CompTIA Security+ Practice Test (SY0-701)

A Certificate Revocation List (CRL) is a list of certificates that have been revoked before their scheduled expiration date, and should no longer be trusted. Certificate Authorities (CAs) maintain this list to ensure that any certificate that has been compromised or is no longer valid for some other reason can be quickly identified by clients checking the CRL.

Static code analysis is the analysis of software code without executing the software. Reviewing the lines of a program’s/software’s source code is a type of static code analysis. Dynamic code analysis is performed while it is being executed.

A solution that creates an encrypted tunnel to the corporate network is essential for secure remote access. The most appropriate technology for establishing such secure connections is a solution that encapsulates and encrypts data as it travels over possibly insecure networks, like the internet, requiring proper authentication from the connecting users to access internal network resources. Implementing remote access servers without additional encryption would not ensure data confidentiality and integrity. Configuring encrypted gateways focuses solely on securing gateways but does not address endpoint-to-network secure connectivity. Secure network perimeters enhance the overall network security but do not inherently provide secure remote access capabilities.

A configuration audit specifically assesses configurations against established security baselines and policies, ensuring that systems are compliant with the required security settings. This would detect deviations in access control policies and configurations from the standard across servers. A performance audit, while it assesses the efficiency and effectiveness of an organization's processes, would not focus solely on security settings and policies. A financial audit is concerned with the financial accounts and transactions of an organization, and while an operational audit evaluates the operational aspects of an organization, it does not concentrate on access control policies and system configurations to the extent necessary for the given task.

Developing and documenting an incident response policy is the MOST critical activity for establishing an incident response capability. This policy outlines the purpose, scope, roles, responsibilities, and management commitment. It serves as the foundation for the entire incident response process. Distributing an employee handbook only communicates existing policies and procedures, conducting background checks is an HR security measure, and holding a retrospective meeting is an activity that takes place after an incident has been handled (part of the 'Lessons Learned' phase).

The correct answer is 'Vishing'. Vishing, or voice phishing, involves an attacker using the telephone system in an attempt to scam the user into disclosing private information by pretending to be a legitimate entity, in this case, the company's IT department. Email phishing is incorrect as it specifically refers to the use of emails for scamming users. Smishing involves sending text messages, which is not the case here. Moreover, Pretexting generally refers to a scenario where an attacker comes up with a fabricated scenario to steal information, but the key difference lies in the means, which here is a phone call characteristic of vishing.

Containment is the correct answer because the immediate priority in incident response, following detection and analysis, is to contain the incident to prevent further damage or spread of the threat. Eradication and Recovery are subsequent steps that cannot be effectively performed unless the threat is first contained.

Restoring data from backups and applying patches to affected systems are actions that limit the damage after an incident, making them examples of corrective controls. These steps aim to fix the issues caused by the breach and prevent further impact. Conducting a forensic analysis is a detective control, as it involves identifying how the breach occurred. Implementing stronger network firewalls is a preventive control designed to stop future incidents. Displaying warning banners is a deterrent control meant to discourage unauthorized access.

Automatic failover is when systems or services switch to a redundant or standby system automatically, typically without human intervention, in the event of a failure or service interruption. This type of failover is essential for mission-critical applications where downtime must be minimized. Manual failover, while it involves intentional human intervention to switch systems, would not apply as the question indicates the switch happens without manual intervention. Active-active and active-passive describe configurations of how systems are set up for redundancy, but they do not define the type of failover process.

Just-in-time permissions restrict the timeframe during which administrative or elevated rights are granted to users, minimizing the potential for misuse of those privileges. By limiting access to only when it is required for a specific task and automatically revocating those permissions after a set time, the attack window is reduced. This prevents risks associated with standing privileged accounts, which could be exploited if compromised.

The correct answer is to develop and enforce policies for secure remote access, home network configuration, and the use of personal devices. In a hybrid model, the traditional security perimeter of the office is dissolved. Employees connect from various networks and may use personal devices, creating new risks. Establishing clear policies for remote access (e.g., via VPN with MFA), guiding users on securing their home Wi-Fi, and setting rules for Bring Your Own Device (BYOD) are the most critical steps to extend operational security to the new working environment. Strengthening data center physical security is important but does not address the primary risks of a distributed workforce. Mandating in-person briefings is impractical for a hybrid model and less effective than addressing the technical security gaps. Decommissioning on-premises servers is a major architectural decision, not a direct or immediate OpSec response to a hybrid work model.

The correct answer is 'Trojan.' A Trojan is a type of malware that disguises itself as legitimate software. Attackers use Trojans to gain unauthorized access to systems by tricking users into loading and executing the malware on their systems. While the other options are also types of malware, they do not describe software that appears legitimate to gain unauthorized access. For instance, 'Ransomware' is designed to encrypt files and demand a ransom for the decryption key, 'Virus' attaches itself to legitimate software and spreads to other programs, and 'Spyware' typically aims to gather information without the user's knowledge. The key distinction for a Trojan is its disguise as legitimate software to perform malicious activities.

This setup is best known as an air gap. In network an air gap means two or more networks are physically separated from each other to ensure no data can traverse from one to the other. Generally if a network is so critical it requires an air gap it will be a completely stand alone network with no access to other networks and especially the internet. A true air gap is not common in most businesses, but some known examples are government or military networks, highly critical infrastructure networks like nuclear power plant controls and financial systems like stock exchanges.

Scheduling the update during a designated timeframe after conducting an impact analysis is the best approach. Conducting an impact analysis allows the organization to identify potential risks and understand how the patch may affect operations. Scheduling the update during a designated timeframe, such as a maintenance window, ensures that the patch is applied when it will cause the least disruption to business activities.

Applying the update at a time when it can be closely monitored is important, but without an impact analysis and proper scheduling, it may still lead to unexpected issues and operational disruptions.

Notifying users and installing the update with consideration of potential disruption shows consideration for stakeholders, but without a thorough impact analysis and scheduled timeframe, it may not effectively minimize the impact on operations.

Deploying the update while ensuring it does not adversely affect current operations is ideal, but without conducting an impact analysis and proper scheduling, it's challenging to guarantee that operations won't be affected.

Issuing temporary access badges to the contractors acts as a compensating control, substituting for the primary control of smart cards. The temporary badges could use a barcode, or have a picture and name of the individual that can be verified by security personnel. This allows secure access while maintaining security protocols. Other options either do not address the immediate need or compromise security standards.

Containerization enables developers to package applications along with all their dependencies into isolated units called containers. This approach ensures that the application runs consistently regardless of the environment, enhancing portability and security by isolating applications from one another. Virtualization, while also providing isolation, involves creating full virtual machines with their own operating systems, which is more resource-intensive. Microservices refer to an architectural style that structures an application as a collection of loosely coupled services, focusing on design rather than deployment. Serverless computing allows developers to build and run applications without managing the underlying infrastructure but does not involve packaging applications with dependencies for consistency across environments.

The correct answer is Hacktivist. Hacktivists are often motivated by philosophical or political beliefs, which lead them to target organizations or governments that they perceive as acting against their values or agendas. The nature of these attacks, including website defacements and public message spreads, are typical of hacktivist groups that aim to broadcast a political message or to create awareness about their cause. The other options listed do not align as closely with the details given.

A jump server is a specially configured server that administrators must use as a gateway to access secure systems, providing controlled and monitored access. This enhances security by limiting direct access to critical systems. A proxy server acts on behalf of clients to access resources on other servers but doesn't enforce administrator authentication for internal systems. A load balancer distributes network traffic across multiple servers to optimize resource utilization but doesn't control administrative access. A router directs data packets between networks based on destination addresses but doesn't manage authentication for administrators accessing secure systems.

The scenario describes a common social engineering tactic known as pretexting, where an attacker fabricates a scenario to lure the victim into performing an action they shouldn't. The file 'Financial_Report_2023.xls' could contain a macro or exploit that, once opened, could execute malicious code on the user's system, leading to potential data exfiltration or other security incidents. This threat could materialize if macros are enabled or the file exploits a known vulnerability within the spreadsheet software. The other options are potential outcomes or states of a file but do not describe the immediate threat that an unexpected, unsolicited file could pose.

Guard rails in an automated security environment are pre-defined rules or policies that provide boundaries within which automated tasks can operate. They prevent the automated systems from executing tasks that could lead to security vulnerabilities or compliance issues. By setting these parameters, organizations can ensure that automation does not inadvertently cause harm or deviate from expected security practices.