CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 691:

  A network security analyst monitors the network's IDS, which has flagged unusual activity. The IDS has detected multiple login attempts to a database server within a short period. These attempts come from various IP addresses that are not normally recognized by the network's usual traffic patterns. Each attempt uses the same username and password. Based on the following log output (corrected formatting for readability):

  2025-04-10 14:22:01.4532 - Source IP: 192.168.15.101 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:02.1122 - Source IP: 192.168.15.102 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:02.7835 - Source IP: 192.168.15.103 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:03.5637 - Source IP: 192.168.15.104 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:04.9474 - Source IP: 192.168.15.105 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:05.5673 - Source IP: 192.168.15.106 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:06.1573 - Source IP: 192.168.15.107 - Status: Failed - User: JDoe - Action: Login Attempt

  2025-04-10 14:22:07.7462 - Source IP: 192.168.15.108 - Status: Failed - User: JDoe - Action: Login Attempt

  Which of the following types of network attacks is most likely occurring?

  A. Cross-site scripting
  B. Credential replay
  C. Distributed denial of service
  D. SQL injection
  B. Credential replay

  ---

  Explanation

  The logs show multiple login attempts to the same account (JDoe) using the same username and password within a very short period. These attempts originate from different IP addresses, indicating that the same credentials are being reused repeatedly from multiple sources.

  This behavior is characteristic of a credential replay attack. In a credential replay attack, previously obtained credentials are reused to attempt authentication across systems or services.

  Cross-site scripting (A) involves injecting malicious scripts into web pages viewed by other users. Distributed denial of service (C) focuses on overwhelming a system with traffic to disrupt service availability. SQL injection (D) involves injecting malicious SQL statements into input fields to manipulate a database.

  Therefore, the most likely attack is B: Credential replay.

• Question 692:

  While updating the security awareness training, a security analyst wants to address issues created if vendors' email accounts are compromised.

  Which of the following recommendations should the security analyst include in the training?

  A. Refrain from clicking on images included in emails from new vendors
  B. Delete emails from unknown service provider partners.
  C. Require that invoices be sent as attachments
  D. Be alert to unexpected requests from familiar email addresses
  D. Be alert to unexpected requests from familiar email addresses

  ---

  Explanation

  Compromised vendor email accounts can be used to send phishing emails or fraudulent requests that appear legitimate. Employees should be trained to recognize and scrutinize unexpected requests even when they come from familiar email addresses, as this is a common tactic in phishing and business email compromise (BEC) attacks. This recommendation directly addresses the risk posed by compromised vendor accounts.

• Question 693:

  A nation-state attacker gains access to the email accounts of several journalists by compromising a website that the journalists frequently use.

  Which of the following types of attacks describes this example?

  A. On-path
  B. Watering-hole
  C. Typosquatting
  D. Brand impersonation
  B. Watering-hole

  ---

  Explanation

  The correct answer is Watering-hole because the attack involves compromising a legitimate website that is regularly visited by a specific group of targeted users-in this case, journalists-in order to indirectly infect or compromise them. The Security+ SY0-701 study guide defines watering-hole attacks as targeted attacks where adversaries identify websites frequented by their intended victims and then compromise those sites to deliver malware, steal credentials, or conduct further exploitation.

  In this scenario, the attacker does not directly target the journalists' email systems. Instead, the attacker compromises a trusted website that the journalists frequently access. When the journalists visit the site, malicious code can be delivered through drive-by downloads, malicious scripts, or credential-harvesting mechanisms. This technique is particularly effective for nation-state attackers because it leverages trust and normal user behavior, making detection more difficult.

  Option A, On-path, is incorrect because on-path (man-in-the-middle) attacks involve intercepting or altering communications between two parties in transit, rather than compromising a third-party website. Option C, Typosquatting, involves registering domains with misspelled names to trick users into visiting malicious sites, which is not described here. Option D, Brand impersonation, typically refers to phishing or spoofing attacks that mimic a trusted brand to deceive users, often via email or fake websites, rather than compromising a legitimate one.

  The SY0-701 objectives emphasize that watering-hole attacks are commonly associated with advanced persistent threats (APTs), including nation-state actors, because they allow precise targeting of specific industries, professions, or organizations. This attack method highlights the importance of browser security, threat intelligence, web filtering, and user awareness to reduce exposure to trusted-but-compromised resources.

  In summary, compromising a frequently used website to gain access to a targeted group's accounts is a textbook example of a watering-hole attack.

• Question 694:

  A company wants to add an MFA solution for all employees who access the corporate network remotely. Log-in requirements include something you know, are, and have. The company wants a solution that does not require purchasing third-party applications or specialized hardware.

  Which of the following MFA solutions would best meet the company's requirements?

  A. Smart card with PIN and password
  B. Security questions and a one-time passcode sent via email
  C. Voice and ngerprint verification with an SMS one-time passcode
  D. Mobile application-generated, one-time passcode with facial recognition
  B. Security questions and a one-time passcode sent via email

• Question 695:

  A network team segmented a critical, end-of-life server to a VLAN that can only be reached by specific devices but cannot be reached by the perimeter network.

  Which of the following best describe the controls the team implemented? (Choose two.)

  A. Managerial
  B. Physical
  C. Corrective
  D. Detective
  E. Compensating
  F. Technical
  G. Deterrent
  E. Compensating
  F. Technical

• Question 696:

  An organization is required to maintain financial data records for three years and customer data for five years.

  Which of the following data management policies should the organization implement?

  A. Retention
  B. Destruction
  C. Inventory
  D. Certification
  A. Retention

  ---

  Explanation

  The organization should implement a retention policy to ensure that financial data records are kept for three years and customer data for five years. A retention policy specifies how long different types of data should be maintained and when they should be deleted.

  Retention: Ensures that data is kept for a specific period to comply with legal, regulatory, or business requirements.

  Destruction: Involves securely deleting data that is no longer needed, which is part of the retention lifecycle but not the primary focus here.

  Inventory: Involves keeping track of data assets, not specifically about how long to retain data.

  Certification: Ensures that processes and systems meet certain standards, not directly related to data retention periods.

  References:

  CompTIA Security+ SY0-701 Exam Objectives, Domain 5.2 - Risk management process (Data retention).

• Question 697:

  Which of the following is the act of proving to a customer that software developers are trained on secure coding?

  A. Assurance
  B. Contract
  C. Due diligence
  D. Attestation
  B. Contract

• Question 698:

  Which of the following is the most likely reason a security analyst would review SIEM logs?

  A. To check for recent password reset attempts
  B. To monitor for potential DDoS attacks
  C. To assess the scope of a privacy breach
  D. To see correlations across multiple hosts
  D. To see correlations across multiple hosts

• Question 699:

  A client asked a security company to provide a document outlining the project, the cost, and the completion time frame.

  Which of the following documents should the company provide to the client?

  A. MSA
  B. SLA
  C. BPA
  D. SOW
  D. SOW

  ---

  Explanation

  An ISOW is a document that outlines the project, the cost, and the completion time frame for a security company to provide a service to a client. ISOW stands for Information Security Operations Work, and it is a type of contract that specifies the scope, deliverables, milestones, and payment terms of a security project. An ISOW is usually used for one-time or short-term projects that have a clear and defined objective and outcome. For example, an ISOW can be used for a security assessment, a penetration test, a security audit, or a security training.

  The other options are not correct because they are not documents that outline the project, the cost, and the completion time frame for a security company to provide a service to a client. A MSA is a master service agreement, which is a type of contract that establishes the general terms and conditions for a long-term or ongoing relationship between a security company and a client. A MSA does not specify the details of each individual project, but rather sets the framework for future projects that will be governed by separate statements of work (SOWs). A SLA is a service level agreement, which is a type of contract that defines the quality and performance standards for a security service provided by a security company to a client. A SLA usually includes the metrics, targets, responsibilities, and penalties for measuring and ensuring the service level. A BPA is a business partnership agreement, which is a type of contract that establishes the roles and expectations for a strategic alliance between two or more security companies that collaborate to provide a joint service to a client. A BPA usually covers the objectives, benefits, risks, and obligations of the partnership.

  References:

  CompTIA Security+ Study Guide (SY0-701), Chapter 8: Governance, Risk, and Compliance, page 387. Professor Messer's CompTIA SY0-701 Security+ Training Course, Section 8.2: Compliance and Controls, video: Contracts and Agreements (5:12).

• Question 700:

  Which of the following security measures is required when using a cloud-based platform for IoT management?

  A. Encrypted connection
  B. Federated identity
  C. Firewall
  D. Single sign-on
  A. Encrypted connection