CompTIA SY0-701 Practice Test

Prepare smarter and boost your chances of success with our CompTIA SY0-701 practice test. This test helps you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the SY0-701 practice exam are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA SY0-701 certified.

17150 already prepared
Updated On : 11-Sep-2025
715 Questions
4.8/5.0

Page 14 out of 72 Pages

A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?

A. Packet captures

B. Vulnerability scans

C. Metadata

D. Dashboard

D.   Dashboard

Explanation:

Dashboard:
A dashboard is the most effective tool for presenting high-level, summarized data to executive leadership like a board of directors. It can visually represent key metrics (like the number of incidents per quarter, trends over time, incident severity, etc.) through charts, graphs, and scorecards. This format is designed for quick comprehension and strategic decision-making without overwhelming the audience with technical details.

Why the other options are incorrect:

A. Packet Captures:
These are raw, low-level network data files (pcaps) containing the contents of every packet. They are invaluable for deep technical analysis by security engineers but are completely unsuitable for a board report. They are not summarized, are extremely technical, and would be meaningless to a non-technical audience.

B. Vulnerability Scans:
These reports detail potential weaknesses in systems. While important for IT staff to prioritize patching, they represent potential risk, not actual incidents that have impacted the organization. Presenting a list of vulnerabilities would be irrelevant to the board's specific request for incident reports and would likely cause unnecessary alarm.

C. Metadata:
This is data about data (e.g., file creation date, author, size). While metadata can be crucial in a forensic investigation to understand an incident, it is not a tool for presentation. Presenting raw metadata to the board would be disjointed, lack context, and fail to provide the clear, aggregated summary they require.

Reference:
This scenario falls under security reporting and communication, a key part of governance and risk management. The ability to tailor reports for different audiences (technical staff vs. executive board) is a critical skill.

This aligns with Domain 5.3: Explain the importance of policies to organizational security and the general communication objectives found throughout the SY0-701 exam. Dashboards are a standard tool for executive-level risk reporting.

A technician wants to improve the situational and environmental awareness of existing users as they transition from remote to in-office work. Which of the following is the best option?

A. Send out periodic security reminders.

B. Update the content of new hire documentation.

C. Modify the content of recurring training.

D. Implement a phishing campaign.

C.   Modify the content of recurring training.

Explanation:
Modifying the content of recurring training is the best option to improve situational and environmental awareness for existing users during a transition from remote to in-office work. Recurring training ensures that all current employees receive updated information about the physical security policies, environmental risks (e.g., tailgating, desk cleanliness), and procedural changes specific to the office environment. This approach is proactive, structured, and directly addresses the need to reacclimate employees to the in-office context.

Why the other options are incorrect:

A. Send out periodic security reminders:
While reminders can reinforce key points, they are often informal, easily overlooked, and may not provide the comprehensive coverage needed for a significant transition like returning to the office. Training is more systematic and ensures deeper engagement.

B. Update the content of new hire documentation:
This only affects new employees joining the company. It does not address the need to retrain existing users who are transitioning back to the office.

D. Implement a phishing campaign:
Phishing campaigns test and raise awareness about email-based social engineering attacks. While valuable for cybersecurity, they do not specifically address situational and environmental awareness (e.g., physical security, office protocols) required for the in-office transition.

Reference:
This question tests knowledge of effective security awareness training strategies for changing work environments.

This falls under Domain 5.2: Explain the importance of personnel security and security awareness training of the CompTIA Security+ SY0-701 exam objectives.

Recurring training is emphasized in frameworks like NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program) as a critical method to maintain and update employee awareness, especially during organizational changes. It ensures that all employees receive consistent and timely information tailored to current risks.

Which of the following would be used to detect an employee who is emailing a customer list to a personal account before leaving the company?

A. DLP

B. FIM

C. IDS

D. EDR

A.   DLP

Explanation:
To detect an employee who is emailing a customer list to a personal account before leaving the company, a Data Loss Prevention (DLP) system would be used. DLP systems are designed to detect and prevent unauthorized transmission of sensitive data.

DLP (Data Loss Prevention): Monitors and controls data transfers to ensure sensitive information is not sent to unauthorized recipients.

Why the other options are incorrect:

FIM (File Integrity Monitoring): Monitors changes to files to detect unauthorized modifications.

IDS (Intrusion Detection System): Monitors network traffic for suspicious activity but does not specifically prevent data leakage.

EDR (Endpoint Detection and Response): Monitors and responds to threats on endpoints but is not specifically focused on data leakage.

Reference:
CompTIA Security+ SY0-701 Exam Objectives, Domain 4.5 - Modify enterprise capabilities to enhance security (Data Loss Prevention).

In order to strengthen a password and prevent a hacker from cracking it, a random string of 36 characters was added to the password. Which of the following best describes this technique?

A. Key stretching

B. Tokenization

C. Data masking

D. Salting

D.   Salting

Explanation:
Salting is a technique where a unique, random string of characters (called a "salt") is generated and added to each password before it is hashed. This random string (36 characters in this question) is then stored alongside the hash in the database. The primary purpose of a salt is to defeat precomputation attacks, such as rainbow table attacks, by ensuring that even if two users have the same password, their stored hashes will be different because of the unique salt. This forces an attacker to crack each password individually, significantly increasing the time and computational resources required.

Analysis of Incorrect Options:

A. Key Stretching:
Key stretching (e.g., using algorithms like PBKDF2, bcrypt, or Argon2) is a technique designed to make a weak key (like a password) more secure by making the hashing process intentionally slow and computationally expensive. It involves applying the hash function multiple times. While salting and key stretching are often used together, they are distinct concepts. The question specifically describes adding a random string, which is the definition of salting.

B. Tokenization:
Tokenization is the process of replacing sensitive data (like a Primary Account Number - PAN) with a non-sensitive equivalent, called a token, which has no exploitable value. The token can be mapped back to the original data only through a secure tokenization system. This is commonly used in payment processing systems, not for password storage.

C. Data Masking:
Data masking is a method of creating a structurally similar but inauthentic version of an organization's data. The goal is to protect sensitive data while providing a functional alternative for use in software testing, user training, or analytics. It obfuscates data but is not used in the password hashing process.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically concerning cryptographic concepts. Salting is a fundamental and critical practice for secure password storage, directly related to the proper implementation of hashing functions.
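To make the distinction between salting and key stretching concrete, here is an added Python example (not part of the practice test): it stores two users' identical passwords with random 36-character salts, shows that the stored hashes differ and that a precomputed table of unsalted hashes no longer matches them, and uses PBKDF2 for the key-stretching step. The user names and the common-password list are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example, not from the practice test: per-user salting plus key stretching.
# A 36-character hex salt mirrors the question; the PBKDF2 iteration count is
# the key-stretching knob (kept modest so the demo runs quickly).
SALT_CHARS = 36
ITERATIONS = 50_000
# Constructed list of common passwords an attacker might precompute hashes for.
COMMON_PASSWORDS = ["password", "123456", "Winter2024!", "letmein"]

def make_salt() -> str:
    """Return a fresh random 36-character hexadecimal salt."""
    return secrets.token_hex(SALT_CHARS // 2)

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords give identical hashes, so one
    precomputed (rainbow) table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Salting and key stretching together: PBKDF2-HMAC-SHA256 of the password
    with the per-user salt, iterated to make each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               iterations).hex()

def store_password(password: str) -> dict:
    """Build the credential record: the salt is stored next to the hash."""
    salt = make_salt()
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": salted_hash(password, salt)}

def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def precomputed_table(words) -> dict:
    """Attacker's precomputed table: unsalted hash -> plaintext."""
    return {unsalted_hash(w): w for w in words}

def table_lookup(table: dict, stored_hash: str):
    """Return the plaintext if the stored hash is in the table, else None."""
    return table.get(stored_hash)

if __name__ == "__main__":
    alice = store_password("Winter2024!")   # two users, same weak password
    bob = store_password("Winter2024!")
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted hash in table:", table_lookup(table, unsalted_hash("Winter2024!")))
    print("salted hash in table:  ", table_lookup(table, alice["hash"]))
    print("alice and bob share a hash:", alice["hash"] == bob["hash"])
    print("login ok:", verify_password(alice, "Winter2024!"),
          "wrong password:", verify_password(alice, "winter2024!"))
```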

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?

A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53

B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53

D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

D.   Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

Explanation:
The goal is to allow outbound DNS traffic (port 53) only from the specific IP address 10.50.10.25 and block all other outbound DNS traffic. Firewall ACLs are typically processed in order, and the first matching rule is applied.

Option D correctly:
Permits outbound DNS traffic from the source IP 10.50.10.25/32 (a single host) to any destination (0.0.0.0/0).

Denies all other outbound DNS traffic (from any source to any destination on port 53).

This ensures only the specified device can send DNS requests outward.

Why the others are incorrect:

A: This would deny traffic from 10.50.10.25 and permit all other hosts, the opposite of the requirement (and because the permit-any rule is listed first, the deny line would never even be reached).

B: This permits traffic from any source to the destination 10.50.10.25 (inbound traffic to that IP), not outbound from it.

C: This permits all outbound DNS traffic but denies traffic destined for 10.50.10.25 (inbound to that IP), which does not restrict outbound requests by source.

Reference:
This question tests knowledge of Domain 3.3: Given a scenario, implement secure network designs (firewall rules and ACLs). Understanding how to write ACLs to enforce traffic filtering based on source/destination IP and port is critical for network security.
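To check the four options mechanically, here is an added Python example (not from the practice test) that parses each option's rules in the question's own line format, evaluates them first-match as the explanation describes, and reports which option gives the required verdict for constructed sample traffic; the packet addresses are made up for the demo.

```python
import ipaddress
from typing import NamedTuple

# Added example, not from the practice test: a first-match ACL evaluator that
# parses each answer option in the question's own line format and checks it
# against constructed outbound DNS traffic.

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # first address field: source network
    dst: ipaddress.IPv4Network    # second address field: destination network
    port: int                     # destination port

def parse_rule(line: str) -> Rule:
    """Parse 'Access list outbound <permit|deny> <src> <dst> port <n>'."""
    tok = line.split()
    if tok[:3] != ["Access", "list", "outbound"] or len(tok) != 8 or tok[6] != "port":
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return Rule(tok[3], ipaddress.ip_network(tok[4]),
                ipaddress.ip_network(tok[5]), int(tok[7]))

# The four answer options, copied from the question; rule order matters.
OPTIONS = {
    "A": ["Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53",
          "Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53"],
    "B": ["Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53",
          "Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53"],
    "C": ["Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53",
          "Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53"],
    "D": ["Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53",
          "Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53"],
}
ACLS = {name: [parse_rule(l) for l in lines] for name, lines in OPTIONS.items()}

# Constructed outbound DNS packets (src, dst, port) with the verdict the
# requirement demands: only 10.50.10.25 may reach external resolvers on 53.
TRAFFIC = [
    ("10.50.10.25", "8.8.8.8", 53, "permit"),
    ("10.50.20.7", "8.8.8.8", 53, "deny"),
    ("10.50.30.9", "1.1.1.1", 53, "deny"),
]

def evaluate(acl, src: str, dst: str, port: int, default: str = "deny") -> str:
    """First matching rule wins; an implicit deny applies if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if s in r.src and d in r.dst and port == r.port:
            return r.action
    return default

def meets_goal(acl) -> bool:
    """True if the ACL gives the required verdict for every sample packet."""
    return all(evaluate(acl, s, d, p) == want for s, d, p, want in TRAFFIC)

def satisfying_options() -> list:
    """Names of the answer options that actually enforce the requirement."""
    return [name for name, acl in ACLS.items() if meets_goal(acl)]

if __name__ == "__main__":
    for name, acl in ACLS.items():
        verdicts = [evaluate(acl, s, d, p) for s, d, p, _ in TRAFFIC]
        print(f"Option {name}: {verdicts} -> {'meets goal' if meets_goal(acl) else 'fails'}")
    print("Options meeting the goal:", satisfying_options())
```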

Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?

A. Encrypted

B. Intellectual property

C. Critical

D. Data in transit

B.   Intellectual property

Explanation:
The core function of a Research and Development (R&D) department is to create new products, designs, formulas, processes, and proprietary technologies. The primary output of their work is Intellectual Property (IP).

Intellectual Property refers to creations of the mind, such as inventions (patents), literary and artistic works (copyrights), designs, and symbols, names, and images used in commerce (trademarks). For a company, this is often its most valuable and sensitive asset.

The question states that these employees receive "extensive training" on protecting data. This highlights the extreme sensitivity of the data they handle. The loss or theft of intellectual property can cripple a company's competitive advantage, making it a paramount security concern. Therefore, it is the data type they are most likely to use and are specifically trained to protect.

Why the other options are incorrect:

A. Encrypted:
Encryption is a state of data (a security control), not a type of data. While the intellectual property handled by R&D should absolutely be encrypted (both at rest and in transit), this is not a classification of the data itself. All types of sensitive data, including intellectual property, critical data, and personal data, should be encrypted.

C. Critical:
Critical data is a broad classification for data that is essential for the continued operation of the business. While R&D data may also be considered critical, this term is too general. For example, financial transaction data or active directory data is also "critical," but it is not the primary focus of an R&D department. "Intellectual property" is a more precise and specific description of the data generated by R&D.

D. Data in transit:
This describes data that is moving across a network, not a type of data. Again, intellectual property (and other data types) will often be in transit, but this is a state of transfer, not a classification of the data's content or purpose. The R&D unit is focused on the content (IP), not solely on its transmission.

Exam Objective Reference:
This question relates to Domain 5.0: Governance, Risk, and Compliance, specifically understanding data classifications such as Intellectual Property (IP). It also touches on security awareness training tailored to specific roles and the data they handle.

A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network. Which of the following should the team do first to secure the environment?

A. Contain the impacted hosts.

B. Add the malware to the application blocklist.

C. Segment the core database server.

D. Implement firewall rules to block outbound beaconing.

A.   Contain the impacted hosts.

Explanation:
The correct answer is A. Contain the impacted hosts.

Following the NIST Incident Response Lifecycle (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident Activity), the immediate priority after confirming an incident is to prevent further damage or spread. This is the goal of the Containment phase.

Containment is the first strategic action. The team has identified specific compromised assets ("several corporate desktops"). The most direct and effective way to secure the environment is to immediately isolate these known compromised hosts.

This can be done by:

Disconnecting them from the network (logically or physically).

Isolating them in a VLAN.

Using endpoint detection and response (EDR) tools to quarantine the devices.

This action directly stops the malware from communicating with a command-and-control (C2) server, spreading to other systems, or exfiltrating data. It contains the known problem before addressing potential downstream effects.

Why the other options are incorrect:

B. Add the malware to the application blocklist.
This is an important eradication and preparation step, but it is not the first thing to do. The malware is already active on the endpoints. A blocklist prevents future execution but does nothing to stop the currently running malicious processes on the infected machines. Containment must come first.

C. Segment the core database server.
This is a valuable long-term preventative control (part of the Preparation and Recovery phases), but it is not the most direct incident response action. It is based on an assumption that the database is the next target, but there is no evidence yet that the malware has spread or what its objective is. The immediate priority is to contain the known compromised systems, not to reconfigure the network around potential targets.

D. Implement firewall rules to block outbound beaconing.
While this seems logical, it is a less precise and potentially disruptive action than direct containment.

It may not be effective:
The malware could be using encrypted channels (e.g., HTTPS, DNS tunneling) that are difficult to distinguish from legitimate traffic with simple firewall rules.

It could cause collateral damage:
Blocking outbound traffic could accidentally disrupt legitimate business operations.

It's a secondary action:
The most precise and guaranteed method to stop beaconing from the known infected hosts is to contain those hosts themselves. Once they are contained, the team can analyze the malware to determine its call-home signatures and then implement more precise network-level blocks.

Reference:
This aligns directly with the Containment, Eradication, and Recovery phase of the incident response lifecycle as defined in NIST Special Publication 800-61, Revision 2. The guide emphasizes that the immediate goal of containment is "stopping the incident before it can cause further damage." The strategy is to choose containment measures that "provide the most time for response while minimizing damage." Isolating the known compromised hosts is the most direct application of this principle.

During a recent breach, employee credentials were compromised when a service desk employee issued an MFA bypass code to an attacker who called and posed as an employee. Which of the following should be used to prevent this type of incident in the future?

A. Hardware token MFA

B. Biometrics

C. Identity proofing

D. Least privilege

C.   Identity proofing

Explanation:
To prevent the issuance of an MFA bypass code to an attacker posing as an employee, implementing identity proofing would be most effective. Identity proofing involves verifying the identity of individuals before granting access or providing sensitive information.

Identity proofing: Ensures that the person requesting the MFA bypass is who they claim to be, thereby preventing social engineering attacks where attackers pose as legitimate employees.

Which of the following topics would most likely be included within an organization's SDLC?

A. Service-level agreements

B. Information security policy

C. Penetration testing methodology

D. Branch protection requirements

B.   Information security policy

Explanation:
Within an organization's Software Development Life Cycle (SDLC), an Information Security Policy is a vital component. It outlines the rules and procedures for ensuring that the organization’s IT assets and data are protected throughout the development process. Ensuring secure coding practices, access controls, and regular security testing is fundamental in preventing vulnerabilities in applications.

Why the other options are incorrect:
Other options like service-level agreements and branch protection requirements are less likely to be integral to SDLC processes. Penetration testing methodology, while useful, is generally considered outside the scope of the SDLC.

A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?

A. Serverless architecture

B. Thin clients

C. Private cloud

D. Virtual machines

A.   Serverless architecture

Explanation:
Serverless architecture (e.g., AWS Lambda, Azure Functions) allows developers to deploy code without managing underlying servers or infrastructure. The cloud provider automatically handles scaling, patching, and maintenance. This significantly reduces the time and expense associated with code deployment because:

Developers focus solely on writing code, not configuring servers.

Costs are based on actual usage (execution time/resources), not idle server time.

Deployment is streamlined through integrated CI/CD pipelines, accelerating release cycles.

Why the others are incorrect:

B. Thin clients:
These are lightweight devices that rely on a central server for processing. They reduce endpoint costs but do not directly impact code deployment processes or expenses.

C. Private cloud:
This involves dedicated cloud infrastructure managed by the organization. While it offers control, it still requires significant time and expense for maintenance, scaling, and deployment compared to serverless.

D. Virtual machines (VMs):
VMs require managing entire guest OS instances, including updates, scaling, and provisioning. This adds overhead and cost compared to serverless, where the provider abstracts infrastructure management.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") and cloud cost optimization principles. Serverless computing is highlighted in modern DevOps practices for its agility and cost-efficiency, as it eliminates operational overhead and aligns with "pay-as-you-go" models.
