CompTIA Security+ Practice Test (SY0-701)

Although several measures could improve the organization's overall security posture, the activity in the logs indicates a likely brute-force or credential-stuffing attack against user accounts. Establishing appropriate account lockout thresholds restricts the number of consecutive failed authentication attempts, effectively limiting an attacker's ability to guess valid credentials. Routine tasks such as updating firewall firmware and applying operating-system patches improve resilience against known vulnerabilities but do not directly curtail the observed login attempts. Additional user security-awareness training is valuable but likewise does nothing to stop automated, external password-guessing activity. Therefore, configuring and enforcing account lockout thresholds is the most immediate and relevant mitigation.

The correct answer is Hacktivist. Hacktivists are often motivated by philosophical or political beliefs, which lead them to target organizations or governments that they perceive as acting against their values or agendas. The nature of these attacks, including website defacements and public message spreads, are typical of hacktivist groups that aim to broadcast a political message or to create awareness about their cause. The other options listed do not align as closely with the details given.

Isolating the affected system or segment of the network is the best initial containment strategy. It helps to prevent the spread of an attack while allowing the investigation to proceed with minimal interference. Changing access control lists could impact normal operations and may not effectively contain the incident. Rebooting the system could potentially destroy volatile evidence. Applying patches, while important, does not address immediate containment and may alter the state of the system, complicating any ongoing investigation.

A Change Management Procedure is vital for controlling the lifecycle of all changes, enabling beneficial changes to be made with minimal disruption to IT services. It is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. This is opposed to other procedures mentioned which do not deal directly with the process of change.

The correct answer highlights the primary risk of deploying patches without prior evaluation. Untested patches can introduce new bugs, create software or hardware incompatibilities, and cause system instability, which may lead to significant operational disruptions and downtime. While other concerns like bandwidth consumption, patch documentation, and occasional vendor recalls are valid, the direct risk of causing system failures is the most critical reason for testing patches in a non-production environment before a full rollout.

A detailed and current asset inventory is a foundational component of an effective disaster recovery plan. Without it, an organization cannot accurately prioritize which systems to restore first, understand dependencies between assets, or ensure that all necessary components are recovered. This leads to inefficient and delayed recovery efforts, potentially preventing the organization from meeting its Recovery Time Objectives (RTOs). The inventory is essential for knowing what needs to be restored to bring critical business functions back online.

The correct option is multifactor authentication (MFA). MFA enhances security by requiring two or more different authentication factors to verify a user's identity. In this scenario, the password is 'something you know', and the hardware token is 'something you have'. Combining these two factors from different categories fulfills the requirement for MFA. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single set of credentials to access multiple applications. Biometric authentication uses unique physical characteristics like fingerprints or facial scans ('something you are'). Authorization is the process of granting or denying access to resources after a user has been successfully authenticated.

You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.

A hot site is a fully equipped backup facility that is operational and ready to activate immediately after a disaster. It maintains up-to-date copies of data, hardware, and software, allowing an organization to resume normal operations rapidly. Warm sites are partially equipped and require additional time to become fully functional, while cold sites have only the basic infrastructure and need significant time to set up equipment and restore data.

A Remote Access Server (RAS) is specifically designed to handle a significant number of secure, authenticated connections, which typically involve telecommuting scenarios. It provides a centralized solution for remote workers to access the corporate network, offering encryption and authentication to maintain data integrity and confidentiality. Despite being capable of various security functions, an Intrusion Detection and Prevention System (IDPS) primarily focuses on identifying and mitigating potential threats and breaches, rather than facilitating remote access. A Load Balancer excels at distributing networking or application traffic across multiple servers but does not inherently provide connectivity solutions for remote workers. 'Content Filtering Appliance' might seem like a viable option because it implies data protection, but it serves a different role — typically screening incoming web content for malware or policy violations — rather than enabling secure remote access.

The Control Plane component is responsible for making decisions about access to resources based upon security policies in a Zero Trust model. It acts as a gatekeeper, ensuring that only authenticated and authorized entities can access networked resources.

Brand impersonation involves mimicking the official brand to deceive people into providing sensitive information or performing actions that compromise security. In this scenario, the use of the company's logo and formatting in emails from an unfamiliar domain indicates an attempt to pose as the company, which is characteristic of a brand impersonation attack.

The correct answer is Honeytoken. Honeytokens are decoy data, such as fake files or credentials, used to detect data breaches or unauthorized access. Unlike honeypots, which are decoy systems, or honeynets, which are entire decoy networks, honeytokens are specific pieces of data. An Intrusion Detection System (IDS) is a tool used to monitor a network for malicious activity, and it might be used to monitor a honeytoken, but it is not the decoy itself.

The correct answer is that organized crime groups are known for their high level of resources and sophisticated capabilities. These groups are typically well-funded and deploy a range of technical and human resources to carry out complex attacks, often with a primary motivation of financial gain. The other options are incorrect. Acting based on philosophical or political beliefs is characteristic of hacktivists. Focusing on service disruption without financial motives can also be a trait of hacktivists. Low technical capacity and limited financial backing are attributes of an unskilled attacker, not a sophisticated organized crime group.

Digital signatures provide non-repudiation because they use cryptographic techniques to prove the origin and integrity of a message, document, or transaction. Once a digital signature is attached, the signer cannot credibly deny signing the document or message, because the digital signature is unique to both the signer and the document. Audit logs, while useful for tracking activities, do not tie an action irrefutably to an initiator. Time stamps indicate when an action took place but do not necessarily tie that action to an individual. Usernames can be repudiated as they can sometimes be shared or stolen, whereas a digital signature is secured and much harder to forge or repudiate.