CompTIA Security+ Practice Test (SY0-701)

Directive controls are designed to direct the actions of individuals or systems within an organization. They provide guidance and instructions on how to maintain security and comply with established policies. Examples of directive controls include security policies and guidelines that outline acceptable behaviors, procedures, and best practices. These controls help ensure that employees and systems operate in a manner consistent with the organization's security objectives.

Incorporating security requirements during the procurement process ensures that the security controls are integrated into the design and contractual obligations, which is vital to mitigate risks from the outset. Waiting until a system or service is deployed to consider security could result in higher costs due to retroactive changes and potential exposure to threats that could have been avoided.

A honeypot is a security mechanism set up to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Honeypots can come in the form of network-attached systems, applications, or data that simulate a real environment but are closely monitored to gain insights into attacker motives and tactics. This is distinctly different from the other options: Honeynet is a network of honeypots, a honeyfile is a decoy file rather than a system, and a honeytoken is not a system, but a piece of data or a token that serves as a trap.

The Control Plane is responsible for making access decisions in a Zero Trust model. It analyzes the trustworthiness of entities and enforces established policies to determine whether access should be granted or denied. The Data Plane, in contrast, handles the actual transfer of data and does not make policy-based decisions. Authentication servers and segmentation gateways, while they may contribute to the overall security posture, are not the components responsible for the described decision-making process within the Zero Trust architecture.

Numerical severity scores provide a useful starting point, but they do not capture organization-specific factors such as asset criticality, exploit likelihood in the given environment, compensating controls, and overall business impact. The CVSS specification recommends that consumers supplement the Base score with Temporal and Environmental metrics and with additional risk data to arrive at a context-aware priority. Therefore, relying on the score alone is insufficient; broader organizational context must be considered when setting remediation priorities.

The symptoms point to DNS hijacking. By compromising the organization's domain-registrar or authoritative DNS settings, the attackers redirected the company's domain away from its legitimate web servers. Because the web servers are still functioning and no suspicious logins are recorded, the problem lies with the DNS records, not the host itself. Man-in-the-middle, session hijacking, and cross-site scripting would not make the site completely unreachable or allow the attackers to demand a ransom for restoring access to the entire domain.

An inline device is deployed directly on the network path; all traffic must pass through it. This is ideal for scenarios where traffic analysis and blocking potential threats is necessary. Furthermore, since the device must not be bypassed even if it fails, an inline device must be used instead of a tap or monitor mode, which allows traffic to bypass the device if it fails or is not active.

Periodically restoring data from backup media in a test (or otherwise nonproduction) environment proves that the data can actually be recovered and that the organization's procedures meet recovery-time and recovery-point objectives. Encrypting archives, storing tapes off-site, and scheduling differential backups all improve aspects of confidentiality, availability, or frequency, but none of them confirms that the data can be restored successfully.

The correct answer is 'Botnet' because it describes a network of compromised computers that are controlled remotely, typically without the owners' knowledge, to perform tasks such as cryptocurrency mining. A botnet infection matches the scenario described where multiple endpoints are being remotely controlled. A Ransomware infection would generally encrypt files and demand payment, which is not mentioned in the scenario. A Logic Bomb would execute malicious code based on certain conditions being met, which is not indicated in this scenario. A Worm would self-replicate to spread to other computers, but it does not inherently control multiple endpoints for a task like cryptocurrency mining.

Having services running with default credentials is considered a misconfiguration because attackers often use these well-known credentials to gain unauthorized access to systems. Changing default credentials is a basic security measure that should be applied to all systems and services to prevent unauthorized access. The other options provided are not inherently misconfigurations, as regular software updates, using secure protocols, and having an up-to-date antivirus are recommended practices for securing systems.

Creating an IPsec VPN (or other strong encryption such as TLS 1.3) establishes an encrypted tunnel that offsets the risk of sending data across an untrusted network when the preferred primary control-a private, physically isolated link-cannot be used. That encrypted tunnel therefore serves as a compensating control. Daily log reviews, quarterly penetration tests, and additional awareness training are useful but do not directly provide equivalent protection for the specific gap (lack of a secure transmission channel).

Utilizing a allowlist input validation approach serves as the most effective mitigation technique against injection attacks because it permits only known safe inputs, based on a predefined set of criteria, to be processed by the application. This control is strict by nature and denies all input that does not strictly conform to the expected and validated format. On the contrary, relying on a blocklist input validation approach or solely relying on cryptographic hashing functions might not fully prevent injection attacks, as blocklists cannot anticipate all possible malicious inputs and hashing functions do not actually validate input but rather ensure data integrity post-submission. While data type enforcement is a good practice, on its own, it may not be sufficient to prevent the diversity of injection attacks.

The correct answer is 'Potential impact on business operations' because when prioritizing vulnerabilities, the primary concern is how a vulnerability might affect critical business functions and operations. If the impact is high, it could lead to significant loss or damage, so these vulnerabilities need to be addressed first. Other options such as the ease of implementation, popularity of the software, and personal preference are considered, but they do not outweigh the importance of the potential impact on business operations.

Configuring separate VLANs and matching IP subnets on the existing switch infrastructure isolates traffic at Layers 2-3 using software-defined settings. This is a logical segmentation method because it relies on switch port configuration and IP addressing, not on additional physical hardware or cabling. Installing air-gapped systems, dedicating separate switches/cabling, or running a stand-alone dark-fiber link all require new physical infrastructure and therefore constitute physical segmentation.

Media sanitization is defined by NIST SP 800-88 as a process that makes access to the data infeasible. Sanitization can be accomplished by methods such as overwriting, cryptographic erase, degaussing (for magnetic media), or physical destruction, depending on the device. Simply formatting, deleting files, or disabling hardware does not guarantee that residual data cannot be recovered.