CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 1031:

  Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

  A. SSAE SOC 2

  B. PCI DSS

  C. GDPR

  D. ISO 31000

  Correct Answer: C

  The General Data Protection Regulation (GDPR) is most likely to outline the roles and responsibilities of data controllers and data processors.

  GDPR is a comprehensive data protection law that applies to organizations operating within the European Union (EU) and processing the personal data of EU residents. It sets out the rights of individuals with regard to their personal data, and establishes certain obligations for organizations that process personal data, including data controllers and data processors.

• Question 1032:

  Which of the following algorithms has the SMALLEST key size?

  A. DES

  B. Twofish

  C. RSA

  D. AES

  Correct Answer: A

  A. DES = 56-bit

  B. Twofish = 256-bit

  C. RSA = Smallest is 512-bit

  D. AES = 128-bit, 192-bit, or 256-bit

• Question 1033:

  A database administrator needs to ensure all passwords are stored in a secure manner, so the administrate adds randomly generated data to each password before string. Which of the following techniques BEST explains this action?

  A. Predictability

  B. Key stretching

  C. Salting

  D. Hashing

  Correct Answer: B

  A cryptographic salt is made up of random bits added to each password instance BEFORE its hashing.

  In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. Key stretching is the practice of converting a password to a longer and more random key for cryptographic purposes such as encryption. This is generally recognized as making encryption stronger as it ensures that the encryption itself is reasonably hard.

• Question 1034:

  Administrators have allowed employees to access their company email from personal computers. However, the administrators are concerned that these computers are another attack

  Surface and can result in user accounts being breached by foreign actors. Which of the following actions would provide the MOST secure solution?

  A. Enable an option in the administration center so accounts can be locked if they are accessed from different geographical areas.

  B. Implement a 16-character minimum length and 30-day expiration password policy.

  C. Set up a global mail rule to disallow the forwarding of any company email to email addresses outside the organization,

  D. Enforce a policy that allows employees to be able to access their email only while they are connected to the Internet via VPN.

  Correct Answer: A

• Question 1035:

  A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?

  A. Segmentation

  B. Firewall whitelisting

  C. Containment

  D. isolation

  Correct Answer: A

  Segmentation. DMZ and VLAN are examples of segmentation. You can configure the device to be on its own isolated network while having access to the third-party vendor. The device will still try to communicate with the file server but traffic will be dropped and logged. This is how you would want to set up IoT and untrusted devices.

• Question 1036:

  A security team received the following requirements for a new BYOD program that will allow employees to use personal smartphones to access business email:

  1.

  Sensitive customer data must be safeguarded.

  2.

  Documents from managed sources should not be opened in unmanaged destinations.

  3.

  Sharing of managed documents must be disabled.

  4.

  Employees should not be able to download emailed images to their devices.

  5.

  Personal photos and contact lists must be kept private.

  6.

  IT must be able to remove data from lost/stolen devices or when an employee no longer works for the company.

  Which of the following are the best features to enable to meet these requirements? (Choose two.)

  A. Remote wipe

  B. VPN connection

  C. Biometric authentication

  D. Device location tracking

  E. Geofencing

  F. Application approve list

  G. Containerization

  Correct Answer: AG

  Containerization: Containerization involves creating a separate and secure container or workspace on the device for business applications and data. This allows for the isolation of business data from personal data and enables better control over the business-related activities on the device. Remote wipe: Remote wipe is a crucial security feature that allows the IT team to remotely erase all data on a lost or stolen device. This helps in safeguarding sensitive customer data and ensuring that company information does not fall into the wrong hands

• Question 1037:

  A company wants to begin taking online orders for products but has decided to outsource payment processing to limit risk. Which of the following best describes what the company should request from the payment processor?

  A. ISO 27001 certification documents

  B. Proof of PCI DSS compliance

  C. A third-party SOC 2 Type 2 report

  D. Audited GDPR policies

  Correct Answer: B

• Question 1038:

  An employee in the accounting department receives an email containing a demand for payment for services performed by a vendor. However, the vendor is not in the vendor management database. Which of the following is this scenario an example of?

  A. Pretexting

  B. Impersonation

  C. Ransomware

  D. Invoice scam

  Correct Answer: D

• Question 1039:

  An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy?

  A. The theft of portable electronic devices

  B. Geotagging in the metadata of images

  C. Bluesnarfing of mobile devices

  D. Data exfiltration over a mobile hot-spot

  Correct Answer: D

  The secure data they want to keep secure is presumably on stationary machines inside the facility, airgapped from the internet. How would that get bluesnarfed? Why on earth would you set up a phone confiscating system to prevent bluesnarfing instead of just disabling bluetooth on the machines inside? On the other hand, if we assume the secure facility is not internet-connected (makes sense to me) then we definitely don't want people bringing in phones to use as mobile hotspots, which allows a vector for inside info to get outside. Sorry Gibson, you're wrong again.

  https://www.signalbooster.com/blogs/news/how-much-which-building-materials-block-cellular-wifi-signals#:~:text=Along%20with%203G%20and%204G%20LTE%2C%20metal%20roofs%20deflect%205G%20signals%20the%20most% 20because%205G%20uses%20higher%20frequencies%20that%20can%20penetrate%20metal%20the%20least.

• Question 1040:

  An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?

  A. The system was configured with weak default security settings.

  B. The device uses weak encryption ciphers.

  C. The vendor has not supplied a patch for the appliance.

  D. The appliance requires administrative credentials for the assessment

  Correct Answer: C