CompTIA SY0-601 Online Practice Questions and Exam Preparation
SY0-601 Exam Details
Exam Code: SY0-601
Exam Name: CompTIA Security+
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 1334 Q&As
Last Updated: May 26, 2026
CompTIA SY0-601 Online Questions & Answers
Question 681:
A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?
A. SSAE SOC 2 B. ISO 31000 C. NIST CSF D. GDPR
B. ISO 31000
The ISO 31000 Risk Management framework is an international standard from the International Organization for Standardization that provides organizations with principles and guidelines for building a risk management program. Regulatory compliance initiatives such as GDPR are specific to a jurisdiction and apply only to organizations of a certain size or in certain industries, and SSAE SOC 2 is an audit reporting framework rather than a risk management standard. ISO 31000, by contrast, is designed for organizations of any size; its concepts work equally well in the public and private sector, in large or small businesses, and in nonprofit organizations.
Question 682:
An organization suffered numerous multiday power outages at its current location. The Chief Executive Officer wants to create a disaster recovery strategy to resolve this issue. Which of the following options offer low-cost solutions? (Choose two.)
A. Warm site B. Generator C. Hot site D. Cold site E. Cloud backups F. UPS
B. Generator F. UPS
Question 683:
A network engineer notices that the VPN concentrator becomes overloaded and crashes on days when there are a lot of remote workers. Senior management has placed greater importance on the availability of VPN resources for the remote workers than on the security of the end users' traffic.
Which of the following would be BEST to solve this issue?
A. IPSec B. Always On C. Split tunneling D. L2TP
C. Split tunneling
With split tunneling, only traffic destined for the corporate network is sent through the VPN concentrator; the remote workers' other internet traffic leaves their machines directly. That reduces the load on the concentrator, which is what management has prioritized, at the cost of not protecting or inspecting the end users' non-corporate traffic. Always On does the opposite: it forces every client to keep a full tunnel up at all times, so all traffic crosses the concentrator and the overload gets worse. IPSec and L2TP are tunneling protocols; choosing either changes how traffic is encapsulated, not how much of it reaches the concentrator.
Question 684:
CORRECT TEXT
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X using the most secure encryption and protocol available.
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest. The guest AD credentials are:
User: guest01 Password: guestpass
Correct Answer: check the explanation below.
Explanation/Reference:
The original answer consists of configuration screenshots that are not reproduced on this page. The settings they show follow from the requirements in the question: the RADIUS server must list the WiFi controller as a client by IP address and share a secret with it, and the controller must point at the RADIUS server with that same secret on the standard authentication port (UDP 1812); the guest WLAN must use WPA2-Enterprise with AES/CCMP (WPA3-Enterprise where the controller and clients support it) with 802.1X as the authentication method rather than a pre-shared key; and because the guest authenticates with an AD username and password rather than a certificate, the client profile uses a password-based EAP method carried inside a TLS tunnel (PEAP with MS-CHAPv2), configured with the guest01 / guestpass credentials listed above and set to validate the RADIUS server's certificate.
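The one setting that ties steps 1 and 2 together is the RADIUS shared secret. The following is an added example, not part of the original answer images, that simulates what that secret does on the wire per RFC 2865: it hides the User-Password attribute in the Access-Request and authenticates the server's Access-Accept/Reject. The packet layout and attribute codes are from the RFC; the user table, secrets and the in-process "server" are constructed for a stand-alone run.

```python
# Added example (not from the original answer images): the RADIUS shared secret
# that the WiFi controller (NAS) and the RADIUS server must both be configured
# with, shown doing its two jobs from RFC 2865: hiding the User-Password
# attribute and authenticating the server's reply. The user table and secrets
# are constructed for a stand-alone simulation.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
USERS = {b"guest01": b"guestpass"}  # constructed stand-in for the AD lookup


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply only verifies if the server used the same secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Simulated server: parse the Access-Request, check the password, answer."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:                         # TLV attributes: type, length, value
        attr_type, attr_len = request[pos], request[pos + 1]
        attrs[attr_type] = request[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in USERS and hmac.compare_digest(USERS[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_auth, secret)
    return build_packet(code, ident, auth, b"")


def authenticate(user: bytes, password: bytes, nas_secret: bytes, server_secret: bytes) -> str:
    """NAS side. Returns 'accept', 'reject', or 'bad-authenticator' (secrets differ)."""
    request_auth = os.urandom(16)               # fresh per request; reuse would leak passwords
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user),
                             (ATTR_USER_PASSWORD, hide_password(password, nas_secret, request_auth))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    reply = radius_server(build_packet(ACCESS_REQUEST, 1, request_auth, attrs), server_secret)
    if not verify_response(reply, request_auth, nas_secret):
        return "bad-authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(b"guest01", b"guestpass", b"wifi-radius-secret", b"wifi-radius-secret"))
    print(authenticate(b"guest01", b"guestpass", b"wifi-radius-secret", b"typo-secret"))
```

A mistyped secret on either side shows up as a reply whose Response Authenticator does not verify, not as a password failure, which is a useful thing to know when troubleshooting a new controller. The password hiding is only MD5-based XOR with a static secret, so the controller-to-RADIUS link belongs on a management network or inside RadSec (RADIUS over TLS), and the secret should be long and random rather than a word.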
Question 685:
A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?
A. Salting the magnetic strip information B. Encrypting the credit card information in transit. C. Hashing the credit card numbers upon entry. D. Tokenizing the credit cards in the database
D. Tokenizing the credit cards in the database
Explanation: Tokenization replaces each card number (PAN) with a random surrogate value that has no mathematical relationship to the PAN. The e-commerce database stores only the token; the real PAN is held in a separate token vault (typically the payment provider's), which is the only place where the token can be exchanged back for the PAN when the customer reorders. This gives the easy reordering the developer wants while keeping PANs out of the web application and its database, which also shrinks the PCI DSS scope.
Hashing credit card numbers is almost never a good idea. A hash is deterministic and one-way: it lets you recognize a PAN you have seen before but never recover it, so it cannot support reordering at all. It is also weak as protection: a PAN is a 16-digit number that satisfies the Luhn check, its first six to eight digits are the issuer's BIN, and its last four are routinely printed on receipts, so an attacker who obtains the hashes only has to identify the hash function (and read the salt stored alongside the hash, if one was used) and then hash the small set of remaining candidates; a precomputed rainbow table of PANs and their hashes does the same job. Salting the magnetic stripe information fails for the same reason, and encrypting the card data in transit protects it on the wire but not in storage.
Reference: https://www.quora.com/Which-one-is-better-for-storing-credit-card-numbers-for-an-e-commerce-website-tokenization-or-hashing
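To make the two halves of that explanation concrete, here is an added example (not from the original answer) that first recovers a salted SHA-256 of a PAN by brute force given only the BIN and last four digits, and then shows a token vault that gives the merchant a reusable token without a recoverable PAN. The PAN is the standard 4111 1111 1111 1111 test number, and the salt and vault are constructed stand-ins; a real vault is a separate PCI-scoped service that encrypts what it stores.

```python
# Added example, not from the original answer: why a hashed PAN is recoverable
# and what tokenization does instead. The PAN, salt and vault are constructed
# for the demonstration; the vault stands in for a real PCI-scoped token service.
import hashlib
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check that every card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_fill(pan_with_gap: str, gap: int) -> str:
    """Return the single digit at index `gap` that makes the number pass Luhn."""
    n, total = len(pan_with_gap), 0
    for i, ch in enumerate(pan_with_gap):
        if i == gap:
            continue
        d = int(ch)
        if (n - 1 - i) % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    need = -total % 10
    gap_doubled = (n - 1 - gap) % 2 == 1
    for d in range(10):
        v = (d * 2 - 9 if d > 4 else d * 2) if gap_doubled else d
        if v % 10 == need:
            return str(d)
    raise AssertionError("unreachable: the doubling map is a bijection on 0-9")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crack_hashed_pan(target: str, bin6: str, last4: str, salt: bytes = b"") -> Optional[str]:
    """Recover a 16-digit PAN from its (salted) SHA-256 given the BIN and last four.
    Layout 6 + 6 + 4: five middle digits are free and the sixth is fixed by Luhn,
    so at most 10**5 hashes are needed. A per-row salt is read from the same table."""
    for m in range(100_000):
        partial = f"{bin6}{m:05d}?{last4}"
        pan = partial.replace("?", luhn_fill(partial, 11))
        if sha256_hex(salt + pan.encode()) == target:
            return pan
    return None


class TokenVault:
    """Constructed stand-in for a token service. Only this component ever sees the
    PAN; a production vault encrypts it and sits in its own PCI DSS-scoped segment."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (len(pan) == 16 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid 16-digit PAN")
        if pan not in self._token_by_pan:               # same card -> same token, so reorders match
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"  # random; last four kept for display
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]                # KeyError for an unknown token


def reorder(merchant_row: dict, vault: TokenVault) -> str:
    """Merchant side: the customer record holds only the token; the PAN is fetched
    from the vault at charge time and passed to the processor, never stored."""
    return vault.detokenize(merchant_row["card_token"])
```

Note that the brute force above never touches the salt's secrecy: a salt is stored next to the hash precisely so the legitimate system can recompute it, and that is all the attacker needs too. A keyed hash (HMAC with a secret key kept elsewhere) would resist the search, but it still cannot be reversed, so it would not give the reordering the developer asked for; only a reversible mapping held outside the merchant database does.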
Question 686:
A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a laptop stolen, and later, enterprise data was found to have been compromised from a local database. Which of the following was the MOST likely cause?
A. Shadow IT B. Credential stuffing C. SQL injection D. Man in the browser E. Bluejacking
A. Shadow IT
Another example of an unintentional insider threat is shadow IT, where users purchase or introduce computer hardware or software into the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new, unmonitored attack surface for adversaries to exploit. While SQL injection might be one way that enterprise data in the local database was compromised, an attacker with the stolen laptop could simply have broken into the machine and opened the local database to steal the data, so SQL injection is possible but not the MOST likely cause. The question to ask is: if the enterprise has moved everything into the cloud, the only reason a local database exists on the sales director's machine is that the user installed it, running an application locally when they should have been using the company's cloud application. That, by definition, is shadow IT.
Question 687:
An attacker is using a method to hide data inside of benign files in order to exfiltrate confidential data. Which of the following is the attacker most likely using?
A. Base64 encoding B. Steganography C. Data encryption D. Perfect forward secrecy
B. Steganography
Steganography is a technique for hiding data inside benign carrier files such as images, audio, or video. Because the carrier still opens and looks normal, an attacker can use it to exfiltrate confidential data without raising suspicion, and content inspection that looks only at file type or size will not notice. Base64 encoding changes the representation of data but hides nothing, encryption makes data unreadable but visibly present, and perfect forward secrecy is a key exchange property unrelated to hiding data.
References: How to Hide Files Inside Files [Images, Folder] - Raymond.CC Blog; How to Hide Data in a Secret Text File Compartment - How-To Geek; How to Hide Data Within an Image - Medium
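The simplest image technique the references describe is least-significant-bit (LSB) embedding. As an added example, not part of the original answer or of any tool mentioned above, the code below hides a payload in the LSB of each byte of a constructed RGB pixel buffer (no image file or imaging library involved), recovers it, and measures how little the carrier changed.

```python
# Added example, not from the original answer: least-significant-bit (LSB)
# steganography over a constructed RGB pixel buffer, showing how a payload is
# hidden and recovered and why size or format checks do not catch it.
import random
import struct


def make_cover(width: int = 64, height: int = 64, seed: int = 1) -> bytearray:
    """Constructed cover: a gradient with a little noise, 3 bytes per pixel."""
    rng = random.Random(seed)
    return bytearray((x + y + rng.randrange(8)) & 0xFF
                     for y in range(height) for x in range(width) for _ in range(3))


def capacity_bytes(cover: bytes) -> int:
    return len(cover) // 8 - 4                   # one bit per byte, minus the length header


def _bits(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def _bytes(bits) -> bytes:
    bits = list(bits)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Write a 4-byte length header and then the payload into the LSB of each byte."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload exceeds capacity of {capacity_bytes(cover)} bytes")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(struct.pack("!I", len(payload)) + payload)):
        stego[i] = (stego[i] & 0xFE) | bit       # each carrier byte moves by at most 1
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then that many payload bytes."""
    lsb = [b & 1 for b in stego]
    (n,) = struct.unpack("!I", _bytes(lsb[:32]))
    if n > len(stego) // 8 - 4:
        raise ValueError("no plausible payload header in this buffer")
    return _bytes(lsb[32:32 + 8 * n])


def max_byte_change(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"constructed secret: 4111111111111111")
    print(len(cover), len(stego), max_byte_change(cover, stego), extract(stego))
```

The carrier keeps its exact size and format and every byte differs by at most one, so a DLP rule keyed on file type, size or a hash of a known-good image will not fire; detecting LSB embedding needs statistical analysis of the pixel data or, more practically, policy that limits which channels can carry such files out at all.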
Question 688:
A financial institution recently joined a bug bounty program to identify security issues in the institution's new public platform. Which of the following best describes who the institution is working with to identify security issues?
A. Script kiddie B. Insider threats C. Malicious actor D. Authorized hacker
D. Authorized hacker An authorized hacker, also known as an ethical hacker or a white hat hacker, is someone who uses their skills and knowledge to find and report security issues in a system or application with the permission of the owner. An authorized hacker follows the rules and guidelines of the bug bounty program and does not cause any harm or damage to the system or its users.
Question 689:
Which of the following is assured when a user signs an email using a private key?
A. Non-repudiation B. Confidentiality C. Availability D. Authentication
A. Non-repudiation
Explanation/Reference: A signature made with a private key is your virtual John Hancock: it stamps the message with "I am who I say I am", and because anyone holding the matching public key can verify it, the signer cannot later deny having sent it. Authentication of the sender follows from the same mechanism, but non-repudiation is the property the question is after. Confidentiality is not provided; the signed email is still readable by anyone and would need to be encrypted with the recipient's public key. The only way to break non-repudiation is for the owner's private key to be compromised, at which point you have bigger problems than non-repudiation.
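The property is easiest to see next to its nearest alternative, a MAC. As an added example that is not part of the original answer, the code below implements a minimal signature scheme from scratch (textbook RSA over a SHA-256 digest, with no padding and toy key sizes, written this way only so it runs without third-party libraries; it is not a secure construction, and real email signing uses S/MIME or OpenPGP) and an HMAC beside it. The signer is the only party who can produce a valid signature, and the verifier needs only the public key, whereas with an HMAC the recipient holds the same key as the sender and could have produced any tag themselves. Messages and keys are constructed.

```python
# Added example, not from the original answer: what signing with a private key
# provides, contrasted with a shared-key MAC. Textbook RSA (no padding, small
# keys) is used only to avoid third-party libraries; it is not a secure scheme.
import hashlib
import hmac
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate, rng):
            return candidate


def keygen(bits: int = 512, rng: random.Random = None):
    """Returns (public, private) = ((n, e), (n, d)). Seeded rng only for reproducible demos."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))   # pow(e, -1, m): Python 3.8+


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can compute this; that is what makes the result deniable by nobody."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key, including a third party in a dispute, can check it."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message) % n


def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Contrast: a MAC proves integrity and possession of the shared key, not who sent it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_mac(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """The verifier holds the same key as the sender, so it could have made this tag itself."""
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)


if __name__ == "__main__":
    public, private = keygen()
    msg = b"From: alice@example.test\nSubject: Approve wire of 10,000 EUR\n"   # constructed
    sig = sign(private, msg)
    print(verify(public, msg, sig), verify(public, msg.replace(b"10,000", b"100,000"), sig))
```

Because `verify` takes only the public key, a third party such as an auditor can confirm that the message was signed by whoever controls the private key, which is the substance of non-repudiation; `verify_mac` cannot settle the same dispute, since either party to the shared key could have produced the tag. Nothing here hides the message, which is why signing and encrypting are separate operations in S/MIME and OpenPGP.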
Question 690:
A Chief Security Officer is looking for a solution that can reduce the occurrence of customers receiving errors from back-end infrastructure when systems go offline unexpectedly. The security architect would like the solution to help maintain session persistence.
Which of the following would BEST meet the requirements?
A. Reverse proxy B. NIC teaming C. Load balancer D. Forward proxy
C. Load balancer
Explanation/Reference: A load balancer meets both requirements. Active health checks (probing each back end on a schedule) and passive checks (observing failed connections on live requests) let it stop sending traffic to a back end that has gone offline, so customers are not handed errors, and its persistence settings (sticky sessions keyed by cookie or source IP) keep a client on the same back end while that back end is healthy. NIC teaming only covers a failed network interface on a single host, and forward and reverse proxies do not by themselves provide the pool monitoring and persistence that the question asks for.
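As an added example, not part of the original answer, the following simulates those two functions in memory: a small balancer that round-robins across a pool, drops a back end from the pool on a failed active health check or a failed live request, and pins sessions to a back end with a cookie for as long as that back end stays up. The back ends, requests and cookie name are constructed; a real product does the same with HTTP or TCP probes and an inserted Set-Cookie header.

```python
# Added example, not from the original answer: a minimal load balancer showing
# the two behaviours the question asks for, health checks that keep traffic off
# an offline back end and cookie-based session persistence. Back ends, requests
# and the cookie name are simulated in memory.
import itertools


class Backend:
    def __init__(self, name: str):
        self.name, self.healthy = name, True

    def health_check(self) -> bool:              # what the balancer probes actively
        return self.healthy

    def handle(self, request: dict) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {request['path']}"


def serve_without_balancer(backend: Backend, request: dict) -> dict:
    """Client talks to one server directly: an outage becomes a customer-visible error."""
    try:
        return {"status": 200, "body": backend.handle(request)}
    except ConnectionError as exc:
        return {"status": 502, "body": str(exc)}


class LoadBalancer:
    COOKIE = "LB_SESSION"                        # constructed name for the persistence cookie

    def __init__(self, backends, sticky: bool = True):
        self.backends = list(backends)
        self.sticky = sticky
        self._rr = itertools.cycle(self.backends)
        self._healthy = {b.name for b in self.backends}
        self._sessions = {}                      # cookie value -> backend name

    def run_health_checks(self) -> set:
        """Active monitoring: probe every back end and rebuild the healthy pool."""
        self._healthy = {b.name for b in self.backends if b.health_check()}
        return set(self._healthy)

    def _pick(self) -> Backend:
        while True:                              # round robin, skipping unhealthy members
            b = next(self._rr)
            if b.name in self._healthy:
                return b

    def route(self, request: dict) -> dict:
        cookie = request.get("cookies", {}).get(self.COOKIE)
        target = None
        if self.sticky and cookie in self._sessions:
            pinned = self._sessions[cookie]
            if pinned in self._healthy:          # persistence: stay on the same back end while it is up
                target = next(b for b in self.backends if b.name == pinned)
        if target is None:
            if not self._healthy:
                return {"status": 503, "body": "no healthy back ends", "set_cookie": cookie, "backend": None}
            target = self._pick()
        body = None
        while body is None:
            try:
                body = target.handle(request)
            except ConnectionError:              # passive check: a live request failed
                self._healthy.discard(target.name)
                if not self._healthy:
                    return {"status": 503, "body": "no healthy back ends", "set_cookie": cookie, "backend": None}
                target = self._pick()            # retry on another member instead of erroring
        if self.sticky:
            cookie = cookie or f"sess-{len(self._sessions) + 1}"
            self._sessions[cookie] = target.name
        return {"status": 200, "body": body, "set_cookie": cookie, "backend": target.name}


if __name__ == "__main__":
    a, b = Backend("app-a"), Backend("app-b")
    lb = LoadBalancer([a, b])
    first = lb.route({"path": "/cart"})
    a.healthy = False
    print(first, lb.route({"path": "/cart", "cookies": {"LB_SESSION": first["set_cookie"]}}))
```

When the pinned back end goes away the client is moved to another member and gets a 200 rather than an error, but any server-side state held only on the dead member is lost with it; persistence reduces that risk while the pool is stable, and storing session state in a shared store removes it altogether.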
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively, prepare in a short time with less effort, get an ideal result, and find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SY0-601 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.