CompTIA Security+ Practice Test (SY0-701)

Updating the Acceptable Use Policy (AUP) is the appropriate action because the AUP specifically outlines the permissible and prohibited activities regarding the use of company resources, including internet access. Policies like Information Security Policies or Access Control Standards do not directly address acceptable usage behaviors.

Utilizing search engines to find information on disclosed vulnerabilities pertaining to the organization's network infrastructure directly aligns with the practice of OSINT. It involves using publicly available resources to uncover potential risks that need to be addressed. Social media profiles tend not to reveal technical vulnerabilities of network infrastructure components. Reviewing the organization’s own website source code can be part of a security review, but it does not encompass the collection of OSINT. Attending industry conferences is a good practice for professional development and networking, but it may not specifically yield the actionable vulnerability data that can be found through targeted online searches.

Ease of recovery is the measure of how quickly and easily a system can be restored to full operation after a failure. The company's goal of a 15-minute restoration time directly relates to this principle. Resilience is the broader capacity of a system to withstand failures, while scalability is the ability to handle increased load. Cost is a financial constraint and a valid consideration, but it does not technically describe the speed of restoration.

Sanitizing resources when deallocating virtual machines addresses resource reuse vulnerabilities. This process ensures that any residual data in memory and storage is securely erased before resources are reassigned to other virtual machines, preventing unauthorized access to sensitive information.

Disabling hyper-threading on physical CPUs can help mitigate certain side-channel attacks but does not address data leakage due to resource reuse.

Isolating virtual machines in separate VLANs protects against network-based threats like sniffing but does not prevent data exposure through shared physical resources.

Installing antivirus software on the host enhances malware detection but does not prevent data leakage caused by improper resource sanitization in virtualization.

Automating vulnerability management replaces ad hoc, manual scanning and patching with repeatable workflows that run on a set schedule or in near real time. Software performs the high-volume discovery, prioritization, and remediation steps uniformly, so coverage is consistent and the mean time to detect and fix flaws drops dramatically. Although automation also helps enforce baselines and reduce user mistakes, its chief value is the efficiency and uniformity it brings to identifying and closing vulnerabilities.

Effective third-party risk management does not end with the onboarding due-diligence review. Organizations should establish continuous monitoring and schedule periodic reassessments so that new threats, regulatory changes, or changes in the vendor's security posture are detected and addressed in a timely manner. Simply relying on the initial review, contractual service-level agreements, or the vendor's own internal audits without independent follow-up can leave significant gaps in risk coverage.

The most effective control to protect the confidentiality of data at rest, such as proprietary formulas on a server, is encryption. Even if an attacker or unauthorized user gains access to the file system, the encrypted data will remain unreadable without the proper decryption key. While physical security, access control lists (ACLs), and network segmentation are important layers of defense, they do not protect the data itself if those layers are breached. Encryption directly protects the data from unauthorized disclosure.

The correct answer is 'Vishing'. Vishing, or voice phishing, involves an attacker using the telephone system in an attempt to scam the user into disclosing private information by pretending to be a legitimate entity, in this case, the company's IT department. Email phishing is incorrect as it specifically refers to the use of emails for scamming users. Smishing involves sending text messages, which is not the case here. Pretexting is the creation of a fabricated scenario to steal information, which is a component of this attack; however, vishing is the more specific and accurate term because the attack is delivered via a phone call.

Reviewing third-party audit reports of the vendors provides an in-depth analysis of their security controls and compliance with industry standards. It is a crucial aspect of due diligence that helps in understanding the vendor's capabilities and in making an informed decision. The incorrect options, while possibly part of other processes, do not directly relate to the assessment of the risk and controls of the vendor as part of due diligence. For example, agreeing on the prices does not assess risk or security capabilities, and reviewing the company's own internal policies will not provide information on the vendor's practices.

Network segmentation divides the network into smaller, isolated zones with specific access controls. By restricting traffic between segments, it limits attackers' ability to move laterally, significantly reducing the attack surface and containing potential breaches. Other options describe benefits that segmentation does not inherently provide, such as power redundancy, eliminating firewalls, or enabling unrestricted communication.

True. Laws and regulations such as HIPAA or the FTC Safeguards Rule create mandatory security objectives (for example, requiring appropriate safeguards or certain baseline controls), yet they allow-or require-each private organization to craft its own written security program, policies, and implementation details appropriate to its size, risk, and technology environment. Thus, while compliance is compulsory, the organization-not the government-writes the internal policy language and chooses the exact mechanisms to satisfy the law. "False" is incorrect because it implies that government agencies directly write and impose every internal policy and control, which they do not.

Load balancing distributes workload across multiple servers or resources, often to improve responsiveness and availability of applications or websites. This solution is appropriate when there is a need to manage dynamic, uneven loads, and provide redundancy in case one of the servers fails. Clustering, on the other hand, is often used for increasing the availability of services by linking multiple servers so that they behave like a single entity, but it's not primarily responsible for distributing workloads to manage variable traffic levels. Serverless computing abstracts the server layer completely and automatically scales to handle load, but for a web hosting company looking for balanced distribution across their own servers, load balancing is more appropriate. Containerization enables applications to run in isolated user spaces called containers, but it does not directly relate to distributing a workload.

The goal is to meet or exceed every region's regulatory requirements with one consistent control set. Adopting the strictest applicable encryption standard ensures global compliance and establishes the highest security baseline enterprise-wide. Creating an entirely new internal standard that only meets minimum requirements, following headquarters-only rules, or choosing the least-restrictive regional standard would leave some locations out of compliance and increase legal and operational risk.

Establishing a geographically separated hot site allows the institution to quickly switch operations to an alternative location if the main site is compromised due to a cyberattack. This strategy ensures continuous service availability by replicating critical systems and data in a separate location. Weekly backups secure data but do not prevent downtime during a site outage. Deploying an IDS (Intrusion Detection System) helps detect malicious activity but does not provide redundancy for service availability. Enforcing strict firewall policies enhances security measures but does not guarantee availability if the main site is disrupted.

Information security policies should undergo a recurring review-commonly at least once per year-and be updated whenever significant changes in technology, regulations, threats, or business processes occur. This continuous monitoring and revision ensure the policies remain aligned with the evolving risk landscape. Relying on a single, one-time review or waiting only for major events leaves the organization exposed to new or emerging threats.

Bug bounty programs invite external security researchers to test systems for rewards. This crowdsourced approach greatly expands the range of skills, tools, and perspectives applied to security testing, which helps uncover vulnerabilities that may slip past automated scanners, internal assessments, and periodic penetration tests. Increased transparency or compliance benefits can flow from a program, and zero-day exploits might be caught as a result, but those are secondary effects-not the fundamental purpose of adding the program to vulnerability identification.

Log aggregation is the correct answer because it involves gathering log data from multiple sources, such as servers, applications, and network devices, to centralize the analysis. This makes it easier to spot trends, identify potential security incidents, and ensure that important events are not overlooked amid the noise of isolated logs. Alerting, on the other hand, refers to the system's response to identified incidents, typically by notifying administrators. Scanning usually relates to the process of checking systems for vulnerabilities, and reporting is about presenting the findings of analyses in an informative manner, not the collection process itself.

The correct answer is 'Microservices' because this pattern organizes an application as a suite of small, independently deployable services that communicate through lightweight mechanisms and are each built around a distinct business capability. Monolithic architecture combines all components into one tightly coupled application, Function as a Service focuses on single event-driven functions within a serverless platform, and Service-Oriented Architecture refers to a broader, service-based integration approach that does not necessarily require fine-grained, independently deployable services.

Infrared is the only option that uses light as a communication medium. 802.11 (the standard for WLAN), Near Field Communication (NFC), and Bluetooth all use radio frequencies. Infrared is best for the type of device in the question as it requires line of sight to operate. When the line of sight is broken, the device will register a person in the entrance.

To 'Avoid' a risk means to eliminate the possibility of the risk occurring or to remove the organization's exposure to that risk entirely. This can be achieved by not engaging in activities that lead to the risk or by changing business processes to bypass the risk. It is essential to distinguish this proactive strategy from other strategies like 'Transfer', which entails shifting the risk to another party, or 'Mitigate', which involves reducing the potential impact or likelihood of the risk.