CompTIA Security+ Practice Test (SY0-701)

A tabletop exercise is a discussion-based activity where members of an organization, including IT and management teams, analyze and resolve hypothetical situations. This type of training is valuable as it allows team members to think through the policies, procedures, and roles they would play during a real event without the pressure of an actual emergency. Such exercises are critical for improving an organization's incident response and establishing a culture of security awareness. They differ from simulations, which are hands-on practices that often involve the actual use of technology to respond to a mock incident, and from fire drills, which are physical evacuation practices.

A Master Service Agreement, spelled out, should take precedence as it will outline the overall structure of the agreement between the company and the vendor. This agreement is key as it sets the stage for any additional specific contracts or project-based terms. This document is pivotal in managing the broad terms and conditions that will govern all other projects and their respective contracts. An Acceptable Use Policy is more focused on guiding how company resources are to be used by individuals and does not cover vendor-client contracts. An agreement specifying the Service Level, fully spelled out, defines specific performance and quality metrics for services provided and does not typically establish general relationship terms. A Business Partners Agreement outlines the partnership between two business entities, but it is not as comprehensive in scope for service agreements and operations as a Master Service Agreement.

A Code Signing certificate allows developers to sign software digitally, which verifies the integrity of the software and ensures that it has not been tampered with since being signed. Self-Signed certificates could be used but aren't typically trusted by users' operating systems or browsers by default, thereby potentially raising security warnings. An Email certificate is used for securing email communication and ensuring the authenticity of the sender, not for software integrity. A Root certificate is at the top of a certificate chain and signs other certificates rather than being directly used to sign software.

To address the limitation of a system that only provides notifications when a potential breach occurs, implementing a solution that can take preventative action is necessary. An Intrusion Prevention System is designed to not only detect but to preventively respond to threats by blocking them, therefore enhancing the network's defensive capabilities. The options of bolstering data loss prevention (DLP) strategies, incorporating additional security information and event management (SIEM) features, and enhancing public key infrastructure (PKI) are all valuable in their respective contexts. However, none of these solutions are purposed to block malicious traffic in the way an Intrusion Prevention System would. DLP focuses on preventing data leaks, SIEM centralizes logging and provides threat detection, and PKI deals with encryption and authentication, not inline traffic analysis and intervention.

A honeypot is designed to appear as a vulnerable system to attract attackers. By mimicking services and recording interactions, it allows organizations to study attack methods without compromising actual assets. While an intrusion detection system monitors network traffic for suspicious activity, it does not simulate vulnerable services. A firewall configured with logging controls access but doesn't engage attackers to gather intelligence. A vulnerability scanner identifies weaknesses but doesn't record attacker interactions.

Change Management establishes a formal process that requires proposed modifications to be recorded, risk-assessed, reviewed, and approved before implementation. By following this procedure, the team would have submitted the update for evaluation, obtained authorization, scheduled the work in a maintenance window, and documented the change-steps that collectively reduce the chance of service disruption. Incident Response focuses on reacting after an event, Acceptable Use Policy governs end-user behavior, and Business Continuity Planning addresses maintaining critical functions during major disruptions; none of these directly enforce the gating and documentation of routine configuration changes.

The correct answer is 'Playbooks.' In cybersecurity, a playbook is a detailed, step-by-step guide that outlines the procedures for responding to a specific type of security incident, such as a malware outbreak. This document provides task-level instructions for detection, containment, eradication, and recovery. A 'Change Management Policy' governs how alterations are made to IT systems and is not an incident response guide. An 'Information Security Policy' is a high-level document that sets broad security rules for an organization, lacking the specific procedural detail of a playbook. 'Risk Analysis Documentation' is used to identify and assess potential risks, not to provide instructions for responding to an active incident.

Asymmetric key cryptography, also known as public-key cryptography, is the correct answer because it uses a pair of keys for encryption and decryption-a public key and a private key. Symmetric key cryptography uses a single, shared key for both encryption and decryption. Hashing creates a fixed-size, non-reversible output and is used for integrity, not for encrypting and decrypting data. A block cipher is an algorithm that encrypts data in fixed-size blocks; it describes the method of encryption rather than the key management scheme and is commonly used in symmetric encryption.

Account lockouts are an important indicator because they often appear during password-spray or brute-force attacks. However, they can also be triggered by legitimate users mistyping or caching old credentials on multiple devices. Therefore, analysts should correlate lockout events with additional evidence-such as source IP addresses, Event ID details, or other anomalies-before concluding that malicious activity is occurring. This avoids false positives and unnecessary escalation.

Syslog is a vendor-neutral standard for message logging. It includes a standard format for log messages and a network protocol for sending that data to a central logging server. It is widely used by network devices like routers, switches, and firewalls, and on Unix and Linux operating systems. The other options are incorrect. A Security Information and Event Management (SIEM) system collects and analyzes logs but is not the logging standard itself. Simple Network Management Protocol (SNMP) is a protocol for network management, not a logging standard. 'Event manager' refers to proprietary systems like the Windows Event Viewer, not a vendor-neutral standard.

A packet capture involves collecting all the packets that pass through a certain point on a network. It allows security professionals to see the data being transmitted over the network, which can be valuable for analyzing traffic, troubleshooting network problems, or investigating security incidents. Examining packet contents helps to identify malicious activities, policy violations, or unauthorized data exfiltration. It's a detailed form of network monitoring used to closely inspect network traffic.

The correct answer is 'Brute force attack'. This type of activity suggests an attempt to guess the password by systematically trying numerous possible combinations. A brute force attack often generates many failed login attempts in a short time frame, which would be recorded by an IDS. An IDS is designed to detect this kind of anomalous behavior and raise alerts accordingly. 'Port scanning' involves probing a server for open ports and does not necessarily result in multiple failed login attempts and would not typically generate an IDS alert for this behavior. 'DDoS attack' and 'Phishing attempt' are also incorrect because although they are security threats, they generally do not result in repeated failed logins on a server.

The General Data Protection Regulation (GDPR) is a comprehensive data privacy framework that imposes strict rules on data protection and privacy for individuals within the European Union. As it is one of the strictest privacy and security laws in the world, adopting GDPR-compliant policies will likely ensure compliance with a wide range of international data protection standards. The regulation requires businesses to protect the personal data and privacy of EU citizens. Additionally, because the GDPR has extraterritorial applicability, meaning it applies to organizations outside the EU that process data of EU residents, adhering to its standards can help a multinational corporation align with global data protection regulations. The other options are either national and not globally focused (like the Federal Information Security Management Act), industry-specific (such as acts related to shipping port security), or limited in scope with regards to data protection (for example, the United Nations Convention on Contracts for the International Sale of Goods).

'Blocked content' generally refers to network security tools' actions to block data that violates security policies or that has been deemed malicious. This action can indicate attempts to access or deliver content that is not allowed by organizational or security policies. It's an essential part of maintaining cybersecurity as it helps prevent unauthorized access and distribution of potentially harmful data.

The principle of least privilege is about limiting user permissions to the most restrictive set necessary to perform job duties, thus mitigating the potential risk and impact of a security incident. Granting full rights regardless of role would violate this principle. Time-of-day restrictions are a form of access control but do not inherently limit the scope of access rights to essential tasks. Read-write access to all network devices would provide excessive privileges that are not aligned with the principle.

The correct answer is vishing. Vishing, or voice phishing, is a social engineering attack that occurs over the phone, where attackers impersonate a legitimate entity to deceive victims into providing sensitive information or installing malware. The scenario describes a classic tech support scam executed via a phone call.

• Spear phishing is incorrect because it involves highly targeted attacks sent via email, not phone calls.
• Tailgating is a physical security attack where an unauthorized person follows an authorized individual into a secure area and is not relevant to this scenario.
• A watering hole attack is a strategy where an attacker compromises a website that is frequently visited by a specific group of users, rather than initiating contact via a phone call.

Availability refers to the concept that systems, functions, or data should be accessible when required by the user. High availability systems are designed to be operational and available for use a very high percentage of the time, often through redundant or fault-tolerant components. An 'Air-gapped network' refers to a security measure to physically isolate a computer or network from other networks, including the internet, which doesn't directly pertain to its ability to be available. 'Ease of recovery' is associated with the ability to restore system capabilities or access to data after a disruption, not the continuous availability. 'Real-time processing' refers to the capability of systems to process data as it comes in without delay, which is not exclusively about the system’s ability to be continuously operational and available.

A retinal scan is an example of a 'something you are' factor in multifactor authentication, as it relies on the unique biological traits of an individual's retina. This factor is based on physical characteristics that are inherent to an individual and cannot be transferred or guessed, unlike a digital certificate which is 'something you have' or a password which is 'something you know'.

Conducting a thorough analysis of the security logs, especially around the time of the breach, will likely reveal the sequence of events that led to the breach, including the initial point of entry and methods used by the attacker. This detailed trail is indispensable for pinpointing the original vulnerability or misconfiguration that the attacker exploited. Simply running a vulnerability scan might identify potential vulnerabilities but would not confirm which were actually exploited. Organizational policy review and user education, while important, are less likely to directly lead to the discovery of the specific exploited vulnerability.

Implementing a server cluster with load balancing is the most effective strategy for maintaining operations during hardware failures. Load balancing distributes traffic across multiple servers, so if one server fails, others can handle the load seamlessly, ensuring high availability. Using a single powerful server, even with redundant components, still presents a single point of failure. Regular updates and encryption are important for security and maintenance but do not directly address the need for continuous operation during failures.