CompTIA Security+ Practice Test (SY0-701)

Detective controls are designed to identify and record unauthorized activities or access within a system or network. Intrusion Detection Systems (IDS) are a perfect example of detective controls since their main purpose is to detect potential security breaches, log security events, and alert systems or network administrators. While firewalls are used for prevention, and security policies guide user behavior, they are not primarily used to detect unauthorized activities.

A 'fail-open' configuration will allow traffic to pass through if the security device fails. This mode avoids interrupting the flow of traffic, which can be critical for business continuity but may pose a security risk by not filtering traffic during the outage.

Stateful firewalls maintain a state table for every connection. After the outbound SYN packet is permitted, the firewall records the session and automatically allows packets that match the connection parameters (source IP = server, destination IP = client, source port = 80, destination port = ephemeral). Therefore, no additional inbound rule is needed. Creating separate inbound rules on port 80 or on the client's ephemeral port range is unnecessary, and UDP behavior is irrelevant because HTTP uses TCP.

Implementing a federation service is the correct solution because it enables different authentication systems to interoperate by allowing them to trust and validate each other's users. It serves as a middle layer that manages and brokers identity information between organizations, thus simplifying cross-domain user access. Additionally, a federation service allows users to authenticate once and gain access to multiple applications, even if the underlying authentication protocols differ. Updating password management procedures or initiating enhanced user credential verification does not provide a method for protocol interoperability. Introducing additional network-layer security, such as an encrypted channel, does not address the core issue of authenticating users across different authentication protocols.

The correct answer is to conduct an impact analysis prior to deployment. An impact analysis is a process of understanding the potential consequences of changes, especially how they affect security controls and operations. By doing this, the company can identify potential security risks introduced by the update and take steps to mitigate them before the system goes live, ensuring that security is maintained throughout the change process. The other options, while they might be parts of the overall change management process, do not directly address the proactive identification and mitigation of security risks specific to the introduction of new software or updates.

Account lockouts are an effective mitigation strategy against brute force attacks because they prevent unlimited, rapid guessing of passwords by locking the account after a certain number of failed login attempts. This drastically reduces the attacker's ability to systematically try all possible password combinations, thus safeguarding against brute force attacks. While all other options can enhance security, they do not specifically address the prevention of brute force attacks on passwords as directly as account lockouts do. Strong password policies make it more difficult for brute force attacks to succeed but do not stop attempts. Monitoring for unauthorized access can detect an ongoing attack but may not prevent it. Disabling unused accounts helps reduce the attack surface but does not directly prevent a brute force attack on active accounts.

A Gap Analysis is a comprehensive review that is conducted to identify the discrepancies between the current security measures (baseline) and where the organization aims to be with respect to its security posture (target state). Understanding this difference helps organizations prioritize their security initiatives and improve their overall security. A risk assessment identifies and prioritizes risk, a business impact analysis determines the effects of service disruption, and threat modeling identifies security weaknesses from an attacker's perspective.

An air-gapped system is physically isolated from all other networks, including the Internet. Because no network interfaces remain connected, data cannot enter or leave electronically, providing maximum protection for highly sensitive assets. A host-based firewall, VLAN segmentation, or an IDS can restrict or monitor traffic, but all still depend on an active network connection and therefore cannot guarantee total isolation.

The correct answer is 'Cellular network' because it specifically refers to a system of distributed mobile communication that enables devices to send and receive data, voice, and video through radio waves with cell sites. The incorrect options, though related to mobile technology, do not directly describe the wireless communication system that provides high-speed data transmission to mobile users.

The IT staff member in this scenario is fulfilling the role of a Data Custodian. Data Custodians are responsible for the technical management and operations of data assets, ensuring that data is properly backed up, secured, and maintained. They implement the policies and controls specified by Data Owners but do not set or decide on those policies themselves.

A Data Owner is typically a senior individual who has authority over and accountability for a specific set of data, making decisions about data classification, access permissions, and policy decisions.

A Data Controller is an entity or individual that determines the purposes and means of processing personal data, often in the context of privacy laws, which is not directly relevant to the described duties.

A Data Processor is an entity that processes data on behalf of a Data Controller, but again, this role is more about processing activities rather than managing and maintaining data assets.

A vulnerability scanner is specifically designed to assess computers, systems, and networks for security weaknesses. These tools can check for misconfigurations, unpatched software, and other vulnerabilities, making it the most appropriate choice for the given task. Network sniffers are primarily used for capturing and analyzing network traffic and will not necessarily identify misconfigurations and unpatched systems. Protocol analyzers are best for diagnosing network communication issues but do not actively scan for vulnerabilities. Antivirus software protects against malware and is not a tool for scanning network infrastructures for vulnerabilities.

Software-defined networking (SDN) is the proper choice because it separates the control plane from the data plane, granting centralized management of the network. This central control facilitates fast, programmatically efficient network configuration changes, which traditional models that rely on individual device configurations cannot match. Network function virtualization focuses on optimizing network services themselves rather than providing dynamic traffic management and control, while a content delivery network is a distributed server system designed to serve content to users with high availability and high performance.

The correct answer is that segmentation reduces the attack surface within the network. By dividing the network into smaller segments, each with its own security controls and policies, the potential for an incident in one segment to affect others is limited, thus reducing the overall attack surface. Implementing VLANs or enforcing subnetting are common methods of achieving segmentation. Incorrect answers such as preventing data leakage and enhancing data encryption might seem plausible as they also relate to network security, but they are not the primary security benefits of segmentation. While increasing scalability is important, it is not directly a security benefit but rather an architectural one.

The correct answer is risk tolerance. Risk tolerance is the degree of risk or uncertainty an organization is willing to accept in pursuit of its objectives. When a company's strategic goals shift, as in this scenario from a conservative posture to an aggressive growth strategy, its willingness to take on risk (its risk tolerance) must be re-evaluated. The new fintech platform represents a higher-risk, higher-reward initiative, which necessitates a change in the company's established risk tolerance. The Recovery Point Objective (RPO) and Annualized Rate of Occurrence (ARO) are metrics used within risk management, but they do not represent the organization's overall willingness to accept risk. An Acceptable Use Policy (AUP) defines rules for technology use and would likely be updated, but the primary, high-level concept that needs reassessment due to a major strategic change is the overall risk tolerance.

The CISO should opt to accept the risks that cannot be fully mitigated due to budgetary constraints. This involves acknowledging that the risks exist, understanding the potential impact, and making a conscious decision not to take direct action to address them. Other strategies like transferring, avoiding, or mitigating the risks may be inappropriate or too costly in this situation compared to the value of the assets being protected.

Creating an air-gapped network that is not connected to the internet or any other networks is the most secure form of physical isolation. This prevents any form of remote access or cyberattack that depends on network connectivity. Using dedicated cabling still leaves the system connected to external networks; VLANs provide only logical segmentation on shared infrastructure; and firewalls merely filter traffic on connected networks, so none of those options achieve true physical isolation.

Financial gain is the likely motivation because the attacker can use or sell the stolen credit card information for monetary profit. Espionage involves obtaining confidential information for strategic advantage, typically in a political or corporate context, which is not indicated here. Revenge would suggest the attacker has a personal vendetta against the company, but there is no such indication. Data exfiltration refers to the unauthorized transfer of data, but in this context, it's the means rather than the motivation.

The correct measure when repurposing storage devices that previously contained sensitive data is to conduct a secure erasure process that adheres to industry standards (e.g., NIST SP 800-88), ensuring that the data recovery is not possible without extraordinary measures. Degaussing is also a method to sanitize data, but it's suitable for magnetic drives only and might not be practicable for solid-state drives (SSDs). Reformatting the drive is not secure enough, as most standard formatting procedures leave data recoverable. Running a standard antivirus scan, although important for detecting and removing malware, does not address the need to prevent data recovery from the storage device.

'Patch availability' is the correct consideration because it refers to the ability to obtain and apply vendor-provided patches or updates to fix security vulnerabilities. Ensuring that patches are available and can be applied promptly is essential for maintaining system security and integrity. 'Ease of recovery' pertains to restoring systems after failures, 'Compute capacity' relates to the processing resources of the systems, and 'Resilience' refers to the ability to withstand and recover from adverse conditions. None of these directly address the need to obtain and apply solutions to known vulnerabilities.

A retinal scan is an example of a 'something you are' factor in multifactor authentication, as it relies on the unique biological traits of an individual's retina. This factor is based on physical characteristics that are inherent to an individual and cannot be transferred or guessed, unlike a digital certificate which is 'something you have' or a password which is 'something you know'.