CompTIA Security+ Practice Test (SY0-701)

A Blackmail motivation typically involves the threat of revealing sensitive information unless a demand (often for payment) is met, which aligns with the modus operandi of organized crime groups. Organized crime syndicates are known for seeking financial gain through coercion and intimidation, making them the most likely to engage in blackmail. Nation-state actors, while possessing the capability for such actions, are usually driven by espionage or political objectives. Unskilled attackers often lack the expertise to obtain and leverage sensitive information effectively, and hacktivists are generally motivated by political or social objectives, not financial gain through extortion.

A wildcard certificate allows an organization to secure a domain and all of its subdomains with a single certificate. This is achieved by using an asterisk (*) in the domain name portion of the certificate, representing all possible subdomains. Self-signed certificates are generated by the owner and are not trusted by default by browsers and operating systems. Extended Validation (EV) certificates provide higher levels of trust through a rigorous authentication process but do not inherently support multiple subdomains. Root certificates are used to sign other certificates in a certificate hierarchy but are not used to secure specific domains or subdomains.

Operational controls are focused on the daily operational tasks that maintain security within an organization. They include procedures for incident response, change management, and access controls. These controls ensure that routine activities are carried out securely and effectively. Technical controls involve the use of technology to enforce security, such as firewalls and encryption. Managerial controls are policies and procedures set by management to guide the organization's security strategy. Physical controls are measures put in place to protect physical assets and facilities.

Storing information with a 'Restricted' classification in a secure, access-controlled environment ensures that only authorized personnel with the necessary clearance or permissions have access to that data. Keep in mind the question is regarding physical access to the data. While encryption, logging, and secure disposal are important for the overall security posture, they do not inherently restrict access to the data to the appropriate individuals.

This scenario illustrates Shadow IT, which occurs when employees use unauthorized software or services that have not been reviewed for security by the organization. The key issue with Shadow IT is that it can lead to unmonitored and potentially insecure data storage or transfer, and may not adhere to the company's security and compliance standards. The incorrect options do not specifically address using unsanctioned services and focus more on targeted threats or specific unauthorized actions that do not pose the same broad security risks as Shadow IT.

Phishing simulations are a practical method of testing employees' abilities to recognize and respond to social engineering attacks. This type of simulation provides actionable insights by creating realistic scenarios similar to actual phishing attempts, without the associated risk. This helps measure the effectiveness of the training and identifies areas where additional training may be necessary. Answer options like 'Unannounced network scans' and 'Publishing quarterly newsletters' are less direct and less effective methods of assessing the specific understanding of recognizing social engineering attacks. Although helpful in a broader security context, they do not directly test the application of the training content. 'Including a quiz at the end of the training session' can validate immediate retention but does not measure long-term understanding or practical application in an actual work environment.

Adaptive identity is a control-plane capability that monitors contextual signals-such as user behaviour, device posture, location, and time-and dynamically changes authentication and authorization requirements. By reassessing trust throughout a session, it enforces least privilege and limits an attacker's ability to move laterally.

The Policy Administrator simply establishes or tears down the communication path between the subject and the resource based on decisions from the Policy Engine; it does not perform risk analysis or change permissions on its own. "Implicit trust zones" conflict with the Zero Trust principle of never trust, always verify. "Policy-driven access control" refers broadly to enforcing predefined rules; it may leverage adaptive identity but is not itself the mechanism that performs continuous trust evaluation.

Configuring the security appliance to fail-open ensures that in the event of a malfunction, network traffic continues to flow, maintaining availability for users. While this may temporarily reduce security by allowing potentially malicious traffic, it aligns with the policy priority of uninterrupted service. In contrast, fail-closed or fail-secure modes would block all traffic upon failure, prioritizing security over availability, which does not meet the organization's requirements. Fail-safe can be ambiguous but often implies defaulting to a secure state, similar to fail-closed. Therefore, choosing fail-open addresses the need for continuous availability despite equipment failures.

Pre-installed software that is not necessary for the user's activities-commonly called bloatware-can pose a security risk if it contains unpatched vulnerabilities. Because this software is often unmanaged, it can increase the device's attack surface. Attackers may exploit flaws in the unused software or its background services even if employees never actively launch the applications. Therefore, the main concern is the presence of potentially vulnerable code, not how frequently employees use the software.

The correct answer is that the data remains on the drive and can be recovered. A quick format only removes the pointers to the files in the file system's index (like a table of contents), but it does not erase the actual data stored on the disk. Specialized data recovery tools can easily scan the drive and reconstruct the files, creating a significant data breach risk. Proper sanitization methods, such as those outlined in NIST 800-88 (e.g., overwriting, degaussing, or physical destruction), are required to ensure data is truly unrecoverable.

Personal grievances that manifest as revenge are a leading driver of malicious insider activity. CERT's analysis attributes more than 70 % of IT-sabotage cases-and roughly one-quarter of all malicious insider incidents-to revenge, whereas ideological or political beliefs appear in well under 15 % of cases. The other listed motivations (ethical whistleblowing, political beliefs, or seeking publicity) do occur but are documented far less frequently than revenge-based actions. Therefore, revenge or personal grievance is the best answer.

A content filter is a security control used to block or restrict access to certain websites and/or emails based on their content. This is frequently used by companies to protect the network from malicious sites, prevent phishing attempts, and enforce acceptable use policies by blocking access to unauthorized content. While a DLP system also inspects content, its primary focus is preventing data exfiltration, not blocking inbound access. IDS is a detection-only control, and while an IPS can block traffic, it is primarily focused on blocking malicious activity and exploits, whereas a content filter is policy-based for blocking specific categories of content.

When entering new international markets, a firm must prioritize understanding and adhering to the data protection laws specific to those regions. The GDPR in the European Union has stringent requirements for personal data handling, and a similar emphasis on data privacy exists in many Asian jurisdictions. Ensuring compliance with these laws is foundational because non-compliance can lead to severe penalties. While all other options provided are valid considerations for a security program, they do not directly address the legal and regulatory differences introduced by international expansion.

Role-Based Access Control (RBAC) is an authorization model that grants or denies access to resources based on predefined roles assigned to users. In RBAC, permissions are associated with roles, and users are assigned to these roles based on their responsibilities and job functions. This simplifies access management and reduces the risk of unauthorized access. Other authorization models include:

• Discretionary Access Control (DAC): Access is determined by the owner of the resource.
• Mandatory Access Control (MAC): Access is controlled by the system based on security labels.
• Attribute-Based Access Control (ABAC): Access is granted or denied based on attributes associated with users, resources, and environmental conditions.

The best immediate action is to isolate the workstation from the network but keep it powered on. Isolating the system prevents the potential malware from spreading to other devices on the network (lateral movement) or communicating with external command-and-control servers. Keeping the system powered on is crucial because shutting it down would erase volatile memory (RAM), which contains valuable forensic evidence like running processes, active network connections, and other in-memory artifacts that are essential for analyzing the attack. Powering off the system immediately would destroy this evidence. Running a scan before isolation could allow the malware to spread further. Re-imaging the system is a remediation step that should only occur after a thorough investigation is complete.

Just-in-time permissions restrict the timeframe during which administrative or elevated rights are granted to users, minimizing the potential for misuse of those privileges. By limiting access to only when it is required for a specific task and automatically revocating those permissions after a set time, the attack window is reduced. This prevents risks associated with standing privileged accounts, which could be exploited if compromised.

The correct answer is 'Playbooks.' In cybersecurity, a playbook is a detailed, step-by-step guide that outlines the procedures for responding to a specific type of security incident, such as a malware outbreak. This document provides task-level instructions for detection, containment, eradication, and recovery. A 'Change Management Policy' governs how alterations are made to IT systems and is not an incident response guide. An 'Information Security Policy' is a high-level document that sets broad security rules for an organization, lacking the specific procedural detail of a playbook. 'Risk Analysis Documentation' is used to identify and assess potential risks, not to provide instructions for responding to an active incident.

When preparing a report that will be submitted to both internal stakeholders and an independent regulatory body, it is crucial to include evidence of alignment with regulatory compliance standards, as well as internal policies and procedures. This ensures that the report demonstrates adherence to external legal and compliance mandates, while also confirming that internal governance is in line with organizational objectives and practices. Incorrect answers may be plausible, but they do not fully satisfy the dual requirement of adherence to internal policies and external regulations.

Disabling unused ports is a primary method for enhancing the security of a network switch. It mitigates the risk of unauthorized access or network taps by reducing the number of active points where a malicious actor can connect to the network. VLAN configuration is crucial for segmenting network traffic and implementing access controls, but it is a practice for organizing and controlling network traffic rather than securing the switch itself. Changing the management VLAN to a non-default value helps minimize risk but is an added measure rather than a primary method. Enabling DHCP on the switch is generally not a security measure; in fact, it could introduce risks if not properly managed.

An inline security device is placed directly in the path of the network traffic. It has the ability to actively block, permit, or modify the traffic passing through it based on the security policies in place, similar to how a checkpoint can stop or allow traffic in a roadway. In contrast, a tap (test access point) or monitoring device connects to a network segment but does not directly interact with the traffic flow; it merely duplicates the data for analysis, thus incapable of affecting the original traffic.