CompTIA Security+ Practice Test (SY0-701)

The legal principle known as the 'Right to Be Forgotten' empowers individuals to have their personal data removed from the records of an organization, particularly when it is no longer necessary or pertinent. This principle is an important aspect of privacy law in many jurisdictions and requires organizations to take action upon such requests, subject to certain conditions and exceptions. The term 'Data Retention' refers to the policies that establish how long data should be kept before disposition, which is a separate topic. 'Data Sovereignty' describes the legal implications of data being subject to the laws of the country where it is stored, which does not deal directly with data removal requests by individuals. Lastly, 'Information Custodian' pertains to the roles and responsibilities associated with the protection and care of data, which does not entail an individual's right to request deletion.

Allocating time-restricted access tokens ensures that the auditors have temporary access to the necessary resources, and these tokens automatically expire after the designated period, aligning with the security policy of minimum necessary privileges and immediate expiration post-audit. API keys or permanent account credentials do not offer the same level of temporary access and can potentially remain active beyond the requirement, posing a security risk. Shared credentials are inherently insecure as they do not provide individual accountability and can be easily misused.

Longer passwords are generally more secure because they increase the number of possible combinations, making brute-force attacks more difficult and time-consuming. Although password complexity and lack of password reuse are important, increasing length has the most significant impact on a password's strength.

A checksum is a sequence of numbers generated by a checksum algorithm (such as check digits and parity bits) used to validate the integrity of data by comparing a calculated checksum to a previously calculated checksum value. Matching values indicate that the data has not been changed.

Sanitization is the process of removing sensitive data from a storage device to ensure that the data cannot be reconstructed or retrieved once the device is disposed of or repurposed. This is crucial for maintaining data confidentiality and preventing unauthorized access to sensitive information after the device leaves the organization's control.

A Web Application Firewall (WAF) is designed to protect web applications from application-layer attacks such as SQL injection and cross-site scripting (XSS). It operates at Layer 7 (the Application layer) of the OSI model, where it can inspect the content of HTTP and HTTPS traffic. Traditional network firewalls operate at Layer 3 (Network) and Layer 4 (Transport), filtering traffic based on IP addresses and ports, and cannot inspect the application-specific data needed to stop these attacks. Layer 2 is the Data Link layer, which handles node-to-node data transfer using MAC addresses.

The SPF (Sender Policy Framework) record is used to specify which mail servers are allowed to send emails on behalf of a domain. The correct interpretation of 'v=spf1 -all' is:

• v=spf1 indicates the start of the SPF record.
• -all means that no mail servers are authorized to send emails on behalf of the domain. This configuration tells receiving mail servers to reject all emails claiming to be from this domain because they are not coming from any authorized source.

Therefore, 'v=spf1 -all' suggests that any email claiming to come from this domain should be considered illegitimate because no mail servers are allowed to send emails for the domain.

A well-designed playbook dedicates a Roles and Responsibilities section to map specific duties to job titles or teams. Consulting this section lets responders immediately see who owns each critical task, enabling a faster and more organized reaction to a breach. The other sections focus on step-by-step technical actions (Incident Response Procedures), messaging rules (Communication Plan), or system restoration steps (Recovery Methods), but they do not enumerate who performs the work.

Because the attempts originate from a country where the organization has no presence, the actor is almost certainly operating outside the corporate network. This matches the definition of an external threat actor-someone with no authorized access who must break in from the outside. Insider threats and shadow IT both originate from within the organization, and an unskilled attacker on the internal network would still be an internal actor, even if inexperienced. Therefore, the most likely actor is external.

Placing a load balancer in front of a pool of identical web servers distributes each client request according to algorithms such as round-robin or least-connections. This evens out utilization, prevents any one server from being overwhelmed during traffic spikes, and automatically stops sending traffic to a failed node, eliminating that node as a single point of failure.

Clustering technologies focus on node redundancy and failover; in common active-passive clusters only one node actively serves traffic at a time, so they do not automatically spread day-to-day load. A reverse proxy can perform security, caching, and-depending on the product-may include load-balancing features, but the term alone does not guarantee request distribution. RAID protects disk storage and has no effect on HTTP traffic flow.

Operating system-specific security logs are designed to record events that are significant to the security of the operating system. They can provide detailed information about the activities on a server, such at login attempts, access to protected objects, and changes to security policies. These logs are more likely to give an accurate picture of the scope of a suspected breach compared to the other options, which may provide too broad or peripheral view, or lack the level of detail necessary for an analysis of server activities.

Account lockouts are an effective mitigation strategy against brute force attacks because they prevent unlimited, rapid guessing of passwords by locking the account after a certain number of failed login attempts. This drastically reduces the attacker's ability to systematically try all possible password combinations, thus safeguarding against brute force attacks. While all other options can enhance security, they do not specifically address the prevention of brute force attacks on passwords as directly as account lockouts do. Strong password policies make it more difficult for brute force attacks to succeed but do not stop attempts. Monitoring for unauthorized access can detect an ongoing attack but may not prevent it. Disabling unused accounts helps reduce the attack surface but does not directly prevent a brute force attack on active accounts.

The correct answer is preventive. Encryption is a technical control that functions as a preventive measure. It actively blocks unauthorized access by rendering data unreadable without the proper key, thereby preventing a data breach. Detective controls, such as log monitoring or intrusion detection systems, are used to identify incidents as they happen or after the fact. Corrective controls, like restoring from a backup, are used to limit the impact of an incident after it has occurred. Deterrent controls, such as warning banners, are intended to discourage potential attackers but do not technically block an action.

An agent-based monitoring tool would be appropriate for this task because it can be installed on each endpoint to monitor its health and security status in real-time. These agents regularly communicate with a central management console to report on the status of the endpoint and alert security personnel if an anomaly is detected. Other answers involve manual processes, provide incomplete solutions, or are less efficient for real-time monitoring in a large enterprise environment.

The correct answer is vishing, which is voice-based phishing. Vishing attackers use phone calls to impersonate trusted entities and trick individuals into disclosing sensitive information like passwords or financial details. Phishing typically occurs through emails, smishing uses SMS text messages, and tailgating is a physical security breach where someone follows an authorized person into a restricted area.

The organization is implementing deterrent controls, which are designed to discourage potential attackers by making them aware of the security measures in place. Visible security cameras and warning signs serve as psychological deterrents, reducing the likelihood of an attack. Preventive controls aim to stop incidents from occurring by blocking unauthorized actions, such as through access controls or firewalls. Detective controls identify and alert to incidents after they have occurred, like intrusion detection systems. Corrective controls focus on limiting damage after an incident, such as restoring systems from backups.

An Acceptable Use Policy (AUP) provides a set of rules and guidelines that outline how the organization's assets and network resources should be used. It helps to ensure that employees and other stakeholders are aware of what constitutes appropriate and inappropriate use, thereby protecting the organization from various risks associated with misuse. The other options listed do not directly address the specific need for governing the use of organizational assets and network resources.

The initial focus in the event of a security breach should be to limit the damage and prevent further compromise. This is achieved by containing the threat, thereby stopping the incident from affecting additional resources. While documenting the events and notifying appropriate parties are also important, these actions occur after the immediate threat has been controlled to prevent exacerbation of the situation. Analyzing logs is part of the subsequent investigation and not the immediate concern when a breach is in progress.

The process of hardening a server should begin with updating the server to the latest stable version of the operating system, including all the available security patches. This action addresses known vulnerabilities and reduces the number of potential attack vectors that could be exploited. Configuring a firewall, setting account lockout policies, and conducting a vulnerability scan are important hardening steps, but they come after ensuring that the server is running the most secure operating system version available.

The correct answer is Honeytoken. Honeytokens are decoy data, such as fake files or credentials, used to detect data breaches or unauthorized access. Unlike honeypots, which are decoy systems, or honeynets, which are entire decoy networks, honeytokens are specific pieces of data. An Intrusion Detection System (IDS) is a tool used to monitor a network for malicious activity, and it might be used to monitor a honeytoken, but it is not the decoy itself.