CompTIA Security+ Practice Test (SY0-701)

While process isolation is the fundamental mechanism that prevents VM escape, it is not foolproof, as vulnerabilities in the hypervisor can still be exploited. A comprehensive, defense-in-depth strategy is the most effective approach. This includes keeping both the hypervisor and guest operating systems fully patched, using network segmentation to limit an attacker's reach, and applying the principle of least privilege through strict access controls. HIDS on guest VMs and data encryption are valuable security layers, but they do not directly prevent the hypervisor compromise that enables a VM escape.

Deploying a firewall to block unwanted traffic is preventive because it acts before an attack succeeds. Preventive controls reduce the likelihood of an incident by denying, restricting, or filtering actions up front. Detective controls only discover an event that has already happened, directive controls provide guidance, and compensating controls are alternatives when a primary safeguard is impractical.

The maintenance window is the specified time frame designated for implementing changes and updates with minimal disruption to users. By referring to the maintenance window, the IT team can schedule the software update during a period when system usage is low. The backout plan outlines steps to reverse a change if issues arise, impact analysis assesses the potential effects of the change on the organization, and test results provide information on the outcomes of testing but do not assist in scheduling.

The correct answer is the Service-Level Agreement. A Service-Level Agreement is a formal document that outlines the expected level of service provided by a vendor, including measurable performance metrics like uptime and response times. Memoranda of Agreement and Memoranda of Understanding typically document more general cooperation or mutual intent between parties without delving into specific service metrics. A Master Service Agreement establishes a contractual framework that might not detail service metrics, which are often found in subsequent work orders or statements of work. A Non-Disclosure Agreement is focused on confidentiality of information and does not relate to service performance criteria. A Business Partners Agreement is similar in some respects but is not primarily concerned with specific service delivery metrics like response times or system availability.

A tabletop exercise is a discussion-based activity where members of an organization, including IT and management teams, analyze and resolve hypothetical situations. This type of training is valuable as it allows team members to think through the policies, procedures, and roles they would play during a real event without the pressure of an actual emergency. Such exercises are critical for improving an organization's incident response and establishing a culture of security awareness. They differ from simulations, which are hands-on practices that often involve the actual use of technology to respond to a mock incident, and from fire drills, which are physical evacuation practices.

The correct answer is the National Vulnerability Database (NVD) because it is a comprehensive database where CVE details are cataloged and can be searched. The CVE identifier would provide a standardized reference for the vulnerability in question, allowing the security team to access the details they need to begin assessing the impact and planning their response. The CERT Coordination Center deals with coordinating responses to security incidents, not cataloging CVEs. The Open Web Application Security Project (OWASP) focuses on improving software security, specifically for web applications, and does not serve as a database for CVEs. The Internet Engineering Task Force (IETF) develops and promotes voluntary internet standards and protocols, but does not manage a database of vulnerabilities.

Signature updates in an IDS/IPS are vital to maintain the system's effectiveness against new threats. As attack methodologies evolve, the system must be updated with information about these new threats to accurately detect and potentially prevent them. Novel software updates would pertain to general software enhancements rather than threat intelligence. Configuration changes may improve system performance but do not directly relate to new threat intelligence. Rule adjustments generally involve customizing how the system responds to detected threats, not updating its threat detection capabilities.

An owner is an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use, and security of the assets. This includes ensuring appropriate access controls are in place and the integrity and security of the asset are maintained.

Data sovereignty is correct because it specifically refers to the notion that data is subject to the legal requirements and regulations of the country in which it physically resides. Compliance with data sovereignty is critical when operating in multiple jurisdictions, as failure to adhere to local data laws can result in significant legal and financial penalties.

A Remote Access Server (RAS) is specifically designed to handle a significant number of secure, authenticated connections, which typically involve telecommuting scenarios. It provides a centralized solution for remote workers to access the corporate network, offering encryption and authentication to maintain data integrity and confidentiality. Despite being capable of various security functions, an Intrusion Detection and Prevention System (IDPS) primarily focuses on identifying and mitigating potential threats and breaches, rather than facilitating remote access. A Load Balancer excels at distributing networking or application traffic across multiple servers but does not inherently provide connectivity solutions for remote workers. 'Content Filtering Appliance' might seem like a viable option because it implies data protection, but it serves a different role — typically screening incoming web content for malware or policy violations — rather than enabling secure remote access.

The correct answer is a threat feed. A threat feed is a real-time or near-real-time stream of data providing information on current and potential cyber threats, including indicators of compromise like malicious IPs, URLs, and malware signatures. A security baseline defines a standard state for a system, a SIEM is used to aggregate and analyze log data from internal sources, and a vulnerability scanner actively probes systems for weaknesses rather than providing a continuous external data stream.

Creating an IPsec VPN (or other strong encryption such as TLS 1.3) establishes an encrypted tunnel that offsets the risk of sending data across an untrusted network when the preferred primary control-a private, physically isolated link-cannot be used. That encrypted tunnel therefore serves as a compensating control. Daily log reviews, quarterly penetration tests, and additional awareness training are useful but do not directly provide equivalent protection for the specific gap (lack of a secure transmission channel).

Governance committees (often called security or cybersecurity steering committees) exist to set the information-security strategy, approve or endorse policies, and provide ongoing oversight and guidance to ensure the program aligns with business objectives and risk appetite. They do not perform hands-on technical work such as configuring devices, staffing the SOC, or running vulnerability scans; those tasks belong to operational teams.

Presenting the information that applies a recognized scoring system to assess the severity of the vulnerabilities is correct, as it gives an objective measure of risk. This enables management to make informed decisions on which vulnerabilities to address first based on the potential impact. While identification by category, operating system, or the potential for data loss can provide important context, they do not inherently offer a mechanism for prioritization. Therefore, the key to an effective report is not only identifying the vulnerabilities but also clearly indicating which ones pose the greatest risk based on a standardized severity rating.

The correct answer is 'Conduct an impact analysis' because it is a practice that helps determine the potential implications of the change on the organization's systems and security posture. An impact analysis will review how the proposed update will interact with existing systems, identify any potential risks or conflicts, and help plan to mitigate them before the change is implemented. 'Reviewing the backout plan' is performed later and is associated with preparation for potential rollback in case the update causes issues. 'Consulting the stakeholders' is important but not the first step, as they would require the impact analysis to assess the change effectively. 'Updating policies/procedures' is premature at this stage, since it's necessary first to understand the effects of the changes on the current policies and procedures.

Availability refers to the concept that systems, functions, or data should be accessible when required by the user. High availability systems are designed to be operational and available for use a very high percentage of the time, often through redundant or fault-tolerant components. An 'Air-gapped network' refers to a security measure to physically isolate a computer or network from other networks, including the internet, which doesn't directly pertain to its ability to be available. 'Ease of recovery' is associated with the ability to restore system capabilities or access to data after a disruption, not the continuous availability. 'Real-time processing' refers to the capability of systems to process data as it comes in without delay, which is not exclusively about the system’s ability to be continuously operational and available.

Revenge is often a motivation for employees who feel wronged or slighted by their organization. In this scenario, the employee's resignation following a missed promotion and the immediate subsequent data exfiltration suggest a revenge-motivated insider threat. Other motivations like financial gain or data exfiltration for espionage purposes are less direct in linking the disgruntled employee's actions to the incident. Philosophical/political beliefs is unlikely the motive in this context, as the act of retaliation is personal rather than ideological.

A load balancer is used to distribute network or application traffic across multiple servers, which improves responsiveness and increases availability of applications. It is designed to prevent any one server from becoming overloaded with too much traffic, which can degrade performance or cause outages. Proxies may balance requests but are not primarily designed for load balancing, while an IPS/IDS focuses on monitoring and analyzing network traffic for any malicious activity. Jump servers are utilized to manage access to devices within a security zone.

Input validation is a crucial first line of defense against many types of attacks, including buffer overflows. By checking that input conforms to expected length, type, and format, it can prevent many overflow attempts. However, it is not a foolproof solution on its own and can be bypassed or implemented improperly. For comprehensive protection, input validation must be part of a defense-in-depth strategy that also includes other secure coding practices (like bounds checking), using memory-safe languages and functions where possible, and enabling runtime protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Total cost of ownership includes the direct and indirect costs incurred throughout the life cycle of a security control, encompassing purchase price, maintenance fees, operational costs, and potential training expenses. This is critical as it reflects the overall investment needed and impacts the budgeting and financial planning of an organization's security strategy. Other options, like the time-to-market or the number of users, may indirectly influence costs but are not direct financial considerations on their own. The time to remediate vulnerabilities focuses on the duration of the response rather than on financial implications.