CompTIA Security+ Practice Test (SY0-701)

This scenario describes the Mandatory Access Control (MAC) model. In MAC, access permissions are enforced by a central authority based on security labels and classifications. Users cannot alter access controls; they are determined by system policies that match user clearances with resource classifications. Discretionary Access Control (DAC) allows resource owners to set access permissions, Role-Based Access Control (RBAC) assigns permissions based on organizational roles, and Attribute-Based Access Control (ABAC) considers various user and environmental attributes for access decisions.

Software-defined networking (SDN) is the proper choice because it separates the control plane from the data plane, granting centralized management of the network. This central control facilitates fast, programmatically efficient network configuration changes, which traditional models that rely on individual device configurations cannot match. Network function virtualization focuses on optimizing network services themselves rather than providing dynamic traffic management and control, while a content delivery network is a distributed server system designed to serve content to users with high availability and high performance.

A recurring risk assessment is performed at set intervals to continuously evaluate and update the organization's security measures, ensuring ongoing protection against emerging threats.

Concurrent account lockouts following a series of failed login attempts are indicative of a password attack, potentially a password spraying attempt where an attacker uses a common password against many accounts before moving on to try a different password, to avoid account lockout thresholds. Account lockouts are a common indicator of such attacks. The other options are potential indications of malicious activity, but they are not as closely related to the scenario of multiple user accounts being locked out due to failed login attempts.

Enforcing password complexity, which requires a mix of upper-case letters, lower-case letters, numbers, and special characters, is the most effective control against brute-force and dictionary attacks. Simple passwords and password reuse make accounts vulnerable. While periodic password expiration was a common practice, modern standards from NIST advise against it unless there is evidence of compromise, as it often leads to weaker passwords.

The institution is most vulnerable to passive reconnaissance. This is because passive reconnaissance involves collecting information without directly interacting with the target system, often by gathering accessible data such as company records, employee social media profiles, or public documents. This kind of information is exactly what the institution has not been monitoring, which could lead to an attacker collecting data without detection to facilitate social engineering or other types of attacks.

'Blocked content' generally refers to network security tools' actions to block data that violates security policies or that has been deemed malicious. This action can indicate attempts to access or deliver content that is not allowed by organizational or security policies. It's an essential part of maintaining cybersecurity as it helps prevent unauthorized access and distribution of potentially harmful data.

Risk mitigation is the process of using security controls/countermeasures in reducing risk exposure and minimizing the likelihood of an incident.

The attacker is leveraging a SQL injection vulnerability by inserting malicious SQL commands into the login form. This allows unauthorized access to the database and exposure of sensitive user credentials.

Protected health information (PHI) is any individually identifiable health data-such as diagnoses, treatment details, or prescriptions-maintained or transmitted by a covered entity. Under the HIPAA Breach Notification Rule, a breach involving the unsecured PHI of more than 500 residents of a state or jurisdiction requires the covered entity to notify the affected individuals and prominent media outlets within 60 days. Because that 500-person threshold and media-notice requirement apply specifically to PHI, the stolen data was almost certainly PHI, not general PII, payment-card data (PCI), or another category.

An Intrusion Detection System (IDS) passively monitors network or system traffic for malicious actions or policy violations. Its primary role is to detect suspicious behavior and generate alerts so administrators can respond. Because it does not sit inline to block or filter packets, it is classified as a detective-not preventive-control. Encryption protects data confidentiality, firewalls or IPSs block unauthorized traffic, and performance audit tools generate usage statistics rather than identify threats.

A hot site is a fully operational offsite data center equipped with hardware and software, configured to quickly assume operational responsibilities from a primary site in case of a disaster. This is the best option for business continuity as it enables rapid resumption of critical functions. A cold site, while being the least expensive, offers only space and utilities, requiring additional time to become operational. A warm site provides some pre-installed equipment but would still require additional time and effort to be fully operational. Therefore, a hot site offers the highest level of readiness for immediate disaster recovery.

The first and most effective action is to check for and apply security patches released by the hardware vendor. This action directly addresses the specific vulnerability in your supply chain by ensuring that the hardware is updated with the latest protection measures provided by the vendor. While alternatives like switching suppliers, performing an internal risk assessment, or conducting staff training may contribute to an overall improvement in security posture, they do not immediately address the identified vulnerability at hand.

When a company accepts a risk, they decide that the cost of any of the other risk treatments isn’t worth the potential loss if the risk is realized. They just accept the risk and any loss that could come with it.

The organization is intending to set up a key escrow system. A key escrow refers to a secure process where a third party holds a copy of the encryption key, which can be used to access encrypted data if the user's private key is lost or becomes inaccessible. Using a certificate authority explicitly for encryption does not imply that key escrow services are provided; a certificate authority usually authenticates identities and issues digital certificates. Designating a key recovery agent does not necessarily indicate the use of a key escrow system, as this role is meant for retrieving keys from the escrow but is not the service itself. Full-disk encryption is unrelated to key management or recovery, as it pertains to protecting data at rest and does not encompass storing or handling keys.

The guidelines requiring employees to report suspicious behavior represent a directive control. Directive controls are policies, regulations, and guidelines that mandate specific actions or behavior to ensure compliance and enhance the security posture of an organization. The focus on behavior and reporting in this scenario aligns with the intention behind directive controls to guide user actions. The other options, while plausible, do not fulfill the purpose of directing specific actions. Technical controls involve technology and devices, deterrent controls aim to discourage but don't direct specific reporting actions, and physical controls involve tangible measures to secure assets, which do not include guidelines for behavior.

A Virtual Local Area Network (VLAN) provides a logical or virtual way to separate areas of a network. This means devices can physically share the same network infrastructure (e.g. using a common switch) but remain separated from each other on the network.

Onboarding is the process that typically initiates the creation of user accounts and assignment of access rights, as it refers to the steps taken to integrate a new employee into an organization, which includes providing them with the necessary credentials and access to fulfill their roles. Offboarding is the process of removing access rights and accounts when an employee leaves the company, which is the opposite action of onboarding. Maintenance refers to ongoing system upkeep and does not directly relate to the initial account creation. Role changes may involve modification of access rights but are not responsible for the initiation of account creation.

Attackers exploit human psychology rather than technical vulnerabilities. Because any single compromised person can provide an entry point, every employee-regardless of role, privilege, or tenure-must be considered a potential target. Focusing defenses only on executives or privileged administrators leaves other staff vulnerable and still exposes the organization.

A deterrent control is a control that simply deters from taking an action. The control in no way prevents the action from being taken but is only there to persuade not to. The other choices are other types of controls that serve other purposes.