CompTIA Security+ Practice Test (SY0-701)

Some malware will attempt to contact a Command-and-Control (C2) server or network to let the creators of the malware know it has infected a target. The malware will then be given commands remotely from the C2 server to steal data, infect more hosts, or begin monitoring the infected device. The act of calling a C2 server is also called a beacon. Communication with known C2 addresses is a common sign that an infection has occurred within a network. One common use of this type of malware is for a botnet. The C2 server may, for example, then send a command to all infected devices to initiate a Distributed Denial-of-Service (DDoS) attack (this is just one example).

A Non-Disclosure Agreement (NDA) is specifically designed to legally bind parties to keep shared sensitive information confidential. While other agreements like Service-Level Agreements (SLA), Master Service Agreements (MSA), and Memorandums of Understanding (MOU) address different aspects of vendor relationships, the NDA focuses on confidentiality.

A network intrusion prevention system (NIPS) is the only one of the choices that you can place to monitor your entire network for intrusions while at the same time attempting to prevent the intrusion. HIPS and HIDS are only for a single host, while NIDS will only detect an intrusion.

An Intrusion Detection System (IDS) is adept at continuously monitoring network traffic for abnormal behavior and is specifically designed to alert the security team about potential threats without modifying, discarding, or preventing the flow of traffic, which aligns with the requirement in the given scenario. On the other hand, an Intrusion Prevention System (IPS) not only detects but also takes action to prevent the identified threats, which could interfere with data flow. A Jump Server is a hardened and monitored device that acts as a bridging point for administrators to connect to other servers but does not perform real-time threat monitoring. A Unified Threat Management (UTM) device combines several security functions into one, yet its threat detection capabilities are broader and not solely focused on network traffic monitoring.

Deterrent controls are security measures that are put in place to discourage potential attackers from attempting to breach an organization's defenses. They work by making the target appear more difficult, time-consuming, or risky to attack. Security cameras are a prime example of a deterrent control because their presence can make potential intruders think twice about attempting to gain unauthorized access, as they know their actions may be recorded and used as evidence against them. Preventive controls aim to stop an incident from happening, detective controls identify incidents as they occur, and corrective controls are used to limit the damage after an incident.

A VPN concentrator is a purpose-built appliance that creates, terminates, and manages large numbers of VPN tunnels. It performs hardware-accelerated encryption and authentication, scales to thousands of concurrent connections, and lets administrators enforce remote-access policies from one central point. An IDS/IPS inspects traffic for threats, a load balancer distributes application traffic for availability, and a content-filtering gateway screens web or email content; none of these devices are designed to establish VPN tunnels for remote users.

When reassessing the Recovery Point Objective (RPO) for a critical system like a transactional database, especially in the context of increased granularity in data analytics, the most relevant factor to consider is the potential financial impact of data loss. Given the database handles high-value transactions, even a small amount of data loss could be financially significant. Therefore, understanding the impact of data loss is crucial in determining whether the current RPO meets the business's tolerance for loss and if it should be reduced to ensure data integrity and maintain financial stability.

Having a comprehensive impact analysis will ensure that the measure aligns with the organization's security policies and operational impact is anticipated and minimized. It identifies the potential repercussions on existing systems and processes and contributes to informed decision-making. Simply obtaining approval or generating test results does not provide a complete picture of the impact. The backout plan is necessary for recovery but does not help in aligning with policies. Updating documentation or version control practices are part of the process but are not central to aligning changes with security policies or minimizing operational impact.

The correct answer is resilience. Resilience in security architecture is the ability of an organization to prepare for, withstand, and rapidly recover from security incidents or disruptions. The scenario's focus on maintaining operations with minimal downtime after a compromise directly reflects the principle of resilience. Least privilege is an access control principle, defense in depth is about layered security, and Zero Trust is an architectural model assuming no implicit trust; while these contribute to overall security, resilience specifically addresses the ability to recover and continue operations.

The component designed to be integrated into a computing device for securing cryptographic keys is the Trusted Platform Module. It provides hardware-based security by managing keys within a protected environment, isolated from the operating system. A Hardware Security Module is a dedicated external device used for managing keys, not typically integrated directly on a computer's motherboard. Biometric sensors and secure boot are unrelated to the secure storage and handling of cryptographic keys. Biometric sensors are used for authentication purposes, while secure boot is a process ensuring the integrity of the operating system's boot process.

Immediately disabling the former employee's logical accounts (usernames, passwords, tokens) and collecting their physical access devices (badges, keys) eliminates the opportunity for the individual-or anyone who might obtain those credentials-to access company resources. Delaying revocation, leaving badges in circulation, or waiting for a periodic review extends the attack window and violates best-practice guidance in NIST SP 800-53 PS-4 and ISO 27001 Annex A 9.2.6.

Attribution in cybersecurity is notoriously difficult because attackers can intentionally plant misleading evidence. Linguistic and cultural artifacts-such as comments, debug paths, or variable names written in a specific language-may be genuine, but they can also be inserted deliberately as false flags to divert suspicion toward another actor or nation-state. Without corroborating technical indicators, intelligence, or context, such markers are suggestive at best and never conclusive proof of government-sponsored espionage.

A 'Recurring' process refers to a routine or periodic activity that takes place at regular intervals. In the context of risk management, it pertains to the consistent reevaluation of potential risks to the organization, such as a scheduled quarterly scan. This ensures that new and evolving threats are identified and managed effectively. It contrasts with 'Ad Hoc', which is done as needed; 'One-Time', which is done once and not repeated; and 'Continuous', which implies an ongoing process without set intervals.

In this scenario the best option for next steps is to organize the vulnerabilities by criticality. Some may be very important and represent significant risk, while others may be false positive or very minor issues. Most scanning solutions will have this information readily available. There is no way to identify false positives without going through each and every one, and halting all code changes would likely cause major disruptions to the business. The logical next step is to begin planning and focus on the worst issues first.

Annualized Loss Expectancy is calculated by multiplying the Single Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO). In this scenario, the SLE is $3 million per incident, and the ARO is once every five years, which is an ARO of 0.2 (1/5). Therefore, the ALE is $600,000 ($3 million x 0.2).

Deploying configuration management tools allows the company to automate the enforcement of secure baselines across all servers. This ensures that the secure settings are applied consistently, and any deviations are automatically corrected. Manual review, while important, is not as effective or efficient for ensuring consistency across a large number of servers. Providing training to IT staff is useful for awareness but does not guarantee consistent application or enforcement of the secure baselines. Regularly scheduled security updates are critical for maintaining server security but do not ensure that all security settings align with the secure baseline.

Sanitization is the process of permanently and irreversibly removing or destroying data on a storage device to make it unrecoverable. This is the correct overarching process that applies to both HDDs and SSDs, using methods like overwriting for HDDs and Secure Erase commands for SSDs. Degaussing uses a powerful magnetic field to destroy data, but it is only effective on magnetic media like HDDs and is not effective on SSDs. Encryption renders data unreadable without the key, but it does not remove the data; a separate process called cryptographic erase (destroying the key) is a form of sanitization, but 'encryption' alone is not the answer. Formatting a drive typically only removes pointers to the data, leaving the actual data recoverable with forensic tools, and is not a secure method of disposal.

Vishing is a contraction of 'voice' and 'phishing' and refers to the fraudulent practice where attackers use voice communication, which can include VoIP (Voice over Internet Protocol) calls, to trick individuals into divulging sensitive information. This term is specific to voice-based social engineering, making it the correct term for this type of attack.

Federation is the practice of linking a user's electronic identity and attributes, stored across multiple distinct identity management systems. Implementing a federated identity management system would be ideal in this situation as it enables the company's employees to use their existing corporate credentials to access the third-party service provider's resources securely. This negates the need for multiple credentials and simplifies the authentication process for users, which directly aligns with the scenario's requirements of minimizing complexity and offering a streamlined process.

Creating additional user credentials for each employee within the partner's system and relying on a central access policy that governs the usage of applications across both entities, are less efficient solutions that increase complexity and management overhead, which does not fulfill the specified criteria of streamlined access. The web authentication standard accentuates a specific method of authentication that can be utilized in federated environments but does not represent the overarching federated identity management system needed here.

Jailbreaking or rooting bypasses the manufacturer's code-signing and sandbox controls, granting the user and any installed application root-level privileges. Without these protections, unvetted software can run unrestricted, dramatically enlarging the attack surface and making malware infection, data theft, and further privilege escalation far more likely. By contrast, the other statements are incorrect: jailbreaking removes app-store restrictions instead of enforcing them, does not automatically enable encryption, and typically prevents or delays future security updates from the vendor.