CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 511:

  A security administrator needs to create firewall rules for the following protocols: RTP, SIP, H.323. and SRTP.

  Which of the following does this rule set support?

  A. RTOS
  B. VoIP
  C. SoC
  D. HVAC
  B. VoIP

• Question 512:

  A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports.

  Which of the following vulnerabilities has likely been exploited in this software?

  A. Memory injection
  B. Race condition
  C. Side loading
  D. SQL injection
  A. Memory injection

  ---

  Explanation

  Memory injection vulnerabilities allow unauthorized code or commands to be executed within a software program, leading to abnormal behavior such as generating outbound traffic over random high ports. This issue often arises from software not properly validating or encoding input, which can be exploited by attackers to inject malicious code.

  References:

  CompTIA Security+ SY0-701 course content and official CompTIA study resources.

• Question 513:

  Which of the following can best protect against an employee inadvertently installing malware on a company system?

  A. Host-based firewall
  B. System isolation
  C. Least privilege
  D. Application allow list
  D. Application allow list

  ---

  Explanation

  An application allow list is a security technique that specifies which applications are authorized to run on a system and blocks all other applications. An application allow list can best protect against an employee inadvertently installing malware on a company system because it prevents the execution of any unauthorized or malicious software, such as viruses, worms, trojans, ransomware, or spyware. An application allow list can also reduce the attack surface and improve the performance of the system.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 11: Secure Application Development, page 551

• Question 514:

  A security administrator identifies an application that is storing data using MD5.

  Which of the following best identifies the vulnerability likely present in the application?

  A. Cryptographic
  B. Malicious update
  C. Zero day
  D. Side loading
  A. Cryptographic

  ---

  Explanation

  The vulnerability likely present in the application that is storing data using MD5 is a cryptographic vulnerability. MD5 is considered to be a weak hashing algorithm due to its susceptibility to collision attacks, where two different inputs produce the same hash output, compromising data integrity and security.

  Cryptographic: Refers to vulnerabilities in cryptographic algorithms or implementations, such as the weaknesses in MD5.

  Malicious update: Refers to the intentional injection of harmful updates, not related to the use of MD5.

  Zero day: Refers to previously unknown vulnerabilities for which no patch is available, not specifically related to MD5.

  Side loading: Involves installing software from unofficial sources, not directly related to the use of MD5.

  References:

  CompTIA Security+ SY0-701 Exam Objectives, Domain 1.4 - Explain the importance of using appropriate cryptographic solutions (MD5 vulnerabilities).

• Question 515:

  A Chief Information Officer wants to ensure that network devices cannot connect to the public internet and the local network to directly perform firmware updates. The IT team must manually perform the update process by using a portable device.

  Which of the following architecture types best fits this description?

  A. Microservices
  B. Air-gapped
  C. Software-defined networking
  D. Serverless
  B. Air-gapped

  ---

  Explanation

  The correct answer is Air-gapped because this architecture deliberately isolates systems from external and internal networks to prevent any direct electronic communication. In the Security+ SY0-701 domain of Security Architecture, air-gapped environments are used to achieve the highest level of protection against network-based threats by physically or logically separating critical systems from untrusted networks such as the internet or even the organization's internal network.

  In this scenario, the CIO requires that network devices cannot connect to the public internet or the local network for firmware updates, and that updates must be performed manually using a portable device. This is a defining characteristic of an air-gapped architecture. Air-gapped systems rely on controlled, manual transfer methods-such as USB drives or other removable media-to introduce updates, ensuring that malware, remote exploits, and supply-chain-based network attacks cannot reach the isolated systems through traditional network paths.

  Option A, Microservices, refers to an application design model where software is built as loosely coupled services and does not address physical or logical network isolation. Option C, Software-defined networking, focuses on centralized and programmable network control, not network disconnection. Option D, Serverless, is a cloud computing model where infrastructure management is abstracted away from developers and is incompatible with isolated, offline environments.

  The SY0-701 study guide highlights air-gapped architectures as common in high-security environments such as industrial control systems, military systems, financial infrastructure, and environments requiring maximum protection against zero-day exploits and remote compromise. While air-gapping introduces operational overhead and update delays, it significantly reduces attack surface and exposure to external threats.

  In summary, an architecture that requires manual updates via portable media and prevents any direct network connectivity is best described as air-gapped, making option B the correct answer.

• Question 516:

  A security analyst at an organization observed several user logins from outside the organization's network. The analyst determined that these logins were not performed by individuals within the organization.

  Which of the following recommendations would reduce the likelihood of future attacks? (Choose two.)

  A. Disciplinary actions for users
  B. Conditional access policies
  C. More regular account audits
  D. Implementation of additional authentication factors
  E. Enforcement of content filtering policies
  F. A review of user account permissions
  B. Conditional access policies
  D. Implementation of additional authentication factors

• Question 517:

  A company wants to protect a specialized legacy platform that controls the physical flow of gas inside of pipes.

  Which of the following environments does the company need to secure to best achieve this goal?

  A. IaaS
  B. SCADA
  C. SDN
  D. IoT
  B. SCADA

  ---

  Explanation

  Systems that control physical industrial processes-such as pumping gas, water control, electrical grids, or manufacturing lines-fall under SCADA (Supervisory Control and Data Acquisition) environments. SCADA systems are part of larger OT (Operational Technology) infrastructures and manage sensors, actuators, valves, flow controls, and telemetry.

  CompTIA Security+ SY0-701 explains that SCADA environments typically:

  Use legacy protocols (e.g., Modbus, DNP3)

  Require high availability

  Often run outdated operating systems

  Have control systems that cannot easily be patched

  Require specialized segmentation and monitoring

  This exactly matches the scenario describing a "specialized legacy platform controlling gas flow inside pipes."

  IaaS (A) is cloud infrastructure and unrelated to industrial control. SDN (C) relates to software-defined networking, not physical industrial controls. IoT (D) includes smart devices but is not typically used for large-scale industrial gas control.

  Thus, securing SCADA is the correct answer.

• Question 518:

  Which of the following describes the reason root cause analysis should be conducted as part of incident response?

  A. To gather loCs for the investigation
  B. To discover which systems have been affected
  C. To eradicate any trace of malware on the network
  D. To prevent future incidents of the same nature
  D. To prevent future incidents of the same nature

  ---

  Explanation

  Root cause analysis is a process of identifying and resolving the underlying factors that led to an incident. By conducting root cause analysis as part of incident response, security professionals can learn from the incident and implement corrective actions to prevent future incidents of the same nature. For example, if the root cause of a data breach was a weak password policy, the security team can enforce a stronger password policy and educate users on the importance of password security. Root cause analysis can also help to improve security processes, policies, and procedures, and to enhance security awareness and culture within the organization. Root cause analysis is not meant to gather loCs (indicators of compromise) for the investigation, as this is a task performed during the identification and analysis phases of incident response. Root cause analysis is also not meant to discover which systems have been affected or to eradicate any trace of malware on the network, as these are tasks performed during the containment and eradication phases of incident response.

  References:

  CompTIA Security+ SY0-701 Certification Study Guide, page 424-425

  Professor Messer's CompTIA SY0-701 Security+ Training Course, video 5.1 - Incident Response, 9:55 - 11:18.

• Question 519:

  After completing an annual external penetration test, a company receives the following guidance:

  Decommission two unused web servers currently exposed to the internet.

  Close 18 open and unused ports found on its existing production web servers.

  Remove company email addresses and contact information from public domain registration records.

  Which of the following does this represent?

  A. Attack surface reduction
  B. Vulnerability assessment
  C. Tabletop exercise
  D. Business impact analysis
  A. Attack surface reduction

• Question 520:

  An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a "page not found" error message.

  Which of the following types of social engineering attacks occurred?

  A. Brand impersonation
  B. Pretexting
  C. Typosquatting
  D. Phishing
  D. Phishing

  ---

  Explanation

  Phishing is the correct answer because the attack uses a fraudulent email containing a malicious link to trick the user into entering credentials on a fake website. The key element in this scenario is the delivery method-an email prompting the user to click a link and submit sensitive information.

  Importantly, this phishing attack leverages brand impersonation as part of its effectiveness. The attacker pretends to be a legitimate payment website to gain the user's trust, which is a common phishing tactic. However, "brand impersonation" is not a standalone attack type in this context; it is a technique used within phishing.

  The "page not found" message after credential submission further indicates a fake site designed only to harvest credentials.

  Therefore, while impersonation is involved, the overall attack type is phishing.

  References:

  Other Social Engineering Attacks -CompTIA Security+ SY0-701 -2.2, CompTIA Security+: Social Engineering Techniques&

  Other Attack ... - NICCS, [CompTIA Security+ Study Guide with over 500 Practice Test Questions:Exam SY0-701,

  9th Edition]