CompTIA Security+ Practice Test (SY0-701)

Implementing geolocation-based access controls allows the company to restrict system access based on the geographic location of the users. By analyzing the source IP addresses and determining their originating countries, the system can permit or deny access accordingly. This method ensures compliance with regional regulations by controlling access based on physical location. Enforcing strong authentication protocols enhances security but does not restrict access by location. Utilizing encryption for all data in transit protects data confidentiality but does not address access control based on geography. Deploying endpoint security software secures individual devices but does not prevent access from unauthorized countries.

Due diligence involves a comprehensive appraisal of a business or person's performance, legal obligations, technical competencies, and financial viability before entering into an agreement. Conducting an in-depth background check, which includes reviewing past performance, financial stability, and reputation in the industry, is the correct course of action to ensure due diligence and care is undertaken. This action helps ascertain XYZ Support Inc.’s ability to deliver on their commitments, and align with ABC Tech Corporation's requirements and standards.

Financial gain is the likely motivation because the attacker can use or sell the stolen credit card information for monetary profit. Espionage involves obtaining confidential information for strategic advantage, typically in a political or corporate context, which is not indicated here. Revenge would suggest the attacker has a personal vendetta against the company, but there is no such indication. Data exfiltration refers to the unauthorized transfer of data, but in this context, it's the means rather than the motivation.

You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.

The correct answer is 'Data in use'. Data in use refers to information that is currently being processed by an application, being in the immediate memory or CPU, and it is not at rest or in the process of being transmitted. 'Data at rest' describes data that is stored on a physical medium and is not actively being accessed or processed. 'Data in transit' refers to data that is moving through the network or telecommunication channels. 'Encrypted data' is a state that can apply to any of the three data states (at rest, in use, or in transit) and merely specifies that the data is encrypted, not that it is being processed by an application.

Implementing load balancing distributes incoming network traffic across multiple servers, effectively managing compute resources to handle fluctuating workloads. This improves both availability and scalability, ensuring the application remains responsive during peak usage times. While data replication to a standby server aids in recovery, it doesn't directly manage compute resources. Scheduling maintenance during off-peak hours minimizes disruption but doesn't address real-time workload management. Deploying redundant power supplies enhances power availability but doesn't handle compute load distribution.

Deterrent controls are designed to discourage potential attackers. Warning signs are a classic example as they inform individuals of the consequences of trespassing, aiming to deter the action. This is not a preventive control, as it does not physically stop an intruder (e.g., a fence or a lock). It is not a corrective control, which is used after an incident to limit damage (e.g., restoring from backups). It is also not a compensating control, which serves as an alternative when a primary control is not feasible.

The Information Security Policies document should guide the decision-making process as it outlines the organization's overarching rules, expectations, and practices related to maintaining information security. It provides a framework for ensuring that changes comply with the standards necessary to protect the company's information assets. The Acceptable Use Policy (AUP) mainly concerns how individuals are permitted to use company resources. The Software Development Lifecycle (SDLC) policy is generally specific to the creation of software rather than change management. Meanwhile, the Business Continuity Plan (BCP) is designed to guide operations post-disruption and is not primarily used for decision-making in change management.

Storing information with a 'Restricted' classification in a secure, access-controlled environment ensures that only authorized personnel with the necessary clearance or permissions have access to that data. Keep in mind the question is regarding physical access to the data. While encryption, logging, and secure disposal are important for the overall security posture, they do not inherently restrict access to the data to the appropriate individuals.

Firewalls that work at the application layer (layer 7) perform deep packet inspection. They can parse application-specific data like HTTP headers, URLs, and message bodies to allow or block traffic. Firewalls limited to the transport layer (layer 4) evaluate only header information such as IP addresses and TCP/UDP ports, while layers 3 and 2 concern routing and data-link functions and do not examine application content. Therefore, layer 7 is the only layer listed that provides content-aware filtering.

Automated monitoring and alerting systems provide real-time detection of security events, which significantly reduce response times to potential incidents. By setting thresholds and parameters for normal network behavior, these systems can promptly identify and report suspicious activities, enabling quicker remediation. While all other options may contribute to effective security practices, automated alerting will most directly address the current delays and inconsistencies in incident detection and reporting, leading to improved security posture.

The correct answer is to disable the employee's user accounts across all systems. This is the most critical first step in the de-provisioning process to immediately revoke access and prevent any potential unauthorized actions by the former employee. While retrieving company assets, archiving data, and notifying the team are all important parts of the offboarding checklist, none are as time-sensitive as cutting off system access to protect company data and resources.

A tap/monitor setup is preferred in scenarios where monitoring is essential, but it is crucial not to introduce latency or a single point of failure within the network traffic flow. An inline device would actively interact with traffic, potentially introducing latency, which is undesirable in strict throughput environments. Active devices are designed to intervene and could affect performance, whereas fail-open implies a state during failure, which is not relevant to the operational performance during normal conditions.

Implementing a version control system allows the organization to track every change made to configuration files, maintain a history of modifications, and revert to any previous version when needed. This meets all the requirements stated. Regular backups (Option B) allow restoration of files but may not provide detailed change tracking or the ability to view the history of changes. Strict access controls (Option C) can prevent unauthorized access but do not track changes made by authorized users. File integrity monitoring (Option D) can detect changes but doesn't provide version history or the ability to revert changes.

Risk avoidance involves not preforming an activity to avoid the associated risk. Not preforming the activity means the risk from that activity is zero. Each other method still leaves some level of risk.

The conductive enclosure is a Faraday cage. By blocking electromagnetic emissions, it prevents sensitive signals from being intercepted (TEMPEST/eavesdropping) and shields the equipment from external electromagnetic interference. This makes it a preventive physical control aimed at protecting the confidentiality and integrity of information-not a mechanism for detecting intrusions, regulating environmental conditions, or physically deterring forced entry.

High availability refers to a system's design that aims to ensure an agreed level of operational performance, typically uptime, for a higher than normal period. This is achieved through redundancy and failover mechanisms that allow a system to remain functional even if some of its components fail. Scalability refers to the ability of a system to handle growth, which is important but doesn't specifically relate to uptime. Redundancy is the duplication of components and is part of achieving high availability, but on its own, it does not describe the entire concept. Power efficiency is related to energy consumption and not directly to maintaining uptime.

The correct answer is a security operations dashboard. These dashboards, typically integrated with a Security Information and Event Management (SIEM) system, are specifically designed to aggregate, correlate, and visualize log data from numerous sources over time. This makes them the ideal tool for historical analysis and identifying trends or patterns indicative of a breach. A real-time network performance monitor focuses on current bandwidth and latency, not historical log correlation. A packet capture utility provides deep, low-level data but is cumbersome for analyzing long-term, aggregated trends across multiple systems. A system vulnerability scanner is used to identify unpatched systems and misconfigurations, not for analyzing event logs to investigate an active or past incident.

The pattern described suggests a reconnaissance action, possibly an attacker performing a directory traversal to uncover hidden files, directories, or exploit potential vulnerabilities. Normal browsing behavior usually involves fewer requests and focuses on typical, user-facing paths. Client-side scripting refers to scripts running in a user's browser, generally not visible on server logs. A misconfigured scheduled task might repeatedly access the same path, not different uncommon ones.

The correct answer is 'Phishing campaigns' because they involve the use of communications, typically emails, that attempt to fraudulently obtain sensitive information by impersonating a trusted organization or individual. 'Spear phishing' is a more targeted version of phishing, and while it is related, the question is asking about the broader term. 'Vishing' refers to voice call scams, and 'Tailgating' is a physical security breach method, which does not fit the context of identifying fraudulent emails.