CompTIA Security+ Practice Test (SY0-701)

'Data in use' refers to data actively processed within system memory (RAM) by applications or services. It is typically in a decrypted state and therefore vulnerable to exploitation, such as malware or unauthorized access. Security strategies must be tailored to address these risks, differing from those for 'Data at rest' or 'Data in transit'.

A tabletop exercise is a type of test where participants verbally walk through the steps of various emergency scenarios and disaster recovery procedures. It is designed to test the theoretical response to a disaster, ensuring that all individuals know their roles and responsibilities, without actually performing any recovery operations or disrupting the current operations. Other options, such as simulation and failover, involve more active engagement with systems or demonstration of the disaster recovery process.

Digital signatures use asymmetric encryption to associate a sender's identity with a document uniquely. This provides non-repudiation by ensuring that the sender cannot deny authoring the document, and the recipient can verify its authenticity. Strong authentication verifies user identities but does not prevent users from denying their actions. Hashing ensures data integrity but does not link actions to specific users. Encryption protects data confidentiality but does not provide proof of the sender's identity.

A load balancer is used to spread requests across multiple servers to optimize resource use, maximize throughput, reduce response time, and avoid overload on any single server. By distributing the load, the load balancer helps ensure that the web application remains highly available and reliable to users. While a jump server provides secure administrative access to servers from a single point, an intrusion detection system monitors network traffic for malicious activities, a firewall controls incoming and outgoing traffic based on security rules, and a proxy server acts as an intermediary for requests. None of these devices specifically distribute network traffic among multiple servers like a load balancer does.

Before proceeding with exploitation, it is crucial to review the agreed-upon rules of engagement and scope of work. This ensures that actions taken during a penetration test are within legal and authorized boundaries, safeguarding the tester from legal repercussions and the target system from unauthorized modification or damage.

Implementing network segmentation would be the most effective at mitigating the risk as it restricts the traffic between the IoT devices and the rest of the network, reducing the potential attack surface and the chance of an attacker reaching sensitive data if the IoT devices are compromised. While full disk encryption is important for data at rest, it doesn't address the transmission or collection of data. Enabling a host-based firewall on IoT devices may not be feasible due to their limited computing resources and wouldn't protect against attacks exploiting the IoT network itself. Requiring multi-factor authentication (MFA) improves the security of user accounts, but it does not specifically address the issue of securing sensitive data collected by IoT devices from network-based threats.

The correct answer involves updating the Incident Response Plan with improvements identified during the review of a recent incident. This is the best choice because it directly applies feedback from actual incidents to enhance procedures and readiness for future events. Simply reviewing historical trends or concluding that the existing plan is sufficient does not provide the iterative improvement needed for effective incident response. Updating training materials without specific reference to the improvements identified may not address the issues encountered during the incident.

An organization with a neutral risk appetite is one that seeks to maintain a balance between accepting some levels of risk and pursuing new opportunities, without skewing too far towards either risk aversion or risk seeking. Choice A best aligns with this balanced approach, whereas the other options suggest either a greater willingness to take on risk (expansionary) or a more conservative stance (conservative) that minimizes risk exposure.

The correct answer is Hacktivist. Hacktivists are often motivated by philosophical or political beliefs, which lead them to target organizations or governments that they perceive as acting against their values or agendas. The nature of these attacks, including website defacements and public message spreads, are typical of hacktivist groups that aim to broadcast a political message or to create awareness about their cause. The other options listed do not align as closely with the details given.

Supply chain attacks usually start by breaching a trusted third-party vendor or service provider and inserting malicious code or components into software or updates that are then distributed to downstream customers. Because the update appears to originate from a legitimate, trusted source, traditional perimeter and host defenses inside the customer's environment often fail to detect the compromise. Attacks that target only an organization's internally developed code, physical theft of hardware, or direct DDoS assaults do not fit the definition of a supply chain attack.

The correct answer is Implementing a centralized proxy for content categorization and filtering. This method is most effective as it centralizes the control over internet traffic, allowing the organization to maintain comprehensive oversight over web content access. A centralized proxy can analyze and categorize content dynamically, applying company-wide controls and filters based on the established policy. Other methods, like client-side scripting or relying solely on client configurations, do not offer the same level of centralized control and may be bypassed or require extensive individual configuration management.

Isolating the workstation from the network is the BEST immediate action to thwart the ongoing threat, as it prevents the infected system from communicating with the command and control servers and stops further spread of the infection. Changing access controls might not be effective if the infection is propagating in other ways, and conducting a vulnerability scan or capturing network traffic does not immediately contain the threat.

Encrypting data in transit is the most effective measure for protecting the privacy of health records as it prevents unauthorized parties from intercepting and reading the information as it travels over the network. While data masking and geographic restrictions are also security measures, they address different aspects of data protection and do not offer comprehensive protection for data in transit like encryption does. Multi-factor authentication is crucial for verifying user identity but does not protect the privacy of data as it is transmitted.

The software described is classified as spyware because it monitors user activities and sends the information to an external source without the user's consent. This type of malware often leads to the symptoms mentioned, such as degraded system performance and unusual network traffic. Antivirus software typically protects against malware in general, which is not as specific as the correct answer. Adware is meant to serve ads to the user instead of monitoring behavior, while a Trojan is a type of malware that is disguised as legitimate software but performs malicious activities and does not specifically refer to the surveillance component that is central to spyware.

This scenario is a classic example of pretexting. Pretexting involves an attacker creating a believable, fabricated scenario (the pretext) to manipulate a victim into providing sensitive information. In this case, the pretext is a security audit by a fake IT department member. Phishing is incorrect as it typically refers to attacks via email. Smishing is incorrect as it involves attacks via SMS text messages. A watering hole attack is incorrect as it involves compromising a website that targets are known to frequent.

The best solution for generating insights into network traffic patterns is NetFlow, because it collects detailed information about the data flows within the network, including source, destination, and volume of data, which is key for detecting irregular large data transfers occurring after standard operational hours. Simple Network Management Protocol (SNMP) traps are typically used for real-time event notification and not for in-depth traffic analysis. A Security Information and Event Management (SIEM) solution centralizes security alerts and logs but does not inherently provide the detailed network flow analysis characteristic of NetFlow. While antivirus software protects against malware, it does not offer network traffic pattern analysis and therefore would not be an effective tool for this particular requirement.

Bollards are designed to stop vehicles from entering restricted or sensitive areas, providing a high level of security against vehicular threats. They are often used at the perimeter of sensitive buildings to prevent potential attacks from vehicles. Fencing can deter or delay intruders but is less effective at stopping vehicles. Access control vestibules are more about managing individual access and less about vehicular threats. Security guards can be effective but may not be able to physically stop a vehicle without additional barriers like bollards.

Maintaining evidence from internal audits serves to verify that audits were conducted properly and to ensure accountability. It also provides a historical record that can be used for future reference or legal purposes. Documentation supports the findings and actions taken and is essential for demonstrating compliance with regulatory standards.

The Diffie-Hellman algorithm is specifically designed for secure key exchange over insecure channels without requiring prior shared secrets. It enables two parties to independently generate a shared secret key, which can then be used for symmetric encryption. Symmetric key distribution assumes that keys are already shared or delivered securely, which doesn't address the need to establish keys without prior arrangement. RSA digital signatures provide authentication and integrity but are not primarily used for key establishment. MD5 is a hashing algorithm used for data integrity verification, not for key exchange or encryption key establishment.

The primary reason for establishing a secure baseline configuration is to ensure that all systems start from a known state of security, with a consistent set of configurations that address security concerns. This makes it easier to manage, automate, and enforce security settings across multiple systems, reducing the likelihood of misconfigurations that could lead to vulnerabilities.