CompTIA Security+ Practice Test (SY0-701)

The term 'workforce multiplier' refers to the use of technology, especially automation and orchestration tools, that enables a security team to be more productive by handling tasks that would otherwise require greater staffing. By automating repetitive and tedious tasks, the organization can maximize the effectiveness of its existing workforce, therefore multiplying its capabilities. The incorrect choices are designed to test the student's ability to distinguish between similar terms and concepts in the context of security operations.

Compensating controls are used as a substitute for primary controls when the primary control is not feasible or practical to implement. They provide an alternative way to mitigate risks and achieve the same level of security. For example, if a company cannot afford to implement a firewall (a preventive control), they may use a virtual private network (VPN) as a compensating control to protect their network traffic.

The primary security-related reason to regularly review and update security policies is to ensure they address the current threat landscape. Cyber threats, technologies, and business processes evolve constantly. Outdated policies may not provide sufficient guidance to protect against modern attack vectors, leaving the organization vulnerable. While regulatory compliance is a critical reason for policy updates, failing to protect against current threats poses a more direct and immediate risk to the organization's security posture.

The crossover error rate (CER) is the point at which the false acceptance rate (FAR) and the false rejection rate (FRR) are equal. The lower the CER the more accurate the biometric system is.

The use of a Key Management Service (KMS) with encryption capabilities is the correct choice because it not only provides strong encryption but also facilitates efficient key management, which is crucial when dealing with backups that may need to be restored at any given time. It automates the lifecycle of cryptographic keys, including creation, rotation, deletion, and control of access to keys. Whole disk encryption, while secure, does not typically offer the same level of key management needed for a cloud-based environment. Manual symmetric key management could be prone to human error and does not scale efficiently. Database field encryption only encrypts specific fields and may not cover the entire backup dataset as required.

The attacker is leveraging a SQL injection vulnerability by inserting malicious SQL commands into the login form. This allows unauthorized access to the database and exposure of sensitive user credentials.

The correct answer is 'Clustered servers with resource balancing' because it allows for the distribution of compute tasks across multiple servers, providing high availability for the various services with differing compute requirements. In the event of a server failure, tasks can be redistributed to other servers in the cluster, minimizing downtime. The incorrect answers are: 'Single powerful server with a hot spare' does not address the diverse compute needs and may lead to underutilization or bottlenecks. 'Multiple air-gapped systems' could provide isolation for security but would not be efficient for resource management across services with different compute needs. 'Decentralized servers without load balancing' would not efficiently distribute compute tasks and could result in suboptimal performance and higher risk of service disruptions.

The correct answer is 'Vishing'. Vishing, or voice phishing, involves an attacker using the telephone system in an attempt to scam the user into disclosing private information by pretending to be a legitimate entity, in this case, the company's IT department. Email phishing is incorrect as it specifically refers to the use of emails for scamming users. Smishing involves sending text messages, which is not the case here. Moreover, Pretexting generally refers to a scenario where an attacker comes up with a fabricated scenario to steal information, but the key difference lies in the means, which here is a phone call characteristic of vishing.

The correct answer is to conduct an impact analysis prior to deployment. An impact analysis is a process of understanding the potential consequences of changes, especially how they affect security controls and operations. By doing this, the company can identify potential security risks introduced by the update and take steps to mitigate them before the system goes live, ensuring that security is maintained throughout the change process. The other options, while they might be parts of the overall change management process, do not directly address the proactive identification and mitigation of security risks specific to the introduction of new software or updates.

A security key is a physical device that provides a second factor of authentication for a user accessing a service. As a "something you have" factor, it is a core component of multifactor authentication (MFA), which requires at least two verification factors to enhance account security. While physical tokens can include devices like key fobs or smart cards, modern security keys typically connect via USB, NFC, or Bluetooth and use advanced cryptographic protocols like FIDO2 to resist phishing attacks.

There are times when certain data is required to be kept for a certain period of time due to legal, regulatory or policy reasons. There are also requirements pertaining to when data isn’t supposed to be kept. This is all referred to as data retention.

Custodians, also known as stewards, are responsible for the day-to-day maintenance and implementation of the security controls over assets based on the policies and guidelines set forth by the organization. While an owner may define the policy for data protection, it is the custodian's role to enforce and implement these policies through technical means, such as configuring and applying encryption to sensitive data. The data owner is typically a senior-level executive who defines what level of protection is required for the data but does not directly manage the security mechanisms. The controller is responsible for making decisions about the processing of the data, and auditors are responsible for reviewing the adherence to policies and regulations, not implementing security measures.

Full-disk encryption is a strong security measure but protects only data at rest on storage media, not information being transmitted. Obfuscation methods (such as data masking) can disguise values but are reversible and do not provide cryptographic confidentiality against a determined adversary. Certificate-based network authentication, as used in 802.1X, verifies a device's identity to join a network but does not by itself encrypt the payload of subsequent communications. End-to-end encryption, in contrast, encrypts the data on the sender's device and keeps it encrypted until it reaches the recipient's device, ensuring that any interceptor lacking the decryption key cannot read the report contents.

A honeypot is a single computer or service intentionally exposed so it appears to be a valuable, vulnerable asset. Because no legitimate user should connect, any activity is malicious and can be recorded for later analysis. A honeynet is a network of multiple honeypots; it is more elaborate than the stand-alone system described. A DMZ is merely a network segment for public-facing servers, and a DDoS mitigator is designed to absorb large-scale traffic floods rather than lure attackers for research.

Configuring the firewall to restrict database traffic to only authorized application servers limits exposure of the vulnerable service and provides an equivalent layer of protection until the vendor patch can be tested and installed. This is the essence of a compensating control-an alternative safeguard that mitigates risk when the primary fix (patching) is temporarily unavailable. Re-scanning the host or delaying backups does not directly reduce the attack surface, and a major operating-system upgrade could introduce new issues without specifically addressing the flaw.

While all listed aspects are important in their own right, clearly defined security requirements are the most critical to protect sensitive data. These requirements set the minimum security standards that the business partner must adhere to, directly impacting the safeguarding of data involved in the partnership. Elements such as review cycles and party definitions are also important, but their impact on data protection is more indirect compared to the explicit security requirements.

The Data Owner is primarily responsible for defining the classification of the data, setting sharing permissions, and overseeing the data throughout its lifecycle. They make decisions about who can access the data and how it will be handled or protected based on organizational policies. Custodians or Stewards handle data as directed by the Data Owner, but the ownership and decision-making responsibility lies with the Data Owner. Processors merely process data on behalf of another party, and Data Controllers determine the purposes and means of processing personal data but do not typically define its classification or lifecycle management details.

This scenario describes identity proofing, which is the process of verifying a user's claimed identity before issuing credentials or granting access. It happens at the beginning of the user lifecycle, such as during account creation, to establish trust. Authentication is the subsequent process of verifying a user's identity each time they log in. Authorization involves granting specific permissions to an authenticated user. Attestation is the process of affirming that something is true or that a requirement has been met; while related, 'identity proofing' is the most accurate and specific term for the overall process described.

Automation in security program management refers to the use of technology to perform repetitive and routine tasks without human intervention, which increases efficiency and consistency while reducing human error. Automation can encompass a wide range of processes, from compliance reporting to vulnerability management. For example, automating patch management ensures that systems are updated consistently without the need for manual oversight. In contrast, artificial intelligence would be focused on the simulation of human intelligence processes by machines, social engineering is a manipulation technique that exploits human error to gain private information, and encryption standardization is about defining protocols for encrypting data, not automating processes.

A Virtual Machine (VM) escape is a security vulnerability that allows an attacker to break out from a virtual machine and interact with the host operating system. This type of vulnerability is particularly concerning because it undermines the isolation properties that are fundamental to secure virtualization.