CompTIA Security+ Practice Test (SY0-701)

To address the limitation of a system that only provides notifications when a potential breach occurs, implementing a solution that can take preventative action is necessary. An Intrusion Prevention System is designed to not only detect but to preventively respond to threats by blocking them, therefore enhancing the network's defensive capabilities. The options of bolstering data loss prevention (DLP) strategies, incorporating additional security information and event management (SIEM) features, and enhancing public key infrastructure (PKI) are all valuable in their respective contexts. However, none of these solutions are purposed to block malicious traffic in the way an Intrusion Prevention System would. DLP focuses on preventing data leaks, SIEM centralizes logging and provides threat detection, and PKI deals with encryption and authentication, not inline traffic analysis and intervention.

Implementing a password manager application allows users to securely store and manage complex and unique passwords for all their accounts. This encourages the use of strong, unique passwords without the burden of memorization. Enforcing strict password policies may lead to password reuse or users writing down passwords. Single sign-on (SSO) reduces the number of passwords but does not promote unique passwords for each service. Implementing biometric authentication enhances security but doesn't address the management of multiple complex passwords.

A Single point of failure refers to any critical part of a system which, if it fails, would result in the failure of the entire system. The identification and mitigation of such points are crucial in designing secure and highly available systems. Redundancy is often introduced to systems to prevent a single failure from causing a system-wide outage. Documentation is essential for maintaining records; however, it does not directly relate to a component's failure impact on a system. Scalability pertains to the ability of a system to grow and handle increased demand, while limiting factors are components or variables that can restrict system performance but not necessarily lead to a complete system shutdown.

In a Zero Trust model, adaptive identity and policy-driven access control are crucial. Every request is evaluated against dynamic policies that consider the requesting identity, device posture, and other contextual signals. This process enforces least-privilege, need-to-know access and eliminates implicit trust. Standard static firewall rules mainly protect a network perimeter, while device-compliance checks act only as one input to an access decision; annual security-awareness training does not control access at all. Therefore, adaptive identity combined with policy-driven access control is the component that defines and enforces granular resource permissions.

Full disk encryption (FDE) is the correct choice as it provides comprehensive encryption of all data on the storage medium, ensuring that without the appropriate decryption key, no data can be read, regardless of the system state or whether the storage device is transferred to another machine. Encrypting individual files, while useful, does not offer the same level of protection if an attacker gains access to the underlying file system. Encrypting data using a VPN only secures data in transit, not at rest. SSL/TLS also protects data in transit and does not apply to data at rest.

A system that offers real-time analysis and automated response to security alerts from applications and network hardware is crucial for organizations looking to monitor their IT infrastructure effectively and streamline their incident response processes. While antivirus software is essential for scanning and removing known malware, it does not offer the capability of central event log aggregation or incident response. A system for preventing data mishandling focuses on the secure handling and transfer of sensitive information but does not encompass broad monitoring or automated incident response. Although enhanced firewall rules strengthen the network perimeter defense, they do not provide holistic security event management or the capability to automate responses to anomalies detected across the network.

'Blocked content' generally refers to network security tools' actions to block data that violates security policies or that has been deemed malicious. This action can indicate attempts to access or deliver content that is not allowed by organizational or security policies. It's an essential part of maintaining cybersecurity as it helps prevent unauthorized access and distribution of potentially harmful data.

Risk acceptance is the risk management strategy where a risk to an asset is accepted and no action is taken. This usually happens when the cost to mitigate the risk is more than the loss that would occur in the event the risk materializes.

The best immediate action is to isolate the workstation from the network but keep it powered on. Isolating the system prevents the potential malware from spreading to other devices on the network (lateral movement) or communicating with external command-and-control servers. Keeping the system powered on is crucial because shutting it down would erase volatile memory (RAM), which contains valuable forensic evidence like running processes, active network connections, and other in-memory artifacts that are essential for analyzing the attack. Powering off the system immediately would destroy this evidence. Running a scan before isolation could allow the malware to spread further. Re-imaging the system is a remediation step that should only occur after a thorough investigation is complete.

In this scenario the best option for next steps is to organize the vulnerabilities by criticality. Some may be very important and represent significant risk, while others may be false positive or very minor issues. Most scanning solutions will have this information readily available. There is no way to identify false positives without going through each and every one, and halting all code changes would likely cause major disruptions to the business. The logical next step is to begin planning and focus on the worst issues first.

Utilizing search engines to find information on disclosed vulnerabilities pertaining to the organization's network infrastructure directly aligns with the practice of OSINT. It involves using publicly available resources to uncover potential risks that need to be addressed. Social media profiles tend not to reveal technical vulnerabilities of network infrastructure components. Reviewing the organization’s own website source code can be part of a security review, but it does not encompass the collection of OSINT. Attending industry conferences is a good practice for professional development and networking, but it may not specifically yield the actionable vulnerability data that can be found through targeted online searches.

This scenario represents the CSA threat category of shared technology vulnerabilities. Components such as hypervisors, CPU caches, and virtualized hardware are shared among multiple tenants in an IaaS cloud. If a vulnerability or misconfiguration allows a VM escape, an attacker can compromise the hypervisor and affect all other customers hosted on the same infrastructure. Insecure interfaces, data breaches, and account hijacking are important threats but they do not focus on vulnerabilities within the shared virtualization layer itself.

The correct answer is 'Clustered servers with resource balancing' because it allows for the distribution of compute tasks across multiple servers, providing high availability for the various services with differing compute requirements. In the event of a server failure, tasks can be redistributed to other servers in the cluster, minimizing downtime. The incorrect answers are: 'Single powerful server with a hot spare' does not address the diverse compute needs and may lead to underutilization or bottlenecks. 'Multiple air-gapped systems' could provide isolation for security but would not be efficient for resource management across services with different compute needs. 'Decentralized servers without load balancing' would not efficiently distribute compute tasks and could result in suboptimal performance and higher risk of service disruptions.

A Web application firewall (WAF) provides specialized protection to web applications by filtering and monitoring HTTP traffic and can specifically target and mitigate threats like SQL injection and cross-site scripting. While network-based, host-based, and cloud-based firewalls can offer protection at different levels, a WAF is specifically designed to secure web applications against these types of web-based threats. A Unified Threat Management (UTM) device provides broad network security solutions but is not specialized in web application security like a WAF is.

Storing information with a 'Restricted' classification in a secure, access-controlled environment ensures that only authorized personnel with the necessary clearance or permissions have access to that data. Keep in mind the question is regarding physical access to the data. While encryption, logging, and secure disposal are important for the overall security posture, they do not inherently restrict access to the data to the appropriate individuals.