Jane, a database administrator at Dion Training, wants to ensure that a file has not changed since the last time she uploaded it to her cloud storage. She has created an SHA-256 hash digest of the file and will compare the stored file's hash digest against the one she calculated when she initially uploaded the file. Which of the following pillars of the CIANA pentagon is she focused on?
Integrity
Vikas, a developer at Dion Training, just digitally signed the company's new app before releasing it in the App Store. Before the app is installed, the user's device will validate the digital signature to ensure that it was actually developed and uploaded by Dion Training. Which of the following pillars of the CIANA pentagon is she focused on?
Non-repudiation
Jason, an instructor at Dion Training, is logging into the company's exam application to write some new questions for the CompTIA Security+ exam. He enters his username/password at the login prompt and then receives a one-time code on his smartphone that he enters to validate his identity. Which of the following pillars of security was he focused on when performing this action?
Authentication
David, the CTO of Dion Training, just sent out a new policy that will require all of the company's users to reset their password every 60 days using a long, strong, and complex password. Which of the following types of security controls best classifies this policy?
Directive
Christle, a student support manager at Dion Training, is logging into the company's exam voucher application to help a student schedule their CompTIA Security+ exam. Even though she is already connected to the corporate network, the application asks her to validate her identity by sending her a one-time code on her smartphone that she enters to validate her identity. Which of the following security concepts is being utilized by the company's architecture?
Zero trust
Which of the following is a primary motivation for a hacktivist threat actor?
Ideological beliefs
Which attribute of a threat actor indicates the amount of financial, technological, and human resources they can use for their operations?
Their resource level
Which of the following threat actors operates primarily based on financial motivations and is considered to be highly structured and sophisticated in their attacks?
Organized crime
Which type of threat actor would BEST describe a disgruntled employee who may exploit their legitimate access for malicious purposes?
Insider threat
Which deceptive technology is a piece of data or a system entity that exists solely to alert the organization when someone accesses it?
Honeytoken
Jennifer, a facilities manager at Dion Training, wants to prevent unauthorized vehicles from getting too close to the building and ramming into it. Which of the following physical security control measures should they utilize to achieve this?
Bollards
Jacob, a security manager at Dion Training, wants to protect a sensitive server room against unauthorized physical access without relying on electronic locking mechanisms. Which of the following door locks should they utilize to achieve this?
Cipher lock
Jonni, a security manager at Dion Training, wants to implement a physical security control measure at the main entrance of their new corporate headquarters. Their primary objective is to authenticate individuals in a space between two sets of doors to help prevent tailgating by ensuring that unauthorized persons don't follow authorized individuals inside. Which of the following security controls should he implement to best achieve this?
Access control vestibule
Sheryl, a penetration tester at Dion Training, wants to break into the RFID-protected server room. She sees Mazen sitting in a coffee shop, so she briefly places her purse near Mazen's backpack. Later, she uses a device from her purse to access the server room. She receives a message stating, "Welcome, Mazen" when she authenticates with the RFID-based lock using the device. Which of the following types of attacks did she utilize to gain access to the server room?
Access badge cloning
Which of the following sensors is used to detect changes in environmental heat that is typically emitted by warm bodies such as humans or animals?
Infrared sensors
Which of the following types of phishing attacks is used to specifically target high-level executives or important officials within an organization?
Whaling
During an anti-phishing campaign, what primary action should a company take after simulating a successful phishing attack on its employees?
Provide remedial training to employees who fell for the attack
Which social engineering technique involves searching through a target's trash or discarded items to obtain sensitive or valuable information?
Dumpster diving
Which social engineering attack involves an attacker creating a fabricated scenario to manipulate or deceive someone into divulging confidential information?
Pretexting
Which of the following is a common motivational trigger used in social engineering attacks to manipulate victims to act or respond without taking time to think about the consequences?
Urgency
Which of the following best describes a Trojan?
A Trojan is a malicious program disguised as legitimate software.
Which of the following is designed to give cybercriminals access to a system that can carry out malicious tasks, such as distributed denial-of-service (DDoS) attacks or to spread malware, without the user's knowledge?
Zombie
Which of the following is a type of malware that operates behind the scenes to deliver ads or track user activity?
Spyware
Which of the following BEST describes what a rootkit is used for?
Encrypt user files and demand payment for decryption
Hide malware activities and maintain privileged access to a system
Log the user's keystrokes to steal their credentials
Replicate themselves across networks without human intervention
A rootkit is used to hide malware activities while maintaining privileged access to the system.
Which of these is a common indication of a malware attack?
Fewer logs than usual during peak hours
Which of the following data classifications is typically accessible by anyone and is not harmful if disclosed?
Public
Dion Training Solutions is revising its data governance approach to align with GDPR and other regulatory standards. They have designated Samantha, the Vice President of Operations, to determine data classification and access control. David, the Compliance Officer, ensures all data processing complies with legal standards. Rachel, an IT Services Partner, handles the processing of client data on cloud servers. Lastly, Mike, the Head of the IT Department, is in charge of data storage, transportation, and security policy enforcement. Based on these details, identify who among them fills the roles of data owner, data controller, data processor, and data custodian.
Samantha is the data owner, David is the data controller, Rachel is the data processor and Mike is the data custodian
Which of the following is NOT a recognized state of data in the context of data security?
Data in flux
Which type of data refers to any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual?
Protected Health Information (PHI)
Dion Training is exploring Data Loss Prevention (DLP) systems. They want a system that will protect data while it is at rest on their on-premises server, using encryption or a watermark. Which type of DLP system should they utilize?
Storage DLP
Jennifer, a network administrator at Dion Training, wants to ensure that a secret communication between two servers remains confidential using a single key for both encryption and decryption processes. Which of the following should they utilize?
AES
Robert, a system engineer at Dion Training, wants to securely exchange cryptographic keys over a public channel to initiate encrypted communications with another department. Which of the following should they utilize?
Diffie-Hellman
Samantha, a cybersecurity analyst at Dion Training, wants to use the most secure hashing algorithm for ensuring the integrity of sensitive documents. Which of the following should she utilize?
SHA-256
Rebecca, a digital forensics expert at Dion Training, wants to discreetly embed a message within an image file without noticeably altering its apparent appearance or structure. Which of the following techniques should she utilize?
Steganography
Miguel, a cybersecurity specialist at Dion Training, is concerned about the potential threats that the evolving technologies, like qubit-powered computers, might pose to the company's current encryption algorithms and cryptographic implementation methods. Which of the following solutions should he explore to ensure future cryptographic resilience?
Post-quantum Cryptographic Algorithm
John is the owner of a small construction company. He recently signed a contract for a new project. The contract includes a clause stating that John's company will be responsible for any damages that occur during the construction process. As a result, John has decided to purchase insurance that will cover the cost of any damage that might occur during the construction process. Which risk management strategy is John using?
Risk Transference
Solarflare, an energy company, has identified a risk that, if it occurs, could halt their production line. They have determined that they can tolerate a disruption of up to 3 hours before it severely impacts their operations. Which of the following metrics does this scenario represent?
Recovery Time Objective (RTO)
What does the term 'Risk Appetite' refer to?
The amount of residual risk an organization is willing to accept
You are managing a construction project and a potential risk is the delay in delivery of critical materials. The likelihood of this risk is high and the impact is also high. What would be an appropriate mitigation strategy based on Qualitative Risk Analysis?
Secure multiple vendors
You are managing a company's IT infrastructure. One of your servers, valued at $20,000, has an Exposure Factor (EF) of 60% in the event of a crash. The server crashes once every five years.
What is the Annualized Loss Expectancy (ALE) for this server?
$2,400
Sarah, a compliance officer at Dion Training, is hiring a consultant. She wants to ensure that the consultant doesn't share information about the proprietary project he is being hired to complete. Which of the following should she utilize?
NDA
Jamie, a procurement manager at Dion Training, wants to ensure the quality, timelines, and scope of the services provided by a new third-party vendor. Which of the following should they utilize?
SLA
Alex, a project manager at Dion Training, wishes to provide details about specific tasks, deliverables, and timelines for a project so the vendor they hire will have a complete picture of the project. Which of the following should they utilize?
SOW
Samuel, an operations director at Dion Training, wants to hire his brother's company to provide security for Dion Training. He is told this is a bad idea. Which of the following would be the main problem with hiring his brother's company?
There would be a potential conflict of interest for Samuel
Which of the following is the BEST way for companies to limit the risks of using third-party vendors?
Conduct Due Diligence
Which of the following best describes the role of governance in an organization's IT operations?
Board of Directors
Which of the following policies outlines the steps an organization will take to continue its critical operations during and after a disruption or disaster?
Business Continuity Policy
Which of the following is NOT typically a part of physical security standards in an organization?
Regular software updates
Which of the following procedures involves tasks such as retrieving company property, disabling access to systems, and conducting exit interviews?
Offboarding
Which of the following is an example of a global governance consideration?
A European regulation affecting data collection practices worldwide
Which of the following terms best describes the requirement to comply with laws and regulations applicable to an organization's operations?
Regulatory considerations
Which of the following is a punitive measure taken by regulatory bodies to enforce compliance in the IT and cybersecurity world?
Sanctions
Jane, a business development manager at Dion Training, is working on finalizing an order for 50 courses and exam vouchers by one of the company's larger clients. This order would have an approximate cost of $25,000 and will be delivered to the company within the next 30 days. Which of the following should she expect to receive from the client to pay for these courses and exam vouchers?
Purchase order
David, an IT manager at Dion Training, wants to deploy mobile devices to employees while maintaining a high level of control and standardization, but also wants to give employees some choice in the type of device they use. Which of the following deployment models should he choose?
CYOD
Julia, a Data Security Analyst at Dion Training, wants to ensure that data on an old hard drive is made inaccessible and irretrievable, while still allowing the device to be reused. Which of the following should she use to accomplish this?
Cryptographic Erase
Maria, a Change Manager at Dion Training, wants to evaluate the consequences of a proposed change before she provides her approval. Which of the following should she utilize to accomplish this?
Impact Analysis
Fahad, a Network Administrator at Dion Training, is proposing to implement a new critical security patch for the company's main server during an upcoming scheduled maintenance window to patch a security vulnerability in the print spooler. The print server involved in this change is actively used by employees throughout the company and the change must be validated after being implemented to ensure that the security patch was correctly applied. Which of the following technical implications would be most important for him to consider before the change is scheduled and approved for implementation?
Service restarts
Which of the following is NOT typically a part of an internal IT audit?
Reviewing the organization's password policies.
Identifying potential threats to the organization's information systems.
Which type of penetration testing involves a proactive and aggressive approach to uncover as many vulnerabilities as possible?
Offensive
Jonathan, a penetration tester at Dion Training, has been asked to conduct reconnaissance for an upcoming penetration test. He was given little to no information about the target. Which of the following types of environments will Jonathan be conducting his penetration test on?
Unknown Environment
Which of the following would provide an attestation of their findings when conducting a penetration test for an organization that must prove they are in compliance with HIPAA regulations?
An external assessor
Which of the following terms refers to an evaluation conducted by an external organization that is not affiliated with the entity being evaluated and is often to ensure compliance with specific standards or regulations?
A third-party audit
Juan, a network administrator at Dion Training, wants to build a backup facility that is partially equipped with hardware and infrastructure to minimize downtime in case of a disaster. Which of the following types of redundant sites should they utilize?
Warm site
In preparing their disaster response strategy, the emergency management team at Dion Training wants to facilitate a scenario-based discussion among key stakeholders to evaluate their crisis preparedness and decision-making abilities without the need for deploying actual resources. Which of the following testing methods should they employ?
Tabletop exercise
Which of the following backup methods involves creating point-in-time copies of data in a storage system to capture its state at specific moments to help facilitate data recovery and system consistency?
Snapshots
Which power backup technology typically provides a longer duration of power supply during extended outages and is often used as a primary source of backup power for critical systems, such as data centers?
Propane generator
Emile, a system administrator at Dion Training, wants to optimize both the performance and data redundancy of the company's critical data storage solution. Which of the following RAID configurations should they utilize?
RAID 10
Which term in cloud computing refers to the speed at which the system can adapt to changes in demand, which is important for businesses to ensure a smooth customer experience?
Responsiveness
Which concept refers to the shifting of some risks from the customer to the cloud service provider?
Risk Transference
Which of the following is a solution to mitigate shared physical server vulnerabilities?
Implementing strong isolation mechanisms
What is a crucial step in preventing inadequate user access management?
Enforcing strong password policies
Which of the following statements about virtualization and containerization is NOT correct?
Type 1 hypervisors operate within a standard operating system, such as Windows, Mac or Linux
Which of the following is NOT a benefit of serverless computing?
Easier testing and debugging
Which of the following is a challenge in microservices architecture?
Network Latency
Which of the following is NOT a method of achieving logical separation in network infrastructure?
Physically disconnecting a system from other networks
Which of the following best describes the role of the control plane in Software-Defined Networking (SDN)?
It decides where traffic is sent across the network
What is a significant challenge in securing embedded systems?
Inability to Patch
In an Internet of Things (IoT) ecosystem, which component serves as the central point that connects all IoT devices and enables them to communicate?
Hub/Control System
Which of the following best describes a non-idempotent operation in the context of Infrastructure as Code (IaC)?
An operation that produces different results each time it is executed
Which of the following scenarios best illustrates a potential risk associated with a decentralized architecture?
The remote work arrangement exposes the network to additional threats, as each remote connection is a potential entry point for cybercriminals
Which system is typically used for geographically dispersed industrial processes?
SCADA
Lucia, a security analyst at Dion Training, wants a comprehensive solution that integrates various security features for her company's network, including antivirus, anti-spam, firewall, and intrusion detection capabilities in a single network appliance. Which of the following types of firewalls should she utilize to accomplish this?
UTM
Satoshi, a network administrator at Dion Training, wants to mediate requests from clients seeking resources from other servers by helping to simplify requests, improve performance, and filter content. Which of the following should he utilize to accomplish this?
Proxy server
Priya, a network engineer at Dion Training, wants to improve the management and operation of a wide area network by decoupling the networking hardware from its control mechanism. Which of the following should she utilize to accomplish this?
SD-WAN
Rajesh, a security specialist at Dion Training, wants to install an IDS or IPS so that it can actively block and prevent malicious traffic from entering a screened subnet in real time. Which of the following should he do to accomplish this?
Install the IPS as an in-line device
Ling, a cybersecurity consultant at Dion Training, wants to select some effective security controls by prioritizing and implementing the controls based on the specific vulnerabilities and threats that the enterprise infrastructure is facing. Which of the following principles of effective control selection should they emphasize to more effectively use their limited resources while providing the best protection for the organization's infrastructure?
Risk-based Approach
Helena, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which type of attack was being used by a threat actor. The alert details an incident where an attacker exploited a timing vulnerability that caused the system to process operations out of the intended sequence, allowing unauthorized actions. Which of the following BEST describes this type of attack?
Race Condition
Liam, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which type of attack was being attempted by a threat actor. The following line in the log file appears to be suspicious:
2023-11-02 14:23:56 [IP:192.168.1.101] [ERROR] User login failed for username: 'admin' OR '1'='1';
Which of the following BEST describes the type of attack attempted by this threat actor?
SQL injection
Sasha, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which type of attack was being used by a threat actor. The alert details an incident where an attacker sent unsolicited messages to a user's smartphone via Bluetooth without any evidence of taking control of the device. Which of the following BEST describes this type of attack?
Bluejacking
Cristian, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which type of attack was being used by a threat actor. The alert details an incident where an attacker deliberately inputs an excessive amount of data into an application's buffer to try and cause the system to crash and potentially allow for the execution of arbitrary code. Which of the following BEST describes this type of attack?
Buffer Overflow
Jonathan, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which type of attack was being used by a threat actor. The alert details an incident where an attacker inserted malicious scripts into input fields on a website, which were then executed in the browser of any user viewing that data. Which of the following BEST describes this type of attack?
Cross-site Scripting
Susan, a cybersecurity analyst at Dion Training, is analyzing a security alert and trying to determine which technique can enhance security by ensuring that only explicitly approved applications are allowed to run on a system. Which of the following BEST describes this technique?
Application Restriction
Sahra, a cybersecurity analyst at Dion Training, is reviewing a system's configurations and notices several software processes running that are not required for essential functionality. Which of the following actions should she take to enhance security?
Disable Unnecessary Services
Margo, a cybersecurity engineer at Dion Training, is tasked with establishing a safe starting point for the configurations of computer systems and networks. Which of the following BEST describes what she is aiming to create?
Secure Baselines
Roberto, a cybersecurity analyst at Dion Training, is responsible for maintaining the security and functionality of computer systems by systematically identifying, testing, deploying, and monitoring software updates. Which of the following BEST describes his responsibility?
Patch Management
Sonia, a cybersecurity analyst at Dion Training, is implementing a set of rules and configurations in a Windows environment to centrally manage and control user and computer settings. Which of the following BEST describes what she is configuring?
Secure Baselines
Which of the following answers can be used to describe technical security controls?
1) Sometimes called logical controls, 2) Executed by computer systems instead of people, 3) Implemented with technology
Which of the answers listed below refer to examples of technical security controls?
Encryption, IDS, Firewall
Which of the following answers refer to the characteristic features of managerial security controls?
1) Also known as administrative controls, 2) Focused on reducing the risk of security incidents, 3) Documented in written policies
Examples of managerial security controls include:
Organizational security policy, risk assessments and security awareness training