CompTIA Security+ Practice Test (SY0-701)

The institution is most vulnerable to passive reconnaissance. This is because passive reconnaissance involves collecting information without directly interacting with the target system, often by gathering accessible data such as company records, employee social media profiles, or public documents. This kind of information is exactly what the institution has not been monitoring, which could lead to an attacker collecting data without detection to facilitate social engineering or other types of attacks.

A fail-open configuration is designed to allow traffic to pass through when the security device experiences a failure, such as a malfunction or a loss of power, thus ensuring that network availability is prioritized. While this might introduce a security risk by allowing potentially unsecured traffic during the failure event, it supports the company's requirement for maximum uptime. The other provided responses either incorrectly relate to device security postures not focused on availability (such as fail-close), or do not relate to failure modes directly affecting traffic (such as a high availability cluster, which is designed for redundancy but not specifically addressing the company's need for availability during a security device failure).

MD5 (Message Digest 5) creates a 128 bit fixed output. SHA1 creates 160 bit outputs, SHA2 creates 256 bit outputs and RIP128 is a thing we made up that sounds pretty cool.

This scenario describes a race condition, specifically a Time-of-check to Time-of-use (TOCTOU) vulnerability. The application checks a condition (the account balance) at one point in time but uses the result of that check at a later point. An attacker can exploit the delay between the check and the use to change the state (in this case, by initiating another withdrawal), leading to unexpected and insecure behavior like withdrawing more money than is available in the account.

An Intrusion Detection System monitors network or host activity and generates alerts when suspicious behavior is detected. Because it identifies potential incidents rather than blocking or remediating them, it is categorized as a detective control. Preventive controls (e.g., firewalls) attempt to stop incidents, corrective controls focus on recovery, and deterrent controls primarily discourage attackers.

The correct answer is a DDoS attack. This type of attack floods the server with an excessive amount of traffic, intending to exceed the server's capacity to handle requests, leading to inaccessibility for legitimate users. The described symptoms—high traffic volume and service-specific disruption without affecting the entire network—are indicative of such an attack. Incorrect answers offer alternatives such as ARP spoofing, which might lead to network connectivity problems, but does not typically cause a massive surge in traffic to one particular service. Likewise, problems with the switching infrastructure or a misconfigured ACL, while they can cause network issues, wouldn't typically result in a sudden increase in traffic and would be more likely to affect multiple services or result in different symptoms.

Biometric authentication is tied to individual physiological characteristics, making it a more secure option compared to other authentication methods. It is something an individual 'is' and is, therefore, less susceptible to being stolen or replicated. Establishing biometric controls such as fingerprint scanners or facial recognition provides a higher level of assurance that access is being granted to the authenticated user. Token-based methods, although secure, can still be vulnerable if the physical token is lost or stolen. One-time codes sent over widely used message protocols, despite their convenience, can be intercepted or redirected by attackers. Using the physical location of the user as an authentication factor is not as secure on its own, as it does not directly verify the user's identity.

Given the high level of sophistication, targeted nature of the attack, and significant funding implied by the ongoing attack method, a nation-state actor is the most probable responsible party. Nation-state actors often engage in espionage and target sensitive government-related data. They possess the capabilities and funding to carry out advanced and persistent threats. An unskilled attacker is unlikely to have the required sophistication; a hacktivist would more likely be motivated by political beliefs and not typically target defense data for espionage; an insider threat would have access but may not have the same level of sophistication or require significant external resources.

The cloud provider's responsibility matrix outlines the division of security responsibilities between the provider and the customer. It specifies which security controls are managed by the provider and which are the customer's responsibility. The service level agreement (SLA) typically covers performance metrics like uptime and availability, not the specifics of security responsibilities. The incident response plan details how incidents are managed but doesn't define the division of security controls. The company's internal policies are important but do not inform them of the provider's responsibilities.

The IT staff member in this scenario is fulfilling the role of a Data Custodian. Data Custodians are responsible for the technical management and operations of data assets, ensuring that data is properly backed up, secured, and maintained. They implement the policies and controls specified by Data Owners but do not set or decide on those policies themselves.

A Data Owner is typically a senior individual who has authority over and accountability for a specific set of data, making decisions about data classification, access permissions, and policy decisions.

A Data Controller is an entity or individual that determines the purposes and means of processing personal data, often in the context of privacy laws, which is not directly relevant to the described duties.

A Data Processor is an entity that processes data on behalf of a Data Controller, but again, this role is more about processing activities rather than managing and maintaining data assets.

Time-of-day restrictions are a type of access control mechanism that limit user access to systems based on predefined time periods. This is to prevent users from accessing the system during times when they should not, such as non-business hours or during maintenance windows. This is not related to the attributes of the user (attribute-based) or their role within the organization (role-based), and it does not necessarily reflect the least privilege principle on its own. Instead, it specifies when the access is permitted, regardless of other attributes or roles.

The correct answer is 'Phishing campaigns' because they involve the use of communications, typically emails, that attempt to fraudulently obtain sensitive information by impersonating a trusted organization or individual. 'Spear phishing' is a more targeted version of phishing, and while it is related, the question is asking about the broader term. 'Vishing' refers to voice call scams, and 'Tailgating' is a physical security breach method, which does not fit the context of identifying fraudulent emails.

An Amplified DDoS attack relies on the use of public network services to enlarge the volume of traffic directed at the victim's network. The attacker sends requests to these services with spoofed source IP addresses so that the large responses are redirected to the victim's server, thus amplifying the attack traffic without the need for a botnet. Reflected attacks also use spoofed IP addresses, but the amplification factor is not their defining characteristic. A SYN flood attack does not inherently use amplification techniques; it primarily exhausts resources by initiating numerous incomplete TCP connection requests. Similarly, a Ping flood is a straightforward attack that sends numerous ICMP Echo request packets to overwhelm the target but does not involve amplification through public network services.

A 'One-Time' risk assessment is a standalone evaluation conducted to assess the risks associated with a specific event or change, such as the introduction of a new business initiative. It helps in identifying potential risks before proceeding with the project and is not part of the regular, scheduled assessments. This type of assessment is critical for making informed decisions about one-off projects or changes that are not part of the routine operational activities. 'Ad Hoc', 'Recurring', and 'Continuous' assessments are incorrect because they respectively describe assessments that are unscheduled and irregular, regularly scheduled, and ongoing monitoring.

The use of code signing certificates by the developers ensures that the application is legitimately from the source it claims to be, and that it has not been tampered with after being signed. Code signing provides a digital signature mechanism where a certificate issued by a trusted Certificate Authority (CA) is used to sign the software, enhancing trust and security. Although all answers may relate to software security, secure cookies, multifactor authentication, and antivirus are not directly relevant to establishing the authenticity and integrity of an application's source code or executable.