CompTIA Security+ Practice Test (SY0-701)

Whaling is a type of phishing attack that targets high-level executives with the purpose of stealing sensitive information from a company. The term 'whaling' is used because it refers to going after the 'big fish' or high-value targets within an organization. Unlike typical phishing attacks, whaling emails are highly customized and often include specific details relevant to the target to make them appear more legitimate.

Compliance to regulatory requirements is the correct answer because it refers to the organization’s duty to follow laws and regulations relevant to its business processes and data handling practices. Failure to comply can result in legal penalties, fines, and reputational damage. 'Access control standards' are part of internal security measures and not external regulations. 'Change management procedures' are related to internal operations to ensure smooth transitions in IT systems and are not directly connected to legal requirements. 'Disaster recovery policies' are internally developed to prepare for and respond to catastrophic events and do not define an organization's requirement to adhere to external legal standards. 'Password guidelines' are internal controls designed to enhance security but do not represent the adherence to external laws.

The SPF (Sender Policy Framework) record is used to specify which mail servers are allowed to send emails on behalf of a domain. The correct interpretation of 'v=spf1 -all' is:

• v=spf1 indicates the start of the SPF record.
• -all means that no mail servers are authorized to send emails on behalf of the domain. This configuration tells receiving mail servers to reject all emails claiming to be from this domain because they are not coming from any authorized source.

Therefore, 'v=spf1 -all' suggests that any email claiming to come from this domain should be considered illegitimate because no mail servers are allowed to send emails for the domain.

The correct answer is that an unnecessary open port increases the system's attack surface. Even if no legitimate service is running on the port, it can be probed by attackers using techniques like port scanning. This can reveal information about the operating system and attract further attacks, such as brute-force attempts or the exploitation of a vulnerability if a service is ever misconfigured or a malicious one is installed on that port. Unused ports do not inherently consume significant resources, cause data exfiltration, or block legitimate traffic to other services. Best practice is to close all unused ports to minimize the attack surface.

Jailbreaking or rooting bypasses the manufacturer's code-signing and sandbox controls, granting the user and any installed application root-level privileges. Without these protections, unvetted software can run unrestricted, dramatically enlarging the attack surface and making malware infection, data theft, and further privilege escalation far more likely. By contrast, the other statements are incorrect: jailbreaking removes app-store restrictions instead of enforcing them, does not automatically enable encryption, and typically prevents or delays future security updates from the vendor.

Legacy hardware frequently runs unsupported operating systems or firmware that no longer receive security patches. Because known vulnerabilities remain uncorrected and modern security controls (such as endpoint detection, strong authentication, or encryption) are often absent, attackers can exploit these weaknesses with minimal effort. In many organizations these older systems still process critical data, so a successful compromise can yield high value to the attacker. Therefore, the lure for cybercriminals is the combination of easier exploitation and potentially lucrative data or disruption.

Risk transfer is characterized by shifting the financial burden of a risk to another entity. Obtaining a cybersecurity insurance policy effectively transfers the financial risk of a cyber attack to the insurance company. Adjusting security controls to enhance detection would be an example of mitigation, which aims at reducing the risk's probability or impact. Developing a response strategy falls under preparedness and mitigation, as it prepares the organization to handle the impact, but does not transfer the risk. Lastly, training employees is a preventive measure and also falls into risk mitigation; it does not transfer the risk.

'Escalation' is the correct term for the process in which the urgency and importance of an incident are increased, often involving a higher level of management or additional resources. This ensures that the situation is handled appropriately as it unfolds. 'Elevation' commonly refers to raising user privileges, which is not directly related to the organization-wide approach to managing an incident. 'Intensification' can be misleading, but it's not commonly used in the nomenclature for incident management. 'Amplification' is a term that could indicate an increase in intensity or scope but isn't typically used in the context of incident response procedures.

Nation-state actors are the most likely perpetrators of attacks on critical national infrastructure, such as a power grid, where the primary motive is disruption rather than direct financial gain. Their goals are often political, military, or strategic. Organized crime is primarily motivated by financial profit and is less likely to conduct an attack without a clear monetization strategy. While a hacktivist might also have political motivations to disrupt services, they typically lack the high level of resources and sophistication required to successfully attack national critical infrastructure. An insider threat could potentially cause significant disruption, but an attack on a national scale is more characteristic of a well-funded, external actor like a nation-state.

A honeypot is a system specifically set up to attract and trap potential attackers. It mimics a real system with vulnerabilities, enticing attackers to interact with it. By monitoring the honeypot, security professionals can gather valuable information about the attackers' methods and intentions without exposing the actual production systems to risk. Honeynets and honeyfiles serve similar purposes but on a larger scale or with specific file types, respectively, while honeytokens are used to track and detect unauthorized access to data.

A honeypot is designed to appear as a vulnerable system to attract attackers. By mimicking services and recording interactions, it allows organizations to study attack methods without compromising actual assets. While an intrusion detection system monitors network traffic for suspicious activity, it does not simulate vulnerable services. A firewall configured with logging controls access but doesn't engage attackers to gather intelligence. A vulnerability scanner identifies weaknesses but doesn't record attacker interactions.

Organized crime groups often engage in the theft of data for the purpose of selling it on the black market, as it can be extremely profitable. Nation-state actors are typically more interested in espionage or sabotage; hacktivists are motivated by political or societal goals, and insiders might seek revenge or intellectual challenge, but are less likely to sell data on a scale consistent with organized crime.

Revenge is a common motivation for attacks carried out by former employees seeking to harm their previous employer for perceived wrongs.

A 'something you know' factor is an authentication method based on information that is memorized and provided by the user. A passphrase is a multi-word form of a password and falls under this category. In contrast, a biometric pattern, such as a retina scan, is 'something you are,' and a USB security key is 'something you have.' GPS location data would be categorized under 'somewhere you are,' as it provides information on the user's geographical location.

A hot site is a fully equipped backup facility that is operational and ready to activate immediately after a disaster. It maintains up-to-date copies of data, hardware, and software, allowing an organization to resume normal operations rapidly. Warm sites are partially equipped and require additional time to become fully functional, while cold sites have only the basic infrastructure and need significant time to set up equipment and restore data.

Directive controls are the correct answer because they are intended to direct the actions of individuals or systems. Examples of directive controls include security policies and guidelines that provide instructions on how to maintain security. Preventive controls, such as firewalls and access controls, are designed to stop incidents from occurring. Detective controls, like intrusion detection systems, identify and respond to incidents. Corrective controls, such as backup systems, limit damage after an incident occurs.

A multinational enterprise must comply with the data-protection and information-security laws of every jurisdiction in which it operates or whose residents' data it processes. Regulations such as the EU GDPR expressly apply to organizations outside the EU if they offer goods or services to, or monitor the behavior of, people in the EU; similar extraterritorial or local rules exist in many other regions. Limiting compliance to the headquarters country, data-center location, or voluntary standards would leave the organization exposed to fines, legal action, and reputational damage.

Enforcing password complexity, which requires a mix of upper-case letters, lower-case letters, numbers, and special characters, is the most effective control against brute-force and dictionary attacks. Simple passwords and password reuse make accounts vulnerable. While periodic password expiration was a common practice, modern standards from NIST advise against it unless there is evidence of compromise, as it often leads to weaker passwords.

The correct answer is 'Incremental backups every 2 hours with daily full backups'. This approach efficiently balances the need to maintain recent data save points to minimize loss in the event of a system failure while utilizing resources effectively. Incremental backups save changes since the last full or incremental backup, reducing the volume of data that needs to be copied and the time required for each subsequent backup. Daily full backups ensure that there is always a recent complete copy of data to restore from, while the frequent incremental backups capture the ongoing changes.

This scenario describes a phishing attack, which is a form of social engineering where attackers masquerade as a trustworthy entity in an email to distribute malicious links or gather sensitive information like login credentials. The described situation fits the classic pattern of a phishing attempt through email, exploiting the credibility of 'system maintenance' to deceive employees into providing their information. It is not a vishing attack because that involves using phone calls to obtain confidential information. Smishing attacks involve the use of SMS texts, not emails. While typosquatting could be used in conjunction with phishing, it specifically involves registering domains that are slight misspellings of legitimate company domains and there is no mention of this detail in the scenario.