CompTIA Security+ Practice Test (SY0-701)

Confirmation is the correct term because it involves verifying whether a detected vulnerability by a scan or a security tool truly exists and is not a false positive. It's important for security professionals to accurately confirm vulnerabilities to prioritize remediation efforts and avoid wasting resources on issues that aren’t actual vulnerabilities. A false positive, on the other hand, would refer to erroneously identified issues that are not actual vulnerabilities, and reporting is related to the communication of findings, not the verification of them. Threat hunting is the proactive search for threats that are not detected by automated systems.

Numerical severity scores provide a useful starting point, but they do not capture organization-specific factors such as asset criticality, exploit likelihood in the given environment, compensating controls, and overall business impact. The CVSS specification recommends that consumers supplement the Base score with Temporal and Environmental metrics and with additional risk data to arrive at a context-aware priority. Therefore, relying on the score alone is insufficient; broader organizational context must be considered when setting remediation priorities.

A worm is a type of malware that replicates itself in order to spread to other computers, often over a network. It can consume system resources which can lead to denial of service. Unlike a virus, it does not need to attach itself to an existing program and often exploits vulnerabilities in network services to spread. Ransomware, while it may spread across networks, is primarily known for encrypting files and demanding a ransom; it is not characterized by its ability to replicate on its own. Spyware is designed to gather information without consent and does not typically replicate itself. A rootkit is designed to provide unauthorized access to a computer system and conceal its presence, not to propagate across networks.

The policy is a directive control because it provides written guidance that instructs users on the required behavior (how to create passwords) to meet the organization's security expectations. Preventive controls stop incidents from occurring (for example, a firewall), deterrent controls discourage attacks (for example, posted warning signs), and detective controls identify incidents after they happen (for example, log analysis). The password-complexity statement does not directly block or detect attacks; it directs users, so it is classified as a directive control.

The 'Confidential' data classification is typically applied to information that if disclosed without authorization could lead to a significant level of risk to the organization or individuals. This classification requires a higher level of access control and protective measures due to the potential harm that could result from its exposure. Other classifications like 'Public' and 'Sensitive' do not carry the same implication of risk if disclosed and thus are not characterized by the same level of required protection. 'Restricted' often refers to a higher classification level than 'Confidential' and may require even stricter controls.

Writing more data to a fixed-length memory buffer than it was allocated to hold is a classic buffer overflow. The excess data overwrites neighboring memory, which can result in crashes or allow the attacker to execute arbitrary code. SQL injection and XSS target web application input handling, while directory traversal manipulates file-system paths; none of these involve overrunning a memory buffer.

The correct answer is Hacktivist. Hacktivists are often motivated by philosophical or political beliefs, which lead them to target organizations or governments that they perceive as acting against their values or agendas. The nature of these attacks, including website defacements and public message spreads, are typical of hacktivist groups that aim to broadcast a political message or to create awareness about their cause. The other options listed do not align as closely with the details given.

An access control vestibule uses two interlocking doors to control the passage of individuals into a secure area. This configuration enhances security by verifying credentials before granting access. Turnstiles control pedestrian flow but typically do not use interlocking doors. Bollards are physical barriers that prevent vehicle access but do not control pedestrian entry. Security cameras monitor areas but do not physically restrict access.

To estimate the yearly financial impact of the security breaches, the security manager needs to consider both the frequency of the incidents and the cost of each incident. This is known as Annualized Loss Expectancy, which is the product of the yearly occurrence rate and the cost of a single incident. Since the data breaches happen twice per year, the frequency (occurrence rate) is 2. Multiplying this by the cost for a single data breach ($50,000) gives an estimated annual impact of 2 * $50,000 = $100,000. Similarly named metrics or partially correct values would not account for both the incidence frequency and individual incident cost correctly.

Changing default credentials is an essential security measure to prevent unauthorized access, as many attack vectors involve using known defaults to gain control over systems. Attackers often rely on databases of default usernames and passwords-such as those exploited by the Mirai botnet-to compromise devices that have not had their credentials changed from the manufacturer's defaults. Regularly updating device passwords to complex, unique values greatly reduces this risk. Conducting a vulnerability scan or updating firmware, while important, would not address the immediate exposure created by default credentials. Disabling remote management could limit some attack vectors but still leaves the device vulnerable if the credentials remain unchanged.

A 'Partially Known Environment,' also called a gray-box test, is one where the penetration tester has some information about the target system, such as network diagrams or configurations, but does not have complete knowledge. This approach mimics a scenario where an attacker might have some insider knowledge. In contrast, an 'Unknown Environment' (black-box test) implies the tester has no prior knowledge of the system. A 'Known Environment' (white-box test) is when the tester has full knowledge of the system, including source code and architecture documents. 'Reconnaissance' is not an environment type but a phase of penetration testing focused on information gathering.

The correct choice is a screened subnet, which is also commonly known as a demilitarized zone (DMZ). A screened subnet is a perimeter network that is isolated from the secure internal network by a firewall, providing a buffer zone between the internal network and the untrusted internet. It is the standard architecture for hosting public-facing services, like web servers, because it contains potential security breaches within the DMZ, preventing them from spreading to the critical internal network. An air-gapped network is completely physically isolated and not connected to the internet, so it is unsuitable for a public web server. A honeynet is a decoy network used to attract and study attackers, not for hosting production services. A virtual private network (VPN) is used to create a secure, encrypted connection over an untrusted network and is not the primary tool for segmenting a public server.

A nation-state actor is most likely responsible, as they are characterized by high levels of sophistication, significant resources, and government backing, often targeting other nations for espionage or strategic advantage. Their use of zero-day exploits and custom malware are hallmarks of their advanced capabilities. An unskilled attacker lacks the skills and resources for such an attack. An insider threat originates from within the organization and, while potentially sophisticated, the description points towards a well-funded external entity. Organized crime is typically motivated by financial gain, not state-sponsored espionage.

Requiring passwords to be long and include a combination of uppercase letters, lowercase letters, numbers, and special characters significantly increases their complexity, making them harder to guess or crack. Allowing password reuse or limiting password age does not directly enhance password strength and can lead to weaker security practices.

A brute force attack involves trying random passwords on user accounts in an attempt to gain access. If accounts are set up to auto lock after a certain number of failed login attempts this can be a sign of an attacker's attempt to brute force accounts.

Containers share the host's operating-system kernel. If an attacker exploits a kernel-level vulnerability or misconfiguration, the code can escape the original container's namespace and interact with the host or other containers. Virtual machines, by contrast, have their own separate kernels, so a compromise stays isolated inside that VM.

RTOS are designed to handle real-time applications that require a deterministic response to events. The most critical aspect of securing an RTOS is ensuring the availability and timely processing of tasks, which can be crucial for safety and operational continuity in industrial environments. If tasks are not completed within the required time frame, it could result in system failures or hazards. Other answers, such as data leakage and physical tampering, although important for general security, are not as central to RTOS security concerns as availability and timely task execution.

This attack is a directory traversal. By inserting "../" into the URL, the attacker navigates the file system hierarchy to access files and folders that are outside the intended scope of the web application. This can lead to unauthorized access to sensitive files. Directory traversal exploits occur when input validation is insufficient on file path parameters. The other options are distinct types of attacks: SQL injection involves injecting malicious SQL queries into a database query, cross-site scripting (XSS) entails injecting malicious scripts into web content viewed by other users, and a buffer overflow occurs when too much data is sent to a fixed-length memory buffer, potentially allowing an attacker to execute arbitrary code.

The guidelines requiring employees to report suspicious behavior represent a directive control. Directive controls are policies, regulations, and guidelines that mandate specific actions or behavior to ensure compliance and enhance the security posture of an organization. The focus on behavior and reporting in this scenario aligns with the intention behind directive controls to guide user actions. The other options, while plausible, do not fulfill the purpose of directing specific actions. Technical controls involve technology and devices, deterrent controls aim to discourage but don't direct specific reporting actions, and physical controls involve tangible measures to secure assets, which do not include guidelines for behavior.

While process isolation is the fundamental mechanism that prevents VM escape, it is not foolproof, as vulnerabilities in the hypervisor can still be exploited. A comprehensive, defense-in-depth strategy is the most effective approach. This includes keeping both the hypervisor and guest operating systems fully patched, using network segmentation to limit an attacker's reach, and applying the principle of least privilege through strict access controls. HIDS on guest VMs and data encryption are valuable security layers, but they do not directly prevent the hypervisor compromise that enables a VM escape.