CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 741:

  Which of the following best describes the risk present after controls and mitigating factors have been applied?

  A. Residual
  B. Avoided
  C. Inherent
  D. Operational
  A. Residual

• Question 742:

  Which of the following can be used to compromise a system that is running an RTOS?

  A. Cross-site scripting
  B. Memory injection
  C. Replay attack
  D. Ransomware
  B. Memory injection

  ---

  Explanation

  Memory injection attacks are particularly dangerous for systems running a Real-Time Operating System (RTOS) because these systems often have limited resources and strict timing requirements, making them more susceptible to disruptions caused by injected code. Memory injection can compromise the system's integrity, allowing an attacker to alter its operation or cause it to behave unpredictably.

• Question 743:

  The help desk receives multiple calls that machines with an outdated OS version are running slowly. Several users are seeing virus detection alerts.

  Which of the following mitigation techniques should be reviewed first?

  A. Patching
  B. Segmentation
  C. Monitoring
  D. Isolation
  A. Patching

• Question 744:

  While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable.

  Which of the following actions would prevent this issue?

  A. Documenting the new policy in a change request and submitting the request to change management
  B. Testing the policy in a non-production environment before enabling the policy in the production network
  C. Disabling any intrusion prevention signatures on the "deny any" policy prior to enabling the new policy
  D. Including an "allow any" policy above the "deny any" policy
  B. Testing the policy in a non-production environment before enabling the policy in the production network

  ---

  Explanation

  A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall policy should be carefully designed and tested before being implemented, as a misconfigured policy can cause network disruptions or security breaches. A common best practice is to test the policy in a non-production environment, such as a lab or a simulation, before enabling the policy in the production network. This way, the technician can verify the functionality and

  performance of the policy, and identify and resolve any issues or conflicts, without affecting the live network. Testing the policy in a non-production environment would prevent the issue of the `deny any' policy causing several company servers to become unreachable, as the technician would be able to detect and correct the problem before applying the policy to the production network. Documenting the new policy in a change request and submitting the request to change management is a good practice, but it would not prevent the issue by itself. Change management is a process that ensures that any changes to the network are authorized, documented, and communicated, but it does not guarantee that the

  changes are error-free or functional. The technician still needs to test the policy before implementing it. Disabling any intrusion prevention signatures on the `deny any' policy prior to enabling the new policy would not prevent the issue, and it could reduce the security of the network. Intrusion prevention signatures are patterns that identify malicious or unwanted traffic, and allow the firewall to block or alert on such traffic. Disabling these signatures would make the firewall less effective in detecting and preventing attacks, and it would not affect the reachability of the company servers.

  Including an `allow any' policy above the `deny any' policy would not prevent the issue, and it would render the `deny any' policy useless. A firewall policy is processed from top to bottom, and the first matching rule is applied. An `allow any' policy would match any traffic and allow it to pass through the firewall, regardless of the source, destination, or protocol. This would negate the purpose of the `deny any' policy, which is to block any traffic that does not match any of the

  previous rules. Moreover, an `allow any' policy would create a security risk, as it would allow any unauthorized or malicious traffic to enter or exit the network.

  References:

  CompTIA Security+ SY0-701 Certification Study Guide, page 204- 205

  Professor Messer's CompTIA SY0-701 Security+ Training Course, video 2.1 - Network Security Devices, 8:00 - 10:00.

• Question 745:

  A security analyst needs to improve the company's authentication policy following a password audit.

  Which of the following should be included in the policy? (Choose two.)

  A. Length
  B. Complexity
  C. Least privilege
  D. Something you have
  E. Security keys
  F. Biometrics
  A. Length
  B. Complexity

• Question 746:

  Which of the following security threats aims to compromise a website that multiple employees frequently visit?

  A. Supply chain
  B. Typosquatting
  C. Watering hole
  D. Impersonation
  C. Watering hole

  ---

  Explanation

  The best answer is C. Watering hole. A watering hole attack occurs when an attacker compromises a website that a targeted group of users commonly visits. The attacker chooses that site because they know the intended victims are likely to access it during normal work activities. Once the site is compromised, the attacker can deliver malware, steal credentials, or exploit browser vulnerabilities. This exactly matches the scenario in the question: a website that multiple employees frequently visit is targeted for compromise.

  Why the other options are incorrect:

  A. Supply chainA supply chain attack targets vendors, software providers, or service providers in order to affect downstream customers. That is different from compromising a commonly visited website for a specific group of users.

  B.

  TyposquattingTyposquatting involves creating a fraudulent website with a name similar to a legitimate one so users accidentally visit it. The question describes compromising an existing site people already visit, not creating a lookalike domain.

  D. ImpersonationImpersonation involves pretending to be a trusted person or entity. It does not specifically describe compromising a frequently visited website. From a Security+ perspective, a compromised site used to target a specific population is a classic watering hole attack, so C is correct.

• Question 747:

  A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee's corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation.

  Which of the following logs should the analyst use as a data source?

  A. Application
  B. IPS/IDS
  C. Network
  D. Endpoint
  D. Endpoint

  ---

  Explanation

  An endpoint log is a file that contains information about the activities and events that occur on an end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide valuable data for security analysts, such as the processes running on the device, the network connections established, the files accessed or modified, the user actions performed, and the applications installed or updated. Endpoint logs can also record the details of any executable files running on the device, such as the name, path, size, hash, signature, and permissions of the executable. An application log is a file that contains information about the events that occur within a software application, such as errors, warnings, transactions, or performance metrics. Application logs can help developers and administrators troubleshoot issues, optimize performance, and monitor user behavior. However, application logs may not provide enough information about the executable files running on the device, especially if they are malicious or unknown.

  An IPS/IDS log is a file that contains information about the network traffic that is monitored and analyzed by an intrusion prevention system (IPS) or an intrusion detection system (IDS). IPS/IDS logs can help security analysts identify and block potential attacks, such as exploit attempts, denial-of-service (DoS) attacks, or malicious scans. However, IPS/IDS logs may not provide enough information about the executable files running on the device, especially if they are encrypted, obfuscated, or use legitimate protocols. A network log is a file that contains information about the network activity and communication that occurs between devices, such as IP addresses, ports, protocols, packets, or bytes. Network logs can help security analysts understand the network topology, traffic patterns, and bandwidth usage. However, network logs may not provide enough information about the executable files running on the device, especially if they are hidden, spoofed, or use proxy servers.

  Therefore, the best log type to use as a data source for additional information about the executable running on the machine is the endpoint log, as it can provide the most relevant and detailed data about the executable file and its behavior.

  References:

  https://www.crowdstrike.com/cybersecurity-101/observability/application-log/

  https://owasp.org/www-project-proactive-controls/v3/en/c9-security-logging

• Question 748:

  Which of the following should be used to ensure a device is inaccessible to a network-connected resource?

  A. Disablement of unused services
  B. Web application firewall
  C. Host isolation
  D. Network-based IDS
  C. Host isolation

  ---

  Explanation

  Host isolation ensures that a device is separated from the network, preventing it from accessing or being accessed by other network resources. This is typically achieved by quarantining the device.

  References:

  CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: "Isolation and Containment".

• Question 749:

  Which of the following should be used to ensure that a new software release has not been modified before reaching the user?

  A. Tokenization
  B. Encryption
  C. Hashing
  D. Obfuscation
  C. Hashing

  ---

  Explanation

  Hashing is the correct mechanism for ensuring that a software release has not been modified prior to reaching the end user. Hashing provides integrity verification by generating a fixed-length digest (such as SHA-256) from the original software package. When users download the software, they can compute the hash locally and compare it to the hash value published by the vendor. If the values match, the software has not been altered; if they differ, tampering or corruption has occurred.

  CompTIA Security+ SY0-701 emphasizes hashing as a core cryptographic control used to verify integrity for files, updates, patches, and software distributions. Hashing is extremely sensitive to change-altering even a single bit in the file results in a completely different hash value.

  Encryption (B) protects confidentiality, not integrity. Tokenization (A) replaces sensitive data with tokens and is unrelated to software integrity. Obfuscation (D) makes code harder to read but does not guarantee it has not been modified.

  Therefore, hashing is the most appropriate and reliable method to ensure software integrity before release.

• Question 750:

  An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software.

  Which of the following security techniques is the IT manager setting up?

  A. Hardening
  B. Employee monitoring
  C. Configuration enforcement
  D. Least privilege
  D. Least privilege

  ---

  Explanation

  The principle of least privilege is a security concept that limits access to resources to the minimum level needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity best practice that protects high-value data and assets from compromise or insider threat. Least privilege can be applied to different abstraction layers of a computing environment, such as processes, systems, or connected devices. However, it is rarely implemented in practice. In this scenario, the IT manager is setting up the principle of least privilege by restricting access to the administrator console of the help desk software to only two authorized users: the IT manager and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to the software configuration, data, or functionality by other help desk staff. The other help desk staff will only have access to the normal user interface of the software, which is sufficient for them to perform their job functions. The other options are not correct. Hardening is the process of securing a system by reducing its surface of vulnerability, such as by removing unnecessary software, changing default passwords, or disabling unnecessary services. Employee monitoring is the surveillance of workers' activity, such as by tracking web browsing, application use, keystrokes, or screenshots. Configuration enforcement is the process of ensuring that a system adheres to a predefined set of security settings, such as by applying a patch, a policy, or a template.

  References:

  https://en.wikipedia.org/wiki/Principle_of_least_privilege

  https://en.wikipedia.org/wiki/Principle_of_least_privilege