CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 571:

  Which of the following data roles is responsible for identifying risks and appropriate access to data?

  A. Owner
  B. Custodian
  C. Steward
  D. Controller
  A. Owner

  ---

  Explanation

  The data owner is the role responsible for identifying risks to data and determining who should have access to that data. The owner has the authority to make decisions about the protection and usage of the data, including setting access controls and ensuring that appropriate security measures are in place.

  References:

  CompTIA Security+ SY0-701 study materials, particularly in the domain of data governance and the roles and responsibilities associated with data management.

• Question 572:

  A newly implemented wireless network is designed so that visitors can connect to the wireless network for business activities. The legal department is concerned that visitors might connect to the network and perform illicit activities.

  Which of me following should the security team implement to address this concern?

  A. Configure a RADIUS server to manage device authentication.
  B. Use 802.1X on all devices connecting to wireless.
  C. Add a guest captive portal requiring visitors to accept terms and conditions.
  D. Allow for new devices to be connected via WPS.
  C. Add a guest captive portal requiring visitors to accept terms and conditions.

• Question 573:

  An employee asks a security analyst to scan a suspicious email that contains a link to a file on a file-sharing site. The analyst determines that the file is safe after downloading and scanning the file with antivirus software. When the employee opens the file, their device is infected with ransomware.

  Which of the following steps should the analyst have taken?

  A. Review the file in a code editor.
  B. Monitor the file connections with netstat -ano.
  C. Execute the file in a sandbox.
  D. Retrieve the file hash and check with OSINT.
  C. Execute the file in a sandbox.

  ---

  Explanation

  The best answer is C. Execute the file in a sandbox. Antivirus alone may miss new, obfuscated, or modified malware, including ransomware. A sandbox provides an isolated environment where the file can be safely executed and observed for malicious behavior such as: file encryption activity process spawning registry changes network callbacks persistence attempts.

  Why the other options are incorrect:

  A. Review the file in a code editor.Many malicious files are compiled, packed, or obfuscated, so this is not a reliable analysis method.

  B. Monitor the file connections with netstat -ano.This only shows network connections and would not fully reveal ransomware behavior.

  D. Retrieve the file hash and check with OSINT.This helps only if the malware is already known. New variants may not match existing threat intelligence. From a SY0-701 perspective, dynamic analysis in a sandbox is the strongest step for safely identifying malicious file behavior.

• Question 574:

  A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring.

  Which of the following strategies would best accomplish this goal?

  A. Logging all NetFlow traffic into a SIEM
  B. Deploying network traffic sensors on the same subnet as the servers
  C. Logging endpoint and OS-specific security logs
  D. Enabling full packet capture for traffic entering and exiting the servers
  D. Enabling full packet capture for traffic entering and exiting the servers

  ---

  Explanation

  Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 372-373

• Question 575:

  While analyzing SIEM alerts for a company ' s WAF, an incident response analyst observes the following:

  https://corporate-A.com/loadimage?filename=/etc/ https://corporate-A.com/loadimage?filename=../../etc/passwd https://corporate-A.com/loadimage?filename=.

  /etc/passwd Which of the following best describes the observed behavior?

  A. Credential replay
  B. Directory traversal
  C. Brute-force attack
  D. Resource exhaustion
  B. Directory traversal

  ---

  Explanation

  The best answer is B. Directory traversal. The URLs show attempts to manipulate the filename parameter in order to access sensitive files and directories on the server, especially: /etc/../../etc/passwd./etc/passwd.

  This is a classic directory traversal attack, also known as path traversal. The attacker is trying to move outside the intended directory structure and access protected operating system files. The reference to /etc/passwd is a common indicator of an attempt to read sensitive files on Unix/Linux systems. Why the other options are incorrect:

  A. Credential replayCredential replay involves reusing captured authentication credentials, which is not what these requests show.

  C. Brute-force attackA brute-force attack involves repeated guessing, usually of passwords, keys, or codes. That is not the behavior shown here.

  D. Resource exhaustionResource exhaustion involves overwhelming a system with requests or usage to reduce availability. These examples instead show attempts to access files through manipulated paths. From a Security+ standpoint, attacks using../ to escape directories are a well-known example of directory traversal, so B is the correct answer.

• Question 576:

  Which of the following is an example of a data protection strategy that uses tokenization?

  A. Encrypting databases containing sensitive data
  B. Replacing sensitive data with surrogate values
  C. Removing sensitive data from production systems
  D. Hashing sensitive data in critical systems
  B. Replacing sensitive data with surrogate values

  ---

  Explanation

  Tokenization replaces sensitive data with non-sensitive surrogate values that retain the necessary format but are meaningless without access to the original data.

  References:

  CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: "Data Masking and Tokenization".

• Question 577:

  Which of the following practices would be best to prevent an insider from introducing malicious code into a company's development process?

  A. Code scanning for vulnerabilities
  B. Open-source component usage
  C. Quality assurance testing
  D. Peer review and approval
  D. Peer review and approval

  ---

  Explanation

  Peer review and approval is a practice that involves having other developers or experts review the code before it is deployed or released. Peer review and approval can help detect and prevent malicious code, errors, bugs, vulnerabilities, and poor quality in the development process. Peer review and approval can also enforce coding standards, best practices, and compliance requirements. Peer review and approval can be done manually or with the help of tools, such as code analysis, code review, and code signing.

  References:

  CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 11: Secure Application Development, page 543

• Question 578:

  Which of the following threat actors would most likely target an organization by using a logic bomb within an internally-developed application?

  A. Nation-state
  B. Trusted insider
  C. Organized crime group
  D. Hacktivist
  B. Trusted insider

  ---

  Explanation

  A logic bomb is a malicious code segment hidden inside legitimate software that triggers under specific conditions (dates, system states, user actions). Because logic bombs require direct access to source code or the development environment, the most likely attacker is a trusted insider-especially a disgruntled developer or administrator with the ability to modify internal applications.

  Security+ SY0-701 emphasizes that insider threats have:

  Elevated access

  Knowledge of internal systems

  Ability to manipulate production code

  Motivation driven by revenge, termination, or personal grievances

  These factors make insiders uniquely capable of embedding logic bombs into internally-developed applications.

  Nation-state actors (A) typically target critical infrastructure or advanced espionage, not internal business apps. Organized crime groups (C) seek financial gain and generally do not have internal code access. Hacktivists (D) focus on ideological disruption, typically through external attacks, not internal code manipulation.

  Thus, the threat actor most likely to plant a logic bomb in internal software is B: Trusted insider.

• Question 579:

  A security analyst wants to automate a task that shares data between systems.

  Which of the following is the best option for the analyst to use?

  A. SOAR
  B. API
  C. SFTP
  D. RDP
  B. API

• Question 580:

  Which of the following risk management strategies is being used when a Chief Information Security Officer ignores known vulnerabilities identified during a risk assessment?

  A. Transfer
  B. Avoid
  C. Mitigate
  D. Accept
  D. Accept

  ---

  Explanation

  The correct answer is Accept because knowingly choosing not to address identified vulnerabilities is a formal example of risk acceptance. In the Security+ SY0-701 risk management framework, accepting risk means that leadership is aware of a vulnerability and its potential impact but decides to take no corrective action. This decision is typically based on factors such as cost, operational constraints, low likelihood of exploitation, or limited business impact.

  Risk acceptance is a deliberate management decision, not an oversight. When a Chief Information Security Officer ignores known vulnerabilities identified during a risk assessment, the organization is implicitly acknowledging the risk and choosing to tolerate it. The SY0-701 study guide emphasizes that risk acceptance must be informed and approved by appropriate leadership, as accountability remains with the organization if the risk materializes.

  Option A, Transfer, is incorrect because transferring risk involves shifting responsibility to a third party, such as purchasing cyber insurance or outsourcing services. Option B, Avoid, refers to eliminating risk entirely by discontinuing the risky activity, system, or process. Option C, Mitigate, involves implementing security controls to reduce the likelihood or impact of the risk, such as patching vulnerabilities or adding compensating controls.

  Accepting risk does not mean the vulnerability is harmless; it means leadership has determined that addressing it is not justified at that time. The SY0-701 objectives highlight that accepted risks should be documented, reviewed periodically, and reassessed as conditions change, especially if threat likelihood or business impact increases.

  In summary, ignoring known vulnerabilities after a risk assessment reflects a conscious decision to tolerate potential loss rather than reduce or eliminate it. This aligns directly with the risk acceptance strategy, making Option D the correct answer.