CompTIA Security+ Practice Test (SY0-701)

Zero Trust Architecture is designed to eliminate implicit trust and enforce strict verification for every user and device attempting to access network resources. It requires full authentication, authorization, and encryption for each access request, effectively meeting the manager's requirements. The Principle of Least Privilege limits access rights but doesn't address continuous authentication or the elimination of implicit trust for each request. Defense in Depth employs multiple layers of security but does not specifically focus on the trust model for access requests. Security through Obscurity is not a valid or effective security strategy, as it relies on secrecy rather than robust security measures.

Changing the default credentials is the best initial step for securing new devices. Attackers often use known default usernames and passwords to gain unauthorized access to new system installations. Resetting these credentials to unique and strong username/password combinations significantly reduces the risk of simple but effective attacks. Updating firmware, while important, is generally focused on addressing functional and security issues rather than preventing unauthorized access due to default credentials. Enforcing account lockout policies is more about responding to attack attempts rather than preemptively mitigating the risk. Scanning for vulnerabilities is an ongoing security practice but does not directly address the specific risk of default password use.

The Data Owner is responsible for managing and mitigating risks related to their data. They have the authority and accountability for the data, making them the appropriate risk owners.

The best strategy here is 'Mitigate', which means that the company should take actions to reduce the impact or likelihood of the risk. This can include adding additional security controls or seeking alternative solutions to address the identified risk temporarily until the vulnerability can be patched. 'Transfer' would generally imply shifting the risk to another party, such as through insurance, but it would not be a direct action against the vulnerability in the software. 'Accept' would be incorrect because the question states that they do not want to accept the risk as it is. 'Avoid' generally implies ceasing to use the at-risk component altogether, which may not be feasible for operational continuity.

Mean Time Between Failures (MTBF) is a reliability metric that indicates the average time between system breakdowns or failures. It is calculated by dividing the total operational time by the number of failures.

MTBF Calculation:

Total operational time (T) = 8760 hours (given)

Number of unplanned outages (N) = 5 (given)

MTBF = T / N

MTBF = 8760 hours / 5 outages = 1752 hours

An ACL can be bound to an interface in the inbound direction to inspect packets as they arrive and/or in the outbound direction to inspect packets as they leave. Administrators may place separate ACLs in each direction on the same interface, providing granular control over traffic entering and exiting the device.

This is a service provider vulnerability because the breach occurred through an external company providing services to the organization. When service providers are compromised, they can inadvertently expose their clients to security risks. This differs from hardware or software supplier vulnerabilities, which involve flaws in the physical devices or applications supplied to the organization.

Predictive (virtual) site surveys use computer modeling and digital floor plans to estimate RF propagation and can generate heat maps before a building is finished or remodeled. Although these simulated heat maps must later be validated with an on-site survey, they are accurate enough for preliminary design, budgeting, and cabling plans. Therefore, heat-map creation does not always require the physical environment to be in its final state.

RSA uses mathematically linked public and private keys to encrypt or sign data, making it an asymmetric algorithm. The other listed algorithms-AES, Blowfish, and RC4-are all symmetric ciphers that rely on the same shared key for both encryption and decryption.

Open Authorization, commonly known as OAuth, is best suited for this purpose. OAuth is a protocol that enables applications to obtain limited access to user accounts on an HTTP service without passing user credentials to the application. It works by using access tokens provided by the authorization server, which mediate the authentication of the end user by the information provider.

• LDAP (Lightweight Directory Access Protocol) is primarily used for accessing and maintaining distributed directory information services over an IP network, which is not the goal in this scenario.
• RADIUS (Remote Authentication Dial-In User Service) provides centralized authentication, authorization, and accounting for users who connect and use a network service, but does not cater to the specific needs of application-to-application authorization.
• TACACS+ (Terminal Access Controller Access-Control System Plus) provides detailed accounting information and flexible administrative control over authentication and authorization processes, but it is not designed for delegating user authorization between web services.

A false positive occurs when a security system incorrectly identifies benign activity as a threat. In this scenario, the system erroneously flagged normal network traffic as potentially malicious, which is a classic example of a false positive. It is crucial for security analysts to recognize and address false positives to avoid unnecessary responses to non-threatening activities.

Based on the description provided, the attacker is most likely a Nation-state actor. Nation-state actors are typically well-funded, have political motives, and possess advanced capabilities to avoid detection and carry out sophisticated attacks. Unskilled attackers usually lack funding and high-level expertise; hacktivists could have political motives but do not typically possess the level of sophistication described; insider threats involve individuals within the organization itself.

A Virtual Local Area Network (VLAN) provides a logical or virtual way to separate areas of a network. This means devices can physically share the same network infrastructure (e.g. using a common switch) but remain separated from each other on the network.

Salting is the correct answer because it involves adding random data (salt) to a message before hashing. This makes the resulting hash value unique, even for identical messages, which helps prevent rainbow table attacks. Rainbow tables are precomputed tables of hash values that can be used to quickly reverse hashes and obtain the original message. By adding a unique salt to each message before hashing, the resulting hash values will be different, rendering rainbow tables ineffective.

The correct category for data that is intended for the public and does not need protection is Public. This classification is used for information that can be freely accessed and shared without any risk of harm to individuals or the organization. Sensitive and Confidential data require strict access controls due to their potential impact on privacy and business operations. Restricted is incorrect as it implies limited access due to legal, regulatory, or operational requirements.