CompTIA Security+ Practice Test (SY0-701)

A digital signature provides assurance that a file has not been altered since it was signed (integrity) and that it originated from the holder of the private key (authenticity). However, it does not guarantee the code is free from malware. As seen in major supply chain attacks, if an attacker compromises a vendor's internal build process, they can inject malicious code into the software before it is signed. The software, now containing malware, is then legitimately signed by the vendor, making it appear trustworthy. Another primary attack vector is the theft of a vendor's code-signing private key, which allows an attacker to sign their own malicious files. Therefore, relying solely on a digital signature is insufficient.

Guidelines are recommendations and best practices for users to follow. They are not strictly enforced but are designed to provide general advice on how to use IT resources securely. An organization would develop guidelines to offer staff general security advice. Policies, on the other hand, are mandatory rules that must be followed, and standards are specific low-level mandatory controls. Procedures are detailed step-by-step instructions on how to perform specific tasks.

An Intrusion Detection System (IDS) is adept at continuously monitoring network traffic for abnormal behavior and is specifically designed to alert the security team about potential threats without modifying, discarding, or preventing the flow of traffic, which aligns with the requirement in the given scenario. On the other hand, an Intrusion Prevention System (IPS) not only detects but also takes action to prevent the identified threats, which could interfere with data flow. A Jump Server is a hardened and monitored device that acts as a bridging point for administrators to connect to other servers but does not perform real-time threat monitoring. A Unified Threat Management (UTM) device combines several security functions into one, yet its threat detection capabilities are broader and not solely focused on network traffic monitoring.

Domain-based Message Authentication, Reporting and Conformance (DMARC) lets domain owners publish a policy that instructs receiving mail servers how to handle messages that fail SPF and/or DKIM checks-typically to monitor (none), quarantine, or reject them. By aligning the visible From domain with authenticated domains, DMARC significantly reduces successful spoofing attacks, thereby strengthening an organization's email security posture.

The correct answer is a DDoS attack. This type of attack floods the server with an excessive amount of traffic, intending to exceed the server's capacity to handle requests, leading to inaccessibility for legitimate users. The described symptoms—high traffic volume and service-specific disruption without affecting the entire network—are indicative of such an attack. Incorrect answers offer alternatives such as ARP spoofing, which might lead to network connectivity problems, but does not typically cause a massive surge in traffic to one particular service. Likewise, problems with the switching infrastructure or a misconfigured ACL, while they can cause network issues, wouldn't typically result in a sudden increase in traffic and would be more likely to affect multiple services or result in different symptoms.

RSA uses mathematically linked public and private keys to encrypt or sign data, making it an asymmetric algorithm. The other listed algorithms-AES, Blowfish, and RC4-are all symmetric ciphers that rely on the same shared key for both encryption and decryption.

In the correct scenario, two sessions are initiated from geographically distant locations at the exact same time, which is unlikely to occur under normal circumstances and could indicate that the user's credentials have been compromised and used by an unauthorized party. The other options, although they may also raise some concerns, do not present the clear-cut, simultaneous nature of concurrent session usage that strongly suggests an account compromise.

A Non-Disclosure Agreement (NDA) should be signed by the vendor before sharing any sensitive information. The NDA is a legal contract that establishes a confidential relationship between the parties and specifies that the information shared is to be used only for the purposes outlined in the agreement. NDAs are essential for protecting sensitive information from being disclosed to unauthorized parties or used inappropriately.

An 'Ad Hoc' risk assessment is performed as required, without a regular schedule, often in response to significant changes or new threats to an organization's environment. It contrasts with recurring or continuous assessments that happen at regular intervals or constantly, respectively. A 'Qualitative' risk assessment refers to the process that prioritizes risks based on their severity and impact, rather than their frequency or timing.

Even when a patching job reports success, the vulnerability might persist because the patch failed to install on every file, did not reach all affected hosts, or introduced new issues. Running a follow-up vulnerability scan (or targeted rescan of the affected system) provides objective evidence that the vulnerability identifier (e.g., CVE) no longer appears and that no additional findings were introduced, thereby closing the remediation loop.

In a decentralized governance structure, decision-making authority is distributed among various departments or business units, allowing for policies and procedures tailored to their specific needs. This contrasts with a centralized model where decisions are made at the executive level and a single policy is enforced company-wide. While security functions can be outsourced, this is a separate concept from the internal decision-making structure of an organization's governance model.

A credentialed vulnerability scan was done. While the other answers could also be correct (e.g. it could have been an intrusive and credentialed scan) but with the information given in the question you could not know this. When a credentialed scan is used the scanner has valid user credentials while in a non-credentialed attack they do not.

Nation-state actors are typically well-funded and possess advanced capabilities, enabling them to conduct sophisticated attacks that can bypass even the most robust security measures. They often focus on long-term objectives, such as espionage and data exfiltration over extended periods. Insider threats involve individuals within the organization but may not have the resources or need to use advanced techniques for prolonged undetected access. Hacktivists are motivated by political or social causes but generally lack the resources for highly sophisticated attacks. Unskilled attackers, also known as script kiddies, lack the expertise and resources to perform advanced and prolonged infiltration without detection.

Resource provisioning refers to the process of allocating and managing computing resources, like user accounts and permission sets, to users or systems in a way that aligns with organizational security policies. Incorrect answers might seem plausible because they involve similar processes, but they do not accurately describe the act of resource allocation and management as resource provisioning does.

Managerial controls, such as security policies and risk management, provide the framework and guidelines for implementing technical controls. Technical controls, like firewalls and encryption, are the tools used to enforce the policies and procedures established by managerial controls. Managerial controls do not replace the need for technical controls, but rather work in conjunction with them to create a comprehensive security strategy. While managerial controls can help prevent incidents, they are not solely responsible for incident prevention, as that requires a combination of various control types.

Change management is an operational control that provides a structured approach for handling modifications to systems. It ensures that all changes are properly reviewed, tested, and approved before implementation, minimizing the risk of disruptions. Intrusion detection is a technical control that monitors for security breaches, security awareness training is a managerial control focused on educating staff, and encryption protocols are technical controls for data protection. Therefore, change management is the most effective operational control for managing system updates and modifications in day-to-day operations.

The correct answer is 'Clustered servers with resource balancing' because it allows for the distribution of compute tasks across multiple servers, providing high availability for the various services with differing compute requirements. In the event of a server failure, tasks can be redistributed to other servers in the cluster, minimizing downtime. The incorrect answers are: 'Single powerful server with a hot spare' does not address the diverse compute needs and may lead to underutilization or bottlenecks. 'Multiple air-gapped systems' could provide isolation for security but would not be efficient for resource management across services with different compute needs. 'Decentralized servers without load balancing' would not efficiently distribute compute tasks and could result in suboptimal performance and higher risk of service disruptions.

An organization needs to comply with local and regional regulations to ensure that they are not violating any laws that may be specific to the jurisdictions they operate in. Not understanding these local nuances could lead to legal issues, such as fines or sanctions. For example, certain regions may have specific requirements for data protection that differ from national laws, such as stricter privacy regulations that mandate data residency within the region. National and global standards, while essential, may not cover all aspects of the local regulatory environment, and universal standards do not typically exist for cybersecurity, hence the specificity of the correct answer.

The statement is false. The Choose Your Own Device (CYOD) model requires employees to select a device from a curated list of company-approved options. This approach allows the organization to ensure that devices meet its security and compatibility standards, giving IT more control than a Bring Your Own Device (BYOD) model. The scenario described, where any personal device is allowed, is characteristic of a BYOD policy, not CYOD.

The correct answer is 'Create and implement a documented security configuration baseline'. This is because before deploying new servers or any computing resources, it is essential to have a standard, documented configuration that aligns with organizational security policies. This security configuration baseline serves as a reference point to ensure all systems start from a secure state. Using industry best practices as a guide does not guarantee alignment with the specific organization's policies, which is why it is not the best initial step. Scanning the servers with a vulnerability scanner after deployment or conducting a security awareness training for IT staff are important practices, but they come after establishing a baseline for system configuration.