CompTIA Security+ Practice Test (SY0-701)

Pre-installed software that is not necessary for the user's activities-commonly called bloatware-can pose a security risk if it contains unpatched vulnerabilities. Because this software is often unmanaged, it can increase the device's attack surface. Attackers may exploit flaws in the unused software or its background services even if employees never actively launch the applications. Therefore, the main concern is the presence of potentially vulnerable code, not how frequently employees use the software.

The best initial approach when performing penetration testing in an environment with no prior knowledge of the organization's security posture is to refer to the Rules of Engagement. These rules define the scope, boundaries, and methods approved for the testing, ensure legal and ethical compliance, and minimize the risk of unintended disruptions to business operations. Simply starting with passive or active reconnaissance without established engagement parameters could lead to legal issues, overstepping authorized boundaries, and potentially causing unintended harm to the target environment. Properly outlined Rules of Engagement ensure that the penetration test is performed ethically, legally, and within the parameters agreed upon by all parties involved.

Bollards are a type of physical security control designed to prevent an incident from occurring. In this case, they physically block unauthorized vehicles from ramming the building's entrance, making them a preventive control. Detective controls (e.g., alarms, surveillance), corrective controls (e.g., disaster recovery plans), and compensating controls (e.g., using a different security measure when the primary one fails) serve different purposes.

Geographic dispersion refers to the strategic placement of IT resources, such as data centers and recovery sites, in various physical locations to minimize the risk associated with localized disasters. This dispersion helps organizations ensure continuity of operations and maintain availability of IT services in the event of an outage or disaster in one location. The incorrect answers offered either describe other concepts or do not specifically relate to the strategy of placing resources in diverse locations for resilience and recovery purposes.

Log aggregation is the correct answer because it involves gathering log data from multiple sources, such as servers, applications, and network devices, to centralize the analysis. This makes it easier to spot trends, identify potential security incidents, and ensure that important events are not overlooked amid the noise of isolated logs. Alerting, on the other hand, refers to the system's response to identified incidents, typically by notifying administrators. Scanning usually relates to the process of checking systems for vulnerabilities, and reporting is about presenting the findings of analyses in an informative manner, not the collection process itself.

Best practice requires that every change to a production system be routed through the organization's documented change-management process. Even though minor or "standard" changes may follow a streamlined or pre-approved workflow, they must still be logged, evaluated for risk, and retained in change records so that the environment can be audited, problems traced, and rollbacks performed if necessary. Allowing any change-no matter how small-to bypass documentation undermines accountability and can introduce hidden vulnerabilities.

A 'Recurring' process refers to a routine or periodic activity that takes place at regular intervals. In the context of risk management, it pertains to the consistent reevaluation of potential risks to the organization to ensure that new and evolving threats are identified and managed effectively. It contrasts with 'Ad Hoc', which is done as needed, 'One-Time', which is done once and not repeated, and 'Continuous', which implies an ongoing process without set intervals.

MD5 (Message Digest 5) creates a 128 bit fixed output. SHA1 creates 160 bit outputs, SHA2 creates 256 bit outputs and RIP128 is a thing we made up that sounds pretty cool.

The primary purpose of conducting simulation exercises is to validate the recovery process defined in the disaster recovery plan. It ensures that, in the event of a real disaster, the organization can recover critical systems and data within the predetermined timeframes (recovery time objectives) and with acceptable data loss (recovery point objectives). These exercises reveal weaknesses that can be corrected proactively, avoiding substantial operational impacts during an actual emergency. While encryption improvements, authentication changes, and financial evaluations may be worthwhile, they are not the core reason for running simulation tests.

Implementing load balancing distributes incoming network traffic across multiple servers, effectively managing compute resources to handle fluctuating workloads. This improves both availability and scalability, ensuring the application remains responsive during peak usage times. While data replication to a standby server aids in recovery, it doesn't directly manage compute resources. Scheduling maintenance during off-peak hours minimizes disruption but doesn't address real-time workload management. Deploying redundant power supplies enhances power availability but doesn't handle compute load distribution.

An Intrusion Detection System (IDS) is designed to monitor network or system activities for malicious actions or policy violations. Its primary purpose is to detect suspicious activities and generate alerts so that administrators can take appropriate action. Unlike preventive controls that block or prevent attacks, IDS serves as a detective control, identifying potential threats without necessarily stopping them.

A security alarm system of this nature is considered a detective control because it detects the presence of an intruder and sounds an alarm.

An inline security device is placed directly in the path of the network traffic. It has the ability to actively block, permit, or modify the traffic passing through it based on the security policies in place, similar to how a checkpoint can stop or allow traffic in a roadway. In contrast, a tap (test access point) or monitoring device connects to a network segment but does not directly interact with the traffic flow; it merely duplicates the data for analysis, thus incapable of affecting the original traffic.

The correct answer is that the Zero Trust Model assumes that no user, device, or network traffic should be trusted by default, even if it originates from within the network perimeter. This is the fundamental principle of the Zero Trust approach, which shifts away from the traditional "trust but verify" model to a "never trust, always verify" mindset. The other answers, while related to security concepts, do not accurately capture the essence of the Zero Trust Model. Least privilege access and multi-factor authentication are important security practices, but they are not the core defining characteristics of the Zero Trust approach.

Even when a patching job reports success, the vulnerability might persist because the patch failed to install on every file, did not reach all affected hosts, or introduced new issues. Running a follow-up vulnerability scan (or targeted rescan of the affected system) provides objective evidence that the vulnerability identifier (e.g., CVE) no longer appears and that no additional findings were introduced, thereby closing the remediation loop.