SYO-601 V40.65 Flashcards

Question 1

Q

A company would like to set up a secure way to transfer data between users via their mobile phones The company’s top priority is utilizing technology that requires users to be in as close proximity as possible to each other. Which of the following connection methods would BEST fulfill this need?
A. Cellular
B. NFC
C. Wi-Fi
D. Bluetooth

Answer

A

NFC (near field communication)

Question 2

Q

A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices Which of the following is a cost-effective approach to address these concerns?
A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off-site
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution

Answer

A

Migrate to a cloud backup solution

Question 3

Q

Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this BEST represent?
A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration

Answer

A

Continuous integration

Question 4

Q

During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HIIPS site requests are reverting to HTTP Which of the following BEST describes what is happening?
A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. ASSLILS downgrade

Answer

A

DNS hijacking to reroute traffic

Question 5

Q

Which of the following can be used by an authentication application to validate a user’s credentials without the need to store the actual sensitive data?
A. Salt string
B. Private Key
C. Password hash
D. Cipher stream

Answer

A

Password hash

Question 6

Q

Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS)
* Hostname: ws01
* Domain: comptia.org
* IPv4: 10.1.9.50
* IPV4: 10.2.10.50
* Root: home.aspx
* DNS CNAME:homesite.
Instructions:
Drag the various data points to the correct locations within the CSR. Extension criteria belong in the let hand column and values belong in the corresponding row in the right hand column.

Question 7

Q

Sales team members have been receiving threatening voicemail messages and have reported these incidents to the IT security team. Which of the following would be MOST appropriate for the IT security team to analyze?
A. Access control
B. Syslog
C. Session Initiation Protocol traffic logs
D. Application logs

Answer

A

Syslog
Syslogs are log files that are generated by devices on the network and contain information about network activity, including user logins, device connections, and other events. By analyzing these logs, the IT security team can identify the source of the threatening voicemail messages and take the necessary steps to address the issue

Question 8

Q

Which of the following environments can be stood up in a short period of time, utilizes either dummy data or actual data, and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time?
A. PoC
B. Production
C. Test
D. Development

Answer

A

PoC (Proof of Concept)
A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time. This environment can utilize either dummy data or actual data. References: CompTIA Security+ Certification Guide, Exam SY0-501

Question 9

Q

Graphical user interface, application Description automatically generated

A security administrator needs to add fault tolerance and load balancing to the connection from the file server to the backup storage. Which of the following is the best choice to achieve this objective?
A. Multipathing
B. RAID
C. Segmentation
D. 8021.1

Answer

A

Multipathing

Multipathing is a technique that allows multiple physical paths or network connections between two endpoints. It provides fault tolerance by creating redundant paths, ensuring that if one path fails or becomes unavailable, the traffic can automatically be rerouted through an alternate path.

Question 10

Q

An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled. Which of the following can be used to accomplish this task?
A. Application allow list
B. Load balancer
C. Host-based firewall
D. VPN

Answer

A

Host-based firewall

A host-based firewall is a software application that runs on each individual host and controls the incoming and outgoing network traffic based on a set of rules. A host-based firewall can be used to block or allow specific ports, protocols, IP addresses, or applications.
An engineer can use a host-based firewall to accomplish the task of disabling all web-server ports except 443 on a group of 100 web servers in a cloud environment. The engineer can configure the firewall rules on each web server to allow only HTTPS traffic on port 443 and deny any other traffic. Alternatively, the engineer can use a centralized management tool to deploy and enforce the firewall rules across all web servers.

Question 11

Q

An organization is concerned about hackers potentially entering a facility and plugging in a remotely accessible Kali Linux box. Which of the following should be the first lines of defense against such an attack?
(Select TWO)
A. MAC filtering
B. Zero trust segmentation
C. Network access control
D. Access control vestibules
E. Guards
F. Bollards

Answer

A

NAC and Guards

Network access control (NAC) is a technique that restricts access to a network based on the identity, role, device, location, or other criteria of the users or devices. NAC can prevent unauthorized or malicious devices from connecting to a network and accessing sensitive data or resources.
Guards are physical security personnel who monitor and control access to a facility. Guards can prevent unauthorized or malicious individuals from entering a facility and plugging in a remotely accessible device.

Question 12

Q

A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords Which of the following should the network analyst enable to meet the requirement?
A. MAC address filtering
B. 802.1X
C. Captive portal
D. WPS

Answer

A

The correct answer is D, WPS.

Wi-Fi Protected Setup (WPS) is a feature that allows users to connect to a wireless network without having to enter a password. Instead, they can simply press a button on the router or enter a PIN code. This makes it much easier for users to connect to the network, and it also helps to improve security by making it more difficult for unauthorized users to access the network.

Question 13

Q

If a current private key is compromised, which of the following would ensure it cannot be used to decrypt ail historical data?
A. Perfect forward secrecy
B. Elliptic-curve cryptography
C. Key stretching
D. Homomorphic encryption

Answer

A

A. Perfect forward secrecy

Perfect forward secrecy would ensure that it cannot be used to decrypt all historical data. Perfect forward secrecy (PFS) is a security protocol that generates a unique session key for each session between two parties.
This ensures that even if one session key is compromised, it cannot be used to decrypt other sessions.

Question 14

Q

A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?
A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process

Answer

A

The Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis is a framework used for tracking and analyzing cyber threats. It focuses on understanding the adversary’s capabilities, infrastructure, and victims by examining four key elements: adversary, infrastructure, capability, and victim. This model helps the researcher in organizing and correlating data related to the attacker’s techniques, tactics, and procedures (TTPs) used during their attacks

Question 15

Q

As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?
A. Creating a playbook within the SOAR
B. Implementing rules in the NGFW
C. Updating the DLP hash database
D. Publishing a new CRL with revoked certificates

Answer

A

Creating a playbook within the SOAR

Creating a playbook within the Security Orchestration, Automation and Response (SOAR) tool would allow the security analyst to detect if an event is reoccurring by triggering automated actions based on the previous incident’s characteristics. This can help the SOC to respond quickly and effectively to the incident. References:
CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7: Incident Response, pp. 352-354

Question 16

Q

After installing a patch On a security appliance. an organization realized a massive data exfiltration occurred.
Which Of the following describes the incident?
A. Supply chain attack
B. Ransomware attack
C. Cryptographic attack
D. Password attack

Answer

A

Supply chain attack

A supply chain attack is a type of attack that involves compromising a trusted third-party provider or vendor and using their products or services to deliver malware or gain access to the target organization. The attacker can exploit the trust and dependency that the organization has on the provider or vendor and bypass their security controls. In this case, the attacker may have tampered with the patch for the security appliance and used it to exfiltrate data from the organization.

Question 17

Q

A security analyst receives an alert that indicates a user’s device is displaying anomalous behavior The analyst suspects the device might be compromised Which of the following should the analyst do first?
A. Reboot the device
B. Set the host-based firewall to deny an incoming connection
C. Update the antivirus definitions on the device
D. Isolate the device

Answer

A

Isolate the device

Isolating the device is the first thing that a security analyst should do if they suspect that a user’s device might be compromised. Isolating the device means disconnecting it from the network or placing it in a separate network segment to prevent further communication with potential attackers or malicious hosts. Isolating the device can help contain the incident, limit the damage or data loss, preserve the evidence, and facilitate the investigation and remediation.
References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://resources.infosecinstitute.com/topic/incident-response-process/

Question 18

Q

A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks. Which of the following will this practice reduce?
A. Dumpster diving
B. Shoulder surfing
C. Information elicitation
D. Credential harvesting

Answer

A

Dumpster diving

Crosscut shredders are used to destroy paper documents and reduce the risk of data leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents.
References:
CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2

Question 19

Q

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings?
A. The vulnerability scanner was not properly configured and generated a high number of false positives
B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

Answer

A

The vulnerability scanner was not properly configured and generated a high number of false positives

The most likely cause for the high number of findings is that the vulnerability scanner was not properly configured and generated a high number of false positives. False positive results occur when a vulnerability scanner incorrectly identifies a non-vulnerable system or application as being vulnerable. This can happen due to incorrect configuration, over-sensitive rule sets, or outdated scan databases.
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/

Question 20

Q

Which of the following is a solution that can be used to stop a disgruntled employee from copying confidential data to a USB drive?
A. DLP
B. TLS
C. AV
D. IDS

Answer

A

DLP (Data Loss Prevention)

DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration by disgruntled employees or external attackers by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, transfer, or upload sensitive data to a USB drive or other removable media based on predefined policies and rules.
References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp

Question 21

Q

An attacker replaces a digitally signed document with another version that goes unnoticed Upon reviewing the document’s contents the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?
A. Cryptomalware
B. Hash substitution
C. Collision
D. Phishing

Answer

A

Hash substitution

Hash substitution is an attack where an attacker replaces a digitally signed document with a modified version while keeping the original digital signature intact. In this case, the attacker modified the document by adding additional verbiage, but the author was unable to validate an integrity issue because the digital signature remained valid.

The digital signature provides integrity and authenticity to a document. It is generated by applying a cryptographic hash function to the document, creating a unique hash value, and encrypting that hash value with the private key of the signer. When the document is verified, the digital signature is decrypted with the corresponding public key, and the computed hash value of the document is compared to the decrypted hash value.

However, in the case of hash substitution, the attacker modifies the document, creating a different hash value, and then recalculates a new digital signature for the modified document using the same private key of the original signer. The modified document appears to be valid and retains the original digital signature, making it difficult to detect the tampering without additional checks.

Question 22

Q

Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset Link. Which of the attacks is being used to target the company?
A. Phishing
B. Vishing
C. Smishing
D. Spam

Answer

A

Smishing

Smishing is a type of phishing attack which begins with an attacker sending a text message to an individual.
The message contains social engineering tactics to convince the person to click on a malicious link or send sensitive information to the attacker. Criminals use smishing attacks for purposes like:
Learn login credentials to accounts via credential phishing
Discover private data like social security numbers
Send money to the attacker
Install malware on a phone
Establish trust before using other forms of contact like phone calls or emails Attackers may pose as trusted sources like a government organization, a person you know, or your bank. And messages often come with manufactured urgency and time-sensitive threats. This can make it more difficult for a victim to notice a scam.
Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to send and receive texts. If a certain phone number is flagged for spam, criminals can simply recycle it and use a new one.

Question 23

Q

Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public Which of the following security solutions would mitigate the risk of future data disclosures?
A. FDE
B. TPM
C. HIDS
D. VPN

Answer

A

FDE (full disk encryption)

Full disk encryption (FDE) is a security measure that encrypts all data on a hard drive, including the operating system, applications, and data files. This makes it much more difficult for unauthorized users to access the data on the drive, even if they have physical access to the device.

The other options are incorrect because they do not provide the same level of protection as FDE. TPM is a security chip that can be used to store encryption keys, but it does not encrypt the data on the drive itself. HIDS is a security system that monitors for malicious activity on a device, but it does not prevent unauthorized users from accessing the data on the drive. VPN is a security system that encrypts data as it is transmitted over a network, but it does not encrypt the data on the drive itself.

FDE is the best option for mitigating the risk of future data disclosures because it encrypts all data on the drive, including the operating system, applications, and data files. This makes it much more difficult for unauthorized users to access the data on the drive, even if they have physical access to the device.

Question 24

Q

A network analyst is investigating compromised corporate information. The analyst leads to a theory that network traffic was intercepted before being transmitted to the internet. The following output was captured on an internal host:

Based on the IoCS, which of the following was the MOST likely attack used to compromise the network communication?

Answer

A

ARP poisoning

ARP poisoning is a type of attack where an attacker sends forged ARP messages onto a local area network. This causes the network devices to update their ARP tables with the attacker’s MAC address instead of the correct MAC address. This allows the attacker to intercept network traffic that is intended for other devices on the network.

Question 25

Q

A company is concerned about individuals driving a car into the building to gain access. Which of the following security controls would work BEST to prevent this from happening?
A. Bollard
B. Camera
C. Alarms
D. Signage
E. Access control vestibule

Answer

A

Bollard

Bollards are posts designed to prevent vehicles from entering an area. They are usually made of steel or concrete and are placed close together to make it difficult for vehicles to pass through. In addition to preventing vehicles from entering an area, bollards can also be used to protect buildings and pedestrians from ramming attacks. They are an effective and cost-efficient way to protect buildings and pedestrians from unauthorized access.

Question 26

Q

A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel.
Which of the following attacks is being conducted?
A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS

Answer

A

Evil twin

The attack being conducted is an Evil twin attack. An Evil twin attack involves creating a rogue wireless access point (WAP) with the same Service Set Identifier (SSID) as a legitimate WAP to trick users into connecting to it. Once connected, the attacker can intercept traffic or steal login credentials. The successful login attempts with impossible travel times suggest that an attacker is using a stolen or compromised credential to access the external site to which the sensitive data is being downloaded. The non-standard DHCP configurations and overlapping channels of the WAPs suggest that the attacker is using a rogue WAP to intercept traffic. References: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and Vulnerabilities, 1.4 Compare and contrast types of attacks, p. 8

Question 27

Q

Which of the following BEST describes the team that acts as a referee during a penetration-testing exercise?
A. White team
B. Purple team
C. Green team
D. Blue team
E. Red team

Answer

A

White team

During a penetration testing exercise, the white team is responsible for acting as a referee and providing oversight and support to ensure that the testing is conducted safely and effectively. They may also be responsible for determining the rules and guidelines of the exercise, monitoring the progress of the teams, and providing feedback and insights on the strengths and weaknesses of the organization’s security measures

Question 28

Q

A security analyst must enforce policies to harden an MDM infrastructure. The requirements are as follows:
* Ensure mobile devices can be tracked and wiped.
* Confirm mobile devices are encrypted.
Which of the following should the analyst enable on all the devices to meet these requirements?
A. Geofencing
B. Biometric authentication
C. Geolocation
D. Geotagging

Answer

A

Geofencing

Geofencing is a technology used in mobile device management (MDM) to allow administrators to define geographical boundaries within which mobile devices can operate. This can be used to enforce location-based policies, such as ensuring that devices can be tracked and wiped if lost or stolen. Additionally, encryption can be enforced on the devices to ensure the protection of sensitive data in the event of theft or loss. References:
CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7

Question 29

Q

A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions should the administrator choose?
A. MAC filtering
B. Anti-malware
C. Translation gateway
D. VPN

Answer

A

VPN

A VPN (virtual private network) is a secure tunnel used to encrypt traffic and prevent unauthorized access to the internal network. It is a secure way to extend a private network across public networks, such as the Internet, and can be used to allow remote users to securely access resources on the internal network.
Additionally, a VPN can be used to prevent malicious traffic from entering the internal network.

Question 30

Q

Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Select TWO).
A. Mantraps
B. Security guards
C. Video surveillance
D. Fences
E. Bollards
F. Antivirus

Answer

A

Mantraps
Security guards

Question 31

Q

A security manager is attempting to meet multiple security objectives in the next fiscal year. The security manager has proposed the purchase of the following four items:
Vendor A:
1- Firewall
1-12 switch
Vendor B:
1- Firewall
1-12 switch
Which of the following security objectives is the security manager attempting to meet? (Select two).
A. Simplified patch management
B. Scalability
C. Zero-day attack tolerance
D. Multipath
E. Replication
F. Redundancy

Answer

A

Replication and Redundancy

Redundancy aims to ensure the availability and resilience of systems and data by having backup or alternative components or resources that can take over in case of a failure. By having duplicate firewalls and switches from different vendors, the security manager is creating redundancy for the network devices, reducing the risk of a single point of failure, and enhancing the overall availability of the network.

Replication aims to ensure the integrity and availability of data by creating copies or duplicates of the data across different locations or devices. By having two firewalls and two switches from different vendors, the security manager enables replication of the network traffic and data across different paths and devices, enhancing the resilience and fault tolerance of the network.

Question 32

Q

A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Select three).
A. Install DLP software to prevent data loss.
B. Use the latest version of software.
C. Install a SIEM device.
D. Implement MDM.
E. Implement a screened subnet for the web server.
F. Install an endpoint security solution.
G. Update the website certificate and revoke the existing ones.
H. Deploy additional network sensors.

Answer

A

Use the latest version of software.
Implement a screened subnet for the web server.
Install an endpoint security solution.

Use the latest version of software: Running outdated software can leave vulnerabilities that attackers can exploit. Upgrading to the latest version of the third-party software used to manage the website is essential to ensure that known security vulnerabilities have been addressed.

mplement a screened subnet for the web server: Placing the web server in a screened subnet, also known as a demilitarized zone (DMZ), helps isolate it from the internal network. This adds an extra layer of protection by segregating the web server from other internal resources.

Install an endpoint security solution: Endpoint security solutions help protect individual workstations and servers from malware, including ransomware. By installing an effective endpoint security solution, the company can detect and block malicious activities on the endpoints, reducing the risk of ransomware infections.

Question 33

Q

Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing?
A. Development
B. Staging
C. Production
D. Test

Answer

A

Staging

Staging is an environment in the software development lifecycle that is used to test a modified version of the actual data, current version configurations, and code. This environment compares user-story responses and workflow before the software is released to the production environment. References: CompTIA Security+ Study Guide, Sixth Edition, Sybex, pg. 496

Question 34

Q

Cloud security engineers are planning to allow and deny access to specific features in order to in-crease data security. Which of the following cloud features is the most appropriate to ensure ac-cess is granted properly?
A. API integrations
B. Auditing
C. Resource policies
D. Virtual networks

Answer

A

Resource policies

Resource policies are cloud features that allow and deny access to specific features in order to increase data security. Resource policies are rules or statements that define what actions can be performed on a particular resource by which entities under what conditions. Resource policies can be attached to cloud resources such as virtual machines, storage accounts, databases, or functions. Resource policies can help enforce security best practices, compliance requirements, and cost management. Resource policies can also help implement the principle of least privilege, which grants users only the minimum level of access they need to perform their tasks.

Question 35

Q

Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?
A. Hashing
B. Salting
C. Integrity
D. Digital signature

Answer

A

Hashing

Hashing is a cryptographic function that produces a unique fixed-size output (i.e., hash value) from an input (i.e., data). The hash value is a digital fingerprint of the data, which means that if the data changes, so too does the hash value. By comparing the hash value of the downloaded file with the hash value provided by the security website, the security analyst can verify that the file has not been altered in transit or corrupted.

Question 36

Q

Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?
A. Production
B. Test
C. Staging
D. Development

Answer

A

Development

The environment that utilizes dummy data and is most likely to be installed locally on a system, allowing code to be assessed directly and modified easily with each build, is D. Development.

The development environment is where software development and coding activities take place. It is typically installed locally on developers’ systems and provides a controlled environment for writing, testing, and modifying code. In the development environment, dummy data or simulated data may be used for testing purposes.

Developers have direct access to the codebase and can make changes easily with each build. This environment allows them to assess the code directly, debug it, and make necessary modifications as part of the development process. The focus is on building and refining the software before moving to higher environments for testing and deployment.

In contrast, the other options are defined as follows:

Production environment is the live environment where the final application or system is deployed and used by end-users. Production environments typically host the fully functional and released version of the software, using real data and serving actual users.

test environment is used for various types of testing, including unit testing, integration testing, and system testing. It aims to replicate the production environment as closely as possible to validate the functionality, performance, and compatibility of the software. Test environments may use real or representative data, but they are not specifically focused on easy code modification.

Staging environment is a pre-production environment that closely mirrors the production environment. It is used for final testing and validation before deploying changes to the production environment. Staging environments typically use real data and configurations, but they are not primarily intended for easy code modification.

Therefore, the environment that utilizes dummy data and is most likely to be installed locally on a system, allowing easy code assessment and modification with each build, is D. Development.

Question 37

Q

A network administrator needs to determine Ihe sequence of a server farm’s logs. Which of the following should the administrator consider? (Select TWO).
A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset

Answer

A

Time Stamps and Time offset

To determine the sequence of a server farm’s logs, the network administrator should consider the following:

D. Time stamps: Logs typically contain time stamps that indicate the exact time when an event occurred. By examining the time stamps in the logs, the administrator can establish the chronological order of events and understand the sequence of activities within the server farm.

F. Time offset: Time offset refers to the difference in time between different devices or systems within the server farm. It is important to account for any time discrepancies or variations among the systems generating the logs. The administrator should consider the time offset between different devices to ensure accurate sequencing of the logs.

Question 38

Q

A security assessment found that several embedded systems are running unsecure protocols. These Systems were purchased two years ago and the company that developed them is no longer in business Which of the following constraints BEST describes the reason the findings cannot be remediated?
A. inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch

Answer

A

Unavailable patch

If the systems are running unsecure protocols and the company that developed them is no longer in business, it is likely that there are no patches available to remediate the issue. References:
CompTIA Security+ Certification Exam Objectives 1.6: Given a scenario, implement secure protocols.
CompTIA Security+ Study Guide, Sixth Edition, pages 35-36

Question 39

Q

Which of the following procedures would be performed after the root cause of a security incident has been identified to help avoid future incidents from occurring?
A. Walk-throughs
B. Lessons learned
C. Attack framework alignment
D. Containment

Answer

A

Lessons learned

After the root cause of a security incident has been identified, it is important to take the time to analyze what went wrong and how it could have been prevented. This process is known as “lessons learned” and allows organizations to identify potential improvements to their security processes and protocols. Lessons learned typically involve a review of the incident and the steps taken to address it, a review of the security systems and procedures in place, and an analysis of any potential changes that can be made to prevent similar incidents from occurring in the future.

Question 40

Q

A security analyst is running a vulnerability scan to check for missing patches during a suspected security indident. During which of the following phases of the response process is this activity MOST likely occurring?
A. Containment
B. Identification
C. Recovery
D. Preparation

Answer

A

Identification

Vulnerability scanning is a proactive security measure used to identify vulnerabilities in the network and systems. References: CompTIA Security+ Study Guide 601, Chapter 4

Question 41

Q

While researching a data exfiltration event, the security team discovers that a large amount of data was transferred to a file storage site on the internet. Which of the following controls would work best to reduce the risk of further exfiltration using this method?
A. Data loss prevention
B. Blocking IP traffic at the firewall
C. Containerization
D. File integrity monitoring

Answer

A

DLP (Data loss prevention)

Data loss prevention (DLP) is a set of tools and processes that aim to prevent unauthorized access, use, or transfer of sensitive data. DLP can help reduce the risk of further exfiltration using file storage sites on the internet by monitoring and controlling data flows across endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, upload, or download sensitive data to or from file storage sites based on predefined policies and rules.
References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp

Question 42

Q

Which of the following incident response steps occurs before containment?
A. Eradication
B. Recovery
C. Lessons learned
D. Identification

Answer

A

Identification

Identification is the first step in the incident response process, which involves recognizing that an incident has occurred. Containment is the second step, followed by eradication, recovery, and lessons learned.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 10: Incident Response and Recovery, pp. 437-441.

Question 43

Q

A corporate security team needs to secure the wireless perimeter of its physical facilities to ensure only authorized users can access corporate resources. Which of the following should the security team do? (Refer the answer from CompTIA SY0-601 Security+ documents or guide at comptia.org)
A. Identify rogue access points.
B. Check for channel overlaps.
C. Create heat maps.
D. Implement domain hijacking.

Answer

A

Identify rogue access points.

Based on CompTIA SY0-601 Security+ guide, the answer to the question is A. Identify rogue access points.
To secure the wireless perimeter of its physical facilities, the corporate security team should focus on identifying rogue access points, which are unauthorized access points that have been set up by employees or outsiders to bypass security controls. By identifying and removing these rogue access points, the team can ensure that only authorized users can access corporate resources through the wireless network.
https://www.comptia.org/training/books/security-sy0-601-study-guide

Question 44

Q

A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is most likely preventing the IT manager at the hospital from upgrading the specialized OS?
A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
B. The MRI vendor does not support newer versions of the OS.
C. Changing the OS breaches a support SLA with the MRI vendor.
D. The IT team does not have the budget required to upgrade the MRI scanner.

Answer

A

The MRI vendor does not support newer versions of the OS.

This option is the most likely reason for preventing the IT manager at the hospital from upgrading the specialized OS. The MRI scanner is a complex and sensitive device that requires a specific OS to control and operate it. The MRI vendor may not have developed or tested newer versions of the OS for compatibility and functionality with the scanner. Upgrading the OS without the vendor’s support may cause the scanner to malfunction or stop working altogether.

Question 45

Q

An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?
A. It allows for the sharing of digital forensics data across organizations
B. It provides insurance in case of a data breach
C. It provides complimentary training and certification resources to IT security staff.
D. It certifies the organization can work with foreign entities that require a security clearance
E. It assures customers that the organization meets security standards

Answer

A

It assures customers that the organization meets security standards

ISO 27001 is an international standard that outlines the requirements for an Information Security Management System (ISMS). It provides a framework for managing and protecting sensitive information using risk management processes. Acquiring an ISO 27001 certification assures customers that the organization meets security standards and follows best practices for information security management. It helps to build customer trust and confidence in the organization’s ability to protect their sensitive information. References: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and Vulnerabilities, 1.2 Given a scenario, analyze indicators of compromise and determine the type of malware, p. 7

Question 46

Q

A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Select TWO)
A. Auto-update
B. HTTP headers
C. Secure cookies
D. Third-party updates
E. Full disk encryption
F. Sandboxing
G. Hardware encryption

Answer

A

Auto-update and Sandboxing

Auto-update can help keep the app up-to-date with the latest security fixes and enhancements, and reduce the risk of exploitation by attackers who target outdated or vulnerable versions of the app.
Sandboxing can help isolate the app from other processes and resources on the system, and limit its access and permissions to only what is necessary. Sandboxing can help prevent the app from being affected by or affecting other applications or system components, and contain any potential damage in case of a breach.

Question 47

Q

A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?
A. Disable Telnet and force SSH.
B. Establish a continuous ping.
C. Utilize an agentless monitor
D. Enable SNMPv3 With passwords.

Answer

A

Utilize an agentless monitor

The best method to monitor network operations is to utilize an agentless monitor. An agentless monitor is a type of network monitoring system that does not require the installation of any software or agents on the devices being monitored. This makes it a very scalable and efficient way to monitor large networks.

Agentless monitors typically use a variety of methods to collect data from the devices being monitored, including SNMP, WMI, and syslog. This data is then analyzed by the monitor to identify any potential problems.

Agentless monitors are a very effective way to monitor network operations. They are scalable, efficient, and easy to use. They can be used to monitor a wide variety of devices and systems, and they can provide a comprehensive view of the network.

Question 48

Q

A security researcher has alerted an organization that its sensitive user data was found for sale on a website.
Which of the following should the organization use to inform the affected parties?
A. An incident response plan
B. A communications plan
C. A business continuity plan
D. A disaster recovery plan

Answer

A

A communications plan

The organization should use a communications plan to inform the affected parties. A communications plan is a document that outlines how an organization will communicate with internal and external stakeholders during a crisis or incident. It should include details such as who will be responsible for communicating with different stakeholders, what channels will be used to communicate, and what messages will be communicated.
An incident response plan is a document that outlines the steps an organization will take to respond to a security incident or data breach. A business continuity plan is a document that outlines how an organization will continue to operate during and after a disruption. A disaster recovery plan is a document that outlines how an organization will recover its IT infrastructure and data after a disaster.

Question 49

Q

An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics. Which of the following should the organization consult for the exact requirements for the cloud provider?
A. SLA
B. BPA
C. NDA
D. MOU

Answer

A

SLA (service level agreement)

The Service Level Agreement (SLA) is a contract between the cloud service provider and the organization that stipulates the exact requirements for the cloud provider. It outlines the level of service that the provider must deliver, including the minimum uptime percentage, support response times, and the remedies and penalties for failing to meet the agreed-upon service levels.

Question 50

Q

A security analyst was deploying a new website and found a connection attempting to authenticate on the site’s portal. While Investigating The incident, the analyst identified the following Input in the username field:

Which of the following BEST explains this type of attack?
A. DLL injection to hijack administrator services
B. SQLi on the field to bypass authentication
C. Execution of a stored XSS on the website
D. Code to execute a race condition on the server

Answer

A

SQLi on the field to bypass authentication

The input “admin’ or 1=1–” in the username field is an example of SQL injection (SQLi) attack. In this case, the attacker is attempting to bypass authentication by injecting SQL code into the username field that will cause the authentication check to always return true. References: CompTIA Security+ SY0-601 Exam Objectives: 3.1 Given a scenario, use appropriate software tools to assess the security posture of an organization.

Question 51

Q

Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53

Answer

A

NIST 800-53

NIST 800-53 provides a catalog of security and privacy controls related to the United States federal information systems. Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 3: Architecture and Design, pp. 123-125

Question 52

Q

A security analyst reviews a company’s authentication logs and notices multiple authentication failures. The authentication failures are from different usernames that share the same source IP address. Which of the password attacks is MOST likely happening?
A. Dictionary
B. Rainbow table
C. Spraying
D. Brute-force

Answer

A

Spraying

Detailed Password spraying is an attack where an attacker tries a small number of commonly used passwords against a large number of usernames. The goal of password spraying is to avoid detection by avoiding too many failed login attempts for any one user account. The fact that different usernames are being attacked from the same IP address is a strong indication that a password spraying attack is underway.

Question 53

Q

Which of the following are common VoIP-associated vulnerabilities? (Select two).
A. SPIM
B. Vishing
C. VLAN hopping
D. Phishing
E. DHCP snooping
F. Tailgating

Answer

A

A. SPIM
B. Vishing

SPIM (Spam over Internet Messaging) is a type of VoIP-associated vulnerability that involves sending unsolicited or fraudulent messages over an internet messaging service, such as Skype or WhatsApp. It can trick users into clicking on malicious links, downloading malware, providing personal or financial information, etc., by impersonating a legitimate entity or creating a sense of urgency or curiosity. Vishing (Voice Phishing) is a type of VoIP-associated vulnerability that involves making unsolicited or fraudulent phone calls over an internet telephony service, such as Google Voice or Vonage. It can trick users into disclosing personal or financial information, following malicious instructions, transferring money, etc., by using voice spoofing, caller ID spoofing, or interactive voice response systems.

Question 54

Q

An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement?
A. SIEM
B. SOAR
C. EDR
D. CASB

Answer

A

SOAR

Security Orchestration, Automation, and Response (SOAR) should be implemented to integrate incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9

Question 55

Q

The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable?
A. SSO
B. MFA
C. PKI
D. OLP

Answer

A

SSO
Explanation:
Federating user digital identities using SAML-based protocols enables Single Sign-On (SSO), which allows users to log in once and access multiple applications without having to enter their credentials for each one. Reference:
CompTIA Security+ Certification Exam Objectives 1.3: Explain authentication and access controls.
CompTIA Security+ Study Guide, Sixth Edition, pages 41-42

Question 56

Q

Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Select TWO).
A. Mantraps
B. Security guards
C. Video surveillance
D. Fences
E. Bollards
F. Antivirus

Answer

A

A. Mantraps
B. Security guards

A - a mantrap can trap those personnal with bad intension(preventive), and kind of same as detecting, since you will know if someone is trapped there(detective), and it can deter those personnal from approaching as well(deterrent) B - security guards can sure do the same thing as above, preventing malicious personnal from entering(preventive+deterrent), and notice those personnal as well(detective

Question 57

Q

Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?
A. Accountability
B. Legal hold
C. Chain of custody
D. Data breach notification

Answer

A

B. Legal Hold

A legal hold is a process that requires an organization to preserve electronically stored information and paper documents that are relevant to a pending or anticipated litigation or investigation. It suspends the normal retention and destruction policies and procedures for such information and documents until the legal hold is lifted or released.

Question 58

Q

A store receives reports that shoppers’ credit card information is being stolen. Upon further analysis, those same shoppers also withdrew money from an ATM in that store.
The attackers are using the targeted shoppers’ credit card information to make online purchases. Which of the following attacks is the MOST probable cause?
A. Identity theft
B. RFID cloning
C. Shoulder surfing
D. Card skimming

Answer

A

D. Card Skimming

Explanation:
The attackers are using card skimming to steal shoppers’ credit card information, which they use to make online purchases. Reference:
CompTIA Security+ Study Guide Exam SY0-601, Chapter

Question 59

Q

A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is most likely preventing the IT manager at the hospital from upgrading the specialized OS?
A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
B. The MRI vendor does not support newer versions of the OS.
C. Changing the OS breaches a support SLA with the MRI vendor.
D. The IT team does not have the budget required to upgrade the MRI scanner.

Answer

A

B. The MRI vendor does not support newer versions of the OS

This option is the most likely reason for preventing the IT manager at the hospital from upgrading the specialized OS. The MRI scanner is a complex and sensitive device that requires a specific OS to control and operate it. The MRI vendor may not have developed or tested newer versions of the OS for compatibility and functionality with the scanner. Upgrading the OS without the vendor’s support may cause the scanner to malfunction or stop working altogether.

Question 60

Q

During a forensic investigation, a security analyst discovered that the following command was run on a compromised host:

crackapemxb smb 912.168.10.232 -u localhost -H 0A3CE8D078747563

Which of the following attacks occurred?
A. Buffer overflow
B. Pass the hash
C. SQL injection
D. Replay attack

Answer

A

Pass the Hash

Pass the hash is an attack technique that allows an attacker to authenticate to a remote server or service by using the hashed version of a user’s password, rather than requiring the plaintext password

Question 61

Q

A security researcher is using an adversary’s infrastructure and TTPs and creating a named group to track those targeted Which of the following is the researcher MOST likely using?
A. The Cyber Kill Chain
B. The incident response process
C. The Diamond Model of Intrusion Analysis
D. MITRE ATT&CK

Answer

A

MITRE ATT&CK

Explanation:
The researcher is most likely using the MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It helps security teams better understand and track adversaries by creating a named group, which aligns with the scenario described in the question. The framework is widely recognized and referenced in the cybersecurity industry, including in CompTIA Security+ study materials. Reference: 1. CompTIA Security+ Certification Exam Objectives (SY0-601): https://www.comptia.jp/pdf/Security%2B%20SY0-601%20Exam%20Objectives.pdf 2. MITRE ATT&CK: https://attack.mitre.org/ MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that are observed in real-world cyberattacks. MITRE ATT&CK provides a common framework and language for describing and analyzing cyber threats and their behaviors. MITRE ATT&CK also allows security researchers to create named groups that track specific adversaries based on their TTPs.
The other options are not correct because:
a) The Cyber Kill Chain is a model that describes the stages of a cyberattack from reconnaissance to exfiltration. The Cyber Kill Chain does not provide a way to create named groups based on adversary TTPs.
b) The incident response process is a set of procedures and guidelines that defines how an organization should respond to a security incident. The incident response process does not provide a way to create named groups based on adversary TTPs.
c) The Diamond Model of Intrusion Analysis is a framework that describes the four core features of any intrusion: adversary, capability, infrastructure, and victim. The Diamond Model of Intrusion Analysis does not provide a way to create named groups based on adversary TTPs.
According to CompTIA Security+ SY0-601 Exam Objectives 1.1 Compare and contrast different types of social engineering techniques:
“MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that are observed in real-world cyberattacks. MITRE ATT&CK provides a common framework and language for describing and analyzing cyber threats and their behaviors.”

Question 62

Q

A company has hired an assessment team to test the security of the corporate network and employee vigilance. Only the Chief Executive Officer and Chief Operating Officer are aware of this exercise, and very little information has been provided to the assessors. Which of the following is taking place?
A. A red-team test
B. A white-team test
C. A purple-team test
D. A blue-team test

Answer

A

A. A red-team test

A red-team test is a type of security assessment that simulates a real-world attack on an organization’s network, systems, applications, and people. The goal of a red-team test is to evaluate the organization’s security posture, identify vulnerabilities and gaps, and test the effectiveness of its detection and response capabilities. A red-team test is usually performed by a group of highly skilled security professionals who act as adversaries and use various tools and techniques to breach the organization’s defenses. A red-team test is often conducted without the knowledge or consent of most of the organization’s staff, except for a few senior executives who authorize and oversee the exercise.

Question 63

Q

A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?
A. DDoS
B. Privilege escalation
C. DNS poisoning
D. Buffer overflow

Answer

A

A. DDoS

A distributed denial-of-service (DDoS) attack is an attempt to make a computer or network resource unavailable to its intended users. This is accomplished by overwhelming the target with a flood of traffic from multiple sources.
In the scenario described, the security analyst identified a source IP address and blocked it from communicating with the network. However, the attack was still ongoing and coming from a large number of different source IP addresses. This indicates that the attack was a DDoS attack.
Privilege escalation is an attack that allows an attacker to gain unauthorized access to a system or network. DNS poisoning is an attack that modifies the DNS records for a domain name, causing users to be redirected to a malicious website. A buffer overflow is an attack that occurs when a program attempts to store more data in a buffer than it is designed to hold.
Therefore, the most likely type of attack in the scenario described is a DDoS attack

Question 64

Q

An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls’ (Select two).
A. ISO
B. PCI DSS
C. SOC
D. GDPR
E. CSA
F. NIST

Answer

A

B. PCI DSS
D. GDPR

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards and requirements for organizations that store, process, or transmit payment card data. It aims to protect cardholder data and prevent fraud and data breaches. GDPR (General Data Protection Regulation) is a regulation that governs the collection, processing, and transfer of personal data of individuals in the European Union. It aims to protect the privacy and rights of data subjects and impose obligations and penalties on data controllers and processors. These are the frameworks that the security officer should map the existing controls to, as they are relevant for a credit card transaction company that has a new office in Europe

Answer 64

A

A. Dumpster Diving

Crosscut shredders are used to destroy paper documents and reduce the risk of data leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents.
Reference:
CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2

Answer 65

A

A. Containment

Containment is the phase where the incident response team tries to isolate and stop the spread of the incident12. Before containing the incident, the team should collect and preserve any evidence that may be useful for analysis and investigation12. This includes documenting the incident details, such as date, time, location, source, and impact12. It also includes establishing a chain of custody, which is a record of who handled the evidence, when, where, how, and why3. A chain of custody ensures the integrity and admissibility of the evidence in court or other legal proceedings3.

Answer 66

A

A. The Diamond Model of Intrusion Analysis

The Diamond Model is a framework for analyzing cyber threats that focuses on four key elements: adversary, capability, infrastructure, and victim. By analyzing these elements, security researchers can gain a better understanding of the threat landscape and develop more effective security strategies.

Answer 67

A

D. NGFW

Explanation:
Next-Generation Firewalls (NGFWs) are designed to provide advanced threat protection by combining traditional firewall capabilities with intrusion prevention, application control, and other security features. NGFWs can detect and block unauthorized access attempts, malware infections, and other suspicious activity. They can also be used to monitor file access and detect unauthorized copying or distribution of copyrighted material.
A next-generation firewall (NGFW) can be used to detect and prevent copyright infringement by analyzing network traffic and blocking unauthorized transfers of copyrighted material. Additionally, NGFWs can be configured to enforce access control policies that prevent unauthorized access to sensitive resources. Reference:
CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6

Answer 68

A

B. Salting

Salting is a technique that adds random data to a password before hashing it. This makes the hash output more unique and unpredictable, and prevents attackers from using precomputed tables (such as rainbow tables) to crack the password hash. Salting also reduces the risk of collisions, which occur when different passwords produce the same hash.

Answer 69

A

D. Using a cable lock on the hardware

Using cable locks on the hardware can be an effective way to secure a desktop computer and deter future theft. Cable locks are physical security devices that attach to the computer case and to a nearby stationary object, such as a desk or wall. This makes it more difficult for a thief to remove the computer without damaging it or attracting attention.
Installing proximity card readers on all entryway doors can enhance physical security by limiting access to authorized individuals. Deploying motion sensor cameras in the lobby can also help deter theft by capturing images of any unauthorized individuals entering the premises or attempting to steal the computer. Encrypting the hard drive on the replacement desktop can also help protect sensitive data in the event of theft, but it does not provide physical security for the device itself.

Answer 70

A

C. Identity provider
D. Service provider

An identity provider (IdP) is responsible for authenticating users and generating security tokens containing user information. A service provider (SP) is responsible for accepting security tokens and granting access to resources based on the user’s identity.

Answer 71

A

D. WPS

The network analyst should enable Wi-Fi Protected Setup (WPS) to allow users to connect to the wireless access point securely without having to remember passwords. WPS allows users to connect to a wireless network by pressing a button or entering a PIN instead of entering a password.

Answer 72

A

B. Hover the mouse over the CIO’s email address to verify the email address

The “From” line in the email header can be easily spoofed or manipulated by an attacker to make it look like the email is coming from the CIO’s email address. However, this does not mean that the email address is actually valid or that the email is actually sent by the CIO. A better way to check the email address is to hover over it and see if it matches the CIO’s email address exactly. This can help to spot any discrepancies or typos that might indicate a phishing attempt. For example, if the CIO’s email address is cio@company.com, but when you hover over it, it shows cio@compnay.com, then you know that the email is not authentic and likely a phishing attempt.

Answer 73

A

A. High availability

High availability refers to the ability of a system or service to remain operational and available to users with minimal downtime. By ensuring high availability, the company can maintain good performance and ensure that users have access to the network services they need. High availability can also improve security, as it helps to prevent disruptions that could potentially be caused by security incidents or other issues.

Answer 74

A

D. Avoid a VM sprawl

The administrator is most likely trying to avoid VM sprawl, which occurs when too many VMs are created and managed poorly, leading to resource waste and increased security risks. The listed actions can help establish policies, resource allocation, and categorization to prevent unnecessary VM creation and ensure proper management. Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.6 Given a scenario, implement the appropriate virtualization components.

Answer 75

A

D. Phishing campaign

A phishing campaign is a simulated attack that tests a user’s ability to recognize attacks over the organization’s email system. Phishing campaigns can be used to train users on how to identify and report suspicious emails.

Answer 76

A

A. It examines and documents how well the team responded discovers what caused the incident, and determines how the incident can be avoided in the future

The final phase of an incident response plan is the post-incident activity, which involves examining and documenting how well the team responded, discovering what caused the incident, and determining how the incident can be avoided in the future. Reference: CompTIA Security+ Certification Exam Objectives - 2.5 Given a scenario, analyze potential indicators to determine the type of attack. Study Guide: Chapter 5, page 225.

Answer 77

A

C. The software was not added to the application whitelist.

The most likely cause of the document-scanning software program not responding when launched by the end user is that the software was not added to the application whitelist. An application whitelist is a list of approved software applications that are allowed to run on a system. If the software is not on the whitelist, it may be blocked from running by the system’s security policies. Adding the software to the whitelist should resolve the issue and allow the program to run. Reference: https://www.techopedia.com/definition/31541/application-whitelisting

Answer 78

A

D. in monitoring mode

A DLP solution in monitoring mode is a good first step to deploy for data loss prevention. It allows the IT team to observe and analyze the data flows and activities without blocking or interfering with them. It helps to identify the sources and destinations of sensitive data, the types and volumes of data involved, and the potential risks and violations. It also helps to fine-tune the DLP policies and rules before switching to blocking mode, which can disrupt business operations if not configured properly.

Answer 79

A

D. Identification

Identification is the first step in the incident response process, which involves recognizing that an incident has occurred. Containment is the second step, followed by eradication, recovery, and lessons learned.

Answer 80

A

B. Tainted training data

Tainted training data is a type of data poisoning attack that involves modifying or injecting malicious data into the training dataset of a machine learning or artificial intelligence system. It can cause the system to learn incorrect or biased patterns and produce inaccurate or malicious outcomes. It is the most likely reason for the inaccuracy of the system that is using information collected from third-party providers that have been compromised by an attacker.

Answer 81

A

B. Shredding

Shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid-state drives and have reached their end-of-life1. Shredding reduces electronic devices to pieces no larger than 2 millimeters2. Therefore, shredding is the most secure but least expensive data destruction method for data that is stored on hard drives.

Answer 82

A

D. SSH key

SSH key is a pair of cryptographic keys that can be used for authentication and encryption when connecting to a remote Linux server via SSH protocol. SSH key authentication does not require a password and is more secure than password-based authentication. SSH key authentication also does not require additional software installation on the client or the server, as SSH is a built-in feature of most Linux distributions. A business partner can generate an SSH key pair on their own computer and send the public key to the company, who can then add it to the authorized_keys file on the Linux server. This way, the business partner can access the Linux server without entering a password or installing any software

Answer 83

A

C. Think Client

Answer 84

A

A. Watering-hole attack

Answer 85

A

C. chmod
Explanation
The chmod command is used to change the permissions of a file or directory. The analyst can use chmod to reduce the permissions for existing users and groups and remove the set-user-ID bit from the file. References:
CompTIA Security+ Study Guide Exam SY0-601, Chapter 6

Answer 86

A

B. Use the latest version of software.
E. Implement a screened subnet for the web server.
F. Install an endpoint security solution.

Answer 87

A

B. Lessons Learned

Explanation
After the root cause of a security incident has been identified, it is important to take the time to analyze what went wrong and how it could have been prevented. This process is known as “lessons learned” and allows organizations to identify potential improvements to their security processes and protocols. Lessons learned typically involve a review of the incident and the steps taken to address it, a review of the security systems and procedures in place, and an analysis of any potential changes that can be made to prevent similar incidents from occurring in the future.

Answer 88

A

D. Rainbow table

Explanation
Rainbow table is a type of attack that should concern a security administrator when reviewing the /etc/shadow file. The /etc/shadow file is a file that stores encrypted passwords of users in a Linux system. A rainbow table is a precomputed table of hashes and their corresponding plaintext values that can be used to crack hashed passwords. If an attacker obtains a copy of the /etc/shadow file, they can use a rainbow table to find the plaintext passwords of users.
References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.geeksforgeeks.org/rainbow-table-in-cryptography/

Answer 89

A

E. It assures customers that the organization meets security standards

Explanation
ISO 27001 is an international standard that outlines the requirements for an Information Security Management System (ISMS). It provides a framework for managing and protecting sensitive information using risk management processes. Acquiring an ISO 27001 certification assures customers that the organization meets security standards and follows best practices for information security management. It helps to build customer trust and confidence in the organization’s ability to protect their sensitive information. References: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and Vulnerabilities, 1.2 Given a scenario, analyze indicators of compromise and determine the type of malware, p. 7

Answer 90

A

IPSec

Explanation
IPSec is a protocol suite that provides secure communication over IP networks. It uses encryption, authentication, and integrity mechanisms to protect data from unauthorized access or modification. IPSec can operate in two modes: transport mode and tunnel mode. In tunnel mode, IPSec can create a virtual private network (VPN) between two endpoints, such as external partners and internal networks. To establish a VPN connection, IPSec requires a pre-shared key (PSK) or other parameters to negotiate the security association.
References: https://www.comptia.org/content/guides/what-is-vpn

Answer 91

A

C. Surveillance Systems

Explanation
Surveillance systems are constantly scanned by internet bots and have the highest risk of attack in the case of the default configurations because they are often connected to the internet and use weak or default passwords that can be easily guessed or cracked by malicious bots. Internet bots are software applications that run automated tasks over the internet, usually with the intent to imitate human activity or exploit vulnerabilities.
Some bots are used for legitimate purposes, such as web crawling or indexing, but others are used for malicious purposes, such as spamming, phishing, denial-of-service attacks, or credential stuffing. Security misconfigurations are one of the most common gaps that criminal hackers look to exploit. Therefore, it is important to secure the configuration of surveillance systems by changing the default passwords, updating the firmware, disabling unnecessary services, and enabling encryption and authentication.
https://www.cctvcameraworld.com/setup-ip-camera-system-on-network/

Answer 92

A

D. Phishing Campaign

Answer 93

A

D. Threat feeds

Explanation
Threat feeds, also known as threat intelligence feeds, are a source of information about current and emerging threats, vulnerabilities, and malicious activities targeting organizations. Security analysts use threat feeds to gather information about attacks and threats targeting their industry or sector. These feeds are typically provided by security companies, research organizations, or industry-specific groups. By using threat feeds, analysts can identify trends, patterns, and potential threats that may target their own organization, allowing them to take proactive steps to protect their systems.
References:
1. CompTIA Security+ Certification Exam Objectives (SY0-601):
https://www.comptia.jp/pdf/Security%2B%20SY0-601%20Exam%20Objectives.pdf
2. SANS Institute: Threat Intelligence: What It Is, and How to Use It Effectively:
https://www.sans.org-room/whitepapers/analyst/threat-intelligence-is-effectively-36367

Answer 94

A

A. Auto-update
F. Sandboxing

Explanation
Auto-update can help keep the app up-to-date with the latest security fixes and enhancements, and reduce the risk of exploitation by attackers who target outdated or vulnerable versions of the app.
Sandboxing can help isolate the app from other processes and resources on the system, and limit its access and permissions to only what is necessary. Sandboxing can help prevent the app from being affected by or affecting other applications or system components, and contain any potential damage in case of a breach.

Answer 95

A

B. Risk register

Explanation
A risk register is a tool used by an organization to identify, log, and track any potential risks and corresponding risk information. It helps to document the risks, their likelihood, impact, mitigation strategies, and status. A risk register is an essential part of risk management and can be used for projects or organizations.

Answer 96

A

A. MITRE ATT&CK

Explanation
MITRE ATT&CK is a knowledge base and framework that analyzes and categorizes threat actors and real-world events based on their tactics, techniques and procedures. It can help improve the incident response team’s process by providing a common language and reference for identifying, understanding and mitigating threats

Answer 97

A

B. Symmetric

Explanation
Symmetric encryption allows data to be encrypted and decrypted using the same key. This is useful when the data needs to be accessed and manipulated while still encrypted. References: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 6

Answer 98

A

D. Approved list

Explanation
Approved list is a list of applications or programs that are allowed to run on a system or network. An approved list can prevent unauthorized or malicious software from running and compromising the security of the system or network. An approved list can also help with patch management and compatibility issues. If the security engineer updated an application on the company workstations, the application may need to be added or updated on the approved list to be able to launch successfully. References: 1 CompTIA Security+ Certification Exam Objectives, page 10, Domain 2.0: Architecture and Design, Objective 2.4: Explain the importance of embedded and specialized systems security 2 CompTIA Security+ Certification Exam Objectives, page 12, Domain 3.0: Implementation, Objective 3.1: Implement secure network architecture concepts 3
https://www.comptia.org/blog/what-is-application-whitelisting

Answer 99

A

A. Shadow IT

Explanation
shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge or approval of the IT or security group within the organization12. Shadow IT can encompass cloud services, software, and hardware. The main area of concern today is the rapid adoption of cloud-based services1.
According to one source3, shadow IT helps you know and identify which apps are being used and what your risk level is. 80% of employees use non-sanctioned apps that no one has reviewed, and may not be compliant with your security and compliance policies.

Answer 100

A

D. SOC 2 report

Explanation
A SOC 2 report is a document that provides an independent assessment of a service organization’s controls related to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, or Privacy. A SOC 2 report can help a security practitioner evaluate the current security posture of a vendor that provides cloud services1.

Answer 101

A

B. WAF
C. Load Balancer

Explanation
A web application firewall (WAF) is a solution that inspects traffic to a cluster of web servers in a cloud environment and protects them from common web-based attacks, such as SQL injection, cross-site scripting, and denial-of-service1. A WAF can be deployed as a cloud service or as a virtual appliance in front of the web servers. A load balancer is a solution that distributes traffic among multiple web servers in a cloud environment and improves their performance, availability, and scalability2. A load balancer can also perform health checks on the web servers and route traffic only to the healthy ones. The other options are not relevant to this scenario. A CASB is a cloud access security broker, which is a solution that monitors and controls the use of cloud services by an organization’s users3. A VPN is a virtual private network, which is a solution that creates a secure and encrypted connection between two networks or devices over the internet. TLS is Transport Layer Security, which is a protocol that provides encryption and authentication for data transmitted over a network. DAST is dynamic application security testing, which is a method of testing web applications for vulnerabilities by simulating attacks on them.
References: 1: https://www.imperva.com/learn/application-security/what-is-a-web-application-firewall-waf/ 2:
https://www.imperva.com/learn/application-security/load-balancing/ 3:
https://www.imperva.com/learn/application-security/cloud-access-security-broker-casb/ :
https://www.imperva.com/learn/application-security/vpn-virtual-private-network/ :
https://www.imperva.com/learn/application-security/transport-layer-security-tls/ :
https://www.imperva.com/learn/application-security/dynamic-application-security-testing-dast/ :
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-traffic-ins: https://docs.microsoft.com/en-us/azure/private-link/inspect-traffic-with-azure-firewall :
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/application-gateway-before-azure

Answer 102

A

A. FDE

Explanation
Based on these definitions, the best security solution to mitigate the risk of future data disclosures from a laptop would be FDE123. FDE would prevent unauthorized access to the data stored on the laptop even if it is stolen or lost. FDE can also use TPM to store the encryption key and ensure that only trusted software can decrypt the data3. HIDS and VPN are not directly related to data encryption, but they can provide additional security benefits by detecting intrusions and protecting network traffic respectively.

Answer 103

A

A. Drop

Explanation
the difference between drop and reject in firewall is that the drop target sends nothing to the source, while the reject target sends a reject response to the source. This can affect how the source handles the connection attempt and how fast the port scanning is. In this context, a human might say that the best action to block a TCP connection using the corporate firewall is A. Drop, because it does not send back an RST packet and it may slow down the port scanning and protect against DoS attacks.

Answer 104

A

D. Snapshot

Explanation
A snapshot backup is a type of backup that captures the state of a system at a point in time. It is highly time- and storage-efficient because it only records the changes made to the system since the last backup. It also has no impact on production systems because it does not require them to be offline or paused during the backup process. References: https://www.comptia.org/blog/what-is-a-snapshot-backup

Answer 105

A

A. Provisioning

Explanation
Provisioning is the process of creating and setting up IT infrastructure, and includes the steps required to manage user and system access to various resources . Provisioning can be done for servers, cloud environments, users, networks, services, and more .
In this case, the security administrator wants to ensure that all cloud servers will have software preinstalled for facilitating vulnerability scanning and continuous monitoring. This means that the administrator needs to provision the cloud servers with the necessary software and configuration before they are deployed or used by customers or end users. Provisioning can help automate and standardize the process of setting up cloud servers and reduce the risk of human errors or inconsistencies.

Answer 106

A

A. Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval

Explanation
According to the CompTIA Security+ SY0-601 documents, the correct answer option is A. Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval12.
This option ensures that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame by requiring supervisors to approve or deny the exceptions on a regular basis. It also reduces the manual workload of the security team and improves the compliance with the company policy.

Answer 107

A

C. False positive

Explanation
A false positive is a type of alert that indicates a security incident when there is none. It can be caused by misconfigured or overly sensitive security tools or systems that generate false or irrelevant alerts. In this case, the alert from the company’s SIEM that Mimikatz attempted to run on the remote systems was a false positive because it was triggered by a legitimate vulnerability scanning tool that uses Mimikatz as part of its functionality.

Answer 108

A

B. SSH was turned off instead of modifying the configuration file

Explanation:
Explanation
Disabling remote logins to the NAS likely involved turning off SSH instead of modifying the configuration file. This would prevent users from using SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Source: TechTarget

Answer 109

A

B. Round-robin

Explanation
The administrator should use a round-robin algorithm to split the number of connections on each server in half. Round-robin is a load-balancing algorithm that distributes incoming requests to the available servers one by one in a cyclical order. This helps to evenly distribute the load across all of the servers, ensuring that no single server is overloaded.

Answer 110

A

D. Private

Explanation
A private cloud model would best suit the company’s priorities of control and security over cost and ease of management. In a private cloud, the infrastructure is dedicated to a single organization, providing greater control over the environment and the ability to implement strict security measures. This is in contrast to public, community, or hybrid cloud models, where resources are shared among multiple organizations, potentially compromising control and security. While private clouds can be more expensive and more difficult to manage, they the highest level of control and security for the company.
Reference:
- CompTIA Security+ Certification Exam Objectives (SY0-601), Section 3.2: “Explain the importance of secure staging deployment concepts.”
- Cisco: Private Cloud - https://www.cisco.com/c/en/us/solutions/cloud/private-cloud.html

Answer 111

A

C. Version Control

Explanation
Version control is a solution that can help a development team to analyze the deletion or editing of data sets without affecting the original copy. Version control is a system that records changes to a file or set of files over time so that specific versions can be recalled later. Version control can help developers track and manage changes to code, data, or documents, as well as collaborate with other developers and resolve conflicts.
References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.atlassian.com/git/tutorials/what-is-version-control

Answer 112

A

D. Continuous integration

Continuous integration (CI) is a software development practice where developers frequently integrate their code changes into a shared repository. The main goal of continuous integration is to detect integration issues early by merging code changes into the main codebase as soon as they are written.

Answer 113

A

C. Tabletop exercise

Explanation
A tabletop exercise is a type of security exercise that involves a simulated scenario of a security incident and a discussion of how the security team would respond to it1. A tabletop exercise is a low-impact and cost-effective way to test the security team’s preparedness, identify gaps and areas for improvement, and enhance communication and coordination among team members2. A tabletop exercise is different from a red-team exercise, which is a simulated attack by an authorized group of ethical hackers to test the security defenses and response capabilities of an organization3. A business continuity plan testing is a process of verifying that an organization can continue its essential functions and operations in the event of a disaster or disruption4. A functional exercise is a type of security exercise that involves a realistic simulation of a security incident and requires the security team to perform their roles and responsibilities as if it were a real event.
References: 1:
https://www.isaca.org/resources/isaca-journal/issues/2022/volume-1/cybersecurity-incident-response-exercise-gu
2: https://www.linuxjournal.com/content/security-exercises 3:
https://www.imperva.com/learn/application-security/red-team-blue-team/ 4:
https://www.ready.gov/business-continuity-plan : https://www.ready.gov/exercises

Answer 114

A

D. Jailbreaking

Explanation
Jailbreaking is a process of bypassing or removing the manufacturer-imposed restrictions on a mobile device’s operating system, allowing users to install unauthorized applications, modify settings, etc. It is a primary security concern for setting up a BYOD program because it can expose the device and its data to malware, vulnerabilities, unauthorized access, etc

Answer 115

A

A. PoC

Explanation
A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time. This environment can utilize either dummy data or actual data. References: CompTIA Security+ Certification Guide, Exam SY0-501

Answer 116

A

D. SQLi

Explanation
SQLi stands for SQL injection, which is a type of web security vulnerability that allows an attacker to execute malicious SQL statements on a database server. SQLi can result in data theft, data corruption, denial of service, or remote code execution.
The attacker in the web server log is trying to exploit a SQLi vulnerability by sending a malicious GET request that contains a UNION ALL SELECT statement. This statement is used to combine the results of two or more SELECT queries into a single result set. The attacker is attempting to retrieve user login, user pass, and user email from the wp users table, which is a WordPress database table that stores user information. The attacker may use this information to compromise the WordPress site or the users’ accounts.

Answer 117

A

B. SQL injection

Explanation
SQL injection is a web application attack that involves inserting malicious SQL statements into an input field, such as a web form, to manipulate or access the database behind the application. SQL injection can be used to perform various actions, such as reading, modifying, or deleting data, executing commands on the database server, or bypassing authentication. In this scenario, the attacker is trying to use a SQL statement “SELECT * FROM customername” to retrieve all data from the customername table in the database.

Answer 118

A

C. Preventive

Explanation
The scenario describes preventive controls, which are designed to stop malicious actors from gaining access to the organization’s servers. This includes using multiple access points, such as a lobby, an access control vestibule, and multiple doors leading to the server floor, as well as caging the organization’s hardware.
According to the CompTIA Security+ SY0-601 document, preventive controls are “designed to stop malicious actors from performing a malicious activity or gaining access to an asset.” These controls can include technical solutions, such as authentication and access control systems, physical security solutions, such as locks and barriers, and administrative solutions such as policy enforcement.

Answer 119

A

C. Resource Policies

Explanation
Resource policies are cloud features that allow and deny access to specific features in order to increase data security. Resource policies are rules or statements that define what actions can be performed on a particular resource by which entities under what conditions. Resource policies can be attached to cloud resources such as virtual machines, storage accounts, databases, or functions. Resource policies can help enforce security best practices, compliance requirements, and cost management. Resource policies can also help implement the principle of least privilege, which grants users only the minimum level of access they need to perform their tasks.

Brainscape's Knowledge GenomeTM

SYO-601 V40.65 Flashcards

Brainscape's Knowledge Genome^TM