CompTIA Security+ Practice Test (SY0-701)

The correct answer is the implementation of real-time threat intelligence integrated with security systems for dynamic risk assessment, which exemplifies a continuous risk assessment approach. This approach ensures immediate identification and evaluation of risks as they emerge, allowing for prompt risk management actions. The other options describe more periodic, reactionary, and infrequent methods, which do not reflect the ongoing nature inherent to continuous risk assessment.

The fake security cameras are a deterrent control. They don’t actually prevent theft and since they aren’t operational cameras they won’t detect if theft is actually happening. They can be a deterrent to thieves who think they are functioning.

Implementing security benchmarks provides standardized guidelines for configuring systems securely, ensuring consistency and reducing vulnerabilities across all servers. This approach aligns with best practices for establishing and maintaining secure baselines.

'Smishing' is a type of attack that capitalizes on the widespread use of mobile messaging. It involves sending deceptive text messages aiming to manipulate recipients into providing sensitive data or to compromise their mobile devices. The term is a portmanteau of 'SMS' (Short Message Service) and 'phishing'. Understanding 'Smishing' is essential because this method exploits the familiarity and trust many users have with text messaging, and it's often less expected than email-based phishing attacks.

A questionnaire can still be an effective assessment tool without a formal cross-reference to a framework-provided the questions elicit adequate evidence about the controls that matter for the vendor's specific risk profile. Mapping to a framework is helpful for consistency and coverage, but it is not an absolute requirement; effectiveness depends on how well the questionnaire addresses the organization's risk tolerance, regulatory drivers, and the vendor's service scope. Framework alignment simply offers one proven method to reach that goal.

A multinational enterprise must comply with the data-protection and information-security laws of every jurisdiction in which it operates or whose residents' data it processes. Regulations such as the EU GDPR expressly apply to organizations outside the EU if they offer goods or services to, or monitor the behavior of, people in the EU; similar extraterritorial or local rules exist in many other regions. Limiting compliance to the headquarters country, data-center location, or voluntary standards would leave the organization exposed to fines, legal action, and reputational damage.

A jump server, also known as a jump host or bastion host, is a hardened server that acts as a secure intermediary and single point of entry for administrators to connect to other devices in a separate security zone. This approach centralizes access control and monitoring.

A proxy server primarily acts as an intermediary for user requests to other servers (like web servers), but it is not specifically designed for administrative access sessions. A load balancer distributes incoming traffic across multiple servers to improve availability and performance but does not serve as a secure administrative gateway. A VPN concentrator is used to establish secure, encrypted tunnels for remote access, but it typically provides broader network-level access rather than the specific, audited host-to-host administrative access that a jump server provides.

The Control Plane is responsible for making access decisions in a Zero Trust model. It analyzes the trustworthiness of entities and enforces established policies to determine whether access should be granted or denied. The Data Plane, in contrast, handles the actual transfer of data and does not make policy-based decisions. Authentication servers and segmentation gateways, while they may contribute to the overall security posture, are not the components responsible for the described decision-making process within the Zero Trust architecture.

The correct answer is Full-Disk Encryption (FDE) because it encrypts the entire hard drive of the laptop, including the operating system, and ensures that all data on the device is protected. This is most effective for devices like laptops that can easily be stolen or misplaced, protecting against unauthorized access even if the laptop is turned off.

Partition encryption would only encrypt a specific partition of the hard drive, which means sensitive data stored outside of this partition would not be protected. File-level encryption would protect individual files, but it would not necessarily secure system files or temporary files that could contain sensitive data. Database encryption focuses on protecting data within a database and is not typically applied to the entire storage system of a laptop.

A digital signature provides assurance that a file has not been altered since it was signed (integrity) and that it originated from the holder of the private key (authenticity). However, it does not guarantee the code is free from malware. As seen in major supply chain attacks, if an attacker compromises a vendor's internal build process, they can inject malicious code into the software before it is signed. The software, now containing malware, is then legitimately signed by the vendor, making it appear trustworthy. Another primary attack vector is the theft of a vendor's code-signing private key, which allows an attacker to sign their own malicious files. Therefore, relying solely on a digital signature is insufficient.

Discretionary Access Control (DAC) allows resource owners to determine who can access their resources. In this scenario, users are empowered to set permissions on their own files, which aligns with the principles of DAC. The other access control models, such as MAC, RBAC, and ABAC, involve more centralized or role-based permission management.

Tokenization is the optimal method because it allows specific sensitive data elements, such as credit card numbers, to be replaced with non-sensitive equivalents, referred to as tokens. These tokens can be used in various operational processes without exposing the actual sensitive data. This is particularly useful for customer data analysis, as the analysis can often be performed with the non-sensitive token rather than needing the actual credit card number. Encryption, while it also obscures the original data, would not be as convenient because data analysis would typically require decryption. Masking affects the utility of the data for analysis because it often involves altering part of the data permanently. Lastly, hashing is incorrect because it is non-reversible and thus unsuitable for scenarios where the original data might need to be accessed again.

A Man in the Browser (MitB is a type of man in the middle (MitM) attack using a Trojan Horse to infect the victim's computer. Once installed the trojan will attempt to use known vulnerabilities in a browser's executable to intercept or modify web traffic. A successful MiTB can occur even with SSL/TLS and without the web application being aware of the attack.

The correct answer is that the data remains on the drive and can be recovered. A quick format only removes the pointers to the files in the file system's index (like a table of contents), but it does not erase the actual data stored on the disk. Specialized data recovery tools can easily scan the drive and reconstruct the files, creating a significant data breach risk. Proper sanitization methods, such as those outlined in NIST 800-88 (e.g., overwriting, degaussing, or physical destruction), are required to ensure data is truly unrecoverable.

Obfuscation is used to make data ambiguous to unauthorized users to prevent them from understanding it, which adds a layer of security. This can deter attackers since they cannot easily interpret the obfuscated data without significant effort or the correct decoding mechanisms.

Enforcing password complexity, which requires a mix of upper-case letters, lower-case letters, numbers, and special characters, is the most effective control against brute-force and dictionary attacks. Simple passwords and password reuse make accounts vulnerable. While periodic password expiration was a common practice, modern standards from NIST advise against it unless there is evidence of compromise, as it often leads to weaker passwords.

Onboarding is the process that typically initiates the creation of user accounts and assignment of access rights, as it refers to the steps taken to integrate a new employee into an organization, which includes providing them with the necessary credentials and access to fulfill their roles. Offboarding is the process of removing access rights and accounts when an employee leaves the company, which is the opposite action of onboarding. Maintenance refers to ongoing system upkeep and does not directly relate to the initial account creation. Role changes may involve modification of access rights but are not responsible for the initiation of account creation.

A Blackmail motivation typically involves the threat of revealing sensitive information unless a demand (often for payment) is met, which aligns with the modus operandi of organized crime groups. Organized crime syndicates are known for seeking financial gain through coercion and intimidation, making them the most likely to engage in blackmail. Nation-state actors, while possessing the capability for such actions, are usually driven by espionage or political objectives. Unskilled attackers often lack the expertise to obtain and leverage sensitive information effectively, and hacktivists are generally motivated by political or social objectives, not financial gain through extortion.

Regulated data is subject to statutes or industry frameworks that prescribe how it must be secured (for example, HIPAA, FERPA, GDPR, or PCI-DSS). Because non-compliance can trigger fines and legal liability, organizations must implement controls such as encryption, strict access control, and auditing. Other data types like trade secrets or intellectual property may be highly valuable but are not dictated by external regulations in the same way.

The strategy where staff are permitted to use their personally-owned smartphones for work, with the company securing access to its systems and maintaining compliance with corporate security policies, is most closely associated with a 'Bring Your Own Device' policy without explicitly stating the acronym. It allows personal devices to access company resources, saving costs on hardware while still managing corporate data security through policy enforcement. The use of an exclusively corporate-provided device policy would not align with the goal of reducing hardware costs, as the organization would still need to purchase and maintain these devices. Similarly, offering a catalog of approved corporate devices to select from does not align with the objective of utilizing employee-owned devices; hence, it would be a less effective fit for the stated company goal. As for the approach involving a decoupled device environment where employees access a virtual mobile interface, it does not directly address the usage of personal devices for work-related tasks.