Free CompTIA SY0-701 Practice Questions 2026 - Page 29


Which of the following best describes a penetration test that resembles an actual external attack?

A. Known environment

B. Partially known environment

C. Bug bounty

D. Unknown environment

D.   Unknown environment

Explanation:
A penetration test conducted in an unknown environment (often called a "black box" test) most closely resembles an actual external attack. In this approach, the tester has no prior knowledge of the target systems, networks, or internal configurations. They must gather information from scratch, just as a real attacker would, using public sources and reconnaissance techniques.

Analysis of Incorrect Options:

A. Known environment ("white box" test):
The tester has full knowledge of the environment, including network diagrams, source code, and credentials. This is useful for deep assessment but does not simulate a real attacker's limited knowledge.

B. Partially known environment ("gray box" test):
The tester has some information (e.g., limited credentials or network details). While it balances efficiency and realism, it still does not fully replicate an external attacker's starting point.

C. Bug bounty:
This is a program where external researchers are incentivized to find and report vulnerabilities. It involves real attacks but is not a controlled penetration test with defined rules of engagement.

Reference:
This aligns with Domain 1.0: General Security Concepts, specifically penetration testing methodologies. Black box testing (unknown environment) is defined in standards like NIST SP 800-115 (Guide to Security Testing) and the Penetration Testing Execution Standard (PTES) as the most realistic simulation of an external threat actor.

A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?

A. Accept

B. Transfer

C. Mitigate

D. Avoid

B.   Transfer

Explanation:
Cyber insurance is a classic example of risk transfer. Let's break down the risk management strategies:

B. Transfer is correct.
Transferring risk means shifting the financial impact of a risk to a third party. By purchasing cyber insurance, the company is paying a premium to an insurance company. In the event of a cyber incident (e.g., data breach, ransomware attack, business interruption), the insurance company assumes the financial responsibility for covering the costs, as outlined in the policy. This transfers the monetary risk from the company to the insurer.

A. Accept is incorrect.
Risk acceptance means consciously acknowledging a risk and choosing to take no action to mitigate or transfer it, typically because the cost of addressing the risk outweighs the potential impact. Purchasing insurance is the opposite of acceptance; it is an active step to deal with the risk.

C. Mitigate is incorrect.
Risk mitigation involves taking steps to reduce the likelihood or impact of a risk. Implementing security controls like a firewall, training employees, or applying patches are examples of mitigation. Insurance does not reduce the chance of an attack happening or lessen its technical impact; it only provides financial compensation after the fact.

D. Avoid is incorrect.
Risk avoidance involves eliminating the risk entirely by discontinuing the activity that causes it. For example, a company could avoid the risk of a web application breach by shutting down its e-commerce site. This is not what insurance does; the company continues the risky activity (operating online) but transfers the financial consequences.

Reference:
CompTIA Security+ SY0-701 Objective 5.2: "Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture." This objective includes risk management concepts and strategies. Understanding the four primary risk responses—Avoid, Transfer, Mitigate, Accept—is a fundamental part of the security curriculum.

A security analyst receives alerts about an internal system sending a large number of unusual DNS queries to systems on the internet over short periods of time during nonbusiness hours. Which of the following is most likely occurring?

A. A worm is propagating across the network.

B. Data is being exfiltrated.

C. A logic bomb is deleting data.

D. Ransomware is encrypting files.

B.   Data is being exfiltrated.

Explanation:
The scenario describes an internal system sending a large number of unusual DNS queries to systems on the internet during non-business hours. This pattern is highly indicative of data exfiltration using DNS tunneling or another DNS-based covert channel. Attackers often use DNS queries to bypass traditional security controls (e.g., firewalls) because DNS traffic is usually allowed out of networks. The unusual volume and timing (non-business hours) suggest malicious activity aimed at stealing data without detection.

Why not A?
While worms can propagate via network traffic, they typically focus on spreading to other systems (e.g., via SMB, RDP) rather than generating excessive DNS queries to external systems.

Why not C?
A logic bomb might delete data, but it would not typically generate a large volume of DNS queries; it would cause local or network disruption.

Why not D?
Ransomware encryption is usually accompanied by local file changes, network shares being accessed, or calls to command-and-control servers, but not primarily unusual DNS queries. DNS might be used for C2, but the "large amount" and "short periods" align more with data exfiltration.

Reference:
Domain 1.3: "Given a scenario, analyze potential indicators of malicious activity." DNS exfiltration is a common technique for stealthily transferring data, and unusual DNS patterns (e.g., high query volume, non-standard domains) are key indicators. The SY0-701 objectives emphasize monitoring for such anomalies, especially during off-hours.

A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do?

A. Place posters around the office to raise awareness of common phishing activities.

B. Implement email security filters to prevent phishing emails from being delivered.

C. Update the EDR policies to block automatic execution of downloaded programs.

D. Create additional training for users to recognize the signs of phishing attempts.

C.   Update the EDR policies to block automatic execution of downloaded programs.

Explanation:
The scenario states that the user click-through rate has already exceeded the acceptable risk threshold, meaning users are clicking on phishing links despite awareness efforts. The management team wants to reduce the impact when a user clicks, not necessarily prevent the click itself.

Updating EDR (Endpoint Detection and Response) policies to block automatic execution of downloaded programs is a technical control that mitigates the damage after a click. For example, if a user downloads malicious software from a phishing link, EDR can prevent it from running automatically, containing the threat and reducing the impact (e.g., preventing ransomware execution or data exfiltration).

Why the others are incorrect:

A. Place posters around the office:
This is an awareness measure aimed at preventing clicks, not reducing impact after a click has occurred. It does not address the immediate impact of a successful phishing attempt.

B. Implement email security filters:
This is a preventive measure to stop phishing emails from reaching inboxes. While valuable, it is not foolproof (some emails may bypass filters), and the question focuses on reducing impact after a user clicks.

D. Create additional training:
This is another preventive measure to help users recognize phishing attempts. Like option A, it aims to reduce click-through rates but does not directly mitigate the impact if a user still clicks.

Reference:
This aligns with SY0-701 Objective 4.4 ("Given an incident, apply mitigation techniques or controls to secure an environment"). Defense-in-depth strategies include technical controls (like EDR) to contain threats even if human failures occur. EDR policies that restrict execution are a key layer for mitigating post-breach impact, as recommended in frameworks like NIST SP 800-83 ("Guide to Malware Incident Prevention and Handling").

While troubleshooting a firewall configuration, a technician determines that a “deny any” policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue?

A. Documenting the new policy in a change request and submitting the request to change management

B. Testing the policy in a non-production environment before enabling the policy in the production network

C. Disabling any intrusion prevention signatures on the "deny any" policy prior to enabling the new policy

D. Including an "allow any" policy above the "deny any" policy

B.   Testing the policy in a non-production environment before enabling the policy in the production network

Explanation:
The issue occurred because the new "deny any" policy blocked legitimate traffic, indicating that the policy was not thoroughly vetted. Testing the policy in a non-production environment (e.g., a lab or staging network) first would allow the technician to identify unintended consequences, such as blocking necessary server traffic, without impacting live operations. This is a core best practice in change management to validate configurations and avoid disruptions.

Analysis of Incorrect Options:

A. Documenting the new policy in a change request:
While documentation and change management are important, they do not inherently prevent misconfigurations. The change might still be approved and deployed without testing, leading to the same issue.

C. Disabling intrusion prevention signatures:
This is unrelated to ACL policies. Intrusion prevention systems (IPS) detect threats, while ACLs control traffic flow. Disabling IPS signatures would not prevent the "deny any" policy from blocking legitimate traffic.

D. Including an "allow any" policy above the "deny any" policy:
This would render the "deny any" policy ineffective, as all traffic would be allowed by the prior rule. It defeats the purpose of adding a restrictive policy and creates a security risk.

Reference:
This aligns with Domain 4.0: Security Operations, specifically change management and network configuration best practices. Testing in a non-production environment is emphasized in frameworks like ITIL and NIST SP 800-115 (Guide to Security Testing) to reduce risks associated with changes.

A penetration tester begins an engagement by performing port and service scans against the client environment according to the rules of engagement. Which of the following reconnaissance types is the tester performing?

A. Active

B. Passive

C. Defensive

D. Offensive

A.   Active

Explanation:
The penetration tester is performing active reconnaissance. Active reconnaissance involves directly interacting with the target system or network to gather information. In this case, port and service scans (e.g., using tools like Nmap) send packets to the target to discover open ports, running services, and other details. This type of reconnaissance is intrusive and can be detected by the target, as it generates traffic and may trigger security alerts.

Analysis of Incorrect Options:

B. Passive:
Passive reconnaissance involves gathering information without directly interacting with the target. Examples include reviewing public DNS records, social media profiles, or website archives. Since the tester is scanning the client environment, this is not passive.

C. Defensive:
Defensive reconnaissance is not a standard term in penetration testing. Defensive actions typically refer to security measures taken to protect systems, such as monitoring or intrusion detection.

D. Offensive:
While penetration testing is an offensive security activity, "offensive" is not a specific type of reconnaissance. Reconnaissance is categorized as either active or passive.

Reference:
This falls under Domain 1.0: General Security Concepts, specifically penetration testing phases. Active reconnaissance is a key step in the initial phase of a penetration test, as outlined in frameworks like NIST SP 800-115 (Guide to Security Testing and Assessment) and the Penetration Testing Execution Standard (PTES). It helps testers understand the attack surface before launching exploits.

An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?

A. Compromise

B. Retention

C. Analysis

D. Transfer

E. Inventory

B.   Retention

Explanation:
The administrator is carrying out a data retention policy. This policy defines how long specific types of data (e.g., customer transactions) must be kept archived to meet legal, regulatory, or business requirements. Ensuring that information is stored for the proper time period directly aligns with retention rules, which often specify minimum and maximum durations for holding data before it can be securely disposed of.

Analysis of Incorrect Options:

A. Compromise:
This refers to a data breach or unauthorized access incident, not the archival of data for compliance.

C. Analysis:
Data analysis involves examining data to extract insights, not ensuring it is archived for a required duration.

D. Transfer:
Data transfer policies govern how data is moved between systems or locations (e.g., encryption during transit), not how long it is retained.

E. Inventory:
Data inventory involves cataloging what data exists, where it is stored, and how it is used, but it does not specify retention periods.

Reference:
This question falls under Domain 5.0: Security Program Management and Oversight, specifically data governance and compliance. Retention policies are critical for adhering to regulations like GDPR, HIPAA, or SOX, which mandate how long certain records must be preserved. NIST SP 800-53 (Control MP-6) and other frameworks emphasize the importance of proper data retention and disposal.

You are a security administrator investigating a potential infection on a network. Click on each host and firewall. Review all logs to determine which host originated the infection, and then determine whether each remaining host is clean or infected.

Explanation: Based on the logs, it seems that the host that originated the infection is 192.168.10.22. This host has a suspicious process named svchost.exe running on port 443, which is unusual for a Windows service. It also has a large number of outbound connections to different IP addresses on port 443, indicating that it is part of a botnet. The firewall log shows that this host has been communicating with 10.10.9.18, which is another infected host on the engineering network. This host also has a suspicious process named svchost.exe running on port 443, and a large number of outbound connections to different IP addresses on port 443. The other hosts on the R&D network (192.168.10.37 and 192.168.10.41) are clean, as they do not have any suspicious processes or connections.

A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first?

A. Block access to cloud storage websites.

B. Create a rule to block outgoing email attachments.

C. Apply classifications to the data.

D. Remove all user permissions from shares on the file server.

C.   Apply classifications to the data.

Explanation: Data classification is the process of assigning labels or tags to data based on its sensitivity, value, and risk. Data classification is the first step in a data loss prevention (DLP) solution, as it helps to identify what data needs to be protected and how. By applying classifications to the data, the security administrator can define appropriate policies and rules for the DLP solution to prevent the exfiltration of sensitive customer data. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 8: Data Protection, page 323. CompTIA Security+ Practice Tests: Exam SY0-701, 3rd Edition, Chapter 8: Data Protection, page 327.

A systems administrator is configuring a site-to-site VPN between two branch offices. Some of the settings have already been configured correctly. The systems administrator has been provided the following requirements as part of completing the configuration:
• Most secure algorithms should be selected
• All traffic should be encrypted over the VPN
• A secret password will be used to authenticate the two VPN concentrators

Answer: See the explanation for the full solution.

Explanation: To configure the site-to-site VPN between the two branch offices according to the provided requirements, here are the detailed steps and settings that need to be applied to the VPN concentrators:

Requirements:
• Most secure algorithms should be selected.
• All traffic should be encrypted over the VPN.
• A secret password will be used to authenticate the two VPN concentrators.

VPN Concentrator 1 Configuration:
Phase 1:
    Peer IP address: 5.5.5.10 (the IP address of VPN Concentrator 2)
    Auth method: PSK (Pre-Shared Key)
    Negotiation mode: MAIN
    Encryption algorithm: AES256
    Hash algorithm: SHA256
    DH key group: 14
Phase 2:
    Mode: Tunnel
    Protocol: ESP (Encapsulating Security Payload)
    Encryption algorithm: AES256
    Hash algorithm: SHA256
    Local network/mask: 192.168.1.0/24
    Remote network/mask: 192.168.2.0/24

VPN Concentrator 2 Configuration:
Phase 1:
    Peer IP address: 5.5.5.5 (the IP address of VPN Concentrator 1)
    Auth method: PSK (Pre-Shared Key)
    Negotiation mode: MAIN
    Encryption algorithm: AES256
    Hash algorithm: SHA256
    DH key group: 14
Phase 2:
    Mode: Tunnel
    Protocol: ESP (Encapsulating Security Payload)
    Encryption algorithm: AES256
    Hash algorithm: SHA256
    Local network/mask: 192.168.2.0/24
    Remote network/mask: 192.168.1.0/24

Summary:
• Peer IP Address: Set to the IP address of the remote VPN concentrator.
• Auth Method: PSK for using a pre-shared key.
• Negotiation Mode: MAIN for the initial setup.
• Encryption Algorithm: AES256, which is a strong and secure algorithm.
• Hash Algorithm: SHA256, which provides strong hashing.
• DH Key Group: 14 for strong Diffie-Hellman key exchange.
• Phase 2 Protocol: ESP for encryption and integrity.
• Local and Remote Networks: Configure the local and remote network addresses to match each branch office subnet (each concentrator's local network is the other's remote network).

By configuring these settings on both VPN concentrators, the site-to-site VPN will meet the requirements for strong security algorithms, encryption of all traffic, and authentication using a pre-shared key.

Page 29 out of 87 Pages