CompTIA Security+ Practice Test (SY0-701)

Geofencing allows for the setup of a virtual perimeter which can be configured to notify if a device leaves the indicated area. This differs from geolocation which will just show the current location of a device. Geolocation could be used for the purpose in the question but is not the most effective choice.

Disabling unnecessary services and ports on a server is indeed a recommended best practice in the security field, as it minimizes the number of potential entry points for an attacker, thus reducing the server's attack surface. Services and ports that are not needed for the server's operation can become vulnerabilities if they are left enabled and unsecured.

By using automation during the process of scaling computing resources, organizations can ensure that security baselines and policies are consistently applied across all new systems, reducing the chance of human error and maintaining security standards. This consistency is crucial as it helps in preventing configuration drift and the resulting vulnerabilities that may arise from manual intervention. Other options, albeit relevant to automation or security, do not directly address the core advantage of securing the scale-out process with automation.

The correct document for outlining the specific tasks, deliverables, and timeline in a vendor agreement is the Statement of Work. This document plays a crucial role in setting clear expectations and project details before work commences, ensuring that both parties are aligned on what is to be delivered, when, and in what manner. An agreement for services, on the other hand, defines the level of service performance and quality assurances rather than detailing the project specifics. A confidentiality agreement focuses on the protection of proprietary and sensitive information shared during the engagement and does not detail project specifics. A partnership agreement outlines the general terms of the partnership and cooperation between two entities, which again does not focus on the provision of services for a particular project like a Statement of Work does.

Adaptive Policy-driven access control, also known as risk-adaptive access control, is correct because it incorporates real-time risk assessments based on context, such as user behavior, device security status, and data sensitivity, to adapt access permissions dynamically, thereby limiting the scope of threats by granting access based on policies that respond to perceived risk levels. While Role-based access control (RBAC) is statically designed based on predefined roles and Discretionary access control (DAC) is based on the resource owner's discretion, neither adapts dynamically to changing threat landscapes. Mandatory access control (MAC) is policy-based but not adaptive to real-time risks.

Authorization is the component of AAA that indicates what a user is authorized to do on the network aka their permissions.

Tokenization transforms sensitive data into a token, which is a unique identifier that has no meaningful value outside of the tokenization system. Unlike encryption that can be reversed with the decryption key, tokenized data requires access to the original mapping in the tokenization system to convert it back, ensuring enhanced security by preventing reverse-engineering of the tokens if the database is compromised. In the case of protecting credit card information, tokenization is ideal because the tokens can be used for transactional processes without exposing actual credit card numbers.

The correct answer is Virtual Private Network (VPN) because it ensures that data transmitted over an unsecured network is encrypted and thus kept secure from interception. A VPN creates a secure tunnel for data packets to travel through an untrusted network, such as the internet, by encrypting the data before it is sent and decrypting it upon receipt.

Remote desktop is incorrect because it is a service that allows a user to connect to and control a computer from a remote location, but by itself does not provide encryption of data in transit.

File transfer protocol (FTP) is incorrect as it is used to transfer files between computers on a network but does not inherently provide encryption for data in transit.

Secure Shell (SSH) is incorrect because, while it does provide secure data communication through encryption, it is mainly intended for secure command execution and file transfer on remote computers, not for creating secure tunnels for general data traffic like a VPN does.

Tokenization is the correct method for replacing sensitive data with a unique identifier that is not sensitive, known as a token, which has no extrinsic or exploitable meaning or value. The process allows businesses to work with the essential information without exposing sensitive data—enhancing security while minimizing the impact on systems that need to use the data. Encryption, in contrast, protects data by converting it into a coded format that can be decrypted only with a key, making it different from tokenization. Salting is used to enhance the security of a hashing process by adding a unique value to the end of the password before hashing occurs, thus providing no data obfuscation or replacement on its own. Anonymization is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous, which is a broader concept than tokenization and does not necessarily use a token to replace sensitive data.

Examining the vendor's component sourcing and manufacturing processes for security vulnerabilities is essential in a supply chain analysis. This helps identify risks such as counterfeit parts, tampered hardware, or insecure manufacturing practices that could compromise the organization's security. Investigating trade compliance focuses on legal and regulatory adherence, not specific security risks in the supply chain. Arranging a product demonstration assesses functionality but does not reveal underlying security issues. Verifying compatibility ensures the hardware works with existing systems but does not address potential security vulnerabilities introduced by the new hardware.

The correct answer is 'Authentication' because the implemented access code from a hardware token is an additional authentication factor that must be presented along with the username and password. This is known as multi-factor authentication (MFA), which significantly increases the security by requiring multiple forms of verification before granting access.

The incorrect choices are: 'Authorization' refers to granting or denying rights to a user, resource, or service once authentication has been successful. 'Accounting' involves tracking user activities and resource usage, which could be for billing or auditing purposes. 'Non-repudiation' ensures that a person or entity cannot deny sending a message or transaction, which is not directly enhanced by the addition of a hardware token.

Jailbreaking removes the manufacturer's restrictions on mobile devices, allowing users to install unauthorized applications and bypass security features. This poses significant security risks as it can lead to the installation of unverified apps that may contain malware or compromise the device's integrity.

An outdated firmware might have vulnerabilities but does not directly lead to bypassing default security features in this manner. Malware infection could cause unauthorized applications to run but would not typically result in bypassed security features across multiple devices without additional indicators. Connecting to an unsecured Wi-Fi network exposes devices to network-based attacks but does not allow for bypassing of security features or installation of unauthorized applications on the device itself.

The first and most effective action to address the issue is to modify the permissions on the files to ensure that only the development team has access. This alteration directly addresses the problem identified during the audit by enforcing proper access controls, thereby preventing unauthorized access to sensitive information. Disabling the shared network drive would remove access for the authorized development team and is not a precise method of access control. Performing a user account review may surface additional issues but will not rectify the immediate concern of unauthorized access to the proprietary source code. Monitoring the file access patterns is a reactive approach and would not prevent further unauthorized access.

Loss of license is a potential consequence for an organization that fails to adhere to the terms set forth in the license agreement of a software product. This can occur if the organization uses more copies than allowed, fails to pay the required fees, or breaches any other terms of the license. Loss of license means the organization would no longer have the legal right to use the software, which could lead to operational disruptions and the need to find alternative solutions.

Data retention timeframes are pivotal to compliance since they dictate the specific duration for which data must be stored according to various legal and regulatory frameworks. Organizations are often required to retain certain records for a defined period to comply with laws and industry regulations. Retaining data for either too short or too long a period can lead to non-compliance and associated penalties. Having too broad or too narrow scopes in retention policies can be non-compliant or inefficient, respectively, but the actual retention period is the key factor that relates directly to legal and regulatory requirements.