MesserPracticeExams701.pdf

Full Transcript

 Professor Messer’s
CompTIA SY0-701
Security+ Practice Exams

by James “Professor” Messer

http://www.ProfessorMesser.com
Professor Messer’s CompTIA SY0-701 Security+ Practice Exams
Written by James “Professor” Messer
Copyright © 2023 by Messer Studios, LLC
https://www.ProfessorMesser.com
All rights reserved. No part of this book may be reproduced or transmitted in any form
or by any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from
the publisher.

First Edition: November 2023
This is version 1.1

Trademark Acknowledgments
All product names and trademarks are the property of their respective owners, and are
in no way associated or affiliated with Messer Studios LLC.

“Professor Messer” is a registered trademark of Messer Studios LLC.

“CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.

Warning and Disclaimer
This book is designed to provide information about the CompTIA Security+
certification exam. However, there may be typographical and/or content errors.
Therefore, this book should serve only as a general guide and not as the ultimate source
of subject information. The author shall have no liability or responsibility to any person
or entity regarding any loss or damage incurred, or alleged to have incurred, directly or
indirectly, by the information contained in this book.
Contents
Introduction
The CompTIA SY0-701
Security+ Certification 

i
How to Use This Book 

ii

Practice Exam A
Performance-Based Questions 

1
Multiple Choice Questions 

5
Multiple Choice Quick Answers 

33
Detailed Answers 

35

Practice Exam B
Performance-Based Questions 

131
Multiple Choice Questions 

135
Multiple Choice Quick Answers 

161
Detailed Answers 

163

Practice Exam C
Performance-Based Questions 

257
Multiple Choice Questions 

261
Multiple Choice Quick Answers 

289
Detailed Answers 

291
About the Author

James "Professor" Messer is an information technology veteran whose
career has included supercomputer operations, system administration,
network management, and IT security.

James is also the f ounder and CEO of Messer Studios, a leading publisher
of training materials for IT certification exams. With over 185 million
videos viewed and over 850,000 subscribers, Professor Messer's training
has helped thousands of students realize their goals of a profession in
information technology.
Introduction
The process of answering a test question is our ultimate test of knowledge.
After hours of video watching, book reading, and note taking, do you really
know the material? If you're trying to prove yourself, nothing beats getting the
right answer.

This book contains three sample exams containing performance-based and
multiple-choice questions for the Security+ exam. I've personally curated every
question to make sure this Q&A matches the expectations of the SY0-701
Security+ exam.

I hope this book will help you be the smartest one in the room. Best of luck
with your studies!

- Professor Messer

The CompTIA SY0-701
Security+ Certification
CompTIA's Security+ certification is the entry point for IT security
professionals. If you're planning on securing the data and networks on the
world's largest networks, then you're in the right place.

Earning the Security+ certification requires the completion of one exam
covering a broad range of security topics. After completing the certification, a
CompTIA Security+ certified professional will have an understanding of attack
types, network security technologies, secure network architecture concepts,
cryptography, and much more.

Here's the breakdown of each domain and the percentage of each topic on the
SY0-701 exam:

Domain 1.0 - General Security Concepts - 12%
Domain 2.0 - Threats, Vulnerabilities, and Mitigations - 22%
Domain 3.0 - Security Architecture - 18%
Domain 4.0 - Security Operations - 28%
Domain 5.0 - Security Program Management and Oversight - 20%

i
How to Use This Book
This book contains three separate 90-question practice exams; Exam A, Exam
B, and Exam C. The exams are designed to emulate the format and difficulty
level of the actual Security+ exam.

Take one exam at a time. The difficulty levels are similar between exam, so
it doesn't matter which exam you take first.

The actual Security+ exam is 90 minutes in length, so try setting a timer
when you start your practice exam. Time management is an important part
of the exam.

The first section of each practice exam is the list of questions. There's a link
after every question that will jump immediately to the quick answer page
or the detailed answer page. If you're using the digital version, your PDF
reader keys can quickly jump back to the question page. Adobe Reader
in Windows uses Alt-Left arrow and macOS Preview uses Command-[
to move back to the previous view. Be sure to check your PDF reader for
specific navigation options.

The quick answer page is a consolidated list of the answers without any
detail or explanation. If you want to quickly check your answer sheet, this is
the page for you.

A detailed answer is available for each exam question. This section repeats
the question, the possible answers, and shows the answer with a detailed
explanation. This section is formatted to show only one answer per page to
avoid giving away the answer to any other questions. Digital readers can use
your PDF reader's back button to quickly jump back to the questions.

As you go through the exam, write down the answers on a separate sheet
of paper or separate text editor window. Many PDF readers also support
on-screen annotation. You can check the answers after the 90 minutes have
elapsed.

You can grade your results against the quick answer page. Be sure to check
the detailed answer pages for information on why certain answers were
considered correct or incorrect.

After each detailed answer, a video link is available for more information
on the topic. You can click the link in your PDF or use your camera to view
the QR (Quick Response) code on the page. Your camera app will provide
a notification message that will launch the video page in your browser. The
URL is also provided for manual entry.
ii
 You have the option of using each practice test as a 90 minute timed exam,
or as a casual Q&A. Try stepping through each question, picking an answer,
and then jumping to the detailed explanation to learn more about each
possible answer.

How to score the practice exams
Broadly speaking, the purpose of this book is to determine your readiness for
the Security+ exam. Although we've worked hard to provide you with a similar
experience as the actual exam, we're not trying to reverse-engineer CompTIA's
scoring system. CompTIA doesn't share the details of their scoring system, so
any attempt at recreating an actual exam score would be speculative and almost
certainly incorrect.
Many of the questions in this book have a single answer. If you get the question
right, you would obviously give yourself one point. Some of the exam questions
require multiple answers, and this is especially common with performance-
based questions. With these questions, you could potentially get part of a
question correct and other parts of the question incorrect.
Our recommendation is to count each question as one point, but you could also
give yourself partial credit if that helps provide a better measurement of your
readiness. You ultimately don't have any control over the scoring on the actual
exam, so we would recommend you focus on the content and let the score
provide a relative measurement of your success.
Here's a scoring chart:
Less than 63 questions correct / 70% and lower - Use the exam objectives
at the end of each detailed answer to determine where you might need
some additional help.
63 to 72 questions correct / 70% to 80% - You're so close! Keep working
on the areas you're missing and fill in those gaps.
73 to 81 questions correct / 80% to 90% - This is a strong showing, but
some additional studying will help you earn points on the real exam.
Although the actual Security+ exam does not calculate the final score
as a percentage, getting an 85% on the practice exam can be reasonably
considered a passing grade.
More than 81 questions correct / over 90% - You're ready for the real
thing! Book your exam and earn your Security+ certification!

The detailed answer pages break down every correct answer and every incorrect
answer. Although it's useful to know when you got a question right, it's
probably more important if you understand exactly why a question was marked
wrong. If you understand all of the technologies on these sample exams, then
you'll be ready for the actual exam.
iii
Practice Exam A
Performance-Based Questions
A1. Match the description with the most accurate attack type.
Not all attack types will be used.
Attack Types:

On-path RFID cloning
Keylogger Vishing
Rootkit DDoS
Injection Supply chain

Attacker obtains bank account number
and birth date by calling the victim

Select an Attack Type

Attacker accesses a database directly
from a web browser
Select an Attack Type

Attacker intercepts all communication between
a client and a web server
Select an Attack Type

Multiple attackers
overwhelm a web server
Select an Attack Type

Attacker obtains a list of all login credentials used
over the last 24 hours

Select an Attack Type
Answer Page: 35

Practice Exam A - Questions 1
A2. The security team at a manufacturing company is creating a set of
security standards for employees and visitors.
Select the BEST security control for each location.
All of the available security controls will be used once.

Fencing Authentication token
Available Security
Controls: Access control vestibule Biometrics

Access badge Security guard Lighting

Location Description Security Controls

Outside Parking and
Building Visitor drop-off

Reception Building lobby

Data Entrance from
Center inside building
Door

Authentication to
Server
server console
Administration
in the data center

Answer Page: 37

2 Practice Exam A - Questions
A3. Select the most appropriate security category.
Some categories may be used more than once.

Technical Managerial Operational Physical

A guard checks the identification of all visitors

All returns must be approved by a Vice President

A generator is used during a power outage

Building doors can be unlocked with an access card

System logs are transferred automatically to a SIEM

Answer Page: 39

A4. Match the appropriate authentication factor to each description.
Each authentication factor will be used once.

Something you know Something you have
Something you are Somewhere you are

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode

You enter your PIN to make
a deposit into an ATM

You can use your fingerprint to unlock
the door to the data center

Your login will not work unless you are
connected to the VPN

Answer Page: 40

Practice Exam A - Questions 3
A5. Configure the following stateful firewall rules:
Block HTTP sessions between the Web Server and the Database Server
Allow the Storage Server to transfer files to the Video Server over HTTPS
Allow the Management Server to use a secure terminal on the File Server

DMZ

File Server Video Server Web Server
10.1.1.3 10.1.1.7 10.1.1.2

DMZ
Switch

Internet Firewall

Internal
Switch

Internal Network

Storage Server Management Server Database Server
10.2.1.33 10.2.1.47 10.2.1.20

Destination Protocol Allow/
Rule # Source IP Port #
IP (TCP/UDP) Block
1
2
3

Answer Page: 41
4 Practice Exam A - Questions
Practice Exam A
Multiple Choice Questions
A6. A company has hired a third-party to gather information
about the company’s servers and data. This third-party
will not have direct access to the company's internal
network, but they can gather information from any other
source. Which of the following would BEST describe
this approach?
❍ A. Vulnerability scanning Quick
Answer: 33
❍ B. Passive reconnaissance
❍ C. Supply chain analysis The Details: 43

❍ D. Regulatory audit

A7. A company's email server has received an email from a
third-party, but the origination server does not match the
list of authorized devices. Which of the following would
determine the disposition of this message?
Quick
❍ A. SPF
Answer: 33
❍ B. NAC
The Details: 44
❍ C. DMARC
❍ D. DKIM

A8. Which of these threat actors would be MOST likely to
attack systems for direct financial gain?
❍ A. Organized crime Quick
Answer: 33
❍ B. Hacktivist
❍ C. Nation state The Details: 45
❍ D. Shadow IT

A9. A security administrator has examined a server recently
compromised by an attacker, and has determined the
system was exploited due to a known operating system
vulnerability. Which of the following would BEST
describe this finding?
Quick
❍ A. Root cause analysis
Answer: 33
❍ B. E-discovery
The Details: 46
❍ C. Risk appetite
❍ D. Data subject
Practice Exam A - Questions 5
A10. A city is building an ambulance service network for
emergency medical dispatching. Which of the following
should have the highest priority?
❍ A. Integration costs Quick
Answer: 33
❍ B. Patch availability
❍ C. System availability The Details: 47

❍ D. Power usage

A11. A system administrator receives a text alert when access
rights are changed on a database containing private
customer information. Which of the following would
describe this alert?
Quick
❍ A. Maintenance window
Answer: 33
❍ B. Attestation and acknowledgment
❍ C. Automation The Details: 48

❍ D. External audit

A12. A security administrator is concerned about the potential
for data exfiltration using external storage drives. Which
of the following would be the BEST way to prevent this
method of data exfiltration?
❍ A. Create an operating system security policy Quick
to block the use of removable media Answer: 33
❍ B. Monitor removable media usage in The Details: 49
host-based firewall logs
❍ C. Only allow applications that do not use
removable media
❍ D. Define a removable media block rule in the UTM

6 Practice Exam A - Questions
A13. A company creates a standard set of government reports
each calendar quarter. Which of the following would
describe this type of data?
❍ A. Data in use Quick
Answer: 33
❍ B. Obfuscated
❍ C. Trade secrets The Details: 50

❍ D. Regulated

A14. An insurance company has created a set of policies to
handle data breaches. The security team has been given
this set of requirements based on these policies:
Access records from all devices must be
saved and archived
Any data access outside of normal working hours
must be immediately reported
Data access must only occur inside of the country
Access logs and audit reports must be created from a
single database
Which of the following should be implemented by the
security team to meet these requirements?
(Select THREE)
❍ A. Restrict login access by IP address and Quick
GPS location Answer: 33

❍ B. Require government-issued identification The Details: 51
during the onboarding process
❍ C. Add additional password complexity for accounts
that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled
accounts
❍ G. Enable time-of-day restrictions on the
authentication server

Practice Exam A - Questions 7
A15. Rodney, a security engineer, is viewing this record from
the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this
log information?
❍ A. The victim's IP address is 136.127.92.171 Quick
Answer: 33
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked The Details: 53

❍ D. The Trojan was blocked, but the file was not

A16. A user connects to a third-party website and receives this
message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST
likely reason
for this message?
Quick
❍ A. Brute force
Answer: 33
❍ B. DoS
The Details: 54
❍ C. On-path
❍ D. Deauthentication

A17. Which of the following would be the BEST way to
provide a website login using existing credentials from a
third-party site?
❍ A. Federation Quick
Answer: 33
❍ B. 802.1X
❍ C. EAP The Details: 55
❍ D. SSO

8 Practice Exam A - Questions
A18. A system administrator is working on a contract that will
specify a minimum required uptime for a set of Internet-
facing firewalls. The administrator needs to know how
often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe
this information?
❍ A. MTBF Quick
Answer: 33
❍ B. RTO
❍ C. MTTR The Details: 56
❍ D. RPO

A19. An attacker calls into a company’s help desk
and pretends to be the director of the company’s
manufacturing department. The attacker states that they
have forgotten their password and they need to have the
password reset quickly for an important meeting. What
kind of attack would BEST describe this phone call?
❍ A. Social engineering Quick
Answer: 33
❍ B. Supply chain
❍ C. Watering hole The Details: 57
❍ D. On-path

A20. Two companies have been working together for a
number of months, and they would now like to qualify
their partnership with a broad formal agreement between
both organizations. Which of the following would
describe this agreement?
❍ A. SLA Quick
Answer: 33
❍ B. SOW
❍ C. MOA The Details: 58

❍ D. NDA

Practice Exam A - Questions 9
A21. Which of the following would explain why a company
would automatically add a digital signature to each
outgoing email message?
❍ A. Confidentiality Quick
Answer: 33
❍ B. Integrity
❍ C. Authentication The Details: 59
❍ D. Availability

A22. The embedded OS in a company’s time clock appliance is
configured to reset the file system and reboot when a file
system error occurs. On one of the time clocks, this file
system error occurs during the startup process and causes
the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. Memory injection Quick
Answer: 33
❍ B. Resource consumption
❍ C. Race condition The Details: 60
❍ D. Malicious update

A23. A recent audit has found that existing password policies
do not include any restrictions on password attempts,
and users are not required to periodically change their
passwords. Which of the following would correct these
policy issues? (Select TWO)
❍ A. Password complexity Quick
Answer: 33
❍ B. Password expiration
❍ C. Password reuse The Details: 61
❍ D. Account lockout
❍ E. Password managers

10 Practice Exam A - Questions
A24. What kind of security control is associated with
a login banner?
❍ A. Preventive Quick
Answer: 33
❍ B. Deterrent
❍ C. Corrective The Details: 62

❍ D. Detective
❍ E. Compensating
❍ F. Directive

A25. An internal audit has discovered four servers that have
not been updated in over a year, and it will take two
weeks to test and deploy the latest patches. Which of
the following would be the best way to quickly Quick
Answer: 33
respond to this situation in the meantime?
❍ A. Purchase cybersecurity insurance The Details: 63
❍ B. Implement an exception for all data center services
❍ C. Move the servers to a protected segment
❍ D. Hire a third-party to perform an extensive audit

A26. A business manager is documenting a set of steps for
processing orders if the primary Internet connection fails.
Which of these would BEST describe these steps?
❍ A. Platform diversity Quick
Answer: 33
❍ B. Continuity of operations
❍ C. Cold site recovery The Details: 64

❍ D. Tabletop exercise

A27. A company would like to examine the credentials of each
individual entering the data center building. Which of
the following would BEST facilitate this requirement?
❍ A. Access control vestibule Quick
Answer: 33
❍ B. Video surveillance
❍ C. Pressure sensors The Details: 65

❍ D. Bollards

Practice Exam A - Questions 11
A28. A company stores some employee information in
encrypted form, but other public details are stored as
plaintext. Which of the following would BEST describe
this encryption strategy?
❍ A. Full-disk Quick
Answer: 33
❍ B. Record
❍ C. Asymmetric The Details: 66
❍ D. Key escrow

A29. A company would like to minimize database corruption
if power is lost to a server. Which of the following would
be the BEST strategy to follow?
❍ A. Encryption Quick
Answer: 33
❍ B. Off-site backups
❍ C. Journaling The Details: 67

❍ D. Replication

A30. A company is creating a security policy for corporate
mobile devices:
All mobile devices must be automatically locked after a
predefined
time period.
The location of each device needs to be traceable.
All of the user’s information should be completely
separate from company data.
Which of the following would be the BEST way to
establish these security policy rules?
❍ A. Segmentation Quick
Answer: 33
❍ B. Biometrics
The Details: 68
❍ C. COPE
❍ D. MDM

12 Practice Exam A - Questions
A31. A security engineer runs a monthly vulnerability scan.
The scan doesn’t list any vulnerabilities for Windows
servers, but a significant vulnerability was announced last
week and none of the servers are patched yet. Which of
the following best describes this result?
❍ A. Exploit Quick
Answer: 33
❍ B. Compensating controls
❍ C. Zero-day attack The Details: 69
❍ D. False negative

A32. An IT help desk is using automation to improve the
response time for security events. Which of the following
use cases would apply to this process?
❍ A. Escalation Quick
Answer: 33
❍ B. Guard rails
❍ C. Continuous integration The Details: 70

❍ D. Resource provisioning

A33. A network administrator would like each user to
authenticate with their corporate username and
password when connecting to the company's wireless
network. Which of the following should the network
administrator configure on the wireless access points?
❍ A. WPA3 Quick
❍ B. 802.1X Answer: 33

❍ C. PSK The Details: 71
❍ D. MFA

A34. A company's VPN service performs a posture assessment
during the login process. Which of the following
mitigation techniques would this describe?
❍ A. Encryption Quick
Answer: 33
❍ B. Decommissioning
The Details: 72
❍ C. Least privilege
❍ D. Configuration enforcement

Practice Exam A - Questions 13
A35. A user has assigned individual rights and permissions
to a file on their network drive. The user adds three
additional individuals to have read-only access to the
file. Which of the following would describe this access
control model?
❍ A. Discretionary Quick
Answer: 33
❍ B. Mandatory
The Details: 73
❍ C. Attribute-based
❍ D. Role-based

A36. A remote user has received a text message with a link to
login and confirm their upcoming work schedule. Which
of the following would BEST describe this attack?
❍ A. Brute force Quick
❍ B. Watering hole Answer: 33
❍ C. Typosquatting The Details: 74
❍ D. Smishing

A37. A company is formalizing the design and deployment
process used by their application programmers. Which of
the following policies would apply?
❍ A. Business continuity Quick
Answer: 33
❍ B. Acceptable use policy
❍ C. Incident response The Details: 75

❍ D. Development lifecycle

A38. A security administrator has copied a suspected malware
executable from a user's computer and is running the
program in a sandbox. Which of the following would
describe this part of the incident response process?
❍ A. Eradication Quick
Answer: 33
❍ B. Preparation
❍ C. Recovery The Details: 76

❍ D. Containment

14 Practice Exam A - Questions
A39. A server administrator at a bank has noticed a decrease
in the number of visitors to the bank's website.
Additional research shows that users are being directed
to a different IP address than the bank's web server.
Which of the following would MOST likely describe
this attack?
❍ A. Deauthentication Quick
Answer: 33
❍ B. DDoS
❍ C. Buffer overflow The Details: 77

❍ D. DNS poisoning

A40. Which of the following considerations are MOST
commonly associated with a hybrid cloud model?
❍ A. Microservice outages Quick
❍ B. IoT support Answer: 33

❍ C. Network protection mismatches The Details: 78
❍ D. Containerization backups

A41. A company hires a large number of seasonal employees,
and their system access should normally be disabled
when the employee leaves the company. The security
administrator would like to verify that their systems
cannot be accessed by any of the former employees.
Which of the following would be the BEST way to
provide this verification?
Quick
❍ A. Confirm that no unauthorized accounts have Answer: 33
administrator access
The Details: 79
❍ B. Validate the account lockout policy
❍ C. Validate the offboarding processes and procedures
❍ D. Create a report that shows all authentications
for a 24-hour period

Practice Exam A - Questions 15
A42. Which of the following is used to describe how cautious
an organization might be to taking a specific risk?
❍ A. Risk appetite Quick
Answer: 33
❍ B. Risk register
❍ C. Risk transfer The Details: 80
❍ D. Risk reporting

A43. A technician is applying a series of patches to fifty web
servers during a scheduled maintenance window. After
patching and rebooting the first server, the web service
fails with a critical error. Which of the following should
the technician do NEXT?
❍ A. Contact the stakeholders regarding the outage Quick
Answer: 33
❍ B. Follow the steps listed in the backout plan
❍ C. Test the upgrade process in the lab The Details: 81

❍ D. Evaluate the impact analysis associated with
the change

A44. An attacker has discovered a way to disable a server by
sending specially crafted packets from many remote
devices to the operating system. When the packet is
received, the system crashes and must be rebooted to
restore normal operations. Which of the following would
BEST describe this attack? Quick
Answer: 33
❍ A. Privilege escalation
❍ B. SQL injection The Details: 82
❍ C. Replay attack
❍ D. DDoS

A45. A data breach has occurred in a large insurance company.
A security administrator is building new servers and
security systems to get all of the financial systems back
online. Which part of the incident response process
would BEST describe these actions?
❍ A. Lessons learned Quick
Answer: 33
❍ B. Containment
The Details: 83
❍ C. Recovery
❍ D. Analysis
16 Practice Exam A - Questions
A46. A network team has installed new access points to
support an application launch. In less than 24 hours,
the wireless network was attacked and private company
information was accessed. Which of the following would
be the MOST likely reason for this breach?
❍ A. Race condition Quick
Answer: 33
❍ B. Jailbreaking
❍ C. Impersonation The Details: 84

❍ D. Misconfiguration

A47. An organization has identified a significant vulnerability
in an Internet-facing firewall. The firewall company has
stated the firewall is no longer available for sale and
there are no plans to create a patch for this vulnerability.
Which of the following would BEST describe this issue?
❍ A. End-of-life Quick
Answer: 33
❍ B. Improper input handling
❍ C. Improper key management The Details: 85
❍ D. Incompatible OS

A48. A company has decided to perform a disaster recovery
exercise during an annual meeting with the IT directors
and senior directors. A simulated disaster will be
presented, and the participants will discuss the logistics
and processes required to resolve the disaster. Which of
the following would BEST describe this exercise?
❍ A. Capacity planning Quick
Answer: 33
❍ B. Business impact analysis
❍ C. Continuity of operations The Details: 86

❍ D. Tabletop exercise

Practice Exam A - Questions 17
A49. A security administrator needs to block users from
visiting websites hosting malicious software. Which of
the following would be the BEST way to control this
access?
❍ A. Honeynet Quick
Answer: 33
❍ B. Data masking
The Details: 87
❍ C. DNS filtering
❍ D. Data loss prevention

A50. A system administrator has been called to a system with
a malware infection. As part of the incident response
process, the administrator has imaged the operating
system to a known-good version. Which of these
incident response steps is the administrator following?
❍ A. Lessons learned Quick
❍ B. Recovery Answer: 33

❍ C. Detection The Details: 88
❍ D. Containment

A51. A company has placed a SCADA system on a segmented
network with limited access from the rest of the
corporate network. Which of the following would
describe this process?
❍ A. Load balancing Quick
Answer: 33
❍ B. Least privilege
❍ C. Data retention The Details: 89

❍ D. Hardening

18 Practice Exam A - Questions
A52. An administrator is viewing the following security log:
Dec 30 08:40:03 web01 Failed password for root
from 10.101.88.230 port 26244 ssh2

Dec 30 08:40:05 web01 Failed password for root
from 10.101.88.230 port 26244 ssh2

Dec 30 08:40:09 web01 445 more authentication
failures; rhost=10.101.88.230 user=root

Which of the following would describe this attack?
❍ A. Spraying Quick
❍ B. Downgrade Answer: 33

❍ C. Brute force The Details: 90
❍ D. DDoS

A53. During a morning login process, a user's laptop was
moved to a private VLAN and a series of updates were
automatically installed. Which of the following would
describe this process?
❍ A. Account lockout Quick
Answer: 33
❍ B. Configuration enforcement
❍ C. Decommissioning The Details: 91
❍ D. Sideloading

A54. Which of the following describes two-factor
authentication?
Quick
❍ A. A printer uses a password and a PIN Answer: 33
❍ B. The door to a building requires a fingerprint scan
The Details: 92
❍ C. An application requires a pseudo-random code
❍ D. A Windows Domain requires a password and
smart card

Practice Exam A - Questions 19
A55. A company is deploying a new application to all
employees in the field. Some of the problems associated
with this roll out include:
The company does not have a way to manage the
devices in the field
Team members have many different kinds of
mobile devices
The same device needs to be used for both corporate
and private use
Which of the following deployment models would
address these concerns?
❍ A. CYOD Quick
Answer: 33
❍ B. SSO
The Details: 93
❍ C. COPE
❍ D. BYOD

A56. An organization is installing a UPS for their new data
center. Which of the following would BEST describe
this control type?
❍ A. Compensating Quick
Answer: 33
❍ B. Directive
❍ C. Deterrent The Details: 94

❍ D. Detective

A57. A manufacturing company would like to track the
progress of parts used on an assembly line. Which of the
following technologies would be the BEST choice for
this task?
❍ A. Secure enclave Quick
Answer: 33
❍ B. Blockchain
❍ C. Hashing The Details: 95

❍ D. Asymmetric encryption

20 Practice Exam A - Questions
A58. A company's website has been compromised and the
website content has been replaced with a political
message. Which of the following threat actors would be
the MOST likely culprit?
❍ A. Insider Quick
Answer: 33
❍ B. Organized crime
The Details: 96
❍ C. Shadow IT
❍ D. Hacktivist

A59. A Linux administrator is downloading an updated
version of her Linux distribution. The download site
shows a link to the ISO and a SHA256 hash value.
Which of these would describe the use of this
hash value?
❍ A. Verifies that the file was not corrupted during Quick
the file transfer Answer: 33

❍ B. Provides a key for decrypting the ISO The Details: 97
after download
❍ C. Authenticates the site as an official ISO
distribution site
❍ D. Confirms that the file does not contain
any malware

A60. A company's security policy requires that login access
should only be available if a person is physically within
the same building as the server. Which of the following
would be the BEST way to provide this requirement?
❍ A. USB security key Quick
Answer: 33
❍ B. Biometric scanner
The Details: 98
❍ C. PIN
❍ D. SMS

Practice Exam A - Questions 21
A61. A development team has installed a new application and
database to a cloud service. After running a vulnerability
scanner on the application instance, a security
administrator finds the database is available for anyone
to query without providing any authentication. Which of
these vulnerabilities is MOST associated with this issue?
❍ A. Legacy software Quick
Answer: 33
❍ B. Open permissions
❍ C. Race condition The Details: 99

❍ D. Malicious update

A62. Employees of an organization have received an email
with a link offering a cash bonus for completing an
internal training course. Which of the following would
BEST describe this email?
❍ A. Watering hole attack Quick
Answer: 33
❍ B. Cross-site scripting
❍ C. Zero-day The Details: 100

❍ D. Phishing campaign

A63. Which of the following risk management strategies
would include the purchase and installation of an
NGFW?
❍ A. Transfer Quick
Answer: 33
❍ B. Mitigate
The Details: 101
❍ C. Accept
❍ D. Avoid

A64. An organization is implementing a security model where
all application requests must be validated at a policy
enforcement point. Which of the following would BEST
describe this model?
Quick
❍ A. Public key infrastructure
Answer: 33
❍ B. Zero trust
The Details: 102
❍ C. Discretionary access control
❍ D. Federation

22 Practice Exam A - Questions
A65. A company is installing a new application in a
public cloud. Which of the following determines the
assignment of data security in this cloud infrastructure?
❍ A. Playbook Quick
Answer: 33
❍ B. Audit committee
❍ C. Responsibility matrix The Details: 103

❍ D. Right-to-audit clause

A66. When decommissioning a device, a company documents
the type and size of storage drive, the amount of RAM,
and any installed adapter cards. Which of the following
describes this process?
❍ A. Destruction Quick
Answer: 33
❍ B. Sanitization
❍ C. Certification The Details: 104

❍ D. Enumeration

A67. An attacker has sent more information than expected
in a single API call, and this has allowed the execution
of arbitrary code. Which of the following would BEST
describe this attack?
Quick
❍ A. Buffer overflow Answer: 33
❍ B. Replay attack
The Details: 105
❍ C. Session hijacking
❍ D. DDoS

A68. A company encourages users to encrypt all of
their confidential materials on a central server. The
organization would like to enable key escrow as a backup
option. Which of these keys should the organization
place into escrow?
❍ A. Private Quick
Answer: 33
❍ B. CA
The Details: 106
❍ C. Session
❍ D. Public

Practice Exam A - Questions 23
A69. A company is in the process of configuring and enabling
host-based firewalls on all user devices. Which of the
following threats is the company addressing?
❍ A. Default credentials Quick
Answer: 33
❍ B. Vishing
❍ C. Instant messaging The Details: 107

❍ D. On-path

A70. A manufacturing company would like to use an
existing router to separate a corporate network from
a manufacturing floor. Both networks use the same
physical switch, and the company does not want to install
any additional hardware. Which of the following would
be the BEST choice for this segmentation? Quick
Answer: 33
❍ A. Connect the corporate network and the
manufacturing floor with a VPN The Details: 108
❍ B. Build an air gapped manufacturing floor network
❍ C. Use host-based firewalls on each device
❍ D. Create separate VLANs for the corporate network
and the manufacturing floor

A71. An organization needs to provide a remote access
solution for a newly deployed cloud-based application.
This application is designed to be used by mobile field
service technicians. Which of the following would be the
best option for this requirement?
❍ A. RTOS Quick
Answer: 33
❍ B. CRL
❍ C. Zero-trust The Details: 109

❍ D. SASE

24 Practice Exam A - Questions
A72. A company is implementing a quarterly security
awareness campaign. Which of the following would
MOST likely be part of this campaign?
❍ A. Suspicious message reports from users Quick
Answer: 33
❍ B. An itemized statement of work
❍ C. An IaC configuration file The Details: 110

❍ D. An acceptable use policy document

A73. A recent report shows the return of a vulnerability
that was previously patched four months ago. After
researching this issue, the security team has found a
recent patch has reintroduced this vulnerability on the
servers. Which of the following should the security
administrator implement to prevent this issue from
occurring in the future?
❍ A. Containerization Quick
Answer: 33
❍ B. Data masking
The Details: 111
❍ C. 802.1X
❍ D. Change management

A74. A security manager would like to ensure that unique
hashes are used with an application login process. Which
of the following would be the BEST way to add random
data when generating a set of stored password hashes?
❍ A. Salting Quick
❍ B. Obfuscation Answer: 33

❍ C. Key stretching The Details: 112

❍ D. Digital signature

A75. Which cryptographic method is used to add trust to a
digital certificate?
❍ A. Steganography Quick
Answer: 33
❍ B. Hash
The Details: 113
❍ C. Symmetric encryption
❍ D. Digital signature

Practice Exam A - Questions 25
A76. A company is using SCAP as part of their security
monitoring processes. Which of the following would
BEST describe this implementation?
❍ A. Train the user community to better identify
phishing attempts
❍ B. Present the results of an internal audit to the board
❍ C. Automate the validation and patching of Quick
security issues Answer: 33

❍ D. Identify and document authorized data The Details: 114
center visitors

A77. An organization maintains a large database of customer
information for sales tracking and customer support.
Which person in the organization would be responsible
for managing the access rights to this data?
❍ A. Data processor Quick
Answer: 33
❍ B. Data owner
The Details: 115
❍ C. Data subject
❍ D. Data custodian

A78. An organization’s content management system currently
labels files and documents as “Public” and “Restricted.”
On a recent update, a new classification type of “Private”
was added. Which of the following would be the MOST
likely reason for this addition?
❍ A. Minimized attack surface Quick
Answer: 33
❍ B. Simplified categorization
The Details: 116
❍ C. Expanded privacy compliance
❍ D. Decreased search time

26 Practice Exam A - Questions
A79. A corporate security team would like to consolidate and
protect the private keys across all of their web servers.
Which of these would be the BEST way to securely store
these keys?
Quick
❍ A. Integrate an HSM Answer: 33
❍ B. Implement full disk encryption on the web servers
The Details: 117
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A80. A security technician is reviewing this security log from
an IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log
information? (Select TWO)
❍ A. The alert was generated from a malformed
User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74 Quick
Answer: 33
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid The Details: 118
client port number

A81. Which of the following describes a monetary loss if one
event occurs?
❍ A. ALE Quick
Answer: 33
❍ B. SLE
❍ C. RTO The Details: 119

❍ D. ARO

Practice Exam A - Questions 27
A82. A user with restricted access has typed this text in a
search field of an internal web-based application:

USER77' OR '1'='1

After submitting this search request, all database records
are displayed on the screen. Which of the following
would BEST describe this search?
❍ A. Cross-site scripting Quick
Answer: 33
❍ B. Buffer overflow
The Details: 120
❍ C. SQL injection
❍ D. SSL stripping

A83. A user has opened a helpdesk ticket complaining of poor
system performance, excessive pop up messages, and
the cursor moving without anyone touching the mouse.
This issue began after they opened a spreadsheet from a
vendor containing part numbers and pricing information.
Which of the following is MOST likely the cause of this
user's issues?
❍ A. On-path Quick
Answer: 33
❍ B. Worm
The Details: 121
❍ C. Trojan horse
❍ D. Logic bomb

A84. A web-based manufacturing company processes
monthly charges to credit card information saved in the
customer's profile. All of the customer information is
encrypted and protected with additional authentication
factors. Which of the following would be the justification
for these security controls?
❍ A. Chain of custody Quick
Answer: 33
❍ B. Password vaulting
The Details: 122
❍ C. Compliance reporting
❍ D. Sandboxing

28 Practice Exam A - Questions
A85. A security manager has created a report showing
intermittent network communication from certain
workstations on the internal network to one external
IP address. These traffic patterns occur at random times
during the day. Which of the following would be the
MOST likely reason for these traffic patterns?
❍ A. On-path attack Quick
Answer: 33
❍ B. Keylogger
The Details: 123
❍ C. Replay attack
❍ D. Brute force

A86. The security policies in a manufacturing company
prohibit the transmission of customer information.
However, a security administrator has received an alert
that credit card numbers were transmitted as an email
attachment. Which of the following was the MOST
likely source of this alert message?
❍ A. IPS Quick
Answer: 33
❍ B. DLP
The Details: 124
❍ C. RADIUS
❍ D. IPsec

A87. A security administrator has configured a virtual machine
in a screened subnet with a guest login account and no
password. Which of the following would be the MOST
likely reason for this configuration?
❍ A. The server is a honeypot for attracting Quick
potential attackers Answer: 33

❍ B. The server is a cloud storage service for The Details: 125
remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-
party programming projects

Practice Exam A - Questions 29
A88. A security administrator is configuring a DNS server
with a SPF record. Which of the following would be the
reason for this configuration?
❍ A. Transmit all outgoing email over an Quick
encrypted tunnel Answer: 33
❍ B. List all servers authorized to send emails The Details: 126
❍ C. Digitally sign all outgoing email messages
❍ D. Obtain disposition instructions for emails
marked as spam

A89. A company would like to securely deploy applications
without the overhead of installing a virtual machine for
each system. Which of the following would be the BEST
way to deploy these applications?
❍ A. Containerization Quick
Answer: 33
❍ B. IoT
❍ C. Proxy The Details: 127

❍ D. RTOS

A90. A company has just purchased a new application server,
and the security director wants to determine if the
system is secure. The system is currently installed in a test
environment and will not be available to users until the
roll out to production next week. Which of the following
would be the BEST way to determine if any part of the
system can be exploited?
❍ A. Tabletop exercise Quick
Answer: 33
❍ B. Vulnerability scanner
❍ C. DDoS The Details: 128

❍ D. Penetration test

30 Practice Exam A - Questions
Practice Exam A - Questions 31
Practice Exam A
Multiple Choice Quick Answers
A6. B A36. D A66. D
A7. C A37. D A67. A
A8. A A38. D and E A68. A
A9. A A39. D A69. C
A10. C A40. C A70. D
A11. C A41. C A71. D
A12. A A42. A A72. A
A13. D A43. B A73. D
A14. A, E, and G A44. D A74. A
A15. B A45. C A75. D
A16. C A46. D A76. C and D
A17. A A47. A A77. D
A18. A A48. D A78. C
A19. A A49. C A79. A
A20. C A50. B A80. B and C
A21. B A51. D A81. B
A22. C A52. C A82. C
A23. B and D A53. B A83. C
A24. B A54. D A84. C
A25. C A55. C A85. B
A26. B A56. A A86. B
A27. A A57. B A87. A
A28. B A58. D A88. B
A29. C A59. A A89. A
A30. D A60. B A90. D
A31. D A61. B
A32. A A62. D
A33. B A63. B
A34. D A64. B
A35. A A65. C

Practice Exam A - Answers 33
Practice Exam A
Detailed Answers
A1. Match the description with the most accurate attack type.
Not all attack types will be used.

Attacker obtains bank account number
and birth date by calling the victim

Vishing
Social engineering over the telephone continues to be an effective attack vector,
and obtaining personal information such as a bank account or birth date would
be considered phishing over voice, or vishing.
More information:
SY0-701, Objective 2.2 - Phishing
https://professormesser.link/701020202

Attacker accesses a database directly
from a web browser
Injection
A SQL (Structured Query Language) injection attack sends SQL commands
directly to a database using a vulnerable web application.
More information:
SY0-701, Objective 2.3 - SQL Injection
https://professormesser.link/701020306

Attacker intercepts all communication between
a client and a web server
On-path
On-path attacks are quite effective because the attacker can often sit invisibly
between two devices and gather useful information or modify the data streams
in real-time.
More information:
SY0-701, Objective 2.4 - On-path Attacks
https://professormesser.link/701020409
Practice Exam A - Answers 35
 Multiple attackers
overwhelm a web server
DDoS
A DoS (Denial of Service) occurs when a service is unavailable due to the
actions of a third-party. A DDoS (Distributed Denial of Service) occurs when
multiple third-parties work together to create a service outage.
More information:
SY0-701, Objective 2.4 - Denial of Service
https://professormesser.link/701020406

Attacker obtains a list of all login credentials used
over the last 24 hours

Keylogger
Attackers can install hardware or software keyloggers to capture all
information typed into a keyboard. Keylogger software can also capture
screenshots and other media and covertly send all of this information to the
attacker using an existing Internet connection.
More information:
SY0-701, Objective 2.4 - Other Malware Types
https://professormesser.link/701020404

36 Practice Exam A - Answers
A2. The security team at a manufacturing company is creating a set of security
standards for employees and visitors.
Select the BEST security control for each location.
All of the available security controls will be used once.

Fencing
Outside Parking and
Building Visitor drop-off
Lighting

Security outside of the building is focused on the safety of employees and
visitors as they park their vehicles or are dropped off at the entrance. The
parking lot and exterior building areas should be surrounded by fencing to
control access and the parking lot should be well-lit at all times.

Security guard

Reception Building lobby
Access control vestibule

The reception area is the first interaction with employees or visitors. Security
guards should be available to check the authorization of anyone entering the
building, and the use of an access control vestibule can help manage the flow of
individuals through this checkpoint.

Practice Exam A - Answers 37
 Data Entrance from Access badge
Center inside building
Door
Biometrics

Once inside, many areas of the building are readily available to employees and
visitors. However, some areas of the building containing sensitive information
may require additional authorization. To gain access to the data center from
inside of the building, an individual would need to provide a valid access badge
and perform a biometric check of their fingerprint, handprint, or a similar type
of authentication factor.

Authentication to
Server Authentication token
server console
Administration
in the data center

Gaining access through the door of the data center doesn't provide any access
to the server data. If a technician needs console access to a server, they'll need to
provide the proper username, password, and authentication token. This multi-
factor authentication ensures only authorized users are able to gain access to the
information contained on the server.

More information:
SY0-701, Objective 1.2 - Physical Security
https://professormesser.link/701010206

38 Practice Exam A - Answers
A3. Select the most appropriate security category.
Some categories may be used more than once.

Operational A guard checks the identification of all visitors

Managerial All returns must be approved by a Vice President

Physical A generator is used during a power outage

Physical Building doors can be unlocked with an access card

Technical System logs are transferred automatically to a SIEM

Control categories describe the type of security applied to a task or event.

Operational controls are often implemented by people instead of systems.
Security guards and awareness programs are examples of an operational control.

Managerial controls are administrative controls associated with security design
and implementation. A set of policies and procedures would be an example of a
managerial control.

Physical controls are used to limit physical access. Badge readers, fences, and
guard shacks are categorized as physical controls.

Technical controls are implemented using systems. Operating system controls,
firewalls, and automated processes are considered technical controls.

More information:
SY0-701, Objective 1.1 - Security Controls
https://professormesser.link/701010101

Practice Exam A - Answers 39
A4. Match the appropriate authentication factor to each description.
Each authentication factor will be used once.

Something you know Something you have
Something you are Somewhere you are

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode Something you have

You enter your PIN to make
a deposit into an ATM Something you know

You can use your fingerprint to unlock
the door to the data center Something you are

Your login will not work unless you are
connected to the VPN Somewhere you are

Authentication factors are important to consider when developing applications
or designing network infrastructures. It's useful to know each authentication
factor and some examples of how that factor can be applied during the
authentication process.

More information:
SY0-701, Objective 4.6 - Multi-factor Authentication
https://professormesser.link/701040603

40 Practice Exam A - Answers
A5. Configure the following stateful firewall rules:
Block HTTP sessions between the Web Server and the Database Server
Allow the Storage Server to transfer files to the Video Server over HTTPS
Allow the Management Server to use a secure terminal on the File Server

DMZ

File Server Video Server Web Server
10.1.1.3 10.1.1.7 10.1.1.2

DMZ
Switch

Internet Firewall

Internal
Switch

Internal Network

Storage Server Management Server Database Server
10.2.1.33 10.2.1.47 10.2.1.20

Destination Protocol Allow/
Rule # Source IP Port #
IP (TCP/UDP) Block
1 10.1.1.2 10.2.1.20 TCP 80 Block
2 10.2.1.33 10.1.1.7 TCP 443 Allow
3 10.2.1.47 10.1.1.3 TCP 22 Allow

Practice Exam A - Answers 41
Creating firewall policies is a foundational skill for any IT security professional.
Fortunately, the process is relatively straightforward if each part of the firewall
rule is broken down into individual pieces.

Block HTTP sessions between the Web Server and the Database Server
The first step is to determine the source and destination of the firewall rule.
After referencing the diagram, we can see the source Web Server IP address
is 10.1.1.2 and the destination Database Server is 10.2.1.20. This question
requires a knowledge of basic TCP and UDP ports, and recognizing the well-
known port for the HTTP protocol as TCP/80 provides the next two fields in
the firewall rule. Finally, the rule is designed to prevent traffic between these
two devices, so the disposition is set to Block.
Since this firewall is stateful, the firewall rule allows the first packet in the
traffic flow and any return traffic in the flow will be automatically associated
with this rule. A stateful firewall does not require a separate firewall rule for
response traffic associated with the original traffic flow.

Allow the Storage Server to transfer files to the Video Server over HTTPS
The Storage Server is 10.2.1.33, and the Video Server is 10.1.1.7. Notice that
the traffic flow moves through the firewall in a different direction than the first
rule, but these firewall rules are focused on the source and destination of the
traffic flow. This rule specifies HTTPS traffic, so TCP/443 will be listed in the
firewall rule. Finally, the firewall rule should allow these traffic flows.

Allow the Management Server to use a secure terminal on the File Server
The management server IP address is 10.2.1.47, and the File Server is 10.1.1.3.
A secure terminal would use the SSH protocol over TCP/22, and the firewall
should be configured to allow this traffic.

More information:
SY0-701, Objective 4.5 - Firewalls
https://professormesser.link/701040501

42 Practice Exam A - Answers
A6. A company has hired a third-party to gather information about the
company’s servers and data. This third-party will not have direct access to
the company's internal network, but they can gather information from any
other source. Which of the following would BEST describe this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit

The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from
open sources such as social media, corporate websites, and business
organizations.

The incorrect answers:
A. Vulnerability scanning
Some active reconnaissance tests will query systems directly to see if a
vulnerability currently exists.

C. Supply chain analysis
A supply chain analysis will examine the security associated with a
supplier, and the analysis will not provide any information regarding a
company's own servers and data.

D. Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or
private guidelines. A regulatory audit commonly requires access to internal
systems and data.

More information:
SY0-701, Objective 5.5 - Penetration Tests
https://professormesser.link/701050502

Practice Exam A - Answers 43
A7. A company's email server has received an email from a third-party, but the
origination server does not match the list of authorized devices. Which of
the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM

The Answer: C. DMARC
DMARC (Domain-based Message Authentication Reporting and
Conformance) specifies the disposition of spam emails. The legitimate
owner of the originating email domain can choose to have these messages
accepted, sent to a spam folder, or rejected.

The incorrect answers:
A. SPF
SPF (Sender Policy Framework) is a list of all authorized mail servers for
a specific domain. All legitimate emails would be sent from one of the
servers listed in the SPF configuration.

B. NAC
NAC (Network Access Control) is a way to limit network access to only
authorized users. NAC is not commonly used to manage the transfer of
email messages.

D. DKIM
DKIM (Domain Keys Identified Mail) provides a way to validate all
digitally signed messages from a specific email server. DKIM does not
determine how the receiving server categorizes these digitally signed
messages.

More information:
SY0-701, Objective 4.5 - Email Security
https://professormesser.link/701040505

44 Practice Exam A - Answers
A8. Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually based around objectives that can be easily exchanged
for financial capital.

The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.

C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.

D. Shadow IT
Shadow IT describes part of the organization that works around the
existing IT department to build their own applications and infrastructure.

More information:
SY0-701, Objective 2.1 - Threat Actors
https://professormesser.link/701020101

Practice Exam A - Answers 45
A9. A security administrator has examined a server recently compromised by
an attacker, and has determined the system was exploited due to a known
operating system vulnerability. Which of the following would BEST
describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject

The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an
incident. Once the cause is known, it becomes easier to protect against
similar attacks in the future.

The incorrect answers:
B. E-discovery
E-discovery relates to the collection, preparation, review, interpretation,
and production of electronic documents. E-discovery itself is not involved
with the research and determination of an attack's root cause.

C. Risk appetite
A risk appetite describes the amount of risk an organization is willing to
take before taking any action to reduce that risk. Risk appetite is not part
of a root cause analysis.

D. Data subject
A data subject describes any information relating to an identified or
identifiable natural person, especially when describing or managing private
information about the subject.

More information:
SY0-701, Objective 4.8 - Incident Planning
https://professormesser.link/701040802

46 Practice Exam A - Answers
A10. A city is building an ambulance service network for emergency medical
dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage

The Answer: C. System availability
Requests to emergency services are often critical in nature, and it's
important for a dispatching system to always be available when a call is
made.

The incorrect answers:
A. Integration costs
When lives are on the line, the cost is not commonly the most important
aspect of a system integration.

B. Patch availability
Although it's important to always keep systems patched, it's more
important that a life saving service be available to those who might need it.

D. Power usage
Power usage is not usually the most important consideration when
building a critical healthcare and emergency service infrastructure.

More information:
SY0-701, Objective 3.1 - Infrastructure Considerations
https://professormesser.link/701030104

Practice Exam A - Answers 47
A11. A system administrator receives a text alert when access rights are
changed on a database containing private customer information. Which
of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit

The Answer: C. Automation
Automation ensures that compliance checks can be performed on a
regular basis without the need for human intervention. This can be
especially useful to provide alerts when a configuration change causes an
organization to be out of compliance.

The incorrect answers:
A. Maintenance window
A maintenance window describes the scheduling associated with the
change control process. Systems and services generally have limited
availability during a maintenance window.

B. Attestation and acknowledgment
With compliance, the process of attestation and acknowledgment is the
final verification of the formal compliance documentation. An alert from
an automated process would not qualify as attestation.

D. External audit
An external audit can be a valuable tool for verifying the compliance
process, but an automated alert from a monitoring system would not be
part of an external audit.

More information:
SY0-701, Objective 5.4 - Compliance
https://professormesser.link/701050401

48 Practice Exam A - Answers
A12. A security administrator is concerned about the potential for data
exfiltration using external storage drives. Which of the following would
be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

The Answer: A. Create an operating system security policy to prevent
the use of removable media

Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.

The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.

C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.

D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.

More information:
SY0-701, Objective 2.2 - Common Threat Vectors
https://professormesser.link/701020201

Practice Exam A - Answers 49
A13. A company creates a standard set of government reports each calendar
quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated

The Answer: D. Regulated
Reports and information created for governmental use are regulated by
laws regarding the disclosure of certain types of data.

The incorrect answers:
A. Data in use
Data in use describes information actively processing in the memory of a
system, such as system RAM, CPU registers, or CPU cache. Government
reports are static documents and are not actively being processed.

B. Obfuscated
Obfuscation describes the modification of data to make something
understandable into something very difficult to understand. Information
contained in a government report is relatively easy to understand and
would not be considered obfuscated data.

C. Trade secrets
Trade secrets are the private details a company uses as part of their normal
business processes, and these trade secrets are not shared with any other
organization or business.

More information:
SY0-701, Objective 3.3 - Data Types and Classifications
https://professormesser.link/701030301

50 Practice Exam A - Answers
A14. An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
Access records from all devices must be saved and archived
Any data access outside of normal working hours
must be immediately reported
Data access must only occur inside of the country
Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server

Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.

Practice Exam A - Answers 51
 The incorrect answers:
B. Require government-issued identification during the
onboarding process

Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.

C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.

D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.

F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.

More information:
SY0-701, Objective 4.6 - Access Controls
https://professormesser.link/701040602

52 Practice Exam A - Answers
A15. A security engineer, is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.

The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.

C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.

D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

More information:
SY0-701, Objective 4.9 - Log Files
https://professormesser.link/701040901

Practice Exam A - Answers 53
A16. A user connects to a third-party website and receives this message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.

The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.

B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.

D. Deauthentication
Deauthentication attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.

More information:
SY0-701, Objective 2.4 - On-Path Attacks
https://professormesser.link/701020409

54 Practice Exam A - Answers
A17. Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO

The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.

The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.

C. EAP
EAP (Extensible Authentication Protocol) is an authentication
framework commonly associated with network access control. EAP by
itself does not provide the federation needed to authenticate users to a
third-party access database.

D. SSO
SSO (Single Sign-On) describes the process of enabling a single
authentication to grant access to many different network services.
Obtaining login credentials from a third-party access database does not
describe the process used by SSO.

More information:
SY0-701, Objective 4.6 - Identity and Access Management
https://professormesser.link/701040601

Practice Exam A - Answers 55
A18. A system administrator is working on a contract that will specify a
minimum required uptime for a set of Internet-facing firewalls. The
administrator needs to know how often the firewall hardware is expected
to fail between repairs. Which of the following would BEST describe this
information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO

The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.

The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.

C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.

D. RPO
RPO (Recovery Point Objective) describes the minimum data or
operational state required to categorize a system as recovered.

More information:
SY0-701, Objective 5.2 - Business Impact Analysis
https://professormesser.link/701050204

56 Practice Exam A - Answers
A19. An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path

The Answer: A. Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls.

The incorrect answers:
B. Supply chain
A supply chain attack focuses on the equipment or raw materials used to
deliver products or services to an organization or user. A call to the help
desk would not be categorized as part of the supply chain.

C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of
a user's local (and usually more secure) network.

D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.

More information:
SY0-701, Objective 2.2 - Impersonation
https://professormesser.link/701020203

Practice Exam A - Answers 57
A20. Two companies have been working together for a number of months,
and they would now like to qualify their partnership with a broad formal
agreement between both organizations. Which of the following would
describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA

The Answer: C. MOA
An MOA (Memorandum of Agreement) is a formal document where
both sides agree to a broad set of goals and objectives associated with the
partnership.

The incorrect answers:
A. SLA
An SLA (Service Level Agreement) is commonly provided as a formal
contract between two