drive-by download via web browser
B) Malicious macro
D) USB-based attack
E) Infected executable file
F) Malicious attachment in email application
Which of the following answers refer to agentless software threat vectors? (Select 2 answers)
A) Phishing email
B) Malicious USB drive
C) Network protocol vulnerability
D) Infected macro
E)Packet sniffing
C) Network protocol vulnerability
E)Packet sniffing
Which digital certificate type allows to secure multiple domain names or subdomains with a single certificate?
A) Extended Validation (EV) certificate
B) Wildcard certificate
C) Subject Alternative Name (SAN) certificate
D) Root signing certificate
C) Subject Alternative Name (SAN) certificate