CompTIA Security+ Practice Test (SY0-701)

This statement is misleading and thus incorrect. Compensating controls may mitigate the risk of identified vulnerabilities, but they do not replace the need for rescanning the system. Rescanning is essential to verify that vulnerabilities have been effectively addressed and that the compensating controls or applied patches are functioning as expected. Additionally, new vulnerabilities may have been discovered since the last scan, or changes to the system could introduce new security gaps, further necessitating rescanning. Incorrect answers might appear convincing because compensating controls do play a role in decreasing the risk of known vulnerabilities; however, they are not a substitute for the verification process provided by a follow-up scan.

An Intrusion Detection System (IDS) operates passively by monitoring network traffic and alerting administrators to suspicious activities without interfering with the traffic flow or introducing latency. It does not become a point of failure because it does not sit inline with the network traffic. In contrast, an Intrusion Prevention System (IPS) actively analyzes and can block or modify traffic to prevent threats, potentially introducing latency and becoming a point of failure. A firewall filters network traffic and can affect performance or interfere with legitimate traffic. A Content Filter inspects and potentially blocks specific content, which can also interfere with traffic and introduce latency.

Configuring DLP policies to monitor and block sensitive information being sent through IM helps prevent data leaks. The IM system can be set up to detect and stop the transmission of predetermined sensitive information patterns. Use of encryption would make messages secure in transit but would not prevent employees from sharing sensitive information. Restricting file permissions is unrelated to IM conversations. Manually reviewing message logs is less efficient and might not effectively prevent leaks compared to automated DLP mechanisms.

Complexity in security operations pertains to the intricacy of systems, processes, and technologies that could potentially increase their vulnerability to attacks. More complex systems are harder to manage and secure, because the likelihood of misconfiguration and undiscovered vulnerabilities increases. Simplifying systems can lead to more robust and easier to manage security postures.

This type of malware is called Ransomware. It holds data or information ransom until a fee is paid after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible as the CEO of the company they were targeted specifically via social media (spear phishing) but there isn't definitive evidence of this yet.

A screened subnet is a sectioned off perimeter network that is isolated from the internal network. The screened subnet provides additional security from external threats by housing public facing resources.

Attribute-based access control is the correct answer because it is a method that defines an access control paradigm whereby access rights are granted to users through the use of policies that combine different attributes. These attributes can be associated with the user, the resource being accessed, the current time, and even the current environmental conditions. This is different from role-based access control that focuses solely on the roles that users have, discretionary access control which allows owners to define access, and mandatory access control which enforces access based on a centralized policy.

Financial gain is the likely motivation because the attacker can use or sell the stolen credit card information for monetary profit. Espionage involves obtaining confidential information for strategic advantage, typically in a political or corporate context, which is not indicated here. Revenge would suggest the attacker has a personal vendetta against the company, but there is no such indication. Data exfiltration refers to the unauthorized transfer of data, but in this context, it's the means rather than the motivation.

Compensating controls are used as a substitute for primary controls when the primary control is not feasible or practical to implement. They provide an alternative way to mitigate risks and achieve the same level of security. For example, if a company cannot afford to implement a firewall (a preventive control), they may use a virtual private network (VPN) as a compensating control to protect their network traffic.

Exposure Factor is the percentage of the asset's value that is estimated to be lost due to a security incident. It represents the magnitude of the impact should a security breach occur in terms of the asset's value. In this scenario, identifying the percentage of the $2 million in assets that would potentially be lost during a network compromise is a direct application of the 'Exposure Factor' concept.

Data owners are usually individuals in senior management and have overall responsibility for the data within their area of the organization. The data owner for HR data would typically be senior staff within the HR department.

An Uninterruptible Power Supply (UPS) provides backup power to the infrastructure in the event of a power outage, ensuring the servers remain operational until either the main power is restored or a longer-term solution like a generator can take over. Surge protectors, while they protect against voltage spikes, do not provide power during an outage. Redundant power supplies ensure the servers can continue to operate if one power supply fails, but they require power from an external source and will not protect against an outage. Battery banks can store power but generally do not switch as rapidly as a UPS to provide uninterrupted power.

Total cost of ownership includes the direct and indirect costs incurred throughout the life cycle of a security control, encompassing purchase price, maintenance fees, operational costs, and potential training expenses. This is critical as it reflects the overall investment needed and impacts the budgeting and financial planning of an organization's security strategy. Other options, like the time-to-market or the number of users, may indirectly influence costs but are not direct financial considerations on their own. The time to remediate vulnerabilities focuses on the duration of the response rather than on financial implications.

Restoring data from backups and applying patches to affected systems are actions that limit the damage after an incident, making them examples of corrective controls. These steps aim to fix the issues caused by the breach and prevent further impact. Conducting a forensic analysis is a detective control, as it involves identifying how the breach occurred. Implementing stronger network firewalls is a preventive control designed to stop future incidents. Displaying warning banners is a deterrent control meant to discourage unauthorized access.

The correct answer is the implementation of real-time threat intelligence integrated with security systems for dynamic risk assessment, which exemplifies a continuous risk assessment approach. This approach ensures immediate identification and evaluation of risks as they emerge, allowing for prompt risk management actions. The other options describe more periodic, reactionary, and infrequent methods, which do not reflect the ongoing nature inherent to continuous risk assessment.

RSA uses mathematically linked public and private keys to encrypt or sign data, making it an asymmetric algorithm. The other listed algorithms-AES, Blowfish, and RC4-are all symmetric ciphers that rely on the same shared key for both encryption and decryption.

Pre-installed software that is not necessary for the user's activities-commonly called bloatware-can pose a security risk if it contains unpatched vulnerabilities. Because this software is often unmanaged, it can increase the device's attack surface. Attackers may exploit flaws in the unused software or its background services even if employees never actively launch the applications. Therefore, the main concern is the presence of potentially vulnerable code, not how frequently employees use the software.

The scenario describes a directory traversal attack, also known as a path traversal attack. This attack manipulates input variables, like parts of a URL, with 'dot-dot-slash' ("../") sequences to navigate the server's file system and access files or directories outside the intended web root folder.

• SQL injection (SQLi) is an attack that targets the application's database by injecting malicious SQL code into input fields.
• Cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, typically to steal session cookies or other sensitive information.
• Privilege escalation is the act of gaining elevated rights and permissions, which could be a goal or result of an attack like directory traversal, but it is not the attack method itself.

A guideline is a general rule, principle, or piece of advice that is intended to advise or guide behavior within an organization. Guidelines are not mandatory or enforceable but serve to direct consistent security practices throughout an entity.

Automating the de-provisioning of user accounts based on triggers from an HR system is the most effective solution. This approach ensures that access is revoked promptly and consistently as soon as an employee's status changes in the authoritative source (the HR system), which significantly reduces the risk of human error or delays inherent in manual processes. While stricter manual reviews, immediate password changes, and periodic audits are all valid security controls, they do not address the root cause of the problem as effectively as automation. Audits are a detective control, whereas automation is a preventative control that stops the issue from occurring.