Free CompTIA SY0-701 Practice Questions 2026 - Page 28
An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?
A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing
Explanation:
Phishing is a type of social engineering attack where attackers send fraudulent messages (often emails) that appear to come from a reputable source, such as a payment website. The goal is to trick recipients into revealing sensitive information (like login credentials) or installing malware. In this scenario, the email impersonated a payment website and lured the employee into entering login information on a fake site, which is a classic phishing attack.
Why the other options are incorrect:
A. Brand impersonation:
This is a technique used within phishing attacks where the attacker mimics a well-known brand (like a payment website) to gain trust. However, it is not the overarching attack type itself—it is a component of the phishing attempt.
B. Pretexting:
This involves creating a fabricated scenario (a pretext) to steal information. For example, an attacker might pose as an IT support technician asking for a password. While the email created a false scenario, the specific mechanism of using a fake website and link is hallmark phishing.
C. Typosquatting:
This is a technique where attackers register domain names similar to legitimate ones (e.g., "paypai.com" instead of "paypal.com") to catch users who make typos. While the malicious site in this attack might have used a typosquatted domain, the primary attack vector was the deceptive email, making "phishing" the broader and more accurate category.
Reference:
This question tests the ability to identify specific social engineering techniques.
This falls under Domain 1.1: Compare and contrast common social engineering techniques of the CompTIA Security+ SY0-701 exam objectives.
Phishing is a well-documented attack method in frameworks like NIST SP 800-63 and the OWASP Top 10, and it remains one of the most common threats organizations face. The scenario describes a typical credential harvesting phishing attack.
A company is decommissioning its physical servers and replacing them with an architecture that will reduce the number of individual operating systems. Which of the following strategies should the company use to achieve this security requirement?
A. Microservices
B. Containerization
C. Virtualization
D. Infrastructure as code
Explanation:
To reduce the number of individual operating systems while decommissioning physical servers, the company should use containerization. Containerization runs multiple isolated applications on a single OS kernel, so it significantly reduces the overhead of running multiple virtual machines, each with its own OS, while improving resource utilization.
Why the other options are incorrect:
A. Microservices:
An architectural style that structures an application as a collection of loosely coupled services. It does not necessarily reduce the number of operating systems.
C. Virtualization:
Allows multiple virtual machines to run on a single physical server, but each VM requires its own OS, so the number of OS instances is not reduced.
D. Infrastructure as code:
Manages and provisions computing infrastructure through machine-readable configuration files, but it does not directly affect the number of operating systems.
Which of the following describes the reason root cause analysis should be conducted as part of incident response?
A. To gather IoCs for the investigation
B. To discover which systems have been affected
C. To eradicate any trace of malware on the network
D. To prevent future incidents of the same nature
Explanation:
The primary purpose of root cause analysis (RCA) in incident response is to identify the underlying, fundamental reason(s) an incident occurred. By understanding the root cause (e.g., a missing patch, misconfigured firewall, human error, or flawed process), organizations can implement corrective actions to address the weakness and prevent similar incidents from happening in the future. RCA transforms incident response from a reactive process into a proactive improvement cycle, enhancing overall security posture.
Analysis of Incorrect Options:
A. To gather IOCs for the investigation:
Indicators of Compromise (IOCs) are collected during the detection and analysis phases of incident response to identify malicious activity. RCA occurs later, focusing on why the incident happened, not just what happened.
B. To discover which systems have been affected:
Determining the scope of impact (affected systems) is part of the containment and analysis phases, not the goal of RCA. RCA digs deeper after the scope is known.
C. To eradicate any trace of malware on the network:
Eradication is a separate phase where threats are removed. RCA is a post-incident activity that follows eradication to learn from the event.
Reference:
This aligns with Domain 4.0: Security Operations, specifically the incident response lifecycle (NIST SP 800-61). RCA is a key step in the post-incident activity phase, aimed at continuous improvement. It is emphasized in frameworks like ISO/IEC 27035 (Incident Management) and best practices for turning incidents into lessons that strengthen defenses.
A new employee logs in to the email system for the first time and notices a message from human resources about onboarding. The employee hovers over a few of the links within the email and discovers that the links do not correspond to links associated with the company. Which of the following attack vectors is most likely being used?
A. Business email compromise
B. Social engineering
C. Unsecured network
D. Default credentials
Explanation:
Social engineering is the broad term for psychological manipulation tactics used to deceive individuals into divulging confidential information or performing actions that compromise security. In this scenario, the attacker is impersonating human resources (a trusted entity) via email and using deceptive links (that do not lead to legitimate company sites) to trick the new employee. This is a classic social engineering attack, specifically a form of phishing.
Why the other options are incorrect:
A. Business email compromise (BEC):
This is a specific type of social engineering attack where attackers compromise legitimate business email accounts to conduct fraudulent activities (e.g., wire transfer fraud). While the email might appear to be from HR, the scenario does not indicate that a legitimate HR email account was compromised—only that the message is deceptive. The key indicator is the fraudulent links, which align more broadly with social engineering.
C. Unsecured network:
This refers to risks associated with using insecure Wi-Fi or networks where data can be intercepted. The attack is occurring via email content, not network eavesdropping.
D. Default credentials:
This involves attackers using unchanged default passwords to gain access to systems. The scenario focuses on deceptive email links, not credential exploitation.
Reference:
This question tests recognition of social engineering tactics, a core topic in security awareness.
This falls under Domain 1.1: Compare and contrast common social engineering techniques and Domain 5.2: Explain the importance of personnel security and security awareness training of the CompTIA Security+ SY0-701 exam objectives.
Training employees to verify email sources and hover over links to check URLs is a fundamental defense against social engineering, as emphasized in frameworks like NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program).
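The hover-and-check habit described above can also be automated as a mail-gateway or awareness-tool check. The following is an added example, not code from the page or from CompTIA: it parses the anchors in an HTML email body and flags links whose target host is outside the company's domains, or whose visible text shows one hostname while the href points somewhere else. The company domain, the sample email and its links are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed company domain for the example (constructed, not from the page).
COMPANY_DOMAINS = {"example-corp.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def displayed_host(text):
    """If the anchor text looks like a URL or hostname, return its host; else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return host.lower()
    return None


def suspicious_links(html, company_domains):
    """Return one finding per link that a user hovering over it should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if not any(is_under(host, d) for d in company_domains):
            reasons.append("href outside company domains")
        shown = displayed_host(text)
        if shown is not None and shown != host:
            reasons.append("displayed host differs from link target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed onboarding email: one legitimate link, two that should be flagged.
CONSTRUCTED_EMAIL = """
<p>Welcome to Example Corp! Please complete your onboarding.</p>
<a href="https://hr.example-corp.com/onboarding">Start onboarding</a>
<a href="https://portal.example-corp.com.login-verify.test/hr">hr.example-corp.com/forms</a>
<a href="http://203.0.113.10/hr-docs">Employee handbook</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(CONSTRUCTED_EMAIL, COMPANY_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The second link is the interesting case: its host begins with the company's own name but ends in a different registrable domain, which is exactly what the hover check is meant to expose. Matching on the full suffix (`is_under`) rather than on a substring is what makes the check resistant to that trick.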
Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation, such as a security incident or major disaster. Which of the following best describes this meeting?
A. Penetration test
B. Continuity of operations planning
C. Tabletop exercise
D. Simulation
Explanation:
A tabletop exercise is a discussion-based session where stakeholders gather to review and discuss their roles, responsibilities, and actions in response to a hypothetical scenario, such as a security incident or disaster. Participants talk through the steps they would take, identify gaps in plans, and improve coordination without actually executing any actions. This low-pressure environment helps ensure everyone understands their part in a real emergency.
Analysis of Incorrect Options:
A. Penetration test:
This is a hands-on simulated attack on systems to identify vulnerabilities, not a discussion of roles and responsibilities.
B. Continuity of operations planning:
This involves developing strategies to maintain essential functions during a disruption. While related, it is a broader planning process, not the specific meeting described.
D. Simulation:
A simulation is a more immersive, practice-based exercise that may involve executing responses (e.g., activating backup systems). The scenario describes a discussion, not an active simulation.
Reference:
This falls under Domain 4.0: Security Operations, specifically incident response and disaster recovery preparedness. Tabletop exercises are recommended in frameworks like NIST SP 800-61 (Incident Handling Guide) and are a key part of validating and refining response plans.
A company prevented direct access from the database administrators’ workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers?
A. Jump server
B. RADIUS
C. HSM
D. Load balancer
Explanation:
The scenario describes a security best practice known as network segmentation and the use of a jump server (also called a bastion host) to provide secure, controlled access to a sensitive network segment.
Jump Server:
This is a hardened server that provides a single, secured gateway for administrators to access devices in an isolated network segment (like one containing critical database servers). Instead of connecting directly to the database servers, the database administrator (DBA) first connects to the jump server. From there, the DBA can initiate a second connection to the target database server. This setup:
Reduces the attack surface by eliminating direct access paths to critical systems.
Centralizes logging and monitoring of all administrative access attempts.
Allows for stricter security controls (e.g., multi-factor authentication) on the jump server itself.
This approach ensures that administrative access is tightly controlled and audited, aligning with the principle of least privilege.
Why the other options are incorrect:
B. RADIUS (Remote Authentication Dial-In User Service):
RADIUS is a protocol used for centralized authentication, authorization, and accounting (AAA) for network access (e.g., for VPNs or Wi-Fi). It is not a tool for accessing servers; it is a backend service that validates credentials during the authentication process.
C. HSM (Hardware Security Module):
An HSM is a physical device that securely generates, stores, and manages cryptographic keys. It is used for tasks like encryption, decryption, and digital signatures. It does not provide access to servers or network segments.
D. Load balancer:
A load balancer distributes network traffic across multiple servers to optimize resource use, maximize throughput, and ensure high availability. It is not used for administrative access to servers; it is a traffic-routing tool for client requests.
Exam Objective Reference:
This question relates to Domain 3.0: Architecture and Design, specifically the concepts of secure network architecture (segmentation) and security controls (jump servers) for managing privileged access to critical systems. It also touches on Domain 4.0: Operations and Incident Response regarding best practices for administrative access and auditing.
An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;, &, `, and ? from variables set by forms in a web application.
Which of the following best explains the security technique the organization adopted by making this addition to the policy?
A. Identify embedded keys
B. Code debugging
C. Input validation
D. Static code analysis
Explanation:
Input validation (C) is the correct answer. The policy describes using regular expressions to remove (or sanitize) specific special characters from user input collected via web forms. This is a classic example of input validation, a security technique designed to ensure that only properly formatted and expected data is processed by an application. By removing characters that have special meaning in command shells (e.g., $, |, ;, &, `, ?), the organization is preventing injection attacks (such as command injection or SQL injection) where attackers could trick the application into executing unintended commands.
Why the others are incorrect:
A. Identify embedded keys:
This refers to searching for and removing hardcoded secrets (like API keys or passwords) in source code. The policy is about sanitizing user input, not inspecting code for embedded credentials.
B. Code debugging:
Debugging is the process of finding and fixing bugs or errors in code functionality. While input validation might be added during debugging, the technique itself is a security measure, not a debugging activity.
D. Static code analysis (SAST):
This is an automated process of analyzing source code for vulnerabilities without executing it. While SAST tools might identify a lack of input validation, the policy describes the actual implementation of the validation technique, not the analysis method used to find the need for it.
Reference:
This question tests knowledge of Domain 3.2: Given a scenario, implement secure coding techniques. Input validation is a fundamental secure coding practice to mitigate injection attacks, which are a top vulnerability according to frameworks like OWASP Top 10. The specific characters mentioned ($, |, ;, etc.) are common in shell command injection attempts.
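The policy quoted above describes denylist sanitization: a regular expression strips the listed shell metacharacters from form input. As an added example (not code from the page or from the organization it describes), the block below implements that policy and pairs it with the stricter allowlist form of input validation, where each field is accepted only if it matches the shape it is expected to have. The field rules and the sample form submission are assumptions constructed for the example.

```python
import re

# Denylist sanitizer implementing the policy statement on the page:
# remove $ | ; & ` ? from values set by web-form fields.
SHELL_METACHARS = re.compile(r"[$|;&`?]")


def strip_special_chars(value):
    """Remove the characters named in the policy (denylist sanitization)."""
    return SHELL_METACHARS.sub("", value)


# Allowlist validators (assumed field rules, not from the page): a field is
# accepted only if the whole value matches the pattern for that field.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "zip_code": re.compile(r"^[0-9]{5}$"),
    "comment": re.compile(r"^[\w .,!'-]{0,200}$"),
}


def validate_field(name, value):
    """True if the value matches the allowlist rule for the named field."""
    rule = FIELD_RULES.get(name)
    return rule is not None and rule.fullmatch(value) is not None


def process_form(form):
    """Validate every submitted field.

    Accepted fields are returned with the policy's denylist applied as well;
    rejected fields are reported so the request can be refused rather than
    silently 'fixed', which is the usual recommendation for allowlist validation.
    """
    accepted, rejected = {}, []
    for name, raw in form.items():
        if validate_field(name, raw):
            accepted[name] = strip_special_chars(raw)
        else:
            rejected.append(name)
    return {"accepted": accepted, "rejected": rejected}


# Constructed form submission for the example.
CONSTRUCTED_FORM = {
    "username": "alice_01",
    "zip_code": "94105",
    "comment": "Please call me back; thanks!",
}

if __name__ == "__main__":
    print(process_form(CONSTRUCTED_FORM))
    # The denylist only removes what it names; anything else passes through.
    print(repr(strip_special_chars("line1\nline2")))
```

The two approaches differ in what happens with input the author did not anticipate: the denylist removes only the six listed characters and lets everything else (a newline, for instance) through, whereas the allowlist rejects any value that is not in the expected form. Secure-coding guidance such as the OWASP Top 10 referenced above treats the allowlist as the primary control and sanitization as a secondary one.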
Which of the following best represents an application that does not have an on-premises requirement and is accessible from anywhere?
A. PaaS
B. Hybrid cloud
C. Private cloud
D. IaaS
E. SaaS
Explanation:
SaaS (Software as a Service) best represents an application that does not have an on-premises requirement and is accessible from anywhere. SaaS applications are hosted and maintained by a third-party provider and delivered over the internet. Users typically access them via a web browser or thin client, without needing to install or manage any infrastructure or software locally. Examples include Google Workspace, Microsoft Office 365, Salesforce, and Dropbox.
No on-premises requirement:
The application runs entirely in the cloud, eliminating the need for local servers or hardware.
Accessible from anywhere:
Users can access the application from any device with an internet connection, enabling remote work and mobility.
Why not the others?
A. PaaS (Platform as a Service):
PaaS provides a cloud-based platform for developing, testing, and deploying applications (e.g., AWS Elastic Beanstalk, Google App Engine). It is aimed at developers, not end-users accessing a ready-made application.
B. Hybrid cloud:
This is a cloud computing model that combines on-premises infrastructure with public and/or private cloud services. It may involve on-premises components, so it does not fully meet the "no on-premises requirement" condition.
C. Private cloud:
A private cloud is dedicated to a single organization and may be hosted on-premises or by a third party. It often requires on-premises infrastructure or dedicated private resources.
D. IaaS (Infrastructure as a Service):
IaaS provides virtualized computing resources over the internet (e.g., AWS EC2, Azure VMs). While it avoids on-premises hardware, users still need to manage OS, middleware, and applications, and it is not synonymous with a ready-to-use application.
Reference:
Domain 2.2: "Compare and contrast cloud service models." The SY0-701 objectives emphasize the characteristics of SaaS as a cloud service model where applications are centrally hosted and accessed remotely, with no local installation or maintenance required. This aligns perfectly with the description of an application accessible from anywhere without on-premises dependencies.
A security team is setting up a new environment for hosting the organization's on-premises software application as a cloud-based service. Which of the following should the team ensure is in place in order for the organization to follow security best practices?
A. Virtualization and isolation of resources
B. Network segmentation
C. Data encryption
D. Strong authentication policies
Explanation:
When moving an on-premises application to a cloud-based service model, the fundamental architecture shifts to a shared responsibility model and a multi-tenant environment. The core security best practice in this context is to ensure that your resources are properly isolated from those of other customers ("tenants") of the cloud provider.
A. Virtualization and isolation of resources (Correct):
This is the best answer. In cloud computing, "virtualization" is the foundational technology that allows for the creation of isolated virtual machines, containers, and networks. "Isolation" is the critical security principle that ensures your company's data, applications, and network traffic are logically separated and inaccessible to other tenants in the cloud. Without strong isolation, multi-tenant cloud environments would be inherently insecure. This is the first and most critical control to ensure when building a new cloud environment.
Why the other options are important but not the best answer for this specific scenario:
B. Network Segmentation:
While absolutely a security best practice, network segmentation is a more granular control you implement within your own isolated cloud environment (e.g., creating separate subnets for web servers, application servers, and databases). The question is about the foundational requirement for operating securely in the cloud itself, which is isolation from other tenants, which is provided by the cloud provider's virtualization infrastructure.
C. Data Encryption:
Encrypting data at rest and in transit is a crucial best practice. However, encryption is a control that protects the confidentiality of your data after the foundational isolation of your environment is already in place. Isolation is the primary barrier preventing unauthorized access in the first place.
D. Strong Authentication Policies:
Implementing strong authentication (like MFA) is essential for controlling access to your cloud management console and resources. Like encryption, this is a vital control, but it is an identity and access management function that is applied on top of a properly isolated environment. It does not address the core architectural requirement of multi-tenancy.
Reference:
This question falls under Domain 2.0: Threats, Vulnerabilities, and Mitigations and Domain 3.0: Security Architecture. It specifically addresses cloud security concepts, including virtualization, shared responsibility, and secure cloud architecture principles. The core tenet of cloud security is achieving strong isolation in a multi-tenant environment.
A systems administrator is changing the password policy within an enterprise environment and wants this update implemented on all systems as quickly as possible. Which of the following operating system security measures will the administrator most likely use?
A. Deploying PowerShell scripts
B. Pushing GPO update
C. Enabling PAP
D. Updating EDR profiles
Explanation:
Pushing a GPO (Group Policy Object) update is the most efficient and centralized method to enforce a new password policy across all systems in a Windows-based enterprise environment. GPOs are a core feature of Microsoft Active Directory and allow administrators to define and automatically apply security settings, including password complexity, length, age, and history, to all computers and users within specific organizational units (OUs). The update can be pushed from a domain controller and will apply to all targeted systems during their next policy refresh cycle, making it very quick and consistent.
Why the other options are incorrect:
A. Deploying PowerShell scripts:
While powerful, PowerShell scripts are generally less efficient and reliable for this specific task. They would need to be deployed and executed on every machine individually or via a separate deployment tool. A GPO is the native, designed-for-purpose tool for managing Windows security policies centrally.
C. Enabling PAP (Password Authentication Protocol):
PAP is an obsolete and highly insecure authentication protocol that transmits passwords in plaintext. It is never used in modern enterprise environments and has nothing to do with configuring a password policy on endpoints.
D. Updating EDR profiles:
EDR (Endpoint Detection and Response) tools are focused on threat detection, investigation, and response. Their "profiles" or policies are related to security monitoring and prevention rules (e.g., allowing/blocking applications), not core operating system configuration settings like password policy.
Reference:
This question tests knowledge of centralized security management tools in a Windows environment.
This aligns with Domain 3.1: Given a scenario, implement security configuration techniques on enterprise assets of the CompTIA Security+ SY0-701 exam objectives, which specifically includes "Group Policy" as a key method for configuring endpoints.
Using GPOs for password policy management is a standard practice outlined in security frameworks like those from CIS (Center for Internet Security) and Microsoft's own security baselines.