CompTIA Security+ Practice Test (SY0-701)

A brute force attack involves trying random passwords on user accounts in an attempt to gain access. If accounts are set up to auto lock after a certain number of failed login attempts this can be a sign of an attacker's attempt to brute force accounts.

An exemption is appropriately granted when adherence to a specific security policy or control would not be feasible, such as when it would interfere with operational requirements or when the associated cost far outweighs the benefit. It is not a means to avoid implementing security measures altogether but a considered decision that requires approval by the appropriate level of management. The approval process must include an understanding of the potential risks and agreement that such risks are acceptable. This distinguishes exemptions from other risk strategies, like mitigation where risks are reduced, or transference where risks are shared.

Within an Intrusion Detection System (IDS), sensors are responsible for the analysis of network traffic and detection of suspicious patterns that may indicate a security breach or malicious activity. They do not execute preventive measures such as blocking traffic, nor do they merely log traffic without analysis or serve to optimize traffic throughput.

Data retention timeframes are pivotal to compliance since they dictate the specific duration for which data must be stored according to various legal and regulatory frameworks. Organizations are often required to retain certain records for a defined period to comply with laws and industry regulations. Retaining data for either too short or too long a period can lead to non-compliance and associated penalties. Having too broad or too narrow scopes in retention policies can be non-compliant or inefficient, respectively, but the actual retention period is the key factor that relates directly to legal and regulatory requirements.

Implementing role-based access control (RBAC) allows the organization to assign permissions to users based on their job responsibilities. This ensures that employees have access only to the resources necessary for their tasks, reducing unauthorized access to sensitive files. Encrypting files protects data confidentiality but doesn't prevent authorized users from accessing data beyond their responsibilities. Enforcing multi-factor authentication strengthens login security but doesn't control access permissions. Applying network segmentation divides the network but doesn't directly manage user access to specific files.

This scenario describes a detective control. Detective controls are designed to find and alert on security incidents after they have already occurred or as they are happening. Intrusion detection systems (IDS) and log analysis tools fit this description perfectly as they monitor for and report on suspicious activity, rather than stopping it outright.

• Preventive controls aim to stop an incident before it happens (e.g., a firewall blocking a malicious IP address).
• Corrective controls are used to limit the damage and restore systems after an incident has been detected (e.g., restoring from a backup after a ransomware attack).
• Deterrent controls are meant to discourage potential attackers (e.g., warning banners).

Bug bounty programs invite external security researchers to test systems for rewards. This crowdsourced approach greatly expands the range of skills, tools, and perspectives applied to security testing, which helps uncover vulnerabilities that may slip past automated scanners, internal assessments, and periodic penetration tests. Increased transparency or compliance benefits can flow from a program, and zero-day exploits might be caught as a result, but those are secondary effects-not the fundamental purpose of adding the program to vulnerability identification.

A passive device attribute allows the network appliance to observe traffic without interacting or making changes to it, enabling monitoring and analysis without affecting data flow. This contrasts with an active device, which is designed to interact with or change the traffic passing through it, performing actions such as blocking or modifying packets.

A serverless architecture refers to a cloud computing model in which the cloud provider automatically provisions, scales, and manages the infrastructure required to run code. Developers can write and deploy code without worrying about the underlying infrastructure. Traditional cloud services typically require users to manage and scale virtual machine instances, whereas microservices are a design approach to build a single application as a suite of small services, and containers provide a standard way to package code and its dependencies.

Antivirus is a technical control. It is software installed on the computer whose job it is to protect the system against viruses.

Data masking intentionally substitutes realistic but fake values (for example, shuffling or substituting names, account numbers, or dates) for the original sensitive data. Because the format and fields remain consistent, developers, testers, and analysts can still use the data set, but the real values cannot be reconstructed. Techniques such as lossless compression, differential backup, and multifactor authentication do not serve this purpose: compression reduces file size, backup provides data recovery, and multifactor authentication verifies user identity rather than altering data.

Fail-closed (sometimes called fail-secure) means that when a security control becomes unavailable, it blocks or denies traffic instead of allowing it to pass unchecked. Configuring the IPS to fail-closed therefore prevents uninspected packets from traversing the network during an outage. Fail-open does the opposite-it allows all traffic for the sake of availability. Fail-safe focuses on protecting other components, often by bypassing the device rather than dropping traffic, and failover relies on redundant equipment rather than a traffic-blocking posture.

A hot site is a fully equipped and continuously synchronized duplicate of the primary environment. Because systems and data are already online and up-to-date, operations can shift to the hot site almost instantly, resulting in minimal downtime. Warm sites have some equipment in place but require additional configuration and data restoration, so recovery takes longer. Cold sites provide only basic facilities with no preinstalled systems, leading to the slowest recovery. Offsite tape backups offer data protection but no ready-to-run infrastructure at all.

Nation-state actors typically have substantial financial resources and advanced technical capabilities, enabling them to conduct sophisticated attacks such as data exfiltration. Other threat actors like unskilled attackers or hacktivists generally lack the extensive resources and expertise required for such complex operations.

A security policy is a high-level document that outlines an organization's approach to protecting its assets, including data, systems, and personnel. It establishes the framework for security controls and procedures, defining roles, responsibilities, and expected behavior. While security policies may include specific guidelines and procedures, their primary purpose is to provide overarching guidance and direction for the organization's security posture. Incident response plans, access control lists, and encryption standards are examples of more specific security controls that are typically guided by the security policy but are not the primary purpose of the policy itself.

Legacy hardware frequently runs unsupported operating systems or firmware that no longer receive security patches. Because known vulnerabilities remain uncorrected and modern security controls (such as endpoint detection, strong authentication, or encryption) are often absent, attackers can exploit these weaknesses with minimal effort. In many organizations these older systems still process critical data, so a successful compromise can yield high value to the attacker. Therefore, the lure for cybercriminals is the combination of easier exploitation and potentially lucrative data or disruption.

The Diffie-Hellman algorithm is specifically designed for secure key exchange over insecure channels without requiring prior shared secrets. It enables two parties to independently generate a shared secret key, which can then be used for symmetric encryption. Symmetric key distribution assumes that keys are already shared or delivered securely, which doesn't address the need to establish keys without prior arrangement. RSA digital signatures provide authentication and integrity but are not primarily used for key establishment. MD5 is a hashing algorithm used for data integrity verification, not for key exchange or encryption key establishment.

While process isolation is the fundamental mechanism that prevents VM escape, it is not foolproof, as vulnerabilities in the hypervisor can still be exploited. A comprehensive, defense-in-depth strategy is the most effective approach. This includes keeping both the hypervisor and guest operating systems fully patched, using network segmentation to limit an attacker's reach, and applying the principle of least privilege through strict access controls. HIDS on guest VMs and data encryption are valuable security layers, but they do not directly prevent the hypervisor compromise that enables a VM escape.

The correct answer is 'Conducting a security review of the vendor and their products', because ensuring the security of computing resources begins with a thorough evaluation of the vendors and their offerings. This evaluation should cover the vendor's security policies, compliance with relevant standards, and the security features of the products they are providing. Reviewing vendor security practices mitigates the risk of introducing vulnerabilities into the network through third-party products or services. 'Checking compatibility with current systems' is also a step in the process, but it does not directly strengthen security. 'Choosing products with the newest features' or 'Negotiating the lowest cost for products' may be important from a functionality or budget perspective, but they do not necessarily reflect the security posture of the products or the vendor.

This scenario is indicative of a phishing attack carried out via SMS, commonly known as 'Smishing'. The attacker sends a deceptive message attempting to trick the recipient into providing sensitive information. Given that the message includes a link for verification and mentions urgent action required due to 'suspicious account activities,' it's designed to create a sense of urgency and lure the employee into compromising their credentials. Smishing attacks exploit the trust people generally have in text messages and the limited verification measures available on mobile platforms compared to email systems.