CompTIA Security+ SY0-701 Exam Questions PDF
Document Details
Uploaded by BelievableEpigram
CompTIA
Tags
Summary
This document contains CompTIA Security+ SY0-701 exam questions. Questions cover topics like incident response, threat hunting and risk management.
Full Transcript
Vendor: CompTIA Exam Code: SY0-701 Exam Name: CompTIA Security+ SY0-701 Certification Exam Version: 24.062 Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within One year after your purchase. You can login member center and downloa...
Vendor: CompTIA Exam Code: SY0-701 Exam Name: CompTIA Security+ SY0-701 Certification Exam Version: 24.062 Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within One year after your purchase. You can login member center and download the latest product anytime. (Product downloaded from member center is always the latest.) PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam again. Feedback We devote to promote the product quality and the grade of service to ensure customers interest. If you have any questions about our product, please provide Exam Number, Version, Page Number, Question Number, and your Login Account to us, please contact us at [email protected] and our technical experts will provide support in 24 hours. Copyright The product of each order has its own encryption code, so you should use it independently. If anyone who share the file we will disable the free update and account access. Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final explanation for this statement. Order ID: **************** PayPal Name: **************** PayPal ID: **************** QUESTION 1 A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee's corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source? A. Application B. IPS/IDS C. Network D. Endpoint Answer: D Explanation: Endpoint logs are the most suitable data source for gathering additional information about the executable running on the employee's corporate laptop. These logs contain detailed information about processes, executables, and activities occurring on the endpoint, enabling the security analyst to understand the behavior of the executable and its potential impact on the system and network. QUESTION 2 A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior? A. Digital forensics B. E-discovery C. Incident response D. Threat hunting Answer: D Explanation: Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat intelligence, and incident response. Threat hunting can also help improve the security posture of an organization by providing feedback and recommendations for security improvements. QUESTION 3 A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent? A. Accept B. Transfer C. Mitigate D. Avoid Answer: B Explanation: Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 2 https://www.passleader.com Transfer: Transferring a risk involves shifting some or all of the risk to another party, such as an insurance provider, through contractual agreements or financial arrangements. If the company purchases cyber insurance to address items listed on the risk register, it represents a risk transfer strategy. The company is transferring the financial burden of potential cyber incidents to the insurance provider, who will compensate the company for covered losses. Given the scenario described, the strategy represented by the company's purchase of cyber insurance to address items listed on the risk register is Transfer. The company is transferring some of the financial consequences of potential cyber incidents to the insurance provider through the purchase of insurance coverage. QUESTION 4 A security administrator would like to protect data on employees' laptops. Which of the following encryption techniques should the security administrator use? A. Partition B. Asymmetric C. Full disk D. Database Answer: C Explanation: Full disk encryption (FDE) encrypts all the data on a disk drive, protecting the data at rest on the entire laptop, including the operating system, applications, and user files. This ensures that if a laptop is lost or stolen, the data cannot be accessed without the correct decryption key. QUESTION 5 Which of the following security control types does an acceptable use policy best represent? A. Detective B. Compensating C. Corrective D. Preventive Answer: D Explanation: Preventive - an acceptable use policy enforces rules to users to use company resources. example - company A states that in order to access files in the company server you must connect to your company VPN when working from home. This prevents you from connecting from an insecure network. QUESTION 6 An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software. Which of the following security techniques is the IT manager setting up? A. Hardening B. Employee monitoring C. Configuration enforcement D. Least privilege Answer: D Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 3 https://www.passleader.com Explanation: The principle of least privilege is a security concept that limits access to resources to the minimum level needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity best practice that protects high-value data and assets from compromise or insider threat. Least privilege can be applied to different abstraction layers of a computing environment, such as processes, systems, or connected devices. However, it is rarely implemented in practice. In this scenario, the IT manager is setting up the principle of least privilege by restricting access to the administrator console of the help desk software to only two authorized users: the IT manager and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to the software configuration, data, or functionality by other help desk staff. The other help desk staff will only have access to the normal user interface of the software, which is sufficient for them to perform their job functions. The other options are not correct. Hardening is the process of securing a system by reducing its surface of vulnerability, such as by removing unnecessary software, changing default passwords, or disabling unnecessary services. Employee monitoring is the surveillance of workers' activity, such as by tracking web browsing, application use, keystrokes, or screenshots. Configuration enforcement is the process of ensuring that a system adheres to a predefined set of security settings, such as by applying a patch, a policy, or a template. QUESTION 7 Which of the following roles, according to the shared responsibility model, is responsible for securing the company's database in an IaaS model for a cloud environment? A. Client B. Third-party vendor C. Cloud provider D. DBA Answer: A Explanation: According to the shared responsibility model, the client and the cloud provider have different roles and responsibilities for securing the cloud environment, depending on the service model. In an IaaS (Infrastructure as a Service) model, the cloud provider is responsible for securing the physical infrastructure, such as the servers, storage, and network devices, while the client is responsible for securing the operating systems, applications, and data that run on the cloud infrastructure. Therefore, the client is responsible for securing the company's database in an IaaS model for a cloud environment, as the database is an application that stores data. The client can use various security controls, such as encryption, access control, backup, and auditing, to protect the database from unauthorized access, modification, or loss. The third-party vendor and the DBA (Database Administrator) are not roles defined by the shared responsibility model, but they may be involved in the implementation or management of the database security. QUESTION 8 A client asked a security company to provide a document outlining the project, the cost, and the completion time frame. Which of the following documents should the company provide to the client? A. MSA B. SLA C. BPA D. SOW Answer: D Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 4 https://www.passleader.com Explanation: An ISOW is a document that outlines the project, the cost, and the completion time frame for a security company to provide a service to a client. ISOW stands for Information Security Operations Work, and it is a type of contract that specifies the scope, deliverables, milestones, and payment terms of a security project. An ISOW is usually used for one-time or short-term projects that have a clear and defined objective and outcome. For example, an ISOW can be used for a security assessment, a penetration test, a security audit, or a security training. The other options are not correct because they are not documents that outline the project, the cost, and the completion time frame for a security company to provide a service to a client. A MSA is a master service agreement, which is a type of contract that establishes the general terms and conditions for a long-term or ongoing relationship between a security company and a client. A MSA does not specify the details of each individual project, but rather sets the framework for future projects that will be governed by separate statements of work (SOWs). A SLA is a service level agreement, which is a type of contract that defines the quality and performance standards for a security service provided by a security company to a client. A SLA usually includes the metrics, targets, responsibilities, and penalties for measuring and ensuring the service level. A BPA is a business partnership agreement, which is a type of contract that establishes the roles and expectations for a strategic alliance between two or more security companies that collaborate to provide a joint service to a client. A BPA usually covers the objectives, benefits, risks, and obligations of the partnership. QUESTION 9 A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability? A. Secure cookies B. Version control C. Input validation D. Code signing Answer: C Explanation: Input validation is a technique that checks the user input for any malicious or unexpected data before processing it by the web application. Input validation can prevent cross-site scripting (XSS) attacks, which exploit the vulnerability of a web application to execute malicious scripts in the browser of a victim. XSS attacks can compromise the confidentiality, integrity, and availability of the web application and its users. Input validation can be implemented on both the client-side and the server-side, but server-side validation is more reliable and secure. Input validation can use various methods, such as whitelisting, blacklisting, filtering, escaping, encoding, and sanitizing the input data. QUESTION 10 Which of the following must be considered when designing a high-availability network? (Choose two). A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness E. Attack surface Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 5 https://www.passleader.com F. Extensible authentication Answer: AD QUESTION 11 A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first? A. Air gap the system. B. Move the system to a different network segment. C. Create a change control request. D. Apply the patch to the system. Answer: C Explanation: A change control request is a document that describes the proposed change to a system, the reason for the change, the expected impact, the approval process, the testing plan, the implementation plan, the rollback plan, and the communication plan. A change control request is a best practice for applying any patch to a production system, especially a high-priority one, as it ensures that the change is authorized, documented, tested, and communicated. A change control request also minimizes the risk of unintended consequences, such as system downtime, data loss, or security breaches. QUESTION 12 Which of the following describes the reason root cause analysis should be conducted as part of incident response? A. To gather loCs for the investigation B. To discover which systems have been affected C. To eradicate any trace of malware on the network D. To prevent future incidents of the same nature Answer: D Explanation: Root cause analysis is a process of identifying and resolving the underlying factors that led to an incident. By conducting root cause analysis as part of incident response, security professionals can learn from the incident and implement corrective actions to prevent future incidents of the same nature. For example, if the root cause of a data breach was a weak password policy, the security team can enforce a stronger password policy and educate users on the importance of password security. Root cause analysis can also help to improve security processes, policies, and procedures, and to enhance security awareness and culture within the organization. Root cause analysis is not meant to gather loCs (indicators of compromise) for the investigation, as this is a task performed during the identification and analysis phases of incident response. Root cause analysis is also not meant to discover which systems have been affected or to eradicate any trace of malware on the network, as these are tasks performed during the containment and eradication phases of incident response. QUESTION 13 Which of the following is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment? Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 6 https://www.passleader.com A. Fines B. Audit findings C. Sanctions D. Reputation damage Answer: A Explanation: What are the consequences of not being PCI DSS compliant? The fines imposed by the Card Brands and Acquiring Banks on merchants for non-compliance can range from $5,000 to $100,000 per month. These fines, along with credit monitoring fees, can impose substantial financial strain on businesses, underscoring the necessity of abiding by the PCI DSS requirements. QUESTION 14 A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step? A. Capacity planning B. Redundancy C. Geographic dispersion D. Tablet exercise Answer: A Explanation: Capacity planning is the process of determining the resources needed to meet the current and future demands of an organization. Capacity planning can help a company develop a business continuity strategy by estimating how many staff members would be required to sustain the business in the case of a disruption, such as a natural disaster, a cyberattack, or a pandemic. Capacity planning can also help a company optimize the use of its resources, reduce costs, and improve performance. QUESTION 15 A company's legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access? A. Data masking B. Encryption C. Geolocation policy D. Data sovereignty regulation Answer: C Explanation: A geolocation policy is a policy that restricts or allows access to data or resources based on the geographic location of the user or device. A geolocation policy can be implemented using various methods, such as IP address filtering, GPS tracking, or geofencing. A geolocation policy can help the company's legal department to prevent unauthorized access to sensitive documents from individuals in high-risk countries. QUESTION 16 Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 7 https://www.passleader.com Which of the following is a hardware-specific vulnerability? A. Firmware version B. Buffer overflow C. SQL injection D. Cross-site scripting Answer: A Explanation: Firmware is a type of software that is embedded in a hardware device, such as a router, a printer, or a BIOS chip. Firmware controls the basic functions and operations of the device, and it can be updated or modified by the manufacturer or the user. Firmware version is a hardware-specific vulnerability, as it can expose the device to security risks if it is outdated, corrupted, or tampered with. An attacker can exploit firmware vulnerabilities to gain unauthorized access, modify device settings, install malware, or cause damage to the device or the network. Therefore, it is important to keep firmware updated and verify its integrity and authenticity. QUESTION 17 While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue? A. Documenting the new policy in a change request and submitting the request to change management B. Testing the policy in a non-production environment before enabling the policy in the production network C. Disabling any intrusion prevention signatures on the 'deny any' policy prior to enabling the new policy D. Including an 'allow any1 policy above the 'deny any' policy Answer: B QUESTION 18 An organization is building a new backup data center with cost-benefit as the primary requirement and RTO and RPO values around two days. Which of the following types of sites is the best for this scenario? A. Real-time recovery B. Hot C. Cold D. Warm Answer: D Explanation: Warm Sites - Not fully equipped, but fundamentals in place - Can be up and running within a few days - Cheaper than hot sites but with a slight delay Cold Sites - Fewer facilities than warm sites Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 8 https://www.passleader.com - May be just an empty building, ready in 1-2 months - Cost-effective but adds more recovery time QUESTION 19 A company requires hard drives to be securely wiped before sending decommissioned systems to recycling. Which of the following best describes this policy? A. Enumeration B. Sanitization C. Destruction D. Inventory Answer: B Explanation: Sanitization is the process of removing sensitive data from a storage device or a system before it is disposed of or reused. Sanitization can be done by using software tools or hardware devices that overwrite the data with random patterns or zeros, making it unrecoverable. Sanitization is different from destruction, which is the physical damage of the storage device to render it unusable. Sanitization is also different from enumeration, which is the identification of network resources or devices, and inventory, which is the tracking of assets and their locations. The policy of securely wiping hard drives before sending decommissioned systems to recycling is an example of sanitization, as it ensures that no confidential data can be retrieved from the recycled devices. QUESTION 20 A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data? A. Private B. Critical C. Sensitive D. Public Answer: C QUESTION 21 A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of the following should the hosting provider consider first? A. Local data protection regulations B. Risks from hackers residing in other countries C. Impacts to existing contractual obligations D. Time zone differences in log correlation Answer: A Explanation: Local data protection regulations are the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations. Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different countries or regions may have different data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 9 https://www.passleader.com Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States. A cloud-hosting provider must comply with the local data protection regulations of the countries or regions where it operates or serves customers, or else it may face legal penalties, fines, or reputational damage. Therefore, a cloud-hosting provider should research and understand the local data protection regulations of the new international locations before expanding its data centers there. QUESTION 22 Which of the following would be the best way to block unknown programs from executing? A. Access control list B. Application allow list. C. Host-based firewall D. DLP solution Answer: B Explanation: An application allow list is a security technique that specifies which applications are permitted to run on a system or a network. An application allow list can block unknown programs from executing by only allowing the execution of programs that are explicitly authorized and verified. An application allow list can prevent malware, unauthorized software, or unwanted applications from running and compromising the security of the system or the network. The other options are not the best ways to block unknown programs from executing: Access control list: This is a security technique that specifies which users or groups are granted or denied access to a resource or an object. An access control list can control the permissions and privileges of users or groups, but it does not directly block unknown programs from executing. Host-based firewall: This is a security device that monitors and filters the incoming and outgoing network traffic on a single host or system. A host-based firewall can block or allow network connections based on predefined rules, but it does not directly block unknown programs from executing. DLP solution: This is a security system that detects and prevents the unauthorized transmission or leakage of sensitive data. A DLP solution can protect the confidentiality and integrity of data, but it does not directly block unknown programs from executing. QUESTION 23 A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity? A. White B. Purple C. Blue D. Red Answer: D Explanation: A red team is a group of security professionals who perform offensive security assessments covering penetration testing and social engineering. A red team simulates real-world attacks and exploits the vulnerabilities of a target organization, system, or network. A red team aims to test the effectiveness of the security controls, policies, and procedures of the target, as well as the awareness and response of the staff and the blue team. A red team can be hired as an external consultant or formed internally within the organization. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 10 https://www.passleader.com QUESTION 24 A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate? A. Testing input validation on the user input fields B. Performing code signing on company-developed software C. Performing static code analysis on the software D. Ensuring secure cookies are use Answer: B Explanation: Code signing is a technique that uses cryptography to verify the authenticity and integrity of the code created by the company. Code signing involves applying a digital signature to the code using a private key that only the company possesses. The digital signature can be verified by anyone who has the corresponding public key, which can be distributed through a trusted certificate authority. Code signing can prevent unauthorized modifications, tampering, or malware injection into the code, and it can also assure the users that the code is from a legitimate source. QUESTION 25 Which of the following can be used to identify potential attacker activities without affecting production servers? A. Honey pot B. Video surveillance C. Zero Trust D. Geofencing Answer: A Explanation: A honey pot is a system or a network that is designed to mimic a real production server and attract potential attackers. A honey pot can be used to identify the attacker's methods, techniques, and objectives without affecting the actual production servers. A honey pot can also divert the attacker's attention from the real targets and waste their time and resources. The other options are not effective ways to identify potential attacker activities without affecting production servers: Video surveillance: This is a physical security technique that uses cameras and monitors to record and observe the activities in a certain area. Video surveillance can help to deter, detect, and investigate physical intrusions, but it does not directly identify the attacker's activities on the network or the servers. Zero Trust: This is a security strategy that assumes that no user, device, or network is trustworthy by default and requires strict verification and validation for every request and transaction. Zero Trust can help to improve the security posture and reduce the attack surface of an organization, but it does not directly identify the attacker's activities on the network or the servers. Geofencing: This is a security technique that uses geographic location as a criterion to restrict or allow access to data or resources. Geofencing can help to protect the data sovereignty and compliance of an organization, but it does not directly identify the attacker's activities on the network or the servers. QUESTION 26 During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process? Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 11 https://www.passleader.com A. Analysis B. Lessons learned C. Detection D. Containment Answer: A Explanation: Analysis is the incident response activity that describes the process of understanding the source of an incident. Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor's motives and capabilities. Analysis helps the incident response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents. Analysis is usually performed after detection and before containment, eradication, recovery, and lessons learned. QUESTION 27 A security practitioner completes a vulnerability assessment on a company's network and finds several vulnerabilities, which the operations team remediates. Which of the following should be done next? A. Conduct an audit. B. Initiate a penetration test. C. Rescan the network. D. Submit a report. Answer: C QUESTION 28 An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device. Which of the following best describes the user's activity? A. Penetration testing B. Phishing campaign C. External audit D. Insider threat Answer: D Explanation: An insider threat is a security risk that originates from within the organization, such as an employee, contractor, or business partner, who has authorized access to the organization's data and systems. An insider threat can be malicious, such as stealing, leaking, or sabotaging sensitive data, or unintentional, such as falling victim to phishing or social engineering. An insider threat can cause significant damage to the organization's reputation, finances, operations, and legal compliance. The user's activity of logging in remotely after hours and copying large amounts of data to a personal device is an example of a malicious insider threat, as it violates the organization's security policies and compromises the confidentiality and integrity of the data. QUESTION 29 Which of the following allows for the attribution of messages to individuals? A. Adaptive identity Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 12 https://www.passleader.com B. Non-repudiation C. Authentication D. Access logs Answer: B Explanation: Non-repudiation is the ability to prove that a message or document was sent or signed by a particular person, and that the person cannot deny sending or signing it. Non-repudiation can be achieved by using cryptographic techniques, such as hashing and digital signatures, that can verify the authenticity and integrity of the message or document. Non-repudiation can be useful for legal, financial, or contractual purposes, as it can provide evidence of the origin and content of the message or document. QUESTION 30 Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified? A. Automation B. Compliance checklist C. Attestation D. Manual audit Answer: A QUESTION 31 Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer's PII? A. SCAP B. Net Flow C. Antivirus D. DLP Answer: D Explanation: DLP stands for Data Loss Prevention, which is a tool that can assist with detecting and preventing the unauthorized transmission or leakage of sensitive data, such as a customer's PII (Personally Identifiable Information). DLP can monitor, filter, and block data in motion (such as emails), data at rest (such as files), and data in use (such as applications). DLP can also alert the sender, the recipient, or the administrator of the data breach, and apply remediation actions, such as encryption, quarantine, or deletion. DLP can help an organization comply with data protection regulations, such as GDPR, HIPAA, or PCI DSS, and protect its reputation and assets. QUESTION 32 An organization recently updated its security policy to include the following statement: Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and ? from variables set by forms in a web application. Which of the following best explains the security technique the organization adopted by making this addition to the policy? Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 13 https://www.passleader.com A. Identify embedded keys B. Code debugging C. Input validation D. Static code analysis Answer: C QUESTION 33 A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do? A. Place posters around the office to raise awareness of common phishing activities. B. Implement email security filters to prevent phishing emails from being delivered C. Update the EDR policies to block automatic execution of downloaded programs. D. Create additional training for users to recognize the signs of phishing attempts. Answer: C Explanation: An endpoint detection and response (EDR) system is a security tool that monitors and analyzes the activities and behaviors of endpoints, such as computers, laptops, mobile devices, and servers. An EDR system can detect, prevent, and respond to various types of threats, such as malware, ransomware, phishing, and advanced persistent threats (APTs). One of the features of an EDR system is to block the automatic execution of downloaded programs, which can prevent malicious code from running on the endpoint when a user clicks on a link in a phishing message. This can reduce the impact of a phishing attack and protect the endpoint from compromise. Updating the EDR policies to block automatic execution of downloaded programs is a technical control that can mitigate the risk of phishing, regardless of the user's awareness or behavior. Therefore, this is the best answer among the given options. The other options are not as effective as updating the EDR policies, because they rely on administrative or physical controls that may not be sufficient to prevent or stop a phishing attack. Placing posters around the office to raise awareness of common phishing activities is a physical control that can increase the user's knowledge of phishing, but it may not change their behavior or prevent them from clicking on a link in a phishing message. Implementing email security filters to prevent phishing emails from being delivered is an administrative control that can reduce the exposure to phishing, but it may not be able to block all phishing emails, especially if they are crafted to bypass the filters. Creating additional training for users to recognize the signs of phishing attempts is an administrative control that can improve the user's skills of phishing detection, but it may not guarantee that they will always be vigilant or cautious when receiving an email. Therefore, these options are not the best answer for this question. QUESTION 34 Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses? A. Compensating control B. Network segmentation C. Transfer of risk D. SNMP traps Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 14 https://www.passleader.com Answer: A Explanation: A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or a weakness that cannot be resolved by the primary control. A compensating control does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or impact of an attack. A host-based firewall on a legacy Linux system that allows connections from only specific internal IP addresses is an example of a compensating control, as it can limit the exposure of the system to potential threats from external or unauthorized sources. A host-based firewall is a software application that monitors and filters the incoming and outgoing network traffic on a single host, based on a set of rules or policies. A legacy Linux system is an older version of the Linux operating system that may not be compatible with the latest security updates or patches, and may have known vulnerabilities or weaknesses that could be exploited by attackers. QUESTION 35 The management team notices that new accounts that are set up manually do not always have correct access or permissions. Which of the following automation techniques should a systems administrator use to streamline account creation? A. Guard rail script B. Ticketing workflow C. Escalation script D. User provisioning script Answer: D Explanation: A user provisioning script is an automation technique that uses a predefined set of instructions or commands to create, modify, or delete user accounts and assign appropriate access or permissions. A user provisioning script can help to streamline account creation by reducing manual errors, ensuring consistency and compliance, and saving time and resources. The other options are not automation techniques that can streamline account creation: Guard rail script: This is a script that monitors and enforces the security policies and rules on a system or a network. A guard rail script can help to prevent unauthorized or malicious actions, such as changing security settings, accessing restricted resources, or installing unwanted software. Ticketing workflow: This is a process that tracks and manages the requests, issues, or incidents that are reported by users or customers. A ticketing workflow can help to improve the communication, collaboration, and resolution of problems, but it does not automate the account creation process. Escalation script: This is a script that triggers an alert or a notification when a certain condition or threshold is met or exceeded. An escalation script can help to inform the relevant parties or authorities of a critical situation, such as a security breach, a performance degradation, or a service outage. QUESTION 36 A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up? A. Corrective B. Preventive C. Detective D. Deterrent Answer: C Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 15 https://www.passleader.com Explanation: A detective control is a type of control that monitors and analyzes the events and activities in a system or a network, and alerts or reports when an incident or a violation occurs. A SIEM (Security Information and Event Management) system is a tool that collects, correlates, and analyzes the logs from various sources, such as firewalls, routers, servers, or applications, and provides a centralized view of the security status and incidents. An analyst who reviews the logs on a weekly basis can identify and investigate any anomalies, trends, or patterns that indicate a potential threat or a breach. A detective control can help the company to respond quickly and effectively to the incidents, and to improve its security posture and resilience. QUESTION 37 A systems administrator is looking for a low-cost application-hosting solution that is cloud-based. Which of the following meets these requirements? A. Serverless framework B. Type 1 hvpervisor C. SD-WAN D. SDN Answer: A QUESTION 38 A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future? A. Tuning B. Aggregating C. Quarantining D. Archiving Answer: A Explanation: Tuning is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false negatives. Tuning can help to filter out the normal or benign activity that is detected by the security tool or system, and focus on the malicious or anomalous activity that requires further investigation or response. Tuning can also help to improve the efficiency and effectiveness of the security operations center by reducing the workload and alert fatigue of the analysts. Tuning is different from aggregating, which is the activity of collecting and combining data from multiple sources or sensors to provide a comprehensive view of the security posture. Tuning is also different from quarantining, which is the activity of isolating a potentially infected or compromised device or system from the rest of the network to prevent further damage or spread. Tuning is also different from archiving, which is the activity of storing and preserving historical data or records for future reference or compliance. The act of ignoring detected activity in the future that is deemed normal by the security operations center is an example of tuning, as it involves modifying the settings or rules of the security tool or system to exclude the activity from the detection scope. Therefore, this is the best answer among the given options. QUESTION 39 A security analyst reviews domain activity logs and notices the following: Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 16 https://www.passleader.com Which of the following is the best explanation for what the security analyst has discovered? A. The user jsmith's account has been locked out. B. A keylogger is installed on jsmith's workstation C. An attacker is attempting to brute force jsmith's account. D. Ransomware has been deployed in the domain. Answer: C Explanation: Brute force is a type of attack that tries to guess the password or other credentials of a user account by using a large number of possible combinations. An attacker can use automated tools or scripts to perform a brute force attack and gain unauthorized access to the account. The domain activity logs show that the user ismith has failed to log in 10 times in a row within a short period of time, which is a strong indicator of a brute force attack. The logs also show that the source IP address of the failed logins is different from the usual IP address of ismith, which suggests that the attacker is using a different device or location to launch the attack. The security analyst should take immediate action to block the attacker's IP address, reset ismith's password, and notify ismith of the incident. QUESTION 40 A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider? A. Clustering servers B. Geographic dispersion C. Load balancers D. Off-site backups Answer: B Explanation: Geographic dispersion is a strategy that involves distributing the servers or data centers across different geographic locations. Geographic dispersion can help the company to mitigate the risk of weather events causing damage to the server room and downtime, as well as improve the availability, performance, and resilience of the network. Geographic dispersion can also enhance the disaster recovery and business continuity capabilities of the company, as it can provide backup and failover options in case of a regional outage or disruption. The other options are not the best ways to address the company's concern: Clustering servers: This is a technique that involves grouping multiple servers together to act as a single system. Clustering servers can help to improve the performance, scalability, and fault tolerance of the network, but it does not protect the servers from physical damage or downtime caused by weather events, especially if the servers are located in the same room or building. Load balancers: These are devices or software that distribute the network traffic or workload among multiple servers or resources. Load balancers can help to optimize the utilization, efficiency, and reliability of the network, but they do not prevent the servers from being damaged or disrupted by weather events, especially if the servers are located in the same room or building. Off-site backups: These are copies of data or files that are stored in a different location than the original source. Off-site backups can help to protect the data from being lost or corrupted by Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 17 https://www.passleader.com weather events, but they do not prevent the servers from being damaged or disrupted by weather events, nor do they ensure the availability or continuity of the network services. QUESTION 41 Which of the following is a primary security concern for a company setting up a BYOD program? A. End of life B. Buffer overflow C. VM escape D. Jailbreaking Answer: D Explanation: Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device) program. Jailbreaking is the process of removing the manufacturer's or the carrier's restrictions on a device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of service of the device, and make it incompatible with the company's security policies and standards. Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device compliance and encryption. QUESTION 42 A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks. Which of the following analysis elements did the company most likely use in making this decision? A. IMTTR B. RTO C. ARO D. MTBF Answer: C QUESTION 43 Which of the following is the most likely to be included as an element of communication in a security awareness program? A. Reporting phishing attempts or other suspicious activities B. Detecting insider threats using anomalous behavior recognition C. Verifying information when modifying wire transfer data D. Performing social engineering as part of third-party penetration testing Answer: A QUESTION 44 Hotspot Question Select the appropriate attack and remediation from each drop-down list to label the corresponding Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 18 https://www.passleader.com attack with its remediation. INSTRUCTIONS Not all attacks and remediation actions will be used. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 19 https://www.passleader.com Answer: Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 20 https://www.passleader.com QUESTION 45 Hotspot Question You are a security administrator investigating a potential infection on a network. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 21 https://www.passleader.com INSTRUCTIONS Click on each host and firewall. Review all logs to determine which host originated the infection and then identify if each remaining host is clean or infected. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 22 https://www.passleader.com Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 23 https://www.passleader.com Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 24 https://www.passleader.com Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 25 https://www.passleader.com Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 26 https://www.passleader.com Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 27 https://www.passleader.com Answer: Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 28 https://www.passleader.com QUESTION 46 Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address? A. VM escape B. SQL injection C. Buffer overflow D. Race condition Answer: C Explanation: A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker control over the system. By doing so, the attacker can bypass the normal execution flow of the application and execute arbitrary commands. QUESTION 47 Which of the following would be the best way to handle a critical business application that is running on a legacy server? A. Segmentation B. Isolation Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 29 https://www.passleader.com C. Hardening D. Decommissioning Answer: A Explanation: The device is STILL running a critical application. therefore it needs to be connected to the network. a compensating mechanism for this scenario would be segmentation as this would limit the ability of an attacker to pivot from the vulnerable server to the rest of the network.as possible. QUESTION 48 Which of the following describes the process of concealing code or text inside a graphical image? A. Symmetric encryption B. Hashing C. Data masking D. Steganography Answer: D Explanation: Steganography is the process of hiding information within another medium, such as an image, audio, video, or text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted by using a specific technique or key. Steganography can be used for various purposes, such as concealing secret messages, watermarking, or evading detection by antivirus software. QUESTION 49 After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take? A. Retain the emails between the security team and affected customers for 30 days. B. Retain any communications related to the security breach until further notice. C. Retain any communications between security members during the breach response. D. Retain all emails from the company to affected customers for an indefinite period of time. Answer: B Explanation: A legal hold (also known as a litigation hold) is a notification sent from an organization's legal team to employees instructing them not to delete electronically stored information (ESI) or discard paper documents that may be relevant to a new or imminent legal case. A legal hold is intended to preserve evidence and prevent spoliation, which is the intentional or negligent destruction of evidence that could harm a party's case. A legal hold can be triggered by various events, such as a lawsuit, a regulatory investigation, or a subpoena. In this scenario, the company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit filed by the customers after the company was compromised. This means that the security team will most likely be required to retain any communications related to the security breach until further notice. This could include emails, instant messages, reports, logs, memos, or any other documents that could be relevant to the lawsuit. The security team should also inform the relevant custodians (the employees who have access to or control over the ESI) of their preservation obligations and monitor their compliance. The security team should also document the legal hold process and its scope, as well as take steps to protect the ESI from alteration, deletion, or loss. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 30 https://www.passleader.com QUESTION 50 A network manager wants to protect the company's VPN by implementing multifactor authentication that uses: - Something you know - Something you have - Something you are Which of the following would accomplish the manager's goal? A. Domain name, PKI, GeolP lookup B. VPN IP address, company ID, facial structure C. Password, authentication token, thumbprint D. Company URL, TLS certificate, home address Answer: C QUESTION 51 A security manager created new documentation to use in response to various types of security incidents. Which of the following is the next step the manager should take? A. Set the maximum data retention policy. B. Securely store the documents on an air-gapped network. C. Review the documents' data classification policy. D. Conduct a tabletop exercise with the team. Answer: D Explanation: A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response plan. It involves gathering the relevant stakeholders and walking through the steps of the plan, identifying any gaps or issues that need to be addressed. A tabletop exercise is a good way to validate the documentation created by the security manager and ensure that the team is prepared for various types of security incidents. QUESTION 52 Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. Which of the following changes would allow users to access the site? A. Creating a firewall rule to allow HTTPS traffic B. Configuring the IPS to allow shopping C. Tuning the DLP rule that detects credit card data D. Updating the categorization in the content filter Answer: D Explanation: A content filter is a device or software that blocks or allows access to web content based on predefined rules or categories. In this case, the new retail website is mistakenly categorized as gambling by the content filter, which prevents users from accessing it. To resolve this issue, the content filter's categorization needs to be updated to reflect the correct category of the website, Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 31 https://www.passleader.com such as shopping or retail. This will allow the content filter to allow access to the website instead of blocking it. QUESTION 53 An administrator discovers that some files on a database server were recently encrypted. The administrator sees from the security logs that the data was last accessed by a domain user. Which of the following best describes the type of attack that occurred? A. Insider threat B. Social engineering C. Watering-hole D. Unauthorized attacker Answer: A Explanation: An insider threat is a type of attack that originates from someone who has legitimate access to an organization's network, systems, or data. In this case, the domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage. QUESTION 54 Which of the following automation use cases would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company? A. Provisioning resources B. Disabling access C. Reviewing change approvals D. Escalating permission requests Answer: B Explanation: Disabling access is an automation use case that would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company. Disabling access is the process of revoking or suspending the access rights of a user account, such as login credentials, email, VPN, cloud services, etc. Disabling access can prevent unauthorized or malicious use of the account by former employees or attackers who may have compromised the account. Disabling access can also reduce the attack surface and the risk of data breaches or leaks. Disabling access can be automated by using scripts, tools, or workflows that can trigger the action based on predefined events, such as employee termination, resignation, or transfer. Automation can ensure that the access is disabled in a timely, consistent, and efficient manner, without relying on manual intervention or human error. QUESTION 55 Which of the following must be considered when designing a high-availability network? (Select two). A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 32 https://www.passleader.com E. Attack surface F. Extensible authentication Answer: AE Explanation: A high-availability network is a network that is designed to minimize downtime and ensure continuous operation of critical services and applications. To achieve this goal, a high-availability network must consider two important factors: ease of recovery and attack surface. Ease of recovery refers to the ability of a network to quickly restore normal functionality after a failure, disruption, or disaster. A high-availability network should have mechanisms such as redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a complete network outage. A high-availability network should also have procedures and policies for incident response, disaster recovery, and business continuity to minimize the impact of any network issue on the organization's operations and reputation. Attack surface refers to the exposure of a network to potential threats and vulnerabilities. A high- availability network should have measures such as encryption, authentication, authorization, firewall, intrusion detection and prevention, and patch management to protect the network from unauthorized access, data breaches, malware, denial-of-service attacks, and other cyberattacks. A high-availability network should also have processes and tools for risk assessment, threat intelligence, vulnerability scanning, and penetration testing to identify and mitigate any weaknesses or gaps in the network security. QUESTION 56 Which of the following methods to secure credit card data is best to use when a requirement is to see only the last four numbers on a credit card? A. Encryption B. Hashing C. Masking D. Tokenization Answer: C Explanation: Masking is a method to secure credit card data that involves replacing some or all of the digits with symbols, such as asterisks, dashes, or Xs, while leaving some of the original digits visible. Masking is best to use when a requirement is to see only the last four numbers on a credit card, as it can prevent unauthorized access to the full card number, while still allowing identification and verification of the cardholder. Masking does not alter the original data, unlike encryption, hashing, or tokenization, which use algorithms to transform the data into different formats. QUESTION 57 An administrator finds that all user workstations and servers are displaying a message that is associated with files containing an extension of.ryk. Which of the following types of infections is present on the systems? A. Virus B. Trojan C. Spyware D. Ransomware Answer: D Explanation: Ransomware is a type of malware that encrypts the victim's files and demands a ransom for the Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 33 https://www.passleader.com decryption key. The ransomware usually displays a message on the infected system with instructions on how to pay the ransom and recover the files. The.ryk extension is associated with a ransomware variant called Ryuk, which targets large organizations and demands high ransoms. QUESTION 58 A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies. Which of the following is the most important consideration during development? A. Scalability B. Availability C. Cost D. Ease of deployment Answer: B Explanation:Availability is the ability of a system or service to be accessible and usable when needed. For a web application that allows individuals to digitally report health emergencies, availability is the most important consideration during development, because any downtime or delay could have serious consequences for the health and safety of the users. The web application should be designed to handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of failures. QUESTION 59 Which of the following is the best reason to complete an audit in a banking environment? A. Regulatory requirement B. Organizational change C. Self-assessment requirement D. Service-level requirement Answer: A Explanation: A regulatory requirement is a mandate imposed by a government or an authority that must be followed by an organization or an individual. In a banking environment, audits are often required by regulators to ensure compliance with laws, standards, and policies related to security, privacy, and financial reporting. Audits help to identify and correct any gaps or weaknesses in the security posture and the internal controls of the organization. QUESTION 60 A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first? A. Block access to cloud storage websites. B. Create a rule to block outgoing email attachments. C. Apply classifications to the data. D. Remove all user permissions from shares on the file server. Answer: C Explanation: Data classification is the process of assigning labels or tags to data based on its sensitivity, value, and risk. Data classification is the first step in a data loss prevention (DLP) solution, as it helps to Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 34 https://www.passleader.com identify what data needs to be protected and how. By applying classifications to the data, the security administrator can define appropriate policies and rules for the DLP solution to prevent the exfiltration of sensitive customer data. QUESTION 61 Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system? A. SIEM B. DLP C. IDS D. SNMP Answer: A Explanation: SIEM stands for Security Information and Event Management. It is a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system. SIEM can analyze the collected data, correlate events, generate alerts, and provide reports and dashboards. SIEM can also integrate with other security tools and support compliance requirements. SIEM helps organizations to detect and respond to cyber threats, improve security posture, and reduce operational costs. QUESTION 62 Which of the following are cases in which an engineer should recommend the decommissioning of a network device? (Select two). A. The device has been moved from a production environment to a test environment. B. The device is configured to use cleartext passwords. C. The device is moved to an isolated segment on the enterprise network. D. The device is moved to a different location in the enterprise. E. The device's encryption level cannot meet organizational standards. F. The device is unable to receive authorized updates. Answer: BE Explanation: B. The device is configured to use cleartext passwords. This is a major security vulnerability and poses a significant risk of unauthorized access. Devices using cleartext passwords should be decommissioned and replaced with devices using secure authentication methods. E. The device's encryption level cannot meet organizational standards. If the device cannot encrypt data to the required level, it compromises the confidentiality of sensitive information and should be decommissioned. Organizational security policies should dictate the minimum acceptable encryption level for network devices. QUESTION 63 An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out? A. Compromise B. Retention C. Analysis Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 35 https://www.passleader.com D. Transfer E. Inventory Answer: B Explanation: A data retention policy is a set of rules that defines how long data should be stored and when it should be deleted or archived. An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period by following the data retention policy of the organization. This policy helps the organization to comply with legal and regulatory requirements, optimize storage space, and protect data privacy and security. QUESTION 64 A systems administrator is working on a solution with the following requirements: - Provide a secure zone. - Enforce a company-wide access control policy. - Reduce the scope of threats. Which of the following is the systems administrator setting up? A. Zero Trust B. AAA C. Non-repudiation D. CIA Answer: A Explanation: Zero Trust is a security model that assumes no trust for any entity inside or outside the network perimeter and requires continuous verification of identity and permissions. Zero Trust can provide a secure zone by isolating and protecting sensitive data and resources from unauthorized access. Zero Trust can also enforce a company-wide access control policy by applying the principle of least privilege and granular segmentation for users, devices, and applications. Zero Trust can reduce the scope of threats by preventing lateral movement and minimizing the attack surface. QUESTION 65 A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal? A. SPF B. GPO C. NAC D. FIM Answer: D Explanation: FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes or modifications to files, directories, or registry keys. FIM can help a security administrator track any unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the data. FIM can also alert the administrator of any potential breaches or incidents involving the data. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 36 https://www.passleader.com QUESTION 66 Which of the following is the phase in the incident response process when a security analyst reviews roles and responsibilities? A. Preparation B. Recovery C. Lessons learned D. Analysis Answer: A Explanation: Preparation is the phase in the incident response process when a security analyst reviews roles and responsibilities, as well as the policies and procedures for handling incidents. Preparation also involves gathering and maintaining the necessary tools, resources, and contacts for responding to incidents. Preparation can help a security analyst to be ready and proactive when an incident occurs, as well as to reduce the impact and duration of the incident. Some of the activities that a security analyst performs during the preparation phase are: QUESTION 67 A company is discarding a classified storage array and hires an outside vendor to complete the disposal. Which of the following should the company request from the vendor? A. Certification B. Inventory list C. Classification D. Proof of ownership Answer: A Explanation: The company should request a certification from the vendor that confirms the storage array has been disposed of securely and in compliance with the company's policies and standards. A certification provides evidence that the vendor has followed the proper procedures and methods to destroy the classified data and prevent unauthorized access or recovery. A certification may also include details such as the date, time, location, and method of disposal, as well as the names and signatures of the personnel involved. QUESTION 68 Which of the following would be the best ways to ensure only authorized personnel can access a secure facility? (Select two). A. Fencing B. Video surveillance C. Badge access D. Access control vestibule E. Sign-in sheet F. Sensor Answer: CD Explanation: Badge access and access control vestibule are two of the best ways to ensure only authorized Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 37 https://www.passleader.com personnel can access a secure facility. Badge access requires the personnel to present a valid and authenticated badge to a reader or scanner that grants or denies access based on predefined rules and permissions. Access control vestibule is a physical security measure that consists of a small room or chamber with two doors, one leading to the outside and one leading to the secure area. The personnel must enter the vestibule and wait for the first door to close and lock before the second door can be opened. This prevents tailgating or piggybacking by unauthorized individuals. QUESTION 69 A company's marketing department collects, modifies, and stores sensitive customer data. The infrastructure team is responsible for securing the data while in transit and at rest. Which of the following data roles describes the customer? A. Processor B. Custodian C. Subject D. Owner Answer: C QUESTION 70 Malware spread across a company's network after an employee visited a compromised industry blog. Which of the following best describes this type of attack? A. Impersonation B. Disinformation C. Watering-hole D. Smishing Answer: C Explanation: A watering-hole attack is a type of cyberattack that targets groups of users by infecting websites that they commonly visit. The attackers exploit vulnerabilities to deliver a malicious payload to the organization's network. The attack aims to infect users' computers and gain access to a connected corporate network. The attackers target websites known to be popular among members of a particular organization or demographic. The attack differs from phishing and spear- phishing attacks, which typically attempt to steal data or install malware onto users' devices1 In this scenario, the compromised industry blog is the watering hole that the attackers used to spread malware across the company's network. The attackers likely chose this blog because they knew that the employees of the company were interested in its content and visited it frequently. The attackers may have injected malicious code into the blog or redirected the visitors to a spoofed website that hosted the malware. The malware then infected the employees' computers and propagated to the network. QUESTION 71 After a recent ransomware attack on a company's system, an administrator reviewed the log files. Which of the following control types did the administrator use? A. Compensating B. Detective C. Preventive Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 38 https://www.passleader.com D. Corrective Answer: B Explanation: Detective controls are security measures that are designed to identify and monitor any malicious activity or anomalies on a system or network. They can help to discover the source, scope, and impact of an attack, and provide evidence for further analysis or investigation. Detective controls include log files, security audits, intrusion detection systems, network monitoring tools, and antivirus software. In this case, the administrator used log files as a detective control to review the ransomware attack on the company's system. Log files are records of events and activities that occur on a system or network, such as user actions, system errors, network traffic, and security alerts. They can provide valuable information for troubleshooting, auditing, and forensics. QUESTION 72 Which of the following agreement types defines the time frame in which a vendor needs to respond? A. SOW B. SLA C. MOA D. MOU Answer: B Explanation: A service level agreement (SLA) is a type of agreement that defines the expectations and responsibilities between a service provider and a customer. It usually includes the quality, availability, and performance metrics of the service, as well as the time frame in which the provider needs to respond to service requests, incidents, or complaints. An SLA can help ensure that the customer receives the desired level of service and that the provider is accountable for meeting the agreed-upon standards. QUESTION 73 A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal? A. Logging all NetFlow traffic into a SIEM B. Deploying network traffic sensors on the same subnet as the servers C. Logging endpoint and OS-specific security logs D. Enabling full packet capture for traffic entering and exiting the servers Answer: D Explanation: Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation. Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 39 https://www.passleader.com QUESTION 74 A client demands at least 99.99% uptime from a service provider's hosted security services. Which of the following documents includes the information the service provider should return to the client? A. MOA B. SOW C. MOU D. SLA Answer: D Explanation: A service level agreement (SLA) is a document that defines the level of service expected by a customer from a service provider, indicating the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-upon levels not be achieved. An SLA can specify the minimum uptime or availability of a service, such as 99.99%, and the consequences for failing to meet that standard. A memorandum of agreement (MOA), a statement of work (SOW), and a memorandum of understanding (MOU) are other types of documents that can be used to establish a relationship between parties, but they do not typically include the details of service levels and performance metrics that an SLA does. QUESTION 75 A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing? A. Cross-site scripting B. Buffer overflow C. Jailbreaking D. Side loading Answer: C Explanation: Jailbreaking is the process of removing the restrictions imposed by the manufacturer or carrier on a mobile device, such as an iPhone or iPad. Jailbreaking allows users to install unauthorized applications, modify system settings, and access root privileges. However, jailbreaking also exposes the device to potential security risks, such as malware, spyware, unauthorized access, data loss, and voided warranty. Therefore, an organization may prohibit employees from jailbreaking their mobile devices to prevent these vulnerabilities and protect the corporate data and network. QUESTION 76 Which of the following practices would be best to prevent an insider from introducing malicious code into a company's development process? A. Code scanning for vulnerabilities B. Open-source component usage C. Quality assurance testing D. Peer review and approval Answer: D Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 40 https://www.passleader.com Explanation: Peer review and approval is a practice that involves having other developers or experts review the code before it is deployed or released. Peer review and approval can help detect and prevent malicious code, errors, bugs, vulnerabilities, and poor quality in the development process. Peer review and approval can also enforce coding standards, best practices, and compliance requirements. Peer review and approval can be done manually or with the help of tools, such as code analysis, code review, and code signing. QUESTION 77 A systems administrator is creating a script that would save time and prevent human error when performing account creation for a large number of end users. Which of the following would be a good use case for this task? A. Off-the-shelf software B. Orchestration C. Baseline D. Policy enforcement Answer: B Explanation: Orchestration is the process of automating multiple tasks across different systems and applications. It can help save time and reduce human error by executing predefined workflows and scripts. In this case, the systems administrator can use orchestration to create accounts for a large number of end users without having to manually enter their information and assign permissions. QUESTION 78 After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly? A. Group Policy B. Content filtering C. Data loss prevention D. Access control lists Answer: D Explanation: Access control lists (ACLs) are rules that specify which users or groups can access which resources on a file server. They can help restrict access to confidential data by granting or denying permissions based on the identity or role of the user. In this case, the administrator can use ACLs to quickly modify the access rights of the users and prevent them from accessing the data they are not authorized to see. QUESTION 79 A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO's report? A. Insider threat B. Hacktivist C. Nation-state Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 41 https://www.passleader.com D. Organized crime Answer: D Explanation: Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or services to other criminals who use them to launch attacks and extort money from victims. This is a typical example of organized crime, which is a group of criminals who work together to conduct illegal activities for profit. Organized crime is different from other types of threat actors, such as insider threats, hacktivists, or nation-states, who may have different motives, methods, or targets. QUESTION 80 A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture? A. Patch availability B. Product software compatibility C. Ease of recovery D. Cost of replacement Answer: A Explanation: End-of-life operating systems are those that are no longer supported by the vendor or manufacturer, meaning they do not receive any security updates or patches. This makes them vulnerable to exploits and attacks that take advantage of known or unknown flaws in the software. Patch availability is the security implication of using end-of-life operating systems, as it affects the ability to fix or prevent security issues. Other factors, such as product software compatibility, ease of recovery, or cost of replacement, are not directly related to security, but rather to functionality, availability, or budget. QUESTION 81 A company is developing a critical system for the government and storing project information on a fileshare. Which of the following describes how this data will most likely be classified? (Select two). A. Private B. Confidential C. Public D. Operational E. Urgent F. Restricted Answer: BF Explanation: Data classification is the process of assigning labels to data based on its sensitivity and business impact. Different organizations and sectors may have different data classification schemes, but a common one is the following: Public: Data that can be freely disclosed to anyone without any harm or risk. Private: Data that is intended for internal use only and may cause some harm or risk if disclosed. Confidential: Data that is intended for authorized use only and may cause significant harm or risk if disclosed. Restricted: Data that is intended for very limited use only and may cause severe harm or risk if Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 42 https://www.passleader.com disclosed. In this scenario, the company is developing a critical system for the government and storing project information on a fileshare. This data is likely to be classified as confidential and restricted, because it is not meant for public or private use, and it may cause serious damage to national security or public safety if disclosed. The government may also have specific requirements or regulations for handling such data, such as encryption, access control, and auditing. QUESTION 82 After reviewing the following vulnerability scanning report: A security analyst performs the following test: Which of the following would the security analyst conclude for this reported vulnerability? A. It is a false positive. B. A rescan is required. C. It is considered noise. D. Compensating controls exist. Answer: D QUESTION 83 A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access? A. EAP B. DHCP C. IPSec D. NAT Answer: C Explanation: IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 43 https://www.passleader.com used to create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and access control. A security consultant can use IPSec to gain secure, remote access to a client environment by establishing a VPN tunnel with the client's network. QUESTION 84 Which of the following best practices gives administrators a set period to perform changes to an operational system to ensure availability and minimize business impacts? A. Impact analysis B. Scheduled downtime C. Backout plan D. Change management boards Answer: B Explanation: Scheduled downtime is a planned period of time when a system or service is unavailable for maintenance, updates, upgrades, or other changes. Scheduled downtime gives administrators a set period to perform changes to an operational system without disrupting the normal business operations or affecting the availability of the system or service. Scheduled downtime also allows administrators to inform the users and stakeholders about the expected duration and impact of the changes. QUESTION 85 Which of the following actions could a security engineer take to ensure workstations and servers are properly monitored for unauthorized changes and software? A. Configure all systems to log scheduled tasks. B. Collect and monitor all traffic exiting the network. C. Block traffic based on known malicious signatures. D. Install endpoint management software on all systems. Answer: D Explanation: Endpoint management software is a tool that allows security engineers to monitor and control the configuration, security, and performance of workstations and servers from a central console. Endpoint management software can help detect and prevent unauthorized changes and software installations, enforce policies and compliance, and provide reports and alerts on the status of the endpoints. The other options are not as effective or comprehensive as endpoint management software for this purpose. QUESTION 86 After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training? A. Insider threat B. Email phishing C. Social engineering D. Executive whaling Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 44 https://www.passleader.com Answer: C Explanation: Social engineering is the practice of manipulating people into performing actions or divulging confidential information, often by impersonating someone else or creating a sense of urgency or trust. The suspicious caller in this scenario was trying to use social engineering to trick the user into giving away credit card information by pretending to be the CFO and asking for a payment. The user recognized this as a potential scam and reported it to the IT help desk. The other topics are not relevant to this situation. QUESTION 87 Which of the following exercises should an organization use to improve its incident response process? A. Tabletop B. Replication C. Failover D. Recovery Answer: A Explanation: A tabletop exercise is a simulated scenario that tests the organization's incident response plan and procedures. It involves key stakeholders and decision-makers who discuss their roles and actions in response to a hypothetical incident. It can help identify gaps, weaknesses, and improvement areas in the incident response process. It can also enhance communication, coordination, and collaboration among the participants. QUESTION 88 Which of the following is used to validate a certificate when it is presented to a user? A. OCSP B. CSR C. CA D. CRC Answer: A Explanation: OCSP stands for Online Certificate Status Protocol. It is a protocol that allows applications to check the revocation status of a certificate in real-time. It works by sending a query to an OCSP responder, which is a server that maintains a database of revoked certificates. The OCSP responder returns a response that indicates whether the certificate is valid, revoked, or unknown. OCSP is faster and more efficient than downloading and parsing Certificate Revocation Lists (CRLs), which are large files that contain the serial numbers of all revoked certificates issued by a Certificate Authority (CA). QUESTION 89 A newly identified network access vulnerability has been found in the OS of legacy IoT devices. Which of the following would best mitigate this vulnerability quickly? A. Insurance B. Patching Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 45 https://www.passleader.com C. Segmentation D. Replacement Answer: C Explanation: Segmentation is a technique that divides a network into smaller subnetworks or segments, each with its own security policies and controls. Segmentation can help mitigate network access vulnerabilities in legacy loT devices by isolating them from other devices and systems, reducing their attack surface and limiting the potential impact of a breach. Segmentation can also improve network performance and efficiency by reducing congestion and traffic. Patching, insurance, and replacement are other possible strategies to deal with network access vulnerabilities, but they may not be feasible or effective in the short term. Patching may not be available or compatible for legacy loT devices, insurance may not cover the costs or damages of a cyberattack, and replacement may be expensive and time-consuming. QUESTION 90 A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following strategies is the bank requiring? A. Encryption at rest B. Masking C. Data classification D. Permission restrictions Answer: A Explanation: Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it into an unreadable format that can only be accessed with a decryption key or password. Encryption at rest can prevent data loss on stolen laptops by preventing unauthorized access to the data, even if the device is physically compromised. Encryption at rest can also help comply with data privacy regulations and standards that require data protection. Masking, data classification, and permission restrictions are other strategies that can help protect data, but they may not be sufficient or applicable for data stored on laptops. Masking is a technique that obscures sensitive data elements, such as credit card numbers, with random characters or symbols, but it is usually used for data in transit or in use, not at rest. Data classification is a process that assigns labels to data based on its sensitivity and business impact, but it does not protect the data itself. Permission restrictions are rules that define who can access, modify, or delete data, but they may not prevent unauthorized access if the laptop is stolen and the security controls are bypassed. QUESTION 91 Which of the following would be best suited for constantly changing environments? A. RTOS B. Containers C. Embedded systems D. SCADA Answer: B Explanation: Containers are a method of virtualization that allows applications to run in isolated environments with their own dependencies, libraries, and configurations. Containers are best suited for Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 46 https://www.passleader.com constantly changing environments because they are lightweight, portable, scalable, and easy to deploy and update. Containers can also support microservices architectures, which enable faster and more frequent delivery of software features. QUESTION 92 A security analyst scans a company's public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend? A. Changing the remote desktop port to a non-standard number B. Setting up a VPN and placing the jump server inside the firewall C. Using a proxy for web connections from the remote desktop server D. Connecting the remote server to the domain and increasing the password length Answer: B Explanation: A VPN is a virtual private network that creates a secure tunnel between two or more devices over a public network. A VPN can encrypt and authenticate the data, as well as hide the IP addresses and locations of the devices. A jump server is a server that acts as an intermediary between a user and a target server, such as a production server. A jump server can provide an additional layer of security and access control, as well as logging and auditing capabilities. A firewall is a device or software that filters and blocks unwanted network traffic based on predefined rules. A firewall can protect the internal network from external threats and limit the exposure of sensitive services and ports. A security analyst should recommend setting up a VPN and placing the jump server inside the firewall to improve the security of the remote desktop access to the production network. This way, the remote desktop service will not be exposed to the public network, and only authorized users with VPN credentials can access the jump server and then the production server. QUESTION 93 Which of the following involves an attempt to take advantage of database misconfigurations? A. Buffer overflow B. SQL injection C. VM escape D. Memory injection Answer: B Explanation: SQL injection is a type of attack that exploits a database misconfiguration or a flaw in the application code that interacts with the database. An attacker can inject malicious SQL statements into the user input fields or the URL parameters that are sent to the database server. These statements can then execute unauthorized commands, such as reading, modifying, deleting, or creating data, or even taking over the database server. SQL injection can compromise the confidentiality, integrity, and availability of the data and the system. QUESTION 94 An organization would like to store customer data on a separate part of the network that is not accessible to users on the main corporate network. Which of the following should the administrator use to accomplish this goal? Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 47 https://www.passleader.com A. Segmentation B. Isolation C. Patching D. Encryption Answer: A Explanation: Segmentation is a network design technique that divides the network into smaller and isolated segments based on logical or physical boundaries. Segmentation can help improve network security by limiting the scope of an attack, reducing the attack surface, and enforcing access control policies. Segmentation can also enhance network performance, scalability, and manageability. To accomplish the goal of storing customer data on a separate part of the network, the administrator can use segmentation technologies such as subnetting, VLANs, firewalls, routers, or switches. QUESTION 95 Which of the following is used to quantitatively measure the criticality of a vulnerability? A. CVE B. CVSS C. CIA D. CERT Answer: B Explanation: CVSS stands for Common Vulnerability Scoring System, which is a framework that provides a standardized way to assess and communicate the severity and risk of vulnerabilities. CVSS uses a set of metrics and formulas to calculate a numerical score ranging from 0 to 10, where higher scores indicate higher criticality. CVSS can help organizations prioritize remediation efforts and compare vulnerabilities across different systems and vendors. The other options are not used to measure the criticality of a vulnerability, but rather to identify, classify, or report them. QUESTION 96 A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system? A. Default credentials B. Non-segmented network C. Supply chain vendor D. Vulnerable software Answer: D QUESTION 97 Which of the following security concepts is the best reason for permissions on a human resources fileshare to follow the principle of least privilege? A. Integrity B. Availability C. Confidentiality Get Latest & Actual SY0-701 Exam's Question and Answers from Passleader. 48 https://www.passleader.com D. Non-repudiation Answer: C Explanation: Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure. The principle of least privilege is a technique that grants users or systems the minimum level of access or permissions that they need to perform their tasks, and nothing more. By applying the principle of least privilege to a human resources fileshare, the permissions can be restricted to only those who have a legitimate need to access the sensitive data, such as HR staff, managers, or auditors. This can prevent unauthorized users, such as hackers, employees, or contractors, from accessing, copying, modifying, or deleting the data. Therefore, the principle of least privilege can enhance the confidentiality of the data on the fileshare. Integrity, availability, and non-repudiation are other security concepts, but they are not the best reason for permissions on a human resources fileshare to follow the principle of least privilege. Integrity is the security concept that ensures data is accurate and consistent, and protected from unauthorized modification or corruption. Availability is the security concept that ensures data is accessible and usable by authorized users or systems when needed. Non-repudiation is the security concept that ensures the authenticity and accountability of data and actions, and prevents the denial of involvement or responsibility. While these concepts are also important for data security, they are not directly related to the level of access or permissions granted to users or systems. QUESTION 98 Security controls in a data center are being reviewed to ensure data is properly protected and that human life considerations are included. Which of the following best describes how the controls should be set up? A. Remote access points should fail closed. B. Logging controls should fail open. C. Safety controls should fail open. D. Logical security controls should fail closed. Answer: C Explanation: Safety controls are security controls that are designed to protect human life and physical assets from harm or damage. Examples of safety controls include fire alarms, sprinklers, emergency exits, backup generators, and surge protectors. Safety controls should fail open, which means that they should remain operational or allow access when a failure or error occurs. Failing open can prevent or minimize the impact of a disaster, such as a fire, flood, earthquake, or power outage, on human life and physical assets. For example, if a fire alarm fails, it should still trigger the sprinklers and unlock the emergency exits, rather than remain silent and locked. Failing open can also ensure that essential services, such as healthcare, transportation, or communication, are available during a crisis. Remote access points, logging controls, and logical security controls are other types of security controls, but they should not fail open in a data center. Remote access points are security controls that allow users or systems to access a network or a system from a remote location, such as a VPN, a web portal, or a wireless access point. Remote access points should fail closed, which means that they should deny access when a failure or error occurs. Failing closed can prevent unauthorized or malicious