CompTIA Security+ Certification Exam SY0-701 V14.35 PDF

Summary

This document is a sample of past CompTIA Security+ certification exam questions and answers.

Full Transcript


IT Certification Guaranteed, The Easy Way!
Exam: SY0-701
Title: CompTIA Security+ Certification Exam
Vendor: CompTIA
Version: V14.35

NO.1 Which of the following must be considered when designing a high-availability network? (Select two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: A, E
Explanation:
A high-availability network is designed to minimize downtime and keep critical services and applications running. Two factors must be designed in from the start: ease of recovery and attack surface.
Ease of recovery is how quickly the network can return to normal operation after a failure, disruption, or disaster. A high-availability design uses redundancy, failover, backup, and restore so that no single point of failure causes a complete outage, and it is backed by incident response, disaster recovery, and business continuity procedures that limit the impact of any outage on the organization's operations and reputation.
Attack surface is the network's exposure to threats and vulnerabilities. Availability is a security property: a network that can be taken down by a denial-of-service attack or an unpatched remote exploit is not highly available, however redundant it is. The design should therefore minimize exposed services and apply controls such as encryption, authentication, authorization, firewalls, intrusion detection and prevention, and patch management, and it should be validated through risk assessment, threat intelligence, vulnerability scanning, and penetration testing.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Architecture and Design, pages 164-165.
CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4: Architecture and Design, pages 164-165.

NO.2 A company needs to provide administrative access to internal resources while minimizing the traffic allowed through the security boundary. Which of the following methods is most secure?
A. Implementing a bastion host
B. Deploying a perimeter network
C. Installing a WAF
D. Utilizing single sign-on
Answer: A
Explanation:
A bastion host is a special-purpose, hardened server placed at the edge of a network that acts as the sole gateway (or proxy) for administrative access to the internal network. It is configured to accept only the traffic it exists to relay, typically SSH or a similar administrative protocol, and to block everything else; it runs a host firewall, intrusion detection, and anti-malware, requires strong (ideally multifactor) authentication, encrypts sessions, and logs every session for audit.
A bastion host is the most secure of the given options because it minimizes the traffic allowed through the security boundary and gives a single point of control and defense, so internal hosts are never directly exposed to the internet or other untrusted networks. A perimeter network (DMZ) segments exposed services but does not by itself restrict administrative access; a WAF filters HTTP traffic to web applications rather than administrative protocols; single sign-on simplifies authentication but opens no path through the boundary at all. Because the bastion concentrates risk, it must be patched promptly and monitored closely: compromise of the bastion is compromise of the path into everything behind it.

NO.3 A company is discarding a classified storage array and hires an outside vendor to complete the disposal. Which of the following should the company request from the vendor?
A. Certification
B. Inventory list
C. Classification
D. Proof of ownership
Answer: A
Explanation:
The company should request a certificate of destruction from the vendor confirming that the storage array was disposed of securely and in compliance with the company's policies and standards. The certificate is evidence that the vendor followed approved procedures to destroy the classified data so it cannot be recovered, and it typically records the date, time, location, and method of disposal (for example degaussing, shredding, or cryptographic erase) together with the device serial numbers and the names and signatures of the personnel involved.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 144.

NO.4 A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?
A. Private
B. Critical
C. Sensitive
D. Public
Answer: C
Explanation:
Patient data in a hospital setting falls under the sensitive classification. Sensitive data requires a higher level of protection because of its confidentiality, integrity, and availability requirements. Medical records, diagnoses, treatments, and the associated personal information are sensitive and must be handled accordingly to comply with privacy regulations such as HIPAA (Health Insurance Portability and Accountability Act) in the United States or equivalent regulations in other countries.

NO.5 Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?
A. IDS
B. ACL
C. EDR
D. NAC
Answer: C
Explanation:
Endpoint detection and response (EDR) monitors and analyzes the activity and behavior of endpoints such as computers, laptops, mobile devices, and servers.
EDR detects and prevents malicious software such as viruses, malware, and Trojans from infecting endpoints and spreading across the network, and it provides the visibility and response capabilities (isolating a host, killing a process, collecting forensic artifacts) needed to contain and remediate a threat. EDR differs from an IDS, which is a network-based technology that monitors and alerts on traffic anomalies; from an ACL, which is a list of rules controlling access to network resources; and from NAC, which enforces network admission policies on devices based on their identity and compliance status.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 256.

NO.6 During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request?
A. access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32
Answer: B
Explanation:
Reading the rule token by token:
"access-list inbound" applies the rule to the inbound access list, i.e. traffic entering the organization's network.
"deny" drops traffic matching the rule.
"ig" is not defined in the question. In Cisco-style ACL syntax this position holds the protocol keyword (ip, tcp, udp), so "ig" is most likely a transcription of "ip", meaning the rule matches all IP traffic regardless of protocol or port.
"source 10.1.4.9/32" matches traffic whose source is the malicious host; the /32 mask selects a single address.
"destination 0.0.0.0/0" matches any destination inside the organization.
Option A has source and destination reversed: it would block traffic sent to 10.1.4.9, not traffic coming from it. Options C and D permit rather than deny. Because ACLs are evaluated top down with the first match winning, the new deny must also be placed above any broader permit rule or it will never be reached.
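To make the rule semantics concrete, the following Python is an added example written for this page (it is not exam material and does not reproduce any vendor's ACL syntax). It models rules as source/destination CIDR plus an optional destination port and evaluates them top down with an implicit deny, the way firewalls do. It loads the candidate rule sets from NO.6 and from the outbound DNS question NO.16 below so the wrong options can be seen failing. The test traffic addresses are constructed from documentation ranges, and the trailing permit in the NO.6 sets is an assumed stand-in for the organization's existing allow rules.

```python
"""First-match evaluation of simple firewall ACLs (added example).

Models the rule sets from NO.6 and NO.16 and shows why rule order and
source/destination placement decide what actually gets blocked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR; 0.0.0.0/0 matches any address
    dst: str                    # destination CIDR
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return self.port is None or self.port == dst_port


def evaluate(rules: Sequence[Rule], src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Walk the ACL top to bottom and return the first matching action.

    As on real firewalls, traffic that matches no rule hits the implicit deny.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "deny"


# NO.6 -- block a single malicious source. The trailing permit is an assumed
# stand-in for the organization's existing allow rules the new deny sits above.
EXISTING_ALLOW = Rule("permit", "0.0.0.0/0", "0.0.0.0/0")
NO6_OPTION_A = [Rule("deny", "0.0.0.0/0", "10.1.4.9/32"), EXISTING_ALLOW]  # src/dst reversed
NO6_OPTION_B = [Rule("deny", "10.1.4.9/32", "0.0.0.0/0"), EXISTING_ALLOW]  # correct

# NO.16 -- only 10.50.10.25 may send DNS (port 53) outbound.
NO16_OPTION_A = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", 53),
                 Rule("deny", "10.50.10.25/32", "0.0.0.0/0", 53)]   # deny is shadowed
NO16_OPTION_D = [Rule("permit", "10.50.10.25/32", "0.0.0.0/0", 53),
                 Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 53)]         # correct

# Constructed test traffic (documentation address ranges, plus the question's hosts).
ATTACKER, OTHER_EXTERNAL, INTERNAL_SERVER = "10.1.4.9", "198.51.100.7", "192.0.2.10"
RESOLVER, OTHER_HOST, DNS_SERVER = "10.50.10.25", "10.50.10.99", "203.0.113.53"


def compare_option_sets() -> dict:
    """Return what each candidate ACL does to the traffic the questions care about."""
    return {
        "no6_A_blocks_attacker": evaluate(NO6_OPTION_A, ATTACKER, INTERNAL_SERVER) == "deny",
        "no6_B_blocks_attacker": evaluate(NO6_OPTION_B, ATTACKER, INTERNAL_SERVER) == "deny",
        "no6_B_allows_others": evaluate(NO6_OPTION_B, OTHER_EXTERNAL, INTERNAL_SERVER) == "permit",
        "no16_A_blocks_other_host_dns": evaluate(NO16_OPTION_A, OTHER_HOST, DNS_SERVER, 53) == "deny",
        "no16_D_allows_resolver_dns": evaluate(NO16_OPTION_D, RESOLVER, DNS_SERVER, 53) == "permit",
        "no16_D_blocks_other_host_dns": evaluate(NO16_OPTION_D, OTHER_HOST, DNS_SERVER, 53) == "deny",
    }


if __name__ == "__main__":
    for name, result in compare_option_sets().items():
        print(f"{name}: {result}")
```

Run it as a script to see each option's verdict. The two failure modes it exposes are exactly the ones the exam tests: a rule with source and destination reversed matches the wrong direction of traffic, and a deny placed below a broader permit is never reached.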
NO.7 During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?
A. Analysis
B. Lessons learned
C. Detection
D. Containment
Answer: A
Explanation:
Analysis is the incident response activity in which the team works out the source of an incident: collecting and examining evidence, identifying the root cause, determining scope and impact, and assessing the threat actor's motives and capabilities. Analysis informs the response strategy and helps prevent or mitigate future incidents. In the Security+ incident response process it follows detection and precedes containment, eradication, recovery, and lessons learned; in practice analysis continues alongside containment, since new findings frequently widen the scope.
References: CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13.

NO.8 A network manager wants to protect the company's VPN by implementing multifactor authentication that uses:
* Something you know
* Something you have
* Something you are
Which of the following would accomplish the manager's goal?
A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, facial structure
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address
Answer: C
Explanation:
Password, authentication token, and thumbprint cover the three factor categories the manager asked for.
* Something you know relies on the user's knowledge of a secret or personal information, such as a password, a PIN, or a security question.
A password is the usual example of something you know used to access a VPN.
* Something you have relies on the user's possession of a physical object or device, such as a smart card, a hardware token, or a smartphone. An authentication token that generates a one-time password (OTP) is the usual example used with a VPN.
* Something you are relies on a biometric characteristic, such as a fingerprint, face, or iris. A thumbprint is the usual example: the scanner verifies the user's identity before VPN access is granted.

NO.9 Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified?
A. Automation
B. Compliance checklist
C. Attestation
D. Manual audit
Answer: A
Explanation:
Automation is the best way to determine consistently, every day, whether security settings on servers have changed. Automation uses software, hardware, or other tools to perform tasks that would otherwise need human effort, improving the efficiency, accuracy, and consistency of security operations while reducing human error and cost. Automated jobs can monitor, audit, and enforce server security settings such as firewall rules, encryption keys, access controls, patch levels, and configuration files, compare them against a known-good baseline, and alert security personnel to any drift that may indicate a breach or compromise.
The other options do not consistently determine on a daily basis whether server security settings have changed:
* Compliance checklist: a document listing the security requirements, standards, or best practices an organization must follow. It helps confirm that server settings align with policy and regulation, but it does not itself detect or report changes as they happen.
* Attestation: the process of verifying or confirming the validity or accuracy of a statement, claim, or fact. It gives point-in-time assurance that server settings are correct and authorized, but it does not continuously monitor for modification.
* Manual audit: human inspectors or auditors reviewing server settings. It can identify and correct discrepancies, but it is time-consuming, labor-intensive, and error-prone, and it is impractical to repeat every day across a server estate.

NO.10 A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.)
A. If a security incident occurs on the device, the correct employee can be notified.
B. The security team will be able to send user awareness training to the appropriate device.
C. Users can be mapped to their devices when configuring software MFA tokens.
D. User-based firewall policies can be correctly targeted to the appropriate laptops.
E. When conducting penetration testing, the security team will be able to target the desired laptops.
F. Company data can be accounted for when the employee leaves the organization.
Answer: A, F
Explanation:
Labeling laptops with asset inventory stickers and associating them with employee IDs provides two of the listed security benefits:
* A: If a security incident occurs on the device, the correct employee can be notified. An asset sticker carries a unique identifier (serial number, barcode, or QR code). Mapping that identifier to an employee ID lets the security team locate the owner of a laptop involved in a malware infection, data breach, or theft and give that person the right instructions, such as changing passwords, running a scan, or filing a loss report, which helps contain the incident and limit the damage.
* F: Company data can be accounted for when the employee leaves the organization. At offboarding the company must recover or erase the company data and assets on the employee's laptop. The asset-to-employee mapping identifies exactly which device belongs to the departing employee so it can be collected and backed up, wiped, or reassigned, protecting company data from access or misuse by the former employee or anyone else.
The other options describe outcomes that depend on directory, device management, or network controls rather than on a physical inventory label.

NO.11 A user is attempting to patch a critical system, but the patch fails to transfer. Which of the following access controls is most likely inhibiting the transfer?
A. Attribute-based
B. Time of day
C. Role-based
D. Least privilege
Answer: D
Explanation:
The principle of least privilege states that users and processes should have only the minimum level of access required to perform their tasks, which prevents unauthorized or unnecessary actions that could compromise security. Here the transfer most likely fails because the user's account or the patching process lacks the permissions needed to write to the critical system or to reach the network resources the transfer uses. The fix is not to grant broad rights but to give the patching account exactly the access the task requires, for example write permission to the patch staging location, for the duration of the maintenance window.

NO.12 An organization's internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future?
A. NGFW
B. WAF
C. TLS
D. SD-WAN
Answer: B
Explanation:
A buffer overflow occurs when an application writes more data to a memory buffer than the buffer can hold, so the excess overwrites adjacent memory. The result can be a crash, corrupted data, or, when the attacker controls the overwritten bytes, execution of attacker-supplied code. Against an internet-facing website the best of the listed defenses is a web application firewall (WAF), which sits between the web application and the internet, inspects HTTP requests and responses, and blocks common web attacks such as oversized or malformed inputs that trigger buffer overflows, SQL injection, and cross-site scripting (XSS).
A WAF can also enforce security policies such as input validation rules, output encoding, and TLS, adding a layer of protection in front of the application. A WAF is a compensating control, not a root-cause fix: the code that overflows must still be patched (and built with bounds checking, stack protection, ASLR, and non-executable memory), because a WAF can only block the request patterns it recognizes. An NGFW filters at the network and transport layers and lacks insight into HTTP payloads; TLS encrypts traffic but does not inspect it; SD-WAN is a connectivity technology.
References: Buffer Overflows - CompTIA Security+ SY0-701 - 2.3; Web Application Firewalls - CompTIA Security+ SY0-701 - 2.4; CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition.

NO.13 A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal?
A. Logging all NetFlow traffic into a SIEM
B. Deploying network traffic sensors on the same subnet as the servers
C. Logging endpoint and OS-specific security logs
D. Enabling full packet capture for traffic entering and exiting the servers
Answer: D
Explanation:
Full packet capture records every packet passing a capture point such as a router, firewall, or tap. Because the company already decrypts SSL/TLS, the captured HTTP payloads are readable, so a SQL injection string in a request parameter is visible in the payload itself, along with the source, destination, timing, and the server's response. NetFlow records only flow metadata (addresses, ports, byte counts) and cannot show the injected query; a network sensor on the server subnet alerts on what its signatures recognize but does not retain the traffic for later investigation; endpoint and OS logs show the effect on the host but not the full request. Full packet capture is storage-intensive and, since it holds decrypted traffic, the capture store itself needs strict access control and retention limits.

NO.14 A systems administrator is working on a solution with the following requirements:
* Provide a secure zone.
* Enforce a company-wide access control policy.
* Reduce the scope of threats.
Which of the following is the systems administrator setting up?
A. Zero Trust
B. AAA
C. Non-repudiation
D. CIA
Answer: A
Explanation:
Zero Trust is a security model in which nothing inside or outside the perimeter is trusted by default: every user, device, and connection is verified before access is granted, and access is granted narrowly and re-evaluated continuously. Strict, policy-driven access control creates secure zones within the network and reduces the scope of threats, since a compromised host or account cannot freely reach other resources. AAA (authentication, authorization, accounting) is a component Zero Trust relies on, not the overall design; non-repudiation and the CIA triad are security properties, not architectures.

NO.15 An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users' passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?
A. Multifactor authentication
B. Permissions assignment
C. Access management
D. Password complexity
Answer: A
Explanation:
Multifactor authentication (MFA) verifies identity with more than one factor: something the user knows (password), something the user has (token), or something the user is (biometric). The logins from unfamiliar IP addresses show that the attacker already holds valid passwords, so stronger complexity rules would not have helped; with MFA the stolen password alone is not enough to log in. Permissions assignment and access management control what an authenticated account may do, not whether the attacker can authenticate. Resetting passwords treats the symptom; MFA treats the root cause, which is single-factor authentication.

NO.16 An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Answer: D
Explanation:
A firewall ACL (access control list) is an ordered set of rules that determines which traffic the firewall allows or denies. Rules are processed top to bottom and the first match wins. In the notation used here each rule reads: Access list <direction> <action> <source> <destination> port <port>.
To limit outbound DNS to a single device, the ACL must permit DNS from 10.50.10.25 to any destination on port 53 and then deny all other outbound traffic on port 53:
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
The first rule permits traffic from the single host 10.50.10.25/32 to any destination (0.0.0.0/0) on port 53 (DNS); the second denies all other outbound port 53 traffic. Order matters: in options A and C the broad permit comes first, so every host matches it and the deny beneath is never reached; option B permits traffic to 10.50.10.25 rather than from it. Note that this controls only port 53: a complete egress policy also blocks DNS over TLS (port 853) and forces DNS over HTTPS through an inspected proxy, since both carry DNS past a port-53 rule.

NO.17 Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?
A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit
Answer: B
Explanation:
Employees in the research and development (R&D) business unit are most likely to work with intellectual property on a day-to-day basis.
Intellectual property covers creations of the mind, such as inventions, designs, processes, formulas, and research findings, that can be legally protected and that give the company its competitive advantage. R&D staff create, refine, and manage this material every day, which is why they receive extensive training on protecting it. The other options describe states or protections of data (encrypted, in transit) or a criticality rating rather than the type of data R&D handles.

NO.18 A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system?
A. Default credentials
B. Non-segmented network
C. Supply chain vendor
D. Vulnerable software
Answer: C
Explanation:
A supply chain vendor is a third party that provides goods or services to the organization; a SaaS provider is one. The vendor's security posture becomes part of the organization's own: poor practices, a breach, or a compromise at the provider can affect the confidentiality, integrity, or availability of the new system and its data, and the firewall ports being opened give the provider a path into the environment. The organization should perform due diligence on the vendor, establish a service level agreement and security requirements in the contract, and keep the opened ports restricted to the provider's documented addresses and protocols. The other options are general risks that could apply to any system and are not specific to the SaaS scenario.

NO.19 An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives?
A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators
Answer: A
Explanation:
SASE stands for Secure Access Service Edge.
It is a cloud-delivered service that combines networking and security functions (secure web gateway, cloud access security broker, firewall as a service, and Zero Trust network access) into one integrated solution. Remote employees connect to the nearest SASE point of presence, which inspects and filters their internet traffic and tunnels only the data-center-bound traffic back to the organization, so the on-premises VPN concentrator and internet circuit no longer carry all remote traffic. SASE also monitors and enforces security policy on remote employees' internet traffic regardless of location or device. Options B and D add VPN capacity but still backhaul all traffic through the organization's own infrastructure; SD-WAN optimizes site-to-site connectivity rather than remote-user access.

NO.20 An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a "page not found" error message. Which of the following types of social engineering attacks occurred?
A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing
Answer: D
Explanation:
Phishing is a social engineering attack that uses fraudulent emails appearing to come from legitimate sources, such as payment websites or banks, to trick recipients into clicking malicious links, opening malicious attachments, or giving up sensitive information such as log-in credentials, personal data, or financial details. Here the email posed as a payment website and asked the employee to update contact information; the link led to a fake site mimicking the real one, and the "page not found" error after the credentials were submitted is a common sign that the page existed only to harvest them. The employee's payment-site credentials should be treated as compromised and changed, and the incident reported.

NO.21 Which of the following vulnerabilities is associated with installing software outside of a manufacturer's approved software repository?
A. Jailbreaking
B. Memory injection
C. Resource reuse
D. Side loading
Answer: D
Explanation:
Side loading is installing software from outside the manufacturer's approved repository or app store. It exposes the device to malware, spyware, and unauthorized access because the software bypasses the vetting, signing, and policy controls enforced by the manufacturer or the organization. Users typically side load to get applications or features not available or not allowed on their devices. Jailbreaking removes the operating system's restrictions altogether and is often the step that makes side loading possible, but it is not the act of installing the software itself.

NO.22 A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider?
A. Clustering servers
B. Geographic dispersion
C. Load balancers
D. Off-site backups
Answer: B
Explanation:
Geographic dispersion distributes servers or data centers across different geographic locations far enough apart that one weather event cannot affect them all. It mitigates the risk of a storm, flood, or other regional event taking the server room and its services down, and it improves availability and resilience by providing failover to another site. Clustering and load balancing within the single server room fail together when that room is damaged; off-site backups preserve the data but do not keep services running, since restoring from backup onto new hardware takes far longer than failing over to a live second site.

NO.23 After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists
Answer: D
Explanation:
Access control lists (ACLs) on the file server specify which users or groups may access which files and folders, and with what permissions. They restrict access to the confidential data directly, by granting or denying permissions based on the identity or group membership of the user.
In this case the administrator can edit the ACL on the confidential share or folder to remove the broad entry (such as Everyone or Authenticated Users) and grant access only to the authorized group, which takes effect immediately. Group Policy can eventually push such permissions but is slower and indirect; content filtering and data loss prevention inspect data as it moves rather than controlling who can open it.

NO.24 A company is working with a vendor to perform a penetration test. Which of the following includes an estimate about the number of hours required to complete the engagement?
A. SOW
B. BPA
C. SLA
D. NDA
Answer: A
Explanation:
A statement of work (SOW) defines the scope, objectives, deliverables, timeline, and costs of a project or service, and it typically includes an estimate of the hours required along with the roles and responsibilities of each party. For a penetration test the SOW also fixes what is in and out of scope and the testing window, so client and vendor share a clear understanding of what will be done and how. A BPA governs a broader business partnership, an SLA sets service performance targets, and an NDA protects confidential information; none of them estimates effort.

NO.25 A systems administrator receives the following alert from a file integrity monitoring tool: The hash of the cmd.exe file has changed. The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.
Answer: D
Explanation:
A rootkit is malware that modifies or replaces system files or processes to hide its presence and activity. Replacing cmd.exe, the Windows command-line interpreter, with a trojanized copy changes the file's content and therefore its hash, which is exactly what file integrity monitoring is designed to catch. With no patch or legitimate update in the last two months, there is no benign explanation for the change. Changing permissions (A) alters metadata, not content, so the hash would be unchanged; a collision (B) would mean two different files hashing to the same value, the opposite of what was observed; a snapshot (C) reads files without modifying them. A rootkit can also give the attacker remote access and control of the system, steal data, install backdoors, or launch attacks on other systems.
Rootkits are among the hardest malware to remove: kernel-mode rootkits survive reboots, and firmware or bootkit variants can persist even through an OS reinstall, so the compromised host should be rebuilt from trusted media and the FIM baseline re-established from a known-good source.

NO.26 Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?
A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps
Answer: A
Explanation:
A compensating control is a security measure put in place to mitigate a vulnerability or weakness that the primary control cannot resolve. It does not remove the weakness, but it reduces the likelihood or impact of its exploitation. A legacy Linux system may no longer receive security updates and may carry known, unpatchable vulnerabilities; a host-based firewall that accepts connections only from specific internal addresses compensates for that by limiting which hosts can reach the vulnerable services at all. Network segmentation (B) would be the term if the restriction were enforced by network devices between zones; here it is enforced on the host itself.

NO.27 Which of the following is required for an organization to properly manage its restore process in the event of system failure?
A. IRP
B. DRP
C. RPO
D. SDLC
Answer: B
Explanation:
A disaster recovery plan (DRP) is the set of policies and procedures for restoring normal operations after a system failure, natural disaster, or other emergency. It defines what is restored, in what order, by whom, and from which backups or alternate sites. An RPO (recovery point objective) is a single target the DRP must meet, not the plan itself; an IRP covers the handling of security incidents; the SDLC governs software development.
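The daily check in NO.9 and the alert in NO.25 are the same mechanism: hash everything of interest, compare against a stored baseline, and report drift. The following Python is an added example written for this page (not the exam's code and not any FIM product's). It walks a directory tree, hashes every file with SHA-256, stores the result as a JSON baseline and reports modified, added and removed files on the next run; the demo reproduces the cmd.exe scenario in a temporary directory with constructed stand-in files, and the paths and file contents are assumptions.

```python
"""File integrity baseline and drift check (added example for NO.9 and NO.25)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_hash(path: Path, algo: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Stream the file through the hash so large binaries never load whole into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_hash(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report drift between two snapshots; an all-empty report means nothing changed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_baseline(snap: Dict[str, str], path: Path) -> None:
    # In production keep the baseline off the monitored host (or signed): a
    # rootkit on the same box can rewrite the baseline as easily as cmd.exe.
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Reproduce the NO.25 scenario with constructed files and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"          # assumed layout, stand-in for a real system root
        sys32 = root / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "cmd.exe").write_bytes(b"MZ stand-in for the original interpreter")
        (sys32 / "notepad.exe").write_bytes(b"MZ stand-in for notepad")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)  # day 1: record known-good hashes

        # Between two daily runs, with no patch applied, a rootkit replaces
        # cmd.exe and drops a new driver (constructed bytes, not real malware).
        (sys32 / "cmd.exe").write_bytes(b"MZ stand-in for a trojanized interpreter")
        (sys32 / "drivers").mkdir()
        (sys32 / "drivers" / "rk.sys").write_bytes(b"MZ stand-in for a rootkit driver")

        return compare(load_baseline(baseline_file), snapshot(root))  # day 2: detect drift


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Schedule `snapshot` plus `compare` daily and alert on any non-empty report; a changed hash with no corresponding patch or change ticket is the NO.25 alert. The baseline and the hashing tool must live where the monitored host cannot alter them (a read-only or remote store, or a signed file), otherwise a rootkit simply updates the baseline to match.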
NO.28 A security analyst receives alerts about an internal system sending a large number of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring?
A. A worm is propagating across the network.
B. Data is being exfiltrated.
C. A logic bomb is deleting data.
D. Ransomware is encrypting files.
Answer: B
Explanation: Data exfiltration over DNS is a technique that attackers use to steal sensitive data from a target system or network by encoding it in DNS queries and responses. This method is often used in advanced persistent threat (APT) attacks, in which attackers seek to persistently evade detection in the target environment. A large number of unusual DNS queries to systems on the internet over short periods of time during non-business hours is a strong indicator of data exfiltration.

NO.29 Which of the following security concepts is the best reason for permissions on a human resources fileshare to follow the principle of least privilege?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C
Explanation: Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure.

NO.30 A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports. Which of the following vulnerabilities has likely been exploited in this software?
A. Memory injection
B. Race condition
C. Side loading
D. SQL injection
Answer: A
Explanation: Memory injection vulnerabilities allow unauthorized code or commands to be executed within a software program, leading to abnormal behavior such as generating outbound traffic over random high ports. This issue often arises from software not properly validating or encoding input, which attackers can exploit to inject malicious code.

NO.31 Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two).
A. Channels by which the organization communicates with customers
B. The reporting mechanisms for ethics violations
C. Threat vectors based on the industry in which the organization operates
D. Secure software development training for all personnel
E. Cadence and duration of training events
F. Retraining requirements for individuals who fail phishing simulations
Answer: C E
Explanation: A training curriculum plan for a security awareness program should address the following factors:
* The threat vectors based on the industry in which the organization operates. This will help the employees understand the specific risks and challenges that their organization faces, and how to protect themselves and the organization from cyberattacks. For example, a healthcare organization may face different threat vectors than a financial organization, such as ransomware, data breaches, or medical device hacking.
* The cadence and duration of training events. This will help the employees retain the information and skills they learn, and keep up with the changing security landscape. The training events should be frequent enough to reinforce the key concepts and behaviors, but neither so long nor so short that they lose the attention or interest of the employees. For example, a security awareness program may include monthly newsletters, quarterly webinars, annual workshops, or periodic quizzes.

NO.32 Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
A. Risk tolerance
B. Risk transfer
C. Risk register
D. Risk analysis
Answer: C
Explanation: A risk register is a document that records and tracks the risks associated with a project, system, or organization. A risk register typically includes information such as the risk description, the risk owner, the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A risk register can help identify, assess, prioritize, monitor, and control risks, as well as communicate them to relevant stakeholders. A risk register can also help document the risk tolerance and thresholds of an organization, which are the acceptable levels of risk exposure and the criteria for escalating or mitigating risks.

NO.33 A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?
A. Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting
Answer: D
Explanation: Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat intelligence, and incident response.

Answer:

NO.35 A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization.
The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?
A. Packet captures
B. Vulnerability scans
C. Metadata
D. Dashboard
Answer: D
Explanation: A dashboard is a graphical user interface that provides a visual representation of key performance indicators, metrics, and trends related to security events and incidents. A dashboard can help the board of directors understand the number and impact of incidents that affected the organization in a given period, as well as the status and effectiveness of the security controls and processes. A dashboard can also allow the board of directors to drill down into specific details or filter the data by various criteria.

NO.36 A systems administrator wants to prevent users from being able to access data based on their responsibilities. The administrator also wants to apply the required access structure via a simplified format. Which of the following should the administrator apply to the site recovery resource group?
A. RBAC
B. ACL
C. SAML
D. GPO
Answer: A
Explanation: RBAC stands for Role-Based Access Control, which is a method of restricting access to data and resources based on the roles or responsibilities of users. Job / Task / Function

NO.37 Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?
A. Hacktivist
B. Whistleblower
C. Organized crime
D. Unskilled attacker
Answer: C
Explanation: Organized crime is a type of threat actor that is motivated by financial gain and often operates across national borders. Organized crime groups may be hired by foreign governments to conduct cyberattacks on critical systems located in other countries, such as power grids, military networks, or financial institutions.
Should be APTs

NO.38 Which of the following is a primary security concern for a company setting up a BYOD program?
A. End of life
B. Buffer overflow
C. VM escape
D. Jailbreaking
Answer: D
Explanation: Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device) program. Jailbreaking is the process of removing the manufacturer's or the carrier's restrictions on a device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of service of the device, and make it incompatible with the company's security policies and standards. Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device compliance and encryption.

NO.39 A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file's creator. Which of the following actions would most likely give the security analyst the information required?
A. Obtain the file's SHA-256 hash.
B. Use hexdump on the file's contents.
C. Check endpoint logs.
D. Query the file's metadata.
Answer: D
Explanation: Metadata is data that describes other data, such as its format, origin, creation date, author, and other attributes.

NO.40 A security administrator would like to protect data on employees' laptops. Which of the following encryption techniques should the security administrator use?
A. Partition
B. Asymmetric
C. Full disk
D. Database
Answer: C
Explanation: Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the operating system, applications, and files. FDE protects the data from unauthorized access in case the laptop is lost, stolen, or disposed of without proper sanitization.

NO.41 Which of the following must be considered when designing a high-availability network? (Choose two).
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Answer: A E
Explanation:
A. Ease of recovery: High-availability networks should be designed with redundancy and failover mechanisms to minimize downtime in the event of failures. Ease of recovery refers to how quickly and efficiently the network can be restored to normal operation following a failure.
E. Attack surface: High-availability networks should be designed to minimize the attack surface, which is the sum of all possible points where an attacker can try to enter or extract data from a system. By reducing the attack surface, the network becomes more resilient to potential security threats and less susceptible to downtime caused by malicious activity.

NO.42 Which of the following can best protect against an employee inadvertently installing malware on a company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Answer: D
Explanation: An application allow list is a security technique that specifies which applications are authorized to run on a system and blocks all other applications. An application allow list can best protect against an employee inadvertently installing malware on a company system because it prevents the execution of any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or spyware. An application allow list can also reduce the attack surface and improve the performance of the system.

NO.43 A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?
