CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 421:

  A security team has been alerted to a flood of incoming emails that have various subject lines and are addressed to multiple email inboxes. Each email contains a URL shortener link that is redirecting to a dead domain.

  Which of the following is the best step for the security team to take?

  A. Create a blocklist for all subject lines.
  B. Send the dead domain to a DNS sinkhole.
  C. Quarantine all emails received and notify all employees.
  D. Block the URL shortener domain in the web proxy.
  B. Send the dead domain to a DNS sinkhole.

• Question 422:

  A security team created a document that details the order in which critical systems should be through back online after a major outage.

  Which of the following documents did the team create?

  A. Communication plan
  B. Incident response plan
  C. Data retention policy
  D. Disaster recovery plan
  D. Disaster recovery plan

  ---

  Explanation

  The document described in the question is a Disaster Recovery Plan (DRP). A DRP outlines the process and procedures for restoring critical systems and operations after a major disruption or outage. It includes the order in which systems should be brought back online to ensure minimal impact on business operations, prioritizing the most critical systems to recover first.

  References:

  CompTIA Security+ SY0-701 Course Content: Domain 5: Security Program Management and Oversight, which discusses the development and implementation of disaster recovery plans.

• Question 423:

  Following a security review, an organization must ensure users verify their identities against the company's identity services with individual credentials leveraging WPA2-Enterprise for wireless access.

  Which of the following configuration steps correctly applies RADIUS in this environment?

  A. Enabling 802.1X authentication and integrating it with the corporate directory
  B. Installing self-signed certificates on all user devices
  C. Enabling MAC filters for all wireless clients
  D. Configuring the wireless controller to require multifactor authentication
  A. Enabling 802.1X authentication and integrating it with the corporate directory

  ---

  Explanation

  WPA2-Enterprise is designed for environments where users authenticate with unique, individual credentials backed by an enterprise identity store, rather than a shared preshared key. The Study Guide explicitly states: "WPA2-Enterprise relies on a RADIUS authentication server as part of an 802.1X implementation for authentication. Users can thus have unique credentials and be individually identified." That maps directly to the requirement that users verify identity against the company's identity services using individual credentials. It further explains how this is implemented operationally: "802.1X is an IEEE standard for access control... In wireless networks, 802.1X is used to integrate with RADIUS servers, allowing enterprise users to authenticate and gain access to the network."

  Therefore, the correct configuration step is enabling 802.1X and tying authentication into the organization's identity source (commonly a corporate directory). The other choices don't correctly "apply RADIUS" for WPA2-Enterprise: self-signed certs are not universally required for all EAP types and can introduce trust issues; MAC filters are weak and spoofable; and MFA might be beneficial but is not the fundamental step that enables RADIUS-backed WPA2-Enterprise authentication.

  References:

  WPA2-Enterprise uses RADIUS + 802.1X and supports unique user credentials

  802.1X integrates wireless authentication with RADIUS.

• Question 424:

  A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies.

  Which of the following is the most important consideration during development?

  A. Scalability
  B. Availability
  C. Cost
  D. Ease of deployment
  B. Availability

  ---

  Explanation

  Availability is the ability of a system or service to be accessible and usable when needed. For a web application that allows individuals to digitally report health emergencies, availability is the most important consideration during development, because any downtime or delay could have serious consequences for the health and safety of the users. The web application should be designed to handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of failures.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 2, page 41.

• Question 425:

  A company requires hard drives to be securely wiped before sending decommissioned systems to recycling.

  Which of the following best describes this policy?

  A. Enumeration
  B. Sanitization
  C. Destruction
  D. Inventory
  B. Sanitization

  ---

  Explanation

  Sanitization is the process of removing sensitive data from a storage device or a system before it is disposed of or reused. Sanitization can be done by using software tools or hardware devices that overwrite the data with random patterns or zeros, making it unrecoverable. Sanitization is different from destruction, which is the physical damage of the storage device to render it unusable. Sanitization is also different from enumeration, which is the identification of network resources or devices, and inventory, which is the tracking of assets and their locations. The policy of securely wiping hard drives before sending decommissioned systems to recycling is an example of sanitization, as it ensures that no confidential data can be retrieved from the recycled devices.

  References:

  Secure Data Destruction -SY0-601 CompTIA Security+ : 2.7, video at 1:00

  CompTIA Security+ SY0-701 Certification Study Guide, page 387.

• Question 426:

  Which of the following incident response activities ensures evidence is properly handied?

  A. E-discovery
  B. Chain of custody
  C. Legal hold
  D. Preservation
  B. Chain of custody

  ---

  Explanation

  Chain of custody is the process of documenting and preserving the integrity of evidence collected during an incident response. It involves recording the details of each person who handled the evidence, the time and date of each transfer, and the location where the evidence was stored. Chain of custody ensures that the evidence is admissible in legal proceedings and can be traced back to its source. E-discovery, legal hold, and preservation are related concepts, but they do not ensure evidence is properly handled.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 487

  NIST SP 800-61: 3.2. Evidence Gathering and Handling

• Question 427:

  A security engineer needs to configure an NGFW to minimize the impact of the increasing number of various traffic types during attacks.

  Which of the following types of rules is the engineer the most likely to configure?

  A. Signature-based
  B. Behavioral-based
  C. URL-based
  D. Agent-based
  B. Behavioral-based

  ---

  Explanation

  To minimize the impact of the increasing number of various traffic types during attacks, a security engineer is most likely to configure behavioral-based rules on a Next-Generation Firewall (NGFW). Behavioral-based rules analyze the behavior of traffic patterns and can detect and block unusual or malicious activity that deviates from normal behavior.

  Behavioral-based: Detects anomalies by comparing current traffic behavior to known good behavior, making it effective against various traffic types during attacks.

  Signature-based: Relies on known patterns of known threats, which might not be as effective against new or varied attack types.

  URL-based: Controls access to websites based on URL categories but is not specifically aimed at handling diverse traffic types during attacks.

  Agent-based: Typically involves software agents on endpoints to monitor and enforce policies, not directly related to NGFW rules.

  References:

  CompTIA Security+ SY0-701 Exam Objectives, Domain 4.5 - Modify enterprise capabilities to enhance security (Behavioral-based rules on NGFW).

• Question 428:

  An IT team rolls out a new management application that uses a randomly generated MFA token sent to the administrator's phone. Despite this new MFA precaution, there is a security breach of the same software.

  Which of the following describes this kind of attack?

  A. Smishing
  B. Typosquatting
  C. Espionage
  D. Pretexting
  D. Pretexting

  ---

  Explanation

  Comprehensive and Detailed Explanation From Exact Extract:

  If MFA is in place yet attackers still breach the system, the compromise most likely resulted from social engineering, specifically pretexting. Pretexting occurs when an attacker fabricates a convincing scenario (a "pretext") to trick the victim into revealing authentication information, such as OTP codes, MFA prompts, or login details. Even strong MFA cannot prevent an attack when a human is tricked into voluntarily providing the code.

  Smishing (A) involves fraudulent SMS messages, but no messaging is mentioned in the scenario. Typosquatting (B) involves deceptive URLs that appear similar to legitimate sites and is unrelated to MFA compromise. Espionage (C) refers to stealing sensitive or national-security-related information, not bypassing MFA protections.

  Security+ SY0-701 details pretexting under Social Engineering Attacks, emphasizing that MFA does not fully mitigate human manipulation. Attackers frequently impersonate IT staff, vendors, or automated systems to convince victims to "verify" or "confirm" credentials. This perfectly matches a breach where MFA was present but still circumvented through deception.

• Question 429:

  A security analyst investigates abnormal outbound traffic from a corporate endpoint. The traffic is encrypted and uses non-standard ports.

  Which of the following data sources should the analyst use first to confirm whether this traffic is malicious?

  A. Application logs
  B. Vulnerability scans
  C. Endpoint logs
  D. Packet captures
  C. Endpoint logs

  ---

  Explanation

  When investigating abnormal outbound traffic originating from a specific endpoint, endpoint logs are the most appropriate first data source to review. According to CompTIA Security+ SY0-701, endpoint logs provide detailed visibility into process execution, user actions, service creation, network connections initiated by applications, and security agent detections. This context is critical for determining which process initiated the encrypted traffic and why it is using non-standard ports.

  Because the traffic is encrypted, packet captures (D) would reveal limited payload information and are more resource-intensive. Endpoint logs can quickly identify suspicious executables, command-line arguments, parent-child process relationships, and persistence mechanisms that indicate malware or command-and-control activity. Modern EDR tools rely heavily on endpoint telemetry for exactly this reason.

  Application logs (A) may be useful later but are limited to specific applications. Vulnerability scans (B) identify weaknesses, not active malicious behavior.

  Security+ SY0-701 emphasizes starting investigations as close to the suspected source as possible. Since the activity originates from a corporate endpoint, endpoint logs provide the fastest and most relevant confirmation of whether the traffic is malicious.

• Question 430:

  A company uses its backups to recover from a ransomware attack.

  Which of the following best guarantees that the backups are not infected?

  A. Immutability
  B. Destruction
  C. Sanitization
  D. Retention
  A. Immutability

  ---

  Explanation

  The correct answer is immutability, which is a critical concept in backup security and ransomware resilience as covered in the CompTIA Security+ SY0-701 study guide. Immutability ensures that backup data, once written, cannot be altered, modified, or deleted for a defined period of time. This protection is essential in ransomware recovery scenarios because modern ransomware often attempts to encrypt or delete backups to prevent recovery.

  Immutable backups are typically implemented using write-once-read-many (WORM) storage or immutable cloud storage configurations. When immutability is enforced, even administrators or attackers with elevated privileges cannot modify the backup contents during the retention window. As a result, organizations can be confident that their backups remain in a known-good, unaltered state, free from ransomware infection or tampering.

  The other options do not provide the same guarantee. Destruction refers to permanently deleting data, which would eliminate backups rather than protect them. Sanitization is the process of securely erasing data from storage media and is unrelated to preserving clean backups. Retention defines how long backups are kept but does not protect them from being modified or encrypted during that period.

  From a Security+ SY0-701 perspective, immutability is closely tied to resilience, recovery, and data protection strategies. It supports business continuity by ensuring that organizations can reliably restore systems after an attack. Immutable backups are a cornerstone of modern ransomware defense strategies because they prevent attackers from corrupting recovery data. Therefore, immutability is the best and most effective control to guarantee that backups used for recovery are not infected.