CompTIA Security+ Practice Test (SY0-701)

A Hardware Security Module (HSM) is a physical device that provides secure generation, storage, and management of cryptographic keys. HSMs are designed to protect keys from unauthorized access and are used to enhance security in encryption processes. A Key Management System is typically software-based and manages keys but doesn't provide the physical security level of an HSM. A Trusted Platform Module (TPM) is a hardware-based security chip embedded in devices, used mainly for device authentication and integrity verification rather than comprehensive key management. A Secure Enclave is a secure area within a processor, primarily used in mobile devices to store sensitive data, but it is not a standalone device like an HSM.

A tabletop exercise is a discussion-based activity where members of an organization, including IT and management teams, analyze and resolve hypothetical situations. This type of training is valuable as it allows team members to think through the policies, procedures, and roles they would play during a real event without the pressure of an actual emergency. Such exercises are critical for improving an organization's incident response and establishing a culture of security awareness. They differ from simulations, which are hands-on practices that often involve the actual use of technology to respond to a mock incident, and from fire drills, which are physical evacuation practices.

A honeypot is designed to appear as a vulnerable system to attract attackers. By mimicking services and recording interactions, it allows organizations to study attack methods without compromising actual assets. While an intrusion detection system monitors network traffic for suspicious activity, it does not simulate vulnerable services. A firewall configured with logging controls access but doesn't engage attackers to gather intelligence. A vulnerability scanner identifies weaknesses but doesn't record attacker interactions.

The correct answer is a guideline. A security guideline is a document that provides recommendations and best practices; it is not mandatory. In contrast, a policy is a high-level statement of intent from management that is mandatory. A standard is a mandatory rule that supports a policy, often specifying technologies or configurations. A procedure is a detailed, step-by-step set of instructions for performing a specific task, which is also mandatory.

Creating an air-gapped network that is not connected to the internet or any other networks is the most secure form of physical isolation. This prevents any form of remote access or cyberattack that depends on network connectivity. Using dedicated cabling still leaves the system connected to external networks; VLANs provide only logical segmentation on shared infrastructure; and firewalls merely filter traffic on connected networks, so none of those options achieve true physical isolation.

Recording the date, time, and individuals who handle the evidence ensures a documented trail, which is crucial for maintaining the chain of custody. This documentation verifies that the evidence has not been tampered with and is admissible in court. While other actions like using write-blocking devices are important for preserving evidence integrity, they do not directly address the documentation aspect of the chain of custody.

You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.

To address the limitation of a system that only provides notifications when a potential breach occurs, implementing a solution that can take preventative action is necessary. An Intrusion Prevention System is designed to not only detect but to preventively respond to threats by blocking them, therefore enhancing the network's defensive capabilities. The options of bolstering data loss prevention (DLP) strategies, incorporating additional security information and event management (SIEM) features, and enhancing public key infrastructure (PKI) are all valuable in their respective contexts. However, none of these solutions are purposed to block malicious traffic in the way an Intrusion Prevention System would. DLP focuses on preventing data leaks, SIEM centralizes logging and provides threat detection, and PKI deals with encryption and authentication, not inline traffic analysis and intervention.

Open Authorization, commonly known as OAuth, is best suited for this purpose. OAuth is a protocol that enables applications to obtain limited access to user accounts on an HTTP service without passing user credentials to the application. It works by using access tokens provided by the authorization server, which mediate the authentication of the end user by the information provider.

• LDAP (Lightweight Directory Access Protocol) is primarily used for accessing and maintaining distributed directory information services over an IP network, which is not the goal in this scenario.
• RADIUS (Remote Authentication Dial-In User Service) provides centralized authentication, authorization, and accounting for users who connect and use a network service, but does not cater to the specific needs of application-to-application authorization.
• TACACS+ (Terminal Access Controller Access-Control System Plus) provides detailed accounting information and flexible administrative control over authentication and authorization processes, but it is not designed for delegating user authorization between web services.

Intrusion Detection Systems (IDS) are designed to monitor network and system activities for malicious activity or policy violations. A well-configured IDS can detect numerous types of malicious network traffic and computer usage that often go unnoticed by a firewall, which makes it an excellent choice for identifying unauthorized accesses or anomalies. Anti-virus software, while useful for detecting and removing malware, does not generally monitor network traffic for anomalies. Firewalls are preventive controls that block unauthorized access based on predefined rules but do not perform post-passage anomaly detection. Security training is essential for personnel but does not continuously monitor network traffic.

A jump server, also known as a jump host or bastion host, is a hardened server that acts as a secure intermediary and single point of entry for administrators to connect to other devices in a separate security zone. This approach centralizes access control and monitoring.

A proxy server primarily acts as an intermediary for user requests to other servers (like web servers), but it is not specifically designed for administrative access sessions. A load balancer distributes incoming traffic across multiple servers to improve availability and performance but does not serve as a secure administrative gateway. A VPN concentrator is used to establish secure, encrypted tunnels for remote access, but it typically provides broader network-level access rather than the specific, audited host-to-host administrative access that a jump server provides.

A Virtual Private Network (VPN) creates a secure tunnel between the remote user's device and the corporate network, encrypting data in transit, which helps protect sensitive corporate data from eavesdropping and man-in-the-middle attacks. Remote access and tunneling protocols can be part of a VPN solution, emphasizing the importance of encryption and a secure tunnel. A jump server, even though it acts as a bridge between different security zones, does not inherently encrypt traffic and is less suited as a comprehensive solution for remote employees' secure connectivity.

The best strategy is to assign access rights according to the functions necessary for each job role within the new platform. The analytics division should receive a viewing and reporting role to access and analyze data without the risk of altering it, enhancing data integrity. Conversely, the account management division should be given a more comprehensive role that encompasses the creation, viewing, updating, and deletion of client records, aligned with their day-to-day account maintenance and client interaction tasks. This access control mechanism follows the principle of 'least privilege,' granting users only the permissions necessary to perform their jobs, which is a fundamental aspect of secure role assignments. Using 'RBAC' without explaining its meaning or acronym form could lead to confusion for those unfamiliar with the term, highlighting the necessity for clarity in both teaching and testing environments.

Authentication is the correct term for the process where an entity (user, system, or process) proves its identity to a verifying entity by providing the appropriate credentials. Authorization refers to the granting of rights and permissions post-authentication, and accounting refers to the tracking of user activities, while multifactor indicates a means or type of authentication, not the process itself.

When an existing security control is found to not mitigate risk down to an acceptable level, a compensating control can be used to bring the risk to the desired level.