CompTIA Security+ Practice Test (SY0-701)

Vulnerability classification is the process of systematically categorizing security weaknesses based on their nature, such as the type of flaw (e.g., buffer overflow, misconfiguration) or the affected system. This allows an organization to group similar issues, assign them to the correct teams, and develop a prioritized and organized approach to remediation. Vulnerability scoring, like CVSS, assigns a severity score but does not categorize the vulnerability type. Vulnerability enumeration, like CVE, involves identifying and listing individual vulnerabilities.

The primary role of monitoring in relation to indicators within a security infrastructure is to identify unusual patterns or behavior that may signify a security incident. While it might also help in enforcing policy by triggering alerts when anomalies are detected, and can be instrumental in retrospective analysis after an incident, its essential function centers on the prompt detection of potentially malicious activity. Understanding the nuances of monitoring's main role is important in distinguishing it from ancillary benefits such as policy enforcement or post-incident analysis.

Developing a backout plan is indispensable in change management, especially for crucial systems within a financial institution. A backout plan ensures that in the event the upgrade introduces new vulnerabilities or disrupts services, the system can be returned to its pre-upgrade state, thereby maintaining operational capability and security. While engaging stakeholders, implementing version control, and updating documentation are all essential components of change management, none of these steps address the immediate preservation of system operational integrity and security in the case of an unsuccessful upgrade as directly and effectively as a well-structured backout plan does.

The correct option is multifactor authentication (MFA). MFA enhances security by requiring two or more different authentication factors to verify a user's identity. In this scenario, the password is 'something you know', and the hardware token is 'something you have'. Combining these two factors from different categories fulfills the requirement for MFA. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single set of credentials to access multiple applications. Biometric authentication uses unique physical characteristics like fingerprints or facial scans ('something you are'). Authorization is the process of granting or denying access to resources after a user has been successfully authenticated.

Security cameras are a form of deterrent control designed to discourage unauthorized individuals from attempting to access a secure area. Their presence is often enough to dissuade potential attackers as it increases the likelihood of being caught and recorded, which can lead to identification and potential prosecution. In contrast, badge readers and mantraps, while part of physical security measures, are types of preventive controls that actively prevent unauthorized access. Security awareness posters do not directly discourage trespassers from entering secured premises, as they are more focused on educating authorized personnel on maintaining security practices.

This protocol is known for using a trusted third-party ticket-granting service to provide secure access to resources. It mitigates the risk of eavesdropping and replay attacks by avoiding the need to transmit passwords over the network. Instead, a client requests an access ticket from the ticket-granting service, which if granted, allows the client to access the desired service using that ticket. In contrast, Direct Access grants remote access to internal networks over IPv6 transitions, Simple Sign-On represents a one-time authentication process across multiple systems, which is not particularly related to ticket-granting, and Network Access Token is a made-up term not associated with a real-world authentication protocol.

Implementing load balancing is the correct strategy because it distributes traffic across multiple active servers, ensuring that if one server goes down, the application remains available via the other servers. This directly meets the requirement for continuous operation. Taking frequent snapshots is a data recovery and backup strategy, not a high availability solution for preventing downtime. Increasing memory capacity improves performance but does not address a single point of failure. Configuring a failover cluster is a valid high availability strategy, but it typically involves a primary server handling all traffic until it fails, at which point a secondary server takes over. This process can cause a brief service interruption, making load balancing the superior choice for ensuring seamless, continuous operation.

A tap passive device monitors network traffic by copying data from the network without being in the direct flow of traffic. This means it does not impact network performance or flow because it is not inline with the traffic; instead, it passively receives a copy of the data. Inline devices, whether active or passive, are placed directly in the path of network traffic and can introduce latency or points of failure. Active devices can take actions such as blocking or modifying traffic, which could impact performance. Therefore, a tap passive device is the most suitable for monitoring without affecting network performance.

The scenario describes an allow list (application allowlisting). With an allow list, the default action is to deny all code execution except for applications that have been explicitly approved, thereby enforcing a "deny-by-default, allow-by-exception" model. A deny list works in the opposite manner by allowing everything except items specifically blocked. Role-based and discretionary access controls govern user or role permissions, not which binaries may run, so they do not fit the scenario.

A logic bomb is a type of malware that is designed to execute a malicious action when certain conditions are met, such as a specific time or event. The recurring nature of the incident every Friday suggests that it is triggered by a time-based event, characteristic of a logic bomb. Other types of malware like Trojans or worms do not have this behavior tied to a specific condition and typically continue to execute or propagate regardless of specific events or times.

Performing a vulnerability rescan immediately after patch deployment verifies that the patch was installed correctly and that the previously detected vulnerability is no longer present. This validation step helps identify any systems where the patch failed and ensures that no new issues were introduced. The other choices (calculating exposure factor, assigning new CVE identifiers, or documenting an exception) do not test whether the vulnerability has truly been mitigated.

Configuring separate VLANs and matching IP subnets on the existing switch infrastructure isolates traffic at Layers 2-3 using software-defined settings. This is a logical segmentation method because it relies on switch port configuration and IP addressing, not on additional physical hardware or cabling. Installing air-gapped systems, dedicating separate switches/cabling, or running a stand-alone dark-fiber link all require new physical infrastructure and therefore constitute physical segmentation.

Classification is the correct answer because it involves assigning labels to assets to indicate their importance, ownership, and the degree of sensitivity or confidentiality. This step is crucial for determining how the assets should be handled and protected. Ownership refers to who is responsible for the asset and not the process of labeling assets. Monitoring refers to the ongoing process of tracking asset state and is not specifically about labeling assets. Enumeration is the act of creating a detailed list of assets, which is a broader concept than specifically determining their classification.

The Rules of Engagement document is critical in penetration testing as it outlines the scope, methods, timeline, and contact points, and it defines what activities are permitted during the test. This mitigates the risk of unauthorized or unintended actions that could cause harm to the organization or lead to legal complications. While service agreements, memorandums, and work statements have their respective places in the formalization of services, they do not provide the detailed rules and limitations required for a penetration test.

A firewall filters or blocks network traffic according to predefined rules, helping to prevent unauthorized access over the network. It does not transform the actual data on the server. If an attacker bypasses the firewall-through stolen credentials, an insider threat, or physical access-the files remain readable unless they are encrypted. Encrypting the disk, volume, or files converts them into ciphertext that is unintelligible without the decryption key, preserving confidentiality even if the storage media is stolen or the system is compromised. Therefore, encryption-not the firewall-provides protection for data at rest.

A Self Encrypting Drive (SED) is a type of hard drive that automatically encrypted all data saved to the disk. It is a hardware based encryption meaning that a circuit built in the disk drive controller handles the encrypted/decryption itself. All contents of the drive are encrypted including the operating system and any user files or documents.

A large amount of failed login attempts followed by a successful login from the same IP address is a strong indicator of a brute force attack, where an attacker systematically tries different passwords or passphrases with the hope of eventually guessing correctly. The other options, although plausible under different circumstances, do not align as closely with the specific pattern of login attempts described in the question.

Containerization allows developers to create containers, which are standardized units that package up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. Virtual machines, on the other hand, include a full copy of an operating system along with the application, which is not as lightweight or portable as containerization. Function as a Service (FaaS) is a cloud computing service that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. Hardware security modules are physical devices that safeguard and manage digital keys for strong authentication and provide cryptoprocessing; they do not package applications with their dependencies.

The correct answer is a security operations dashboard. These dashboards, typically integrated with a Security Information and Event Management (SIEM) system, are specifically designed to aggregate, correlate, and visualize log data from numerous sources over time. This makes them the ideal tool for historical analysis and identifying trends or patterns indicative of a breach. A real-time network performance monitor focuses on current bandwidth and latency, not historical log correlation. A packet capture utility provides deep, low-level data but is cumbersome for analyzing long-term, aggregated trends across multiple systems. A system vulnerability scanner is used to identify unpatched systems and misconfigurations, not for analyzing event logs to investigate an active or past incident.

A false positive occurs when a security system incorrectly identifies benign activity as a threat. In this scenario, the system erroneously flagged normal network traffic as potentially malicious, which is a classic example of a false positive. It is crucial for security analysts to recognize and address false positives to avoid unnecessary responses to non-threatening activities.