CompTIA Security+ Certification SY0-701 Exam Questions 2 Flashcards
A recent security audit found that your VPN allows split tunneling. The auditors preferred to require full tunneling on the VPN. What security risk are the auditors attempting to mitigate?
The user’s corporate Active Directory (AD) credentials can leak out of the split tunnel and be exposed to the Internet.
Attacks that come from the public network could be routed through the endpoint and potentially bypass network perimeter controls of the organization.
The VPN will bypass all network intrusion detection and prevention technologies as the host is on a trusted network segment.
Split-tunnel VPNs can avoid external email filtering by sending emails through directly to the main corporate email server.
**“Attacks that come from the public network…” is correct.**
A split-tunnel VPN can potentially allow an attack from the untrusted Internet to attack the endpoint and then potentially allow that compromise into the organization from an unexpected network location.
After recent phishing attacks through email, you decide to implement a solution internally where employees can be assured of the authenticity of messages from other employees. Which email feature should you implement?
Encryption
URL scanning
Digital signatures
Spam filtering
**“Digital signatures” is correct.**
Digital signatures are created with the sender’s private key. Recipients verify the signature validity with the sender’s related public key. Digital signatures assure the recipient that the message has not been tampered with and comes from who it says it came from.
Which term is defined as a weakness that can be exploited by a threat?
Vulnerability
Threat
Internal
Impact
**“Vulnerability” is correct.**
Vulnerability is a weakness that can be exploited by a threat.
Which of the following are two characteristics of strong passwords? (Select two choices)
Encryption strength
Password length
Authentication methods
Use of additional character space
**“Password length”** and **“Use of additional character space”** are correct.
The password length and the use of additional character space are two important characteristics of password strength and complexity.
Which of the following is the name given to the process of assigning permissions or authorities to objects?
Quality assurance
Integrity measurement
Staging
Provisioning
**“Provisioning” is correct.**
This is a description of the provisioning process. Users can be provisioned into groups, and computer processes or threads can be provisioned to higher levels of authority when executing.
What is the name of an enclosure of conductive material that is grounded with no significant gap in the enclosure material, the purpose of which is to help shield EMI, especially in high radio frequency environments?
Faraday cage
Demilitarized zone enclosure
Vault
Air gap box
**“Faraday cage” is correct.**
This is a description of a Faraday cage. It can encompass an entire room or be the size of a specific item, such as a smaller cage that encases just a single smartphone.
Which phase of the incident response process involves restoring normal business operations?
Containment
Recovery
Eradication
Identification
**“Recovery” is correct.**
Recovery is the process of returning assets to their business function and restoring normal operations.
“Identification” is incorrect. Identification is when the team recognizes the incident and notifies the incident response team.
“Containment” is incorrect. Containment involves the actions taken to constrain the incident.
“Eradication” is incorrect. Eradication involves removing the problem.
What is the name given to parts of an organization that perform their own IT functions?
Clandestine IT
Mirror IT
Secondary IT
Shadow IT
**“Shadow IT” is correct.**
Shadow IT is the name given to the parts of an organization that perform their own IT functions. These groups rise out of a desire to “get things done” when central IT does not respond in what the unit considers to be a reasonable timeframe.
You have fallen victim to a social media phishing scam. After receiving an email notification of a video of you from the past, you clicked the link, which played a generic stock video, and you realized it was a scam. What is the first thing you should do?
Run a full malware scan on your device.
Delete the email message.
Notify your company’s IT security officer.
Disconnect your device from the network.
**“Disconnect your device from the network” is correct.**
Clicking malicious links and executing programs or media files can infect a device. While many actions should take place to contain the potential malware, the easiest and first thing that should be done is to disconnect the device from all networks. All users should receive security awareness training that emphasizes this type of immediate response.
All of the following are characteristics of the RADIUS authentication protocol, except:
RADIUS encrypts user passwords during the authentication process.
RADIUS uses UDP port 1812.
RADIUS accepts earlier forms of authentication protocols, such as PAP.
RADIUS uses TCP port 1812.
**“RADIUS uses TCP port 1812” is correct.**
RADIUS does not use TCP.
Which of the following details the specific access levels that individuals or entities may have when interacting with objects?
Access control list
Metadata table
Rule-based access control
Access approval list
**“Access control list” is correct.**
An access control list (ACL) is a physical or logical list that details specific access levels individuals or entities may have when interacting with objects. An ACL is also used on network devices to determine how traffic from various users can enter and exit a network device and access internal hosts.
Which of the following terms indicates the amount of time it takes for a hardware component to recover from failure?
Mean time to failure
Mean time to replace
Mean time to recovery (MTTR)
Mean time between failures (MTBF)
**“Mean time to recovery” is correct.**
Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure.
All of the following are supporting elements of authorization, except:
Credential validation
Principle of least privilege
Separation of duties
Rights, permissions, and privileges
**“Credential validation” is correct.**
Validating credentials is an important aspect of authentication, not authorization.
Which of the following types of attacks can be prevented by using TLS 1.3?
Pass the hash
Driver manipulation
SSL stripping
DLL injection
**“SSL stripping” is correct.**
Secure Sockets Layer (SSL) stripping is an on-path (man-in-the-middle) attack against all SSL connections and early versions of TLS (TLS 1.0 and 1.1). The attack works by intercepting the initial connection request for HTTPS, redirecting it to an HTTP site, and mediating in the middle. TLS 1.3 has specific protections built into it to defeat SSL stripping and other man-in-the-middle attacks.
What is the initialization vector (IV) used for in a wireless communications protocol?
To ensure no other radios are operating on the same spectrum
As the starting port number for a network connection
To communicate the exact key length of the protocol
As the randomization element at the beginning of a connection
**“As the randomization element at the beginning of a connection” is correct.**
The initialization vector (IV) is used in wireless systems as the randomization element at the beginning of a connection. A good IV will help prevent attackers from decrypting the wireless traffic.
The process of verifying an identity previously established in a computer system is known as which of the following?
Auditability
Authorization
Accountability
Authentication
**“Authentication” is correct.**
This is a description of authentication. This is frequently confused with authorization, which describes what a user can do on the system.
Which of the following is not a recognized attack vector?
Firewalls
Supply chain
Direct access
Email
**“Firewalls” is correct.**
Firewalls are defensive systems meant to protect an organization and are not an attack vector (or method).
“Direct access” is incorrect. Direct access refers to direct access to a target system. It is one of the most effective attack vectors, as there’s usually no barrier between the attacker and the targeted system.
“Email” is incorrect. Email is an attack vector often used in social engineering attacks such as phishing.
“Supply chain” is incorrect. A supply chain is an attack vector where the attacker attempts to compromise a component used in the system before the final product is assembled (for example, infecting hard drives before they are placed into servers by the manufacturer).
Your company hosts public web servers that allow connections directly to TCP port 80 over HTTP and are configured with public IPv4 addresses. You need to enable connections to company HTTP servers using HTTPS while hiding the true identities of the servers. Which security solutions should you implement? (Select two choices)
PKI certificate
Reverse proxy server
Source network address translation
VPN
**“PKI certificate”** and **“Reverse proxy server”** are correct. Transport layer security (TLS) uses a public key infrastructure (PKI) certificate to secure network communications, such as an HTTPS web server over TCP port 443 by default.
Reverse proxy servers accept client requests for network services and route those to backend servers hidden behind the proxy; the true identities of backend servers are never
Which of the following statements about open permissions are true? (Select two choices)
The risk associated with open permissions is context-dependent.
A file with open permissions might be accessible to anyone, including guest accounts.
Only files can have open permissions.
Files with open permissions are always of little value.
**“A file with open permissions might be accessible to anyone, including guest accounts”** and **“The risk associated with open permissions is context-dependent”** are correct. A file with open permissions is equivalent to a file with no access control protections, meaning it may be accessible by anyone with access to the system, including unauthorized, anonymous, and guest accounts. The risk associated with open permissions is context-dependent: it depends on the file or directory that has the open permissions. A directory of memes with open permissions is low risk. A file containing accounts and passwords with open permissions is high risk.
Custom-built software running on an internal Windows server communicates over TCP port 4489.
You need to configure a firewall solution to allow traffic destined for port 4489 from the IP address range assigned to the sales team subnet.
Which type of firewall should you configure while minimizing administrative effort and cost?
SD-WAN
Layer 4 firewall
Content-filtering firewall
VPN
**“Layer 4 firewall” is correct.**
Layer 4 of the OSI model (the transport layer) applies to transport protocols such as TCP and UDP as well as port numbers used by network services. A layer 4 firewall implies the ability to also read packet headers at lower levels of the OSI model, including layer 3 (the network layer), which applies to IP addresses.
Scenario 1
IT Admin: That last attack did some real damage! We need to add systems that identify malicious activity on our network immediately.
**Security Control Remediation Needed:** Technical
**Functional Type Remediation Needed:** Detective
**Control Remediation Needed:** Set up Firewall
Scenario 2
CEO: Our employees are visiting bad, unsecure websites way too often, but have we even stated that they shouldn’t be doing this yet?
**Security Control Remediation Needed:** Operational
**Functional Type Remediation Needed:** Directive
**Control Remediation Needed:** Update Policy
Scenario 3
CIO: It appears that anyone could possibly walk into the server room. We need to evaluate and ensure only authorized people can enter.
**Security Control Remediation Needed:** Physical
**Functional Type Remediation Needed:** Preventive
**Control Remediation Needed:** Install Keycard
A large multimedia company is experiencing a distributed denial of service (DDoS) attack that has led the company’s platform to become unresponsive.
Customers are submitting tickets complaining that they can no longer access the platform and cannot complete their work. What BEST describes what the company is going through?
A. Service disruption
B. Data exfiltration
C. Disinformation
D. Insider threat
**Correct Answer: A. Service disruption**
Service disruption prevents an organization from working as it usually does. This disruption could involve an attack on its website, such as a denial of service attack or using malware to block access to servers and employee workstations.
Data exfiltration refers to the attack where an actor transfers a copy of some valuable information from a computer or network without authorization.
Disinformation refers to falsifying a trusted resource, such as changing a website’s content, manipulating search engines to inject fake sites, or using bots to post false information on social media sites.
A large multimedia company is in the process of creating a new marketing campaign for a soon-to-be-released movie. However, before releasing the campaign, the company noticed an increase in fake accounts mimicking it online with a similar-looking campaign. What could the company do to mitigate this issue?
A. Check for typosquatting
B. Check for brand impersonation
C. Check for coercion
D. Check for consensus technique
**Correct Answer: B. Check for brand impersonation**
Brand impersonation occurs when the threat actor commits resources to accurately duplicating a company’s logos and formatting to make a phishing message or pharming website visually compelling.
Typosquatting means that the threat actor registers a domain name very similar to a real one, hoping that users will not notice the difference and assume they are browsing a trusted site.
Coercion or the use of urgency refers to the intimidation of the target with a bogus appeal to authority or penalty, such as getting fired or not acting quickly enough to prevent some dire outcome.
A security engineer discovered that an active employee copied sensitive information from the company’s shared drive and sold it online. What kind of actor describes this employee?
A. Insider threat
B. Nation-state
C. Hacktivist
D. Advanced persistent threat
**Correct Answer: D. Advanced Persistent Threat**
Cybercrime is the overarching term for the organized criminal activity occurring online.
An insider threat is someone within the company who intentionally or unintentionally increases risk or takes company data outside the organization’s security controls.
Hacktivists might attempt to use data exfiltration to obtain and release confidential information to the public domain, perform service disruption attacks, or deface websites to spread disinformation.
Service disruption prevents an organization from working as it usually does. This disruption could involve an attack on its website or using malware to block access to servers and employee workstations.
An accountant received a phone call from an individual requesting information for an ongoing project. The call came from an unrecognized number, but the individual seemed believable and persuasive. Before giving the information over, what should the accountant protect against?
A. Social engineering
B. Coercion
C. Typosquatting
D. Brand impersonation
**Correct Answer: A. Social Engineering**
Social engineering refers to eliciting information from users or getting them to perform some action for the threat actor.
The governmental organization in charge of managing the personnel records of the country’s military service members reported that another country had accessed its database. Who BEST describes the adversary that breached the personnel records database?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Advanced persistent threat
**Correct Answer: C. Nation State**
Nation-state actors are the root cause of many attacks, particularly on energy, health, and electoral systems. The goals of state actors are primarily disinformation and espionage for strategic advantage.
An insider threat is someone within the company who intentionally or unintentionally increases risk or takes company data outside the organization’s security controls.
A managed service provider (MSP) company decided to delay the implementation of new antivirus software for its clients after discovering that the vendor could not patch its software automatically. Why might a company NOT want software that is unable to update automatically?
A. It can save the company money.
B. It may not fix newly found vulnerabilities on time.
C. It will require less effort not to purchase software.
D. It will require less effort to update software.
**Correct Answer: B**
The ability to automatically update is crucial in the cybersecurity landscape, where new threats emerge rapidly. Antivirus software that cannot update automatically may fail to address these new threats quickly, leaving clients’ systems exposed to emerging security risks.
While not purchasing software does save money, it is not necessarily the main concern for a third-party managed service provider. Instead, a managed service provider would focus on ensuring security while minimizing effort.
Less effort will occur when a company does not purchase the software. However, automation is the better solution to decrease efforts for a managed service provider.
More effort will occur, as the managed service provider will now need to find another comparable solution that fits its needs of automatic updating. However, this is not the ideal solution.
An employee reported seeing an individual outside the office drop a few thumb drives. The employee grabbed those devices and brought them to the information technology (IT) department. After conducting forensics on the devices using air-gapped machines, the IT team determined that the individual was trying to trick employees into plugging the devices into their computers to steal information. What was the malicious actor attempting on an unsuspecting employee?
A. The actor used an email lure.
B. The actor tried to improve the company’s security posture.
C. The actor used a physical lure.
D. The actor was not being malicious.
**Correct Answer: C. The actor used a physical lure**
A physical lure can occur when an attacker leaves something, such as a removable flash drive, in an area where a targeted person would pick up the device and use it in the environment.
Your office does not deal in classified or even sensitive data. You are concerned, however, with the loss of equipment, as you have had a few external drives and tablets stolen in the last 12 months. Which of the following would be most appropriate for your environment, considering that you want a low-cost solution?
Vault
Safe
Faraday cage
Locking/secure cabinet
**“Locking/secure cabinet” is correct.**
Sometimes, a safe is overkill, providing a higher level of security than is needed. A simpler solution is secure cabinets and enclosures.
In which phase of the incident response process is the incident response team first notified?
Containment
Identification
Preparation
Prevention
**“Identification” is correct.**
Identification is when the team recognizes the incident and notifies the incident response team.
What process is used to review and validate continuity of operations planning?
After-action reports
Failover
Exercises/tabletop
Alternate processing sites
**“Exercises/tabletop” is correct.**
Once a continuity of operations plan (COOP) is in place, a tabletop exercise should be performed to ensure all elements are covered.
Which of the following policy settings prevent a user from rapidly changing passwords and cycling through his or her password history to reuse a password?
Password history
Minimum password age
Maximum password age
Password complexity
**“Minimum password age” is correct.**
The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history to reuse an older password.
Your organization utilizes two different people to perform tasks that are necessary for entry into your building. Person 1 checks IDs, enters data in a log and can issue a visitor badge.
Person 2 controls the door access, so a failure by either person does not expose your organization.
Which of the following is this an example of?
Required badging
Access control vestibule
Guards
Two-person integrity/control
**“Two-person integrity/control” is correct.**
Having two people required to perform a task provides a means of checks and balances.
Which tool would you use to identify TCP connections?
cipher
Python
netstat
ping
**“netstat” is correct. netstat is used to display TCP network connections.**
“Python” is incorrect. Python is a programming language.
“ping” is incorrect. ping is used to test the reachability of a host.
“cipher” is incorrect. cipher is used to wipe free space.
If your organization is highly sensitive to sharing resources, you might consider using which of the following cloud models?
Hybrid
Public
Private
Community
**“Private” is correct.**
Private clouds are essentially reserved resources used only for your organization; thus no sharing will occur.
What type of attack places a layer of code between a driver and the operating system?
Replay attack
Pass the hash
Refactoring
Shimming
**“Shimming” is correct. Shimming is a process of putting a layer of code between the driver and the OS.**
Which phase of the incident response process involves assigning actions to correct weaknesses and ways to improve?
Recovery
Eradication
Prevention
Lessons Learned
**“Lessons Learned” is correct.**
During the Lessons Learned phase, actions to correct weaknesses are assigned, and ways to improve are suggested.
In discussions of threat hunting, what does the acronym IOA mean?
Indicators of attack
Indicators of access
Indicators of availability
Indicators of artifacts
**“Indicators of attack” is correct.**
In threat hunting, IOA is an acronym for indicators of attack, which is a series of actions an attacker must accomplish to perform an attack (such as creating an account, connecting to a command server, and exfiltrating data).
In cybersecurity, an Indicator of Attack (IOA) is a sign that a cyberattack is in progress or about to happen. IOAs are proactive and can help detect and stop attacks early.
Which of the following is not an element of mobile device management?
Geolocation
Application management
Remote wipe
SATCOM
**“SATCOM” is correct.**
Managing satellite communications is not an element of mobile device management.
Which of the following is information that can lead to specifically identifying a person?
PCI
NPP
PII
PED
**“PII” is correct.**
Personally identifiable information (PII) is information that can lead to specifically identifying a person.
You are compiling a list of cybersecurity incidents that occurred in the organization over the last year. The list will be published on an internal company website as a company newsletter for all employees to read. Under which category should you provide details related to phishing scam incidents?
Ransomware
Injection attacks
Buffer overflows
Social engineering
**“Social engineering” is correct.**
Phishing campaigns are a form of social engineering, which uses deceptive techniques to trick victims into divulging sensitive information or clicking links or file attachments that infect devices.
Which tool would you use to list a file’s contents to a pipe?
rmdir
grep
mv
cat
**“cat” is correct. cat lists files to a pipe or output.**
“mv” is incorrect. mv transfers a file from one folder to another.
“rmdir” is incorrect. rmdir removes directories.
“grep” is incorrect. grep is used for searching plaintext files.
Which of the following mitigation techniques are the most effective in preventing and minimizing the impact of ransomware data encryption incidents? (Select two choices)
Identify network hosts that are not compliant with security baselines.
Store frequent backups offline.
Do a periodic review of layer 4 network perimeter firewall rules.
Do periodic updates of user training and awareness materials.
**“Store frequent backups offline” and “Do periodic updates of user training and awareness materials”** are correct.
Storing frequent backups offline means devices can be reimaged and data restored from recent backups to get systems up and running with current data as quickly as possible.
Storing backups offline also prevents ransomware from encrypting backed-up data. User awareness of scams and how malware can result in data loss can prevent ransomware attacks from occurring.
If you condensed the penetration process down into four phases, what might those phases be?
Planning, Discovery, Attack, Reporting
Planning, Discovery, Reporting, Briefing
Discovery, Attack, Reporting, Briefing
Planning, Discovery, Attack, Monitoring
**“Planning, Discovery, Attack, Reporting” is correct.**
If you condensed the penetration testing process down into four phases, they would be Planning, Discovery, Attack, and Reporting.
The technique of creating a mirror version of a database on which data modification techniques such as character shuffling, encryption, and word or character substitution are applied to change the data is known as which of the following?
Data masking
Encryption
Tokenization
Honeypot
**“Data masking” is correct.**
Data masking is used to make reverse engineering and detection impossible.
“Encryption” is incorrect. Encryption is the use of sophisticated mathematical techniques to prevent unauthorized reading of data by obscuring it. An encrypted piece of data will generally look like a bunch of random characters.
“Tokenization” is incorrect. Tokenization is the use of a random value to take the place of a data element that has traceable meaning.
“Honeypot” is incorrect. While data masking may be used in creating fake data for a honeypot, the two are not the same.
Which of the following are true statements about the dark web and deep web? (Select all that apply)
The dark web uses obfuscation methods to restrict access.
The deep web requires special software, such as Tor, to restrict access.
The deep web is not indexed by search engines and is usually restricted using logins.
The dark web is only used in legal activities to avoid government surveillance.
**“The dark web uses obfuscation methods to restrict access” and “The deep web is not indexed by search engines and is usually restricted using logins” are correct.**
The dark web uses obfuscation methods to restrict access. Dark web sites require Tor (free, open source software that enables anonymous communication). Because the dark web exists only in the realm of onion routing, dark web sites end with the extension .onion, as opposed to .com, .net, and so on. Deep web sites are not indexed by traditional search engines and require additional measures to access, such as a login.
Which of the following statements about highly structured threats is not true?
Some countries have regulations to prevent government workers from attacking companies for reasons of economic warfare.
They only target intelligence information and military data.
They usually have significant financial backing.
They are sometimes supported by nation-states and target other countries.
**“They only target intelligence information and military data” is correct.**
Highly structured threats may target companies, conduct corporate espionage, and steal intellectual property. They are not solely focused on government and military targets.
Which of the following scenarios define a fail-close situation? (Select two choices)
Electric hospital doors are not left open during a power outage in case of fire.
Firewall rules block disallowed traffic to an internal network.
Firewall logs reaching maximum configured capacity prevent firewall functionality.
Failed user authentication to a server prevents user resource access.
**“Firewall logs reaching maximum configured capacity prevent firewall functionality” and “Electric hospital doors are not left open during a power outage in case of fire” are correct.**
Fail-close applies when the normal functionality of a service or device is impaired and the service or device is closed automatically, such as a firewall blocking all traffic when logs are full, or when doors automatically close when power is out.
What is the purpose of DLP?
It serves to prevent sensitive data from leaving the network without notice.
It helps in the restoration of data lost as a result of a disaster.
It describes a protocol designed to facilitate the transmission of datagrams.
It is a process used in the design of networks that helps describe linkages between components.
**“It serves to prevent sensitive data from leaving the network without notice” is correct.**
Data loss prevention (DLP) solutions are designed to protect data in transit/motion, at rest, or in processing from unauthorized use or exfiltration.
Which approach to site resiliency consists of partially configured systems, usually having the peripherals and software but perhaps not the more expensive main processing computer?
Hot site
Offsite
Warm site
Cold site
**“Warm site” is correct.**
The goal of the “warm site” approach is to have the organization operational within a few days.
Which of the following roles is responsible for the day-to-day caretaking of data?
Data custodian/steward
Data privacy officer
Data owner
CMO
**“Data custodian/steward” is correct.**
The data custodian/steward is responsible for the day-to-day caretaking of data.