CompTIA Security+ Practice Test (SY0-701)

The correct answer is preventive. Encryption is a technical control that functions as a preventive measure. It actively blocks unauthorized access by rendering data unreadable without the proper key, thereby preventing a data breach. Detective controls, such as log monitoring or intrusion detection systems, are used to identify incidents as they happen or after the fact. Corrective controls, like restoring from a backup, are used to limit the impact of an incident after it has occurred. Deterrent controls, such as warning banners, are intended to discourage potential attackers but do not technically block an action.

Full-disk (device) encryption protects data at rest by rendering the entire storage medium unreadable without proper authentication. If a device is lost or stolen, attackers cannot access corporate information without the decryption key. Disabling NFC, restricting device use to a geographic area, or lengthening the screen-lock timeout do not provide the same level of protection for locally stored data.

Transport/Communication Encryption is specifically designed to secure data in transit between locations like remote offices. It ensures confidentiality (privacy of the data) and integrity (no tampering of data), using either symmetric or asymmetric encryption methods, while also simplifying key management. Using Full-Disk Encryption would not be the best choice as it's designed to protect data at rest and does not inherently secure data in transit. Asymmetric Encryption by itself is not a complete solution for data in transit and could introduce complexity in key management. Steganography provides obfuscation by hiding the existence of data but does not on its own ensure data encryption and integrity.

Data masking intentionally substitutes realistic but fake values (for example, shuffling or substituting names, account numbers, or dates) for the original sensitive data. Because the format and fields remain consistent, developers, testers, and analysts can still use the data set, but the real values cannot be reconstructed. Techniques such as lossless compression, differential backup, and multifactor authentication do not serve this purpose: compression reduces file size, backup provides data recovery, and multifactor authentication verifies user identity rather than altering data.

Applying strong encryption to the database files, tables, or individual columns converts the plaintext records into ciphertext that can only be returned to readable form with the correct decryption key. This directly preserves confidentiality if the storage media, backups, or underlying server are compromised. Geographic restrictions only constrain where data is stored, masking substitutes fictitious values for limited use cases such as testing, and hashing creates digest values that detect tampering but does not hide the underlying data.

Establishing a well-defined contract that explicitly stipulates data protection and handling requirements is vital when a financial institution outsources credit card processing to a third party. This contract must delineate the expectations, roles, and responsibilities, including security controls and breach notification protocols, ensuring the service provider processes the data in compliance with the applicable data protection standards and legal obligations. While regular security audits and encrypting data in transit are important aspects of a comprehensive security strategy, they lack the overarching governance framework that a detailed contractual agreement provides. Data anonymization might reduce the risks associated with data handling but would not be feasible in the context of credit card transactions where personal data is inherently required for processing.

A hot site is a fully operational offsite data center equipped with hardware and software, configured to quickly assume operational responsibilities from a primary site in case of a disaster. This is the best option for business continuity as it enables rapid resumption of critical functions. A cold site, while being the least expensive, offers only space and utilities, requiring additional time to become operational. A warm site provides some pre-installed equipment but would still require additional time and effort to be fully operational. Therefore, a hot site offers the highest level of readiness for immediate disaster recovery.

Endpoint logs provide invaluable information regarding the activities occurring on individual systems. In this case, repeated login failures followed by a successful login often indicate a brute force attack, where an attacker has repeatedly attempted to log in using different passwords until the correct one is found. This is a common indication of a compromised account, which is why the answer detailing this pattern is correct. The other answers describe events that may be ordinary and not indicative of a security incident, such as a single successful login, periodic security scanning, or regular system updates.

The most prudent immediate action is to quarantine the message to prevent any potential harm while maintaining its integrity for further investigation. Initiating a review process entails examining headers, sender information, and URLs using automated or manual procedures without activating any potentially malicious elements. Initiating a company-wide alert may cause unnecessary panic before the threat is confirmed, replying to the sender could lead to further compromise, and shutting down network services is premature and disruptive without evidence of a widespread issue.

The Owner of a system or data is primarily responsible for determining the classification of the data and the controls necessary to protect it. They make decisions on how the data should be handled, dictate access controls, and are often decision-makers on acceptable risk levels for their data. While they may delegate certain tasks to others like Custodians or Processors, the Owner retains the ultimate responsibility for the data's security.

The most effective technique for this scenario is sandboxing. Sandboxing creates a controlled, isolated environment where a potentially malicious application can be executed and observed without risking harm to the host system or the network. Code signing is a method to verify the authenticity and integrity of software but does not isolate it at runtime. Input validation is used to sanitize data being entered into an application to prevent attacks like SQL injection. Static code analysis involves examining the source code for vulnerabilities without executing the program. None of these other options provide the necessary isolated runtime environment for safely analyzing the executable's behavior.

A Hardware Security Module (HSM) is a physical device that provides secure generation, storage, and management of cryptographic keys. HSMs are designed to protect keys from unauthorized access and are used to enhance security in encryption processes. A Key Management System is typically software-based and manages keys but doesn't provide the physical security level of an HSM. A Trusted Platform Module (TPM) is a hardware-based security chip embedded in devices, used mainly for device authentication and integrity verification rather than comprehensive key management. A Secure Enclave is a secure area within a processor, primarily used in mobile devices to store sensitive data, but it is not a standalone device like an HSM.

An air-gapped environment is a security measure in which a computer or network is physically isolated from all external networks. With no wired or wireless interfaces connected to outside systems, data cannot enter or leave electronically, creating a strong barrier against remote attacks. Serverless, microservices, and virtualized environments may still rely on network connectivity, so they do not provide the same level of isolation.

Security policies, standards, and guidelines do not directly stop or detect attacks. Instead, they provide direction by defining required behaviors and rules. Because they set expectations and guide how people and systems should act, they are categorized as directive controls. Detective controls identify incidents after they occur, preventive controls stop incidents, and corrective controls restore normal operations.

Risk transference is a strategy that involves shifting the financial consequences of a risk to a third party. Purchasing insurance is the most common example of risk transference, as it moves the potential financial loss from an incident to the insurance provider.

With asymmetric encryption, the sender uses the recipient's public key to encrypt the data. Only the holder of the mathematically related private key can decrypt that ciphertext, so confidentiality is preserved even if the encrypted traffic is intercepted. In contrast, symmetric encryption relies on a single shared secret key (Answer 1), digital signatures created with a sender's private key provide integrity and authentication-not confidentiality (Answer 3), and striping data across drives (Answer 4) is a storage redundancy technique unrelated to encryption.

A false negative occurs when a security control or detection tool fails to identify a real threat or vulnerability, incorrectly indicating that the environment is safe. This leaves actual risks unaddressed until discovered by other means. A false positive is the opposite problem-safe activity flagged as malicious. A true positive is an accurate alert on real malicious activity, while false security is not a formal term in detection theory.

Implementing DLP systems enables the organization to prevent certain types of sensitive data from being sent outside the corporate network, which directly addresses the concern of accidental data leakage mentioned in the scenario. While training on policy and the review of existing procedures may help reduce incidents, they are reactive measures that don't offer the technological prevention that DLP systems do. Role-based access controls are essential for limiting data access but would not necessarily prevent data from being sent to unauthorized recipients.

The email shows typical signs of a phishing attempt, including spelling errors, generic greetings, and unsolicited attachments. These characteristics are often used to trick recipients into divulging sensitive information or installing malware.

Authentication is the correct term for the process where an entity (user, system, or process) proves its identity to a verifying entity by providing the appropriate credentials. Authorization refers to the granting of rights and permissions post-authentication, and accounting refers to the tracking of user activities, while multifactor indicates a means or type of authentication, not the process itself.