CompTIA Security+ Practice Test (SY0-701)

The incident response team must exist before any incident occurs. Establishing the team, defining its roles, and putting supporting processes and tools in place are all part of the Preparation phase of the incident response lifecycle. Subsequent phases focus on detecting, containing, and recovering from actual incidents.

A Code Signing certificate allows developers to sign software digitally, which verifies the integrity of the software and ensures that it has not been tampered with since being signed. Self-Signed certificates could be used but aren't typically trusted by users' operating systems or browsers by default, thereby potentially raising security warnings. An Email certificate is used for securing email communication and ensuring the authenticity of the sender, not for software integrity. A Root certificate is at the top of a certificate chain and signs other certificates rather than being directly used to sign software.

Compensating controls are security measures that are put in place to mitigate the risk associated with identified vulnerabilities that cannot be immediately resolved. They serve as alternatives to the direct remediation of security weaknesses, often due to technical, business, or financial constraints. Implementing compensating controls allows an organization to continue operations securely by reducing the potential impact of the vulnerability until it can be properly addressed. Encryption is not inherently a compensating control but might be part of one, depending upon the context. Threat intelligence and Penetration testing are methods for identifying vulnerabilities, not compensating for them.

The crossover error rate (CER) is the point at which the false acceptance rate (FAR) and the false rejection rate (FRR) are equal. The lower the CER the more accurate the biometric system is.

A Web application firewall (WAF) provides specialized protection to web applications by filtering and monitoring HTTP traffic and can specifically target and mitigate threats like SQL injection and cross-site scripting. While network-based, host-based, and cloud-based firewalls can offer protection at different levels, a WAF is specifically designed to secure web applications against these types of web-based threats. A Unified Threat Management (UTM) device provides broad network security solutions but is not specialized in web application security like a WAF is.

Protected health information (PHI) is any individually identifiable health data-such as diagnoses, treatment details, or prescriptions-maintained or transmitted by a covered entity. Under the HIPAA Breach Notification Rule, a breach involving the unsecured PHI of more than 500 residents of a state or jurisdiction requires the covered entity to notify the affected individuals and prominent media outlets within 60 days. Because that 500-person threshold and media-notice requirement apply specifically to PHI, the stolen data was almost certainly PHI, not general PII, payment-card data (PCI), or another category.

This statement is incorrect because risk appetite and risk tolerance are closely related concepts. An organization with a high risk appetite is willing to accept more risk in pursuit of higher returns, which correlates with a high risk tolerance. Conversely, a low risk tolerance implies a cautious approach to risk-taking, which would not align with aggressive growth strategies or accepting significant losses. Therefore, an entity with a low risk tolerance would typically also have a low risk appetite, not a high one.

A Hardware Security Module (HSM) is a dedicated hardware device designed to securely generate, store, and manage cryptographic keys and perform cryptographic operations. By offloading these tasks from servers, HSMs improve both security and performance in enterprise environments.

A TPM is a hardware chip embedded on a computer's motherboard, primarily used to store cryptographic keys and ensure platform integrity, but it's not designed to offload cryptographic processing from servers.

A Secure Enclave is a secure area within a processor for executing sensitive code, commonly found in mobile devices; it does not function as a separate hardware device for server cryptographic operations.

A Key Management System typically refers to software solutions for managing cryptographic keys' lifecycle but does not provide hardware-based processing capabilities.

Role-based access control (RBAC) links permissions to roles that correspond to organizational job functions. Administrators add users to the appropriate roles or security groups, which automatically grants the permissions needed for their duties. Permissions therefore are not managed on a per-user basis, simplifying administration and enforcing least privilege.

The correct choice is a Next-Generation Firewall (NGFW). NGFWs are advanced firewalls that operate up to Layer 7 (the application layer) of the OSI model. Unlike traditional firewalls that are limited to inspecting traffic based on ports and IP addresses (Layers 3 and 4), NGFWs can perform deep packet inspection (DPI) to identify the specific applications in use and enforce security policies on them. They also integrate other security features like an intrusion prevention system (IPS) to block application-layer attacks. Stateless and stateful firewalls are older technologies that lack this deep application awareness. A circuit-level gateway operates at the session layer (Layer 5) and does not inspect application content.

The most effective control to protect the confidentiality of data at rest, such as proprietary formulas on a server, is encryption. Even if an attacker or unauthorized user gains access to the file system, the encrypted data will remain unreadable without the proper decryption key. While physical security, access control lists (ACLs), and network segmentation are important layers of defense, they do not protect the data itself if those layers are breached. Encryption directly protects the data from unauthorized disclosure.

Incident response is the correct answer because it is an operational control that focuses on identifying, containing, and recovering from security incidents. Change management is incorrect because it deals with managing changes to systems and applications, not specifically security incidents. Access controls are preventive measures that limit access to resources, but do not directly address incident handling.

This statement is incorrect. The administrative (native) VLAN on a switch should not be left at the default which is usually VLAN 1. It is a security best practice to change the native VLAN to an unused VLAN ID to mitigate VLAN hopping attacks.

The SPF (Sender Policy Framework) record is used to specify which mail servers are allowed to send emails on behalf of a domain. The correct interpretation of 'v=spf1 -all' is:

• v=spf1 indicates the start of the SPF record.
• -all means that no mail servers are authorized to send emails on behalf of the domain. This configuration tells receiving mail servers to reject all emails claiming to be from this domain because they are not coming from any authorized source.

Therefore, 'v=spf1 -all' suggests that any email claiming to come from this domain should be considered illegitimate because no mail servers are allowed to send emails for the domain.

Implementing network segmentation and limiting the legacy system's connectivity to essential services is the correct answer. This approach reduces the risk of attacks from both internal and external threat vectors, as it would prevent the potentially compromised system from affecting unrelated parts of the network. While increasing security monitoring is a useful tactic, it does not directly mitigate the exposure of the legacy system to threats. Conducting regular security audits on the system is a good practice, but it does not provide real-time protection against threats. Encouraging the use of strong passwords is important but does not address the specific risks associated with an unsupported operating system.

Group Policy is used to control the working environment of user and computer accounts. It provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. By using Group Policy, administrators can specify settings for groups of users and computers, ensuring consistency and compliance with security policies. Other options, while related to domain environments, do not accurately describe the primary function of Group Policy.

IEEE 802.1X is a port-based network access-control protocol that works at the data-link layer. A supplicant (client) must authenticate through the switch (authenticator) to a backend RADIUS server before the port transitions from an unauthorized to an authorized state. This prevents unauthorized devices from gaining network access. 802.1X itself does not define encryption, provide VPN tunneling, or perform firewall functions-those are handled by other mechanisms.

Bollards are a type of physical security control designed to prevent an incident from occurring. In this case, they physically block unauthorized vehicles from ramming the building's entrance, making them a preventive control. Detective controls (e.g., alarms, surveillance), corrective controls (e.g., disaster recovery plans), and compensating controls (e.g., using a different security measure when the primary one fails) serve different purposes.

In a watering hole attack the attacker infects a website that is known to be commonly used by an organisation or industry. For example a specific industry news site to attack a business in that industry or the entire industry in general. With the knowledge that users frequent the website the attackers are able to target them with malware and if the attack is successful to install malicious software.

Reputational damage refers to the harm to a company’s prestige or esteem that occurs following a detrimental event, such as a security breach. This can result in lost customers, partners, reduced sales, and difficulty in attracting talent. Understanding this concept is essential because it transcends the immediate financial impact and can have long-term effects on the organization's success. 'Loss of confidence' refers to a more temporary or individualistic perception which might not necessarily translate into widespread damage to the organization's reputation. 'Ethical violation' is a specific behavior of non-compliance but does not directly equate to reputational damage. 'Operational downtime' refers to periods when systems or services are not operational; while it can contribute to reputational damage if it results from a security incident, on its own it does not encapsulate the broader implications of reputational damage.