CompTIA Security+ Practice Test (SY0-701)

Isolating industrial control systems on a separate network segment is the best practice to protect them from cyber threats. Network segmentation limits exposure by separating sensitive systems from other networks, reducing the risk of unauthorized access and malware spread. While enforcing strong password policies, installing antivirus software on control devices, and conducting regular security training are beneficial, they do not provide the same level of protection against network-based attacks as network isolation does.

Recording the date, time, and individuals who handle the evidence ensures a documented trail, which is crucial for maintaining the chain of custody. This documentation verifies that the evidence has not been tampered with and is admissible in court. While other actions like using write-blocking devices are important for preserving evidence integrity, they do not directly address the documentation aspect of the chain of custody.

'Patch availability' is the correct consideration because it refers to the ability to obtain and apply vendor-provided patches or updates to fix security vulnerabilities. Ensuring that patches are available and can be applied promptly is essential for maintaining system security and integrity. 'Ease of recovery' pertains to restoring systems after failures, 'Compute capacity' relates to the processing resources of the systems, and 'Resilience' refers to the ability to withstand and recover from adverse conditions. None of these directly address the need to obtain and apply solutions to known vulnerabilities.

Access Control Vestibule is a security measure that separates two spaces allowing for an individual verification process, but it is not based on personal biometric attributes. Fencing is a deterrent and boundary control rather than a personal authentication mechanism. Sensors can detect and alert on various environmental factors but are not used to authenticate individual personal attributes. Biometric systems, such as fingerprint or retina scanners, are designed to authenticate individual personnel by verifying unique personal attributes, making them a key physical security control for highly secure areas.

The correct answer is operational control. Operational controls are security measures implemented and managed by people in their day-to-day work. The act of an administrator regularly reviewing firewall rules and user permissions is a human-centric process focused on maintaining security, which is the definition of an operational control. Technical controls are the technologies themselves, like the firewall or the access control list system. Managerial controls are the high-level policies and procedures, such as a policy that mandates weekly reviews. Physical controls are tangible measures like fences or locks.

Antivirus is a technical control. It is software installed on the computer whose job it is to protect the system against viruses.

Ticket creation serves as the initial step in documenting and tracking reported security incidents or issues within an organization. It ensures that each incident is recorded, assigned a unique identifier, and managed effectively through to resolution. By contrast, risk assessment is a broader process that identifies, evaluates, and prioritizes risks. Configuration management deals with maintaining systems and software in known, good states. IT service management (ITSM) is a general term that encompasses the management of all IT services, with ticket creation being one component of that broader category.

Network segmentation is the most effective choice for enhancing the defense of control systems because it creates boundaries that limit communications with less secure or external networks. This isolation is crucial for environments that manage critical processes, as it not only minimizes the potential attack surface but also contains the spread of any intrusion, thereby safeguarding essential services. While disabling unused services, applying regular updates, and encrypting storage are all important security practices, they do not provide the same level of systemic protection or containment against network-based threats that segmentation offers.

Conducting regular audits of the vendor's practices ensures that they maintain compliance with agreed-upon standards and policies over the duration of the relationship. While vendor-supplied compliance reports are useful, they may not always be as rigorous as independent audits. Service-Level Agreements (SLAs) primarily define service delivery expectations, not security compliance measures. Complete reliance on vendor-supplied security tools does not provide independent verification of security posture and could leave gaps in compliance monitoring.

Chain of custody requires that as potential evidence changes hands each transfer must be documented. Chain of custody should include who has custody and the time frame it was in their custody.

DKIM adds a cryptographic signature to selected headers and the entire message body, which includes any MIME attachments. When the recipient's server retrieves the sender's public key from DNS and verifies the signature, it can confirm that the signed portions of the message-including attachments-have not been altered in transit. DKIM does not encrypt email content, block senders by IP address, or impose domain-wide handling rules for failed checks; those capabilities are provided by TLS, SPF, and DMARC, respectively.

Bollards are a type of physical security control designed to prevent an incident from occurring. In this case, they physically block unauthorized vehicles from ramming the building's entrance, making them a preventive control. Detective controls (e.g., alarms, surveillance), corrective controls (e.g., disaster recovery plans), and compensating controls (e.g., using a different security measure when the primary one fails) serve different purposes.

A centralized governance structure concentrates security-related decisions in a single authority-often executive management or a dedicated security office-ensuring uniform policy enforcement across the enterprise. In contrast, decentralized, federated, or matrix approaches delegate significant authority to separate business units or project teams.

Implementing an air-gapped network means these critical systems are physically disconnected from any other networks and the internet, providing the highest level of isolation. This prevents remote access and network-based attacks. While using VLANs, firewalls, or NAT can enhance security through logical segmentation and filtering, they do not offer the same level of isolation because the systems remain connected to other networks, potentially exposing them to threats.

Operating system-specific security logs are designed to record events that are significant to the security of the operating system. They can provide detailed information about the activities on a server, such at login attempts, access to protected objects, and changes to security policies. These logs are more likely to give an accurate picture of the scope of a suspected breach compared to the other options, which may provide too broad or peripheral view, or lack the level of detail necessary for an analysis of server activities.