CompTIA Security+ Practice Test (SY0-701)

A Software-Defined Wide Area Network (SD-WAN) provides centralized management, enabling organizations to apply security policies and updates uniformly across the network with ease. This centralized approach not only simplifies the administration of the network but also ensures consistent security measures are in place throughout, addressing the organization's need for improved security management. While the option of improved performance through optimized routing is a benefit of SD-WAN, it is not inherently a security benefit. Reduction in operational costs mainly pertains to financial aspects rather than direct security enhancements. Similarly, the ability to dynamically change network paths is a performance-related benefit, but it's not the primary security advantage that SD-WAN offers.

Placing a load balancer in front of a pool of identical web servers distributes each client request according to algorithms such as round-robin or least-connections. This evens out utilization, prevents any one server from being overwhelmed during traffic spikes, and automatically stops sending traffic to a failed node, eliminating that node as a single point of failure.

Clustering technologies focus on node redundancy and failover; in common active-passive clusters only one node actively serves traffic at a time, so they do not automatically spread day-to-day load. A reverse proxy can perform security, caching, and-depending on the product-may include load-balancing features, but the term alone does not guarantee request distribution. RAID protects disk storage and has no effect on HTTP traffic flow.

The documentation should be updated whenever changes are made to the security infrastructure. This includes major upgrades such as the implementation of a new firewall. Updating the documentation ensures that accurate information is available for the operation and maintenance of the security controls, as well as for audit purposes. Failing to update documentation can lead to confusion, improper configuration, and weaknesses in security. The incorrect options, while they may be important in other contexts, do not directly address the primary need for keeping an accurate historical record of system configurations and policy changes that affect security operations.

Extensible Authentication Protocol (EAP) is an authentication framework, not a single method. Defined in RFC 3748, EAP runs directly over data-link layers such as PPP and IEEE 802 (used by 802.1X). Because it is extensible, the organization can choose among many credential types-smart cards (EAP-TLS), one-time passwords (EAP-OTP), or password-based tunneling (PEAP)-without altering the framework. WPA/WPA2/WPA3-Enterprise all rely on 802.1X and EAP for client authentication, so the same framework works across Wi-Fi and PPP links. RADIUS and Kerberos are authentication servers/protocols rather than link-layer frameworks, while PEAP is only one EAP method, not the overarching framework.

A responsibility matrix-sometimes called a customer or shared responsibility matrix-lists each security control and specifies whether the cloud service provider or the customer is responsible for implementing and maintaining it. Reviewing this matrix (often embedded in the SLA or an attachment to it) allows the client to verify who handles patching, incident response, access management, and other controls so that no gaps or overlaps exist.

A microwave sensor is used to detect motion by emitting microwave pulses and then measuring the reflection of moving objects, making it an effective motion detector. Infrared sensors detect heat signatures, ultrasonic sensors utilize sound waves, and pressure sensors respond to physical force or weight.

This is a Structured Query Language (SQL) injection. SQL is a standard language for relational database management. It's common for an application to take data from a user, create a SQL script and pass this to the underlying database. When an application has a SQL injection vulnerability the application is not validating user input to check for SQL. This allows a malicious user to send SQL commands through the application and into the database for execution.

The primary purpose of implementing automation in vulnerability management is to increase efficiency and consistency in identifying and responding to security vulnerabilities. Automated tools can consistently monitor systems for known vulnerabilities, help in scheduling scans, and manage patch deployment without the need for manual intervention. While automation certainly helps in maintaining minimum security baselines and reduces the chances of user error, its main role in the context of vulnerability management is to streamline the detection and remediation of vulnerabilities within a system.

RSA uses mathematically linked public and private keys to encrypt or sign data, making it an asymmetric algorithm. The other listed algorithms-AES, Blowfish, and RC4-are all symmetric ciphers that rely on the same shared key for both encryption and decryption.

An ACL can be bound to an interface in the inbound direction to inspect packets as they arrive and/or in the outbound direction to inspect packets as they leave. Administrators may place separate ACLs in each direction on the same interface, providing granular control over traffic entering and exiting the device.

DKIM adds a cryptographic signature to selected headers and the entire message body, which includes any MIME attachments. When the recipient's server retrieves the sender's public key from DNS and verifies the signature, it can confirm that the signed portions of the message-including attachments-have not been altered in transit. DKIM does not encrypt email content, block senders by IP address, or impose domain-wide handling rules for failed checks; those capabilities are provided by TLS, SPF, and DMARC, respectively.

This statement is true because it illustrates a scenario where an organization chooses to accept the risk (delaying a patch) due to the potential of disrupting operations. Risk tolerance influences such decisions, where the risk of immediate disruption is seen as more significant than the risk of a potential vulnerability being exploited. This falls under vulnerability response and remediation, as organizations must balance the risks and costs of immediate action against potential security incidents.

An access control vestibule uses two interlocking doors to control the passage of individuals into a secure area. This configuration enhances security by verifying credentials before granting access. Turnstiles control pedestrian flow but typically do not use interlocking doors. Bollards are physical barriers that prevent vehicle access but do not control pedestrian entry. Security cameras monitor areas but do not physically restrict access.

The most effective approach to ensure compliance with different countries' privacy and data laws is to adopt a robust data inventory and retention policy. This policy allows the company to keep a clear record of what data it has, where it is stored, and how long it should be retained according to each jurisdiction's legal requirements. By systematically categorizing data and its lifecycles, the company can tailor its compliance strategy region by region, adequately addressing the nuances of local privacy laws. Though establishing organizational policies and awareness training are beneficial, they are supplementary measures and don't directly manage data handling practices as per legal requirements. Similarly, engaging with third-party auditors can identify risks but doesn't inherently maintain compliance with varying international regulations.

Tokenization is the best answer because it substitutes the sensitive data with non-sensitive equivalents, known as tokens, which have no exploitable value. This allows the company to process transactions without exposing actual credit card data, significantly reducing the risk of breaches while still enabling business functionality.

IEEE 802.1X is a port-based network access-control protocol that works at the data-link layer. A supplicant (client) must authenticate through the switch (authenticator) to a backend RADIUS server before the port transitions from an unauthorized to an authorized state. This prevents unauthorized devices from gaining network access. 802.1X itself does not define encryption, provide VPN tunneling, or perform firewall functions-those are handled by other mechanisms.

The correct answer is a security operations dashboard. These dashboards, typically integrated with a Security Information and Event Management (SIEM) system, are specifically designed to aggregate, correlate, and visualize log data from numerous sources over time. This makes them the ideal tool for historical analysis and identifying trends or patterns indicative of a breach. A real-time network performance monitor focuses on current bandwidth and latency, not historical log correlation. A packet capture utility provides deep, low-level data but is cumbersome for analyzing long-term, aggregated trends across multiple systems. A system vulnerability scanner is used to identify unpatched systems and misconfigurations, not for analyzing event logs to investigate an active or past incident.

Employing a biometric authentication system increases security by requiring personal physical attributes, making it significantly more resistant to systematic guessing and unauthorized entry compared to numerical access codes. Updating numerical access codes intermittently can temporarily prevent unauthorized access but does not inherently improve resistance against a focused attack. An audible alert after a set number of failed attempts might deter but not prevent an intruder who can still continue to attempt access. Video surveillance, although useful for monitoring and recording, does not in itself prevent unauthorized access.

By forcing a system to use a weaker encryption protocol with known vulnerabilities, an attacker is performing a downgrade attack. This attack leverages older, less secure versions of protocols or ciphers, making it easier to exploit the system. In contrast, a side-channel attack gathers information from the physical implementation of a cryptosystem, a birthday attack exploits the mathematics of hash functions to find collisions, and a replay attack involves reusing valid data transmissions to deceive a system or gain unauthorized access.

The best action is to verify the identity of the caller through a callback to a known, official phone number for the telecommunications provider before discussing sensitive information. This is because providing such details over the phone without verification can lead to potential security breaches. Unverified calls, especially those requesting sensitive information, are likely to be vishing attacks where attackers attempt to extract critical information by impersonating legitimate entities. Unlike the incorrect options, immediate verification is critical and proper protocol in such situations; informing a supervisor is also advisable but does not directly address the potential immediate threat. Sharing the requested information or placing the caller on a brief hold without attempting to verify their identity doesn't reduce the risk associated with the potential vishing attempt.