
Which of the following describes the process of concealing code or text inside a graphical image?

A. Symmetric encryption

B. Hashing

C. Data masking

D. Steganography

D.   Steganography

Explanation:
Steganography is the practice of hiding information (such as code, text, or files) within another file, message, or image in a way that avoids detection. The goal is to conceal the existence of the hidden data, making it appear as ordinary content. For example, hiding text inside a graphical image by slightly altering pixel values is a common steganography technique.

Why the others are incorrect:

A. Symmetric encryption:
This is a cryptographic method that uses the same key to encrypt and decrypt data. It focuses on securing data by making it unreadable (ciphertext) but does not hide the data within another file.

B. Hashing:
This is a one-way process that converts data into a fixed-size string of characters (hash value) for integrity verification. It does not conceal data; it produces a digest that cannot be reversed to obtain the original data.

C. Data masking:
This is a technique used to protect sensitive data by replacing it with fictional but realistic values (e.g., masking credit card numbers with asterisks). It is used for privacy but does not involve hiding data inside other files like images.

Reference:
This aligns with SY0-701 Objective 2.2 ("Summarize cryptography fundamentals"). Steganography is often contrasted with cryptography: while cryptography secures the content of a message, steganography hides the existence of the message. It is mentioned in the context of data obfuscation and covert communication channels.

Which of the following is most likely associated with introducing vulnerabilities on a corporate network by the deployment of unapproved software?

A. Hacktivists

B. Script kiddies

C. Competitors

D. Shadow IT

D.   Shadow IT

Explanation:
Shadow IT refers to the use of unauthorized hardware, software, or services within an organization without the approval or knowledge of the IT or security departments. When employees deploy unapproved software (e.g., cloud applications, personal devices, or unauthorized tools) on the corporate network, it introduces significant risks:

Unvetted software:
May contain vulnerabilities, malware, or misconfigurations.

Lack of oversight:
Bypasses security policies, updates, and compliance checks.

Increased attack surface:
Creates entry points for attackers.

This internal, unintentional threat is distinct from external threat actors like hacktivists, script kiddies, or competitors.

Why not the others?

A. Hacktivists:
External threat actors motivated by ideology; they attack networks but do not typically deploy unapproved software internally.

B. Script kiddies:
Inexperienced hackers using pre-made tools; they exploit existing vulnerabilities but do not introduce unapproved software via internal deployment.

C. Competitors:
External entities engaged in corporate espionage; they may steal data but are not responsible for internal policy violations like Shadow IT.

Reference:
Domain 1.2: "Compare and contrast common threat actors and motivations." Shadow IT is highlighted as an internal risk factor where employees inadvertently weaken security by bypassing controls, leading to vulnerabilities. The SY0-701 objectives emphasize the need for policies to mitigate such risks.

Which of the following is a common source of unintentional corporate credential leakage in cloud environments?

A. Code repositories

B. Dark web

C. Threat feeds

D. State actors

E. Vulnerability databases

A.   Code repositories

Explanation:
The key term in the question is "unintentional." This means the leakage is accidental, not the result of a malicious attack or sale.

A. Code repositories are correct.
Developers often use public code repositories (like GitHub, GitLab, or Bitbucket) to store and share code. A very common mistake is to accidentally hardcode sensitive information like API keys, access tokens, or corporate credentials directly into the source code and then push that code to a public or misconfigured repository. This exposes the credentials to anyone who can find the repository, making it a frequent and unintentional source of credential leakage.

B. Dark web is incorrect.
The dark web is a common destination for intentionally stolen and sold credentials. It is a source for threat actors to acquire credentials, but it is not the source of unintentional leakage from the corporation itself.

C. Threat feeds is incorrect.
Threat intelligence feeds provide information on known threats, indicators of compromise (IOCs), and malicious actors. They are a tool for defense, not a source of credential leakage.

D. State actors is incorrect.
State-sponsored actors are advanced threat groups that intentionally conduct espionage and cyber attacks to steal credentials and intellectual property. Their activities are malicious and intentional, not unintentional leakage.

E. Vulnerability databases is incorrect.
Databases like the National Vulnerability Database (NVD) catalog publicly disclosed software vulnerabilities (CVEs). They do not contain corporate credentials. A vulnerability might be exploited to gain credentials, but the database itself is not the source of the leakage.

Reference:
CompTIA Security+ SY0-701 Objective 4.2: "Explain the importance of appropriate data security and privacy practices." This includes concepts of data handling and the security risks associated with development practices, such as the exposure of secrets in code.

The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have most likely prevented this from happening?

A. Using least privilege

B. Changing the default password

C. Assigning individual user IDs

D. Reviewing logs more frequently

B.   Changing the default password

Explanation:

B) Changing the default password is the correct answer.
Many network appliances, including VPN gateways, come with pre-configured default administrator credentials (e.g., "admin/admin"). If these defaults are not changed, attackers can easily exploit them to gain unauthorized access. Changing the default password is a fundamental security measure that would most likely have prevented the unexpected login using the local administrator account.

Why the others are incorrect:

A) Using least privilege:
While least privilege is important for limiting user access, the issue here involves the local administrator account—which inherently has full privileges. Least privilege principles would not directly prevent misuse of this account if its credentials are compromised.

C) Assigning individual user IDs:
This practice ensures accountability by tying actions to specific users. However, it does not prevent the compromise of shared or default accounts (like the local admin account). Even with individual user IDs, if the default password remains unchanged, the account is still vulnerable.

D) Reviewing logs more frequently:
Log reviews are a detective control that might help identify unauthorized access after it occurs, but they do not prevent the login from happening in the first place.

Reference:
This question tests knowledge of Domain 3.2: Given a scenario, implement security hardening strategies. Changing default passwords is a basic yet critical step in securing network devices, as emphasized in the SY0-701 objectives. It aligns with best practices for preventing unauthorized access to systems and appliances.

A business received a small grant to migrate its infrastructure to an off-premises solution. Which of the following should be considered first?

A. Security of cloud providers

B. Cost of implementation

C. Ability of engineers

D. Security of architecture

D.   Security of architecture

Explanation:
When migrating infrastructure to an off-premises (cloud) solution, security of the architecture should be considered first. This involves designing a secure foundation for the cloud environment, including:

Network segmentation (e.g., VPCs, subnets).

Access controls (e.g., IAM roles, least privilege).

Data encryption (at rest and in transit).

Resilience against threats (e.g., DDoS protection, firewalls).

Starting with a secure architecture ensures that all subsequent components (e.g., applications, data) are built on a robust and protected base, reducing risks from the outset.

Why not the others?

A. Security of cloud providers:
While important, cloud providers (e.g., AWS, Azure) operate on a shared responsibility model. They secure the cloud infrastructure, but the customer (business) is responsible for securing their architecture and data within the cloud.

B. Cost of implementation:
Cost is a practical concern, especially with a small grant, but prioritizing security first prevents costly breaches or rework later.

C. Ability of engineers:
Staff skills are crucial for execution, but they should be applied within the framework of a secure design. Training or hiring can address skill gaps.

Reference:
Domain 2.2: "Compare and contrast concepts and strategies to protect data." The SY0-701 objectives emphasize the importance of secure cloud architecture design (e.g., zero trust, encryption) as a foundational step in migrations. This aligns with best practices like the Cloud Security Alliance (CSA) guidelines.

During a penetration test, a vendor attempts to enter an unauthorized area using an access badge. Which of the following types of tests does this represent?

A. Defensive

B. Passive

C. Offensive

D. Physical

D.   Physical

Explanation:
The scenario describes a test that involves attempting to bypass physical security controls (gaining entry to an unauthorized area) using a physical tool (an access badge). This falls outside the realm of pure network or software testing.

D. Physical is correct.
This is a physical penetration test. The goal is to assess the effectiveness of physical security measures like locks, doors, access control systems (badge readers), guards, and surveillance by attempting to gain unauthorized physical access to facilities, sensitive areas, or assets.

A. Defensive is incorrect.
A defensive test is one where the team is helping to defend against an attack, such as monitoring logs and responding to incidents during a penetration test. The scenario describes an active attempt to breach security, which is offensive in nature.

B. Passive is incorrect.
A passive test involves gathering information without interacting directly with the target systems, such as scanning public records or conducting OSINT (Open-Source Intelligence). The act of using a badge to try to enter a secured area is an active interaction with the target.

C. Offensive is incorrect.
While the action is offensive in the sense that it is an attack simulation, "offensive" is a broad term that typically encompasses cyber attacks like network penetration testing, social engineering, and application testing. The specific term for testing physical barriers and controls is physical security testing.

Reference:
CompTIA Security+ SY0-701 Objective 1.7: "Given a scenario, perform vulnerability management activities." Penetration testing is a key vulnerability management activity, and it includes various types of tests, such as physical penetration tests, which are designed to evaluate physical security controls.

A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering.
Which of the following teams will conduct this assessment activity?

A. White

B. Purple

C. Blue

D. Red

D.   Red

Explanation:
A red team is a group of security professionals who perform offensive security assessments covering penetration testing and social engineering. A red team simulates real-world attacks and exploits the vulnerabilities of a target organization, system, or network. A red team aims to test the effectiveness of the security controls, policies, and procedures of the target, as well as the awareness and response of the staff and the blue team. A red team can be hired as an external consultant or formed internally within the organization.

Reference:
CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 1, page 18. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 1.8, page 4. Security Teams – SY0-601 CompTIA Security+: 1.8.

A financial institution would like to store its customer data in the cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would best meet the requirement?

A. Asymmetric

B. Symmetric

C. Homomorphic

D. Ephemeral

C.   Homomorphic

Explanation:
The requirement is exceptionally specific: to allow data to be accessed and manipulated (computed on) while it remains encrypted. This is a unique property that is not offered by traditional encryption schemes.

C. Homomorphic encryption is correct.
This is a specialized form of encryption that allows complex mathematical operations to be performed directly on ciphertext. The results of these operations, when decrypted, match the results of the same operations as if they had been performed on the original plaintext. This means a cloud provider could process and analyze the encrypted financial data (e.g., calculating sums, averages, or other metrics) without ever possessing the decryption key or seeing the sensitive information in its unencrypted form. This perfectly matches the institution's requirement, and its acceptance of computational overhead aligns with the current main drawback of homomorphic encryption.

A. Asymmetric encryption is incorrect.
Asymmetric encryption (public-key cryptography) is excellent for key exchange and digital signatures. However, to perform computations on data encrypted with an asymmetric algorithm, it must first be decrypted, which violates the core requirement of keeping the data encrypted during manipulation.

B. Symmetric encryption is incorrect.
Symmetric encryption (using a shared key) is fast and efficient for encrypting data at rest and in transit. Like asymmetric encryption, data must be decrypted before any computations or manipulations can be performed on it. This would expose the sensitive data to the cloud service provider.

D. Ephemeral is incorrect.
Ephemeral keys are temporary keys used for a single session, often in key exchange protocols like Diffie-Hellman (e.g., in Perfect Forward Secrecy). While this enhances security by ensuring session keys are not stored long-term, it does not provide any capability for performing computations on encrypted data.

Reference:
CompTIA Security+ SY0-701 Objective 2.8: "Summarize cryptography concepts." While homomorphic encryption is an advanced topic, it falls under the umbrella of cryptographic techniques and is the only one that satisfies the unique requirement of processing data while it remains encrypted.

A security analyst is investigating a workstation that is suspected of outbound communication to a command-and-control server. During the investigation, the analyst discovered that logs on the endpoint were deleted. Which of the following logs would the analyst most likely look at next?

A. IPS

B. Firewall

C. ACL

D. Windows security

B.   Firewall

Which of the following best describes why the SMS OTP authentication method is more risky to implement than the TOTP method?

A. The SMS OTP method requires an end user to have an active mobile telephone service and SIM card.

B. Generally, SMS OTP codes are valid for up to 15 minutes while the TOTP time frame is 30 to 60 seconds.

C. The SMS OTP is more likely to be intercepted and lead to unauthorized disclosure of the code than the TOTP method.

D. The algorithm used to generate an SMS OTP code is weaker than the one used to generate a TOTP code.

C.   The SMS OTP is more likely to be intercepted and lead to unauthorized disclosure of the code than the TOTP method.

Explanation:
SMS-based OTP (One-Time Password) authentication is considered riskier than TOTP (Time-based One-Time Password) primarily due to the interception risk. SMS messages are transmitted over cellular networks and can be vulnerable to several attacks:

SIM swapping:
An attacker social engineers a mobile carrier to transfer the victim's phone number to a SIM card they control, intercepting all SMS messages (including OTP codes).

SS7 protocol exploits:
Vulnerabilities in the Signaling System No. 7 (SS7) used by telecom networks can allow attackers to redirect or intercept SMS messages.

Malware on mobile devices:
Malicious apps might read SMS messages containing OTP codes.

In contrast, TOTP codes are generated locally on a user's device (e.g., via an authenticator app like Google Authenticator or Authy) and do not rely on cellular networks. This makes them resistant to interception via telecom vulnerabilities or SIM swapping.

Why not the others?

A: While SMS OTP requires active mobile service, this is not the primary security risk; it is a usability or accessibility issue.

B: Longer validity windows (e.g., 15 minutes for SMS vs. 30 seconds for TOTP) do increase the window for attack, but the core risk is interception, not just time validity.

D: The algorithm strength is not the issue; both methods typically use similar cryptographic principles (e.g., HMAC-based OTPs). The weakness lies in the delivery mechanism (SMS vs. local generation).

Reference:
Domain 2.4: "Explain authentication and authorization controls." The SY0-701 objectives highlight the vulnerabilities of SMS-based MFA (e.g., interception risks) and recommend more secure methods like TOTP or hardware tokens. NIST guidelines also discourage SMS for high-risk scenarios due to these threats.
