SY0-701-222q-Dump-25-June.pdf

Full Transcript

CompTIA

SY0-701

CompTIA Security+ Exam 2024
Version: 6.0

[ Total Questions: 222]

Web: www.dumpsmate.com

Email: [email protected]
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at [email protected]

Support
If you have any questions about our product, please provide the following items:

exam code
screenshot of the question
login id/email

please contact us at [email protected] and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Verified Questions and Answers CompTIA - SY0-701

Question #:1

Which of the following would be the best ways to ensure only authorized personnel can access a secure
facility? (Select two).

A. Fencing

B. Video surveillance

C. Badge access

D. Access control vestibule

E. Sign-in sheet

F. Sensor

Answer: C D

Explanation
Badge access and access control vestibule are two of the best ways to ensure only authorized personnel can
access a secure facility. Badge access requires the personnel to present a valid and authenticated badge to a
reader or scanner that grants or denies access based on predefined rules and permissions. Access control
vestibule is a physical security measure that consists of a small room or chamber with two doors, one leading
to the outside and one leading to the secure area. The personnel must enter the vestibule and wait for the first
door to close and lock before the second door can be opened. This prevents tailgating or piggybacking by
unauthorized individuals. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter
4, pages 197-1981

Question #:2

Which of the following agreement types defines the time frame in which a vendor needs to respond?

A. SOW

B. SLA

C. MOA

D. MOU

Answer: B

Explanation
A service level agreement (SLA) is a type of agreement that defines the expectations and responsibilities
between a service provider and a customer. It usually includes the quality, availability, and performance
metrics of the service, as well as the time frame in which the provider needs to respond to service requests,

Updated Dumps | Pass 100% 1 of 159
Verified Questions and Answers CompTIA - SY0-701

incidents, or complaints. An SLA can help ensure that the customer receives the desired level of service and
that the provider is accountable for meeting the agreed-upon standards.

References:

Security+ (Plus) Certification | CompTIA IT Certifications, under “About the exam”, bullet point 3:
“Operate with an awareness of applicable regulations and policies, including principles of governance,
risk, and compliance.”

CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 1, page 14: “Service Level
Agreements (SLAs) are contracts between a service provider and a customer that specify the level of
service expected from the service provider.”

Question #:3

A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of
the following should the hosting provider considerfirst?

A. Local data protection regulations

B. Risks from hackers residing in other countries

C. Impacts to existing contractual obligations

D. Time zone differences in log correlation

Answer: A

Explanation
Local data protection regulations are the first thing that a cloud-hosting provider should consider before
expanding its data centers to new international locations. Data protection regulations are laws or standards that
govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different
countries or regions may have different data protection regulations, such as the General Data Protection
Regulation (GDPR) in the European Union, the Personal Information Protection and Electronic Documents
Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States. A
cloud-hosting provider must comply with the local data protection regulations of the countries or regions
where it operates or serves customers, or else it may face legal penalties, fines, or reputational damage.
Therefore, a cloud-hosting provider should research and understand the local data protection regulations of the
new international locations before expanding its data centers there. References = CompTIA Security+ Study
Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 7, page 269. CompTIA
Security+ SY0-701 Exam Objectives, Domain 5.1, page 14.

Question #:4

A client demands at least 99.99% uptime from a service provider's hosted security services. Which of the
following documents includes the information the service provider should return to the client?

A. MOA

B.

Updated Dumps | Pass 100% 2 of 159
Verified Questions and Answers CompTIA - SY0-701

B. SOW

C. MOU

D. SLA

Answer: D

Explanation
A service level agreement (SLA) is a document that defines the level of service expected by a customer from a
service provider, indicating the metrics by which that service is measured, and the remedies or penalties, if
any, should the agreed-upon levels not be achieved. An SLA can specify the minimum uptime or availability
of a service, such as 99.99%, and the consequences for failing to meet that standard. A memorandum of
agreement (MOA), a statement of work (SOW), and amemorandum of understanding (MOU) are other types
of documents that can be used to establish a relationship between parties, but they do not typically include the
details of service levels and performance metrics that an SLA does. References: CompTIA Security+ Study
Guide: Exam SY0-701, 9th Edition, page 16-17

Question #:5

A small business uses kiosks on the sales floor to display product information for customers. A security team
discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely
to document as a security implication of the current architecture?

A. Patch availability

B. Product software compatibility

C. Ease of recovery

D. Cost of replacement

Answer: A

Explanation
End-of-life operating systems are those that are no longer supported by the vendor or manufacturer, meaning
they do not receive any security updates or patches. This makes them vulnerable to exploits and attacks that
take advantage of known or unknown flaws in the software. Patch availability is the security implication of
using end-of-life operating systems, as it affects the ability to fix or prevent security issues. Other factors, such
as product software compatibility, ease of recovery, or cost of replacement, are not directly related to security,
but rather to functionality, availability, or budget. References: CompTIA Security+ Study Guide: Exam
SY0-701, 9th Edition, page 29 1

Question #:6

Which of the following security concepts is the best reason for permissions on a human resources fileshare to
follow the principle of least privilege?

A.

Updated Dumps | Pass 100% 3 of 159
Verified Questions and Answers CompTIA - SY0-701

A. Integrity

B. Availability

C. Confidentiality

D. Non-repudiation

Answer: C

Explanation
Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure.
The principle of least privilege is a technique that grants users or systems the minimum level of access or
permissions that they need to perform their tasks, and nothing more. By applying the principle of least
privilege to a human resources fileshare, the permissions can be restricted to only those who have a legitimate
need to access the sensitive data, such as HR staff, managers, or auditors. This can prevent unauthorized users,
such as hackers, employees, or contractors, from accessing, copying, modifying, or deleting the data.
Therefore, the principle of least privilege can enhance the confidentiality of the data on the fileshare. Integrity,
availability, and non-repudiation are other security concepts, but they are not the best reason for permissions
on a human resources fileshare to follow the principle of least privilege. Integrity is the security concept that
ensures data is accurate and consistent, and protected from unauthorized modification or corruption.
Availabilityis the security concept that ensures data is accessible and usable by authorized users or systems
when needed. Non-repudiation is the security concept that ensures the authenticity and accountability of data
and actions, and prevents the denial of involvement or responsibility. While these concepts are also important
for data security, they are not directly related to the level of access or permissions granted to users or systems.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17, 372-373

Question #:7

A company is planning a disaster recovery site and needs to ensure that a single natural disaster would not
result in the complete loss of regulated backup data. Which of the following should the company consider?

A. Geographic dispersion

B. Platform diversity

C. Hot site

D. Load balancing

Answer: A

Explanation
Geographic dispersion is the practice of having backup data stored in different locations that are far enough
apart to minimize the risk of a single natural disaster affecting both sites. This ensures that the company can
recover its regulated data in case of a disaster at the primary site. Platform diversity, hot site, and load

Updated Dumps | Pass 100% 4 of 159
Verified Questions and Answers CompTIA - SY0-701

balancing are not directly related to the protection of backup data from natural
disasters. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 449; Disaster
Recovery Planning: Geographic Diversity

Question #:8

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical
systems located in other countries?

A. Hacktivist

B. Whistleblower

C. Organized crime

D. Unskilled attacker

Answer: C

Explanation
Organized crime is a type of threat actor that is motivated by financial gain and often operates across national
borders. Organized crime groups may be hired by foreign governments to conduct cyberattacks on critical
systems located in other countries, such as power grids, military networks, or financial institutions. Organized
crime groups have the resources, skills, and connections to carry out sophisticated and persistent attacks that
can cause significant damage and disruption12. References = 1: Threat Actors - CompTIA Security+ SY0-701
- 2.1 2: CompTIA Security+ SY0-701 Certification Study Guide

Question #:9

A company that is located in an area prone to hurricanes is developing a disaster recovery plan and looking at
site considerations that allow the company to immediately continue operations. Which of the following is the
best type of site for this company?

A. Cold

B. Tertiary

C. Warm

D. Hot

Answer: D

Explanation
For a company located in an area prone to hurricanes and needing to immediately continue operations, the best
type of site is a hot site. A hot site is a fully operational offsite data center that is equipped with hardware,
software, and network connectivity and is ready to take over operations with minimal downtime.

Hot site:Fully operational and can take over business operations almost immediately after a disaster.

Updated Dumps | Pass 100% 5 of 159
Verified Questions and Answers CompTIA - SY0-701

Cold site:A basic site with infrastructure in place but without hardware or data, requiring significant
time to become operational.

Tertiary site:Not a standard term in disaster recovery; it usually refers to an additional backup location
but lacks the specifics of readiness.

Warm site:Equipped with hardware and connectivity but requires some time and effort to become fully
operational, not as immediate as a hot site.

Question #:10

Malware spread across a company's network after an employee visited a compromised industry blog. Which of
the following best describes this type of attack?

A. Impersonation

B. Disinformation

C. Watering-hole

D. Smishing

Answer: C

Explanation
A watering-hole attack is a type of cyberattack that targets groups of users by infecting websites that they
commonly visit. The attackers exploit vulnerabilities to deliver a malicious payload to the organization’s
network. The attack aims to infect users’ computers and gain access to a connected corporate network. The
attackers target websites known to be popular among members of a particular organization or
demographic. The attack differs from phishing and spear-phishing attacks, which typically attempt to steal
data or install malware onto users’ devices1

In this scenario, the compromised industry blog is the watering hole that the attackers used to spread malware
across the company’s network. The attackers likely chose this blog because they knew that the employees of
the company were interested in its content and visited it frequently. The attackers may have injected malicious
code into the blog or redirected the visitors to a spoofed website that hosted the malware. The malware then
infected the employees’ computers and propagated to the network.

References1: Watering Hole Attacks: Stages, Examples, Risk Factors & Defense …

Question #:11

An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the
following would bemostrelevant for the analyst to evaluate?

A. Secured zones A Is the Correct Answer
B. Subject role

Updated Dumps | Pass 100% 6 of 159
Verified Questions and Answers CompTIA - SY0-701

C. Adaptive identity

D. Threat scope reduction

Answer: D

Explanation
The data plane, also known as the forwarding plane, is the part of the network that carries user traffic and
data. It is responsible for moving packets from one device to another based on the routing and switching
decisions made by the control plane. The data plane is a critical component of the Zero Trust architecture, as it
is where most of the attacks and breaches occur. Therefore, implementing Zero Trust principles within the data
plane can help to improve the security and resilience of the network.

One of the key principles of Zero Trust is to assume breach and minimize the blast radius and segment access.
This means that the network should be divided into smaller and isolated segments or zones, each with its own
security policies and controls. This way, if one segment is compromised, the attacker cannot easily move
laterally to other segments and access more resources or data. This principle is also known as threat scope
reduction, as it reduces the scope and impact of a potential threat.

The other options are not as relevant for the data plane as threat scope reduction. Secured zones are a concept
related to the control plane, which is the part of the network that makes routing and switching decisions.
Subject role is a concept related to the identity plane, which is the part of the network that authenticates and
authorizesusers and devices. Adaptive identity is a concept related to the policy plane, which is the part of the
network that defines and enforces the security policies and rules.

References = https://bing.com/search?q=Zero+Trust+data+plane

https://learn.microsoft.com/en-us/security/zero-trust/deploy/data

Question #:12

An enterprise has been experiencing attacks focused on exploiting vulnerabilities in older browser versions
with well-known exploits. Which of the following security solutions should be configured to best provide the
ability to monitor and block these known signature-based attacks?

A. ACL

B. DLP

C. IDS

D. IPS

Answer: D

Explanation
An intrusion prevention system (IPS) is a security device that monitors network traffic and blocks or modifies

Updated Dumps | Pass 100% 7 of 159
Verified Questions and Answers CompTIA - SY0-701

malicious packets based on predefined rules or signatures. An IPS can prevent attacks that exploit known
vulnerabilities in older browser versions by detecting and dropping the malicious packets before they reach the
target system. An IPS can also perform other functions, such as rate limiting, encryption, or
redirection. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3: Securing
Networks, page 132.

Question #:13

Which of the following security concepts is accomplished with the installation of a RADIUS server?

A. CIA

B. AAA

C. ACL

D. PEM

Answer: B

Explanation
The installation of a RADIUS server (Remote Authentication Dial-In User Service) is primarily associated
with the security concept of AAA, which stands for Authentication, Authorization, and Accounting. RADIUS
servers are used to manage user credentials and permissions centrally, ensuring that only authenticated and
authorized users can access network resources, and tracking user activity for accounting purposes.

Authentication:Verifies the identity of a user or device. When a user tries to access a network, the
RADIUS server checks their credentials (username and password) against a database.

Authorization:Determines what an authenticated user is allowed to do. After authentication, the
RADIUS server grants permissions based on predefined policies.

Accounting:Tracks the consumption of network resources by users. This involves logging session
details such as the duration of connections and the amount of data transferred.

Question #:14

Which of the following is thebestway to consistently determine on a daily basis whether security settings on
servers have been modified?

A. Automation

B. Compliance checklist

C. Attestation

D. Manual audit

Answer: A

Updated Dumps | Pass 100% 8 of 159
Verified Questions and Answers CompTIA - SY0-701

Explanation
Automation is the best way to consistently determine on a daily basis whether security settings on servers
have been modified. Automation is the process of using software, hardware, or other tools to perform tasks
that would otherwise require human intervention or manual effort. Automation can help to improve the
efficiency, accuracy, and consistency of security operations, as well as reduce human errors and costs.
Automation can be used to monitor, audit, and enforce security settings on servers, such as firewall rules,
encryption keys, access controls, patch levels, and configuration files. Automation can also alert security
personnel of any changes or anomalies that may indicate a security breach or compromise12.

The other options are not the best ways to consistently determine on a daily basis whether security settings on
servers have been modified:

Compliance checklist: This is a document that lists the security requirements, standards, or best
practices that an organization must follow or adhere to. A compliance checklist can help to ensure that
the security settings on servers are aligned with the organizational policies and regulations, but it does
not automatically detect or report any changes or modifications that may occur on a daily basis3.

Attestation: This is a process of verifying or confirming the validity or accuracy of a statement, claim, or
fact. Attestation can be used to provide assurance or evidence that the security settings on servers are
correct and authorized, but it does not continuously monitor or audit any changes or modifications that
may occur on a daily basis4.

Manual audit: This is a process of examining or reviewing the security settings on servers by human
inspectors or auditors. A manual audit can help to identify and correct any security issues or
discrepancies on servers, but it is time-consuming, labor-intensive, and prone to human errors. A manual
audit may not be feasible or practical to perform on a daily basis.

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 1022: Automation and
Scripting – CompTIA Security+ SY0-701 – 5.1, video by Professor Messer3: CompTIA Security+ SY0-701
Certification Study Guide, page 974: CompTIA Security+ SY0-701 Certification Study Guide, page 98. :
CompTIA Security+ SY0-701 Certification Study Guide, page 99.

Question #:15

A security analyst reviews domain activity logs and notices the following:

Which of the following is thebestexplanation for what the security analyst has discovered?

A. The user jsmith's account has been locked out.

B. A keylogger is installed on [smith's workstation

C.

Updated Dumps | Pass 100% 9 of 159
Verified Questions and Answers CompTIA - SY0-701

C. An attacker is attempting to brute force ismith's account.

D. Ransomware has been deployed in the domain.

Answer: C

Explanation
Brute force is a type of attack that tries to guess the password or other credentials of a user account by using a
large number of possible combinations. An attacker can use automated toolsor scripts to perform a brute force
attack and gain unauthorized access to the account. The domain activity logs show that the user ismith has
failed to log in 10 times in a row within a short period of time, which is a strong indicator of a brute force
attack. The logs also show that the source IP address of the failed logins is different from the usual IP address
of ismith, which suggests that the attacker is using a different device or location to launch the attack. The
security analyst should take immediate action to block the attacker’s IP address, reset ismith’s password, and
notify ismith of the incident. References = CompTIA Security+ Study Guide with over 500 Practice Test
Questions: Exam SY0-701, 9th Edition, Chapter 1, page 14. CompTIA Security+ (SY0-701) Certification
Exam Objectives, Domain 1.1, page 2. Threat Actors and Attributes – SY0-601 CompTIA Security+ : 1.1

Question #:16

The CIRT is reviewing an incident that involved a human resources recruiter exfiltration sensitive company
data. The CIRT found that the recruiter was able to use HTTP over port 53 to upload documents to a web
server. Which of the following security infrastructure devices could have identified and blocked this activity?

A. WAF utilizing SSL decryption

B. NGFW utilizing application inspection

C. UTM utilizing a threat feed

D. SD-WAN utilizing IPSec

Answer: B

Explanation
An NGFW (Next-Generation Firewall) utilizing application inspection could have identified and blocked the
unusual use of HTTP over port 53. Application inspection allows NGFWs to analyze traffic at the application
layer, identifying and blocking suspicious or non-standard protocol usage, such as HTTP traffic on DNS port
53.

NGFW utilizing application inspection:Inspects traffic at the application layer and can block
non-standard protocol usage, such as HTTP over port 53.

WAF utilizing SSL decryption:Focuses on protecting web applications and decrypting SSL traffic but
may not detect the use of HTTP over port 53.

UTM utilizing a threat feed:Provides comprehensive security but may not focus specifically on
application layer inspection.

Updated Dumps | Pass 100% 10 of 159
Verified Questions and Answers CompTIA - SY0-701

SD-WAN utilizing IPSec:Enhances secure WAN connections but is not primarily designed to inspect
and block specific application traffic.

Question #:17

A security analyst scans a company's public network and discovers a host is running a remote desktop that can
be used to access the production network. Which of the following changes should the security analyst
recommend?

A. Changing the remote desktop port to a non-standard number

B. Setting up a VPN and placing the jump server inside the firewall

C. Using a proxy for web connections from the remote desktop server

D. Connecting the remote server to the domain and increasing the password length

Answer: B

Explanation
A VPN is a virtual private network that creates a secure tunnel between two or more devices over a public
network. A VPN can encrypt and authenticate the data, as well as hide the IP addresses and locations of the
devices. A jump server is a server that acts as an intermediary between a user and a target server, such as a
production server. A jump server can provide an additional layer of security and access control, as well as
logging and auditing capabilities. A firewall is a device or software that filters and blocks unwanted network
traffic based on predefined rules. A firewall can protect the internal network from external threats and limit the
exposure of sensitive services and ports. A security analyst should recommend setting up a VPN and placing
the jump server inside the firewall to improve the security of the remote desktop access to the production
network. This way, the remote desktop service will not be exposed to the public network, and only authorized
users with VPN credentials can access the jump server and then the production server. References: CompTIA
Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 8: Secure Protocols and Services, page
382-383 1; Chapter 9: Network Security, page 441-442 1

Question #:18

After a security awareness training session, a user called the IT help desk and reported a suspicious call. The
suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an
invoice. Which of the following topics did the user recognize from the training?

A. Insider threat

B. Email phishing

C. Social engineering

D. Executive whaling

Answer: C

Updated Dumps | Pass 100% 11 of 159
Verified Questions and Answers CompTIA - SY0-701

Explanation
Social engineering is the practice of manipulating people into performing actions or divulging confidential
information, often by impersonating someone else or creating a sense of urgency or trust. The suspicious caller
in this scenario was trying to use social engineering to trick the user into giving away credit card information
by pretending to be the CFO and asking for a payment. The user recognized this as a potential scam and
reported it to the IT help desk. The other topics are not relevant to this situation. References: CompTIA
Security+ Study Guide: Exam SY0-701, 9th Edition, page 19 1

Question #:19

A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis
Which of the following types of controls is the company setting up?

A. Corrective

B. Preventive

C. Detective

D. Deterrent

Answer: C

Explanation
A detective control is a type of security control that monitors and analyzes events to detect and report on
potential or actual security incidents. A SIEM system is an example of a detective control, as it collects,
correlates, and analyzes security data from various sources and generates alerts for security teams. Corrective,
preventive, and deterrent controls are different types of security controls that aim to restore, protect, or
discourage security breaches, respectively. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th
Edition, page 33; What is Security Information and Event Management (SIEM)?

Question #:20

A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider.
Which of the following is a risk in the new system?

A. Default credentials

B. Non-segmented network

C. Supply chain vendor

D. Vulnerable software

Answer: C

Explanation
A supply chain vendor is a third-party entity that provides goods or services to an organization, such as a SaaS

Updated Dumps | Pass 100% 12 of 159
Verified Questions and Answers CompTIA - SY0-701

provider. A supply chain vendor can pose a risk to the new system if the vendor has poor security practices,
breaches, or compromises that could affect the confidentiality, integrity, or availability of the system or its
data. The organization should perform due diligence and establish a service level agreement with the vendor to
mitigate this risk. The other options are not specific to the scenario of using a SaaS provider, but rather general
risks that could apply to any system.

Question #:21

While troubleshooting a firewall configuration, a technician determines that a “deny any” policy should be
added to the bottom of the ACL. The technician updates the policy, but the new policy causes several
company servers to become unreachable.

Which of the following actions would prevent this issue?

A. Documenting the new policy in a change request and submitting the request to change management

B. Testing the policy in a non-production environment before enabling the policy in the production
network

C. Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the new policy

D. Including an 'allow any1 policy above the 'deny any* policy

Answer: B

Explanation
A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall policy
should be carefully designed and tested before being implemented, as a misconfigured policy can cause
network disruptions or security breaches. A common best practice is to test the policy in a non-production
environment, such as a lab or a simulation, before enabling the policy in the production network. This way, the
technician can verify the functionality and performance of the policy, and identify and resolve any issues or
conflicts, without affecting the live network. Testing the policy in a non-production environment would
prevent the issue of the ‘deny any’ policy causing several company servers to become unreachable, as the
technician would be able to detect and correct the problem before applying the policy to the production
network.

Documenting the new policy in a change request and submitting the request to change management is a good
practice, but it would not prevent the issue by itself. Change management is a process that ensures that any
changes to the network are authorized, documented, and communicated, but it does not guarantee that the
changes are error-free or functional. The technician still needs to test the policy before implementing it.

Disabling any intrusion prevention signatures on the ‘deny any’ policy prior to enabling the new policy would
not prevent the issue, and it could reduce the security of the network. Intrusion prevention signatures are
patterns that identify malicious or unwanted traffic, and allow the firewall to block or alert on such traffic.
Disabling these signatures would make the firewall less effective in detecting and preventing attacks, and it
would not affect the reachability of the company servers.

Including an ‘allow any’ policy above the ‘deny any’ policy would not prevent the issue, and it would render
the ‘deny any’ policy useless. A firewall policy is processed from top to bottom, and the first matching rule is
applied. An ‘allow any’ policy would match any traffic and allow it to pass through the firewall, regardless of

Updated Dumps | Pass 100% 13 of 159
Verified Questions and Answers CompTIA - SY0-701

the source, destination, or protocol. This would negate the purpose of the ‘deny any’ policy, which is to block
any traffic that does not match any of the previous rules. Moreover, an ‘allow any’ policy would create a
security risk, as it would allow any unauthorized or malicious traffic to enter or exit the
network. References = CompTIA Security+ SY0-701 Certification StudyGuide, page 204-205; Professor
Messer’s CompTIA SY0-701 Security+ Training Course, video 2.1 - Network Security Devices, 8:00 - 10:00.

Question #:22

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS
requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following
firewall ACLs will accomplish this goal?

A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53

Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53

B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53

Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53

Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53

D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53

Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

Answer: D

Explanation
A firewall ACL (access control list) is a set of rules that determines which traffic is allowed or denied by the
firewall. The rules are processed in order, from top to bottom, until a match is found. The syntax of a firewall
ACL rule is:

Access list

To limit outbound DNS traffic originating from the internal network, the firewall ACL should allow only the
device with the IP address 10.50.10.25 to send DNS requests toany destination on port 53, and deny all other
outbound traffic on port 53. The correct firewall ACL is:

Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0
port 53

The first rule permits outbound traffic from the source address 10.50.10.25/32 (a single host) to any
destination address (0.0.0.0/0) on port 53 (DNS). The second rule denies all other outbound traffic on port 532.

References: CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4, page 175.

Updated Dumps | Pass 100% 14 of 159
Verified Questions and Answers CompTIA - SY0-701

Question #:23

Which of the following describes the maximum allowance of accepted risk?

A. Risk indicator

B. Risk level

C. Risk score

D. Risk threshold

Answer: D

Explanation
Risk threshold is the maximum amount of risk that an organization is willing to accept for a given activity or
decision. It is also known as risk appetite or risk tolerance. Risk threshold helps an organization to prioritize
and allocate resources for risk management. Risk indicator, risk level, and risk score are different ways of
measuring or expressing the likelihood and impact of a risk, but they do not describe the maximum allowance
of accepted risk. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page
34; Accepting Risk: Definition, How It Works, and Alternatives

Question #:24

An engineer needs to find a solution that creates an added layer of security by preventing unauthorized access
to internal company resources. Which of the following would be thebestsolution?

A. RDP server

B. Jump server

C. Proxy server

D. Hypervisor

Answer: B

Explanation
= A jump server is a server that acts as an intermediary between a user and a target system. A jump server can
provide an added layer of security by preventing unauthorized access to internal company resources. A user
can connect to the jump server using a secure protocol, such as SSH, and then access the target system from
the jump server. This way, the target system is isolated from the external network and only accessible through
the jump server. A jump server can also enforce security policies, such as authentication, authorization,
logging, and auditing, on the user’s connection. A jump server is also known as a bastion host or a jump
box. References = CompTIA Security+ Certification Exam Objectives, Domain 3.3: Given a scenario,
implement secure network architecture concepts. CompTIA Security+ Study Guide(SY0-701), Chapter 3:
Network Architecture and Design, page 101. Other Network Appliances – SY0-601 CompTIA Security+ : 3.3,
Video 3:03. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 2.

Updated Dumps | Pass 100% 15 of 159
Verified Questions and Answers CompTIA - SY0-701

Question #:25

Which of the following describes the category of data that is most impacted when it is lost?

A. Confidential

B. Public

C. Private

D. Critical

Answer: D

Explanation
The category of data that is most impacted when it is lost is "Critical." Critical data is essential to the
organization’s operations and often includes sensitive information such as financial records, proprietary
business information, and vital operational data. The loss of critical data can severely disrupt business
operations and have significant financial, legal, and reputational consequences.

Confidential:Refers to data that must be protected from unauthorized access to maintain privacy and
security.

Public:Refers to data that is intended for public disclosure and whose loss does not have severe
consequences.

Private:Typically refers to personal data that needs to be protected to ensure privacy.

Critical:Refers to data that is essential for the operation and survival of the organization, and its loss
can have devastating impacts.

Question #:26

A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis.
Which of the following types of controls is the company setting up?

A. Corrective

B. Preventive

C. Detective

D. Deterrent

Answer: C

Explanation
A detective control is a type of control that monitors and analyzes the events and activities in a system or a

Updated Dumps | Pass 100% 16 of 159
Verified Questions and Answers CompTIA - SY0-701

network, and alerts or reports when an incident or a violation occurs. A SIEM (Security Information and Event
Management) system is a tool that collects, correlates, and analyzes the logs from various sources, such as
firewalls, routers, servers, or applications, and provides a centralized view of the security status and incidents.
An analyst who reviews the logs on a weekly basis can identify and investigate any anomalies, trends, or
patterns that indicate a potential threat or a breach. A detective control can help the company to respond
quickly and effectively to the incidents, and to improve its security posture and
resilience. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions:Exam
SY0-701, 9th Edition, Chapter 1, page 23. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.3, page
14.

Question #:27

A security analyst is investigating an alert that was produced by endpoint protection software. The analyst
determines this event was a false positive triggered by an employee who attempted to download a file. Which
of the following is the most likely reason the download was blocked?

A. A misconfiguration in the endpoint protection software

B. A zero-day vulnerability in the file

C. A supply chain attack on the endpoint protection vendor

D. Incorrect file permissions

Answer: A

Explanation
The most likely reason the download was blocked, resulting in a false positive, is a misconfiguration in the
endpoint protection software. False positives occur when legitimate actions are incorrectly identified as threats
due to incorrect settings or overly aggressive rules in the security software.

Misconfiguration in the endpoint protection software:Common cause of false positives, where
legitimate activities are flagged incorrectly due to improper settings.

Zero-day vulnerability:Refers to previously unknown vulnerabilities, which are less likely to be
associated with a false positive.

Supply chain attack:Involves compromising the software supply chain, which is a broader and more
severe issue than a simple download being blocked.

Incorrect file permissions:Would prevent access to files but not typically cause an alert in endpoint
protection software.

Question #:28

A systems administrator would like to deploy a change to a production system. Which of the following must
the administrator submit to demonstrate that the system can be restored to a working state in the event of a
performance issue?

A. Backout plan

Updated Dumps | Pass 100% 17 of 159
Verified Questions and Answers CompTIA - SY0-701

B. Impact analysis

C. Test procedure

D. Approval procedure

Answer: A

Explanation
To demonstrate that the system can be restored to a working state in the event of a performance issue after
deploying a change, the systems administrator must submit a backout plan. A backout plan outlines the steps
to revert the system to its previous state if the new deployment causes problems.

Backout plan:Provides detailed steps to revert changes and restore the system to its previous state in
case of issues, ensuring minimal disruption and quick recovery.

Impact analysis:Evaluates the potential effects of a change but does not provide steps to revert changes.

Test procedure:Details the steps for testing the change but does not address restoring the system to a
previous state.

Approval procedure:Involves obtaining permissions for the change but does not ensure system
recovery in case of issues.

Question #:29

Employees in the research and development business unit receive extensive training to ensure they understand
how to best protect company data. Which of the following is the type of data these employees aremostlikely to
use in day-to-day work activities?

A. Encrypted

B. Intellectual property

C. Critical

D. Data in transit

Answer: B

Explanation
Intellectual property is a type of data that consists of ideas, inventions, designs, or other creative works that
have commercial value and are protected by law. Employees in the research and development business unit are
most likely to use intellectual property data in their day-to-day work activities, as they are involved in creating
new products or services for the company. Intellectual property data needs to be protected from unauthorized
use, disclosure, or theft, as it can give the company a competitive advantage in the market. Therefore, these

Updated Dumps | Pass 100% 18 of 159
Verified Questions and Answers CompTIA - SY0-701

employees receive extensive training to ensure they understand how to best protect this type of
data. References = CompTIA Security+ SY0-701 Certification Study Guide, page 90; Professor Messer’s
CompTIA SY0-701 Security+ Training Course, video 1.2 - Security Concepts, 7:57 - 9:03.

Question #:30

A company hired a consultant to perform an offensive security assessment covering penetration testing and
social engineering.

Which of the following teams will conduct this assessment activity?

A. White

B. Purple

C. Blue

D. Red

Answer: D

Explanation
A red team is a group of security professionals who perform offensive security assessments covering
penetration testing and social engineering. A red team simulates real-world attacks and exploits the
vulnerabilities of a target organization, system, or network. A red team aims to test the effectiveness of the
security controls, policies, and procedures of the target, as well as the awareness and response of the staff and
the blue team. A red team can be hired as an external consultant or formed internally within the
organization. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam
SY0-701, 9th Edition, Chapter 1, page 18. CompTIA Security+ (SY0-701) Certification Exam Objectives,
Domain 1.8, page 4. Security Teams – SY0-601 CompTIA Security+ : 1.8

Question #:31

An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift
cards. Which of the following techniques is the attacker using?

A. Smishing

B. Disinformation

C. Impersonating C Is the Correct Answer
D. Whaling

Answer: D

Explanation
Whaling is a type of phishing attack that targets high-profile individuals, such as executives, celebrities, or
politicians. The attacker impersonates someone with authority or influence and tries to trick the victim into

Updated Dumps | Pass 100% 19 of 159
Verified Questions and Answers CompTIA - SY0-701

performing an action, such as transferring money, revealing sensitive information, or clicking on a malicious
link. Whaling is also called CEO fraud or business email compromise2.

References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 97.

Question #:32

Which of the following would be best suited for constantly changing environments?

A. RTOS

B. Containers

C. Embedded systems

D. SCADA

Answer: B

Explanation
Containers are a method of virtualization that allows applications to run in isolated environments with their
own dependencies, libraries, and configurations. Containers are best suited for constantly changing
environments because they are lightweight, portable, scalable, and easy to deploy and update. Containers can
also support microservices architectures, which enable faster and more frequent delivery of software
features. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 10: Mobile
Device Security, page 512 1

Question #:33

A software developer released a new application and is distributing application files via the developer's
website. Which of the following should the developer post on the website to allow users to verify the integrity
of the downloaded files?

A. Hashes

B. Certificates

C. Algorithms

D. Salting

Answer: A

Explanation
To verify the integrity of downloaded files, a software developer should post hashes on the website. A hash is
a fixed-length string or number generated from input data, such as a file. When users download the application
files, they can generate their own hash from the downloaded files and compare it with the hash provided by the

Updated Dumps | Pass 100% 20 of 159
Verified Questions and Answers CompTIA - SY0-701

developer. If the hashes match, it confirms that the files have not been altered or corrupted during the
download process.

Hashes:Ensure data integrity by allowing users to verify that the downloaded files are identical to the
original ones. Common hashing algorithms include MD5, SHA-1, and SHA-256.

Certificates and Algorithms:Are more related to ensuring authenticity and securing communications
rather than verifying file integrity.

Salting:Is a technique used in hashing passwords to add an additional layer of security, not for verifying
file integrity.

Question #:34

To improve the security at a data center, a security administrator implements a CCTV system and posts several
signs about the possibility of being filmed. Which of the following best describe these types of controls?
(Select two).

A. Preventive

B. Deterrent

C. Corrective

D. Directive

E. Compensating

F. Detective

Answer: B F

Explanation
The CCTV system and signs about the possibility of being filmed serve as both deterrent and detective
controls.

Deterrent controls:Aim to discourage potential attackers from attempting unauthorized actions. Posting
signs about CCTV serves as a deterrent by warning individuals that their actions are being monitored.

Detective controls:Identify and record unauthorized or suspicious activity. The CCTV system itself
functions as a detective control by capturing and recording footage that can be reviewed later.

Preventive controls:Aim to prevent security incidents but are not directly addressed by the CCTV and
signs in this context.

Updated Dumps | Pass 100% 21 of 159
Verified Questions and Answers CompTIA - SY0-701

Corrective controls:Aim to correct or mitigate the impact of a security incident.

Directive controls:Provide guidelines or instructions but are not directly addressed by the CCTV and
signs.

Compensating controls:Provide alternative measures to compensate for the absence or failure of
primary controls.

Question #:35

Which of the following is the most common data loss path for an air-gapped network?

A. Bastion host

B. Unsecured Bluetooth

C. Unpatched OS

D. Removable devices

Answer: D

Explanation
An air-gapped network is a network that is physically isolated from other networks, such as the internet, to
prevent unauthorized access and data leakage. However, an air-gapped network can still be compromised by
removable devices, such as USB drives, CDs, DVDs, or external hard drives, that are used to transfer data
between the air-gapped network and other networks. Removable devices can carry malware, spyware, or other
malicious code that can infect the air-gapped network or exfiltrate data from it. Therefore, removable devices
are the most common data loss path for an air-gapped network. References: CompTIA Security+ Study Guide:
Exam SY0-701, 9th Edition, Chapter 9: Network Security, page 449 1

Question #:36

An organization wants a third-party vendor to do a penetration test that targets a specific device. The
organization has provided basic information about the device. Which of the following best describes this kind
of penetration test?

A. Partially known environment

B. Unknown environment

C. Integrated

D. Known environment

Answer: A

Explanation

Updated Dumps | Pass 100% 22 of 159
Verified Questions and Answers CompTIA - SY0-701

A partially known environment is a type of penetration test where the tester has some information about the
target, such as the IP address, the operating system, or the device type. This can help the tester focus on
specific vulnerabilities and reduce the scope of the test. A partially known environment is also called a gray
box test1.

References: CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 10, page 543.

Question #:37

A company is required to use certified hardware when building networks. Which of the following best
addresses the risks associated with procuring counterfeit hardware?

A. A thorough analysis of the supply chain

B. A legally enforceable corporate acquisition policy

C. A right to audit clause in vendor contracts and SOWs

D. An in-depth penetration test of all suppliers and vendors

Answer: A

Explanation
Counterfeit hardware is hardware that is built or modified without the authorization of the original equipment
manufacturer (OEM). It can pose serious risks to network quality, performance, safety, and
reliability12. Counterfeit hardware can also contain maliciouscomponents that can compromise the security of
the network and the data that flowsthrough it3. To address the risks associated with procuring counterfeit
hardware, a company should conduct a thorough analysis of the supply chain, which is the network of entities
involved in the production, distribution, and delivery of the hardware. By analyzing the supply chain, the
company can verify the origin, authenticity, and integrityof the hardware, and identify any potential sources of
counterfeit or tampered products. A thorough analysis of the supply chain can include the following steps:

Establishing a trusted relationship with the OEM and authorized resellers

Requesting documentation and certification of the hardware from the OEM or authorized resellers

Inspecting the hardware for any signs of tampering, such as mismatched labels, serial numbers, or
components

Testing the hardware for functionality, performance, and security

Implementing a tracking system to monitor the hardware throughout its lifecycle

Reporting any suspicious or counterfeit hardware to the OEM and law enforcement
agencies References = 1: Identify Counterfeit and Pirated Products - Cisco, 2: What Is Hardware
Security? Definition, Threats, and Best Practices, 3: Beware of Counterfeit Network Equipment -
TechNewsWorld, : Counterfeit Hardware: The Threat and How to Avoid It

Updated Dumps | Pass 100% 23 of 159
Verified Questions and Answers CompTIA - SY0-701

Question #:38

Which of the following is the phase in the incident response process when a security analyst reviews roles and
responsibilities?

A. Preparation

B. Recovery

C. Lessons learned

D. Analysis

Answer: A

Explanation
Preparation is the phase in the incident response process when a security analyst reviews roles and
responsibilities, as well as the policies and procedures for handling incidents. Preparation also involves
gathering and maintaining the necessary tools, resources, and contacts for responding to incidents. Preparation
can help a security analyst to be ready and proactive when an incident occurs, as well as to reduce the impact
and duration of the incident.

Some of the activities that a security analyst performs during the preparation phase are:

Defining the roles and responsibilities of the incident response team members, such as the incident
manager, the incident coordinator, the technical lead, the communications lead, and the legal advisor.

Establishing the incident response plan, which outlines the objectives, scope, authority, and procedures
for responding to incidents, as well as the escalation and reporting mechanisms.

Developing the incident response policy, which defines the types and categories of incidents, the
severity levels, the notification and reporting requirements, and the roles and responsibilities of the
stakeholders.

Creating the incident response playbook, which provides the step-by-step guidance and checklists for
handling specific types of incidents, such as denial-of-service, ransomware, phishing, or data breach.

Acquiring and testing the incident response tools, such as network and host-based scanners, malware
analysis tools, forensic tools, backup and recovery tools, and communication and collaboration tools.

Identifying and securing the incident response resources, such as the incident response team, the
incident response location, the evidence storage, and the external support.

Building and maintaining the incident response contacts, such as the internal and external stakeholders,
the law enforcement agencies, the regulatory bodies, and the media.

References:

CompTIA Security+ SY0-701 Certification Study Guide, Chapter 6: Architecture and Design, Section
6.4: Secure Systems Design, p. 279-280

Updated Dumps | Pass 100% 24 of 159
Verified Questions and Answers CompTIA - SY0-701

CompTIA Security+ SY0-701 Certification Exam Objectives, Domain 3: Architecture and Design,
Objective 3.5: Given a scenario, implement secure network architecture concepts, Sub-objective:
Incident response, p. 16

Question #:39

A systems administrator is working on a solution with the following requirements:

Provide a secure zone.

Enforce a company-wide access control policy.

Reduce the scope of threats.

Which of the following is the systems administrator setting up?

A. Zero Trust

B. AAA

C. Non-repudiation

D. CIA

Answer: A

Explanation
Zero Trust is a security model that assumes no trust for any entity inside or outside the network perimeter and
requires continuous verification of identity and permissions. Zero Trust can provide a secure zone by isolating
and protecting sensitive data and resources from unauthorized access. Zero Trust can also enforce a
company-wide access control policy by applying the principle of least privilege and granular segmentation for
users, devices, and applications. Zero Trust can reduce the scope of threats by preventing lateral movement
and minimizing the attack surface.

References:

5: This source explains the concept and benefits of Zero Trust security and how it differs from
traditional security models.

8: This source provides an overview of Zero Trust identity security and how it can help verify the
identity and integrity of users and devices.

Question #:40

Which of the following is used to add extra complexity before using a one-way data transformation algorithm?

A. Key stretching

Updated Dumps | Pass 100% 25 of 159
Verified Questions and Answers CompTIA - SY0-701

B. Data masking

C. Steganography

D. Salting

Answer: D

Explanation
Salting is the process of adding extra random data to a password or other data before applying a one-way data
transformation algorithm, such as a hash function. Salting increases the complexity and randomness of the
input data, making it harder for attackers to guess or crack the original data using precomputed tables or brute
force methods. Salting also helps prevent identical passwords from producing identical hash values, which
could reveal the passwords to attackers who have access to thehashed data. Salting is commonly used to
protect passwords stored in databases or transmitted over networks. References =

Passwords technical overview

Encryption, hashing, salting – what’s the difference?

Salt (cryptography)

Question #:41

Which of the following describes a security alerting and monitoring tool that collects system, application, and
network logs from multiple sources in a centralized system?

A. SIEM

B. DLP

C. IDS

D. SNMP

Answer: A

Explanation
SIEM stands for Security Information and Event Management. It is a security alerting and monitoring tool that
collects system, application, and network logs from multiple sources in a centralized system. SIEM can
analyze the collected data, correlate events, generate alerts, and provide reports and dashboards. SIEM can
also integrate with other security tools and support compliance requirements. SIEM helps organizations to
detect and respond to cyber threats, improve security posture, and reduce operational costs. References:
CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 10: Monitoring and Auditing, page
393. CompTIA Security+ Practice Tests: Exam SY0-701, 3rd Edition, Chapter 10: Monitoring and Auditing,
page 397.

Updated Dumps | Pass 100% 26 of 159
Verified Questions and Answers CompTIA - SY0-701

Question #:42

An accounting clerk sent money to an attacker's bank account after receiving fraudulent instructions to use a
new account. Which of the following would most likely prevent this activity in the future?

A. Standardizing security incident reporting

B. Executing regular phishing campaigns

C. Implementing insider threat detection measures

D. Updating processes for sending wire transfers

Answer: D

Explanation
To prevent an accounting clerk from sending money to an attacker's bank account due to fraudulent
instructions, the most effective measure would be updating the processes for sending wire transfers. This can
include implementing verification steps, such as requiring multiple approvals for changes in payment
instructions and directly confirming new account details with trusted sources.

Updating processes for sending wire transfers:Involves adding verification and approval steps to
prevent fraudulent transfers.

Standardizing security incident reporting:Important for handling incidents but not specifically
focused on preventing fraudulent wire transfers.

Executing regular phishing campaigns:Helps raise awareness but may not directly address the process
vulnerability.

Implementing insider threat detection measures:Useful for detecting malicious activities but does not
directly prevent fraudulent transfer instructions.

Question #:43

The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote
management interface. Which of the following would have most likely prevented this from happening'?

A. Using least privilege

B. Changing the default password

C. Assigning individual user IDs

D. Reviewing logs more frequently

Answer: B

Explanation

Updated Dumps | Pass 100% 27 of 159
Verified Questions and Answers CompTIA - SY0-701

Changing the default password for the local administrator account on a VPN appliance is a basic security
measure that would have most likely prevented the unexpected login to the remote management interface.
Default passwords are often easy to guess or publicly available, and attackers can use them to gain
unauthorized access to devices and systems. Changing the default password to a strong and unique one reduces
the risk of brute-force attacks and credential theft. Using least privilege, assigning individual user IDs, and
reviewing logs more frequently are also good security practices, but they are not as effective as changing the
default password in preventing the unexpected login. References: CompTIA Security+ Study Guide: Exam
SY0-701, 9th Edition, page 116; Local Admin Accounts - Security Risks and Best Practices (Part 1)

Question #:44

A company prevented direct access from the database administrators’ workstations to the network segment
that contains database servers. Which of the following should a database administrator use to access the
database servers?

A. Jump server

B. RADIUS

C. HSM

D. Load balancer

Answer: A

Explanation
A jump server is a device or virtual machine that acts as an intermediary between a user’s workstation and a
remote network segment. A jump server can be used to securely access servers or devices that are not directly
reachable from the user’s workstation, such as database servers. A jump server can also provide audit logs and
access control for the remote connections. A jump server is also known as a jump box or a jump host12.

RADIUS is a protocol for authentication, authorization, and accounting of network access. RADIUS is not a
device or a method to access remote servers, but rather a way to verify the identity and permissions of users or
devices that request network access34.

HSM is an acronym for Hardware Security Module, which is a physical device that provides secure storage
and generation of cryptographic keys. HSMs are used to protect sensitive data and applications, such as digital
signatures, encryption, and authentication. HSMs are not used to access remote servers, but rather to enhance
the security of the data and applications that reside on them5.

A load balancer is a device or software that distributes network traffic across multiple servers or devices,
based on criteria such as availability, performance, or capacity. A load balancer can improve the scalability,
reliability, and efficiency of network services, such as web servers, application servers, or database servers. A
load balancer is not used toaccess remote servers, but rather to optimize the delivery of the services that run on
them. References =

How to access a remote server using a jump host

Jump server

Updated Dumps | Pass 100% 28 of 159
Verified Questions and Answers CompTIA - SY0-701

RADIUS

Remote Authentication Dial-In User Service (RADIUS)

Hardware Security Module (HSM)

[What is an HSM?]

[Load balancing (computing)]

[What is Load Balancing?]

Question #:45

A company is expanding its threat surface program and allowing individuals to security test the company’s
internet-facing application. The company will compensate researchers based on the vulnerabilities discovered.
Which of the followingbestdescribes the program the company is setting up?

A. Open-source intelligence

B. Bug bounty

C. Red team

D. Penetration testing

Answer: B

Explanation
A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities in an
application or system. Bug bounties are often used by companies to improve their security posture and
incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and compensation for the
researchers. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam
SY0-701, 9th Edition, Chapter 1, page 10. CompTIA Security+ (SY0-701) Certification Exam Objectives,
Domain 1.1, page 2.

Question #:46

Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious
address?

A. VM escape

B. SQL injection

C. Buffer overflow

D. Race condition

Updated Dumps | Pass 100% 29 of 159
Verified Questions and Answers CompTIA - SY0-701

Answer: C

Explanation
A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than
it can hold, causing the excess data to overwrite adjacent memory locations. A register is a small storage area
in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to overwrite a
register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker
control over the system. By doing so, the attacker can bypass the normal execution flow of the application and
execute arbitrary commands.

References: CompTIA Security+ SY0-701 Certification Study Guide, Chapter 2: Threats, Attacks, and
Vulnerabilities, Section 2.3: Application Attacks, Page 76 1; Buffer Overflows - CompTIA Security+
SY0-701 - 2.3 2

Question #:47

Which of the following would most likely mitigate the impact of an extended power outage on a company's
environment?

A. Hot site

B. UPS

C. Snapshots

D. SOAR

Answer: B

Explanation
A UPS (Uninterruptible Power Supply) would most likely mitigate the impact of an extended power outage on
a company's environment. A UPS provides backup power and ensures that systems continue to run during
short-term power outages, giving enough time to perform an orderly shutdown or switch to a longer-term
power solution like a generator.

Hot site:A fully operational offsite data center that can be used if the primary site becomes unavailable.
It’s more suitable for disaster recovery rather than mitigating short-term power outages.

UPS:Provides immediate backup power, protecting against data loss and hardware damage during
power interruptions.

Snapshots:Used for data backup and recovery, not for power outage mitigation.

SOAR (Security Orchestration, Automation, and Response):A platform for automating security
operations, not related to power outage mitigation.

Question #:48

Updated Dumps | Pass 100% 30 of 159
Verified Questions and Answers CompTIA - SY0-701

Which of the following security concepts is being followed when implementing a product that offers
protection against DDoS attacks?

A. Availability

B. Non-repudiation

C. Integrity

D. Confidentiality

Answer: A

Explanation
When implementing a product that offers protection against Distributed Denial of Service (DDoS) attacks, the
security concept being followed is availability. DDoS protection ensures that systems and services remain
accessible to legitimate users even under attack, maintaining the availability of network resources.

Availability:Ensures that systems and services are accessible when needed, which is directly addressed
by DDoS protection.

Non-repudiation:Ensures that actions or transactions cannot be denied by the involved parties, typically
achieved through logging and digital signatures.

Integrity:Ensures that data is accurate and has not been tampered with.

Confidentiality:Ensures that information is accessible only to authorized individuals.

Question #:49

An organization’s internet-facing website was compromised when an attacker exploited a buffer overflow.
Which of the following should the organization deploy tobestprotect against similar attacks in the future?

A. NGFW

B. WAF

C. TLS

D. SD-WAN

Answer: B

Explanation
A buffer overflow is a type of software vulnerability that occurs when an application writes more data to a
memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. This can lead
to unexpected behavior, such as crashes, errors, or code execution. A buffer overflow can be exploited by an
attacker to inject malicious code or commands into the application, which can compromise the security and
functionality of the system. An organization’s internet-facing website was compromised when an attacker

Updated Dumps | Pass 100% 31 of 159
Verified Questions and Answers CompTIA - SY0-701

exploited a buffer overflow. To best protect against similar attacks in the future, the organization should
deploy a web application firewall (WAF). A WAF is a type of firewall that monitors and filters the traffic
between a web application and the internet. A WAF can detect and block common web attacks, such as buffer
overflows, SQL injections, cross-site scripting (XSS), and more. A WAF can also enforce security policies and
rules, such as input validation, output encoding, and encryption. A WAF can provide a layer of protection for
the web application, preventing attackers from exploiting its vulnerabilities and compromising its
data. References = Buffer Overflows – CompTIA Security+ SY0-701 – 2.3, Web Application Firewalls –
CompTIA Security+ SY0-701 –2.4, [CompTIA Security+ Study Guide with over 500 Practice Test Questions:
Exam SY0-701, 9th Edition]

Question #:50

An organization would like to calculate the time needed to resolve a hardware issue with a server. Which of
the following risk management processes describes this example?

A. Recovery point objective

B. Mean time between failures

C. Recovery time objective

D. Mean time to repair

Answer: D

Explanation
Mean time to repair (MTTR) describes the time needed to resolve a hardware issue with a server. MTTR is a
key metric in risk management and maintenance that measures the average time required to repair a failed
component or system and restore it to operational status.

Recovery point objective (RPO):Defines the maximum acceptable amount of data loss measured in
time. It is the point in time to which data must be restored after a disaster.

Mean time between failures (MTBF):Measures the average time between failures of a system or
component, indicating reliability.

Recovery time objective (RTO):Defines the maximum acceptable length of time to restore a system
after a disaster or disruption.

Mean time to repair (MTTR):Measures the average time required to repair a failed component or
system.

Question #:51

An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote
work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and
internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote
employee internet traffic. Which of the following will help achieve these objectives?

A. Deploying a SASE solution to remote employees

Updated Dumps | Pass 100% 32 of 159
Verified Questions and Answers CompTIA - SY0-701

B. Building a load-balanced VPN solution with redundant internet

C. Purchasing a low-cost SD-WAN solution for VPN traffic

D. Using a cloud provider to create additional VPN concentrators

Answer: A

Explanation
SASE stands for Secure Access Service Edge. It is a cloud-based service that combines network and security
functions into a single integrated solution. SASE can help reduce traffic on the VPN and internet circuit by
providing secure and optimized access to the data center and cloud applications for remote employees. SASE
can also monitor and enforce security policies on the remote employee internet traffic, regardless of their
location or device. SASE can offer benefits such as lower costs, improved performance, scalability, and
flexibility compared to traditional VPN solutions. References: CompTIA Security+ Study Guide: Exam
SY0-701, 9th Edition, page 457-458 1

Question #:52

Which of the following describes the process of concealing code or text inside a graphical image?

A. Symmetric encryption

B. Hashing

C. Data masking

D. Steganography

Answer: D

Explanation
Steganography is the process of hiding information within another medium, such as an image, audio, video, or
text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted
by using a specific technique or key. Steganography can be used for various purposes, such as concealing
secret messages, watermarking, or evading detection by antivirus software12

References:

1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 5: Cryptography and PKI, page
233 2: CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 5: Cryptography and PKI,
page 235

Question #:53

During a recent breach, employee credentials were compromised when a service desk employee issued an
MFA bypass code to an attacker who called and posed as an employee. Which of the following should be used

Updated Dumps | Pass 100% 33 of 159
Verified Questions and Answers CompTIA - SY0-701

to prevent this type of incident in the future?

A. Hardware token MFA

B. Biometrics

C. Identity proofing

D. Least privilege

Answer: C

Explanation
To prevent the issuance of an MFA bypass code to an attacker posing as an employee, implementing identity
proofing would be most effective. Identity proofing involves verifying the identity of individuals before
granting access or providing sensitive information.

Identity proofing:Ensures that the person requesting the MFA bypass is who they claim to be, thereby
preventing social engineering attacks where attackers pose as legitimate employees.

Hardware token MFA:Provides an additional factor for authentication but does not address verifying
the requester's identity.

Biometrics:Offers strong authentication based on physical characteristics but is not related to the
process of issuing MFA bypass codes.

Least privilege:Limits access rights for users to the bare minimum necessary to perform their work but
does not prevent social engineering attacks targeting the service desk.

Question #:54

Which of the following threat actors is themostlikely to use large financial resources to attack critical systems
located in other countries?

A. Insider

B. Unskilled attacker

C. Nation-state

D. Hacktivist

Answer: C

Explanation
A nation-state is a threat actor that is sponsored by a government or a political entity to conduct cyberattacks
against other countries or organizations. Nation-states have large financial resources, advanced technical skills,
and strategic objectives that may target critical systems such as military, energy, or
infrastructure. Nation-states are often motivated by espionage, sabotage, or warfare12. References = 1:

Updated Dumps | Pass 100% 34 of 159
Verified Questions and Answers CompTIA - SY0-701

CompTIA Security+ SY0-701 Certification Study Guide, page 542: Threat Actors – CompTIA Security+
SY0-701 – 2.1, video by Professor Messer.

Question #:55

Which of the following tools can assist with detecting an employee who has accidentally emailed a file
containing a customer’s PII?

A. SCAP

B. Net Flow

C. Antivirus

D. DLP

Answer: D

Explanation
DLP stands for Data Loss Prevention, which is a tool that can assist with detecting and preventing the
unauthorized transmission or leakage of sensitive data, such as a customer’s PII (Personally Identifiable
Information). DLP can monitor, filter, and block data in motion (such as emails), data at rest (such asfiles),
and data in use (such as applications). DLP can also alert the sender, the recipient, or the administrator of the
data breach, and apply remediation actions, such as encryption, quarantine, or deletion. DLP can help an
organization comply with data protection regulations, such as GDPR, HIPAA, or PCI DSS, and protect its
reputation and assets. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions:
Exam SY0-701, 9th Edition, Chapter 2, page 78. CompTIA Security+ SY0-701 Exam Objectives, Domain 2.5,
page 11.

Question #:56

A cyber operations team informs a security analyst about a new tactic malicious actors are using to
compromise networks.

SIEM alerts have not yet been configured. Which of the followingbestdescribes what the security analyst
should do to identify this behavior?

A. [Digital forensics

B. E-discovery

C. Incident response

D. Threat hunting

Answer: D

Explanation
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a

Updated Dumps | Pass 100% 35 of 159
Verified Questions and Answers CompTIA - SY0-701

network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help
identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or
stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of
skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat
intelligence, and incident response. Threat hunting can also help improve the security posture of an
organization by providing feedback and recommendations for security improvements. References = CompTIA
Security+ Certification Exam Objectives, Domain 4.1: Given a scenario, analyze potential indicators of
malicious activity. CompTIA Security+ Study Guide (SY0-701), Chapter 4: Threat Detection and Response,
page 153. Threat Hunting – SY0-701 CompTIA Security+ : 4.1, Video 3:18. CompTIA Security+ Certification
Exam SY0-701 Practice Test 1, Question 3.

Question #:57

A company's end users are reporting that they are unable to reach external websites. After reviewing the
performance data for the DNS severs, the analyst discovers that the CPU, disk, and memory usage are
minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of
DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?

A. Concurrent session usage

B. Secure DNS cryptographic downgrade

C. On-path resource consumption

D. Reflected denial of service

Answer: D

Explanation
A reflected denial of service (RDoS) attack is a type of DDoS attack that uses spoofed source IP addresses to
send requests to a third-party server, which then sends responses to the victim server. The attacker exploits the
difference in size between the request and the response, which can amplify the amount of traffic sent to the
victim server. The attacker also hides their identity by using the victim’s IP address as the source. A RDoS
attack can target DNS servers by sending forged DNS queries that generate large DNS responses. This can
flood the network interface of the DNS server and prevent it from serving legitimate requests from end
users. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 215-216 1

Question #:58

An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have
access to the administrator console of the help desk software. Which of the following security techniques is the
IT manager setting up?

A. Hardening

B. Employee monitoring

C. Configuration enforcement

D. Least privilege

Updated Dumps | Pass 100% 36 of 159
Verified Questions and Answers CompTIA - SY0-701

Answer: D

Explanation
The principle of least privilege is a security concept that limits access to resources to the minimum level
needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity best practice
that protects high-value data and assets from compromise or insider threat. Least privilege can be applied to
different abstraction layers of a computing environment, such as processes, systems, or connected devices.
However, it is rarely implemented in practice.

In this scenario, the IT manager is setting up the principle of least privilege by restricting access to the
administrator console of the help desk software to only two authorized users: the IT manager and the help desk
lead. This way, the IT manager can prevent unauthorized or accidental changes to the software configuration,
data, or functionality by other help desk staff. The other help desk staff will only have access to the normal
user interface of the software, which is sufficient for them to perform their job functions.

The other options are not correct. Hardening is the process of securing a system by reducing its surface of
vulnerability, such as by removing unnecessary software, changing default passwords, or disabling
unnecessary services. Employee monitoring is the surveillance of workers’ activity, such as by tracking web
browsing, application use, keystrokes, or screenshots. Configuration enforcement is the process of ensuring
that a system adheres to a predefined set of security settings, such as by applying a patch, a policy, or a
template.

References =

https://en.wikipedia.org/wiki/Principle_of_least_privilege

https://en.wikipedia.org/wiki/Principle_of_least_privilege

Question #:59

Which of the following risk management strategies should an enterprise adopt first if a legacy application is
critical to business operations and there are preventative controls that are not yet implemented?

A. Mitigate

B. Accept

C. Transfer

D. Avoid

Answer: A

Explanation
Mitigate is the risk management strategy that involves reducing the likelihood or impact of a risk. If a legacy
application is critical to business operations and there are preventative controls that are not yet implemented,
the enterprise should adopt the mitigate strategy first to address the existing vulnerabilities and gaps in the

Updated Dumps | Pass 100% 37 of 159
Verified Questions and Answers CompTIA - SY0-701

application. This could involve applying patches, updates, or configuration changes to the application, or
adding additional layers of security controls around the application. Accept, transfer, and avoid are other risk
management strategies, but they are not the best options for this scenario. Accept means acknowledging the
risk and accepting the consequences without taking any action. Transfer means shifting the risk to a third
party, such as an insurance company or a vendor. Avoid means eliminating the risk by removing the source or
changing the process. These strategies may not be feasible or desirable for a legacy application that is critical
to business operations and has no preventative controls in place. References: CompTIA Security+ Study
Guide: Exam SY0-701, 9th Edition, page 1221; A Risk-Based Framework for Legacy System Migration and
Deprecation2

Question #:60

A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of
ransomware-as-a-service in a report to the management team. Which of the following best describes the threat
actor in the CISO's report?

A. Insider threat

B. Hacktivist

C. Nation-state

D. Organized crime

Answer: D

Explanation
Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or services to
other criminals who use them to launch attacks and extort money from victims. This is a typical example of
organized crime, which is a group of criminals who work together to conduct illegal activities for
profit. Organized crime is different from other types of threat actors, such as insider threats, hacktivists, or
nation-states, who may have different motives, methods, or targets. References: CompTIA Security+ Study
Guide: Exam SY0-701, 9th Edition, page 17 1

Question #:61

A company's marketing department collects, modifies, and stores sensitive customer data. The infrastructure
team is responsible for securing the data while in transit and at rest. Which of the following data roles
describes the customer?

A. Processor

B. Custodian

C. Subject

D. Owner

Answer: C

Updated Dumps | Pass 100% 38 of 159
Verified Questions and Answers CompTIA - SY0-701

Explanation
According to the CompTIA Security+ SY0-701 Certification Study Guide, data subjects are the individuals
whose personal data is collected, processed, or stored by an organization. Data subjects have certain rights and
expectations regarding how their data is handled, such as the right to access, correct, delete, or restrict their
data. Data subjects are different from data owners, who are the individuals or entities that have the authority
and responsibility to determine how data is classified, protected, and used.Data subjects are also different from
data processors, who are the individuals or entities that perform operations on data on behalf of the data
owner, such as collecting, modifying, storing, or transmitting data. Data subjects are also different from data
custodians, who are the individuals or entities that implement the security controls and procedures specified by
the data owner to protect data while in transit and at rest.

ReferencesCompTIA Security+ SY0-701 Certification Study Guide, Chapter 2: Data Security, page 511

Question #:62

A systems administrator is configuring a site-to-site VPN between two branch offices. Some of the settings
have already been configured correctly. The systems administrator has been provided the following
requirements as part of completing the configuration:

Most secure algorithms should be selected

All traffic should be encrypted over the VPN

A secret password will be used to authenticate the two VPN concentrators

Updated Dumps | Pass 100% 39 of 159
Verified Questions and Answers CompTIA - SY0-701

Updated Dumps | Pass 100% 40 of 159
Verified Questions and Answers CompTIA - SY0-701

Updated Dumps | Pass 100% 41 of 159
Verified Questions and Answers CompTIA - SY0-701

Updated Dumps | Pass 100% 42 of 159
Verified Questions and Answers CompTIA - SY0-701

See the Explanation part for all the Solution.

Explanation
To configure the site-to-site VPN between the two branch offices according to the provided requirements, here
are the detailed steps and settings that need to be applied to the VPN concentrators:

Most secure algorithms should be selected.

All traffic should be encrypted over the VPN.

A secret password will be used to authenticate the two VPN concentrators.

Peer IP address:5.5.5.10 (The IP address of VPN Concentrator 2)

Auth method:PSK (Pre-Shared Key)

Negotiation mode:MAIN

Encryption algorithm:AES256

Hash algorithm:SHA256

DH key group:14

Updated Dumps | Pass 100% 43 of 159
Verified Questions and Answers CompTIA - SY0-701

Mode:Tunnel

Protocol:ESP (Encapsulating Security Payload)

Encryption algorithm:AES256

Hash algorithm:SHA256

Local network/mask:192.168.1.0/24

Remote network/mask:192.168.2.0/24

Peer IP address:5.5.5.5 (The IP address of VPN Concentrator 1)

Auth method:PSK (Pre-Shared Key)

Negotiation mode:MAIN

Encryption algorithm:AES256

Hash algorithm:SHA256

DH key group:14

Mode:Tunnel

Protocol:ESP (Encapsulating Security Payload)

Encryption algorithm:AES256

Hash algorithm:SHA256

Local network/mask:192.168.2.0/24

Remote network/mask:192.168.1.0/24

Peer IP Address:Set to the IP address of the remote VPN concentrator.

Auth Method:PSK for using a pre-shared key.

Negotiation Mode:MAIN for the initial setup.

Encryption Algorithm:AES256, which is a strong and secure algorithm.

Hash Algorithm:SHA256, which provides strong hashing.

DH Key Group:14 for strong Diffie-Hellman key exchange.

Phase 2 Protocol:ESP for encryption and integrity.

Updated Dumps | Pass 100% 44 of 159
Verified Questions and Answers CompTIA - SY0-701

Local and Remote Networks:Properly configure the local and remote network addresses to match each
branch office subnet.

Requirements:VPN Concentrator 1 Configuration:Phase 1:Phase 2:VPN Concentrator 2 Configuration:Phase
1:Phase 2:Summary:By configuring these settings on both VPN concentrators, the site-to-site VPN will meet
the requirements for strong security algorithms, encryption of all traffic, and authentication using a pre-shared
key.

Question #:63

A company is working with a vendor to perform a penetration test Which of the following includes an estimate
about the number of hours required to complete the enga