CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 771:

  A company identified the potential for malicious insiders to harm the organization.

  Which of the following measures should the organization implement to reduce this risk?

  A. Unified threat management
  B. Web application firewall
  C. User behavior analytics
  D. Intrusion detection system
  C. User behavior analytics

• Question 772:

  A security analyst is concerned malicious actors are lurking in an environment but has not received any alerts regarding suspicious activity.

  Which of the following should the analyst conduct to further investigate the presence of these actors?

  A. Threat hunting
  B. Digital forensics
  C. Vulnerability scanning
  D. E-discovery
  A. Threat hunting

  ---

  Explanation

  Threat hunting is a proactive security activity focused on identifying hidden or undetected threats within an environment, even when no alerts or indicators have been triggered. According to CompTIA Security+ SY0- 701, threat hunting assumes that attackers may already be present and actively evading traditional security controls such as SIEMs, IDS/IPS, or endpoint protection tools.

  Threat hunting involves manually analyzing logs, endpoint telemetry, network traffic, and behavioral patterns to uncover anomalies that automated systems may miss. This aligns directly with the scenario, where the analyst has a suspicion of malicious actors but no alerts confirming activity. Threat hunting helps identify advanced persistent threats (APTs), living-off-the-land techniques, credential misuse, and lateral movement that may not generate immediate alerts.

  Digital forensics (B) is typically performed after an incident has been confirmed. Vulnerability scanning (C) identifies weaknesses but does not detect active attackers. E-discovery (D) is a legal process for collecting electronically stored information and is not used for threat detection.

  Because the analyst is proactively searching for hidden threats without existing alerts, the correct action is A: Threat hunting.

• Question 773:

  A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team.

  Which of the following should the company implement to meet this requirement?

  A. VDI
  B. MDM
  C. VPN
  D. VPC
  A. VDI

  ---

  Explanation

  Virtual Desktop Infrastructure (VDI) allows a company to host desktop environments on a centralized server. Offshore teams can access these virtual desktops remotely, ensuring that sensitive data stays within the company's infrastructure without the need to provide physical devices to the team. This solution is ideal for maintaining data security while enabling remote work, as all data processing occurs on the company's secure servers.

  References:

  CompTIA Security+ SY0-701 Course Content: VDI is discussed as a method for securely managing remote access to company resources without compromising data security.

• Question 774:

  A security analyst is reviewing the following logs about a suspicious activity alert for a user's VPN log-ins:

  

  Which of the following malicious activity indicators triggered the alert?

  A. Impossible travel
  B. Account lockout
  C. Blocked content
  D. Concurrent session usage
  A. Impossible travel

• Question 775:

  A systems administrator is auditing all company servers to ensure they meet the minimum security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow file has permissions beyond the baseline recommendation.

  Which of the following commands should the systems administrator use to resolve this issue?

  A. chmod
  B. grep
  C. dd
  D. passwd
  A. chmod

  ---

  Explanation

  The chmod command is used to change file permissions on Unix and Linux systems. If the /etc/shadow file has permissions beyond the baseline recommendation, the systems administrator should use chmod to modify the file's permissions, ensuring it adheres to the security baseline and limits access to authorized users only.

  References:

  CompTIA Security+ SY0-701 study materials, focusing on system hardening and file permissions management.

• Question 776:

  A security analyst is reviewing the following logs:

  

  Which of the following attacks is most likely occurring?

  A. Password spraying
  B. Account forgery
  C. Pass-the-hash
  D. Brute-force
  A. Password spraying

  ---

  Explanation

  Password spraying is a type of brute force attack that tries common passwords across several accounts to find a match. It is a mass trial-and-error approach that can bypass account lockout protocols. It can give hackers access to personal or business accounts and information. It is not a targeted attack, but a high-volume attack tactic that uses a dictionary or a list of popular or weak passwords. The logs show that the attacker is using the same password ("password123") to attempt to log in to different accounts ("admin", "user1", "user2", etc.) on the same web server. This is a typical pattern of password spraying, as the attacker is hoping that at least one of the accounts has a weak password that matches the one they are trying. The attacker is also using a tool called Hydra, which is one of the most popular brute force tools, often used in cracking passwords for network authentication. Account forgery is not the correct answer, because it involves creating fake accounts or credentials to impersonate legitimate users or entities. There is no evidence of account forgery in the logs, as the attacker is not creating any new accounts or using forged credentials.

  Pass-the-hash is not the correct answer, because it involves stealing a hashed user credential and using it to create a new authenticated session on the same network. Pass-the-hash does not require the attacker to know or crack the password, as they use the stored version of the password to initiate a new session. The logs show that the attacker is using plain text passwords, not hashes, to try to log in to the web server. Brute-force is not the correct answer, because it is a broader term that encompasses different types of attacks that involve trying different variations of symbols or words until the correct password is found. Password spraying is a specific type of brute force attack that uses a single common password against multiple accounts. The logs show that the attacker is using password spraying, not brute force in general, to try to gain access to the web server.

  References:

  1: Password spraying: An overview of password spraying attacks ... - Norton,

  2: Security: Credential Stuffing vs. Password Spraying - Baeldung,

  3: Brute Force Attack: A definition + 6 types to know | Norton,

  4: What is a Pass-the-Hash Attack? - CrowdStrike,

  5: What is a Brute Force Attack? | Definition, Types & How It Works - Fortinet

• Question 777:

  Which of the following is the primary reason why false negatives on a vulnerability scan should be a concern?

  A. The system has vulnerabilities that are not being detected.
  B. The time to remediate vulnerabilities that do not exist is excessive.
  C. Vulnerabilities with a lower severity will be prioritized over critical vulnerabilities.
  D. The system has vulnerabilities, and a patch has not yet been released.
  A. The system has vulnerabilities that are not being detected.

  ---

  Explanation

  False negatives in vulnerability scanning occur when the scan fails to detect existing vulnerabilities. This is a concern because it means that the system has vulnerabilities, but they are not being identified and addressed, leaving the system potentially exposed to exploitation. Unlike false positives, which result in wasted time on vulnerabilities that aren't actually present, false negatives directly impact security by failing to identify real risks.

• Question 778:

  During a recent breach, employee credentials were compromised when a service desk employee issued an MFA bypass code to an attacker who called and posed as an employee.

  Which of the following should be used to prevent this type of incident in the future?

  A. Hardware token MFA
  B. Biometrics
  C. Identity proofing
  D. Least privilege
  C. Identity proofing

  ---

  Explanation

  To prevent the issuance of an MFA bypass code to an attacker posing as an employee, implementing identity proofing would be most effective. Identity proofing involves verifying the identity of individuals before granting access or providing sensitive information.

  Identity proofing: Ensures that the person requesting the MFA bypass is who they claim to be, thereby preventing social engineering attacks where attackers pose as legitimate employees.

  Hardware token MFA: Provides an additional factor for authentication but does not address verifying the requester's identity.

  Biometrics: Offers strong authentication based on physical characteristics but is not related to the process of issuing MFA bypass codes. Least privilege: Limits access rights for users to the bare minimum necessary to perform their work but does not prevent social engineering attacks targeting the service desk.

  References:

  CompTIA Security+ SY0-701 Exam Objectives, Domain 4.6 - Implement and maintain identity and access management (Identity proofing).

• Question 779:

  A company's accounts payable clerk receives a message from a vendor asking to change their bank account before paying an invoice. The clerk makes the change and sends the payment to the new account. Days later, the clerk receives another message from the same vendor with a request for a missing payment to the original bank account.

  Which of the following has most likely occurred?

  A. Phishing campaign
  B. Data exfiltration
  C. Pretext calling
  D. Business email compromise
  D. Business email compromise

• Question 780:

  A systems administrator receives a text message from an unknown number claiming to be the Chief Executive Officer of the company. The message states an emergency situation requires a password reset.

  Which of the following threat vectors is being used?

  A. Typosquatting
  B. Smishing
  C. Pretexting
  D. Impersonation
  B. Smishing

  ---

  Explanation

  Smishing is a type of phishing attack that uses SMS text messages to deceive recipients into taking actions such as revealing sensitive information. The urgency in the text indicates this vector.

  References:

  CompTIA Security+ SY0-701 Study Guide, Domain 2: Threats, Section: "Social Engineering Techniques".