CompTIA Security+ Practice Test (SY0-701)

High availability refers to a system's design that aims to ensure an agreed level of operational performance, typically uptime, for a higher than normal period. This is achieved through redundancy and failover mechanisms that allow a system to remain functional even if some of its components fail. Scalability refers to the ability of a system to handle growth, which is important but doesn't specifically relate to uptime. Redundancy is the duplication of components and is part of achieving high availability, but on its own, it does not describe the entire concept. Power efficiency is related to energy consumption and not directly to maintaining uptime.

Single sign-on (SSO) relies on a centralized identity provider. After the initial logon, the provider issues tokens that all integrated applications accept, so one compromised credential can unlock everything the user can reach. VPNs, network segmentation, and discretionary access control models do not inherently grant blanket access with one password.

Containerization allows developers to create containers, which are standardized units that package up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. Virtual machines, on the other hand, include a full copy of an operating system along with the application, which is not as lightweight or portable as containerization. Function as a Service (FaaS) is a cloud computing service that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. Hardware security modules are physical devices that safeguard and manage digital keys for strong authentication and provide cryptoprocessing; they do not package applications with their dependencies.

End-to-end encryption is necessary for safeguarding data transmitted over an unsecured network. Among the available methods, Internet Protocol Security ensures both the encryption of data and strong key management capabilities through its embedded protocols. Protocols like HTTPS are typically limited to web traffic encryption, rather than a comprehensive solution for all office communications. Methods relying on outdated protocols or suited for specific services fail to meet the security and key management requirements for sensitive data in wide-area corporate environments.

A Single point of failure refers to any critical part of a system which, if it fails, would result in the failure of the entire system. The identification and mitigation of such points are crucial in designing secure and highly available systems. Redundancy is often introduced to systems to prevent a single failure from causing a system-wide outage. Documentation is essential for maintaining records; however, it does not directly relate to a component's failure impact on a system. Scalability pertains to the ability of a system to grow and handle increased demand, while limiting factors are components or variables that can restrict system performance but not necessarily lead to a complete system shutdown.

When a company expands into a new country, it must comply with the local laws and regulations pertaining to security and data protection. Evaluating and understanding the local legal implications is essential to operate within the legal framework of that jurisdiction and to protect the company from legal risks such as fines, sanctions, or reputational damage. The other options, while potentially important, do not directly address the localized legal requirements that are critical when entering a new market.

Static Application Security Testing (SAST) is the correct technique because it analyzes an application's source code or binaries for security vulnerabilities without running the program. This allows developers to find and fix issues like SQL injection and buffer overflows early in the SDLC, which is the core principle of 'shift-left' security. Dynamic Application Security Testing (DAST) analyzes applications in their running state, while fuzzing involves providing invalid or unexpected data to a running application to see if it crashes. A web application firewall (WAF) is a network security control that protects web applications from attacks at the network edge; it does not analyze source code.

Data loss prevention (DLP) software monitors data within the network to ensure that sensitive information isn’t handled in an unauthorized manner.

The correct option is multifactor authentication (MFA). MFA enhances security by requiring two or more different authentication factors to verify a user's identity. In this scenario, the password is 'something you know', and the hardware token is 'something you have'. Combining these two factors from different categories fulfills the requirement for MFA. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single set of credentials to access multiple applications. Biometric authentication uses unique physical characteristics like fingerprints or facial scans ('something you are'). Authorization is the process of granting or denying access to resources after a user has been successfully authenticated.

An Unknown Environment Penetration Test is the best approach in this scenario because it simulates the actions of an actual attacker that has no prior knowledge of the network. This type of test can provide the most realistic assessment of security as it evaluates the organization's defenses from the perspective of an uninformed attacker, which is a common threat. A Known Environment Penetration Test is not the best choice because it assumes prior knowledge of the system's internals which may not be the case for real-world attackers. The Partially Known Environment Penetration Test provides a middle ground between known and unknown and is less realistic than the unknown approach for simulating a full external threat. Reconnaissance is a phase within penetration testing rather than a complete testing approach and does not alone provide a comprehensive assessment of system vulnerabilities.

Encryption using a shared secret key is the most suitable method for encrypting large amounts of data efficiently. This refers to symmetric encryption, where the same key is used for both encryption and decryption processes. Symmetric encryption algorithms are faster and require less computational power than asymmetric encryption, making them ideal for bulk data encryption.

Encryption using public and private keys involves asymmetric encryption, which is slower due to complex mathematical operations and is better suited for securing small amounts of data or exchanging keys securely. Hashing algorithms are used for data integrity verification, not for encrypting data, as they generate a fixed-size hash that cannot be reversed. Quantum encryption is an emerging technology that is not yet practical for standard organizational use and would not be the efficient choice for encrypting large amounts of data in this scenario.

Passwords should be complex to prevent unauthorized access. Complex passwords typically include a mixture of uppercase and lowercase letters, numbers, and special characters. This diversity makes them more difficult to guess or crack using brute force methods.

Digital signatures provide a way to ensure non-repudiation as they are unique to each user and cannot be replicated by others. They use a mathematical scheme for demonstrating the authenticity of a digital message or document. When a document is signed digitally, it is nearly impossible for the signer to deny having signed it. As for the other options: Salting is used in conjunction with hashing to protect passwords, and while a multi-factor authentication enhances the security of a system, it doesn't concern non-repudiation. Hash values, while unique to the content they represent, do not by themselves provide non-repudiation, as they do not bind a document or message to a specific individual's identity.

The term 'Neutral' is used to describe an organization's approach to risk appetite where they are neither aggressive in seeking out risks that may offer substantial rewards nor overly cautious to the point of hindering potential growth. This approach aims for a balance between the two, with decision making that is well-calibrated to engage with risks that offer a reasonable trade-off between potential benefits and potential harm. 'Expansionary' suggests an aggressive stance towards growth and assuming more risk, while 'Conservative' indicates a more cautious approach that avoids risks. 'Risk Mitigation' is a strategy to reduce the impact of risks, but it does not describe an appetite for risk.

Input validation is a crucial first line of defense against many types of attacks, including buffer overflows. By checking that input conforms to expected length, type, and format, it can prevent many overflow attempts. However, it is not a foolproof solution on its own and can be bypassed or implemented improperly. For comprehensive protection, input validation must be part of a defense-in-depth strategy that also includes other secure coding practices (like bounds checking), using memory-safe languages and functions where possible, and enabling runtime protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).