CompTIA Security+ Practice Test (SY0-701)

Updating systems regularly is a hardening technique that involves applying patches to operating systems and applications to protect against known vulnerabilities. Disabling firewalls or allowing root access would decrease system security, while using default passwords is against security best practices as they are often easily guessable.

Containment techniques are options for limiting the spread of malware after it has been discovered on a network. The best response is to isolate any systems that are infected or believed to be infected so they cannot propagate the malware to other systems. From the security and IT teams can begin determining the impact and remediation options.

Discretionary Access Control (DAC) allows resource owners to determine who can access their resources. In this scenario, users are empowered to set permissions on their own files, which aligns with the principles of DAC. The other access control models, such as MAC, RBAC, and ABAC, involve more centralized or role-based permission management.

The correct answer is 'Use the Trusted Platform Module (TPM) on the laptops.' A TPM is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. The keys stored in the TPM are used for different security applications, such as disk encryption, which is critical for securing sensitive data on employee laptops. Moreover, the TPM can provide platform integrity verification, enhancing the overall security posture. While an HSM and Secure Enclave can offer secure storage for keys and perform cryptographic operations, they are typically external devices or isolated areas within a CPU, not embedded solutions specifically tailored for endpoint devices like laptops. A Key Management System is more of an overarching system to manage cryptographic keys throughout their lifecycle and does not provide the hardware-level storage necessary for this scenario.

Adaptive Policy-driven access control, also known as risk-adaptive access control, is correct because it incorporates real-time risk assessments based on context, such as user behavior, device security status, and data sensitivity, to adapt access permissions dynamically, thereby limiting the scope of threats by granting access based on policies that respond to perceived risk levels. While Role-based access control (RBAC) is statically designed based on predefined roles and Discretionary access control (DAC) is based on the resource owner's discretion, neither adapts dynamically to changing threat landscapes. Mandatory access control (MAC) is policy-based but not adaptive to real-time risks.

Establishing a comprehensive data governance framework that is built to comply with the highest standard among international data protection regulations ensures that the organization operates above the baseline requirements of all jurisdictions it operates in. This approach is usually more efficient than attempting to comply with each set of local regulations separately and minimizes the risk of non-compliance. Marking the setup of an external compliance team as the correct answer would be inappropriate because it does not necessarily ensure compliance with global data protection standards. Creating a data retention policy focusing on the least restrictive standards does not ensure compliance with more stringent regulations in other jurisdictions. Lastly, leaving the compliance decision to local IT departments may result in a fragmented and inconsistent approach to data protection that could lead to non-compliance.

To calculate MTBF, divide the total operational time by the total number of failures. The total operational time over the 2-year period is 17,520 hours, and there were 4+2=6 outages. Therefore, the MTBF is 17,520 hours / 6 outages = 2,920 hours. Accurate calculation of MTBF is essential for gauging the reliability of equipment and scheduling maintenance to minimize downtime.

Single sign-on (SSO) is an authentication scheme that allows a user to use a single set of credentials (like a username and password) to access multiple different applications and resources. This directly addresses the company's goal of reducing the number of logins employees must manage.

• RADIUS and TACACS+ are AAA (Authentication, Authorization, and Accounting) protocols, primarily used for centralizing authentication for network access (like Wi-Fi or VPNs) or network device administration, respectively. They do not provide the seamless single-login experience across various applications that SSO offers.
• 802.1X is a port-based network access control (PNAC) standard used to authenticate devices before they are allowed to connect to a network. It is not used for authenticating users to applications.

The CISO should opt to accept the risks that cannot be fully mitigated due to budgetary constraints. This involves acknowledging that the risks exist, understanding the potential impact, and making a conscious decision not to take direct action to address them. Other strategies like transferring, avoiding, or mitigating the risks may be inappropriate or too costly in this situation compared to the value of the assets being protected.

Single Sign-On (SSO) is the appropriate authentication method because it enables users to authenticate once and gain access to multiple applications without re-entering credentials. This streamlines the login process and enhances user experience while maintaining security. Multifactor Authentication (MFA) increases security by requiring multiple authentication factors but does not allow access to multiple systems without additional logins. Federated Identity Management allows sharing of identity information across different organizations or domains, which may not be applicable here. Biometric Authentication uses unique physical traits for identity verification but doesn't provide access to multiple systems with a single authentication.

Implementing security benchmarks provides standardized guidelines for configuring systems securely, ensuring consistency and reducing vulnerabilities across all servers. This approach aligns with best practices for establishing and maintaining secure baselines.

A dedicated hardware appliance known as a Hardware Security Module specializes in the secure generation, storage, and management of encryption keys. It is used to enhance security by offloading these sensitive operations from less secure general-purpose servers. On the other hand, a Secure Enclave is a subset of a processor used to protect sensitive data but does not primarily focus on key management. Biometric Readers are used for authentication purposes based on physical characteristics and are unrelated to encryption key management. Network Attached Storage devices are used for data storage and also do not specialize in managing encryption keys.

While biometric authentication provides a convenient and personal security layer, it should not be the sole method of protection. Biometric systems can be bypassed or spoofed using various techniques. Furthermore, a single authentication factor is inherently weaker than a multi-factor approach. Therefore, the best practice is to require biometrics in conjunction with another factor, like a strong PIN or password, as part of a multi-factor authentication (MFA) strategy to provide defense-in-depth.

A configuration audit specifically assesses configurations against established security baselines and policies, ensuring that systems are compliant with the required security settings. This would detect deviations in access control policies and configurations from the standard across servers. A performance audit, while it assesses the efficiency and effectiveness of an organization's processes, would not focus solely on security settings and policies. A financial audit is concerned with the financial accounts and transactions of an organization, and while an operational audit evaluates the operational aspects of an organization, it does not concentrate on access control policies and system configurations to the extent necessary for the given task.

An organization needs to comply with local and regional regulations to ensure that they are not violating any laws that may be specific to the jurisdictions they operate in. Not understanding these local nuances could lead to legal issues, such as fines or sanctions. For example, certain regions may have specific requirements for data protection that differ from national laws, such as stricter privacy regulations that mandate data residency within the region. National and global standards, while essential, may not cover all aspects of the local regulatory environment, and universal standards do not typically exist for cybersecurity, hence the specificity of the correct answer.

Implementing an air-gapped network means these critical systems are physically disconnected from any other networks and the internet, providing the highest level of isolation. This prevents remote access and network-based attacks. While using VLANs, firewalls, or NAT can enhance security through logical segmentation and filtering, they do not offer the same level of isolation because the systems remain connected to other networks, potentially exposing them to threats.

The correct answer involves updating the Incident Response Plan with improvements identified during the review of a recent incident. This is the best choice because it directly applies feedback from actual incidents to enhance procedures and readiness for future events. Simply reviewing historical trends or concluding that the existing plan is sufficient does not provide the iterative improvement needed for effective incident response. Updating training materials without specific reference to the improvements identified may not address the issues encountered during the incident.

Sanitization refers to the thorough removal of data from storage devices to prevent data retrieval and unauthorized access after the device is disposed of or repurposed. Physically destroying the device is an extreme form of sanitization, but it is not the overall definition, which also includes non-destructive methods. Compression is a data storage optimization technique, and encryption is a data protection method; neither constitutes data removal for disposal.

The motion sensors act as a Detective Control because they identify and alert to unauthorized activity. They do not prevent the incident from occurring but detect it so that appropriate action can be taken. Preventive Controls, like locks or access restrictions, are designed to stop unauthorized access from happening in the first place. Corrective Controls come into play after an incident to mitigate its impact, such as restoring data from backups. Deterrent Controls are intended to discourage potential attackers, like warning signs or visible security cameras.

A hot site is a fully equipped backup facility that is operational and ready to activate immediately after a disaster. It maintains up-to-date copies of data, hardware, and software, allowing an organization to resume normal operations rapidly. Warm sites are partially equipped and require additional time to become fully functional, while cold sites have only the basic infrastructure and need significant time to set up equipment and restore data.