CompTIA Security+ Practice Test (SY0-701)

An Acceptable Use Policy (AUP) defines what users are and are not allowed to do with the organization's IT assets. This is crucial for maintaining the integrity and security of an organization's infrastructure.

Security zones are utilized to segregate different parts of the network, often by their role or requirements for security, to apply appropriate controls and limit the spread of security breaches. By controlling communication between zones, the risk of a compromised system affecting the entire network is reduced. Each answer choice is related to network management or security, but only one specifically addresses the central concept of isolating network segments to enhance security.

The most effective control in this scenario is multifactor authentication (MFA). MFA requires more than just a password to authenticate, so even if an attacker steals a user's password, they cannot access the account without the second factor (e.g., a token, biometric scan, or push notification). A strong password policy is a good practice, but it is defeated once the password is stolen. Applying the latest security patches is crucial for preventing vulnerability exploitation but does not stop an attacker from using valid, stolen credentials. A host-based firewall controls network access but does not prevent a legitimate-looking authentication attempt with a stolen password from a permitted location.

The organization has implemented a detective control. Detective controls are designed to identify and alert when a security incident occurs. The scenario describes a monitoring system that flags unusual behavior, which aligns with the detection and alerting function of a detective control. Preventive controls aim to stop incidents from occurring before they happen, which is not the focus in this scenario. Corrective controls are instituted to limit the damage after an incident has occurred, which is again not the main function described. While compensating controls provide an alternative measure if primary controls fail or are not feasible, the scenario directly mentions the implementation was a response to a previous undetected breach, indicating it is a primary monitoring solution, not a compensatory one.

Symmetric encryption uses a single shared secret key for both encryption and decryption. This design makes it computationally efficient but requires a secure method to distribute the key to all parties. In contrast, asymmetric encryption employs two mathematically related keys (a public key for encryption and a private key for decryption), eliminating the need to share the private key but at the cost of higher computational overhead. Statements describing key pairs, elimination of key-exchange requirements, or digital-signature creation refer to asymmetric encryption, not symmetric encryption.

An application allow list is the most effective control because it operates on a 'deny-by-default' principle, permitting only explicitly approved applications to run. This is the most restrictive and secure approach for a sensitive server. An application deny list would block known bad applications but allow all others, which is less secure. Anomaly-based intrusion detection is a detective control that identifies unusual behavior but does not block application execution. Network Access Control (NAC) is a control that restricts device access to the network, not what applications can run on a host.

RPO (Recovery Point Objective) defines the amount of data an organization can afford to lose, measured in time. This helps in determining the frequency of data backups to ensure data loss stays within acceptable limits. The other options relate to different aspects of disaster recovery, such as restoration time, incident response procedures, and access prevention strategies.

The correct choice is a Next-Generation Firewall (NGFW). NGFWs are advanced firewalls that operate up to Layer 7 (the application layer) of the OSI model. Unlike traditional firewalls that are limited to inspecting traffic based on ports and IP addresses (Layers 3 and 4), NGFWs can perform deep packet inspection (DPI) to identify the specific applications in use and enforce security policies on them. They also integrate other security features like an intrusion prevention system (IPS) to block application-layer attacks. Stateless and stateful firewalls are older technologies that lack this deep application awareness. A circuit-level gateway operates at the session layer (Layer 5) and does not inspect application content.

Data retention timeframes are pivotal to compliance since they dictate the specific duration for which data must be stored according to various legal and regulatory frameworks. Organizations are often required to retain certain records for a defined period to comply with laws and industry regulations. Retaining data for either too short or too long a period can lead to non-compliance and associated penalties. Having too broad or too narrow scopes in retention policies can be non-compliant or inefficient, respectively, but the actual retention period is the key factor that relates directly to legal and regulatory requirements.

The alarm system is a detective control. Its primary purpose is to detect unauthorized entry after it occurs and generate an alert so that an appropriate response can be initiated. It does not physically stop an intruder (preventive), mainly scare them away (deterrent), or repair damage after the fact (corrective).

Implementing a firewall is the most effective solution in this scenario. A firewall acts as a barrier between the internal network and external sources, controlling incoming and outgoing network traffic based on predefined security rules. It blocks unauthorized access attempts from external entities while allowing legitimate outbound communication required by employees. An intrusion detection system monitors network activities for suspicious behavior and generates alerts but does not prevent access. Encryption secures data but does not control network access. Physical access controls protect the physical hardware and premises but do not safeguard the network from external cyber threats.

Updating security control definitions with information from the threat feed immediately turns raw intelligence into preventive controls. By loading new indicators of compromise into firewalls, intrusion prevention systems, and similar technologies, the organization can automatically detect or block activity associated with the identified threats. Creating dashboards, adding more feeds without a plan, or reserving the data only for incident response are useful but do not embed the intelligence directly into real-time defenses.

Implementing ephemeral credentials is the best solution as they are, by definition, temporary and designed to expire after a short, predefined period. This directly aligns with the policy requirement for access to be automatically revoked after the audit. This approach embodies the principles of Just-in-Time (JIT) access and least privilege by providing access only for the duration it is needed. Permanent accounts create a standing privilege that increases the attack surface, which is against security best practices. Shared passwords eliminate individual accountability and are a poor security practice. Non-expiring API keys, even if IP-restricted, violate the policy for temporary access and create a persistent security risk if compromised.

An Intrusion Detection System (IDS) operates passively by monitoring network traffic and alerting administrators to suspicious activities without interfering with the traffic flow or introducing latency. It does not become a point of failure because it does not sit inline with the network traffic. In contrast, an Intrusion Prevention System (IPS) actively analyzes and can block or modify traffic to prevent threats, potentially introducing latency and becoming a point of failure. A firewall filters network traffic and can affect performance or interfere with legitimate traffic. A Content Filter inspects and potentially blocks specific content, which can also interfere with traffic and introduce latency.

Gap analysis is the correct answer because it involves comparing the current state of a system, process, or security posture with the desired or future state in order to identify discrepancies and areas for improvement. In this scenario, the IT department is conducting a gap analysis to determine where their security posture stands against industry best practices and what steps they need to take to reach their desired level of security. A risk assessment focuses on identifying, evaluating, and prioritizing risks – it does not inherently compare current and desired states. Security baselining involves setting a minimum level of security to compare against future measurements, but it does not involve a comparison to industry best practices. An impact analysis is generally conducted to understand the effects of system changes, not to compare current and desired security postures.

'Impossible travel' refers to a situation where a user account is accessed from geographically distant locations within a timeframe that is too short for normal travel to occur, suggesting the use of compromised credentials. This is an important red flag for security analysts as it may indicate an account takeover by an unauthorized user. In contrast, 'Concurrent session usage' may raise concern but does not imply physical impossibility, 'Account lockout' is a response to suspicious activities and itself is not an indicator, and 'Time-of-check (TOC)' relates to a specific vulnerability type concerning the timing of security checks.

The process of hardening a server should begin with updating the server to the latest stable version of the operating system, including all the available security patches. This action addresses known vulnerabilities and reduces the number of potential attack vectors that could be exploited. Configuring a firewall, setting account lockout policies, and conducting a vulnerability scan are important hardening steps, but they come after ensuring that the server is running the most secure operating system version available.

Implementing a federation service is the correct solution because it enables different authentication systems to interoperate by allowing them to trust and validate each other's users. It serves as a middle layer that manages and brokers identity information between organizations, thus simplifying cross-domain user access. Additionally, a federation service allows users to authenticate once and gain access to multiple applications, even if the underlying authentication protocols differ. Updating password management procedures or initiating enhanced user credential verification does not provide a method for protocol interoperability. Introducing additional network-layer security, such as an encrypted channel, does not address the core issue of authenticating users across different authentication protocols.

The correct answer is: Spoofing.

• Spoofing: Spoofing specifically refers to the act of imitating a trusted device or user on a network. By creating fabricated packets that appear to originate from a legitimate source, the attacker can gain unauthorized access or disrupt communication flows.

• Replay: A replay attack involves capturing and retransmitting legitimate network traffic to gain unauthorized access or manipulate data. While it utilizes existing packets, it doesn't necessarily impersonate a trusted source.

• Phishing: Phishing attacks attempt to trick users into revealing sensitive information by disguising themselves as legitimate entities (e.g., emails or websites). Spoofing can be a technique used in phishing attacks, but it's not the sole characteristic.

• Forgery: Forgery can encompass a broader range of activities like counterfeiting documents or digital signatures. In the context of network security, spoofing is a more specific term referring to impersonation on a network level.

Biometric access control systems provide a high level of security by using unique physical characteristics of individuals, such as fingerprints, retinal scans, or facial recognition, to verify a person's identity. This is more secure than using key cards alone, since key cards can be lost, stolen, or duplicated, while biometric traits are much harder to replicate or share. A combination lock, while providing a layer of security, does not uniquely identify an individual and could be more easily compromised through observing the entry or sharing the code. Surveillance cameras act as a deterrent and a means to record events, but they do not actively restrict access to authorized personnel.