CompTIA SY0-701 Online Practice Questions and Exam Preparation

CompTIA SY0-701 Online Questions & Answers

• Question 901:

  n administrator is investigating an incident and discovers several users' computers were infected with malware after viewing files that were shared with them. The administrator discovers no degraded performance in the infected machines and an examination of the log files does not show excessive failed logins.

  Which of the following attacks is most likely the cause of the malware?

  A. Malicious flash drive
  B. Remote access Trojan
  C. Brute-forced password
  D. Cryptojacking
  D. Cryptojacking

  ---

  Explanation

  Cryptojacking is the likely cause in this scenario. It involves malware that hijacks the resources of infected computers to mine cryptocurrency, usually without the user's knowledge. This type of attack doesn't typically degrade performance significantly or result in obvious system failures, which matches the situation described, where the machines showed no signs of degraded performance or excessive failed logins.

  References:

  CompTIA Security+ SY0-701 Course Content: Cryptojacking is covered under types of malware attacks, highlighting its stealthy nature and impact on infected systems.

• Question 902:

  An organization is required to provide assurance that its controls are properly designed and operating effectively.

  Which of the following reports will best achieve the objective?

  A. Red teaming
  B. Penetration testing
  C. Independent audit
  D. Vulnerability assessment
  C. Independent audit

• Question 903:

  An administrator investigating an incident is concerned about the downtime of a critical server due to a failed drive.

  Which of the following would the administrator use to estimate the time needed to fix the issue?

  A. MTTR
  B. MTBF
  C. RTO
  D. RPO
  A. MTTR

• Question 904:

  Which of the following is an algorithm performed to verify that data has not been modified?

  A. Hash
  B. Code check
  C. Encryption
  D. Checksum
  A. Hash

  ---

  Explanation

  A hash is an algorithm used to verify data integrity by generating a fixed-size string of characters from input data. If even a single bit of the input data changes, the hash value will change, allowing users to detect any modification to the data.

  Hashing algorithms like SHA-256 and MD5 are commonly used to ensure data has not been altered.

  References:

  CompTIA Security+ SY0-701 Course Content: Domain 6: Cryptography and PKI, which discusses the role of hashing in verifying data integrity.

• Question 905:

  Which of the following best describes a common use of OSINT?

  A. Monitoring internal systems and network traffic to detect abnormal behavior
  B. Installing and configuring security patches to fix known vulnerabilities
  C. Collecting information from public platforms to find possible security exposures
  D. Encrypting sensitive company data and storing it securely in the cloud
  C. Collecting information from public platforms to find possible security exposures

  ---

  Explanation

  OSINT stands for open source intelligence and is commonly used to gather information from publicly available sources to support security activities such as reconnaissance, threat intelligence, and identifying exposures (for example, leaked credentials, exposed infrastructure details, or public references to vulnerabilities). The Practice Tests book defines OSINT directly: "OSINT, or open source intelligence, is intelligence information obtained from public sources like search engines, websites, domain name registrars, and a host of other locations." That definition aligns precisely with option C's "collecting information from public platforms."

  The Study Guide similarly explains OSINT in the threat intelligence context: "Open source threat intelligence is threat intelligence that is acquired from publicly available sources." This supports the idea that OSINT is used to discover relevant information that may affect security posture-such as indicators, exposed assets, or details useful for defensive planning. The other options describe different operational activities: A is internal monitoring (SIEM/IDS/EDR style), B is patch management, and D is encryption/storage strategy-none are "open source intelligence."

  References:

  OSINT definition as intelligence obtained from public sources

  OSINT as threat intelligence acquired from publicly available sources.

• Question 906:

  An administrator discovers that some files on a database server were recently encrypted. The administrator sees from the security logs that the data was last accessed by a domain user.

  Which of the following best describes the type of attack that occurred?

  A. Insider threat
  B. Social engineering
  C. Watering-hole
  D. Unauthorized attacker
  A. Insider threat

  ---

  Explanation

  An insider threat is a type of attack that originates from someone who has legitimate access to an organization's network, systems, or data. In this case, the domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage.

  References:

  1: General Security Concepts, page 251. CompTIA Security+ Certification Kit: Exam SY0- 701, 7th Edition, Chapter

  1: General Security Concepts, page 252.

• Question 907:

  Which of the following would enable a data center to remain operational through a multiday power outage?

  A. Generator
  B. Uninterruptible power supply
  C. Replication
  D. Parallel processing
  A. Generator

  ---

  Explanation

  A generator can provide continuous power for extended periods during a power outage, as long as it has sufficient fuel. Unlike an Uninterruptible Power Supply (UPS), which is typically used to bridge short power interruptions, a generator is designed to sustain operations over longer durations, making it ideal for keeping a data center functional during a multiday outage.

• Question 908:

  The Chief Information Security Officer (CISO) requires that new servers include hardware-level memory encryption.

  Which of the following data states does the CISO want to protect?

  A. Data in use
  B. Data at rest
  C. Data in transit
  D. Data sovereignty
  A. Data in use

  ---

  Explanation

  Hardware-level memory encryption is designed to protect the contents of RAM from being read or stolen by an attacker who gains sufficient access (for example, through privileged malware, a hypervisor/host compromise, physical attacks like cold-boot techniques, or other memory-snooping methods). That maps directly to data in use, because "data in use" is the state where data is actively processed and often resides in memory during computation. The Study Guide explicitly defines the three data states and makes the connection to memory for data in use: "Data in use is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information." By contrast, data at rest focuses on storage media (disk, tape, cloud storage), data in transit focuses on network movement, and data sovereignty concerns jurisdiction/location requirements-none of which are directly addressed by encrypting RAM contents at the hardware level. Since the requirement is specifically "hardware-level memory encryption," the targeted data state is unambiguously data in use.

  References:

  Data state definitions-data in use includes data stored in memory while processing.

• Question 909:

  A security report shows that during a two-week test period, 80% of employees unwittingly disclosed their SSO credentials when accessing an external website. The organization purposely created the website to simulate a cost-free password complexity test.

  Which of the following would best help reduce the number of visits to similar websites in the future?

  A. Block all outbound traffic from the intranet.
  B. Introduce a campaign to recognize phishing attempts.
  C. Restrict internet access for the employees who disclosed credentials.
  D. Implement a deny list of websites.
  B. Introduce a campaign to recognize phishing attempts.

• Question 910:

  An administrator at a small business notices an increase in support calls from employees who receive a blocked page message after trying to navigate to a spoofed website.

  Which of the following should the administrator do?

  A. Deploy multifactor authentication.
  B. Decrease the level of the web filter settings
  C. Implement security awareness training.
  D. Update the acceptable use policy
  C. Implement security awareness training.

  ---

  Explanation

  In this scenario, employees are attempting to navigate to spoofed websites, which is being blocked by the web filter. To address this issue, the administrator should implement security awareness training. Training helps employees recognize phishing and other social engineering attacks, reducing the likelihood that they will attempt to access malicious websites in the future. Deploying multifactor authentication (MFA) would strengthen authentication but does not directly address user behavior related to phishing websites. Decreasing the level of the web filter would expose the organization to more threats. Updating the acceptable use policy may clarify guidelines but is not as effective as hands-on training for improving user behavior.