CompTIA Security+ Practice Test (SY0-701)

While process isolation is the fundamental mechanism that prevents VM escape, it is not foolproof, as vulnerabilities in the hypervisor can still be exploited. A comprehensive, defense-in-depth strategy is the most effective approach. This includes keeping both the hypervisor and guest operating systems fully patched, using network segmentation to limit an attacker's reach, and applying the principle of least privilege through strict access controls. HIDS on guest VMs and data encryption are valuable security layers, but they do not directly prevent the hypervisor compromise that enables a VM escape.

Implementing scalability in the infrastructure planning ensures that the system can handle growth in user demand without performance degradation or security compromise. Vertical scaling might offer an immediate increase in resources but often leads to downtime during upgrades and has limitations on how much can be scaled up. On the other hand, selecting a more powerful server might provide temporary relief but doesn't provide a long-term scalable solution. Using a single geographic region for data storage may reduce complexity but doesn't consider the increased load that comes with growth. Horizontal scaling, which involves adding more servers or using cloud resources, offers flexibility, improved fault tolerance, and seamless scalability, making it the most effective option for sustained growth.

The correct answer is credential replay. A credential replay attack occurs when an attacker captures valid credentials (like a username and password) and reuses, or "replays," them to gain unauthorized access to a system. The phishing attack described in the scenario is a common method for obtaining credentials for this purpose. Session hijacking involves stealing an active session token, not static credentials. Cross-site scripting (XSS) is an injection attack that targets other users of a vulnerable website. DNS poisoning is an attack that can redirect users to a malicious site but is not the attack performed with the stolen credentials.

Account lockouts are an effective mitigation strategy against brute force attacks because they prevent unlimited, rapid guessing of passwords by locking the account after a certain number of failed login attempts. This drastically reduces the attacker's ability to systematically try all possible password combinations, thus safeguarding against brute force attacks. While all other options can enhance security, they do not specifically address the prevention of brute force attacks on passwords as directly as account lockouts do. Strong password policies make it more difficult for brute force attacks to succeed but do not stop attempts. Monitoring for unauthorized access can detect an ongoing attack but may not prevent it. Disabling unused accounts helps reduce the attack surface but does not directly prevent a brute force attack on active accounts.

The correct answer is 'Minimization of human error in repetitive tasks,' as automation ensures that repetitive tasks are handled consistently without the same rate of errors that might occur with manual processing, thus saving time and enhancing operational efficiency. While 'Enforcing stronger password policies' and 'Improved user authentication protocols' are positive outcomes, they are not specifically related to the efficiency and timesaving aspect of automation. 'Automated patch management' does streamline updating software but the aspect of reducing human error is more universally applicable to the concept of automation improving efficiency.

Corrective controls are designed to limit the damage and impact after a security incident has already occurred. They are reactive measures that help organizations recover from an incident and minimize the extent of the damage. Examples of corrective controls include backup systems that allow for data restoration and incident response plans that outline the steps to be taken after an incident is detected. While preventive controls aim to stop incidents from occurring in the first place, and detective controls focus on identifying incidents, corrective controls are specifically designed to mitigate the consequences of an incident after it has happened.

A security audit examines logs, configurations, and practices after activities have occurred. Its purpose is to uncover inappropriate actions, policy violations, or anomalies so the organization can investigate and respond. Because it detects events rather than preventing or discouraging them, it falls into the detective control category. Deterrent controls (such as warning signs or visible cameras) strive to discourage wrongdoing, preventive controls block actions outright, and corrective controls minimize damage after an incident.

Under the shared responsibility model for cloud security, the responsibility for the protection of the physical hardware and the foundational network infrastructure, including the data centers, rests with the cloud service provider, regardless of whether the firm uses infrastructure, platform, or software-based service offerings. Users of the service are responsible for securing the data, applications, and access control elements that they configure and manage on top of the provided infrastructure.

A honeypot is a decoy system that mimics a legitimate system to attract and trap potential attackers. It is intentionally made vulnerable to entice malicious actors, allowing cybersecurity professionals to monitor and analyze their behavior, methods, and techniques. This information can then be used to strengthen the security of real systems and develop more effective defenses against future attacks. Honeypots are an essential tool in deception and disruption technology, as they help detect and deflect attacks away from critical systems.

An organization with a neutral risk appetite is one that seeks to maintain a balance between accepting some levels of risk and pursuing new opportunities, without skewing too far towards either risk aversion or risk seeking. Choice A best aligns with this balanced approach, whereas the other options suggest either a greater willingness to take on risk (expansionary) or a more conservative stance (conservative) that minimizes risk exposure.

The primary goal of a tabletop exercise is to verify the effectiveness of an organization's incident response plan through a facilitated discussion on how to address and manage hypothetical security incidents. This non-technical assessment focuses on communication, coordination, and decision-making processes, distinguishing it from other forms of response drills that involve active technical engagement.

A simulation exercise is a hands-on activity designed to test an organization's incident response plan and team. It closely mirrors a real-world scenario to assess how well the team can detect, respond to, and minimize the impact of security threats. The correct answer is to test the effectiveness of the incident response plan and train the team, as this directly addresses the practice's role in both evaluation and training. Other options, like patching vulnerabilities or regulatory compliance, are goals that are not directly addressed through simulation exercises, which are focused on response, not prevention or adhering to laws.

A packet capture involves collecting all the packets that pass through a certain point on a network. It allows security professionals to see the data being transmitted over the network, which can be valuable for analyzing traffic, troubleshooting network problems, or investigating security incidents. Examining packet contents helps to identify malicious activities, policy violations, or unauthorized data exfiltration. It's a detailed form of network monitoring used to closely inspect network traffic.

Concurrent account lockouts following a series of failed login attempts are indicative of a password attack, potentially a password spraying attempt where an attacker uses a common password against many accounts before moving on to try a different password, to avoid account lockout thresholds. Account lockouts are a common indicator of such attacks. The other options are potential indications of malicious activity, but they are not as closely related to the scenario of multiple user accounts being locked out due to failed login attempts.

Automating endpoint isolation removes the manual containment step, allowing the SOC to cut mean time to respond (MTTR) and stop malware from spreading. Although automation platforms can also generate compliance reports or store logs, those capabilities do not directly address the urgency of containing an active threat. Policy creation and user-training compliance remain management functions rather than technical automation tasks.

Utilizing a allowlist input validation approach serves as the most effective mitigation technique against injection attacks because it permits only known safe inputs, based on a predefined set of criteria, to be processed by the application. This control is strict by nature and denies all input that does not strictly conform to the expected and validated format. On the contrary, relying on a blocklist input validation approach or solely relying on cryptographic hashing functions might not fully prevent injection attacks, as blocklists cannot anticipate all possible malicious inputs and hashing functions do not actually validate input but rather ensure data integrity post-submission. While data type enforcement is a good practice, on its own, it may not be sufficient to prevent the diversity of injection attacks.

Containers share the host's operating-system kernel. If an attacker exploits a kernel-level vulnerability or misconfiguration, the code can escape the original container's namespace and interact with the host or other containers. Virtual machines, by contrast, have their own separate kernels, so a compromise stays isolated inside that VM.

Deploying a firewall to block unwanted traffic is preventive because it acts before an attack succeeds. Preventive controls reduce the likelihood of an incident by denying, restricting, or filtering actions up front. Detective controls only discover an event that has already happened, directive controls provide guidance, and compensating controls are alternatives when a primary safeguard is impractical.

Sandboxes are used to execute files or run applications in a controlled environment to observe their behavior without risking the main system or network. If the file is indeed a Trojan, it would exhibit malicious behavior within the isolated environment. Updating antivirus software and reviewing firewall rules may be important steps for general security hygiene but aren't specific enough actions to identify a Trojan. Reinstalling the operating system is not the best initial approach to identifying a suspected Trojan, as it is more of a last-resort action after confirming malicious activity.

Conducting a thorough analysis of the security logs, especially around the time of the breach, will likely reveal the sequence of events that led to the breach, including the initial point of entry and methods used by the attacker. This detailed trail is indispensable for pinpointing the original vulnerability or misconfiguration that the attacker exploited. Simply running a vulnerability scan might identify potential vulnerabilities but would not confirm which were actually exploited. Organizational policy review and user education, while important, are less likely to directly lead to the discovery of the specific exploited vulnerability.