

Professor Messer’s CompTIA SY0-701 Security+ Practice Exams
Written by James “Professor” Messer
Copyright © 2023 by Messer Studios, LLC
https://www.ProfessorMesser.com

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher.

First Edition: November 2023
This is version 1.1

Trademark Acknowledgments
All product names and trademarks are the property of their respective owners, and are in no way associated or affiliated with Messer Studios LLC. “Professor Messer” is a registered trademark of Messer Studios LLC. “CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.

Warning and Disclaimer
This book is designed to provide information about the CompTIA Security+ certification exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ultimate source of subject information. The author shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the information contained in this book.
Contents

Introduction
  The CompTIA SY0-701 Security+ Certification  i
  How to Use This Book  ii
Practice Exam A
  Performance-Based Questions  1
  Multiple Choice Questions  5
  Multiple Choice Quick Answers  33
  Detailed Answers  35
Practice Exam B
  Performance-Based Questions  131
  Multiple Choice Questions  135
  Multiple Choice Quick Answers  161
  Detailed Answers  163
Practice Exam C
  Performance-Based Questions  257
  Multiple Choice Questions  261
  Multiple Choice Quick Answers  289
  Detailed Answers  291

About the Author
James "Professor" Messer is an information technology veteran whose career has included supercomputer operations, system administration, network management, and IT security. James is also the founder and CEO of Messer Studios, a leading publisher of training materials for IT certification exams. With over 185 million videos viewed and over 850,000 subscribers, Professor Messer's training has helped thousands of students realize their goals of a profession in information technology.

Introduction
The process of answering a test question is our ultimate test of knowledge. After hours of video watching, book reading, and note taking, do you really know the material? If you're trying to prove yourself, nothing beats getting the right answer.

This book contains three sample exams containing performance-based and multiple-choice questions for the Security+ exam. I've personally curated every question to make sure this Q&A matches the expectations of the SY0-701 Security+ exam.

I hope this book will help you be the smartest one in the room. Best of luck with your studies!
- Professor Messer

The CompTIA SY0-701 Security+ Certification
CompTIA's Security+ certification is the entry point for IT security professionals. If you're planning on securing the data and networks on the world's largest networks, then you're in the right place. Earning the Security+ certification requires the completion of one exam covering a broad range of security topics.

After completing the certification, a CompTIA Security+ certified professional will have an understanding of attack types, network security technologies, secure network architecture concepts, cryptography, and much more.

Here's the breakdown of each domain and the percentage of each topic on the SY0-701 exam:
Domain 1.0 - General Security Concepts - 12%
Domain 2.0 - Threats, Vulnerabilities, and Mitigations - 22%
Domain 3.0 - Security Architecture - 18%
Domain 4.0 - Security Operations - 28%
Domain 5.0 - Security Program Management and Oversight - 20%

How to Use This Book
This book contains three separate 90-question practice exams: Exam A, Exam B, and Exam C. The exams are designed to emulate the format and difficulty level of the actual Security+ exam.

Take one exam at a time. The difficulty levels are similar between exams, so it doesn't matter which exam you take first. The actual Security+ exam is 90 minutes in length, so try setting a timer when you start your practice exam. Time management is an important part of the exam.

The first section of each practice exam is the list of questions. There's a link after every question that will jump immediately to the quick answer page or the detailed answer page. If you're using the digital version, your PDF reader keys can quickly jump back to the question page. Adobe Reader in Windows uses Alt-Left arrow and macOS Preview uses Command-[ to move back to the previous view. Be sure to check your PDF reader for specific navigation options.

The quick answer page is a consolidated list of the answers without any detail or explanation. If you want to quickly check your answer sheet, this is the page for you.

A detailed answer is available for each exam question. This section repeats the question, the possible answers, and shows the answer with a detailed explanation. This section is formatted to show only one answer per page to avoid giving away the answer to any other questions. Digital readers can use your PDF reader's back button to quickly jump back to the questions.

As you go through the exam, write down the answers on a separate sheet of paper or separate text editor window. Many PDF readers also support on-screen annotation. You can check the answers after the 90 minutes have elapsed. You can grade your results against the quick answer page. Be sure to check the detailed answer pages for information on why certain answers were considered correct or incorrect.

After each detailed answer, a video link is available for more information on the topic. You can click the link in your PDF or use your camera to view the QR (Quick Response) code on the page. Your camera app will provide a notification message that will launch the video page in your browser. The URL is also provided for manual entry.

You have the option of using each practice test as a 90-minute timed exam, or as a casual Q&A. Try stepping through each question, picking an answer, and then jumping to the detailed explanation to learn more about each possible answer.

How to score the practice exams
Broadly speaking, the purpose of this book is to determine your readiness for the Security+ exam. Although we've worked hard to provide you with a similar experience as the actual exam, we're not trying to reverse-engineer CompTIA's scoring system. CompTIA doesn't share the details of their scoring system, so any attempt at recreating an actual exam score would be speculative and almost certainly incorrect.

Many of the questions in this book have a single answer. If you get the question right, you would obviously give yourself one point. Some of the exam questions require multiple answers, and this is especially common with performance-based questions. With these questions, you could potentially get part of a question correct and other parts of the question incorrect. Our recommendation is to count each question as one point, but you could also give yourself partial credit if that helps provide a better measurement of your readiness. You ultimately don't have any control over the scoring on the actual exam, so we would recommend you focus on the content and let the score provide a relative measurement of your success.

Here's a scoring chart:
Less than 63 questions correct / 70% and lower - Use the exam objectives at the end of each detailed answer to determine where you might need some additional help.
63 to 72 questions correct / 70% to 80% - You're so close! Keep working on the areas you're missing and fill in those gaps.
73 to 81 questions correct / 80% to 90% - This is a strong showing, but some additional studying will help you earn points on the real exam. Although the actual Security+ exam does not calculate the final score as a percentage, getting an 85% on the practice exam can be reasonably considered a passing grade.
More than 81 questions correct / over 90% - You're ready for the real thing! Book your exam and earn your Security+ certification!

The detailed answer pages break down every correct answer and every incorrect answer. Although it's useful to know when you got a question right, it's probably more important if you understand exactly why a question was marked wrong. If you understand all of the technologies on these sample exams, then you'll be ready for the actual exam.

Practice Exam A
Performance-Based Questions

A1. Match the description with the most accurate attack type. Not all attack types will be used.
Attack Types: On-path, RFID cloning, Keylogger, Vishing, Rootkit, DDoS, Injection, Supply chain

Description / Attack Type:
- Attacker obtains bank account number and birth date by calling the victim: [Select an Attack Type]
- Attacker accesses a database directly from a web browser: [Select an Attack Type]
- Attacker intercepts all communication between a client and a web server: [Select an Attack Type]
- Multiple attackers overwhelm a web server: [Select an Attack Type]
- Attacker obtains a list of all login credentials used over the last 24 hours: [Select an Attack Type]
Answer Page: 35

A2. The security team at a manufacturing company is creating a set of security standards for employees and visitors. Select the BEST security control for each location. All of the available security controls will be used once.

Available Security Controls: Fencing, Authentication token, Access control vestibule, Biometrics, Access badge, Security guard, Lighting

Location / Description / Security Controls:
- Outside Building: Parking and visitor drop-off: [Security Controls]
- Reception: Building lobby: [Security Controls]
- Data Center Door: Entrance from inside building: [Security Controls]
- Server Administration: Authentication to server console in the data center: [Security Controls]
Answer Page: 37

A3. Select the most appropriate security category. Some categories may be used more than once.

Categories: Technical, Managerial, Operational, Physical

- A guard checks the identification of all visitors
- All returns must be approved by a Vice President
- A generator is used during a power outage
- Building doors can be unlocked with an access card
- System logs are transferred automatically to a SIEM
Answer Page: 39

A4. Match the appropriate authentication factor to each description. Each authentication factor will be used once.

Authentication Factors: Something you know, Something you have, Something you are, Somewhere you are

Description / Authentication Factor:
- During the login process, your phone receives a text message with a one-time passcode
- You enter your PIN to make a deposit into an ATM
- You can use your fingerprint to unlock the door to the data center
- Your login will not work unless you are connected to the VPN
Answer Page: 40

A5. Configure the following stateful firewall rules:
- Block HTTP sessions between the Web Server and the Database Server
- Allow the Storage Server to transfer files to the Video Server over HTTPS
- Allow the Management Server to use a secure terminal on the File Server

Network diagram (Internet - Firewall - DMZ Switch and Internal Switch):
DMZ: File Server 10.1.1.3, Video Server 10.1.1.7, Web Server 10.1.1.2
Internal Network: Storage Server 10.2.1.33, Management Server 10.2.1.47, Database Server 10.2.1.20

Rule # | Source IP | Destination IP | Port # | Protocol (TCP/UDP) | Allow/Block
1 | | | | |
2 | | | | |
3 | | | | |
Answer Page: 41

Practice Exam A
Multiple Choice Questions

A6. A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company's internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit
Quick Answer: 33 / The Details: 43

A7. A company's email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM
Quick Answer: 33 / The Details: 44

A8. Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT
Quick Answer: 33 / The Details: 45

A9. A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject
Quick Answer: 33 / The Details: 46

A10. A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage
Quick Answer: 33 / The Details: 47

A11. A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit
Quick Answer: 33 / The Details: 48

A12. A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM
Quick Answer: 33 / The Details: 49

A13. A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated
Quick Answer: 33 / The Details: 50

A14. An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
- Access records from all devices must be saved and archived
- Any data access outside of normal working hours must be immediately reported
- Data access must only occur inside of the country
- Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
Quick Answer: 33 / The Details: 51

A15. Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
Quick Answer: 33 / The Details: 53

A16. A user connects to a third-party website and receives this message:
Your connection is not private. NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication
Quick Answer: 33 / The Details: 54

A17. Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO
Quick Answer: 33 / The Details: 55

A18. A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO
Quick Answer: 33 / The Details: 56

A19. An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path
Quick Answer: 33 / The Details: 57

A20. Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA
Quick Answer: 33 / The Details: 58

A21. Which of the following would explain why a company would automatically add a digital signature to each outgoing email message?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Availability
Quick Answer: 33 / The Details: 59

A22. The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?
❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update
Quick Answer: 33 / The Details: 60

A23. A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers
Quick Answer: 33 / The Details: 61

A24. What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Directive
Quick Answer: 33 / The Details: 62

A25. An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime?
❍ A. Purchase cybersecurity insurance
❍ B. Implement an exception for all data center services
❍ C. Move the servers to a protected segment
❍ D. Hire a third-party to perform an extensive audit
Quick Answer: 33 / The Details: 63

A26. A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps?
❍ A. Platform diversity
❍ B. Continuity of operations
❍ C. Cold site recovery
❍ D. Tabletop exercise
Quick Answer: 33 / The Details: 64

A27. A company would like to examine the credentials of each individual entering the data center building. Which of the following would BEST facilitate this requirement?
❍ A. Access control vestibule
❍ B. Video surveillance
❍ C. Pressure sensors
❍ D. Bollards
Quick Answer: 33 / The Details: 65

A28. A company stores some employee information in encrypted form, but other public details are stored as plaintext. Which of the following would BEST describe this encryption strategy?
❍ A. Full-disk
❍ B. Record
❍ C. Asymmetric
❍ D. Key escrow
Quick Answer: 33 / The Details: 66

A29. A company would like to minimize database corruption if power is lost to a server. Which of the following would be the BEST strategy to follow?
❍ A. Encryption
❍ B. Off-site backups
❍ C. Journaling
❍ D. Replication
Quick Answer: 33 / The Details: 67

A30. A company is creating a security policy for corporate mobile devices:
- All mobile devices must be automatically locked after a predefined time period.
- The location of each device needs to be traceable.
- All of the user’s information should be completely separate from company data.
Which of the following would be the BEST way to establish these security policy rules?
❍ A. Segmentation
❍ B. Biometrics
❍ C. COPE
❍ D. MDM
Quick Answer: 33 / The Details: 68

A31. A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?
❍ A. Exploit
❍ B. Compensating controls
❍ C. Zero-day attack
❍ D. False negative
Quick Answer: 33 / The Details: 69

A32. An IT help desk is using automation to improve the response time for security events. Which of the following use cases would apply to this process?
❍ A. Escalation
❍ B. Guard rails
❍ C. Continuous integration
❍ D. Resource provisioning
Quick Answer: 33 / The Details: 70

A33. A network administrator would like each user to authenticate with their corporate username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points?
❍ A. WPA3
❍ B. 802.1X
❍ C. PSK
❍ D. MFA
Quick Answer: 33 / The Details: 71

A34. A company's VPN service performs a posture assessment during the login process. Which of the following mitigation techniques would this describe?
❍ A. Encryption
❍ B. Decommissioning
❍ C. Least privilege
❍ D. Configuration enforcement
Quick Answer: 33 / The Details: 72

A35. A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model?
❍ A. Discretionary
❍ B. Mandatory
❍ C. Attribute-based
❍ D. Role-based
Quick Answer: 33 / The Details: 73

A36. A remote user has received a text message with a link to login and confirm their upcoming work schedule. Which of the following would BEST describe this attack?
❍ A. Brute force
❍ B. Watering hole
❍ C. Typosquatting
❍ D. Smishing
Quick Answer: 33 / The Details: 74

A37. A company is formalizing the design and deployment process used by their application programmers. Which of the following policies would apply?
❍ A. Business continuity
❍ B. Acceptable use policy
❍ C. Incident response
❍ D. Development lifecycle
Quick Answer: 33 / The Details: 75

A38. A security administrator has copied a suspected malware executable from a user's computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Containment
Quick Answer: 33 / The Details: 76

A39. A server administrator at a bank has noticed a decrease in the number of visitors to the bank's website. Additional research shows that users are being directed to a different IP address than the bank's web server. Which of the following would MOST likely describe this attack?
❍ A. Deauthentication
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning
Quick Answer: 33 / The Details: 77

A40. Which of the following considerations are MOST commonly associated with a hybrid cloud model?
❍ A. Microservice outages
❍ B. IoT support
❍ C. Network protection mismatches
❍ D. Containerization backups
Quick Answer: 33 / The Details: 78

A41. A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the offboarding processes and procedures
❍ D. Create a report that shows all authentications for a 24-hour period
Quick Answer: 33 / The Details: 79

A42. Which of the following is used to describe how cautious an organization might be to taking a specific risk?
❍ A. Risk appetite
❍ B. Risk register
❍ C. Risk transfer
❍ D. Risk reporting
Quick Answer: 33 / The Details: 80

A43. A technician is applying a series of patches to fifty web servers during a scheduled maintenance window. After patching and rebooting the first server, the web service fails with a critical error. Which of the following should the technician do NEXT?
❍ A. Contact the stakeholders regarding the outage
❍ B. Follow the steps listed in the backout plan
❍ C. Test the upgrade process in the lab
❍ D. Evaluate the impact analysis associated with the change
Quick Answer: 33 / The Details: 81

A44. An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack?
❍ A. Privilege escalation
❍ B. SQL injection
❍ C. Replay attack
❍ D. DDoS
Quick Answer: 33 / The Details: 82

A45. A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions?
❍ A. Lessons learned
❍ B. Containment
❍ C. Recovery
❍ D. Analysis
Quick Answer: 33 / The Details: 83

A46. A network team has installed new access points to support an application launch. In less than 24 hours, the wireless network was attacked and private company information was accessed. Which of the following would be the MOST likely reason for this breach?
❍ A. Race condition
❍ B. Jailbreaking
❍ C. Impersonation
❍ D. Misconfiguration
Quick Answer: 33 / The Details: 84

A47. An organization has identified a significant vulnerability in an Internet-facing firewall. The firewall company has stated the firewall is no longer available for sale and there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue?
❍ A. End-of-life
❍ B. Improper input handling
❍ C. Improper key management
❍ D. Incompatible OS
Quick Answer: 33 / The Details: 85

A48. A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise?
❍ A. Capacity planning
❍ B. Business impact analysis
❍ C. Continuity of operations
❍ D. Tabletop exercise
Quick Answer: 33 / The Details: 86

A49. A security administrator needs to block users from visiting websites hosting malicious software. Which of the following would be the BEST way to control this access?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS filtering
❍ D. Data loss prevention
Quick Answer: 33 / The Details: 87

A50. A system administrator has been called to a system with a malware infection. As part of the incident response process, the administrator has imaged the operating system to a known-good version. Which of these incident response steps is the administrator following?
❍ A. Lessons learned
❍ B. Recovery
❍ C. Detection
❍ D. Containment
Quick Answer: 33 / The Details: 88

A51. A company has placed a SCADA system on a segmented network with limited access from the rest of the corporate network. Which of the following would describe this process?
❍ A. Load balancing
❍ B. Least privilege
❍ C. Data retention
❍ D. Hardening
Quick Answer: 33 / The Details: 89

A52. An administrator is viewing the following security log:
Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root
Which of the following would describe this attack?
❍ A. Spraying
❍ B. Downgrade
❍ C. Brute force
❍ D. DDoS
Quick Answer: 33 / The Details: 90

A53. During a morning login process, a user's laptop was moved to a private VLAN and a series of updates were automatically installed. Which of the following would describe this process?
❍ A. Account lockout
❍ B. Configuration enforcement
❍ C. Decommissioning
❍ D. Sideloading
Quick Answer: 33 / The Details: 91

A54. Which of the following describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a pseudo-random code
❍ D. A Windows Domain requires a password and smart card
Quick Answer: 33 / The Details: 92

A55. A company is deploying a new application to all employees in the field. Some of the problems associated with this rollout include:
- The company does not have a way to manage the devices in the field
- Team members have many different kinds of mobile devices
- The same device needs to be used for both corporate and private use
Which of the following deployment models would address these concerns?
❍ A. CYOD
❍ B. SSO
❍ C. COPE
❍ D. BYOD
Quick Answer: 33 / The Details: 93

A56. An organization is installing a UPS for their new data center. Which of the following would BEST describe this control type?
❍ A. Compensating
❍ B. Directive
❍ C. Deterrent
❍ D. Detective
Quick Answer: 33 / The Details: 94

A57. A manufacturing company would like to track the progress of parts used on an assembly line. Which of the following technologies would be the BEST choice for this task?
❍ A. Secure enclave
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption
Quick Answer: 33 / The Details: 95

A58. A company's website has been compromised and the website content has been replaced with a political message. Which of the following threat actors would be the MOST likely culprit?
❍ A. Insider
❍ B. Organized crime
❍ C. Shadow IT
❍ D. Hacktivist
Quick Answer: 33 / The Details: 96

A59. A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware
Quick Answer: 33 / The Details: 97

A60. A company's security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement?
❍ A. USB security key
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS
Quick Answer: 33 / The Details: 98

A61. A development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, a security administrator finds the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue?
❍ A. Legacy software
❍ B. Open permissions
❍ C. Race condition
❍ D. Malicious update
Quick Answer: 33 / The Details: 99

A62. Employees of an organization have received an email with a link offering a cash bonus for completing an internal training course. Which of the following would BEST describe this email?
❍ A. Watering hole attack
❍ B. Cross-site scripting
❍ C. Zero-day
❍ D. Phishing campaign
Quick Answer: 33 / The Details: 100

A63. Which of the following risk management strategies would include the purchase and installation of an NGFW?
❍ A. Transfer
❍ B. Mitigate
❍ C. Accept
❍ D. Avoid
Quick Answer: 33 / The Details: 101

A64. An organization is implementing a security model where all application requests must be validated at a policy enforcement point. Which of the following would BEST describe this model?
❍ A. Public key infrastructure
❍ B. Zero trust
❍ C. Discretionary access control
❍ D. Federation
Quick Answer: 33 / The Details: 102

A65. A company is installing a new application in a public cloud. Which of the following determines the assignment of data security in this cloud infrastructure?
❍ A. Playbook
❍ B. Audit committee
❍ C. Responsibility matrix
❍ D. Right-to-audit clause
Quick Answer: 33 / The Details: 103

A66. When decommissioning a device, a company documents the type and size of storage drive, the amount of RAM, and any installed adapter cards. Which of the following describes this process?
❍ A. Destruction
❍ B. Sanitization
❍ C. Certification
❍ D. Enumeration
Quick Answer: 33 / The Details: 104

A67. An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Session hijacking
❍ D. DDoS
Quick Answer: 33 / The Details: 105

A68. A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup option. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public
Quick Answer: 33 / The Details: 106

A69. A company is in the process of configuring and enabling host-based firewalls on all user devices. Which of the following threats is the company addressing?
❍ A. Default credentials
❍ B. Vishing
❍ C. Instant messaging
❍ D. On-path
Quick Answer: 33 / The Details: 107

A70. A manufacturing company would like to use an existing router to separate a corporate network from a manufacturing floor. Both networks use the same physical switch, and the company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation?
❍ A. Connect the corporate network and the manufacturing floor with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use host-based firewalls on each device
❍ D. Create separate VLANs for the corporate network and the manufacturing floor
Quick Answer: 33 / The Details: 108

A71. An organization needs to provide a remote access solution for a newly deployed cloud-based application. This application is designed to be used by mobile field service technicians. Which of the following would be the best option for this requirement?
❍ A. RTOS
❍ B. CRL
❍ C. Zero-trust
❍ D. SASE
Quick Answer: 33 / The Details: 109

A72. A company is implementing a quarterly security awareness campaign. Which of the following would MOST likely be part of this campaign?
❍ A. Suspicious message reports from users
❍ B. An itemized statement of work
❍ C. An IaC configuration file
❍ D. An acceptable use policy document
Quick Answer: 33 / The Details: 110

A73. A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found a recent patch has reintroduced this vulnerability on the servers.
Which of the following should the security administrator implement to prevent this issue from occurring in the future?
❍ A. Containerization
❍ B. Data masking
❍ C. 802.1X
❍ D. Change management

A74. A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature

A75. Which cryptographic method is used to add trust to a digital certificate?
❍ A. Steganography
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature

A76. A company is using SCAP as part of their security monitoring processes. Which of the following would BEST describe this implementation?
❍ A. Train the user community to better identify phishing attempts
❍ B. Present the results of an internal audit to the board
❍ C. Automate the validation and patching of security issues
❍ D. Identify and document authorized data center visitors

A77. An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Data subject
❍ D. Data custodian

A78. An organization’s content management system currently labels files and documents as “Public” and “Restricted.” On a recent update, a new classification type of “Private” was added. Which of the following would be the MOST likely reason for this addition?
❍ A. Minimized attack surface
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time

A79. A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys?
❍ A. Integrate an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A80. A security technician is reviewing this security log from an IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log information? (Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number

A81. Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO

A82. A user with restricted access has typed this text in a search field of an internal web-based application:
USER77' OR '1'='1
After submitting this search request, all database records are displayed on the screen. Which of the following would BEST describe this search?
❍ A. Cross-site scripting
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping

A83. A user has opened a helpdesk ticket complaining of poor system performance, excessive pop-up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues?
❍ A. On-path
❍ B. Worm
❍ C. Trojan horse
❍ D. Logic bomb

A84. A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. All of the customer information is encrypted and protected with additional authentication factors. Which of the following would be the justification for these security controls?
❍ A. Chain of custody
❍ B. Password vaulting
❍ C. Compliance reporting
❍ D. Sandboxing

A85. A security manager has created a report showing intermittent network communication from certain workstations on the internal network to one external IP address. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?
❍ A. On-path attack
❍ B. Keylogger
❍ C. Replay attack
❍ D. Brute force

A86. The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. RADIUS
❍ D. IPsec

A87. A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party programming projects

A88. A security administrator is configuring a DNS server with an SPF record. Which of the following would be the reason for this configuration?
❍ A. Transmit all outgoing email over an encrypted tunnel
❍ B. List all servers authorized to send emails
❍ C. Digitally sign all outgoing email messages
❍ D. Obtain disposition instructions for emails marked as spam

A89. A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IoT
❍ C. Proxy
❍ D. RTOS

A90. A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the rollout to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. DDoS
❍ D. Penetration test

Practice Exam A Multiple Choice Quick Answers
A6. B   A7. C   A8. A   A9. A   A10. C
A11. C   A12. A   A13. D   A14. A, E, and G   A15. B
A16. C   A17. A   A18. A   A19. A   A20. C
A21. B   A22. C   A23. B and D   A24. B   A25. C
A26. B   A27. A   A28. B   A29. C   A30. D
A31. D   A32. A   A33. B   A34. D   A35. A
A36. D   A37. D   A38. D and E   A39. D   A40. C
A41. C   A42. A   A43. B   A44. D   A45. C
A46. D   A47. A   A48. D   A49. C   A50. B
A51. D   A52. C   A53. B   A54. D   A55. C
A56. A   A57. B   A58. D   A59. A   A60. B
A61. B   A62. D   A63. B   A64. B   A65. C
A66. D   A67. A   A68. A   A69. C   A70. D
A71. D   A72. A   A73. D   A74. A   A75. D
A76. C and D   A77. D   A78. C   A79. A   A80. B and C
A81. B   A82. C   A83. C   A84. C   A85. B
A86. B   A87. A   A88. B   A89. A   A90. D

Practice Exam A Detailed Answers

A1.
Match the description with the most accurate attack type. Not all attack types will be used.

Attacker obtains bank account number and birth date by calling the victim: Vishing
Social engineering over the telephone continues to be an effective attack vector, and obtaining personal information such as a bank account or birth date would be considered phishing over voice, or vishing.
More information: SY0-701, Objective 2.2 - Phishing
https://professormesser.link/701020202

Attacker accesses a database directly from a web browser: Injection
A SQL (Structured Query Language) injection attack sends SQL commands directly to a database using a vulnerable web application.
More information: SY0-701, Objective 2.3 - SQL Injection
https://professormesser.link/701020306

Attacker intercepts all communication between a client and a web server: On-path
On-path attacks are quite effective because the attacker can often sit invisibly between two devices and gather useful information or modify the data streams in real time.
More information: SY0-701, Objective 2.4 - On-path Attacks
https://professormesser.link/701020409

Multiple attackers overwhelm a web server: DDoS
A DoS (Denial of Service) occurs when a service is unavailable due to the actions of a third-party. A DDoS (Distributed Denial of Service) occurs when multiple third-parties work together to create a service outage.
More information: SY0-701, Objective 2.4 - Denial of Service
https://professormesser.link/701020406

Attacker obtains a list of all login credentials used over the last 24 hours: Keylogger
Attackers can install hardware or software keyloggers to capture all information typed into a keyboard. Keylogger software can also capture screenshots and other media and covertly send all of this information to the attacker using an existing Internet connection.
More information: SY0-701, Objective 2.4 - Other Malware Types
https://professormesser.link/701020404

A2. The security team at a manufacturing company is creating a set of security standards for employees and visitors. Select the BEST security control for each location. All of the available security controls will be used once.

Outside (Parking and Visitor drop-off): Fencing, Lighting
Security outside of the building is focused on the safety of employees and visitors as they park their vehicles or are dropped off at the entrance. The parking lot and exterior building areas should be surrounded by fencing to control access, and the parking lot should be well-lit at all times.

Reception (Building lobby): Security guard, Access control vestibule
The reception area is the first interaction with employees or visitors. Security guards should be available to check the authorization of anyone entering the building, and the use of an access control vestibule can help manage the flow of individuals through this checkpoint.

Data Center (Entrance from inside building door): Access badge, Biometrics
Once inside, many areas of the building are readily available to employees and visitors. However, some areas of the building containing sensitive information may require additional authorization. To gain access to the data center from inside of the building, an individual would need to provide a valid access badge and perform a biometric check of their fingerprint, handprint, or a similar type of authentication factor.

Server Administration (Authentication to server console in the data center): Authentication token
Gaining access through the door of the data center doesn't provide any access to the server data. If a technician needs console access to a server, they'll need to provide the proper username, password, and authentication token. This multi-factor authentication ensures only authorized users are able to gain access to the information contained on the server.
More information: SY0-701, Objective 1.2 - Physical Security
https://professormesser.link/701010206

A3. Select the most appropriate security category. Some categories may be used more than once.

A guard checks the identification of all visitors: Operational
All returns must be approved by a Vice President: Managerial
A generator is used during a power outage: Physical
Building doors can be unlocked with an access card: Physical
System logs are transferred automatically to a SIEM: Technical

Control categories describe the type of security applied to a task or event. Operational controls are often implemented by people instead of systems. Security guards and awareness programs are examples of an operational control. Managerial controls are administrative controls associated with security design and implementation. A set of policies and procedures would be an example of a managerial control. Physical controls are used to limit physical access. Badge readers, fences, and guard shacks are categorized as physical controls. Technical controls are implemented using systems. Operating system controls, firewalls, and automated processes are considered technical controls.
More information: SY0-701, Objective 1.1 - Security Controls
https://professormesser.link/701010101

A4. Match the appropriate authentication factor to each description. Each authentication factor will be used once.

Authentication factors: Something you know, Something you have, Something you are, Somewhere you are

Description: Authentication Factor
During the login process, your phone receives a text message with a one-time passcode: Something you have
You enter your PIN to make a deposit into an ATM: Something you know
You can use your fingerprint to unlock the door to the data center: Something you are
Your login will not work unless you are connected to the VPN: Somewhere you are

Authentication factors are important to consider when developing applications or designing network infrastructures. It's useful to know each authentication factor and some examples of how that factor can be applied during the authentication process.
More information: SY0-701, Objective 4.6 - Multi-factor Authentication
https://professormesser.link/701040603

A5. Configure the following stateful firewall rules:
  Block HTTP sessions between the Web Server and the Database Server
  Allow the Storage Server to transfer files to the Video Server over HTTPS
  Allow the Management Server to use a secure terminal on the File Server

Network diagram: Internet - Firewall - DMZ Switch and Internal Switch
DMZ: File Server 10.1.1.3, Video Server 10.1.1.7, Web Server 10.1.1.2
Internal Network: Storage Server 10.2.1.33, Management Server 10.2.1.47, Database Server 10.2.1.20

Rule #   Source IP    Destination IP   Protocol (TCP/UDP)   Port #   Allow/Block
1        10.1.1.2     10.2.1.20        TCP                  80       Block
2        10.2.1.33    10.1.1.7         TCP                  443      Allow
3        10.2.1.47    10.1.1.3         TCP                  22       Allow

Creating firewall policies is a foundational skill for any IT security professional. Fortunately, the process is relatively straightforward if each part of the firewall rule is broken down into individual pieces.

Block HTTP sessions between the Web Server and the Database Server
The first step is to determine the source and destination of the firewall rule.
After referencing the diagram, we can see the source Web Server IP address is 10.1.1.2 and the destination Database Server is 10.2.1.20. This question requires a knowledge of basic TCP and UDP ports, and recognizing the well-known port for the HTTP protocol as TCP/80 provides the next two fields in the firewall rule. Finally, the rule is designed to prevent traffic between these two devices, so the disposition is set to Block. Since this firewall is stateful, the firewall rule allows the first packet in the traffic flow and any return traffic in the flow will be automatically associated with this rule. A stateful firewall does not require a separate firewall rule for response traffic associated with the original traffic flow.

Allow the Storage Server to transfer files to the Video Server over HTTPS
The Storage Server is 10.2.1.33, and the Video Server is 10.1.1.7. Notice that the traffic flow moves through the firewall in a different direction than the first rule, but these firewall rules are focused on the source and destination of the traffic flow. This rule specifies HTTPS traffic, so TCP/443 will be listed in the firewall rule. Finally, the firewall rule should allow these traffic flows.

Allow the Management Server to use a secure terminal on the File Server
The Management Server IP address is 10.2.1.47, and the File Server is 10.1.1.3. A secure terminal would use the SSH protocol over TCP/22, and the firewall should be configured to allow this traffic.
More information: SY0-701, Objective 4.5 - Firewalls
https://professormesser.link/701040501

A6. A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company's internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit

The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information as possible from open sources such as social media, corporate websites, and business organizations.
The incorrect answers:
A. Vulnerability scanning
Some active reconnaissance tests will query systems directly to see if a vulnerability currently exists.
C. Supply chain analysis
A supply chain analysis will examine the security associated with a supplier, and the analysis will not provide any information regarding a company's own servers and data.
D. Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or private guidelines. A regulatory audit commonly requires access to internal systems and data.
More information: SY0-701, Objective 5.5 - Penetration Tests
https://professormesser.link/701050502

A7. A company's email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM

The Answer: C. DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) specifies the disposition of spam emails. The legitimate owner of the originating email domain can choose to have these messages accepted, sent to a spam folder, or rejected.
The incorrect answers:
A. SPF
SPF (Sender Policy Framework) is a list of all authorized mail servers for a specific domain. All legitimate emails would be sent from one of the servers listed in the SPF configuration.
B. NAC
NAC (Network Access Control) is a way to limit network access to only authorized users. NAC is not commonly used to manage the transfer of email messages.
D. DKIM
DKIM (DomainKeys Identified Mail) provides a way to validate all digitally signed messages from a specific email server. DKIM does not determine how the receiving server categorizes these digitally signed messages.
More information: SY0-701, Objective 4.5 - Email Security
https://professormesser.link/701040505

A8. Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking objectives are usually based around objectives that can be easily exchanged for financial capital.
The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not usually based on revenue or income.
D. Shadow IT
Shadow IT describes part of the organization that works around the existing IT department to build their own applications and infrastructure.
More information: SY0-701, Objective 2.1 - Threat Actors
https://professormesser.link/701020101

A9. A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject

The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an incident. Once the cause is known, it becomes easier to protect against similar attacks in the future.
The incorrect answers:
B. E-discovery
E-discovery relates to the collection, preparation, review, interpretation, and production of electronic documents. E-discovery itself is not involved with the research and determination of an attack's root cause.
C. Risk appetite
A risk appetite describes the amount of risk an organization is willing to take before taking any action to reduce that risk. Risk appetite is not part of a root cause analysis.
D. Data subject
A data subject describes any information relating to an identified or identifiable natural person, especially when describing or managing private information about the subject.
More information: SY0-701, Objective 4.8 - Incident Planning
https://professormesser.link/701040802

A10. A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage

The Answer: C. System availability
Requests to emergency services are often critical in nature, and it's important for a dispatching system to always be available when a call is made.
The incorrect answers:
A. Integration costs
When lives are on the line, the cost is not commonly the most important aspect of a system integration.
B. Patch availability
Although it's important to always keep systems patched, it's more important that a life-saving service be available to those who might need it.
D. Power usage
Power usage is not usually the most important consideration when building a critical healthcare and emergency service infrastructure.
More information: SY0-701, Objective 3.1 - Infrastructure Considerations
https://professormesser.link/701030104

A11. A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit

The Answer: C. Automation
Automation ensures that compliance checks can be performed on a regular basis without the need for human intervention.
This can be especially useful to provide alerts when a configuration change causes an organization to be out of compliance. The incorrect answers: A. Maintenance window A maintenance window describes the scheduling associated with the change control process. Systems and services generally have limited availability during a maintenance window. B. Attestation and acknowledgment With compliance, the process of attestation and acknowledgment is the final verification of the formal compliance documentation. An alert from an automated process would not qualify as attestation. D. External audit An external audit can be a valuable tool for verifying the compliance process, but an automated alert from a monitoring system would not be part of an external audit. More information: SY0-701, Objective 5.4 - Compliance https://professormesser.link/701050401 48 Practice Exam A - Answers A12. A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration? ❍ A. Create an operating system security policy to block the use of removable media ❍ B. Monitor removable media usage in host-based firewall logs ❍ C. Only allow applications that do not use removable media ❍ D. Define a removable media block rule in the UTM The Answer: A. Create an operating system security policy to prevent the use of removable media Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive. The incorrect answers: B. Monitor removable media usage in host-based firewall logs A host-based firewall monitors traffic flows and does not commonly log hardware or USB drive access. C. 
Only allow applications that do not use removable media File storage access options are not associated with applications, so it’s not possible to allow based on external storage drive usage. D. Define a removable media block rule in the UTM A UTM (Unified Threat Manager) watches traffic flows across the network and does not commonly manage the storage options on individual computers. More information: SY0-701, Objective 2.2 - Common Threat Vectors https://professormesser.link/701020201 Practice Exam A - Answers 49 A13. A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data? ❍ A. Data in use ❍ B. Obfuscated ❍ C. Trade secrets ❍ D. Regulated The Answer: D. Regulated Reports and information created for governmental use are regulated by laws regarding the disclosure of certain types of data. The incorrect answers: A. Data in use Data in use describes information actively processing in the memory of a system, such as system RAM, CPU registers, or CPU cache. Government reports are static documents and are not actively being processed. B. Obfuscated Obfuscation describes the modification of data to make something understandable into something very difficult to understand. Information contained in a government report is relatively easy to understand and would not be considered obfuscated data. C. Trade secrets Trade secrets are the private details a company uses as part of their normal business processes, and these trade secrets are not shared with any other organization or business. More information: SY0-701, Objective 3.3 - Data Types and Classifications https://professormesser.link/701030301 50 Practice Exam A - Answers A14. An insurance company has created a set of policies to handle data breaches. 
The security team has been given this set of requirements based on these policies: Access records from all devices must be saved and archived Any data access outside of normal working hours must be immediately reported Data access must only occur inside of the country Access logs and audit reports must be created from a single database Which of the following should be implemented by the security team to meet these requirements? (Select THREE) ❍ A. Restrict login access by IP address and GPS location ❍ B. Require government-issued identification during the onboarding process ❍ C. Add additional password complexity for accounts that access data ❍ D. Conduct monthly permission auditing ❍ E. Consolidate all logs on a SIEM ❍ F. Archive the encryption keys of all disabled accounts ❍ G. Enable time-of-day restrictions on the authentication server The Answer: A. Restrict login access by IP address and GPS location, E. Consolidate all logs on a SIEM, and G. Enable time-of-day restrictions on the authentication server Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time-of-day will report any access that occurs during non-working hours. Practice Exam A - Answers 51 The incorrect answers: B. Require government-issued identification during the onboarding process Requiring proper identification is always a good idea, but it’s not one of the listed requirements. C. Add additional password complexity for accounts that access data Additional password complexity is another good best practice, but it’s not part of the provided requirements. D. Conduct monthly permission auditing No requirements for ongoing auditing were included in the requirements, but ongoing auditing is always an important consideration. F. 
Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be recovered later. Archiving the encryption keys will allow access to that data after the account is no longer in use.
More information:
SY0-701, Objective 4.6 - Access Controls
https://professormesser.link/701040602

A15. A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the attacker and the victim. The attacker IP address is 136.127.92.171, and the victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate software. The Trojan malware and the file are the same entity, so there isn’t a way to decouple the malware from the file.
More information:
SY0-701, Objective 4.9 - Log Files
https://professormesser.link/701040901

A16.
A user connects to a third-party website and receives this message:
Your connection is not private. NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication
The Answer: C. On-path
An on-path attack is often associated with a third party who is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a server and most likely produce a timeout error. This error is not related to a service availability issue.
D. Deauthentication
Deauthentication attacks are commonly associated with wireless networks, and they usually cause disconnects and a lack of connectivity. The error message in this example does not appear to be associated with a network outage or disconnection.
More information:
SY0-701, Objective 2.4 - On-Path Attacks
https://professormesser.link/701020409

A17. Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO
The Answer: A. Federation
Federation would allow members of one organization to authenticate using the credentials of another organization.
The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional functionality to authenticate across multiple user databases.
C. EAP
EAP (Extensible Authentication Protocol) is an authentication framework commonly associated with network access control.
EAP by itself does not provide the federation needed to authenticate users against a third-party access database.
D. SSO
SSO (Single Sign-On) describes the process of enabling a single authentication to grant access to many different network services. Obtaining login credentials from a third-party access database does not describe the process used by SSO.
More information:
SY0-701, Objective 4.6 - Identity and Access Management
https://professormesser.link/701040601

A18. A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO
The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.
The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a component.
D. RPO
RPO (Recovery Point Objective) describes the minimum data or operational state required to categorize a system as recovered.
More information:
SY0-701, Objective 5.2 - Business Impact Analysis
https://professormesser.link/701050204

A19. An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path
The Answer: A.
Social engineering
This social engineering attack uses impersonation to take advantage of the authority and urgency principles in an effort to convince someone else to circumvent normal security controls.
The incorrect answers:
B. Supply chain
A supply chain attack focuses on the equipment or raw materials used to deliver products or services to an organization or user. A call to the help desk would not be categorized as part of the supply chain.
C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of a user's local (and usually more secure) network.
D. On-path
An on-path attack commonly occurs without the knowledge of the parties involved, and there’s usually no additional notification that an attack is underway. In this question, the attacker contacted the help desk engineer directly.
More information:
SY0-701, Objective 2.2 - Impersonation
https://professormesser.link/701020203

A20. Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA
The Answer: C. MOA
An MOA (Memorandum of Agreement) is a formal document where both sides agree to a broad set of goals and objectives associated with the partnership.
The incorrect answers:
A. SLA
An SLA (Service Level Agreement) is commonly provided as a formal contract between two
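The following is an added example that is not part of the book; it illustrates the reasoning behind A14 and A15 above in working code. It parses the gateway anti-virus alert format quoted in A15 (recovering the sender, the receiver, the victim, and the download direction from the port numbers), and then applies the two reportable conditions from A14, off-hours access and access from outside the country, to access records that a SIEM would hold after consolidating logs from several devices. The working hours, the home country, the server-port list, and every sample record are assumptions constructed for the example.

```python
"""Added example (not from the book): a SIEM-style pass over constructed
log records. It parses the gateway anti-virus alert format quoted in A15
and applies the two reporting rules from A14 (off-hours access, access
from outside the country) to access records consolidated from several
devices. Working hours, the home country, the server-port list and the
sample records are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Pattern for the alert line shown in A15. The seconds field in the book's
# sample ("03:09:15809") carries extra digits, so \d* absorbs them.
ALERT_RE = re.compile(
    r"^UTC (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\d*\s+"
    r"AV Gateway Alert\s+(?P<src_ip>[\d.]+) (?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+) (?P<dst_port>\d+)\s+"
    r"Gateway Anti-Virus Alert: (?P<threat>\S+) \((?P<category>[^)]+)\) "
    r"(?P<action>\w+)\.?$"
)

# Ports that identify the server side of a flow (assumed list).
SERVER_PORTS = {80: "http", 443: "https", 21: "ftp", 25: "smtp"}


@dataclass
class GatewayAlert:
    timestamp: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    threat: str
    category: str
    action: str

    @property
    def victim_ip(self) -> str:
        # The arrow reads sender -> receiver; the receiving host is the victim.
        return self.dst_ip

    @property
    def direction(self) -> str:
        # A well-known server port on the sending side means the server is
        # delivering content, i.e. the client is downloading.
        if self.src_port in SERVER_PORTS and self.dst_port > 1023:
            return f"download from {SERVER_PORTS[self.src_port]} server"
        if self.dst_port in SERVER_PORTS and self.src_port > 1023:
            return f"upload to {SERVER_PORTS[self.dst_port]} server"
        return "unknown"


def parse_gateway_alert(line: str) -> Optional[GatewayAlert]:
    """Return a GatewayAlert for a line in the A15 format, or None."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return GatewayAlert(ts, m["src_ip"], int(m["src_port"]), m["dst_ip"],
                        int(m["dst_port"]), m["threat"], m["category"],
                        m["action"])


@dataclass
class AccessRecord:
    timestamp: datetime   # normalized to UTC when the record is ingested
    user: str
    device: str           # which device produced the record
    country: str          # from IP geolocation or GPS, as answer A requires


WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours (UTC)
HOME_COUNTRY = "US"                              # assumed


def policy_findings(rec: AccessRecord) -> list[str]:
    """Apply A14's two reportable conditions to one consolidated record."""
    findings = []
    t = rec.timestamp.time()
    if rec.timestamp.weekday() >= 5 or not (WORK_START <= t < WORK_END):
        findings.append("access outside normal working hours")
    if rec.country != HOME_COUNTRY:
        findings.append(f"access from outside the country ({rec.country})")
    return findings


def report(records: list[AccessRecord]) -> dict[str, list[str]]:
    """Map 'device/user@timestamp' to its findings; clean records are omitted."""
    out = {}
    for rec in records:
        f = policy_findings(rec)
        if f:
            out[f"{rec.device}/{rec.user}@{rec.timestamp:%Y-%m-%d %H:%M}"] = f
    return out


# Constructed sample input: the A15 line plus three access records from
# different devices, as a SIEM would hold them after consolidation.
SAMPLE_ALERT = ("UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 "
                "-> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 "
                "(Trojan) blocked.")
SAMPLE_RECORDS = [
    AccessRecord(datetime(2023, 4, 5, 9, 30), "alice", "fileserver01", "US"),
    AccessRecord(datetime(2023, 4, 5, 3, 9), "bob", "db02", "US"),
    AccessRecord(datetime(2023, 4, 6, 14, 0), "carol", "vpn-gw", "BR"),
]

if __name__ == "__main__":
    alert = parse_gateway_alert(SAMPLE_ALERT)
    print(alert.threat, alert.action, alert.direction, "victim:", alert.victim_ip)
    for key, findings in report(SAMPLE_RECORDS).items():
        print(key, "->", "; ".join(findings))
```

The direction inference is the same reasoning the A15 answer uses: port 80 on the sending side of the arrow marks the web server, so the flow is a download to the client on the ephemeral port. The policy pass only works because all records arrive in one store with a normalized timestamp and a country field, which is exactly what consolidating logs on a SIEM and adding location-based login restrictions provide in A14.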