CompTIA Security+ Practice Test (SY0-701)

Benchmarks are collections of security configuration settings that provide guidance for the secure setup of systems and applications. They are often developed by communities of cybersecurity experts and provide a standard set of practices for ensuring that a technology is deployed securely.

The correct answer is that the primary risk associated with Shadow IT is the potential for security breaches. This is because unauthorized applications and systems have not been vetted by the organization's security protocols. These tools might not be compliant with security policies, may not be regularly patched, and could lead to the exposure of sensitive data. While increased productivity is often the motivation for using such tools, and budget or usage of approved tools may be affected, the most significant risk from a security standpoint is the introduction of unmonitored vulnerabilities.

Symmetric encryption uses a single shared secret key for both encryption and decryption. This design makes it computationally efficient but requires a secure method to distribute the key to all parties. In contrast, asymmetric encryption employs two mathematically related keys (a public key for encryption and a private key for decryption), eliminating the need to share the private key but at the cost of higher computational overhead. Statements describing key pairs, elimination of key-exchange requirements, or digital-signature creation refer to asymmetric encryption, not symmetric encryption.

Guidelines are recommendations and best practices for users to follow. They are not strictly enforced but are designed to provide general advice on how to use IT resources securely. An organization would develop guidelines to offer staff general security advice. Policies, on the other hand, are mandatory rules that must be followed, and standards are specific low-level mandatory controls. Procedures are detailed step-by-step instructions on how to perform specific tasks.

Honeytokens are uniquely crafted bait elements embedded within data systems to detect unauthorized access. They can be any type of data, such as fake records or credentials, that appear legitimate but are monitored for interactions. When a honeytoken is accessed or used, it triggers an alert, allowing the security team to identify and respond to potential security breaches. While a honeyfile is a specific type of honeytoken in the form of a file, using honeytokens provides a broader approach, not limited to just files. Honeypots and honeynets involve setting up decoy systems or networks, which are more suited for detecting external attackers rather than monitoring interactions within data repositories.

The correct answer is port 443. Hypertext Transfer Protocol Secure (HTTPS) is the standard protocol for secure web communication and uses TCP port 443 by default. Port 80 is used for unencrypted HTTP traffic. Port 143 is the default for Internet Message Access Protocol (IMAP), which is used for email retrieval. Port 3389 is used for Remote Desktop Protocol (RDP).

Operational controls are focused on the daily operational tasks that maintain security within an organization. They include procedures for incident response, change management, and access controls. These controls ensure that routine activities are carried out securely and effectively. Technical controls involve the use of technology to enforce security, such as firewalls and encryption. Managerial controls are policies and procedures set by management to guide the organization's security strategy. Physical controls are measures put in place to protect physical assets and facilities.

Resilience refers to the ability of a system to continue to operate properly in the face of adversity. This can include redundancy, fault tolerance, and robust design choices that allow a system to endure and recover from disruptions. Scalability refers to the capacity of a system to handle growth, while maintainability concerns the ease with which a system can be kept operational. Responsiveness measures how quickly a system reacts to input.

A warm site is a type of disaster recovery site that has the necessary hardware and connectivity in place but doesn't have client data continuously updated. This means that, in the event of a disruption, a warm site may require some time to restore recent backups and configure systems to become fully operational. It offers a middle ground between the immediate availability of a hot site and the lack of infrastructure of a cold site.

Mitigation refers to the implementation of measures to reduce the impact of a threat or to reduce the likelihood of its occurrence. Establishing additional access controls to safeguard sensitive information makes it more difficult for unauthorized users to access this information, thus reducing the potential impact of a data breach. On the other hand, transferring the risk involves shifting the responsibility to another entity, such as through insurance. Avoiding the risk would mean completely eliminating the threat, which can be unrealistic for some risks, and accepting the risk would indicate no further actions to decrease its impact.

Implementing a file integrity monitoring solution that automatically checks the integrity of system and application software files is the correct answer because such a solution can detect changes to critical system files and software packages, alerting administrators if unauthorized modifications occur. Using automatic updates does not necessarily check for unauthorized modifications; it just updates software to the latest versions. Scanning with an antivirus checks for malware but does not validate software package integrity or unauthorized changes. Using a configuration management database is helpful for tracking changes but does not automatically monitor file integrity.

Installing biometric access controls on the data center doors is a preventive control that effectively stops unauthorized individuals from entering by requiring unique biological characteristics, such as fingerprints or retinal scans. This ensures that only authorized personnel can gain access, directly preventing unauthorized entry. Implementing CCTV (Closed-Circuit Television) cameras helps in monitoring and potentially deterring intruders but does not physically prevent access; it serves more as a deterrent and a detective control. Conducting regular security awareness training is important but focuses on educating employees rather than directly preventing unauthorized physical access. Reviewing access logs for suspicious activity is a detective control that identifies unauthorized access after it has occurred, not preventing it.

Network Address Translation (NAT) allows many devices to share an IP when accessing another network. Most commonly it is used to allow internal devices to share public IP addresses when accessing the internet. Benefits of NAT include minimizing the number of public IP addresses required (they cost money and for IPv4 there is a limited number available) as well as masking the origin of the request which provides security benefits. Generally NAT is used on a router or firewall.

The correct answer reflects the principle of data sovereignty, which dictates that data is subject to the laws and governance structures of the nation in which it is stored. Even if the company is not based in that nation, it must comply with those local laws. Companies often have to navigate complex legal environments, ensuring they comply with the laws in all the territories they operate in, including where their data resides.

Automated SIEM reports aggregate and correlate large volumes of log data to highlight suspicious patterns and potential incidents. While they save time by surfacing notable events, they are not authoritative verdicts. Security analysts must review the reports, validate the context of each alert, tune correlation rules, and separate true threats from false positives before initiating a response. Treating the reports as final decisions can lead to wasted effort on benign events or missed indications of compromise.

Cellular networks use geographically distributed base stations (cells) and seamless handovers so a mobile device can maintain voice and data sessions while moving. Bluetooth, NFC, and Wi-Fi Direct are short-range technologies that do not provide wide-area, tower-to-tower mobility.

An inline device is deployed directly on the network path; all traffic must pass through it. This is ideal for scenarios where traffic analysis and blocking potential threats is necessary. Furthermore, since the device must not be bypassed even if it fails, an inline device must be used instead of a tap or monitor mode, which allows traffic to bypass the device if it fails or is not active.

A playbook is a document that provides a step-by-step guide for responding to a specific type of security incident, such as ransomware or a data breach. A Business Impact Analysis (BIA) is an assessment used to identify critical business functions and determine the potential effects of their disruption. A risk register is a tool for documenting and tracking identified risks. An Acceptable Use Policy (AUP) is a policy that defines the rules and constraints for how users may use an organization's resources.

Reviewing security logs is a key part of security monitoring. It allows security professionals to track events that have occurred within the network. Monitoring these logs helps to identify any unauthorized actions, security incidents, or policy violations. Other options listed do not directly correspond to the activity of identifying unauthorized actions through monitoring.

A load balancer spreads client requests across several backend servers, optimizing resource utilization, reducing response times, and preventing any individual server from becoming overwhelmed. A proxy server merely acts as an intermediary for requests, an intrusion detection system monitors traffic for malicious activity, and a firewall enforces security rules; none of these devices natively distribute traffic among multiple servers the way a load balancer does.