CompTIA Security+ Practice Test (SY0-701)

A Web application firewall (WAF) provides specialized protection to web applications by filtering and monitoring HTTP traffic and can specifically target and mitigate threats like SQL injection and cross-site scripting. While network-based, host-based, and cloud-based firewalls can offer protection at different levels, a WAF is specifically designed to secure web applications against these types of web-based threats. A Unified Threat Management (UTM) device provides broad network security solutions but is not specialized in web application security like a WAF is.

Pre-installed software that is not necessary for the user's activities-commonly called bloatware-can pose a security risk if it contains unpatched vulnerabilities. Because this software is often unmanaged, it can increase the device's attack surface. Attackers may exploit flaws in the unused software or its background services even if employees never actively launch the applications. Therefore, the main concern is the presence of potentially vulnerable code, not how frequently employees use the software.

Bollards are short, sturdy posts that are installed in a line to prevent vehicles from entering a restricted area. They are an effective physical security control for protecting against unauthorized vehicle access. Access control vestibules, fencing, and lighting are also important physical security measures but do not specifically address preventing vehicle entry.

The scenario described is a classic password spraying attack. An account lockout policy is a direct countermeasure that is specifically designed to mitigate such attacks. By locking an account after a small number of failed login attempts (e.g., 3-5), it prevents the attacker from trying even a few common passwords against many accounts without triggering lockouts, which would disrupt the attack and alert security personnel. Multi-factor authentication (MFA) is an excellent control that prevents access even with a compromised password, but it does not stop the password guessing attempts themselves. A password complexity policy makes passwords harder to guess but does not stop the spraying action. Geofencing is only effective if the attack originates from an untrusted geographical location and would not stop a domestic or internal attack.

The risk register is not a static list created once and forgotten. It is a living document that should be reviewed at defined intervals (for example, during regular risk reviews, project milestones, or after significant environmental changes) even if no new risks have been detected. Regular updates allow the organization to record changes in likelihood or impact, document mitigation efforts, retire risks that are no longer relevant, and add emerging risks. Updating only when a new risk is discovered-or worse, after a risk materializes-fails to keep decision-makers informed of the current risk landscape.

Classifying data involves assigning a level of sensitivity to data, which helps an organization to determine the appropriate level of security controls and manage risk effectively. This ensures that sensitive information is adequately protected from unauthorized access or leaks. Options such as 'To reduce the amount of data stored' and 'To increase the data's value' are incorrect because classification itself does not specifically aim to reduce storage requirements or directly increase the value of the data. Instead, classification serves to protect data’s integrity, availability, and confidentiality based on its sensitivity level.

The correct answer is 'Minimization of human error in repetitive tasks,' as automation ensures that repetitive tasks are handled consistently without the same rate of errors that might occur with manual processing, thus saving time and enhancing operational efficiency. While 'Enforcing stronger password policies' and 'Improved user authentication protocols' are positive outcomes, they are not specifically related to the efficiency and timesaving aspect of automation. 'Automated patch management' does streamline updating software but the aspect of reducing human error is more universally applicable to the concept of automation improving efficiency.

A firewall establishes a barrier between trusted and untrusted networks. By evaluating packets against configured security rules, it decides whether to allow or block traffic, thereby preventing unauthorized access. Intrusion detection systems only alert, VPNs encrypt traffic but do not enforce rule-based filtering, and SIEMs aggregate logs without directly controlling traffic.

A forward proxy server sits between internal clients and external resources. It makes outbound requests on behalf of the clients, so the destination sees only the proxy's public IP address. This hides the internal system's identity, allows content filtering and caching, and can log or inspect traffic.

• A firewall may also perform NAT, but its primary purpose is to enforce security policy, not to proxy application-layer requests.
• A switch operates at Layer 2/3 inside the LAN and does not normally mask IP addresses from external destinations.
• A router moves packets between networks; unless specifically configured as a NAT device or proxy, it does not conceal the internal host at the application layer.

Software-defined networking (SDN) is the proper choice because it separates the control plane from the data plane, granting centralized management of the network. This central control facilitates fast, programmatically efficient network configuration changes, which traditional models that rely on individual device configurations cannot match. Network function virtualization focuses on optimizing network services themselves rather than providing dynamic traffic management and control, while a content delivery network is a distributed server system designed to serve content to users with high availability and high performance.

Physical access controls are designed to restrict entry to physical areas and protect the resources within those areas. They include measures like locks, security badges, mantraps, and biometric systems. Logical controls, on the other hand, refer to mechanisms enforcing access policies in software, such as permissions, authentication methods, and firewalls. Administrative controls involve policies and procedures that govern how organizational security is managed and may include training and awareness programs. Perimeter controls focus more broadly on protecting the organization's boundaries but are not specific to data center access.

Time-of-day restrictions are a type of access control mechanism that limit user access to systems based on predefined time periods. This is to prevent users from accessing the system during times when they should not, such as non-business hours or during maintenance windows. This is not related to the attributes of the user (attribute-based) or their role within the organization (role-based), and it does not necessarily reflect the least privilege principle on its own. Instead, it specifies when the access is permitted, regardless of other attributes or roles.

Implementing a password history policy that prevents the reuse of a specified number of previous passwords ensures that users do not recycle their passwords when a change is required, which enhances security by reducing the potential effectiveness of previously compromised credentials. Other options such as reusing the same password with incremental changes, emailing passwords, or only changing passwords after a security incident do not meet the robust requirements of a stringent information security policy and do not encourage good password hygiene.

The document commonly known as the Acceptable Use Policy specifies the rules regarding the usage of a company's digital assets and communication networks. It instructs workers on what behaviors are sanctioned and those that are not, as well as detailing what disciplinary measures could be faced for non-adherence. The Business Continuity and Incident Response plans are focused on organizational measures for business stability and reacting to security events, respectively, and do not directly address individual user responsibilities and rules of use for digital assets.

When dealing with international data protection standards, maintaining accurate records of user data activities is a legal requirement. If an organization fails to do so, especially within territories governed by strict data protection laws, it risks facing considerable economic sanctions. In this context, the priority after such an audit finding is to ensure that these records are immediately addressed and brought into compliance with the legislation to avoid any impending penalties. Failure to do so could lead to significant fines. The incorrect options, while potentially beneficial to the organization's overall security posture, do not directly address the urgent compliance issue related to record-keeping and the direct threat of fines.

The correct set of permissions adheres to the principle of least privilege. The accounting department's requirement to 'add and edit files' is best met with the 'Write' permission. The auditing and sales departments' requirement to 'review the contents' is met with the 'Read' permission. Using 'Read & execute' would be excessive for the auditing and sales teams as there is no requirement to run programs from the share. Granting 'Modify' or 'Full control' to the accounting department would also violate least privilege, as these permissions include rights (like deletion or changing permissions) that were not specified in the requirements.

Endpoint logs provide invaluable information regarding the activities occurring on individual systems. In this case, repeated login failures followed by a successful login often indicate a brute force attack, where an attacker has repeatedly attempted to log in using different passwords until the correct one is found. This is a common indication of a compromised account, which is why the answer detailing this pattern is correct. The other answers describe events that may be ordinary and not indicative of a security incident, such as a single successful login, periodic security scanning, or regular system updates.

A possession factor is an authentication method based on something the user physically possesses. A hardware authentication token is a small physical device that can generate a secure login code or house digital certificates and is carried by the user to provide a possession factor for authentication. Eye color is a trait, not something possessed. A password is something the user knows, and a mobile app authorization request, while delivered to a device the user possesses, by itself is not considered a possession factor until accepted and is not inherently a physical item.

Implementing a solution at network egress points is the most effective strategy to mitigate the risk of sensitive data being shared with external parties. Such systems are engineered to scrutinize outgoing information and enforce organizational policies to prevent unauthorized data transfer. By setting up strict rules that analyze the content and context of data being transmitted, the system can detect potential breaches and block the dissemination of sensitive information, especially through emails. While full disk encryption safeguards data at rest, it does not control data being sent out. Access control enhancements may restrict who can access sensitive data but do not necessarily govern the unauthorized transmission of the information. Antivirus applications typically protect against threats like malware and viruses, and may not have the necessary capabilities to prevent data exfiltration.

Only Twofish is a symmetric-key block cipher that uses the same key for encryption and decryption. Diffie-Hellman, RSA, and DSA all rely on public-key (asymmetric) cryptography and therefore do not meet the requirement of being symmetric.