CompTIA Security+ Practice Test (SY0-701)

The concept of 'Threat Scope Reduction' involves implementing measures to minimize the number of potential threats to an information system. This could mean reducing the attack surface by closing unnecessary ports, limiting the functionality and access rights to only what is strictly needed, and segmenting the network to limit potential lateral movement by an attacker. The idea is to reduce the number of vectors or paths an attacker can exploit, thus minimizing the overall potential for a security breach.

Stateful firewalls maintain a state table for every connection. After the outbound SYN packet is permitted, the firewall records the session and automatically allows packets that match the connection parameters (source IP = server, destination IP = client, source port = 80, destination port = ephemeral). Therefore, no additional inbound rule is needed. Creating separate inbound rules on port 80 or on the client's ephemeral port range is unnecessary, and UDP behavior is irrelevant because HTTP uses TCP.

A security key is a physical device that provides a second factor of authentication for a user accessing a service. As a "something you have" factor, it is a core component of multifactor authentication (MFA), which requires at least two verification factors to enhance account security. While physical tokens can include devices like key fobs or smart cards, modern security keys typically connect via USB, NFC, or Bluetooth and use advanced cryptographic protocols like FIDO2 to resist phishing attacks.

Effective third-party risk management does not end with the onboarding due-diligence review. Organizations should establish continuous monitoring and schedule periodic reassessments so that new threats, regulatory changes, or changes in the vendor's security posture are detected and addressed in a timely manner. Simply relying on the initial review, contractual service-level agreements, or the vendor's own internal audits without independent follow-up can leave significant gaps in risk coverage.

The scenario describes an allow list (application allowlisting). With an allow list, the default action is to deny all code execution except for applications that have been explicitly approved, thereby enforcing a "deny-by-default, allow-by-exception" model. A deny list works in the opposite manner by allowing everything except items specifically blocked. Role-based and discretionary access controls govern user or role permissions, not which binaries may run, so they do not fit the scenario.

This scenario illustrates Shadow IT, which occurs when employees use unauthorized software or services that have not been reviewed for security by the organization. The key issue with Shadow IT is that it can lead to unmonitored and potentially insecure data storage or transfer, and may not adhere to the company's security and compliance standards. The incorrect options do not specifically address using unsanctioned services and focus more on targeted threats or specific unauthorized actions that do not pose the same broad security risks as Shadow IT.

The challenge in this scenario is maintaining the confidentiality of the encrypting key while allowing many users to securely access and use it. Symmetric encryption often struggles with the secure distribution of the key to a large number of users, as everyone must have access to the same key. Asymmetric encryption, on the other hand, relies on public and private keys and does not suit scenarios where one common key is shared for both encrypting and decrypting. A Key Agreement Protocol like Diffie-Hellman solves this problem by allowing two parties to securely create a shared secret key, which can then be used for encryption and decryption by all authorized parties without ever transmitting the key itself.

Because the attempts originate from a country where the organization has no presence, the actor is almost certainly operating outside the corporate network. This matches the definition of an external threat actor-someone with no authorized access who must break in from the outside. Insider threats and shadow IT both originate from within the organization, and an unskilled attacker on the internal network would still be an internal actor, even if inexperienced. Therefore, the most likely actor is external.

Integrity refers to the accuracy and reliability of data. When the IT administrator overwrote the configuration files, it led to incorrect data being presented, thus compromising data integrity. Confidentiality involves protecting information from unauthorized access, which is not the issue here. Availability ensures that systems and data are accessible when needed, but the systems are still operational. Authentication relates to verifying the identity of users or systems, which is not impacted in this scenario.

Implementing geolocation-based access controls allows the company to restrict system access based on the geographic location of the users. By analyzing the source IP addresses and determining their originating countries, the system can permit or deny access accordingly. This method ensures compliance with regional regulations by controlling access based on physical location. Enforcing strong authentication protocols enhances security but does not restrict access by location. Utilizing encryption for all data in transit protects data confidentiality but does not address access control based on geography. Deploying endpoint security software secures individual devices but does not prevent access from unauthorized countries.

Implementing region-specific security policies is crucial because it ensures compliance with the unique local regulations and addresses specific security needs of each region. A uniform approach may fail to meet varied legal requirements, leading to compliance issues.

Containerization enables developers to package applications along with all their dependencies into isolated units called containers. This approach ensures that the application runs consistently regardless of the environment, enhancing portability and security by isolating applications from one another. Virtualization, while also providing isolation, involves creating full virtual machines with their own operating systems, which is more resource-intensive. Microservices refer to an architectural style that structures an application as a collection of loosely coupled services, focusing on design rather than deployment. Serverless computing allows developers to build and run applications without managing the underlying infrastructure but does not involve packaging applications with dependencies for consistency across environments.

Implementing regular and automatic comparisons of the current state of files against a trusted baseline is essential. It ensures any modifications are detected promptly, thereby providing timely alerts about potential unauthorized changes or malicious activity. Allowing manual integrity checks only during scheduled maintenance introduces unnecessary risk as unauthorized changes could remain undetected between maintenance windows. Relying on user reports is inefficient and insecure, as users may not notice subtle changes or may not report them in a timely manner. Setting up alerts for file size changes only does not provide comprehensive monitoring as many types of malicious modifications do not alter file size.

Establishing specific deadlines for the restoration of vital services is the cornerstone of an effective contingency plan, ensuring that the most critical operations are available again to meet business needs and customer expectations. While a meticulous resource inventory is useful for resource management and recovery, and defining storage and retrieval processes preserves data integrity, neither sets the timeline for restoring business services. Regulation adherence is also a consideration in planning but does not determine the urgency with which services must be reactivated.

A hot site is an exact or near-exact replica of the primary site. It contains all necessary hardware, software, and near-real-time copies of data, allowing the organization to fail over and resume operations almost immediately. A warm site has only some infrastructure and typically requires additional configuration and data restoration before it can take over. A cold site provides only basic power and environmental controls with no pre-installed systems, resulting in the longest recovery time. A mobile site is a temporary facility that also requires additional setup before becoming fully operational.

The Owner is responsible for determining the classification of the data they are responsible for and ensuring that it is protected adequately according to the classification. They establish the policies for how the data is to be handled and used. Custodians are tasked with implementing the data protection measures set by the Owner, but they do not determine data classification. Controllers and Processors are roles specific to data privacy and do not directly relate to determining data classification in the context of ownership.

An 'Unknown Environment' refers to a scenario in a penetration testing context where the tester has not been provided with any prior information regarding the target system or network. This approach aims to simulate an attacker who has no insider knowledge and must start discovering vulnerabilities from scratch.

Full disk encryption (FDE) is the correct choice as it provides comprehensive encryption of all data on the storage medium, ensuring that without the appropriate decryption key, no data can be read, regardless of the system state or whether the storage device is transferred to another machine. Encrypting individual files, while useful, does not offer the same level of protection if an attacker gains access to the underlying file system. Encrypting data using a VPN only secures data in transit, not at rest. SSL/TLS also protects data in transit and does not apply to data at rest.

Numerical severity scores provide a useful starting point, but they do not capture organization-specific factors such as asset criticality, exploit likelihood in the given environment, compensating controls, and overall business impact. The CVSS specification recommends that consumers supplement the Base score with Temporal and Environmental metrics and with additional risk data to arrive at a context-aware priority. Therefore, relying on the score alone is insufficient; broader organizational context must be considered when setting remediation priorities.

The SPF (Sender Policy Framework) record is used to specify which mail servers are allowed to send emails on behalf of a domain. The correct interpretation of 'v=spf1 -all' is:

• v=spf1 indicates the start of the SPF record.
• -all means that no mail servers are authorized to send emails on behalf of the domain. This configuration tells receiving mail servers to reject all emails claiming to be from this domain because they are not coming from any authorized source.

Therefore, 'v=spf1 -all' suggests that any email claiming to come from this domain should be considered illegitimate because no mail servers are allowed to send emails for the domain.