CompTIA Security+ Certification Exam

Questions and Answers

PDF Questions PDF Answers

Which of the following security benefits do labeling laptops with asset inventory stickers and associating them with employee IDs provide? (Choose two)

The security team will be able to send user awareness training to the appropriate device.

User-based firewall policies can be correctly targeted to the appropriate laptops.

Company data can be accounted for when the employee leaves the organization. (correct)

Users can be mapped to their devices when configuring software MFA tokens.

When conducting penetration testing, the security team will be able to target the desired laptops.

If a security incident occurs on the device, the correct employee can be notified. (correct)

Which access control principle states that users and processes should only have the minimum level of access required to perform their tasks?

Least privilege

To best protect against a buffer overflow attack on an organization's internet-facing website, which security measure should be deployed?

NGFW

WAF (correct)

TLS

SD-WAN

What technique records all network traffic passing through a device for detailed analysis and investigation?

Full packet capture

What security concept emphasizes strict access controls and verification processes to create secure zones within a network?

Zero Trust

What method of verifying a user's identity by requiring more than one factor is effective in preventing unauthorized access?

Multifactor authentication

Which firewall ACLs would limit outbound DNS traffic to originate only from one device with the IP address 10.50.10.25? Access list outbound permit _ 0.0.0.0/0 port 53, Access list outbound deny _ 0.0.0.0/0 port 53

10.50.10.25/32, 0.0.0.0/0

Which of the following is a risk in a new system being deployed and supported by a SaaS provider?

Supply chain vendor

What technology solution can help reduce traffic on a VPN and internet circuit, provide encrypted tunnel access, and monitor remote employee internet traffic?

Deploying a SASE solution to remote employees

What type of social engineering attack involves fraudulent emails from trusted sources to obtain sensitive information?

Phishing

What vulnerability is associated with installing software outside of a manufacturer's approved repository?

Side loading

What strategy can a company use to mitigate weather-related risks to the server room and improve resilience?

Geographic dispersion

To quickly restrict access to confidential data on a file server, which of the following should be used?

Access control lists

Which document includes an estimate of the number of hours required for a penetration testing engagement?

SOW

What likely occurred when the hash of the cmd.exe file changed without patch updates on a system?

A rootkit was deployed

Why would a host-based firewall allowing connections from specific internal IP addresses be considered a compensating control?

Compensating control

Which security concept supports restricting permissions on a human resources fileshare to the principle of least privilege?

Confidentiality

Which of the following are the best responses to the situation described in the text? (Select two)

Add a smishing exercise to the annual company training

Which of the following attacks is most likely occurring based on the provided logs?

Password spraying

Which of the following must be considered when designing a high-availability network? (Select two)

Attack surface

A company needs to provide administrative access to internal resources while minimizing the traffic allowed through the security boundary. Which of the following methods is most secure?

Implementing a bastion host

A company is discarding a classified storage array and hires an outside vendor to complete the disposal. What should the company request from the vendor?

Certification

A systems administrator at a local hospital needs to ensure patient data is protected and secure. Which data classification should be used to secure patient data?

Sensitive

What is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?

EDR

During a security incident, an IP address needs to be blocked from accessing the organization's network. Which rule should be implemented?

access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0

During an investigation, an incident response team attempts to understand the source of an incident. Which incident response activity describes this process?

Analysis

A network manager wants to protect the company's VPN by implementing multifactor authentication that includes something you know, something you have, and something you are. Which option accomplishes this goal?

Password, authentication token, thumbprint

What is the best way to consistently determine on a daily basis whether security settings on servers have been modified?

Automation

Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two)

Cadence and duration of training events

Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?

Risk register

A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?

Threat hunting

A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?

Dashboard

A systems administrator wants to prevent users from being able to access data based on their responsibilities. The administrator also wants to apply the required access structure via a simplified format. Which of the following should the administrator apply to the site recovery resource group?

RBAC

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?

Organized crime

Which of the following is a primary security concern for a company setting up a BYOD program?

Jailbreaking

A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file's creator. Which of the following actions would most likely give the security analyst the information required?

Query the file's metadata

A security administrator would like to protect data on employees' laptops. Which of the following encryption techniques should the security administrator use?

Full disk

Which of the following must be considered when designing a high-availability network? (Choose two)

Attack surface

Which of the following can best protect against an employee inadvertently installing malware on a company system?

Application allow list

A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?

Bug bounty

An employee receives a text message from an unknown number claiming to be the company's Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe?

Smishing

Which of the following best describes the form of security control where visitors to a secured facility are required to check in with a photo ID and enter the facility through an access control vestibule?

Physical

Which of the following best describes the type of attack when an administrator discovers that some files on a database server were recently encrypted, and the data was last accessed by a domain user?

Insider threat

What best describes the actions taken by an organization when they disabled unneeded services and placed a firewall in front of a business-critical legacy system?

Compensating controls

What is the best option for a technician to improve situational and environmental awareness of existing users transitioning from remote to in-office work?

Modify the content of recurring training

What should a database administrator use to access database servers if direct access from their workstation is prevented?

Jump server

What is the most important consideration for a web application allowing individuals to digitally report health emergencies during development?

Availability

What is the best way to block unknown programs from executing?

Application allow list

What would best mitigate a newly identified network access vulnerability in legacy IoT devices?

Segmentation

What describes the maximum allowance of accepted risk?

Risk threshold

What is most relevant for an analyst evaluating the Zero Trust principles within the data plane?

Secured zones

What is the best explanation for a security analyst discovering that an attacker is attempting to brute force a user account from domain activity logs?

An attacker is attempting to brute force Smith's account

Which automation use case would best enhance the security posture of an organization by rapidly updating permissions when employees leave?

Disabling access

What type of threat actor best describes ransomware-as-a-service in a report to the management team?

Organized crime

Which vulnerability is exploited when an attacker overwrites a register with a malicious address?

Buffer overflow

What best describes a scenario where end users cannot reach external websites due to unexpectedly high inbound traffic on a DNS server with minimal CPU or memory usage?

Reflected denial of service

Which logs should a security analyst use as a data source to obtain detailed information about an executable running on an employee's corporate laptop for an investigation?

Endpoint

What is Shadow IT?

Use of unauthorized or unapproved IT resources within an organization

What risk does Shadow IT pose to an organization?

All of the above

What should a security analyst recommend when discovering a host with a remote desktop that can access the production network?

Setting up a VPN and placing the jump server inside the firewall

What type of infection is associated with files having the extension .ryk?

Ransomware

What activity describes the act of ignoring detected activity in the future?

Tuning

What is the most important consideration when implementing FDE for laptops?

TPM presence

What access management concepts are likely being used to safeguard intranet accounts and grant access to multiple sites based on a user's intranet account?

Password complexity

According to the shared responsibility model, who is responsible for securing the company's database in an IaaS model for a cloud environment?

Client

What describes the process of concealing code or text inside a graphical image?

Steganography

What security technique explains the removal of special characters from variables set by forms in a web application?

Input validation

How can a company limit access to sensitive documents in a SaaS application from individuals in high-risk countries?

Geolocation policy

What strategy does a bank require to prevent data loss on stolen laptops?

Encryption at rest

What should a security consultant use for secure, remote access to a client environment?

IPSec

Before applying a high-priority patch to a production system, what step should be taken first?

Create a change control request

What data policy involves defining how long data should be stored and when it should be deleted or archived?

Retention

How could the spread of ransomware across a network be mitigated?

IPS

What would be a good use case for automating account creation for a large number of end users?

Orchestration

Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. What change would allow users to access the site?

Updating the categorization in the content filter

A company's web filter is configured to scan the URL for strings and deny access when matches are found. Which search string should be employed to prohibit access to non-encrypted websites?

http://

An organization wants a third-party vendor to do a penetration test targeting a specific device. What type of penetration test is this?

Partially known environment

What is a VPN primarily protecting?

Data in transit

When expanding data centers to new international locations, what should a cloud-hosting provider consider first?

Local data protection regulations

What strategy does purchasing cyber insurance to address items on the risk register represent?

Transfer

Which exercise should an organization use to improve its incident response process?

Tabletop

Which agreement type defines the time frame in which a vendor needs to respond?

SLA

Which security control type does an acceptable use policy best represent?

Preventive

What application security technique should be recommended to prevent a vulnerability where a web application form field is vulnerable to cross-site scripting?

Input validation

To enhance password security, a random string of 36 characters was added to a password. What technique was used?

Salting

What is the most likely outcome for a large bank failing an internal PCI DSS compliance assessment?

Fines

When planning a disaster recovery site, what should a company consider to prevent the complete loss of regulated backup data due to a natural disaster?

Geographic dispersion

Which action enables the use of an input field to manipulate data by running commands?

SQL injection

What tool collects system, application, and network logs from multiple sources in a centralized system for security alerting and monitoring?

SIEM

Which of the following is the most appropriate option for ensuring the authenticity of code created by a company?

Performing code signing on company-developed software

What is the most appropriate solution to prevent the unexpected use of the local administrator account for a company's VPN appliance?

Changing the default password

Which risk management strategy should an enterprise adopt first to address a critical legacy application without implemented preventive controls?

Mitigate

Which technology is best suited for constantly changing environments?

Containers

When a company sets up a SIEM system and assigns an analyst to review the logs on a weekly basis, what type of controls are being established?

Detective

For a low-cost cloud-based application-hosting solution, what option meets the requirements?

Serverless framework

Which type of phishing attack involves targeting high-profile individuals to trick them into performing certain actions?

Whaling

What method should a security administrator set up to secure data and track changes in an environment?

FIM

What is the next step a security manager should take after creating new documentation for security incident response?

Conduct a tabletop exercise with the team

To prevent a firewall misconfiguration issue that causes servers to become unreachable, what action should be taken?

Testing the policy in a non-production environment before enabling it in the production network

What incident response activity ensures that evidence is properly handled?

Chain of custody

Which best describes how security controls in a data center should be set up to protect data and human life considerations?

Safety controls should fail open

Given the vulnerability scanning report showing an open telnet service with insecure network protocol use, what would a security analyst conclude based on a subsequent test showing telnet encryption support?

It is a false positive

Which of the following scenarios best describes a possible business email compromise attack?

An employee receives a gift card request in an email that has an executive's name in the display field of the email

When developing a business continuity strategy, what step involves determining the required staff members to sustain the business during a disruption?

Capacity planning

Study Notes

High-Availability Network Design

• A high-availability network is designed to minimize downtime and ensure continuous operation of critical services and applications.
• Two important factors to consider when designing a high-availability network:
  • Ease of recovery: ability to quickly restore normal functionality after a failure, disruption, or disaster.
  • Attack surface: exposure of the network to potential threats and vulnerabilities.

Secure Access to Internal Resources

• A bastion host is a special-purpose server that provides secure access to internal resources while minimizing traffic allowed through the security boundary.
• A bastion host is usually placed on the edge of a network, acting as a gateway or proxy to the internal network.
• A bastion host can be configured to:
  • Allow only certain types of traffic.
  • Block all other traffic.
  • Run security software such as firewalls, intrusion detection systems, and antivirus programs.

Secure Data Disposal

• When discarding a classified storage array, it is essential to request a certification from the vendor that confirms the storage array has been disposed of securely and in compliance with the company's policies and standards.
• A certification provides evidence that the vendor has followed the proper procedures and methods to destroy the classified data and prevent unauthorized access or recovery.

Data Classification

• Patient data in a hospital setting typically falls under the category of sensitive data.
• Sensitive data classifications are used to indicate information that requires a higher level of protection due to its confidentiality, integrity, and/or availability concerns.

Endpoint Protection

• Endpoint detection and response (EDR) is a technology that monitors and analyzes the activity and behavior of endpoints, such as computers, laptops, mobile devices, and servers.
• EDR can help to detect and prevent malicious software, such as viruses, malware, and Trojans, from infecting the endpoints and spreading across the network.

Firewall Rules

• When creating an inbound firewall rule to block an IP address from accessing the organization's network:
  • Use "access-list inbound deny" to specify the source IP address and destination network.
  • Use "source" and "destination" to specify the IP addresses and subnets.

Incident Response

• Analysis is the incident response activity that describes the process of understanding the source of an incident.
• Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor's motives and capabilities.

Multifactor Authentication

• Multifactor authentication uses a combination of authentication factors, such as:
  • Something you know: password, PIN, or security question.
  • Something you have: smart card, token, or smartphone.
  • Something you are: biometric characteristics, such as a fingerprint, face, or iris.

Security Automation

• Automation is the best way to consistently determine on a daily basis whether security settings on servers have been modified.
• Automation can help to improve the efficiency, accuracy, and consistency of security operations, as well as reduce human errors and costs.

Asset Management

• Labeling all laptops with asset inventory stickers and associating them with employee IDs can provide several security benefits, such as:
  • Notifying the correct employee in case of a security incident.
  • Accounting for company data when the employee leaves the organization.

Access Control

• The least privilege principle states that users and processes should only have the minimum level of access required to perform their tasks.
• Applying the least privilege principle can help to avoid security issues, such as failing to transfer a patch.

Web Application Security

• A web application firewall (WAF) can detect and block common web attacks, such as buffer overflows, SQL injections, and cross-site scripting (XSS).
• A WAF can provide a layer of protection for the web application, preventing attackers from exploiting its vulnerabilities and compromising its data.

Monitoring and Investigation

• Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall.
• Full packet capture can help to identify the source, destination, payload, and timing of an attack, as well as the impact on the server and database.### Zero Trust Access Control
• Enforce a company-wide access control policy to reduce the scope of threats
• Verify everything and anything trying to connect to the system before granting access

Multifactor Authentication

• A method of verifying a user's identity by requiring more than one factor
• Factors include: something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric)
• MFA can prevent unauthorized access even if the user's password is compromised

Firewall Access Control Lists (ACLs)

• Rule-based access control system that determines which traffic is allowed or denied by the firewall
• Syntax: Access list [permit/deny] [source IP address] [destination IP address] [port number]
• Example: Allow only device with IP address 10.50.10.25 to send DNS requests to any destination on port 53

Intellectual Property Data Protection

• Employees in research and development (R&D) often work with intellectual property data
• Intellectual property refers to creations of the mind, such as inventions, designs, processes, or information
• Employees must understand how to best protect intellectual property data

Supply Chain Vendor Risks

• A supply chain vendor is a third-party entity that provides goods or services to an organization
• Supply chain vendors can pose a risk to the organization if they have poor security practices, breaches, or compromises
• Organizations should perform due diligence and establish a service level agreement with the vendor to mitigate this risk

Secure Access Service Edge (SASE)

• A cloud-based service that combines network and security functions into a single integrated solution
• SASE can help reduce traffic on the VPN and internet circuit, while providing secure and optimized access to the data center and cloud applications
• SASE can also monitor and enforce security policies on remote employee internet traffic

Phishing Attacks

• A type of social engineering attack that involves sending fraudulent emails that appear to be from legitimate sources
• The goal of phishing is to trick the recipient into clicking on malicious links, opening malicious attachments, or providing sensitive information

Side Loading Vulnerability

• The process of installing software outside of a manufacturer's approved software repository
• Side loading can expose the device to potential vulnerabilities, such as malware, spyware, or unauthorized access

Geographic Dispersion

• A strategy that involves distributing servers or data centers across different geographic locations
• Geographic dispersion can help mitigate the risk of weather events causing damage to the server room and downtime

Access Control Lists (ACLs)

• Rules that specify which users or groups can access which resources on a file server
• ACLs can help restrict access to confidential data by granting or denying permissions based on the identity or role of the user

Statement of Work (SOW)

• A document that defines the scope, objectives, deliverables, timeline, and costs of a project or service
• SOW includes an estimate of the number of hours required to complete the engagement

Rootkit Malware

• A type of malware that modifies or replaces system files or processes to hide its presence and activity
• Rootkits can change the hash of a file, such as cmd.exe, to avoid detection by antivirus or file integrity monitoring tools

Compensating Control

• A security measure that is implemented to mitigate the risk of a vulnerability or weakness
• Compensating control does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or impact of an attack

Disaster Recovery Plan (DRP)

• A set of policies and procedures that aim to restore the normal operations of an organization in the event of a system failure, natural disaster, or other emergency
• DRP is required for an organization to properly manage its restore process in the event of system failure

Data Exfiltration

• A technique used by attackers to steal sensitive data from a target system or network
• Data exfiltration can be detected by monitoring DNS queries and responses

Principle of Least Privilege

• A security concept that ensures data is protected from unauthorized access or disclosure
• The principle of least privilege is the best reason for permissions on a human resources file share to follow this principle

Memory Injection Vulnerability

• A type of vulnerability that allows unauthorized code or commands to be executed within a software program
• Memory injection vulnerabilities can be exploited by attackers to inject malicious code

Security Awareness Program

• A training program that aims to educate employees on security best practices and policies
• The program should address threat vectors based on the industry, and the cadence and duration of training events

Risk Register

• A document that records and tracks the risks associated with a project, system, or organization
• Risk register includes information such as risk description, risk owner, risk probability, risk impact, and risk level

Threat Hunting

• The process of proactively searching for signs of malicious activity or compromise in a network
• Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors### Cybersecurity and IT
• A dashboard is a graphical user interface that provides a visual representation of key performance indicators, metrics, and trends related to security events and incidents.
• Role-Based Access Control (RBAC) is a method of restricting access to data and resources based on the roles or responsibilities of users.
• Organized crime is a type of threat actor that is motivated by financial gain and often operates across national borders.
• Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device) program, as it can compromise the security of the device and the data stored on it.
• Metadata is data that describes other data, such as its format, origin, creation date, author, and other attributes.
• Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the operating system, applications, and files.
• Ease of recovery and minimizing the attack surface are important considerations when designing a high-availability network.
• An application allow list is a security technique that specifies which applications are authorized to run on a system and blocks all other applications.
• A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities in an application or system.
• Smishing is a type of phishing attack that uses text messages or common messaging apps to trick victims into clicking on malicious links or providing personal information.
• Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an organization.

Network Security

• A VPN (Virtual Private Network) is a virtual private network that creates a secure tunnel between two or more devices over a public network.
• A jump server is a server that acts as an intermediary between a user and a target server, such as a production server.
• Ransomware is a type of malware that encrypts the victim's files and demands a ransom for the decryption key.
• Tuning is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false negatives.

Access Management

• Federation is an access management concept that allows users to authenticate once and access multiple resources or services across different domains or organizations.
• Password complexity is a security measure that requires users to create passwords that meet certain criteria, such as length, character types, and uniqueness.

Cloud Security

• According to the shared responsibility model, the client and the cloud provider have different roles and responsibilities for securing the cloud environment, depending on the service model.

Data Security

• Steganography is the process of hiding information within another medium, such as an image, audio, video, or text file.
• Input validation is a security technique that checks the user input for any malicious or unexpected data before processing it by the application.

Compliance and Governance

• Geolocation policy is a policy that restricts or allows access to data or resources based on the geographic location of the user or device.
• Data retention policy is a set of rules that defines how long data should be stored and when it should be deleted or archived.

Incident Response

• IPS (Intrusion Prevention System) is a network security device that monitors and blocks malicious traffic in real-time.
• Orchestration is the process of automating multiple tasks across different systems and applications.

Description

This quiz is designed to test your knowledge and skills in CompTIA Security+ certification, covering high-availability networks, patching, and more. Get ready to pass your exam with confidence!