CompTIA Security+ Practice Test (SY0-701)

An employee unknowingly installing malware on their workstation after believing they are updating legitimate software best represents an unintentional security risk. Unlike intentional actions that are derived from malicious intent, unintentional risks are often due to lack of awareness or mistakes made without malice. The employee did not intend to harm the company but did so by mistake. The other options involve deliberate actions and do not exemplify an unintentional security risk.

The correct answer is 'Compromised hardware or software' because suppliers have direct access to the components and programs that enterprises use, making it possible for them to introduce compromised products into an organization's infrastructure. 'Data corruption during transmission' focuses on data in transit rather than supply chain vulnerabilities. 'Inadequate customer service' does not directly relate to security issues, and 'Unauthorized data sharing' is a concern with entities that handle data, but it does not specifically relate to the unique risks posed by suppliers of hardware and software in the supply chain.

Implementing network segmentation would be the most effective at mitigating the risk as it restricts the traffic between the IoT devices and the rest of the network, reducing the potential attack surface and the chance of an attacker reaching sensitive data if the IoT devices are compromised. While full disk encryption is important for data at rest, it doesn't address the transmission or collection of data. Enabling a host-based firewall on IoT devices may not be feasible due to their limited computing resources and wouldn't protect against attacks exploiting the IoT network itself. Requiring multi-factor authentication (MFA) improves the security of user accounts, but it does not specifically address the issue of securing sensitive data collected by IoT devices from network-based threats.

The correct answer is credential replay. A credential replay attack occurs when an attacker captures valid credentials (like a username and password) and reuses, or "replays," them to gain unauthorized access to a system. The phishing attack described in the scenario is a common method for obtaining credentials for this purpose. Session hijacking involves stealing an active session token, not static credentials. Cross-site scripting (XSS) is an injection attack that targets other users of a vulnerable website. DNS poisoning is an attack that can redirect users to a malicious site but is not the attack performed with the stolen credentials.

The correct answer is vishing. Vishing, or voice phishing, is a social engineering attack that occurs over the phone, where attackers impersonate a legitimate entity to deceive victims into providing sensitive information or installing malware. The scenario describes a classic tech support scam executed via a phone call.

• Spear phishing is incorrect because it involves highly targeted attacks sent via email, not phone calls.
• Tailgating is a physical security attack where an unauthorized person follows an authorized individual into a secure area and is not relevant to this scenario.
• A watering hole attack is a strategy where an attacker compromises a website that is frequently visited by a specific group of users, rather than initiating contact via a phone call.

To calculate MTBF, divide the total operational time by the total number of failures. The total operational time over the 2-year period is 17,520 hours, and there were 4+2=6 outages. Therefore, the MTBF is 17,520 hours / 6 outages = 2,920 hours. Accurate calculation of MTBF is essential for gauging the reliability of equipment and scheduling maintenance to minimize downtime.

Detective controls are designed to identify and alert when security incidents occur or anomalies are detected, which includes monitoring network communications for suspicious activities. Preventive controls, as their name implies, aim to stop incidents from occurring, but they may not have alerting capabilities. Corrective controls are actions taken to repair the damage or restore systems after a security event, not to identify or detect them. Deterrent controls aim to discourage potential attackers but are not inherently designed for detecting anomalies within network communications.

The hallmark of a Worm is its ability to self-replicate and spread autonomously across networks, which aligns with the symptoms described: high network utilization and automatic propagation. While both Viruses and Worms can spread and cause harm, Viruses require some form of user action (like executing a file) to replicate, which is not suggested by the scenario. Bots typically perform automated tasks and may participate in large networks (botnets), but the specifics described (high network utilization, identical packets, no user interaction) align more closely with the behavior of a Worm. Logic bombs execute malicious actions when triggered by specific events, but do not self-replicate or spread across networks autonomously.

The correct action to take first is to apply the software patch provided by the vendor if one is available. Patch management is a critical security control that can mitigate vulnerabilities that have been discovered and addressed by the software provider. Installing a new antivirus in this case would not remove the existing vulnerability in the software, although it might provide some protection against malware that attempts to exploit the vulnerability. Changing the document format might avoid the vulnerability, but it is not a viable long-term solution and would likely disrupt normal business operations. Disabling internet access would prevent some exploitation attempts, but would not address the vulnerability itself and would likely disrupt business operations.

Applying updates, or 'patching', is essential because it resolves vulnerabilities that could be exploited by threat actors. Ignoring updates leaves systems susceptible to attacks that target these known weaknesses. Other options such as 'increasing system performance' or 'enhancing user interface' might be secondary benefits of some updates but are not the primary security purpose. 'Expanding compatibility' is usually not related to the security aspect of patching.

A VPN concentrator is a purpose-built appliance that creates, terminates, and manages large numbers of VPN tunnels. It performs hardware-accelerated encryption and authentication, scales to thousands of concurrent connections, and lets administrators enforce remote-access policies from one central point. An IDS/IPS inspects traffic for threats, a load balancer distributes application traffic for availability, and a content-filtering gateway screens web or email content; none of these devices are designed to establish VPN tunnels for remote users.

Blackmail involves threatening to reveal sensitive or damaging information unless specific demands are met. In this scenario, the attacker is leveraging confidential documents to coerce the company. Espionage involves gathering information for intelligence purposes, typically for a foreign entity. Revenge is motivated by a desire to retaliate for a perceived wrong, and sabotage aims to deliberately destroy or damage assets. Therefore, blackmail is the primary motivation described.

Firewalls are technical controls because they are technological solutions used to enforce security policies by monitoring and filtering network traffic. Technical controls involve the use of hardware and software to protect systems and data. The other options are not technical controls: security policies are managerial controls that define security objectives and guidelines; security awareness training is a managerial control focused on educating personnel; access badges are physical controls used to secure physical premises.

High availability refers to a system's design that aims to ensure an agreed level of operational performance, typically uptime, for a higher than normal period. This is achieved through redundancy and failover mechanisms that allow a system to remain functional even if some of its components fail. Scalability refers to the ability of a system to handle growth, which is important but doesn't specifically relate to uptime. Redundancy is the duplication of components and is part of achieving high availability, but on its own, it does not describe the entire concept. Power efficiency is related to energy consumption and not directly to maintaining uptime.

A snapshot is the most efficient method because it captures the entire state of a virtual machine at a specific point in time and is designed for rapid reversion. A full backup would work but restoring it would be significantly slower. Differential backups are also slower to restore as they require the last full backup as well. Replication to a warm site is a disaster recovery strategy for site-level failures, not for reverting a single server's configuration change.

Data is generally considered most vulnerable to interception when it is 'in transit'. This state, also known as 'data in motion', describes data being transferred over a network. During transit across local or public networks, data is susceptible to being captured, read, or altered by unauthorized parties if not properly encrypted. While data 'at rest' (stored) and 'in use' (being processed) have their own significant vulnerabilities, the act of moving data between systems often exposes it to the widest range of network-based threats. Security measures like TLS and IPsec are crucial for protecting data in this state.

Refining the correlation rules to establish more stringent alert criteria can significantly decrease the amount of false positive alerts generated by a Security Information and Event Management system. By defining more precise conditions for when an alert should be triggered, a SIEM can more accurately differentiate between standard operations and suspicious activities. Adjustments must be crafted carefully to minimize the risk of missing true security incidents. Altering system thresholds indiscriminately might suppress important warnings, while focus solely on historical data analysis may not take into account novel or evolving threats. Disabling alerts for activities that are considered to be low risk can be risky, as they might cumulatively indicate a security threat if analyzed in context.

The correct answer is 'Minimization of human error in repetitive tasks,' as automation ensures that repetitive tasks are handled consistently without the same rate of errors that might occur with manual processing, thus saving time and enhancing operational efficiency. While 'Enforcing stronger password policies' and 'Improved user authentication protocols' are positive outcomes, they are not specifically related to the efficiency and timesaving aspect of automation. 'Automated patch management' does streamline updating software but the aspect of reducing human error is more universally applicable to the concept of automation improving efficiency.

The correct answer is 'Incremental backups every 2 hours with daily full backups'. This approach efficiently balances the need to maintain recent data save points to minimize loss in the event of a system failure while utilizing resources effectively. Incremental backups save changes since the last full or incremental backup, reducing the volume of data that needs to be copied and the time required for each subsequent backup. Daily full backups ensure that there is always a recent complete copy of data to restore from, while the frequent incremental backups capture the ongoing changes.

Setting up a system that monitors, detects, and blocks potentially unauthorized data transmissions can dramatically lower the likelihood of sensitive information being leaked or transferred outside the company by an insider with legitimate access. While biometric authentication adds a layer of security, it does not prevent data exfiltration by authenticated users. Disabling unused service ports and enforcing strong encryption enhance security but are not directly effective in monitoring or preventing the transfer of sensitive data from insiders. Segmenting the network can reduce the risk of widespread internal access, but it is not specifically aimed at preventing data exfiltration.