A company tested and validated the effectiveness of network security appliances within the corporate network. The IDS detected a high rate of SQL injection attacks against the company's servers, and the company's perimeter firewall is at capacity. Which of the following would be the best action to maintain security and reduce the traffic to the perimeter firewall?
A. Set the appliance to IPS mode and place it in front of the company firewall.
B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput.
C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.
D. Configure the firewall to perform deep packet inspection and monitor TLS traffic.
Correct Answer: A
Given the scenario where an Intrusion Detection System (IDS) has detected a high rate of SQL injection attacks and the perimeter firewall is at capacity, the best action would be to set the appliance to Intrusion Prevention System (IPS) mode and place it in front of the company firewall. This approach has several benefits:
Intrusion Prevention System (IPS): Unlike IDS, which only detects and alerts on malicious activity, IPS can actively block and prevent those activities. Placing an IPS in front of the firewall means it can filter out malicious traffic before it reaches the firewall, reducing the load on the firewall and enhancing overall security.
Reducing Traffic Load: By blocking SQL injection attacks and other malicious traffic before it reaches the firewall, the IPS helps maintain the firewall's performance and prevents it from becoming a bottleneck.
Enhanced Security: The IPS provides an additional layer of defense, identifying and mitigating threats in real time.
Option B (Convert the firewall to a WAF and use IPSec tunnels) would not address the primary issue of reducing traffic to the firewall effectively. Option C (Set the firewall to fail open) would compromise security. Option D (Deep packet inspection) could be resource-intensive and might not alleviate the firewall capacity issue effectively.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 2.5 - Mitigation techniques used to secure the enterprise.
Question 62:
An organization is adopting cloud services at a rapid pace and now has multiple SaaS applications in use. Each application has a separate log-in, so the security team wants to reduce the number of credentials each employee must maintain. Which of the following is the first step the security team should take?
A. Enable SAML
B. Create OAuth tokens.
C. Use password vaulting.
D. Select an IdP
Correct Answer: D
The first step in reducing the number of credentials each employee must maintain when using multiple SaaS applications is to select an Identity Provider (IdP). An IdP provides a centralized authentication service that supports Single Sign-On (SSO), enabling users to access multiple applications with a single set of credentials.
Enabling SAML would be part of the technical implementation but comes after selecting an IdP.
OAuth tokens are used for authorization, but selecting an IdP is the first step in managing authentication.
Password vaulting stores multiple passwords securely but doesn't reduce the need for separate logins.
Question 63:
A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to download a file. Which of the following is the most likely reason the download was blocked?
A. A misconfiguration in the endpoint protection software
B. A zero-day vulnerability in the file
C. A supply chain attack on the endpoint protection vendor
D. Incorrect file permissions
Correct Answer: A
The most likely reason the download was blocked, resulting in a false positive, is a misconfiguration in the endpoint protection software. False positives occur when legitimate actions are incorrectly identified as threats due to incorrect settings or overly aggressive rules in the security software.
Misconfiguration in the endpoint protection software: A common cause of false positives, where legitimate activities are flagged incorrectly due to improper settings.
Zero-day vulnerability: Refers to previously unknown vulnerabilities, which are less likely to be associated with a false positive.
Supply chain attack: Involves compromising the software supply chain, which is a broader and more severe issue than a simple download being blocked.
Incorrect file permissions: Would prevent access to files but not typically cause an alert in endpoint protection software.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 4.3 - Explain various activities associated with vulnerability management (False positives).
Question 64:
Which of the following best represents an application that does not have an on-premises requirement and is accessible from anywhere?
A. PaaS
B. Hybrid cloud
C. Private cloud
D. IaaS
E. SaaS
Correct Answer: E
Software as a Service (SaaS) represents an application that is hosted in the cloud and accessible via the internet from anywhere, with no requirement for on-premises infrastructure. SaaS applications are managed by a third-party provider, allowing users to access them through a web browser, making them highly scalable and flexible for remote access.
References:
CompTIA Security+ SY0-701 Course Content: Domain 3: Security Architecture, where cloud service models such as SaaS are discussed, highlighting their accessibility and lack of on-premises requirements.
Question 65:
Which of the following would be used to detect an employee who is emailing a customer list to a personal account before leaving the company?
A. DLP
B. FIM
C. IDS
D. EDR
Correct Answer: A
To detect an employee who is emailing a customer list to a personal account before leaving the company, a Data Loss Prevention (DLP) system would be used. DLP systems are designed to detect and prevent unauthorized transmission of sensitive data.
DLP (Data Loss Prevention): Monitors and controls data transfers to ensure sensitive information is not sent to unauthorized recipients.
FIM (File Integrity Monitoring): Monitors changes to files to detect unauthorized modifications.
IDS (Intrusion Detection System): Monitors network traffic for suspicious activity but does not specifically prevent data leakage.
EDR (Endpoint Detection and Response): Monitors and responds to threats on endpoints but is not specifically focused on data leakage.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 4.5 - Modify enterprise capabilities to enhance security (Data Loss Prevention).
Question 66:
Which of the following risks can be mitigated by HTTP headers?
A. SQLi
B. XSS
C. DoS
D. SSL
Correct Answer: B
HTTP headers can be used to mitigate risks associated with Cross-Site Scripting (XSS). Security-related HTTP headers such as Content Security Policy (CSP) and X-XSS-Protection can be configured to prevent the execution of malicious scripts in the context of a web page.
XSS (Cross-Site Scripting): A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. HTTP headers like CSP help prevent XSS attacks by specifying which dynamic resources are allowed to load.
SQLi (SQL Injection): Typically mitigated by using parameterized queries and input validation, not HTTP headers.
DoS (Denial of Service): Mitigated by network and application-level defenses rather than HTTP headers.
SSL (Secure Sockets Layer): Refers to securing communications and is not directly mitigated by HTTP headers; rather, it's implemented using SSL/TLS protocols.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 3.3 - Protect data (HTTP headers for securing web applications).
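As an added illustration of the CSP point above (example code written for this page, not part of the original question bank), the following checks a set of response headers for the script-source restrictions that actually limit XSS. The header values are constructed samples; `assess_xss_headers` and `parse_csp` are hypothetical names.

```python
# Constructed sample response headers for three hypothetical web apps.
SAMPLE_HEADERS = {
    "app-a": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
        "X-Content-Type-Options": "nosniff",
    },
    "app-b": {
        "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    },
    "app-c": {
        # Legacy header only: modern browsers ignore it, so no real XSS mitigation.
        "X-XSS-Protection": "1; mode=block",
    },
}


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_xss_headers(headers):
    """Return findings about script-execution controls; an empty list means the
    CSP limits scripts to an allow-list without 'unsafe-inline'.
    (Nonce/hash sources, which override 'unsafe-inline' in CSP3, are not modelled.)"""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
        if "x-xss-protection" in h:
            findings.append("relies on legacy X-XSS-Protection only")
        return findings
    policy = parse_csp(csp)
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src:
        findings.append("no script-src or default-src directive")
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script_src:
        findings.append("script-src allows any origin (*)")
    return findings
```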
Question 67:
A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be implemented to allow for this type of access? (Select two).
A. SSH
B. SNMP
C. RDP
D. S/MIME
E. SMTP
F. SFTP
Correct Answer: AF
Secure Shell (SSH) is a protocol used for secure command-line access to remote systems, while Secure File Transfer Protocol (SFTP) is an extension of SSH used specifically for securely transferring files. Both SSH and SFTP ensure that data is encrypted during transmission, protecting it from interception or tampering.
References:
CompTIA Security+ SY0-701 Course Content: Domain 03 Security Architecture. CompTIA Security+ SY0-601 Study Guide: Chapter on Secure Protocols and Encryption.
Question 68:
Which of the following describes the category of data that is most impacted when it is lost?
A. Confidential
B. Public
C. Private
D. Critical
Correct Answer: D
The category of data that is most impacted when it is lost is "Critical." Critical data is essential to the organization's operations and often includes sensitive information such as financial records, proprietary business information, and vital operational data. The loss of critical data can severely disrupt business operations and have significant financial, legal, and reputational consequences.
Confidential: Refers to data that must be protected from unauthorized access to maintain privacy and security.
Public: Refers to data that is intended for public disclosure and whose loss does not have severe consequences.
Private: Typically refers to personal data that needs to be protected to ensure privacy.
Critical: Refers to data that is essential for the operation and survival of the organization, and its loss can have devastating impacts.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 5.2 - Risk management (Critical data identification and impact analysis).
Question 69:
A network administrator deployed a DNS logging tool that logs suspicious websites that are visited and then sends a daily report based on various weighted metrics. Which of the following best describes the type of control the administrator put in place?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Correct Answer: D
The tool that the network administrator deployed is described as one that logs suspicious websites and sends a daily report based on various weighted metrics. This fits the description of a detective control. Detective controls are designed to identify and log security events or incidents after they have occurred. By analyzing these logs and generating reports, the tool helps in detecting potential security breaches, thus allowing for further investigation and response.
References: Based on the CompTIA Security+ SY0-701 Resources, specifically under the domain of Security Operations, which discusses different types of security controls, including detective controls.
Question 70:
Callers speaking a foreign language are using company phone numbers to make unsolicited phone calls to a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation?
A. The executive team is traveling internationally and trying to avoid roaming charges
B. The company's SIP server security settings are weak.
C. Disgruntled employees are making calls to the partner organization.
D. The service provider has assigned multiple companies the same numbers
Correct Answer: B
If callers are using company phone numbers to make unsolicited calls, and the logs confirm the numbers are not being spoofed, it suggests that the SIP (Session Initiation Protocol) server's security settings might be weak. This could allow unauthorized access or exploitation of the company's telephony services, potentially leading to misuse by unauthorized individuals.
References: CompTIA Security+ SY0-701 study materials, especially on SIP security and common vulnerabilities.