CompTIA Security+ Practice Test (SY0-701)

In a tabletop exercise the key staff of an organization gather and discuss their actions during an incident (security incident, disaster, etc.). The staff is sometimes organized into blue and red teams (attackers and defenders). The exercise is used to train staff, promote collaboration and identify any weak spots in existing procedures and plans.

Vulnerability classification is a systematic process of sorting vulnerabilities into categories. This helps in understanding the nature of the vulnerability, its potential impact, and the methods for mitigation. It allows for an organized approach to prioritize vulnerabilities for remediation efforts.

MD5 (Message Digest 5) creates a 128 bit fixed output. SHA1 creates 160 bit outputs, SHA2 creates 256 bit outputs and RIP128 is a thing we made up that sounds pretty cool.

A feature known as a 'selective wipe' or 'corporate wipe' is designed for the scenario presented. It allows an organization to remove only the data and configurations that pertain to the company, preserving the personal information of the user. This is critical for organizations that allow the use of personal devices for work, to manage the risk associated with data retention when employees leave. A 'full wipe' would erase all data from the device, which affects personal information and therefore is not suitable. 'Remote locking' secures a device against unauthorized use, but it doesn't address the removal of data. 'Encryption' secures data but does not offer a method for selective removal of company data upon employee departure.

The correct answer is 'Shared Responsibility Model.' This model is essential in cloud computing as it clearly outlines what security controls are the responsibility of the cloud service provider and what controls are the responsibility of the customer. Understanding this division is key to maintaining security in a cloud environment.

Full-disk encryption is the correct choice because it encrypts the entire hard drive, including the operating system, applications, and all files. This ensures that if the laptop is lost or stolen, the data on it remains protected and inaccessible without the proper credentials or decryption key. Partition encryption would only protect specific partitions, which might leave other sensitive data exposed. File encryption is more granular and would not provide the broad protection needed for this scenario. Database encryption is intended for protecting data within databases and does not address the potential risk of entire drives being accessed through theft or loss.

The correct answer is Hardware Security Module (HSM). An HSM is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. It is resistant to tampering and integrates with existing systems to facilitate secure boot, disk encryption, and digital rights management, fitting the company's needs. Trusted Platform Module (TPM) is also dedicated hardware designed to protect hardware through integrated cryptographic keys, but it is typically used for securing individual computers rather than for managing keys across an organization. Secure Enclave provides hardware-based key management, primarily in mobile devices, and is less suitable for enterprise-scale key management and lacks the full functionality of an HSM. Lastly, Key Management System is a more general term for systems that manage cryptographic keys; however, it doesn't specify resistance to physical tampering or integration capabilities needed for secure boot or digital rights management, which an HSM provides.

Performing a vendor risk assessment is crucial as it helps an organization to identify, evaluate, and mitigate the risks associated with a potential vendor. The assessment can reveal security practices and compliance with industry standards, helping the organization understand the level of risk it may assume if entering into an agreement with the vendor. Orders such as 'Right-to-Audit Clause' and 'Due Diligence' are more focused on ongoing monitoring or the preparation for the audit process itself, though they are related to the broader scope of risk management. A 'Business Impact Analysis' is generally used for internal purposes to assess the impact of disruptions on the business and is less about evaluating third-party vendors.

A deterrent control is a control that simply deters from taking an action. The control in no way prevents the action from being taken but is only there to persuade not to. The other choices are other types of controls that serve other purposes.

You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.

Surveillance cameras are a common physical control used to provide visibility into the security of premises, allowing the detection of unauthorized or unusual activity without engaging in physical confrontations. They act as both a deterrent and a means to gather evidence. Bollards are designed to stop vehicles, not for surveillance purposes. Keypad door locks are access controls but do not necessarily provide visibility or detection of unauthorized entry. A mantrap controls access to secure areas but generally does not provide visibility of the area beyond its confines.

Log tampering is a deliberate act to manipulate or erase logs to hide unauthorized activities or to disrupt the integrity of the logging process. While logs can be lost due to technical issues such as configuration errors or system overload, sporadic and selective disappearance is more indicative of a deliberate effort to alter logs, which signifies that log tampering is the most likely explanation. Scheduled maintenance wouldn't selectively affect log entries, and time synchronization issues would cause discrepancies in timestamps rather than missing entries. Log rotation without archiving could lead to loss of older records, but would not usually result in sporadic missing entries.

FTP uses ports 20 and 21, so those should be left open and the others should be closed. Note: The question asks which should REMAIN open, not which should be closed.

Some Malware will attempt to contact a Command-and-Control (C2) server or network to let the creators of the malware know it has infected a target. The malware will then be given commands remotely from the C2 server to steal data, infect more hosts or begin monitoring the infected device. The act of calling a C2 server is also called a beacon. The communication with known C2 addresses is a common sign that an infection has occurred within a network. One common use of this type of Malware is for a botnet. The C2 server may for example then send a command to all infected devices to initiate a Distributed Denial of Service (DDOS) attack (this is just one example).

In most cloud service models, except for Infrastructure as a Service (IaaS), the responsibility for securing the application layer falls to the customer, not the cloud service provider. For example, in Platform as a Service (PaaS) and Software as a Service (SaaS), while the provider maintains the infrastructure, the customer is responsible for the application itself. With IaaS, customers are even responsible for managing the operating system, storage, and deployed applications. Therefore, stating that the responsibility is always with the provider is incorrect as it varies depending on the service model and the shared responsibility agreement.