CompTIA Security+ Practice Test (SY0-701)

The Information Security Policies document should guide the decision-making process as it outlines the organization's overarching rules, expectations, and practices related to maintaining information security. It provides a framework for ensuring that changes comply with the standards necessary to protect the company's information assets. The Acceptable Use Policy (AUP) mainly concerns how individuals are permitted to use company resources. The Software Development Lifecycle (SDLC) policy is generally specific to the creation of software rather than change management. Meanwhile, the Business Continuity Plan (BCP) is designed to guide operations post-disruption and is not primarily used for decision-making in change management.

A VPN that implements IPSec provides a high level of security by establishing an encrypted tunnel between the VPN client and the VPN server, which protects the privacy and integrity of data transmitted over public networks. IPSec operates at the network layer, allowing it to secure all traffic that passes through the tunnel, making it the best option for this scenario.

The correct answer is 'Review and align the security policies with the local/regional legal requirements.' When entering a new region, an organization must ensure that its security policies comply with local laws to avoid legal consequences and protect the company's reputation. Conducting a thorough review of the new region's legal requirements and aligning the organization's security policies accordingly is the most prudent initial step.

A brute force attack is a trial-and-error method used to decode encrypted data such as passwords. This type of attack systematically checks all possible combinations to discover the correct one, which can eventually allow an attacker to gain unauthorized access. This definition aligns with the description of a brute force attack.

Attestation involves creating a secure baseline of system components which are then compared against current system measurements to verify integrity. The verification step compares the current state against a set of known good values (trusted baseline) that could include measurements from binary files, configuration settings, or patches. Remote attestation extends this concept by allowing a system to report its state to a remote verifier. Hashing system files at startup and sending them to a central server compares current file states against known good hashes, but it is not specifically considered remote attestation which implies a challenge-response mechanism between a local and remote entity. Remote wiping a device and BIOS password protection are security controls to prevent unauthorized access and do not attest to the current state of the system's hardware or software.

Managerial controls are security controls that focus on the management of risk and the management of information system security. These controls are administrative in nature and include activities like creating security policies, conducting risk assessments, planning for business continuity, and performing security awareness training. The activities described in the scenario-risk assessment, policy creation, and defining roles-are all classic examples of managerial controls. Technical controls involve technology like firewalls, operational controls involve day-to-day procedures like reviewing logs, and physical controls involve tangible protections like fences and locks.

Presenting the information that applies a recognized scoring system to assess the severity of the vulnerabilities is correct, as it gives an objective measure of risk. This enables management to make informed decisions on which vulnerabilities to address first based on the potential impact. While identification by category, operating system, or the potential for data loss can provide important context, they do not inherently offer a mechanism for prioritization. Therefore, the key to an effective report is not only identifying the vulnerabilities but also clearly indicating which ones pose the greatest risk based on a standardized severity rating.

Load balancing effectively uses parallel processing by distributing incoming traffic across multiple servers, which not only manages the traffic surge during peak times but also provides redundancy in case one server fails. 'Database normalization' is a process used to optimize database design but does not directly apply to parallel processing for traffic management. 'Rate limiting' is used to control the traffic rate a single user or service can make to a web service but does not employ parallel processing to distribute workload. 'Single sign-on' (SSO) simplifies user authentication by using one set of login credentials for multiple services but is not related to the concept of parallel processing for handling increased load or capacity planning.

'Responsiveness' refers to the system's ability to acknowledge and react to requests in a timely manner. In security contexts, this ensures that the system can maintain service quality even under varying load conditions, which is critical to preventing denial-of-service attacks and ensuring user satisfaction.

Logging in from two geographically distant locations within a short time frame is indicative of impossible travel, suggesting that the user's credentials may have been compromised. This is a common indicator used to detect unauthorized access. Concurrent session usage involves a user being logged in from multiple locations or devices simultaneously, but not necessarily from implausible distances. Resource consumption refers to excessive use of system resources, which could indicate a denial-of-service attack. Out-of-cycle logging pertains to access attempts occurring outside of normal business hours or established patterns.

To estimate the Annualized Rate of Occurrence, which is the likelihood of a particular incident occurring within a one-year period, one must calculate the average occurrences over a given set of data. This is accomplished by adding the number of incidents for each year (1+2+3+4+4) and dividing by the number of years (5), resulting in an average of 2.8 incidents per year. This provides the closest estimate for the expected frequency over the next year, given the historical data.

Phishing simulations are a practical way to test whether employees can recognize and respond to social engineering attacks in a realistic but safe environment. By tracking metrics such as click rates, reporting rates, and time to report, simulations provide actionable data that highlights both strengths and gaps in user behavior. In contrast, unannounced network scans assess technical vulnerabilities rather than human behavior, quarterly newsletters only reinforce awareness without measuring it, and a post-training quiz checks short-term recall but not real-world application.

A deterrent control is designed to discourage potential attackers from attempting a security breach, making it the correct answer. Deterrent controls include things like warning signs or visible security measures that increase the perceived risk for attackers.

A false positive occurs when a security system incorrectly identifies benign activity as a threat. In this scenario, the system erroneously flagged normal network traffic as potentially malicious, which is a classic example of a false positive. It is crucial for security analysts to recognize and address false positives to avoid unnecessary responses to non-threatening activities.

Guidelines are recommendations that help an organization implement standards and policies. They are typically less formal, not mandatory, and provide suggested actions and best practices. In the scenario, the document offers helpful but not mandatory advice, which is the definition of a guideline.

• Standards are mandatory rules that specify minimum acceptable security levels, not flexible recommendations.
• Procedures are detailed, step-by-step instructions for performing specific tasks, not general best-practice advice.
• Regulations are laws or rules imposed by external bodies that an organization must legally follow.

The use of a Key Management Service (KMS) with encryption capabilities is the correct choice because it not only provides strong encryption but also facilitates efficient key management, which is crucial when dealing with backups that may need to be restored at any given time. It automates the lifecycle of cryptographic keys, including creation, rotation, deletion, and control of access to keys. Whole disk encryption, while secure, does not typically offer the same level of key management needed for a cloud-based environment. Manual symmetric key management could be prone to human error and does not scale efficiently. Database field encryption only encrypts specific fields and may not cover the entire backup dataset as required.

Uninstalling software applications that are not essential to a system's primary functions directly benefits security by reducing the number of potential attack vectors available to a threat actor. Every piece of software can introduce vulnerabilities, and non-essential applications may not be maintained with the same rigor as critical ones, leading to increased security risks. By minimizing the number of installed programs, the scope for vulnerabilities is narrowed, bolstering the system's resilience to cyber threats.

A Virtual Local Area Network (VLAN) is the appropriate solution for logically segmenting a network on shared physical infrastructure like a switch. By placing the Engineering and Marketing departments on separate VLANs, the administrator creates two distinct broadcast domains. This prevents traffic from one department from being directly visible to the other, enhancing security and containment. While installing a separate physical switch would achieve separation, it is a physical solution, not logical, and is less efficient. A Layer 4 firewall filters traffic based on port numbers, and an Intrusion Prevention System (IPS) actively monitors for threats, but neither provides the fundamental logical network separation on a single switch that VLANs are designed for.

Network logs are a primary resource for monitoring internal network traffic, which includes tracking unauthorized data flow or lateral movement within the organization's network infrastructure. Application logs are focused on specific software and may not capture network-wide traffic data. Endpoint logs give insight into individual host activity and might not show comprehensive internal traffic patterns. System health reports are typically concerned with the performance and health of systems, and do not usually provide the granular traffic data needed for tracking lateral movements.

The process of hardening a server should begin with updating the server to the latest stable version of the operating system, including all the available security patches. This action addresses known vulnerabilities and reduces the number of potential attack vectors that could be exploited. Configuring a firewall, setting account lockout policies, and conducting a vulnerability scan are important hardening steps, but they come after ensuring that the server is running the most secure operating system version available.