
A systems administrator is working on a defense-in-depth strategy and needs to restrict activity from employees after hours. Which of the following should the systems administrator implement?

A. Role-based restrictions

B. Attribute-based restrictions

C. Mandatory restrictions

D. Time-of-day restrictions

D.   Time-of-day restrictions

Explanation: To restrict activity from employees after hours, the systems administrator should implement time-of-day restrictions. This method limits access to network resources to specific times, so employees can only access systems during approved working hours. It is an effective part of a defense-in-depth strategy because it mitigates the risk of unauthorized access during off-hours, when security monitoring may be less stringent.

Time-of-day restrictions: Control access based on the time of day, preventing users from logging in or accessing certain systems outside of designated hours.

Role-based restrictions: Control access based on a user's role within the organization.

Attribute-based restrictions: Use various attributes (such as location, department, or project) to determine access rights.

Mandatory restrictions: Typically refer to non-discretionary access controls, such as those based on government or organizational policy.
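The following is an added example (not part of the practice test) of how a time-of-day restriction is evaluated at login time. The policy model, user names and shift windows are constructed for the demonstration; it goes slightly beyond the question by handling a night shift whose window crosses midnight, which is the edge case most home-grown implementations get wrong.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Hypothetical policy model (not from the page): a user may log in on the listed
# weekdays (0 = Monday ... 6 = Sunday) inside the [start, end) window, given in the
# organisation's local time. An end earlier than start means the window crosses
# midnight (a night shift).
@dataclass(frozen=True)
class TimeWindow:
    days: frozenset
    start: time
    end: time


def window_covers(window: TimeWindow, when: datetime) -> bool:
    """True if the local datetime 'when' falls inside the window."""
    t = when.time()
    if window.start <= window.end:
        # Same-day window such as 08:00-18:00.
        return when.weekday() in window.days and window.start <= t < window.end
    # Overnight window such as 22:00-06:00. The hours after midnight belong to the
    # shift that began on the previous calendar day.
    if t >= window.start:
        return when.weekday() in window.days
    if t < window.end:
        return (when - timedelta(days=1)).weekday() in window.days
    return False


def login_allowed(policy: dict, user: str, when: datetime) -> bool:
    """Deny by default: a user with no rule, or outside every window, is refused."""
    return any(window_covers(w, when) for w in policy.get(user, ()))


# Constructed policy: office staff 08:00-18:00 Monday to Friday; night operators
# 22:00-06:00 on Sunday through Thursday nights.
OFFICE_HOURS = TimeWindow(frozenset(range(0, 5)), time(8, 0), time(18, 0))
NIGHT_SHIFT = TimeWindow(frozenset({6, 0, 1, 2, 3}), time(22, 0), time(6, 0))
POLICY = {
    "alice": (OFFICE_HOURS,),
    "nightops": (NIGHT_SHIFT,),
}


def allowed_at(user: str, year: int, month: int, day: int, hour: int, minute: int = 0) -> bool:
    """Convenience wrapper used by the demonstration below."""
    return login_allowed(POLICY, user, datetime(year, month, day, hour, minute))


def decision_line(user: str, when: datetime) -> str:
    """The decision as it would be written to the authentication log."""
    verdict = "ALLOW" if login_allowed(POLICY, user, when) else "DENY"
    return f"{when.isoformat(timespec='minutes')} user={user} decision={verdict}"


if __name__ == "__main__":
    for user, when in [
        ("alice", datetime(2024, 6, 12, 10, 0)),     # Wednesday morning
        ("alice", datetime(2024, 6, 12, 21, 0)),     # Wednesday evening, after hours
        ("nightops", datetime(2024, 6, 10, 1, 0)),   # early Monday: Sunday-night shift
        ("nightops", datetime(2024, 6, 15, 1, 0)),   # early Saturday: no Friday shift
        ("mallory", datetime(2024, 6, 12, 10, 0)),   # no rule at all
    ]:
        print(decision_line(user, when))
```

Because the check is deny-by-default, adding a new user without a window blocks them until a rule exists, which is the safer failure mode for an after-hours control.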

Which of the following types of identification methods can be performed on a deployed application during runtime?

A. Dynamic analysis

B. Code review

C. Package monitoring

D. Bug bounty

A.   Dynamic analysis

Explanation:
Dynamic analysis is a security testing method that involves examining an application while it is running (during runtime). This is done in an environment that simulates production, allowing testers to observe the application's behavior, interaction with other systems, and responses to various inputs without needing access to the underlying source code. This makes it ideal for analyzing deployed applications.

Why not B?
Code review is a static analysis technique where the application's source code is examined line by line. This process is performed before the application is compiled and deployed, not during runtime.

Why not C?
Package monitoring typically refers to watching software packages for updates or changes in a repository. While important for security (e.g., detecting vulnerable library versions), it is not a method for identifying vulnerabilities within the application's runtime behavior itself. It is a dependency management activity.

Why not D?
Bug bounty is a program that incentivizes external security researchers to find and report vulnerabilities in an application. While researchers often use dynamic analysis as a technique to find bugs in a deployed application, the bug bounty program itself is the framework or policy, not the specific identification method.

Reference:
Domain 4.2: "Explain the security implications of proper hardware, software, and data asset management." This domain covers concepts like application security testing. The distinction between Static Application Security Testing (SAST - e.g., code review) and Dynamic Application Security Testing (DAST - e.g., dynamic analysis) is a key objective. DAST is explicitly for testing running applications.

A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal?

A. SPF

B. GPO

C. NAC

D. FIM

D.   FIM

Explanation:
FIM (File Integrity Monitoring) is a security process and technology that continuously monitors and checks files for changes. It creates a cryptographic baseline of files (e.g., system files, configuration files, critical data) and then regularly compares the current state against this baseline to detect any unauthorized modifications. If a change occurs, FIM generates an alert, allowing the security administrator to track and investigate the alteration. This directly meets the requirement to "secure data" and "track any changes."
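The baseline-and-compare cycle described above, as an added example in Python (not the practice test's code and not any FIM product). The monitored tree, file contents and "tampering" are constructed inside a temporary directory so the script runs offline; a real deployment would scan system paths and keep the baseline somewhere the monitored host cannot modify.

```python
import hashlib
import json
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mode")   # attributes recorded per file


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash, size and permission bits."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snapshot[p.relative_to(root).as_posix()] = {
            "sha256": _sha256(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return snapshot


def save_baseline(snapshot: dict, out: Path) -> None:
    out.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files; 'modified' names the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed /etc-like tree, tamper with it, and return the FIM report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("Authorised access only\n")
        for f in etc.iterdir():
            f.chmod(0o644)
        save_baseline(build_baseline(root), root / "baseline.json")

        # Simulated unauthorised changes: an extra account, a loosened permission,
        # a deleted file and a new startup script.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (etc / "hosts").chmod(0o666)
        (etc / "motd").unlink()
        (etc / "rc.local").write_text("#!/bin/sh\n")

        baseline = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()   # keep the stored baseline out of the rescan
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the permission bits alongside the hash matters: a file whose content is untouched but whose mode was loosened is still a change an administrator needs to track.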

Why not A?
SPF (Sender Policy Framework): SPF is an email authentication method used to prevent email spoofing by verifying that incoming mail from a domain comes from an authorized IP address. It is unrelated to monitoring file changes or data integrity.

Why not B?
GPO (Group Policy Object): GPOs are used in Windows environments to manage user and computer configurations centrally. While they can enforce security settings (e.g., permissions), they do not inherently monitor or track changes to files over time.

Why not C?
NAC (Network Access Control): NAC solutions enforce security policies on devices attempting to access a network (e.g., checking for antivirus installation). NAC controls network access but does not monitor file integrity or track changes to data.

Reference:
Domain 2.4: "Explain the purpose of mitigation techniques used to secure the enterprise." FIM is a critical control for detecting unauthorized changes, often required by compliance standards (e.g., PCI DSS). It aligns with the SY0-701 focus on implementing monitoring and integrity checks to protect data and systems.

A company tested and validated the effectiveness of network security appliances within the corporate network. The IDS detected a high rate of SQL injection attacks against the company's servers, and the company's perimeter firewall is at capacity. Which of the following would be the best action to maintain security and reduce the traffic to the perimeter firewall?

A. Set the appliance to IPS mode and place it in front of the company firewall.

B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput.

C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.

D. Configure the firewall to perform deep packet inspection and monitor TLS traffic.

A.   Set the appliance to IPS mode and place it in front of the company firewall.

Explanation: Given the scenario where an Intrusion Detection System (IDS) has detected a high rate of SQL injection attacks and the perimeter firewall is at capacity, the best action would be to set the appliance to Intrusion Prevention System (IPS) mode and place it in front of the company firewall. This approach has several benefits:
Intrusion Prevention System (IPS): Unlike an IDS, which only detects and alerts on malicious activity, an IPS can actively block it. Placing the IPS in front of the firewall means malicious traffic is filtered out before it reaches the firewall, reducing the firewall's load and enhancing overall security.

Reducing Traffic Load: By blocking SQL injection attacks and other malicious traffic before it reaches the firewall, the IPS helps maintain the firewall's performance and prevents it from becoming a bottleneck.

Enhanced Security: The IPS provides an additional layer of defense, identifying and mitigating threats in real time.

Option B (Convert the firewall to a WAF and use IPSec tunnels) would not effectively address the primary issue of reducing traffic to the firewall. Option C (Set the firewall to fail open) would compromise security. Option D (Deep packet inspection) could be resource-intensive and might not alleviate the firewall capacity issue.

A systems administrator is auditing all company servers to ensure they meet the minimum security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow file has permissions beyond the baseline recommendation. Which of the following commands should the systems administrator use to resolve this issue?

A. chmod

B. grep

C. dd

D. passwd

A.   chmod

Explanation:
The chmod (change mode) command is used to modify the permissions of files and directories in Linux. The /etc/shadow file contains encrypted user passwords and is highly sensitive. The minimum security baseline typically requires strict permissions (e.g., 640 or 600) to prevent unauthorized access. If the permissions are too permissive (e.g., world-readable), chmod is the correct tool to restrict them.
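An added example (not the practice test's code) of the audit-then-remediate step behind this question: compare a file's mode bits against a baseline and clear only the bits the baseline does not allow, which is exactly what `chmod 640 /etc/shadow` does from the shell. The baseline values are a constructed illustration of what hardening guides typically list, and the demo runs against a temporary file standing in for /etc/shadow so it does not need root.

```python
import os
import stat
import tempfile

# Constructed baseline (assumption, not from the page): path -> maximum allowed mode.
PERMISSION_BASELINE = {
    "/etc/shadow": 0o640,    # root:shadow on many distributions; 0600 is also common
    "/etc/gshadow": 0o640,
    "/etc/passwd": 0o644,
}


def excess_bits(actual_mode: int, allowed_mode: int) -> int:
    """Permission bits present on the file that the baseline does not allow."""
    return actual_mode & ~allowed_mode & 0o7777


def audit_file(path: str, allowed_mode: int, remediate: bool = False) -> dict:
    """Compare a file's mode with the baseline; optionally tighten it (what chmod does)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # Never chmod through a symlink: the target may not be the file you expect.
        return {"path": path, "status": "skipped-symlink"}
    actual = stat.S_IMODE(st.st_mode)
    extra = excess_bits(actual, allowed_mode)
    result = {
        "path": path,
        "actual": oct(actual),
        "allowed": oct(allowed_mode),
        "excess": oct(extra),
        "status": "ok" if extra == 0 else "too-permissive",
    }
    if extra and remediate:
        # Clear only the disallowed bits, keeping anything stricter already in place.
        os.chmod(path, actual & allowed_mode)
        result["fixed_to"] = oct(stat.S_IMODE(os.stat(path).st_mode))
        result["status"] = "remediated"
    return result


def audit_baseline(baseline: dict, remediate: bool = False) -> list:
    """Run the check over every baseline entry that exists on this host."""
    return [audit_file(p, m, remediate) for p, m in baseline.items() if os.path.lexists(p)]


def demo() -> dict:
    """Stand-in for /etc/shadow: a temp file left world-readable, then tightened to 0640."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)   # the "beyond baseline" state from the question
        return audit_file(path, PERMISSION_BASELINE["/etc/shadow"], remediate=True)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    for row in audit_baseline(PERMISSION_BASELINE):   # read-only pass over the real paths
        print(row)
```

Reporting the excess bits rather than just "pass/fail" tells the auditor what was wrong (here the world-readable bit, 0o4), and masking with the allowed mode means a file that is already stricter than the baseline is left alone.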

Why not B?
grep: grep is used for searching text within files. It does not change file permissions and is irrelevant to fixing permission issues.

Why not C?
dd: dd is a utility for copying and converting raw data (e.g., disk cloning). It is not used for modifying file permissions.

Why not D?
passwd: The passwd command is used to change user passwords. While it interacts with /etc/shadow, it does not alter the file's permissions.

Reference:
Domain 3.3: "Given a scenario, implement security hardening practices." The SY0-701 objectives emphasize hardening systems by configuring proper file permissions. The chmod command is a fundamental tool for enforcing security baselines on Linux systems.

After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training?

A. Insider threat

B. Email phishing

C. Social engineering

D. Executive whaling

C.   Social engineering

Explanation:
Social engineering is the broad term for any technique that uses psychological manipulation to trick people into divulging confidential information or performing actions that compromise security. The scenario describes a phone call where the caller is using deception (pretending to act on behalf of the CFO and creating a false sense of urgency) to manipulate the user into providing credit card information. This is a classic social engineering attack.

Why the other options are incorrect:

A. Insider threat:
An insider threat involves a current or former employee, contractor, or business partner who has inside access and misuses that access to harm the organization. The scenario describes an external caller, not an insider.

B. Email phishing:
This is a specific type of social engineering attack that is carried out via email. The attack in the question was conducted over the phone, making this answer too narrow. The user recognized the broader manipulative tactic, not just the email-based version.

D. Executive whaling (or Whaling):
This is a highly targeted form of phishing aimed at high-level executives like the CFO. However, in this case, the attacker is pretending to represent the CFO to target a regular employee. The employee themself is not the "whale" or primary target; they are the means to get to the information. The user recognized the manipulative attempt, not necessarily that it was a whaling attack aimed at them.

Reference:
This question tests the understanding of social engineering techniques, a critical component of security awareness training.

This falls under Domain 5.2: Explain the importance of personnel security and security awareness training of the CompTIA Security+ SY0-701 exam objectives.

Recognizing and reporting all forms of social engineering (vishing, phishing, smishing, etc.) is a primary goal of effective security awareness programs. The user correctly identified the hallmarks of a social engineering attempt: authority, urgency, and a request for sensitive information.

Which of the following best describe why a process would require a two-person integrity security control?

A. To increase the chance that the activity will be completed in half of the time the process would take only one user to complete

B. To permit two users from another department to observe the activity that is being performed by an authorized user

C. To reduce the risk that the procedures are performed incorrectly or by an unauthorized user

D. To allow one person to perform the activity while being recorded on the CCTV camera

C.   To reduce the risk that the procedures are performed incorrectly or by an unauthorized user

Explanation:
The principle of two-person integrity (also known as two-person control or the two-man rule) is a security control designed to ensure that no single individual can complete a sensitive or high-risk task alone. This control directly addresses two key risks:

Malicious Activity:
It prevents a single unauthorized or rogue individual from performing a harmful action (e.g., transferring large sums of money, initiating a critical system change, accessing a secure vault).

Human Error:
It provides a built-in verification step, as the second person can review and confirm that the procedure is being performed correctly, thereby reducing the chance of mistakes.

The core purpose is to make collusion necessary for any compromise of a sensitive operation, significantly increasing the difficulty of subverting the process, whether through error or malice.

Analysis of Incorrect Options:

A. To increase the chance that the activity will be completed in half of the time:
This is incorrect. Involving a second person typically increases the time required to complete a task due to the necessary coordination and verification steps. Speed or efficiency is not the goal of this control; security and oversight are.

B. To permit two users from another department to observe:
This describes an audit or oversight function, not two-person integrity. The control requires two authorized participants who are both actively involved in the process, not passive observers from another department.

D. To allow one person to perform the activity while being recorded:
This describes a detective control (CCTV monitoring) that records activity for review after the fact. Two-person integrity is a preventive control that actively prevents the task from being completed without simultaneous, collaborative action from two authorized individuals.

Reference:
This concept falls under Domain 1.0: General Security Concepts, specifically related to security controls. Two-person integrity is a classic example of a preventive administrative control designed to enforce separation of duties for critical tasks. It is a fundamental principle in high-security environments like financial institutions, nuclear facilities, and military operations.

A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file's creator. Which of the following actions would most likely give the security analyst the information required?

A. Obtain the file's SHA-256 hash.

B. Use hexdump on the file's contents.

C. Check endpoint logs.

D. Query the file's metadata.

D.   Query the file's metadata.

Explanation:

Why D is Correct:
Metadata is data about data. For a file, metadata includes information such as the creation date, modification date, author, and other details embedded within the file itself. This information is stored in the file's headers and properties and can be accessed without needing external logs. Tools like exiftool (for various file types) or built-in system properties can reveal this metadata, directly providing the creation date and potentially the creator.

Why A is Incorrect:
Obtaining the SHA-256 hash of the file is useful for verifying the file's integrity and identifying known malware via hash databases. However, it does not provide any information about the creation date or the creator of the file.

Why B is Incorrect:
Using hexdump (or any hex editor) allows you to view the raw binary content of the file. While this might reveal some embedded metadata if you know where to look, it is a manual and error-prone process. Metadata is more efficiently and accurately extracted using dedicated tools rather than parsing hex dumps.

Why C is Incorrect:
Checking endpoint logs might show when the file was created or who accessed it, but this relies on the availability and integrity of logs. If logging was not enabled or logs were tampered with, this information may not be available. Metadata, however, is embedded in the file itself and is more directly accessible.

Reference:
This question falls under Domain 4.0: Operations and Incident Response, specifically covering digital forensics and investigation techniques. File metadata is a primary source of information for analysts during investigations, as it can provide crucial details about the origin and history of a file.

Which of the following allows for the attribution of messages to individuals?

A. Adaptive identity

B. Non-repudiation

C. Authentication

D. Access logs

B.   Non-repudiation

Explanation:
The question asks about attributing messages to individuals, meaning providing proof that a specific person sent a message and cannot deny having sent it.

B. Non-repudiation is correct.
Non-repudiation is a cryptographic and legal concept that provides undeniable proof of the origin and integrity of a message. It ensures that the sender of a message cannot later deny having sent it. This is typically achieved through digital signatures, which use asymmetric cryptography to bind a message to a specific private key, and by extension, to its owner.
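An added example (not from the practice test) of the mechanism described above: a digital signature that only the private-key holder can produce and anyone with the public key can check. It uses textbook RSA with deliberately tiny constructed parameters so every number fits on the page; real systems use 2048-bit or larger keys with a padding scheme such as RSASSA-PSS. The HMAC function at the end is included as the contrast: a MAC proves integrity to the key holders but cannot attribute a message to one of them, because both sides can produce the same tag.

```python
import hashlib
import hmac

# Constructed toy parameters (illustration only, not for real use).
P, Q = 61, 53
N = P * Q            # 3233: public modulus
E = 17               # public exponent
D = 2753             # private exponent: E * D = 46801 = 1 (mod lcm(P-1, Q-1) = 780)

PUBLIC_KEY = (N, E)      # published: anyone can verify
PRIVATE_KEY = (N, D)     # held only by the signer: only they can sign


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (the toy's stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == _digest(message, n)


def mac(message: bytes, shared_key: bytes) -> str:
    """Symmetric alternative: valid for integrity, useless for non-repudiation."""
    return hmac.new(shared_key, message, "sha256").hexdigest()


def demo() -> dict:
    message = b"Approve wire transfer #4711 for 25000 EUR"   # constructed message
    sig = sign(message)
    forged = (sig + 1) % N          # any other value fails: RSA is a permutation of Z_n
    key = b"shared-secret"          # constructed key known to sender AND receiver
    return {
        "signature": sig,
        "valid": verify(message, sig),
        "forged_valid": verify(message, forged),
        "altered_message_valid": verify(message + b" +1", sig),
        # Receiver computes the identical tag, so the tag cannot show who sent it.
        "receiver_can_reproduce_mac": mac(message, key) == mac(message, key),
    }


if __name__ == "__main__":
    print(demo())
```

The property that gives non-repudiation is visible in the code: `verify` needs only `PUBLIC_KEY`, while producing a signature that verifies needs `D`, which never leaves the signer. The HMAC has no such asymmetry, which is why access logs or shared-secret integrity checks cannot replace a signature for attribution.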

A. Adaptive identity is incorrect.
This is not a standard security term related to attribution. Identity adaptation might refer to dynamic access controls, but it does not provide proof of origin for messages.

C. Authentication is incorrect.
Authentication is the process of verifying a user's or system's identity (e.g., with a password or biometrics). It confirms who someone is at the time of login but does not, by itself, provide undeniable proof that a specific message came from them after the fact. Non-repudiation builds upon authentication.

D. Access logs are incorrect.
Access logs are records of who accessed what resource and when. They are a form of auditing and can provide evidence for investigation, but they are not a cryptographic mechanism that guarantees the origin and integrity of a specific message. Logs can be altered or disputed; non-repudiation provides much stronger, cryptographically verifiable evidence.

Reference:
CompTIA Security+ SY0-701 Objective 2.8: "Summarize cryptography concepts." Non-repudiation is a key service provided by digital signatures and public key infrastructure (PKI), ensuring that the sender of a message cannot deny their actions.

While investigating a recent security breach an analyst finds that an attacker gained access by SOL infection through a company website. Which of the following should the analyst recommend to the website developers to prevent this from reoccurring?

A. Secure cookies

B. Input sanitization

C. Code signing

D. Blocklist

B.   Input sanitization

Explanation:
The key detail in the question is that the breach was caused by an "SOL infection." This is a clear typo or misstatement; the intended term is SQL injection. SQL injection is a code injection technique that exploits vulnerabilities in an application's software by manipulating SQL queries sent to a database.

B. Input sanitization (Correct):
This is the primary and most effective defense against SQL injection attacks. Input sanitization involves cleaning and validating any user-supplied input to ensure it does not contain malicious characters or code that could alter the structure of an SQL query. Techniques include:

Prepared Statements (with Parameterized Queries):
This is the strongest method, where SQL code and data are sent separately, preventing the data from being interpreted as executable code.

Escaping User Input:
Adding a backslash before potentially dangerous characters in the input.

Whitelist Validation:
Only allowing input that matches a strict set of approved patterns.
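The three techniques just listed, as an added example in Python (not the practice test's code): the vulnerable lookup that concatenates user input into the query, the same lookup as a prepared statement with a parameterized query, and a whitelist validator layered in front of it. The table, rows and test input are constructed on an in-memory SQLite database so the script runs offline.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """The flaw behind the breach: untrusted text is pasted into the query string,
    so characters in the input can change the structure of the SQL statement."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """Prepared statement: the SQL text is fixed; the value travels separately and is
    only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_PATTERN = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(username: str) -> str:
    """Whitelist validation: accept only what a username is allowed to look like.
    Use it in addition to, never instead of, parameterized queries."""
    if not USERNAME_PATTERN.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return username


def lookup_hardened(conn, username: str) -> list:
    return lookup_parameterized(conn, validate_username(username))


def demo() -> dict:
    conn = make_db()
    probe = "' OR '1'='1"   # the textbook tautology, used here only as a test input
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),       # every user leaks
        "parameterized_rows": len(lookup_parameterized(conn, probe)), # no such username
        "alice": lookup_parameterized(conn, "alice"),
    }
    try:
        lookup_hardened(conn, probe)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected-by-validation"
    return results


if __name__ == "__main__":
    print(demo())
```

Note the division of labour: the parameterized query is what actually removes the injection (the probe simply matches no username), while the validator rejects the input earlier and gives the application a clean place to log and alert on malformed requests.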

Why the other options are incorrect:

A. Secure cookies (Incorrect):
Secure cookies (with the Secure and HttpOnly flags) protect session tokens from being intercepted over unencrypted connections or accessed via client-side scripts. This helps prevent session hijacking but does nothing to stop SQL injection, which exploits how the server processes input, not how cookies are handled.

C. Code signing (Incorrect):
Code signing is used to verify the integrity and authenticity of software code to ensure it has not been tampered with after being signed by the developer. It is a method for establishing trust in software distribution (e.g., ensuring a downloaded application is legitimate). It does not prevent SQL injection vulnerabilities within the application's code itself.

D. Blocklist (Incorrect):
A blocklist (or blacklist) approach involves creating a list of known bad SQL keywords or patterns to reject. This is an inferior and often ineffective defense because it is easy for attackers to bypass by obfuscating their input (e.g., using variations, encoding, or alternative keywords). Input sanitization using whitelisting and parameterized queries is a much more robust and recommended approach.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically covering secure application development and deployment. Mitigating SQL injection is a core application security objective, and input validation/sanitization is the primary mitigation technique as outlined by resources like OWASP (Open Web Application Security Project).

SY0-701 Practice Test