CompTIA Security+ Practice Test (SY0-701)

An inline deployment positions the security appliance directly in the path of production traffic, allowing it to actively inspect, block, or modify packets in real time based on security policies. Tap, out-of-band monitoring, and passive sensor placements receive only a copy of the traffic; they can detect threats but cannot alter the original packet flow, so they do not satisfy the requirement.

The primary role of monitoring in relation to indicators within a security infrastructure is to identify unusual patterns or behavior that may signify a security incident. While it might also help in enforcing policy by triggering alerts when anomalies are detected, and can be instrumental in retrospective analysis after an incident, its essential function centers on the prompt detection of potentially malicious activity. Understanding the nuances of monitoring's main role is important in distinguishing it from ancillary benefits such as policy enforcement or post-incident analysis.

The Zero Trust Model is a security framework that mandates all users and devices, regardless of their location, to be authenticated, authorized, and continuously verified before accessing resources. This approach operates on the principle of 'never trust, always verify,' ensuring that no implicit trust is granted to assets based solely on their network location. The Least Privilege Model limits user access rights to only what is necessary for their job functions but does not require continuous validation. Defense in Depth is a layered security strategy that uses multiple defenses but doesn't inherently require continuous authentication and authorization. Discretionary Access Control allows data owners to set access permissions but doesn't enforce continuous validation of users and devices.

Implementing full-disk encryption encrypts the entire content of the hard drive, providing comprehensive protection by ensuring that data is encrypted, including system files and temporary files. This means that even if someone gains physical access to the laptop, they cannot access data without proper authentication. Encrypting sensitive files individually may leave some data unprotected and relies on users to properly secure each file. Using database encryption is not effective in this scenario because the concern is data stored on laptops, not databases. Implementing email encryption protects emails in transit and does not secure data stored on the device. Therefore, full-disk encryption is the most effective solution to protect data on lost or stolen laptops.

Syslog is a vendor-neutral standard for message logging. It includes a standard format for log messages and a network protocol for sending that data to a central logging server. It is widely used by network devices like routers, switches, and firewalls, and on Unix and Linux operating systems. The other options are incorrect. A Security Information and Event Management (SIEM) system collects and analyzes logs but is not the logging standard itself. Simple Network Management Protocol (SNMP) is a protocol for network management, not a logging standard. 'Event manager' refers to proprietary systems like the Windows Event Viewer, not a vendor-neutral standard.

The correct answer is 'Regulations'. Regulations are specific, enforceable requirements laid down by governmental authorities, and organizations must adhere to them to ensure compliance within various domains, including data protection and privacy. 'Guidelines' offer advice or suggestions but are not legally enforceable. 'Frameworks' provide a structured approach to addressing complex issues but also lack the force of law. While 'Mandates' require action, the term is broad and may not necessarily pertain to legally enforceable directives from a government body in the way 'regulations' do.

Firewalls are foundational controls that inspect and filter network traffic based on rule sets. While they can block some malicious connections, they typically cannot inspect every payload-especially traffic that is encrypted or disguised as legitimate-and therefore cannot stop all forms of malware on their own. Effective malware defense requires additional layers such as endpoint antivirus/EDR, intrusion detection or prevention systems, and security monitoring to detect, contain, and remediate threats that bypass or originate inside the firewall.

By reporting the suspicious email to the organization’s security team, the employee is following the proper protocol for dealing with potential file-based threats. This allows the security team to investigate and respond to the threat effectively, possibly preventing a security breach. Opening or ignoring the attachment could lead to system compromise, and contacting the manager directly may not stop the potential threat in time if the file is indeed malicious.

A false negative is a situation where a security system fails to detect an actual security threat or vulnerability, incorrectly indicating that everything is secure when, in fact, it is not. This can result in unaddressed vulnerabilities that may be exploited by an attacker. On the other hand, a false positive refers to a security system mistakenly identifying legitimate activity as malicious, resulting in wasted resources and potential disruption of normal operations. True positive describes accurate detection of an actual threat, while false security is not a commonly used term in the context of threat detection and is often used rhetorically to describe an unwarranted feeling of safety.

The institution is most vulnerable to passive reconnaissance. This is because passive reconnaissance involves collecting information without directly interacting with the target system, often by gathering accessible data such as company records, employee social media profiles, or public documents. This kind of information is exactly what the institution has not been monitoring, which could lead to an attacker collecting data without detection to facilitate social engineering or other types of attacks.

'Responsiveness' refers to the system's ability to acknowledge and react to requests in a timely manner. In security contexts, this ensures that the system can maintain service quality even under varying load conditions, which is critical to preventing denial-of-service attacks and ensuring user satisfaction.

Implementing load balancing distributes incoming network traffic across multiple servers, effectively managing compute resources to handle fluctuating workloads. This improves both availability and scalability, ensuring the application remains responsive during peak usage times. While data replication to a standby server aids in recovery, it doesn't directly manage compute resources. Scheduling maintenance during off-peak hours minimizes disruption but doesn't address real-time workload management. Deploying redundant power supplies enhances power availability but doesn't handle compute load distribution.

The correct answer is 'Brute force attack'. This type of activity suggests an attempt to guess the password by systematically trying numerous possible combinations. A brute force attack often generates many failed login attempts in a short time frame, which would be recorded by an IDS. An IDS is designed to detect this kind of anomalous behavior and raise alerts accordingly. 'Port scanning' involves probing a server for open ports and does not necessarily result in multiple failed login attempts and would not typically generate an IDS alert for this behavior. 'DDoS attack' and 'Phishing attempt' are also incorrect because although they are security threats, they generally do not result in repeated failed logins on a server.

Uninstalling software applications that are not essential to a system's primary functions directly benefits security by reducing the number of potential attack vectors available to a threat actor. Every piece of software can introduce vulnerabilities, and non-essential applications may not be maintained with the same rigor as critical ones, leading to increased security risks. By minimizing the number of installed programs, the scope for vulnerabilities is narrowed, bolstering the system's resilience to cyber threats.

Regulated data is subject to statutes or industry frameworks that prescribe how it must be secured (for example, HIPAA, FERPA, GDPR, or PCI-DSS). Because non-compliance can trigger fines and legal liability, organizations must implement controls such as encryption, strict access control, and auditing. Other data types like trade secrets or intellectual property may be highly valuable but are not dictated by external regulations in the same way.

A guideline is the most appropriate document type. Guidelines are non-mandatory and provide recommendations or best practices to help employees make informed decisions. Unlike policies and standards, which are mandatory, guidelines offer flexibility. An Acceptable Use Policy (AUP) is a formal policy dictating mandatory rules for using company resources. A password standard sets compulsory rules for password creation. A change management procedure provides required, step-by-step instructions for making changes to IT systems.

The correct answer identifies the pattern that confirms a successful compromise. A series of failed login attempts followed by a successful login from the same source is a classic indicator of a successful brute-force attack. An account lockout event indicates that a security control successfully thwarted the attack, not that the system was compromised. Continued failed attempts for different usernames suggest a password spraying attack is ongoing, but it does not confirm a successful breach. Successful logins for other users from different locations are likely normal activity and unrelated to the specific attack being investigated.

A honeypot is a decoy system that mimics a legitimate system to attract and trap potential attackers. It is intentionally made vulnerable to entice malicious actors, allowing cybersecurity professionals to monitor and analyze their behavior, methods, and techniques. This information can then be used to strengthen the security of real systems and develop more effective defenses against future attacks. Honeypots are an essential tool in deception and disruption technology, as they help detect and deflect attacks away from critical systems.

Salting introduces random data to each password before hashing, which ensures that identical passwords result in different hash values. This protects against rainbow table attacks that rely on precomputed hash values. Steganography hides data within other files, obfuscation makes data difficult to interpret, and tokenization replaces sensitive data with non-sensitive equivalents. These methods do not prevent rainbow table attacks on passwords.

Evaluating how frequently a particular security event is expected to occur over a one-year period provides the annualized rate of occurrence (ARO). A higher ARO reflects a greater probability that the risk will be realized within the year, so risks with the highest ARO typically rise to the top of the mitigation list. By contrast, reviewing new technology features, patch cadence, or the historical time between past incidents may inform other aspects of the security program but do not directly express the likelihood of a future event, making them less effective for initial prioritization.