CompTIA SY0-701 Practice Test

Prepare smarter and boost your chances of success with our CompTIA SY0-701 Practice test. This test helps you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the SY0-701 practice exam are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA SY0-701 certified.

Updated On : 11-Sep-2025
715 Questions

Page 11 out of 72 Pages

During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?

A. Analysis

B. Lessons learned

C. Detection

D. Containment

A.   Analysis

Explanation: Analysis is the incident response activity that describes the process of understanding the source of an incident. Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor’s motives and capabilities. Analysis helps the incident response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents. Analysis is usually performed after detection and before containment, eradication, recovery, and lessons learned.
References: CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13.

Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?

A. ARO

B. RTO

C. RPO

D. ALE

E. SLE

D.   ALE

Explanation:
The Annualized Loss Expectancy (ALE) is the most useful metric for comparing the long-term cost of risk transfer (e.g., purchasing insurance) against the impact of the risk itself. The ALE represents the expected monetary loss per year due to a specific risk. It is calculated as:

ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

SLE is the cost of a single occurrence of the risk (e.g., $10,000 per incident).

ARO is the estimated number of times the risk is expected to occur in a year (e.g., 0.5 times per year).

If the annual cost of transferring the risk (e.g., insurance premium) is less than the ALE, it may be financially justified to transfer the risk. Conversely, if the transfer cost is higher than the ALE, it might be more cost-effective to accept or mitigate the risk.

Analysis of Incorrect Options:

A. ARO (Annualized Rate of Occurrence):
This represents how often a threat is expected to occur annually (e.g., twice a year). While it is a component of ALE, it does not account for the cost of the risk, so it alone cannot determine if transfer is cost-effective.

B. RTO (Recovery Time Objective):
This is the maximum acceptable downtime after a disaster before business operations must resume. It is a metric used in business continuity planning, not quantitative risk analysis for cost comparisons.

C. RPO (Recovery Point Objective):
This is the maximum acceptable amount of data loss measured in time (e.g., losing no more than 1 hour of data). Like RTO, it is used for disaster recovery planning and does not help calculate financial impacts for risk decisions.

E. SLE (Single Loss Expectancy):
This is the cost of a single occurrence of a risk (e.g., $50,000 per data breach). While it is part of the ALE calculation, it does not account for how often the risk occurs annually, so it cannot represent the long-term cost.

Reference:
This question falls under Domain 5.0: Security Program Management and Oversight, specifically quantitative risk analysis. ALE is a key formula used to prioritize risks and make cost-effective decisions about risk treatment (avoid, transfer, mitigate, accept). It is central to frameworks like NIST SP 800-30 (Risk Management Guide).

Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?

A. IDS

B. ACL

C. EDR

D. NAC

C.   EDR

Explanation:
EDR (Endpoint Detection and Response) is a security solution that continuously monitors and collects endpoint data (e.g., workstations, servers), uses behavioral analysis to identify suspicious activities, and provides capabilities to investigate and respond to threats. It is specifically designed to detect and prevent the installation and execution of malware (like viruses and Trojans) and is highly effective at identifying and stopping lateral movement across a network by isolating compromised endpoints.

Why the others are incorrect:

A) IDS (Intrusion Detection System):
An IDS is a network-based (NIDS) or host-based (HIDS) monitoring system that detects and alerts on suspicious activity but typically lacks the integrated response capabilities to actively prevent the initial installation or stop lateral movement on its own.

B) ACL (Access Control List):
An ACL is a fundamental network security feature (on routers, switches, or firewalls) that filters traffic based on rules (e.g., allow/deny by IP address/port). While it can be used to segment a network and inhibit lateral movement, it is not specifically designed to protect an individual computer from malware installation. It operates at the network level, not the endpoint level.

D) NAC (Network Access Control):
NAC is a solution that enforces security policies on devices attempting to access the network. It checks for compliance (e.g., updated antivirus, OS patches) before granting access. Its primary role is to prevent initial network access by unauthorized or non-compliant devices, but it is not focused on continuous monitoring and response to threats after a device is already on the network, which is when lateral movement occurs.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") which specifically lists Endpoint Detection and Response (EDR) as a key security solution. EDR's role in containing threats and preventing lateral movement is a core concept in modern security architecture.

A business needs a recovery site but does not require immediate failover. The business also wants to reduce the workload required to recover from an outage. Which of the following recovery sites is the best option?

A. Hot

B. Cold

C. Warm

D. Geographically dispersed

C.   Warm

Explanation:
A Warm site is the best option in this scenario because it balances cost, recovery time, and administrative effort. It typically includes pre-configured infrastructure (like servers, network equipment, and power) but may not have live data or fully synchronized systems. This reduces the workload during recovery compared to a cold site (where everything must be set up from scratch) while still being more cost-effective than a hot site (which requires continuous maintenance and data synchronization). Since the business does not require immediate failover, the slightly longer recovery time of a warm site is acceptable.

Why the other options are incorrect:

A. Hot site:
A hot site is fully operational with real-time data replication, allowing for immediate failover. However, it is the most expensive option and requires significant ongoing maintenance (workload) to keep systems synchronized. This exceeds the business’s requirements.

B. Cold site:
A cold site is the least expensive but requires the most workload to recover. It is essentially a bare-bones facility with basic infrastructure (power, cooling), but all hardware, software, and data must be restored manually after an outage. This contradicts the goal of reducing recovery workload.

D. Geographically dispersed:
This refers to distributing resources across multiple locations to mitigate regional risks (e.g., natural disasters). It is a strategy that can be applied to any site type (hot, warm, cold) but does not define the recovery site’s readiness level. The business needs a specific site type (warm) that meets its cost and workload constraints.

Reference:
This question tests knowledge of disaster recovery site types and their trade-offs.

This falls under Domain 5.4: Explain the key aspects of business continuity and disaster recovery of the CompTIA Security+ SY0-701 exam objectives.

Warm sites are commonly recommended for organizations that need a balance between cost and recovery capabilities, as outlined in frameworks like NIST SP 800-34 (Contingency Planning Guide) and industry best practices. They offer a practical solution for businesses that can tolerate a short downtime without the high expense of a hot site.

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?

A. Hacktivist

B. Whistleblower

C. Organized crime

D. Unskilled attacker

C.   Organized crime

Explanation:
This question requires matching the threat actor profile to the specific activity: being hired by a foreign government to attack critical systems in other countries.

C. Organized crime is correct.
Cyber-organized crime groups are highly sophisticated, well-funded, and operate for financial profit. They often act as cyber mercenaries or are contracted as APT (Advanced Persistent Threat) groups by nation-states. This practice is known as a "proxy" attack. The foreign government benefits from plausible deniability ("it wasn't us, it was a criminal group") while still achieving its strategic goals. Attacking critical systems requires significant skill and resources, which organized crime possesses.

A. Hacktivist is incorrect.
Hacktivists are motivated by ideology (social, political, or religious beliefs). They are not typically motivated by financial gain and are therefore less likely to be "hired." Their actions are usually aimed at raising awareness or causing disruption to a specific cause, not carrying out sophisticated attacks on behalf of a government.

B. Whistleblower is incorrect.
A whistleblower is an insider who exposes wrongdoing, illegal activities, or unethical practices within an organization to the public or authorities. Their goal is typically transparency and accountability, not conducting cyber attacks for a foreign government.

D. Unskilled attacker is incorrect.
Unskilled attackers (often called "script kiddies") lack the technical expertise to attack critical national infrastructure. They use pre-written scripts and tools to exploit well-known vulnerabilities. A foreign government would not hire an unskilled actor for a mission targeting critical systems due to the high likelihood of failure and detection.

Reference:
CompTIA Security+ SY0-701 Objective 1.5: "Explain different threat actor models and attributes." This objective requires understanding the motivations, attributes, and targets of different threat actors, including organized crime groups and their role in targeted attacks, often on behalf of nation-states.

A visitor plugs a laptop into a network jack in the lobby and is able to connect to the company's network. Which of the following should be configured on the existing network infrastructure to best prevent this activity?

A. Port security

B. Web application firewall

C. Transport layer security

D. Virtual private network

A.   Port security

Explanation:

Why A is Correct:
Port security is a feature on network switches that restricts which devices can connect to a physical network port. It can be configured to:

Allow only specific MAC addresses to use a port (sticky learning or static entries).

Limit the number of MAC addresses on a port (to prevent hubs/switches from being connected).

Take action (e.g., shut down the port, drop traffic) if an unauthorized device connects.

In this scenario, configuring port security on the switch port connected to the lobby jack would prevent unauthorized devices (like the visitor's laptop) from gaining access to the network, as its MAC address would not be allowed.

Why B is Incorrect:
A web application firewall (WAF) is designed to protect web applications by filtering and monitoring HTTP traffic. It is not used to control physical access to network ports or prevent unauthorized devices from connecting at the network layer.

Why C is Incorrect:
Transport Layer Security (TLS) is a protocol for encrypting data in transit. It protects the confidentiality of communications but does nothing to prevent an unauthorized device from physically connecting to a network jack and accessing the network.

Why D is Incorrect:
A virtual private network (VPN) is used to provide secure remote access over the internet. It is irrelevant to preventing a physical device from connecting to an internal network jack. In fact, if a visitor plugs into the network, they are already on the internal network and would not need a VPN.

Reference:
This question falls under Domain 2.0: Architecture and Design, specifically covering network security controls. Port security is a fundamental switch configuration best practice to prevent unauthorized access via physical network jacks, aligning with the principle of controlling physical network access.

After performing an assessment, an analyst wants to provide a risk rating for the findings. Which of the following concepts should most likely be considered when calculating the ratings?

A. Owners and thresholds

B. Impact and likelihood

C. Appetite and tolerance

D. Probability and exposure factor

B.   Impact and likelihood

Explanation: When calculating risk ratings, the concepts of impact and likelihood are most likely to be considered. Risk assessment typically involves evaluating the potential impact of a threat (how severe the consequences would be if the threat materialized) and the likelihood of the threat occurring (how probable it is that the threat will occur).

Impact:
Measures the severity of the consequences if a particular threat exploits a vulnerability. It considers factors such as financial loss, reputational damage, and operational disruption.

Likelihood:
Measures the probability of a threat exploiting a vulnerability. This can be based on historical data, current threat landscape, and expert judgment.

Reference:
CompTIA Security+ SY0-701 Exam Objectives, Domain 5.2 - Risk management process (Risk assessment: impact and likelihood).

Which of the following is used to validate a certificate when it is presented to a user?

A. OCSP

B. CSR

C. CA

D. CRC

A.   OCSP

Explanation:
The correct answer is A. OCSP (Online Certificate Status Protocol).

When a user's browser or application is presented with a digital certificate (e.g., when visiting an HTTPS website), it needs to verify two main things:

That the certificate was issued by a trusted Certificate Authority (CA) and is valid (not expired, with a proper signature chain).

That the certificate has not been revoked by the CA before its expiration date.

OCSP (Online Certificate Status Protocol) is a method used specifically for this second step: validating that a certificate is still valid and has not been revoked.

Instead of downloading a full list of all revoked certificates (a CRL), the client sends a query to an OCSP responder (hosted by the CA) with the certificate's serial number. The OCSP responder sends back a signed response stating whether the certificate is "good," "revoked," or "unknown."

This provides real-time (or near-real-time) validation of a certificate's status at the moment it is presented.

Why the other options are incorrect:

B. CSR (Certificate Signing Request):
A CSR is a file generated by an applicant who wants a certificate. It contains the public key and identifying information to be included in the certificate. The CA uses the CSR to create the actual certificate. A CSR is used to request a certificate, not to validate one that has been presented.

C. CA (Certificate Authority):
The CA is the trusted entity that issues the certificate. The user's system trusts the CA's root certificate, which allows it to validate the cryptographic signature on the presented certificate. However, the CA itself is not the mechanism used for the daily, real-time validation of revocation status. The CA provides the infrastructure for OCSP or CRLs to perform that specific function.

D. CRC (Cyclic Redundancy Check):
A CRC is an error-detecting code used in digital networks and storage devices to detect accidental changes to raw data (e.g., to check for file corruption). It has nothing to do with PKI or digital certificate validation. This is a distractor.

Reference:
This is a core concept of Public Key Infrastructure (PKI) and is covered in the CompTIA Security+ SY0-701 objectives under Domain 3.3: Given a scenario, implement secure protocols.

The two primary methods for checking certificate revocation are:

CRL (Certificate Revocation List): A periodically updated list of revoked certificates that clients can download and check.

OCSP (Online Certificate Status Protocol): A real-time request/response protocol for checking a certificate's status.

A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability?

A. Secure cookies

B. Version control

C. Input validation

D. Code signing

C.   Input validation

Explanation:
Cross-site scripting (XSS) is a vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. This often occurs when a web application takes input from a user (like a form field) and displays it back on a page without properly checking or sanitizing it.

C. Input validation is correct.
This is the primary defense against XSS attacks. Input validation involves checking and sanitizing all user-supplied input before it is processed by the application. Techniques include:

Allow-listing:
Only accepting characters that are known to be safe for a specific field (e.g., only numbers in a zip code field).

Sanitization:
Removing or encoding potentially malicious characters (like < > " ' / &).

By validating input, the application prevents the malicious script from being injected in the first place.
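An added illustration (not part of the practice test or its explanation) of the two techniques listed above, allow-listing for strictly formatted fields and sanitization by encoding for free text, as a small Node.js module; the field names and patterns are assumptions chosen for the example.

```javascript
// Added example, not from the practice test: allow-list validation and
// output encoding for web form fields, the two XSS defences the
// explanation lists. Field names and patterns below are hypothetical.

// Allow-list rules per form field: only input matching the pattern is
// accepted, so markup or script characters can never reach the page.
const FIELD_RULES = {
  zip: /^\d{5}(-\d{4})?$/,            // US ZIP or ZIP+4, digits only
  username: /^[A-Za-z0-9_]{3,20}$/,   // letters, digits, underscore
};

// Allow-list check: true only when the whole value matches the
// format known to be safe for that field.
function isAllowed(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule || typeof value !== 'string') return false;
  return rule.test(value);
}

// The characters named in the explanation (< > " ' / &) mapped to
// HTML entities. One pass over the string replaces each occurrence,
// so '&' in the input is never double-encoded.
const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Sanitization by encoding: free-text fields cannot be allow-listed as
// strictly, so every special character is encoded before the value is
// echoed into an HTML page. The browser then renders the text literally
// instead of interpreting it as markup or script.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ENTITIES[ch]);
}

// Handle one submitted field: strict fields must pass the allow-list and
// are rejected otherwise; free-text fields are encoded. `safe` is the
// only thing that should ever be placed into the response HTML.
function processField(field, value) {
  if (field in FIELD_RULES) {
    return isAllowed(field, value)
      ? { ok: true, safe: value }
      : { ok: false, safe: '', reason: `rejected ${field}: not allow-listed` };
  }
  return { ok: true, safe: encodeHtml(value) };
}

// Constructed sample submissions (not real traffic) to show both paths.
const samples = [
  ['zip', '90210'],
  ['zip', '902<script>'],
  ['comment', '5 stars & <b>fast</b> <script>alert(1)</script>'],
];
for (const [field, value] of samples) {
  console.log(field, JSON.stringify(value), '=>', processField(field, value));
}
```

The rejected ZIP never reaches the page at all, while the encoded comment reaches it only as inert text; in a real application the same encoding must be applied at every point where the value is written into HTML.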

A. Secure cookies is incorrect.
The Secure cookie attribute ensures cookies are only sent over encrypted HTTPS connections. This protects against cookie theft via eavesdropping but does nothing to prevent the injection of a malicious script that could steal cookies via other means.

B. Version control is incorrect.
Version control systems (like Git) manage changes to source code over time. While they are a critical development best practice for tracking changes and collaborating, they do not directly prevent code-level vulnerabilities like XSS from being introduced.

D. Code signing is incorrect.
Code signing uses digital certificates to verify the author of a software program and ensure the code has not been altered after it was signed. It is used to establish trust and integrity for distributed software (like executables or scripts). It does not prevent vulnerabilities within the application's own logic, such as a lack of input validation.

Reference:
CompTIA Security+ SY0-701 Objective 3.2: "Given a scenario, implement secure coding practices." Input validation is a fundamental secure coding practice explicitly listed to mitigate common web application vulnerabilities, including cross-site scripting (XSS).

An organization is adopting cloud services at a rapid pace and now has multiple SaaS applications in use. Each application has a separate log-in, so the security team wants to reduce the number of credentials each employee must maintain. Which of the following is the first step the security team should take?

A. Enable SAML

B. Create OAuth tokens.

C. Use password vaulting.

D. Select an IdP

D.   Select an IdP

Explanation:
The first step in reducing the number of credentials employees must maintain across multiple SaaS applications is to select an Identity Provider (IdP). An IdP (e.g., Azure AD, Okta, Ping Identity) serves as the central authority for authenticating users and managing their identities. Once an IdP is in place, the organization can implement Single Sign-On (SSO) protocols like SAML or OIDC, allowing users to authenticate once with the IdP and gain access to all integrated applications without needing separate credentials for each. Choosing the IdP is the foundational step, as it will determine the standards and methods for integrating with the various SaaS applications.

Analysis of Incorrect Options:

A. Enable SAML:
Security Assertion Markup Language (SAML) is a protocol used for implementing SSO. However, enabling SAML requires first having an IdP in place to generate and validate SAML assertions. You cannot enable SAML without first selecting and configuring the IdP that will act as the SAML authority.

B. Create OAuth tokens:
OAuth is a protocol for authorization (delegated access), not primarily for authentication or credential reduction. While OAuth can be used in conjunction with OpenID Connect (OIDC) for SSO, it still relies on an underlying IdP to manage identities. Creating tokens is not the first step; establishing the IdP is.

C. Use password vaulting:
Password vaulting (or password managers) can help users manage multiple credentials, but it does not reduce the number of credentials—it only stores them securely. Each application still requires a separate password, and the organization does not gain centralized control over authentication. This is a workaround, not a solution for integrated SSO.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically identity and access management in cloud environments. Implementing SSO via an IdP is a best practice for managing identities across multiple SaaS applications, as discussed in frameworks like NIST SP 800-63 (Digital Identity Guidelines) and cloud security recommendations. The IdP centralizes authentication, improves security, and enhances user experience.
