CompTIA Security+ Practice Test (SY0-701)

Under the EU GDPR, Article 30 obligates controllers and processors to maintain detailed records of processing activities involving personal data. Failure to keep these records can lead to administrative fines of up to €10 million or 2 % of global annual turnover, whichever is higher. Therefore, the highest priority after the audit finding is to remedy the record-keeping gap and bring documentation into full compliance. While reviewing access controls, improving perimeter defenses, or holding training sessions may strengthen the overall security program, they do not directly address the specific violation that triggered the audit failure and potential fines.

The correct answer is that IoT devices often ship with default credentials and may contain unpatched vulnerabilities. This is a widely recognized and significant risk, as attackers frequently scan for and exploit devices with factory-default settings or known, unpatched firmware flaws. While other options can be concerns, they are not as primary or common as default credentials and vulnerabilities. Excessive bandwidth usage is a performance issue, not a primary security risk. Not all IoT devices require cloud connectivity to function, and while physical tampering is a risk, it is generally less common in a corporate environment than remote attacks exploiting software or configuration weaknesses.

A deterrent control is a control that simply deters from taking an action. The control in no way prevents the action from being taken but is only there to persuade not to. The other choices are other types of controls that serve other purposes.

Ensuring adherence to federally recommended cybersecurity practices would be the best course of action for a multinational corporation, as it would provide the most comprehensive and relevant guidance for operating within the United States. While the specific strategy of safeguarding electronic protected health information is crucial for organizations in the healthcare industry, it would not be the primary regulatory requirement for a multinational corporation in general. Similarly, implementing data protection measures related to payment processing would be targeted to entities handling such transactions, but not as a broad national requirement. Adhering to international privacy regulations would also be important; however, for operations within United United States, domestic compliance would take precedence and should be aligned first with federal practices.

Security groups in cloud computing act as a virtual firewall for your servers to control inbound and outbound traffic. They are used to define rules that allow or deny network traffic to resources based on IP address, port, and protocol. The correct answer represents the purpose of a security group, while the incorrect answers either describe other security concepts or configurations not directly related to security groups.

Symmetric encryption uses the same secret key for both encryption and decryption. It is typically faster than its counterpart, asymmetric encryption, which uses a pair of keys (a public and a private key) for encrypting and decrypting data, respectively.

Business Email Compromise (BEC) is effectively combated by strong organizational verification procedures. In a BEC attack, an attacker impersonates an executive or a partner organization in an email to trick an employee into making a financial transfer or revealing sensitive information. Training employees to verify such requests using multiple communication channels, like phone calls or face-to-face meetings, is crucial in preventing successful BEC attacks.

The bulk data that flows after a secure session has been established is encrypted with symmetric algorithms (for example, AES or ChaCha20). Asymmetric algorithms (such as RSA or ECDHE) are used only during the handshake to authenticate the parties and to agree on a shared secret. Hashing algorithms provide integrity, and key-stretching algorithms strengthen stored secrets but do not directly encrypt transit traffic.

The correct answer is vishing, which is voice-based phishing. Vishing attackers use phone calls to impersonate trusted entities and trick individuals into disclosing sensitive information like passwords or financial details. Phishing typically occurs through emails, smishing uses SMS text messages, and tailgating is a physical security breach where someone follows an authorized person into a restricted area.

Vishing is a contraction of 'voice' and 'phishing' and refers to the fraudulent practice where attackers use voice communication, which can include VoIP (Voice over Internet Protocol) calls, to trick individuals into divulging sensitive information. This term is specific to voice-based social engineering, making it the correct term for this type of attack.

This attack is a directory traversal. By inserting "../" into the URL, the attacker navigates the file system hierarchy to access files and folders that are outside the intended scope of the web application. This can lead to unauthorized access to sensitive files. Directory traversal exploits occur when input validation is insufficient on file path parameters. The other options are distinct types of attacks: SQL injection involves injecting malicious SQL queries into a database query, cross-site scripting (XSS) entails injecting malicious scripts into web content viewed by other users, and a buffer overflow occurs when too much data is sent to a fixed-length memory buffer, potentially allowing an attacker to execute arbitrary code.

Having services running with default credentials is considered a misconfiguration because attackers often use these well-known credentials to gain unauthorized access to systems. Changing default credentials is a basic security measure that should be applied to all systems and services to prevent unauthorized access. The other options provided are not inherently misconfigurations, as regular software updates, using secure protocols, and having an up-to-date antivirus are recommended practices for securing systems.

The correct option is 'Malicious update'. The most significant vulnerability in this design is that the lack of digital signature validation allows an attacker to introduce a malicious update. An attacker could use an on-path attack to provide a compromised firmware file. Because the device does not verify the file's authenticity and integrity, it will install the malicious firmware, potentially leading to a full system compromise. VM escape is a vulnerability specific to virtualized environments. A TOCTOU attack is a type of race condition. Directory traversal is an attack to access unauthorized files. None of these other options describe the primary flaw in the described firmware update process.

Implementing region-specific security policies is crucial because it ensures compliance with the unique local regulations and addresses specific security needs of each region. A uniform approach may fail to meet varied legal requirements, leading to compliance issues.

Detective controls are designed to identify and alert when security incidents occur or anomalies are detected, which includes monitoring network communications for suspicious activities. Preventive controls, as their name implies, aim to stop incidents from occurring, but they may not have alerting capabilities. Corrective controls are actions taken to repair the damage or restore systems after a security event, not to identify or detect them. Deterrent controls aim to discourage potential attackers but are not inherently designed for detecting anomalies within network communications.

Detective controls are designed to identify and record incidents as they occur, which helps in analyzing and understanding the threats that the organization faces. Intrusion detection systems (IDS) are a specific example of a detective control which monitors network traffic for suspicious activity and security breaches in real-time.

Governance committees (often called security or cybersecurity steering committees) exist to set the information-security strategy, approve or endorse policies, and provide ongoing oversight and guidance to ensure the program aligns with business objectives and risk appetite. They do not perform hands-on technical work such as configuring devices, staffing the SOC, or running vulnerability scans; those tasks belong to operational teams.

Physical destruction is the process of destroying the data storage device itself, rendering it unusable and ensuring that the data can no longer be accessed or recovered. Common methods include shredding, crushing, or incinerating the device. It is distinguished from other sanitization methods that may leave some potential for data recovery.

By reporting the suspicious email to the organization’s security team, the employee is following the proper protocol for dealing with potential file-based threats. This allows the security team to investigate and respond to the threat effectively, possibly preventing a security breach. Opening or ignoring the attachment could lead to system compromise, and contacting the manager directly may not stop the potential threat in time if the file is indeed malicious.

Developing and documenting an incident response policy is the MOST critical activity for establishing an incident response capability. This policy outlines the purpose, scope, roles, responsibilities, and management commitment. It serves as the foundation for the entire incident response process. Distributing an employee handbook only communicates existing policies and procedures, conducting background checks is an HR security measure, and holding a retrospective meeting is an activity that takes place after an incident has been handled (part of the 'Lessons Learned' phase).