CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 161:

  A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours.

  Which of the following is most likely occurring?

  A. A worm is propagating across the network.
  B. Data is being exfiltrated.
  C. A logic bomb is deleting data.
  D. Ransomware is encrypting files.
  B. Data is being exfiltrated.

  ---

  Explanation

  Data exfiltration is a technique that attackers use to steal sensitive data from a target system or network by transmitting it through DNS queries and responses. This method is often used in advanced persistent threat (APT) attacks, in which attackers seek to persistently evade detection in the target environment. A large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours is a strong indicator of data exfiltration. A worm, a logic bomb, and ransomware would not use DNS queries to communicate with their command and control servers or perform their malicious actions.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 487

  Introduction to DNS Data Exfiltration

  Identifying a DNS Exfiltration Attack That Wasn't Real -- This Time

• Question 162:

  Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a secunty analyst for further review.

  The security analyst reviews the following metrics:

  

  Which of the following is MOST likely the result of the security analyst's review?

  A. The ISP is dropping outbound connections
  B. The user of the Sales-PC fell for a phishing attack
  C. Corporate PCs have been turned into a botnet
  D. An on-path attack is taking place between PCs and the router
  C. Corporate PCs have been turned into a botnet

  ---

  Explanation

  The metrics show a significant increase in both CPU utilization and network connections for all the listed PCs compared to their normal values. This could indicate that the machines are being used for unauthorized activities. The current CPU utilization of all the PCs is significantly higher than the normal CPU utilization. This indicates that the PCs are running a lot of processes, which is a common symptom of a botnet infection. The number of current network connections for all the PCs is also significantly higher than the normal number of network connections. This is another common symptom of a botnet infection. A botnet is a network of computers that have been infected with malware and controlled by a remote attacker. The attacker can use the botnet to carry out a variety of malicious activities, such as sending spam, launching DDoS attacks, or stealing data.

• Question 163:

  Which of the following should a security team do first before a new web server goes live?

  A. Harden the virtual host.
  B. Create WAF rules.
  C. Enable network intrusion detection.
  D. Apply patch management.
  A. Harden the virtual host.

  ---

  Explanation

  Before a new web server goes live, the first step should be to harden the virtual host. Hardening involves securing the server by disabling unnecessary services, configuring permissions, and applying best practices to minimize vulnerabilities.

  This foundational step reduces the attack surface and ensures the server is secure before additional security measures, such as WAF rules, intrusion detection, or patch management, are applied.

• Question 164:

  A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider.

  Which of the following is a risk in the new system?

  A. Default credentials
  B. Non-segmented network
  C. Supply chain vendor
  D. Vulnerable software
  D. Vulnerable software

  ---

  Explanation

  The key phrase is "opening ports on a firewall for a new system being deployed and supported by a SaaS provider." Opening firewall ports to support a new externally supported system increases exposure to the software and services behind those ports. That makes vulnerable software the most direct risk in the new system.

• Question 165:

  Which of the following penetration testing teams is focused only on trying to compromise an organization using an attacker's tactics?

  A. White
  B. Red
  C. Purple
  D. Blue
  B. Red

  ---

  Explanation

  Red teams are focused only on trying to compromise an organization using an attacker's tactics. They simulate real-world attacks to test the effectiveness of the organization's security defenses and identify vulnerabilities. Red team: Acts as adversaries to simulate attacks and find security weaknesses. White team: Oversees and ensures the rules of engagement are followed during the penetration test.

  Purple team: Facilitates collaboration between the red team and the blue team to improve security.

  Blue team: Defends against attacks and responds to security incidents.

  References:

  CompTIA Security+ SY0-701 Exam Objectives, Domain 5.5 - Types and purposes of audits and assessments (Penetration testing: Red team).

• Question 166:

  An organization has too many variations of a single operating system and needs to standardize the arrangement prior to pushing the system image to users.

  Which of the following should the organization implement first?

  A. Standard naming convention
  B. Mashing
  C. Network diagrams
  D. Baseline configuration
  D. Baseline configuration

  ---

  Explanation

  Baseline configuration is the process of standardizing the configuration settings for a system or network. In this scenario, the organization needs to standardize the operating system configurations before deploying them across the network.

  Establishing a baseline configuration ensures that all systems adhere to the organization's security policies and operational requirements.

  References:

  CompTIA Security+ SY0-701 study materials, particularly in the domain of system hardening and configuration management.

• Question 167:

  A systems administrator receives an alert that a company's internal file server is very slow and is only working intermittently. The systems administrator reviews the server management software and finds the following information about the server:

  

  Which of the following indicators most likely triggered this alert?

  A. Concurrent session usage
  B. Network saturation
  C. Account lockout
  D. Resource consumption
  D. Resource consumption

  ---

  Explanation

  The attached information shows that the CPU usage is at 99.6% and memory usage is at 97%. These high levels of resource consumption would lead to slow performance and intermittent issues, triggering an alert due to the server's limited ability to handle additional requests.

• Question 168:

  The management team wants to assess the cybersecurity team's readiness to respond to a threat scenario.

  Which of the following will adequately assess and formalize a response within a short time?

  A. Send a message to all IT managers and request formal action plans.
  B. Create a bug bounty program and assess the findings.
  C. Execute a tabletop exercise and document the performance results.
  D. Hire an external consultant to independently assess the cybersecurity processes.
  C. Execute a tabletop exercise and document the performance results.

  ---

  Explanation

  A tabletop exercise is the most effective way to quickly assess a cybersecurity team's readiness to respond to a threat scenario. CompTIA Security+ SY0-701 describes tabletop exercises as discussion-based simulations where incident response team members walk through a realistic scenario to evaluate procedures, decision-making, communication, and coordination. These exercises are specifically designed to be conducted in a short timeframe while still providing meaningful insight into preparedness.

  Executing a tabletop exercise allows management to observe how the team identifies threats, escalates incidents, assigns roles, and follows the incident response plan. Documenting performance results helps formalize findings, identify gaps, and improve playbooks and procedures without the complexity of a live incident or full-scale simulation.

  Option A is informal and does not test real-time decision-making.

  Option B focuses on vulnerability discovery, not response readiness.

  Option D can be effective but is time-consuming and not suited for rapid assessment.

  Therefore, C: Execute a tabletop exercise and document the performance results is the correct answer.

• Question 169:

  A security analyst receives an alert from a web server that contains the following logs:

  GET /image?filename=../../../etc/passwd Host: AcmeInc.web.net user-agent: python-requests/2.27.1

  GET /image?filename=../../..

  /etc/shadow Host: AcmeInc.web.net user-agent: python-requests/2.27.1 Which of the following attacks is being attempted?

  A. File injection
  B. Privilege escalation
  C. Directory traversal
  D. Cookie forgery
  C. Directory traversal

  ---

  Explanation

  The logs show a request attempting to access sensitive system files using sequences such as ../../../. This technique attempts to move up multiple directory levels in the file system hierarchy in order to access files outside the intended directory.

  The attacker is attempting to access /etc/passwd and /etc/shadow, which are sensitive Linux system files that store user account and password information. This behavior is characteristic of a directory traversal attack (also called path traversal).

  Directory traversal attacks exploit insufficient input validation in web applications that allow user-supplied file paths. By injecting ../ sequences, attackers can traverse the directory structure and access restricted files.

  File injection (A) involves inserting malicious files or code into an application. Privilege escalation (B) occurs when an attacker gains higher permissions than intended. Cookie forgery (D) involves manipulating session cookies.

  Thus, the correct answer is C: Directory traversal.

• Question 170:

  An organization discovers that its cold site does not have enough storage and computers available.

  Which of the following was most likely the cause of this failure?

  A. Capacity planning
  B. Load balancing
  C. Backups
  D. Platform diversity
  A. Capacity planning

  ---

  Explanation

  A cold site is a backup facility that provides basic power, space, and environmental controls but does not include hardware or preconfigured systems. It is the organization's responsibility to ensure the site has adequate storage, servers, and equipment staged or available for rapid procurement.

  If the cold site "does not have enough storage and computers," the cause is a failure in capacity planning (A). CompTIA Security+ SY0-701 highlights the need for organizations to determine:

  Required compute capacity

  Storage needs

  Network bandwidth

  Expected recovery workload

  Hardware replacement timelines

  Load balancing (B) distributes traffic; it has nothing to do with cold-site readiness. Backups (C) store data, not physical resources. Platform diversity (D) refers to using multiple technologies to reduce systemic risk.

  The issue is specifically the lack of resources, which directly reflects inadequate capacity planning. Therefore, A is the correct answer.