Random Question 20 - 40 Flashcards

CompTIA Security+ SY0-701 Part 1

1
Q

Question 21:
A security analyst is reviewing the following firewall configuration snippet:
```yaml
- action: allow
  source: 192.168.1.0/24
  destination: any
  service: ssh
- action: deny
  source: any
  destination: 10.0.0.5
  service: http
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. SSH connections from the 192.168.1.0/24 network are permitted to any destination.

B. All HTTP traffic to the IP address 10.0.0.5 is blocked.

C. The firewall allows all incoming SSH connections.

D. HTTP connections from 10.0.0.5 are denied to any destination.

E. The configuration prevents all traffic to the 10.0.0.0/24 network.

A

Correct Answer: A, B

Explanation:

The first rule (A) allows SSH connections from the 192.168.1.0/24 network to any destination.

The second rule (B) denies all HTTP traffic to the specific IP 10.0.0.5. Options C, D, and E are incorrect interpretations of the given configuration.

2
Q

Question 22:

In the context of a Zero Trust security model, which of the following best describes the relationship between the Control Plane and the Data Plane?

A. The Control Plane manages user authentication, while the Data Plane handles data encryption.

B. The Control Plane defines security policies, while the Data Plane enforces those policies on network traffic.

C. The Control Plane is responsible for physical security, while the Data Plane manages digital assets.

D. The Control Plane handles north-south traffic, while the Data Plane manages east-west traffic.

A

Correct Answer: B

Explanation: In a Zero Trust model, the Control Plane is responsible for defining security policies and making access decisions, while the Data Plane enforces these policies on actual network traffic and data flow.

3
Q

Question 23:

An organization has implemented a comprehensive security awareness program. Despite this, they experience a successful whaling attack where the CFO is tricked into transferring a large sum of money to a fraudulent account. During the incident response, which of the following should be the FIRST step in the “Lessons Learned” phase?

A. Conduct a root cause analysis of the incident.

B. Update the security awareness training materials.

C. Implement stricter email filters and verification processes.

D. Discipline the CFO for falling for the attack.

A

Correct Answer: A

Explanation: The first step should be to conduct a root cause analysis. This helps understand how the attack succeeded despite existing measures, informing subsequent improvements to security processes and training.

01 - Conduct Root Cause Analysis

02 - Identify Vulnerabilities

03 - Update Security Processes

04 - Revise Training Programs

05 - Implement Improved Measures

4
Q

Question 24:

A security analyst is reviewing the following YAML configuration for a cloud-based security control:
```yaml
policy:
  enforce: true
  actions:
    - encrypt_data
    - log_access
  conditions:
    location: "!= internal_network"
    data_type: "sensitive"
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. The policy encrypts sensitive data when accessed from outside the internal network.

B. All data access is logged regardless of the user’s location.

C. The policy is applied only to data classified as sensitive.

D. Data encryption occurs for all access attempts, both internal and external.

E. The policy enforces encryption but does not log access for sensitive data.

A

Correct Answer: A, C

Explanation: The configuration enforces encryption and logging for sensitive data (C) when accessed from outside the internal network (A). It doesn’t apply to all data or all locations, and it does include logging, contrary to options B, D, and E.

5
Q

Question 25:

In the context of physical security measures, which of the following combinations would be most effective in preventing tailgating at a high-security facility’s main entrance?

A. Bollards and fencing

B. Access control vestibule and pressure sensors

C. Video surveillance and lighting

D. Security guard and access badges

A

Correct Answer: B

Explanation: An access control vestibule (mantrap) combined with pressure sensors is the most effective in preventing tailgating. The vestibule ensures only one person enters at a time, while pressure sensors can detect if more than one person is present in the

6
Q

Question 26:

A company implements a new security awareness program focusing on social engineering threats. Which of the following metrics would be MOST effective in measuring the program’s impact on the organization’s security posture?

A. Number of employees who completed the training

B. Reduction in successful phishing attempts reported by the IT department

C. Increase in password complexity across user accounts

D. Frequency of security policy updates

A

Correct Answer: B

Explanation: The reduction in successful phishing attempts directly measures the effectiveness of the social engineering awareness program. It shows the practical application of the knowledge gained, unlike options A, C, and D, which don’t directly correlate with improved resilience against social engineering threats.

7
Q

Question 27:

A security team is implementing a new intrusion detection system (IDS) in their network. They want to ensure it can detect both known and unknown threats while minimizing false positives. Which TWO of the following configurations would be most effective in achieving this goal?

A. Implement signature-based detection for known threats.

B. Enable anomaly-based detection for identifying unusual network behavior.

C. Configure the IDS to block all traffic from external networks.

D. Set up honeypots within the network to attract and study potential attackers.

E. Disable all alerts for internal network traffic.

A

Correct Answer: A, B

Explanation: Signature-based detection (A) effectively identifies known threats, while anomaly-based detection (B) can catch unknown or zero-day threats by identifying unusual behavior. This combination provides comprehensive coverage while minimizing false positives.

8
Q

Question 28:

An organization is implementing a Zero-Trust architecture. Which of the following best describes how the principle of least privilege should be applied in this context?

A. Grant users full access to all resources and monitor their activities closely.

B. Provide access to all resources but require multi-factor authentication for each access attempt.

C. Grant minimal access rights necessary for users to perform their job functions and regularly review these permissions.

D. Deny all access requests by default and manually approve each request as needed.

A

Correct Answer: C

Explanation: In a Zero Trust model, the principle of least privilege means granting users only the minimum access rights needed for their roles (C). This approach reduces the attack surface while still allowing necessary functionality, unlike the other options which are either too permissive or

9
Q

Question 9:
A security analyst is reviewing the following log entry from a web application firewall:

```json
{
  "timestamp": "2024-12-21T15:30:22Z",
  "source_ip": "203.0.113.15",
  "request_uri": "/admin/config.php?action=view&id=1 OR 1=1",
  "user_agent": "Mozilla/5.0",
  "status_code": 403
}
```

What type of attack was likely attempted, and what was the outcome?

A. Cross-Site Scripting (XSS) attack, successfully blocked

B. SQL Injection attempt, successfully blocked

C. Directory Traversal attack, the attack succeeded

D. Buffer Overflow exploit, attack

A

Correct Answer: B

Explanation: The log shows an SQL Injection attempt (“OR 1=1” in the URI) which was blocked by the firewall (status code 403 indicates “Forbidden”). This demonstrates successful mitigation of a common web application

10
Q

Question 20:
A security analyst is reviewing the following YAML configuration for a cloud-based access control policy:
```yaml
policy:
  name: "Sensitive_Data_Access"
  rules:
    - condition:
        user_group: "executives"
        time: "business_hours"
      allow: true
    - condition:
        data_classification: "confidential"
        location: "!= office_network"
      allow: false
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. Executives can access sensitive data only during business hours.
B. All users are denied access to confidential data from outside the office network.
C. The policy allows unrestricted access to sensitive data for executives.
D. Non-executive users can access confidential data from the office network.
E. The policy prevents all remote access to company data.

A

Correct Answer: A, B

Explanation: The configuration allows executives to access sensitive data during business hours (A) and denies access to confidential data from outside the office network for all users (B).

It doesn’t grant unrestricted access to executives, doesn’t specifically allow non-executives to access confidential data on-site, and doesn’t prevent all remote

11
Q

Question 21:

An organization is implementing a comprehensive third-party risk management program. Which of the following actions would be MOST effective in continuously monitoring and mitigating risks associated with third-party vendors?

A. Conducting annual security audits of all third-party vendors.

B. Implementing real-time monitoring of third-party access to internal systems.

C. Requiring vendors to sign a yearly compliance statement.

D. Limiting all third-party access to non-critical systems only.

A

Correct Answer: B

Explanation: Real-time monitoring of third-party access provides continuous visibility into potential risks and allows for immediate response to suspicious activities.

This approach is more effective than periodic audits, compliance statements, or blanket access restrictions in managing ongoing third-party risks.

12
Q

Question 22:

In the context of deception and disruption technologies, which of the following best describes the primary difference between a honeypot and a honeytoken?

A. A honeypot is a physical decoy system, while a honeytoken is a virtual decoy.

B. A honeypot contains real data, while a honeytoken contains fake data.

C. A honeypot is a network of decoy systems, while a honeytoken is a single decoy file or resource.

D. A honeypot is used for external threats, while a honeytoken is used for internal threats only.

A

Correct Answer: C

Explanation: A honeypot is typically a decoy system or network designed to attract attackers, while a honeytoken is a specific piece of fake data (like a database entry or file) used to detect unauthorized access or data breaches. The key difference is in their scope and implementation.

13
Q

Question 23:

A security analyst is reviewing the following intrusion detection system (IDS) rule:

```
alert tcp any any -> 192.168.1.0/24 80 (msg:"Potential SQL Injection"; content:"%27"; sid:1000001;)
```

Which TWO of the following statements accurately describe the functionality of this rule?

A. It generates an alert for all HTTP traffic to the 192.168.1.0/24 network.

B. The rule detects potential SQL injection attempts containing a single quote (%27).

C. It blocks all traffic containing the string “%27” to port 80.

D. The rule applies to both incoming and outgoing traffic on the network.

E. It only alerts on TCP traffic destined for port 80 on the specified network.

A

Correct Answer: B, E

Explanation: The rule detects potential SQL injection attempts by looking for the encoded single quote (%27) in TCP traffic (B) specifically destined for port 80 on the 192.168.1.0/24 network (E). It doesn’t block traffic or apply to all HTTP traffic, and it’s not bidirectional.

14
Q

Question 24:

In the context of cloud security and shared responsibility models, which of the following is typically the cloud service provider’s responsibility in a Platform as a Service (PaaS) deployment?

A. Configuring application-level access controls.

B. Patching and updating the underlying operating system.

C. Encrypting data at rest within the application.

D. Managing user authentication for custom applications.

A

Correct Answer: B

Explanation: In a PaaS model, the cloud service provider is typically responsible for maintaining and patching the underlying infrastructure, including the operating system.

The customer is responsible for the applications and data, including access controls, encryption, and user

15
Q

Question 25:

An organization is implementing a new security awareness training program. Which of the following metrics would be MOST effective in measuring the long-term impact of the program on the organization’s security posture?

A. Number of employees who completed the training modules

B. Average score on post-training quizzes

C. Reduction in successful social engineering attacks over time

D. Increase in reported security incidents by employees

A

Correct Answer: C

Explanation: A reduction in successful social engineering attacks over time directly demonstrates the effectiveness of the awareness program in improving the organization’s security posture. This metric shows practical application of knowledge, unlike completion rates or quiz scores, and is more indicative of positive change than an increase in reported incidents.

16
Q

Question 26:

Your organization is implementing a zero trust architecture. You’re tasked with configuring the control plane for a critical application. Which two of the following JSON configurations would best align with zero trust principles? (Choose two)
```json
{
  "authentication": "multi-factor",
  "authorization": "least-privilege",
  "data_encryption": "end-to-end",
  "network_segmentation": "micro-segmentation",
  "monitoring": "continuous"
}
```

Options:

A. “authentication”: “multi-factor” and “authorization”: “role-based”

B. “data_encryption”: “end-to-end” and “network_segmentation”: “micro-segmentation”.

C. “authentication”: “single-factor” and “monitoring”: “periodic”.

D. “authorization”: “least-privilege” and “monitoring”: “continuous”.

E. “network_segmentation”: “perimeter-based” and “data _encryption”: “at-rest-only”.

A

Correct Answer: B, D

Explanation: In a zero trust model, end-to-end encryption (B) ensures data security throughout its lifecycle, while micro-segmentation (B) minimizes the attack surface. Least-privilege authorization (D) and continuous monitoring (D) are also crucial zero trust principles, providing strict access control and real-time threat detection.

17
Q

Question 27:

During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. Which of the following represents the most effective corrective control to address this vulnerability?

A. Implement a web application firewall (WAF).

B. Conduct regular penetration testing.

C. Use prepared statements and parameterized queries in the application code.

D. Encrypt the database.

A

Correct Answer: C

Explanation: Using prepared statements and parameterized queries is the most effective way to prevent SQL injection attacks by separating SQL logic from user input, making it impossible for malicious input to alter the query’s intent.

18
Q

Question 28:

Your incident response team has detected a potential data breach. Upon investigation, they discover the following log entry:

```
2023-05-15 02:34:18 UTC [192.168.1.100] POST /api/data HTTP/1.1 200 {"action":"exfiltrate", "destination":"10.20.30.40", "size":"1.5GB"}
```

Which of the following best describes the next step in the incident response process?

A. Eradication: Remove the malicious actor from the system

B. Recovery: Restore affected systems to normal operation

C. Containment: Isolate the affected systems and block the destination IP

D. Lessons Learned: Document the incident for future reference

A

Correct Answer: C

Explanation: The log shows active data exfiltration. The immediate next step should be containment, isolating affected systems and blocking the destination IP (10.20.30.40) to prevent further data loss, aligning with the incident response process.

19
Q

Question 29:

Your organization is implementing a new cloud-based security information and event management (SIEM) system. Which two of the following configurations would best align with both zero trust principles and effective security monitoring? (Choose two)

```yaml
siem_config:
  data_ingestion:
    sources: ["network_logs", "application_logs", "auth_logs"]
  authentication:
    method: "multi_factor"
  access_control:
    model: "least_privilege"
  encryption:
    data_at_rest: "AES-256"
    data_in_transit: "TLS 1.3"
  alert_mechanism:
    type: "real-time"
```

Options:

A. data_ingestion sources and real_time alert mechanism

B. multi_factor authentication and least_privilege access control

C. AES-256 encryption for data at rest and TLS 1.3 for data in transit

D. network_logs as the sole data source and periodic alert mechanism

E. single_factor authentication and role-based access control

A

Correct Answer: A, B

Explanation: Comprehensive data ingestion (A) enables effective security monitoring, while real-time alerts (A) allow for quick threat response.

Multi-factor authentication (B) and least-privilege access control (B) are core zero trust principles, enhancing security in the cloud environment.

20
Q

Question 30:

During a security assessment, you discover that an employee’s access badge was used to enter a restricted area outside of normal business hours. Upon further investigation, you find that the employee was on vacation at the time. Which of the following best describes this situation in terms of security controls and potential threats?

A. A failure of a detective control, indicating a possible insider threat

B. A successful implementation of a corrective control, mitigating a social engineering attack

C. An example of a compensating control, addressing a physical security vulnerability

D. A breakdown of a preventive control, suggesting a potential tailgating incident

A

Correct Answer: A

Explanation: This scenario demonstrates a failure of a detective control (access logs). The unauthorized use of the badge during the employee’s absence indicates a possible insider threat or stolen credentials, which the system detected but did not prevent.

21
Q

Question 31:

Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent cross-site scripting (XSS) attacks?

A. Implement strong encryption for all data transmissions

B. Use prepared statements for database queries

C. Apply input validation and output encoding

D. Enable HTTP Strict Transport Security (HSTS)

A

Correct Answer: C

Explanation: Input validation and output encoding are the most effective methods to prevent XSS attacks. They ensure that user input is properly sanitized before processing and that any output to the browser is properly encoded to prevent script

22
Q

Question 32:

Your organization is implementing a new security awareness training program. You want to assess its effectiveness using metrics. Which two of the following metrics would best indicate the program’s success in improving the organization’s security posture? (Choose two)

Options:

A. Number of employees who completed the training

B. Reduction in successful phishing attempts

C. Increase in reported suspicious emails

D. Number of security policy violations

E. Time taken to complete the training modules

A

Correct Answer: B, C

Explanation: A reduction in successful phishing attempts (B) directly shows improved employee vigilance. An increase in reported suspicious emails (C) indicates heightened awareness and proactive security behavior. Both metrics demonstrate the practical application of the training, unlike completion rates or time spent, which don’t necessarily reflect improved security practices.

23
Q

Question 23:

You’re reviewing the following YAML configuration for a cloud-based application:

```yaml
security:
  authentication:
    method: "OAuth2.0"
    mfa: true
  authorization:
    type: "RBAC"
  data_protection:
    encryption: "AES-256"
    key_management: "HSM"
```

Which security principle does this configuration best exemplify?

A. Least privilege

B. Defense in depth

C. Separation of duties

D. Non-repudiation

A

Correct Answer: B

Explanation: This configuration demonstrates defense in depth by implementing multiple layers of security.
It includes strong authentication (OAuth2.0 with MFA), authorization (RBAC), and data protection (encryption with secure key management), creating a multi-layered security approach.

24
Q

Question 34:

During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. The development team suggests implementing input validation as a solution. Which of the following represents a potential limitation of this approach?

A. It may introduce significant performance overhead

B. It could lead to false positives, blocking legitimate queries

C. It doesn’t address the root cause of the vulnerability

D. It requires constant updates to the validation rules

A

Correct Answer: C

Explanation: While input validation is beneficial, it doesn’t address the root cause of SQL injection vulnerabilities, which is the improper handling of user input in SQL queries. A more comprehensive solution would involve using parameterized queries or prepared statements to fundamentally prevent SQL

25
Q

Question 35:

Your organization is implementing a new security architecture. You’re reviewing the following JSON configuration for a critical system:
```json
{
  "network": {
    "segmentation": "micro",
    "encryption": "end-to-end"
  },
  "access": {
    "authentication": "mfa",
    "authorization": "just-in-time"
  },
  "monitoring": "continuous"
}
```
Which two principles of zero trust are best represented by this configuration? (Choose two)

A. Assume breach

B. Verify explicitly

C. Use least privilege access

D. Implement defense in depth

E. Trust but verify

A

Correct Answer: A, B

Explanation: The configuration exemplifies “Assume breach” (A) through micro-segmentation and continuous monitoring, preparing for potential compromises.

“Verify explicitly” (B) is demonstrated by multi-factor authentication and just-in-time authorization, ensuring thorough verification before granting access.

26
Q

Question 36:

During a security assessment, you discover an employee using a deception technology that creates fake network shares containing seemingly sensitive information. Which of the following best describes this technology and its primary purpose?

A. Honeypot - to detect and analyze potential insider threats.

B. Honeytoken - to track unauthorized access attempts.

C. Honeynet - to simulate a complete network environment.

D. Honeyfile - to identify and alert on potential data exfiltration.

A

Correct Answer: D

Explanation: This scenario describes a honeyfile, which is a fake file or document planted to attract attention and trigger alerts when accessed. Its primary purpose is identifying potential data exfiltration attempts or unauthorized access to sensitive information.

27
Q

Question 37:

Your organization is developing its incident response plan. The CEO insists on immediately shutting down all systems at the first sign of a breach. As the security lead, which of the following responses best addresses this approach while aligning with incident response best practices?

A. Agree with the CEO, as shutting down systems quickly prevents further damage.

B. Suggest a staged shutdown process to maintain some operational capacity.

C. Recommend against immediate shutdown, proposing instead to isolate and investigate affected systems first.

D. Advise creating multiple plans for different scenarios, each with predefined shutdown criteria.

A

Correct Answer: C

Explanation: Immediate shutdown can destroy valuable evidence and disrupt business operations unnecessarily.
Best practices involve isolating affected systems, preserving evidence, and conducting a thorough investigation to understand the breach’s scope and nature before taking drastic measures like complete shutdown.

28
Q

Question 38:
Your organization is implementing a new physical security system. You’re reviewing the following YAML configuration:

```yaml
entrance:
  primary:
    - access_control_vestibule
    - badge_reader
  secondary:
    - biometric_scanner
perimeter:
  - bollards
  - fencing
  - infrared_sensors
monitoring:
  - CCTV
  - security_guards
```

Which two physical security principles are best exemplified by this configuration?
(Choose two)

A. Defense in depth

B. Principle of least privilege

C. Separation of duties

D. Deterrence

E. Non-repudiation

A

Correct Answer: A, D

Explanation: Immediate shutdown can destroy valuable evidence and disrupt business operations unnecessarily.
Best practices involve first isolating affected systems, preserving evidence, and conducting a thorough investigation to understand the breach’s scope and nature before taking drastic measures like complete shutdown.

29
Q

Question 39:

During a third-party risk assessment, you discover that a critical vendor has recently suffered a data breach. The vendor claims they’ve addressed the issue, but you’re concerned about potential ongoing risks. Which of the following actions would be most appropriate in this situation?

A. Immediately terminate the contract with the vendor.

B. Require the vendor to undergo an independent security audit.

C. Increase monitoring of the vendor’s access to your systems.

D. Accept the vendor’s assurance and continue business as usual.

A

Correct Answer: B

Explanation: Requiring an independent security audit is the most appropriate action. It provides an objective assessment of the vendor’s security posture post-breach, helping to verify their claims and identify any remaining vulnerabilities or risks that could affect your organization.

30
Q

Question 40:

You’re analyzing a recent security incident where an attacker gained unauthorized access to sensitive data. The investigation reveals that the attacker exploited a vulnerability in an outdated software component. Which of the following best describes the control that failed in this scenario?

A. Detective control

B. Corrective control

C. Compensating control

D. Preventive control

A

Correct Answer: D

Explanation: This scenario indicates a failure of a preventive control. Keeping software up-to-date and patching known vulnerabilities are preventive measures designed to stop unauthorized access before it occurs. The exploitation of an outdated software component suggests that this preventive control was not properly implemented or maintained.

31
Q

Question 41:

Your organization is implementing a new cloud-based security solution. You’re reviewing the following JSON configuration:
```json
{
  "data_protection": {
    "encryption": "AES-256",
    "key_management": "BYOK"
  },
  "access_control": {
    "authentication": "MFA",
    "authorization": "ABAC"
  },
  "monitoring": {
    "log_analysis": "AI-powered",
    "alert_mechanism": "real-time"
  }
}
```
Which two security principles are best exemplified by this configuration? (Choose two)

A. Principle of least privilege

B. Defense in depth

C. Separation of duties

D. Zero trust

E. Non-repudiation

A

Correct Answer: B, D

Explanation:

This scenario indicates a failure of a preventive control. Keeping software up-to-date and patching known vulnerabilities are preventive measures designed to stop unauthorized access before it occurs. The exploitation of an outdated software component suggests that this preventive control was not properly implemented or maintained.

32
Q

Question 42:

During a security assessment, you discover that an employee fell victim to a sophisticated phishing attack that mimicked a trusted partner’s email. The attacker gained access to sensitive data by exploiting the trust relationship.
Which of the following best describes this type of attack?

A. Whaling
B. Vishing
C. Spear phishing
D. Business Email Compromise

A

Correct Answer: D

Explanation: This scenario describes a Business Email Compromise (BEC) attack. BEC attacks typically involve impersonating a trusted partner or executive to exploit established business relationships and processes, often leading to unauthorized access to sensitive data or fraudulent financial transactions.

33
Q

Question 43:

Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent Server-Side Request Forgery (SSRF) attacks?

A. Implement input validation on all user-supplied URLs

B. Use prepared statements for all database queries

C. Enable Content Security Policy (CSP) headers

D. Implement OAuth 2.0 for authentication

A

Correct Answer: A

Explanation: To prevent SSRF attacks, implementing strict input validation on all user-supplied URLs is crucial.
This includes validating and sanitizing any user input that could be used to make server-side requests, ensuring that only intended and safe URLs are processed by the server.

34
Q

Question 44:

A security analyst is reviewing the following YAML configuration snippet from a Zero Trust implementation:

```yaml
control_plane:
  authentication:
    mfa_required: true
    session_timeout: 1800
  data_access:
    default_deny: true
    just_in_time: enabled
```
Which TWO of the following accurately describe the security implications of this configuration? (Choose TWO)
Options:

A. The configuration enforces a 30-minute session timeout for authenticated users.

B. All data access requests are denied by default unless explicitly permitted.

C. Multi-factor authentication is optional for high-privilege accounts.

D. Just-in-time access provisioning is disabled for resource requests.

E. The control plane operates in a legacy trust-but-verify model.

A

Correct Answer: A, B

Explanation: The configuration shows MFA requirement (true), session timeout of 1800 seconds (30 minutes), and default deny with JIT access enabled. Options A and B directly correspond to these settings - 1800 seconds equals 30 minutes timeout, and default_deny: true implements zero-trust’s principle of denying all access by default.

35
Q

Question 45:

During a security audit, an analyst discovers that despite having standard security controls, sensitive data was exfiltrated. Upon investigation, it’s found that an attacker used a file that appeared legitimate but contained a beacon to track access. Which deception technology was likely deployed by the attacker, and what’s the MOST appropriate countermeasure?
Options:

A. Honeytoken; Implement file integrity monitoring

B. Honeypot; Deploy network segmentation

C. Honeyfile; Enable enhanced logging

D. Honeynet; Increase IDS sensitivity

A

Correct Answer: A

Explanation: A honeytoken is a tracked digital entity (like a file) used to detect unauthorized access. The scenario describes a honeytoken being used maliciously. File integrity monitoring would detect modifications and access to such files, making it the most effective

36
Q

Question 46:

An organization implements the following IoC detection rule:
```json
{
  "alert_type": "high",
  "match": {
    "process_name": "svchost.exe",
    "network_conn": "*.onion",
    "parent_process": "!"
  }
}
```

Which of the following attacks is this rule MOST likely designed to detect?

Options:

A. DNS tunneling attack

B. Tor-based malware communication

C. SQL injection attempt

D. Pass-the-hash attack

A

Correct Answer: B

Explanation: The rule monitors svchost.exe making connections to .onion domains (the Tor network) with an unusual parent process. This pattern typically indicates malware using the Tor network for command and control communication, making option B correct.

37
Q

Question 47:

A security analyst is investigating multiple failed authentication attempts across different systems. The following pattern is observed in the logs:
```json
{
  "auth_type": "basic",
  "attempts": ["admin", "root", "system"],
  "timing": "0.5s_interval",
  "source_ips": ["rotating"]
}
```

Which TWO of the following controls would be MOST effective in mitigating this attack? (Choose TWO)
Options:
A. Implement account lockout after three failed attempts

B. Enable password complexity requirements

C. Deploy adaptive multi-factor authentication

D. Configure SSL certificate validation

E. Enable verbose logging on all systems

A

Correct Answer: A, C

Explanation: The pattern shows automated password attacks using common admin accounts with rapid attempts from rotating IPs.

Account lockout (A) prevents brute force attempts, while adaptive MFA (C) adds an additional authentication layer that automated tools can’t easily bypass.

38
Q

Question 48:

During a physical security assessment of a data center, an auditor notices that the facility has implemented bollards, security guards, and microwave sensors, but employees frequently hold doors open for others. Which security control principle is being violated, and what type of control is MOST needed?
Options:

A. Defense in depth; Corrective control

B. Separation of duties; Detective control

C. Principle of least privilege; Preventive control

D. Zero trust; Directive control

A

Correct Answer: D

Explanation: The scenario shows a breakdown of zero trust principles where physical access is granted based on courtesy rather than verification. A Directive control (security policies and training) is needed to address the human behavior undermining existing security measures.

39
Q

Question 49:
A security team discovers unusual network traffic with the following characteristics:

```yaml
traffic:
  destination: internal_servers
  protocol: ICMP
  size: oversized
  frequency: periodic
  content: encrypted
```

What type of attack is MOST likely occurring?
Options:
A. DNS Cache Poisoning

B. ICMP Tunneling

C. ARP Spoofing

D. TCP SYN Flood

A

Correct Answer: B

Explanation: The traffic pattern shows oversized ICMP packets with encrypted content and periodic frequency, classic indicators of ICMP tunneling where ICMP protocol is misused to create a covert channel for data exfiltration.

40
Q

Question 40:
During a security incident, the following deception technology configuration was active:

```yaml
deception:
  type: honeynet
  services:
    - ssh_emulation
    - web_admin
  logging: enhanced
  alert_threshold: low
```

Which TWO of the following accurately describe the purpose and effectiveness of this configuration? (Choose TWO)
Options:

A. It primarily prevents lateral movement within the network

B. It provides early warning of attacker techniques and tactics

C. It automatically blocks all suspicious connections

D. It ensures data integrity of production systems

E. It captures detailed information about attack patterns

A

Correct Answer: B, E

Explanation:

The honeynet configuration with enhanced logging and multiple emulated services is designed for early attack detection (B) and detailed attack pattern analysis (E).

The low alert threshold and service emulation focus on intelligence gathering rather than prevention or blocking.

41
Q

In implementing a Zero Trust architecture, which of the following best represents the fundamental principle of the Data Plane?

Options:
A. Manages authentication and authorization decisions.
B. Handles the actual movement of data packets.
C. Implements security policies and procedures.
D. Monitors user access patterns.

A

**Correct Answer: B**

Explanation: The Data Plane in Zero Trust architecture is responsible for the actual movement and processing of data packets after access decisions have been made by the Control Plane.

42
Q

In a complex network scenario, an organization needs to ensure that sensitive data stored in the cloud is protected. Which two measures should be implemented?

Options:
A. Data loss prevention (DLP) policies
B. Regular security audits
C. Multi-factor authentication (MFA)
D. Data encryption at rest and in transit
E. Intrusion detection systems (IDS)

A

**Correct Answer: D, A**

Explanation: Implementing data encryption and DLP policies ensures that sensitive data is protected both when stored and when transmitted.

Data Protection Strategies

Encrypted database storage
– Safeguards stored data using encryption techniques.

Secure email encryption
– Protects data in transit through robust encryption methods.

DLP policy implementation
– Prevents data loss by enforcing DLP policies on stored data.

Secure file transfer protocols
– Ensures secure transmission of data using DLP strategies.

43
Q

Implementing secure authentication mechanisms is crucial for maintaining system integrity. You are tasked with configuring a multi-factor authentication (MFA) solution using OAuth 2.0 for your organization’s web application.
```json
{
  "auth_mechanism": "OAuth 2.0",
  "factors": [
    {
      "factor_id": "email",
      "description": "Email verification"
    },
    {
      "factor_id": "top",
      "description": "One-time password via SMS"
    }
  ]
}
```

Options:
A. Use the ‘auth_mechanism’ field to specify OAuth 2.0.
B. Set up email as a factor for authentication.
C. Enable one-time passwords (OTP) through SMS as an additional factor.
D. Configure biometric factors like fingerprint scans.
E. Integrate with third-party MFA providers.

A

**Correct Answer: A, B, C**

Explanation: The ‘auth_mechanism’ field must specify OAuth 2.0 for the MFA solution. Email and OTP via SMS are valid factors that can be configured as part of the MFA process.

Multi-Factor Authentication Setup

Specify OAuth 2.0
– Set the "auth_mechanism" field to OAuth 2.0

Configure Email Factor
– Set up email as an authentication factor

Enable SMS OTP
– Enable one-time passwords via SMS

44
Q

You need to secure a web application from common attack vectors like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Which of the following measures should you implement?

Options:
A. Use parameterized queries in database interactions.
B. Implement input validation for all user inputs.
C. Set up a Content Security Policy (CSP) header.
D. Regularly update server software to patch known vulnerabilities.
E. Disable HTTP access logs.

45
Q

In a complex network scenario, an organization needs to ensure that only authorized users from specific departments can access certain resources. Which two strategies should be implemented?

Options:
A. Enforcing multi-factor authentication (MFA) for all users.
B. Implementing role-based access control (RBAC).
C. Regularly changing default passwords.
D. Deploying a web application firewall (WAF).
E. Conducting security awareness training.

A

**Correct Answer: B, A**

Explanation: Role-based access control ensures that only authorized users have access to specific resources based on their roles within the organization. Multi-factor authentication adds an extra layer of security by requiring more than one method of verification.

Enhancing Security with MFA and RBAC Systems

Multi-Factor Authentication
– Adds an extra layer of security by requiring multiple verification methods.

Role-Based Access Control
– Restricts resource access based on user roles within the organization.

46
Q

Your organization is transitioning to a Zero Trust Architecture.
You are asked to implement least privilege access controls for a critical application.
```json
{
  "access_control": {
    "application_id": "app1",
    "permissions": [
      {"user_role": "admin", "allowed_actions": ["read", "write"]},
      {"user_role": "viewer", "allowed_actions": ["read"]}
    ]
  }
}
```

Options:
A. Assign admin role to all users.
B. Restrict access based on user roles and necessary permissions.
C. Allow read/write actions for everyone.
D. Grant write-only permissions to users who need them.
E. Remove all permissions and re-evaluate every request.

A

**Correct Answer: B, D**

Explanation: Least privilege requires granting only the minimum necessary permissions; the admin role should have both read and write access while viewers should have only read access. Write-only permissions can be granted as needed but must align with the principle of least privilege.

52
Q

A company is configuring a multi-factor authentication system for its remote employees using Azure Active Directory (Azure AD). The configuration requires setting up an application proxy and configuring the authentication settings.
```json
{
  "settings": {
    "applicationProxy": true,
    "authenticationMethods": [
      "mfa",
      "SMS"
    ]
  }
}
```
Options:

A. Enable Azure AD Application Proxy.
B. Disable multi-factor authentication for remote access.
C. Configure the SMS as an additional MFA method.
D. Set up a custom domain for email services.
E. Disable application proxy and use on-premises servers only.

A

**Correct Answer: A, C**

Explanation: To enable multi-factor authentication (MFA) with Azure AD Application Proxy for remote employees, the application proxy must be enabled and SMS must be configured as an additional MFA method.

How to enable MFA with Azure AD Application Proxy?

Enable Application Proxy
– This choice allows for secure remote access to applications.

Configure SMS MFA
– This choice adds a layer of security through SMS verification.

53
Q

An organization has a policy that requires all data transmitted between their web server and clients to be encrypted. They are using HTTPS but want to implement stronger security measures.
```json
{
  "settings": {
    "sslVersion": "TLSv1.3",
    "cipherSuite": [
      "ECDHE-ECDSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES256-GCM-SHA384"
    ]
  }
}
```

Options:
A. Upgrade SSL/TLS version to TLS 1.3.
B. Use weaker encryption ciphers like AES128.
C. Disable HTTP Strict Transport Security (HSTS).
D. Configure a reverse proxy for load balancing.
E. Enable plaintext fallbacks.

A

**Correct Answer: A**

Explanation: To enhance the security of data transmitted between the web server and clients, upgrading the SSL/TLS version to TLS 1.3 is necessary as it provides better security compared to older versions.

Enhancing Web Server Security with TLS 1.3

Security Protocols
– Vulnerabilities in older protocols
– Outdated encryption methods

Client-Server Communication
– Intercepted data transmissions
– Man-in-the-middle attacks

Data Encryption
– Lack of forward secrecy
– Weak cipher suites

Compliance Standards
– Industry best practices
– Regulatory requirements

54
Q

A network administrator needs to secure a remote access solution that involves multiple layers of authentication and encryption for securing communications.

Options:
A. Use SSH with public key authentication.
B. Implement a simple username/password login.
C. Configure WPA2 on the Wi-Fi network for better security.
D. Enable two-factor authentication (2FA) using RSA tokens.
E. Disable all non-essential services to minimize attack surface.

A

**Correct Answer: A, D**

Explanation: For securing remote access with multiple layers of authentication and encryption, using SSH with public key authentication and enabling two-factor authentication using RSA tokens are recommended practices as they provide strong security measures.

Securing Remote Access
– Initiate SSH Connection
– Authenticate with Public Key
– Enable Two-Factor Authentication
– Access Granted

55
Q

In a recent update of CompTIA Security+ (SY0-701), which two-factor authentication methods are now emphasized as critical for securing network access?

Options:
A. Biometric Fingerprint Scanning and USB Tokens
B. SMS One-Time Password (OTP) and FIDO2
C. Email Verification and Smart Cards
D. Physical Keys and Static Passwords
E. QR Code Authentication and Bluetooth Low Energy Tags

A

**Correct Answer: B**

Explanation: The current CompTIA Security+ exam highlights the importance of modern authentication methods like SMS OTP and FIDO2 for secure network access.

Choose the most secure authentication method for network access
SMS OTP
– Provides temporary access with mobile verification
FIDO2
– Offers passwordless and phishing-resistant authentication

56
Q

An organization needs to implement a threat intelligence platform. Which two components should be prioritized based on current CISSP exam standards?

Options:
A. Web filtering
B. User behavior analytics (UBA)
C. Intrusion detection systems (IDS)
D. Security information and event management (SIEM)
E. Antivirus software

A

**Correct Answer: B, D**

Explanation: UBA and SIEM are critical for advanced threat detection and monitoring.

Cycle of Threat Detection and Monitoring
– Analyze User Behavior –> Collect Security Data –> Correlate Events –> Detect Threats –> Monitor Continuously

57
Q

A company is configuring its network to enhance security. Which two protocols should be used to secure file transfers over the internet?

Options:

A. HTTP
B. HTTPS
C. FTP
D. SFTP
E. SMTP

A

**Correct Answer: B, D**

Explanation: Secure Hypertext Transfer Protocol (HTTPS) and Secure File Transfer Protocol (SFTP) ensure data integrity and confidentiality during file transfers.

Ensuring Secure Data Transfers

HTTPS
– Protects data integrity and confidentiality in web communications

SFTP
– Secures file transfers by encrypting data during transit

58
Q

The network administrator needs to configure a firewall rule for a new application server that requires outbound traffic only to a specific external IP address. Which configuration should be used?

Options:
A. Allow all inbound traffic
B. Deny all inbound traffic
C. Allow all outbound traffic
D. Allow outbound traffic to <external_IP>
E. Deny outbound traffic

A

**Correct Answer: D**

Explanation: The rule should allow outbound traffic only to the specific external IP address.

Allowing Outbound Traffic to External IP

Outbound Rule
– Allows specific traffic

Enhanced Security
– Limits exposure to threats

59
Q

An organization is facing frequent phishing attacks. Which two strategies should be implemented to mitigate this risk?

Options:
A. Email Filtering
B. Strong password policies
C. Multi-factor authentication (MFA)
D. Regular patch management
E. Employee training

A

**Correct Answer: A, E**

Explanation: Implementing email filtering and providing regular employee training can significantly reduce the incidence of phishing attacks.

Reducing Phishing Attacks

Implement Email Filtering
– Block malicious emails

Conduct Employee Training
– Educate on phishing risks

60
Q

A company wants to implement a Zero Trust Architecture (ZTA) for its cloud services. Which two components are essential in ZTA?

Options:
A. Multi-factor authentication (MFA)
B. Network segmentation
C. Continuous monitoring
D. Intrusion detection systems (IDS)
E. Regular security audits

A

**Correct Answer: A, B**

Explanation: MFA and network segmentation are fundamental to Zero Trust Architecture, ensuring that only authorized entities can access resources.

Which security measure is essential for Zero Trust Architecture?
Multi-factor Authentication
– Ensures that only authorized users can access resources by requiring multiple forms of verification.

Network Segmentation
– Limits access to resources by dividing the network into smaller, controlled segments.

61
Q

During a security assessment, a security analyst discovers multiple instances where sensitive data is being transmitted between internal networks using an unencrypted protocol. The organization has a strict policy requiring encryption for all sensitive data transmission, but implementing encryption would require significant infrastructure changes. Which TWO control types would be most appropriate to implement immediately while planning for a long-term solution?

Options:
A. Detective controls to monitor data transmission patterns.
B. Compensating controls to provide alternative security measures.
C. Directive controls to enforce new security policies.
D. Corrective controls to fix the encryption issues.
E. Deterrent controls to discourage unauthorized access.

A

**Correct Answer: A, B**

Explanation: Detective controls monitor transmissions to identify potential breaches, while compensating controls provide alternative security measures when primary controls cannot be immediately implemented. These are most suitable as temporary solutions while planning infrastructure changes.