Free CompTIA SY0-701 Practice Questions 2026 - Page 33


Which of the following is the stage in an investigation when forensic images are obtained?

A. Acquisition

B. Preservation

C. Reporting

D. E-discovery

A.   Acquisition

Explanation:
In digital forensics, the process of creating a forensic image (a bit-for-bit copy) of a storage device is specifically known as the Acquisition stage. This is a critical step where investigators obtain the data from the original evidence in a forensically sound manner to ensure its integrity for analysis.

Why not B?
Preservation: The Preservation stage involves securing the original evidence to prevent tampering, alteration, or damage. This includes documenting the state of the device, bagging it, and storing it securely. While preservation ensures the evidence is intact for acquisition, the actual act of creating the forensic image is acquisition.

Why not C?
Reporting: The Reporting stage occurs after analysis, where findings are compiled into a formal document or report for legal or administrative purposes. This is the final output, not the data gathering step.

Why not D?
E-discovery: E-discovery (electronic discovery) is a legal process focused on identifying, collecting, and producing electronically stored information (ESI) in response to a litigation request. While it may involve acquiring data, it is a broader legal procedure, not the specific forensic term for the technical process of obtaining a forensic image.

Reference:
Domain 4.5: "Explain key aspects of digital forensics." The SY0-701 objectives outline the forensic process, which includes the following steps: Identification, Acquisition (creating a forensic image), Analysis, and Reporting.

Which of the following describes the procedures a penetration tester must follow while conducting a test?

A. Rules of engagement

B. Rules of acceptance

C. Rules of understanding

D. Rules of execution

A.   Rules of engagement

Explanation:
Rules of Engagement (RoE) is the formal document that defines the scope, parameters, and guidelines for a penetration test. It is a critical document agreed upon by the penetration testing team and the client organization before any testing begins. The RoE specifies precisely what is allowed and what is off-limits, including:

Target Systems & Networks:
Which IP addresses, domains, and systems can be tested.

Testing Methods:
Which techniques are permitted (e.g., social engineering, phishing, denial-of-service simulations).

Timing:
The specific dates and times when testing can occur (e.g., only during business hours or only after hours).

Data Handling:
How any sensitive data discovered during the test must be handled and destroyed.

Communication & Escalation:
Points of contact and procedures for reporting critical findings immediately.

Why the others are incorrect:

B) Rules of acceptance:
This is not a standard term in penetration testing or cybersecurity. It may be confused with "Acceptable Use Policy (AUP)" or "Terms of Acceptance," but it does not describe the procedures for a test.

C) Rules of understanding:
This is not a standard industry term for governing a penetration test. While mutual understanding is crucial, the specific, agreed-upon procedures are formally documented in the Rules of Engagement.

D) Rules of execution:
This is not a standard term. The phase where testing activities are carried out is simply called the "execution phase," but it is governed by the pre-established Rules of Engagement.

Reference:
This aligns with SY0-701 Objective 4.1 ("Given a scenario, analyze indicators of malicious activity"). While focused on analysis, the exam objectives require an understanding of the penetration testing process. The concept of Rules of Engagement is a foundational element in professional penetration testing frameworks and standards, such as those from NIST (e.g., SP 800-115) and the Penetration Testing Execution Standard (PTES), ensuring tests are conducted legally, safely, and with clear authorization.

Which of the following should an organization focus on the most when making decisions about vulnerability prioritization?

A. Exposure factor

B. CVSS

C. CVE

D. Industry impact

B.   CVSS

The Common Vulnerability Scoring System (CVSS) is a standardized metric used to assess the severity of vulnerabilities, aiding organizations in prioritizing their response based on risk.

Which of the following allows a systems administrator to tune permissions for a file?

A. Patching

B. Access control list

C. Configuration enforcement

D. Least privilege

B.   Access control list

Explanation:

Why B is Correct:
An Access Control List (ACL) is a specific, granular mechanism that defines which users or system processes are granted access to objects (like files), as well as what operations (read, write, execute) are allowed on those objects. "Tuning permissions" is the direct function of modifying an ACL. A systems administrator would use commands like chmod (on Linux) or edit the security properties (on Windows) to modify the ACL for a specific file, adding or removing user/group permissions as needed.

Why A is Incorrect:
Patching is the process of applying updates (patches) to software or firmware to fix security vulnerabilities and bugs. It is a critical security function but is unrelated to the day-to-day task of modifying file and folder permissions.

Why C is Incorrect:
Configuration enforcement is a broader policy or automated process that ensures systems adhere to a predefined security baseline (e.g., using tools like SCAP, Azure Policy, or AWS Config). It is used to check and maintain configurations across many systems, not to manually "tune" a single file's permissions.

Why D is Incorrect:
Least privilege is a core security principle, not a tool or mechanism. It is the concept that users and processes should only have the minimum levels of access necessary to perform their functions. A systems administrator would use an ACL (the mechanism) to implement the principle of least privilege on a file.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically covering the implementation of identity and access management controls. Understanding the difference between security principles (like least privilege) and the mechanisms that enforce them (like ACLs) is key for the SY0-701 exam.

Which of the following should a company use to provide proof of external network security testing?

A. Business impact analysis

B. Supply chain analysis

C. Vulnerability assessment

D. Third-party attestation

D.   Third-party attestation

Third-party attestation involves an external, independent party performing a network security assessment and providing documented proof, ensuring objectivity and compliance with regulatory or client requirements.

Which of the following is the best way to validate the integrity and availability of a disaster recovery site?

A. Lead a simulated failover.

B. Conduct a tabletop exercise.

C. Periodically test the generators.

D. Develop requirements for database encryption.

A.   Lead a simulated failover

Explanation:

Why A is Correct:
A simulated failover is the most comprehensive way to validate both the integrity (data consistency and accuracy) and availability (readiness and operational status) of a disaster recovery (DR) site. This test involves:

Integrity:
Verifying that data replicated to the DR site is complete, uncorrupted, and consistent with the primary site.

Availability:
Confirming that systems, networks, and applications at the DR site can be brought online successfully and perform as expected under simulated disaster conditions. This active test provides real-world validation that the DR site functions as intended, exposing any issues in replication, configuration, or operational procedures.

Why B is Incorrect:
A tabletop exercise is a discussion-based session where team members walk through hypothetical disaster scenarios. It is valuable for validating plans, roles, and communication strategies but does not actively test the technical functionality, integrity, or availability of the DR site itself.

Why C is Incorrect:
Periodically testing generators validates the power infrastructure of the DR site, which is a component of availability. However, it is a narrow test that does not address data integrity, application functionality, or overall system readiness for failover.

Why D is Incorrect:
Developing requirements for database encryption is a preventive security measure to protect data confidentiality. It is unrelated to validating the operational readiness (availability) or data correctness (integrity) of a DR site.

Reference:
This question falls under Domain 4.0: Operations and Incident Response, specifically covering disaster recovery testing strategies. The exam emphasizes the importance of active testing (e.g., failover simulations) to ensure DR sites meet recovery time objectives (RTO) and recovery point objectives (RPO), validating both integrity and availability.

A company is aware of a given security risk related to a specific market segment. The business chooses not to accept responsibility and target their services to a different market segment. Which of the following describes this risk management strategy?

A. Exemption

B. Exception

C. Avoid

D. Transfer

C.   Avoid

Explanation:
Avoid is the correct risk management strategy. This strategy involves eliminating the risk entirely by discontinuing the activity that introduces the risk. In this scenario, the company is aware of a security risk inherent to a specific market segment. By choosing not to accept responsibility and by targeting their services to a different market segment, they are completely avoiding the business activity that creates the risk. The risk is not mitigated, transferred, or accepted; it is sidestepped altogether by changing business operations.

Why the Other Options are Incorrect:

A. Exemption:
This is not a standard risk management strategy. An exemption is a release from a liability, duty, or rule granted by an authority, but it does not describe the proactive decision to change business operations to eliminate a risk.

B. Exception:
An exception in a security context typically refers to allowing a system or user to bypass a security control or policy. It is a form of risk acceptance for a specific case, not a broad strategy to change the business's target market.

D. Transfer:
Transferring risk involves shifting the financial burden of a risk to a third party, such as by purchasing cybersecurity insurance or outsourcing a risky operation through a contract. The company in this scenario is not transferring the risk; it is stopping the risky activity entirely. They are not making another party responsible for it; they are simply not engaging with it.

Reference:
This question falls under CompTIA SY0-701 Objective 5.4: "Explain the importance of policies to organizational security." Understanding and applying fundamental risk management strategies—Avoid, Transfer, Mitigate, Accept—is a core requirement for developing effective organizational policies and making informed business decisions.

A security analyst learns that an attack vector, used as part of a recent incident, was a well-known IoT device exploit. The analyst needs to review logs to identify the time of the initial exploit. Which of the following logs should the analyst review first?

A. Endpoint

B. Application

C. Firewall

D. NAC

C.   Firewall

Firewall logs provide details of all network traffic, including connections to and from IoT devices. They are typically the first source of evidence for identifying the time of an exploit.

An organization needs to monitor its users' activities to prevent insider threats. Which of the following solutions would help the organization achieve this goal?

A. Behavioral analytics

B. Access control lists

C. Identity and access management

D. Network intrusion detection system

A.   Behavioral analytics

Explanation:
Behavioral analytics (also known as User and Entity Behavior Analytics, UEBA) is specifically designed to address the insider threat problem. It works by establishing a baseline of normal activity for each user and system (entity). It then uses advanced analytics, machine learning, and statistical algorithms to continuously monitor and analyze user behavior in real time, looking for significant deviations from this established baseline.

Examples of activities it can detect that may indicate an insider threat include:
A user accessing sensitive data they have never needed before.

A user downloading large volumes of data outside of business hours.

Logging in from an unusual geographic location in a short timeframe.

Multiple failed access attempts followed by a successful one.

By identifying these anomalous behaviors early, the organization can investigate and potentially stop a malicious insider or compromised account before significant damage is done. This makes it the most direct and effective tool among the choices for monitoring activities to prevent insider threats.

Why the other options are incorrect:

B. Access control lists (ACLs):
ACLs are a preventive control that dictates what a user is permitted to access (e.g., which files, systems, or network resources). They are fundamental to security but are a static permissions tool. They do not monitor or analyze user activity; they only enforce access rules. An insider threat would already have legitimate access that they could misuse, which an ACL would not prevent or detect.

C. Identity and access management (IAM):
IAM is a framework of policies and technologies for ensuring the right individuals have the appropriate access to technology resources. It is crucial for provisioning and de-provisioning access (a preventive control) but is not primarily focused on the continuous monitoring of user activity after access has been granted. It manages who has access, not how they are using it.

D. Network intrusion detection system (NIDS):
A NIDS monitors network traffic for known attack signatures and patterns of malicious activity. It is excellent for detecting threats originating from outside the network (e.g., hackers) or malware beaconing out. However, it is generally ineffective against most insider threats because the malicious activity is conducted using legitimate credentials and often does not generate the malicious network traffic patterns a NIDS is designed to look for.

Exam Objective Reference:
This question relates to Domain 1.0: Threats, Attacks, and Vulnerabilities, specifically the concept of insider threats, and Domain 4.0: Operations and Incident Response, covering security solutions like User Behavior Analysis (UBA) for monitoring and detection.

Which of the following are the best security controls for controlling on-premises access? (Select two.)

A. Swipe card

B. Picture ID

C. Phone authentication application

D. Biometric scanner

E. Camera

F. Memorable

A.   Swipe card
D.   Biometric scanner

Explanation:
For controlling on-premises physical access, the best security controls are those that enforce authentication and authorization at entry points (e.g., doors, gates). These typically involve something you have (a physical token) and/or something you are (a biological trait):

A. Swipe card (or access card):
A physical token (something you have) that grants access when presented to a reader. It is widely used for its balance of security and convenience.

D. Biometric scanner (e.g., fingerprint, retina scan):
Uses unique biological traits (something you are) for high-assurance authentication. It is difficult to forge or share, making it effective for restricting access.

Why the others are incorrect:

B. Picture ID:
While useful for visual verification by security personnel, it relies on human judgment and is prone to forgery or social engineering. It is not an automated access control mechanism.

C. Phone authentication application:
This is typically used for logical access (e.g., multi-factor authentication for apps or systems), not physical access to facilities.

E. Camera:
A detective control used for surveillance and auditing, but it does not actively prevent or control access. It records events after they occur.

F. Memorable (e.g., passwords/PINs):
Used for logical access (something you know), not physical access. PINs are sometimes combined with cards but are weaker alone due to sharing or guessing risks.

Reference:
This aligns with Domain 5.5: Explain the importance of physical security controls. Physical access controls often combine multiple factors (e.g., card + biometric) to enhance security, as outlined in best practices for protecting facilities and critical infrastructure.
