CompTIA Security+ Practice Test (SY0-701)

Sanitizing resources when deallocating virtual machines addresses resource reuse vulnerabilities. This process ensures that any residual data in memory and storage is securely erased before resources are reassigned to other virtual machines, preventing unauthorized access to sensitive information.

Disabling hyper-threading on physical CPUs can help mitigate certain side-channel attacks but does not address data leakage due to resource reuse.

Isolating virtual machines in separate VLANs protects against network-based threats like sniffing but does not prevent data exposure through shared physical resources.

Installing antivirus software on the host enhances malware detection but does not prevent data leakage caused by improper resource sanitization in virtualization.

Placing NIDS sensors in tap/monitor mode would allow the organization to detect unauthorized activities by mirroring the traffic that flows through the network, without injecting any additional latency or load on the primary network path. This strategy helps ensure network performance is not significantly impacted while maintaining an effective security posture. In contrast, inline mode can introduce latency since traffic must flow through the sensor, and promiscuous mode lacks the capability of real-time traffic replication typical of a tap/monitor setup.

The correct answer is 'Phishing campaigns' because they involve the use of communications, typically emails, that attempt to fraudulently obtain sensitive information by impersonating a trusted organization or individual. 'Spear phishing' is a more targeted version of phishing, and while it is related, the question is asking about the broader term. 'Vishing' refers to voice call scams, and 'Tailgating' is a physical security breach method, which does not fit the context of identifying fraudulent emails.

Refining the correlation rules to establish more stringent alert criteria can significantly decrease the amount of false positive alerts generated by a Security Information and Event Management system. By defining more precise conditions for when an alert should be triggered, a SIEM can more accurately differentiate between standard operations and suspicious activities. Adjustments must be crafted carefully to minimize the risk of missing true security incidents. Altering system thresholds indiscriminately might suppress important warnings, while focus solely on historical data analysis may not take into account novel or evolving threats. Disabling alerts for activities that are considered to be low risk can be risky, as they might cumulatively indicate a security threat if analyzed in context.

The correct answer is 'Qualitative Risk Analysis.' Qualitative risk analysis evaluates and prioritizes risks using subjective measures, such as low, medium, and high, to describe the impact and likelihood of potential threats. This approach is useful for presenting an overview to stakeholders who prefer general magnitudes over detailed statistics. The incorrect answers involve either specific numerical values or do not align with the described scenario. 'Quantitative Risk Analysis' utilizes numerical values to quantify risk and is more complex and detailed than necessary for providing a general overview. 'Annualized Rate of Occurrence Analysis' focuses on the frequency of an event occurring over a year, which overly specifies the scenario at hand. 'Disaster Recovery Strategy' is a plan for resuming normal business operations after a disaster and is not a method for risk analysis.

A firewall establishes a barrier between trusted and untrusted networks. By evaluating packets against configured security rules, it decides whether to allow or block traffic, thereby preventing unauthorized access. Intrusion detection systems only alert, VPNs encrypt traffic but do not enforce rule-based filtering, and SIEMs aggregate logs without directly controlling traffic.

When an organization is under a legal hold, the duty to preserve evidence is broad. All data that is potentially relevant to the case must be preserved. Unilaterally deciding that data is irrelevant and deleting it can be considered spoliation of evidence, which can result in severe legal penalties. The standard data retention policy is suspended by the legal hold for all data that falls within its scope. The final determination of what is relevant is a legal process, not a decision to be made by an individual administrator.

Writing more data to a fixed-length memory buffer than it was allocated to hold is a classic buffer overflow. The excess data overwrites neighboring memory, which can result in crashes or allow the attacker to execute arbitrary code. SQL injection and XSS target web application input handling, while directory traversal manipulates file-system paths; none of these involve overrunning a memory buffer.

Setting permissions that allow the Finance department to have read and write access while denying all other users ensures that only authorized personnel can access the sensitive financial records. This approach effectively applies the principle of least privilege.

The correct step after discovering a non-compliance issue in an internal audit is to report the issue to the appropriate department or individual responsible for compliance. This initiates the process of addressing the non-compliance, which may include a review of the issue, adjusting the non-compliant system, or implementing additional controls to ensure that it meets the organization's encryption standards. It is central to the concept of internal compliance reporting that such issues are promptly and effectively communicated to enable swift corrective action.

The 'Confidential' data classification is typically applied to information that if disclosed without authorization could lead to a significant level of risk to the organization or individuals. This classification requires a higher level of access control and protective measures due to the potential harm that could result from its exposure. Other classifications like 'Public' and 'Sensitive' do not carry the same implication of risk if disclosed and thus are not characterized by the same level of required protection. 'Restricted' often refers to a higher classification level than 'Confidential' and may require even stricter controls.

Automating endpoint isolation removes the manual containment step, allowing the SOC to cut mean time to respond (MTTR) and stop malware from spreading. Although automation platforms can also generate compliance reports or store logs, those capabilities do not directly address the urgency of containing an active threat. Policy creation and user-training compliance remain management functions rather than technical automation tasks.

Network logs are a primary resource for monitoring internal network traffic, which includes tracking unauthorized data flow or lateral movement within the organization's network infrastructure. Application logs are focused on specific software and may not capture network-wide traffic data. Endpoint logs give insight into individual host activity and might not show comprehensive internal traffic patterns. System health reports are typically concerned with the performance and health of systems, and do not usually provide the granular traffic data needed for tracking lateral movements.

Integrity is the principle of ensuring that data remains accurate, complete, and trustworthy throughout its lifecycle, and has not been altered by unauthorized parties. In this scenario, the requirement to prevent unauthorized modification of transaction records and verify their accuracy directly addresses data integrity. Confidentiality would involve protecting the records from unauthorized viewing, while availability would ensure the database is accessible to authorized users when needed. Non-repudiation would provide proof of who created a transaction.

Salting involves adding a unique, random string-called a salt-to the password input before it is hashed. Because each password receives a different salt, identical plaintext passwords no longer produce identical hashes, dramatically reducing the effectiveness of rainbow-table attacks and improving overall password-database security.

Containerization provides a lightweight alternative to full virtualization by encapsulating an application in a container with its own operating environment. This isolation ensures that applications do not interfere with each other and can be managed independently, enhancing security by containing potential breaches within the isolated environment of the container.

Vishing (or voice phishing) is phishing done using voice over the telephone. This type of phishing often involves the use of voice over IP technology to spoof the caller ID of a legitimate phone number.

Business Email Compromise (BEC) is a type of cyberattack that involves the unauthorized access or manipulation of a company's email system for fraudulent purposes. BEC attacks are typically sophisticated and rely on social engineering tactics to deceive employees, partners, or customers into taking actions that benefit the attacker. This type of cyberattack is also known as CEO Fraud or Email Account Compromise.

The correct answer is a security operations dashboard. These dashboards, typically integrated with a Security Information and Event Management (SIEM) system, are specifically designed to aggregate, correlate, and visualize log data from numerous sources over time. This makes them the ideal tool for historical analysis and identifying trends or patterns indicative of a breach. A real-time network performance monitor focuses on current bandwidth and latency, not historical log correlation. A packet capture utility provides deep, low-level data but is cumbersome for analyzing long-term, aggregated trends across multiple systems. A system vulnerability scanner is used to identify unpatched systems and misconfigurations, not for analyzing event logs to investigate an active or past incident.

The motion sensors act as a Detective Control because they identify and alert to unauthorized activity. They do not prevent the incident from occurring but detect it so that appropriate action can be taken. Preventive Controls, like locks or access restrictions, are designed to stop unauthorized access from happening in the first place. Corrective Controls come into play after an incident to mitigate its impact, such as restoring data from backups. Deterrent Controls are intended to discourage potential attackers, like warning signs or visible security cameras.