CompTIA Security+ Practice Test (SY0-701)

Surveillance cameras provide continuous visual coverage, enabling staff to detect and verify unauthorized activity from a safe location while also recording evidence. They serve as both a deterrent and a detective control. Bollards are intended to stop or slow vehicles but do not provide visual monitoring. Keypad door locks regulate entry but offer no real-time visibility into an attempted breach. A mantrap limits access to one person at a time but typically lacks external video coverage of wider areas, so it does not satisfy the requirement for remote visibility.

The correct answer is Hardware Security Module (HSM). An HSM is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. It is resistant to tampering and integrates with existing systems to facilitate secure boot, disk encryption, and digital rights management, fitting the company's needs. Trusted Platform Module (TPM) is also dedicated hardware designed to protect hardware through integrated cryptographic keys, but it is typically used for securing individual computers rather than for managing keys across an organization. Secure Enclave provides hardware-based key management, primarily in mobile devices, and is less suitable for enterprise-scale key management and lacks the full functionality of an HSM. Lastly, Key Management System is a more general term for systems that manage cryptographic keys; however, it doesn't specify resistance to physical tampering or integration capabilities needed for secure boot or digital rights management, which an HSM provides.

Open Authorization, commonly known as OAuth, is best suited for this purpose. OAuth is a protocol that enables applications to obtain limited access to user accounts on an HTTP service without passing user credentials to the application. It works by using access tokens provided by the authorization server, which mediate the authentication of the end user by the information provider.

• LDAP (Lightweight Directory Access Protocol) is primarily used for accessing and maintaining distributed directory information services over an IP network, which is not the goal in this scenario.
• RADIUS (Remote Authentication Dial-In User Service) provides centralized authentication, authorization, and accounting for users who connect and use a network service, but does not cater to the specific needs of application-to-application authorization.
• TACACS+ (Terminal Access Controller Access-Control System Plus) provides detailed accounting information and flexible administrative control over authentication and authorization processes, but it is not designed for delegating user authorization between web services.

A deterrent control is a control that simply deters from taking an action. The control in no way prevents the action from being taken but is only there to persuade not to. The other choices are other types of controls that serve other purposes.

Under the shared-responsibility model, duties move up the stack as you transition from IaaS to SaaS:

• IaaS: The customer controls and secures the guest OS and anything above it, including the application code.
• PaaS: The provider secures the underlying OS and runtime, but the customer still secures any applications they develop and deploy on the platform.
• SaaS: The provider operates and patches the application itself, while the customer focuses on data protection, identity, and configuration. Therefore, the most accurate statement is that responsibility varies by service model: the customer handles the application layer in IaaS and usually in PaaS, whereas the provider handles it in SaaS.

The Recovery Point Objective (RPO) represents the maximum period of data that an organization can tolerate losing during a disaster event. A tighter RPO calls for more frequent backups, whereas a lenient RPO allows for less frequent backups. Understanding the RPO helps to determine the backup schedule that aligns with the business's data loss tolerance. On the contrary, Recovery Time Objective (RTO) focuses on the maximum amount of time an organization can tolerate to recover operations. Meanwhile, Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) pertain to financial impacts of data loss and do not directly dictate backup frequencies.

A Layer 2 switch creates a separate collision domain on every port, so frames are forwarded only to the intended interface rather than to all connected devices. When VLANs are configured, the switch also establishes separate broadcast domains, ensuring that broadcast traffic is contained within each VLAN and not forwarded to ports assigned to other VLANs. Routers inherently break up broadcast domains but do not reduce collisions on individual access links. Hubs place all connected hosts in one shared collision and broadcast domain, and wireless access points segment neither collisions nor broadcasts in a wired network.

Resource provisioning refers to the process of allocating and managing computing resources, like user accounts and permission sets, to users or systems in a way that aligns with organizational security policies. Incorrect answers might seem plausible because they involve similar processes, but they do not accurately describe the act of resource allocation and management as resource provisioning does.

Automated monitoring and alerting systems provide real-time detection of security events, which significantly reduce response times to potential incidents. By setting thresholds and parameters for normal network behavior, these systems can promptly identify and report suspicious activities, enabling quicker remediation. While all other options may contribute to effective security practices, automated alerting will most directly address the current delays and inconsistencies in incident detection and reporting, leading to improved security posture.

A tabletop exercise is a discussion-based session where key personnel meet to discuss their roles and responses to a simulated security incident, without using actual systems. This method is used to identify gaps in plans and procedures. A simulation, in contrast, is a more hands-on exercise that involves interacting with a simulated environment. Incident Response Planning (IRP) and Disaster Recovery Planning (DRP) refer to the overall process of creating the plans themselves, not the act of testing them through an exercise.

The correct answer is the Shared Responsibility Model. This model outlines the security obligations of the cloud service provider versus the customer. In an IaaS model, the provider is responsible for the security of the cloud (i.e., the physical infrastructure), while the customer is responsible for security in the cloud. This includes securing and patching the guest operating system, managing applications, and protecting data. A Service Level Agreement (SLA) focuses on service performance metrics like uptime and response times, not the comprehensive division of security duties. The Cloud Control Matrix is a specific framework of security controls used for assessment and compliance, not the high-level conceptual model of responsibility itself.

MD5 (Message Digest 5) is a hashing algorithm that produces a 128-bit fixed-size hash value. It is considered a legacy algorithm with known vulnerabilities and is no longer recommended for security purposes like password hashing. SHA-1 produces a 160-bit hash. SHA-256 is part of the SHA-2 family and produces a 256-bit hash. RIPEMD-160 produces a 160-bit hash.

Vulnerability classification is the process of systematically categorizing security weaknesses based on their nature, such as the type of flaw (e.g., buffer overflow, misconfiguration) or the affected system. This allows an organization to group similar issues, assign them to the correct teams, and develop a prioritized and organized approach to remediation. Vulnerability scoring, like CVSS, assigns a severity score but does not categorize the vulnerability type. Vulnerability enumeration, like CVE, involves identifying and listing individual vulnerabilities.

Some malware will attempt to contact a Command-and-Control (C2) server or network to let the creators of the malware know it has infected a target. The malware will then be given commands remotely from the C2 server to steal data, infect more hosts, or begin monitoring the infected device. The act of calling a C2 server is also called a beacon. Communication with known C2 addresses is a common sign that an infection has occurred within a network. One common use of this type of malware is for a botnet. The C2 server may, for example, then send a command to all infected devices to initiate a Distributed Denial-of-Service (DDoS) attack (this is just one example).

A feature known as a 'selective wipe' or 'corporate wipe' is designed for the scenario presented. It allows an organization to remove only the data and configurations that pertain to the company, preserving the personal information of the user. This is critical for organizations that allow the use of personal devices for work, to manage the risk associated with data retention when employees leave. A 'full wipe' would erase all data from the device, which affects personal information and therefore is not suitable. 'Remote locking' secures a device against unauthorized use, but it doesn't address the removal of data. 'Encryption' secures data but does not offer a method for selective removal of company data upon employee departure.

The server is performing authorization. Authorization occurs after authentication and determines a user's permissions-what resources or actions are allowed. Authentication only verifies identity, while accounting logs activity, and non-repudiation is a separate security concept focused on proof of origin.

Log tampering is a deliberate act to manipulate or erase logs to hide unauthorized activities or to disrupt the integrity of the logging process. While logs can be lost due to technical issues such as configuration errors or system overload, sporadic and selective disappearance is more indicative of a deliberate effort to alter logs, which signifies that log tampering is the most likely explanation. Scheduled maintenance wouldn't selectively affect log entries, and time synchronization issues would cause discrepancies in timestamps rather than missing entries. Log rotation without archiving could lead to loss of older records, but would not usually result in sporadic missing entries.

A vendor risk assessment is the specific process used to identify, evaluate, and mitigate the risks associated with a potential third-party vendor before signing an agreement. This assessment examines a vendor's security controls, compliance posture, and operational resilience. While a vendor risk assessment is a key component of the overall Due Diligence process, "due diligence" is a broader term that also includes investigating a vendor's financial stability and reputation. A Right-to-Audit Clause is a contractual term included in an agreement, not an assessment performed beforehand. A Business Impact Analysis is an internal process to determine how disruptions could affect business operations and is not used to evaluate external vendors.

Standard FTP operates on two well-known TCP ports. Port 21 is the control (command) channel, and port 20 is the default data channel. All other listed ports (43 for WHOIS, 80 for HTTP, and 3389 for Remote Desktop Protocol) are unrelated to FTP and should be closed to reduce the attack surface. Therefore, only ports 20 and 21 should stay open.

A tap/monitor setup is preferred in scenarios where monitoring is essential, but it is crucial not to introduce latency or a single point of failure within the network traffic flow. An inline device would actively interact with traffic, potentially introducing latency, which is undesirable in strict throughput environments. Active devices are designed to intervene and could affect performance, whereas fail-open implies a state during failure, which is not relevant to the operational performance during normal conditions.