CompTIA Security+ Practice Test (SY0-701)

Utilizing search engines to find information on disclosed vulnerabilities pertaining to the organization's network infrastructure directly aligns with the practice of OSINT. It involves using publicly available resources to uncover potential risks that need to be addressed. Social media profiles tend not to reveal technical vulnerabilities of network infrastructure components. Reviewing the organization’s own website source code can be part of a security review, but it does not encompass the collection of OSINT. Attending industry conferences is a good practice for professional development and networking, but it may not specifically yield the actionable vulnerability data that can be found through targeted online searches.

A brute force attack involves trying many different password combinations on user accounts in an attempt to gain unauthorized access. If an organization has an account lockout policy, a large number of lockouts is a strong indicator of a brute force attack in progress. The other options are incorrect. A keylogger is malware that records a user's keystrokes. Ransomware is malware that encrypts files and demands payment for their release. A trojan is a type of malware that disguises itself as legitimate software to gain access to a system.

Applying patches quickly closes known software vulnerabilities and therefore blocks many exploits used by commodity malware. It does not guarantee immunity from new or zero-day threats, nor does it stop malware delivered through phishing, malicious macros, or other techniques that do not rely on an unpatched vulnerability. A layered defense that includes security awareness, EDR, email filtering, and least-privilege controls is still required.

A tabletop exercise is a type of test where participants verbally walk through the steps of various emergency scenarios and disaster recovery procedures. It is designed to test the theoretical response to a disaster, ensuring that all individuals know their roles and responsibilities, without actually performing any recovery operations or disrupting the current operations. Other options, such as simulation and failover, involve more active engagement with systems or demonstration of the disaster recovery process.

Data that isn’t active and is on a storage media is considered data at rest.

Fingerprints, along with other physiological or behavioral biometrics such as iris or facial recognition, are unique physical characteristics tied to the user. Because these traits identify who the person is rather than what they know or possess, they fall under the MFA category of "something you are." The other options describe knowledge-based, possession-based, or location-based factors, none of which apply to biometric traits.

Encryption is the process of converting plaintext into a coded format known as ciphertext, which can only be read by authorized parties who have the decryption key. This process uses an algorithm and a key to transform the readable data into an unreadable format, thereby protecting the data from unauthorized access or eavesdropping.

The Owner of the data is responsible for making decisions about the data, establishing control mechanisms, and determining data classification levels. They are accountable for ensuring that the data is properly protected and used in compliance with legal and organizational requirements. The Processor is responsible for processing data on behalf of the Controller as per their instructions. The Custodian (also known as the Steward) is responsible for maintaining and protecting the data assets on a day-to-day basis. The Controller determines the purposes for which and the means by which personal data is processed but may not own the data or the process.

A web application firewall (WAF) is designed to sit in front of web servers and inspect HTTP/HTTPS traffic, blocking malicious requests such as SQL injection and cross-site scripting. Traditional network or host firewalls focus on ports, protocols, and IP addresses, so they cannot parse the application payload to stop these attacks. Simply forcing traffic over HTTPS protects confidentiality in transit but does not prevent injection attacks because the malicious payload is decrypted before it reaches the application. Therefore, deploying a WAF in front of the web server environment is the best option.

Automated compliance-monitoring tools can continuously collect evidence, check configurations, and raise alerts more quickly than manual methods. However, they still require human review to interpret nuanced legal requirements, investigate false positives or negatives, and decide on appropriate remediation. NIST SP 800-137 notes that efficient monitoring cannot rely solely on manual or automated methods; both are necessary to achieve comprehensive coverage and sound risk decisions.

The correct choice is a Next-Generation Firewall (NGFW). NGFWs are advanced firewalls that operate up to Layer 7 (the application layer) of the OSI model. Unlike traditional firewalls that are limited to inspecting traffic based on ports and IP addresses (Layers 3 and 4), NGFWs can perform deep packet inspection (DPI) to identify the specific applications in use and enforce security policies on them. They also integrate other security features like an intrusion prevention system (IPS) to block application-layer attacks. Stateless and stateful firewalls are older technologies that lack this deep application awareness. A circuit-level gateway operates at the session layer (Layer 5) and does not inspect application content.

The data owner is typically a senior business stakeholder-such as a finance manager or line-of-business executive-who has statutory or operational authority over the information set. Because that person controls how the data are collected, processed, retained, and disclosed, they are best positioned to determine acceptable risk levels, approve mitigation controls, and formally accept or transfer residual risk. Technical staff such as security analysts or IT support can recommend safeguards, and the CIO provides enterprise-wide technology leadership, but none of them own the specific financial data set. Therefore, the data owner is the appropriate risk owner for breaches affecting that information.

Steganography involves hiding sensitive information within another file, such as embedding a secret message within an image or audio file. This makes the existence of the sensitive data less obvious to unauthorized users. Encryption transforms data into unreadable ciphertext, but the encrypted data is still noticeable and may attract attention. Hashing converts data into a fixed-size hash value, mainly for integrity verification, and is not reversible. Data masking replaces sensitive data with altered values but does not hide it within another file.

The correct answer is 'Vishing'. Vishing, or voice phishing, involves an attacker using the telephone system in an attempt to scam the user into disclosing private information by pretending to be a legitimate entity, in this case, the company's IT department. Email phishing is incorrect as it specifically refers to the use of emails for scamming users. Smishing involves sending text messages, which is not the case here. Pretexting is the creation of a fabricated scenario to steal information, which is a component of this attack; however, vishing is the more specific and accurate term because the attack is delivered via a phone call.

The most effective control in this scenario is multifactor authentication (MFA). MFA requires more than just a password to authenticate, so even if an attacker steals a user's password, they cannot access the account without the second factor (e.g., a token, biometric scan, or push notification). A strong password policy is a good practice, but it is defeated once the password is stolen. Applying the latest security patches is crucial for preventing vulnerability exploitation but does not stop an attacker from using valid, stolen credentials. A host-based firewall controls network access but does not prevent a legitimate-looking authentication attempt with a stolen password from a permitted location.

Educating users on how to identify and report phishing emails directly addresses the social-engineering tactics leveraged in malicious messages. User awareness training reduces the likelihood that an employee will click a suspicious link, closing the primary attack path. Although email filtering and endpoint anti-malware controls can lower the volume of malicious emails or detect malware after execution, determined attackers can still bypass these technical defenses. Strict password policies do not affect a user's decision to click a link.

Applying security benchmarks provides standardized guidelines for configuring systems securely, ensuring consistency, and reducing vulnerabilities. These benchmarks serve as the foundation for creating a secure baseline. While a SCAP tool can automate the process, the benchmark itself is the standard being implemented. An IDS is used for detecting intrusions, not for configuration hardening, and password policies are only one component of a comprehensive security benchmark.

Directive controls are designed to direct the actions of individuals or systems within an organization. They provide guidance and instructions on how to maintain security and comply with established policies. Examples of directive controls include security policies and guidelines that outline acceptable behaviors, procedures, and best practices. These controls help ensure that employees and systems operate in a manner consistent with the organization's security objectives.

The principle of least privilege states that each user, process, or system should be granted only the specific permissions necessary to perform its assigned duties-nothing more. By applying this principle, the clerk can post invoices and generate reports without having unnecessary rights (such as creating vendors or approving payments) that could be abused.

Separation of duties divides critical tasks among multiple people to reduce fraud. Need-to-know restricts data access to those who require specific information but does not necessarily limit functional permissions. Mandatory access control enforces centrally defined security labels and classifications rather than tailoring privileges to individual job roles.

Data remanence is the primary risk. If RAM or storage blocks are not sanitized before being reassigned, residual information from the previous VM can persist. A new VM might be able to read that leftover data, exposing sensitive information. While privilege escalation, denial-of-service conditions, and virtual-switch misconfigurations are genuine virtualization issues, none of them directly stem from reusing uncleared resources.