Practice Free SY0-701 Exam Online Questions
An administrator discovers that some files on a database server were recently encrypted. The administrator sees from the security logs that the data was last accessed by a domain user.
Which of the following best describes the type of attack that occurred?
- A . Insider threat
- B . Social engineering
- C . Watering-hole
- D . Unauthorized attacker
A
Explanation:
An insider threat is an attack that originates from someone who has legitimate access to an organization's network, systems, or data. In this case, the domain user who last accessed the files before they were encrypted is treated as an insider threat: a legitimate account's access privileges were used to cause harm to the organization. Insider threats can be motivated by various factors, such as financial gain, revenge, espionage, or sabotage. A caveat for real investigations: the log shows only which account was used, not who was at the keyboard, and the same evidence is produced when an external attacker runs ransomware with stolen credentials, so an analyst would verify the account's activity (logon source, time of day, unusual tooling) before concluding the user acted deliberately. For exam purposes, a legitimate domain user's access being used to encrypt data points to insider threat.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 1: General Security Concepts, page 251. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 1: General Security Concepts, page 252.
A penetration tester visits a client’s website and downloads the site’s content.
Which of the following actions is the penetration tester performing?
- A . Unknown environment testing
- B . Vulnerability scan
- C . Due diligence
- D . Passive reconnaissance
D
Explanation:
The described activity, visiting a website and downloading its publicly accessible content, is the exam's classic example of passive reconnaissance. Passive reconnaissance means gathering information about a target from what it already exposes, without probing its systems for weaknesses or sending the kind of scanning traffic that security monitoring is tuned to flag.
According to SY0-701, passive recon draws on open-source intelligence (OSINT), such as:
- Public websites
- DNS records
- News articles
- Metadata
- Public document repositories
The key distinction is that passive reconnaissance does not probe the system for vulnerabilities, nor does it send active scanning traffic. One caveat worth keeping in mind in practice: fetching a site's pages does send requests to the client's web server and will appear in its access logs, so the activity is passive in the exam's sense of not testing the target, not in the sense of being invisible; sources such as search-engine caches, certificate transparency logs and archived copies avoid touching the target at all.
Vulnerability scanning (B) requires active probing. Unknown environment testing (A) describes black-box testing as a whole and may still involve active scanning. Due diligence (C) refers to risk assessment or compliance reviews, not technical reconnaissance.
Therefore, downloading the website's content is a non-intrusive information-gathering technique, matching passive reconnaissance as defined in the exam materials under Threats, Vulnerabilities, Attack Vectors, and Pen Testing Phases.
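What a tester actually does with downloaded site content is mine it for OSINT. The following script is an added example, not material from the exam page or CompTIA: it parses a constructed HTML page (example.com and its subdomains are placeholders) and records the artifacts passive reconnaissance is after, namely email addresses, hostnames under the client's domain referenced by links, a technology hint from the generator meta tag, and developer comments left in the markup.

```python
"""Pull OSINT out of website content saved during passive reconnaissance.

Added example, not part of the exam page. Given HTML already downloaded from a
client's public site, it records what a tester would note: email addresses,
hostnames the site links to under the client's domain, technology hints from
<meta> tags, and developer comments. The HTML below is constructed;
example.com and its subdomains are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 6.4">
<title>Example Corp</title>
<!-- TODO: remove old admin link before launch -->
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<a href="https://intranet.example.com/portal">Staff portal</a>
<a href="https://example.com/about">About</a>
<a href="mailto:jane.doe@example.com">Contact</a>
<p>Support: support@example.com</p>
<!-- staging: https://staging.example.com -->
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class OsintParser(HTMLParser):
    """Collect link targets, <meta> name/content pairs and HTML comments."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.meta = {}
        self.comments = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for key in ("href", "src"):
            if attrs.get(key):
                self.links.append(attrs[key])
        if tag == "meta" and attrs.get("name") and attrs.get("content"):
            self.meta[attrs["name"].lower()] = attrs["content"]

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_osint(html, target_domain):
    """Return the in-scope hosts, emails, generator tag and comments found in the page."""
    parser = OsintParser()
    parser.feed(html)
    parser.close()
    # URLs inside comments are often the most interesting (staging, admin, old hosts).
    candidates = parser.links + URL_RE.findall("\n".join(parser.comments))
    hosts = set()
    for url in candidates:
        host = urlparse(url).hostname  # None for mailto: and relative links
        if host and (host == target_domain or host.endswith("." + target_domain)):
            hosts.add(host)
    return {
        "hosts": sorted(hosts),
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "generator": parser.meta.get("generator"),
        "comments": parser.comments,
    }


if __name__ == "__main__":
    for key, value in extract_osint(SAMPLE_HTML, "example.com").items():
        print(f"{key}: {value}")
```

Hostnames are filtered to the client's domain so that third-party CDNs and analytics hosts do not inflate the scope; the generator tag and version string are exactly the sort of detail that later feeds vulnerability research without any active probing.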
Which of the following security concepts is accomplished with the installation of a RADIUS server?
- A . CIA
- B . AA
- C . ACL
- D . PEM
B
Explanation:
RADIUS is an AAA protocol: it centralises authentication, authorization and accounting for network access devices such as VPN concentrators, wireless controllers and 802.1X-capable switches, which forward credentials to the RADIUS server instead of holding their own user database. Option B appears to be a truncated "AAA". CIA (A) is the confidentiality, integrity and availability triad, an ACL (C) is an access control list, and PEM (D) is an encoding format for certificates and keys; none of these is what a RADIUS server provides.
A security analyst is assessing several company firewalls.
Which of the following tools would the analyst most likely use to generate custom packets to use during the assessment?
- A . hping
- B . Wireshark
- C . PowerShell
- D . netstat
A
Explanation:
hping (hping3) is a command-line packet generator that lets the assessor build TCP, UDP, ICMP and raw IP packets field by field: source and destination ports, TCP flags, TTL, fragmentation, sequence numbers and payload. That makes it the right tool for observing how a firewall handles traffic a normal client would never send, for example a SYN to a filtered port, an unusual flag combination such as FIN/PSH/URG, or a fragmented packet. Wireshark (B) captures and decodes traffic but does not craft it; PowerShell (C) is a general-purpose shell, and while Test-NetConnection can open a TCP connection it cannot set individual header fields; netstat (D) only lists local sockets and connections.
Reference = CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations.
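To make concrete what "generate custom packets" means, here is an added example (not from the exam page) that assembles an hping-style FIN/PSH/URG probe in pure Python, computes both the IPv4 and TCP checksums, and parses the result back to verify it. The addresses are RFC 5737 documentation ranges, the hping3 command in the docstring is the roughly equivalent invocation, and actually transmitting the packet would need a raw socket with root privileges, which is deliberately left out so the file runs anywhere.

```python
"""Craft a custom TCP/IP probe the way hping does.

Added example, not from the exam page. hping lets an assessor set every
header field by hand (flags, ports, TTL, sequence numbers) so a firewall's
behaviour can be observed for packets a normal TCP stack never sends, such
as a FIN/PSH/URG ("Xmas") probe. This builds such a packet, including both
checksums, and parses it back. Sending it needs a raw socket (root) and is
left out so the file runs anywhere. Addresses are RFC 5737 placeholders.
Roughly equivalent hping3 command: hping3 -F -P -U -p 443 198.51.100.20
"""
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header with the requested flag set and a correct checksum."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4  # 5 words = 20 bytes, no options
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flag_bits, window, 0, 0)
    # TCP checksum covers a pseudo-header of addresses, protocol and length.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(header)))
    return header[:16] + struct.pack("!H", checksum(pseudo + header)) + header[18:]


def build_ipv4_packet(src_ip, dst_ip, payload, ttl=64, ident=0x1234):
    """IPv4 header (no options) around the payload, header checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                         socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def parse_packet(packet):
    """Decode the fields worth checking on the wire and verify both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    sport, dport, seq, _ack, _off, flag_bits, window = struct.unpack("!HHIIBBH", tcp[:16])
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(ip_hdr[12:16]),
        "dst": socket.inet_ntoa(ip_hdr[16:20]),
        "ttl": ip_hdr[8],
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "window": window,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "tcp_checksum_ok": checksum(pseudo + tcp) == 0,
    }


def xmas_probe(src_ip="192.0.2.10", dst_ip="198.51.100.20", sport=40000, dport=443):
    """Full FIN/PSH/URG probe (IPv4 + TCP), ready to hand to a raw socket."""
    segment = build_tcp_segment(src_ip, dst_ip, sport, dport, ["FIN", "PSH", "URG"])
    return build_ipv4_packet(src_ip, dst_ip, segment)


if __name__ == "__main__":
    pkt = xmas_probe()
    print(pkt.hex())
    print(parse_packet(pkt))
```

The useful part for a firewall assessment is that every field is under the assessor's control: swap the flag list for ["SYN"] to test a plain filtered-port case, change the TTL to see where a packet is dropped, or send a packet with a deliberately bad checksum to check whether the firewall validates it before forwarding.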
Which of the following is the best reason to perform a tabletop exercise?
- A . To address audit findings
- B . To collect remediation response times
- C . To update the IRP
- D . To calculate the ROI
C
Explanation:
A tabletop exercise simulates incident scenarios to test and validate the effectiveness of an organization’s Incident Response Plan (IRP), identifying gaps and areas needing updates. It promotes team readiness without disrupting operations.
Addressing audit findings (A), collecting remediation times (B), and calculating ROI (D) are separate activities and not the primary purpose of tabletop exercises.
This practice is an integral part of Security Operations and Incident Response training in SY0-701 (CompTIA Security+ Study Guide, Chapter 14).
An organization has too many variations of a single operating system and needs to standardize the arrangement prior to pushing the system image to users.
Which of the following should the organization implement first?
- A . Standard naming convention
- B . Hashing
- C . Network diagrams
- D . Baseline configuration
D
Explanation:
A baseline configuration is the agreed, documented set of configuration settings that every instance of a system or network device must match. In this scenario, the organization needs to standardize the operating system configurations before deploying them, so establishing the baseline comes first: the image is then built to the baseline, and later drift is measured against it. A baseline ensures that all systems adhere to the organization's security policies and operational requirements; a naming convention, hashing of the image, or network diagrams may all follow, but none of them defines what the standard configuration is.
Reference = CompTIA Security+ SY0-701 study materials, particularly in the domain of system hardening and configuration management.
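A baseline is only worth having if it can be checked mechanically. The following added example (not from the exam page or CompTIA) expresses a small sshd hardening baseline as rules, parses a constructed sshd_config taken to be from one of the unstandardised images, reports every deviation, and then applies the baseline so the corrected image can be verified clean before it is pushed. The baseline values are illustrative choices, not values from the exam material.

```python
"""Check an image's sshd settings against a baseline configuration.

Added example, not from the exam page. The baseline is written as rules so it
can be enforced: a constructed sshd_config from an unstandardised image is
parsed, every deviation is reported, and the baseline is applied so the fixed
image verifies clean. Baseline values are illustrative hardening choices.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample from one of the unstandardised images
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
ClientAliveInterval 300
"""

# option -> (expected value, comparison). "eq" is a case-insensitive match,
# "le" a numeric upper bound. Options absent from the file are deviations too,
# because sshd's built-in defaults are not the baseline.
BASELINE = {
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "X11Forwarding": ("no", "eq"),
    "MaxAuthTries": (4, "le"),
    "LoginGraceTime": (60, "le"),
}


def parse_sshd_config(text):
    """Return {option: value}; sshd accepts both 'Key value' and 'Key=value'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line, not our concern here
        settings[parts[0]] = parts[1].strip()
    return settings


def check_baseline(settings, baseline=BASELINE):
    """List (option, actual, expected) for every baseline rule the settings violate."""
    deviations = []
    for option, (expected, op) in baseline.items():
        actual = settings.get(option)
        if actual is None:
            deviations.append((option, "missing", expected))
            continue
        if op == "eq":
            ok = actual.lower() == str(expected).lower()
        else:
            ok = actual.isdigit() and int(actual) <= expected
        if not ok:
            deviations.append((option, actual, expected))
    return deviations


def apply_baseline(settings, baseline=BASELINE):
    """Return a copy of the settings with every baseline option forced to its expected value."""
    fixed = dict(settings)
    for option, (expected, _op) in baseline.items():
        fixed[option] = str(expected)
    return fixed


if __name__ == "__main__":
    current = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for option, actual, expected in check_baseline(current):
        print(f"{option}: found {actual!r}, baseline requires {expected!r}")
    print("after applying baseline:", check_baseline(apply_baseline(current)))
```

The same shape (rules, parser, check, apply) is what configuration-management tools do at scale; the point of writing it out is that "baseline" is a concrete, testable artifact, not just a policy statement.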
Which of the following alert types is the most likely to be ignored over time?
- A . True positive
- B . True negative
- C . False positive
- D . False negative
C
Explanation:
A false positive is an alert that incorrectly identifies benign activity as malicious. Over time, if an alerting system generates too many false positives, security teams are likely to ignore these alerts, resulting in "alert fatigue." This increases the risk of missing genuine threats. True positives and true negatives are accurate and should be acted upon.
False negatives are more dangerous because they fail to identify real threats, but they are not "ignored" since they do not trigger alerts.
During a routine audit, an analyst discovers that a department uses software that was not vetted.
Which threat is this?
- A . Espionage
- B . Data exfiltration
- C . Shadow IT
- D . Zero-day
C
Explanation:
Shadow IT refers to software, hardware, cloud services, or applications deployed without approval from the IT or security department. In this scenario, a department is using software that was never vetted by IT or security, which is classic shadow IT.
Security+ SY0-701 explains that shadow IT:
- Introduces unknown vulnerabilities
- Bypasses security controls
- Creates compliance risks
- Leads to data exposure
- Interferes with standard configuration management
Espionage (A) involves intelligence gathering, not unauthorized software use. Data exfiltration (B) involves data theft, not unauthorized software deployment. Zero-day (D) refers to unknown vulnerabilities, not unapproved systems.
Thus, Shadow IT is the correct answer.
A forensic engineer determines that the root cause of a compromise is a SQL injection attack.
Which of the following should the engineer review to identify the command used by the threat actor?
- A . Metadata
- B . Application log
- C . System log
- D . Netflow log
B
Explanation:
To identify the exact command or input used during a SQL injection attack, the application log (B) is the most relevant. It records the requests, parameters and errors the application processed, which is where the injected string itself appears. System logs show OS-level events, NetFlow records only who talked to whom and how much, and metadata describes files rather than requests; none of them contain the attacker's input. Security+ SY0-701 emphasizes reviewing application logs for indicators of web application attacks such as SQL injection, and a practitioner would also pull the database server's query or error log, since a web access log usually records only the URL and not POST bodies.
Reference: CompTIA Security+ SY0-701 Objectives, Domain 2.4 (analyze indicators of malicious activity: application attacks, injection) and Domain 4.9 (use data sources to support an investigation: application logs).
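The review the question describes, as an added example that is not part of the exam page: the script below runs over constructed application request-log lines (timestamp, client IP, method, request target, status), URL-decodes each query parameter, and reports every value matching a SQL injection construct together with the decoded payload, which is the "command used by the threat actor" the engineer is looking for.

```python
"""Find the SQL injection command an attacker sent, from application request logs.

Added example, not from the exam page. The log lines are constructed in a
common application-log shape: timestamp, client IP, method, request target,
status. Injected SQL arrives URL-encoded, so each query parameter is decoded
before matching, and each hit reports the decoded payload.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 GET /products?id=42 200
2024-05-01T10:00:07Z 203.0.113.5 GET /products?id=42%27%20OR%20%271%27%3D%271 200
2024-05-01T10:00:09Z 203.0.113.5 GET /products?id=42%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- 500
2024-05-01T10:00:15Z 198.51.100.9 GET /search?q=o%27reilly 200
2024-05-01T10:00:21Z 203.0.113.5 GET /login?user=admin%27%3B%20DROP%20TABLE%20users%3B-- 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Each pattern targets a SQL construct rather than a lone quote character,
# so a legitimate value such as o'reilly is not reported.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[^=]{1,20}=\s*\S+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def parse_line(line):
    """Split one log line into fields and decode its query parameters."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    parts = urlsplit(record["target"])
    record["path"] = parts.path
    record["params"] = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded
    return record


def find_sqli(log_text):
    """Return one hit per parameter value that matches at least one SQLi pattern."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        for name, value in record["params"]:
            indicators = [label for label, pattern in SQLI_PATTERNS if pattern.search(value)]
            if indicators:
                hits.append({
                    "ts": record["ts"],
                    "ip": record["ip"],
                    "path": record["path"],
                    "param": name,
                    "payload": value,
                    "indicators": indicators,
                })
    return hits


if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} {hit['param']}={hit['payload']!r} {hit['indicators']}")
```

Two practical notes: decode before matching, because `%27%20OR%20` will never match a pattern written against plain quotes; and remember that this only sees GET parameters, so for POST-based injection the application's own parameter logging or the database query log is the source to review.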
SIMULATION
A security analyst is creating the first draft of a network diagram for the company’s new customer-facing payment application that will be hosted by a third-party cloud service provider.


Explanation:
Step 1: Understand Requirements & Security Principles
Requirements:
Customer-facing payment application (PCI DSS compliance applies)
Hosted on third-party cloud (e.g., AWS)
Must segment public-facing and internal resources
Needs to be scalable and resilient
Must have strong security controls
Step 2: Design the High-Level Network Layout
Core Components:
VPC (Virtual Private Cloud): Isolates your environment from other tenants in the cloud.
Subnets:
Public subnet: For resources that must communicate with the internet.
Private subnet: For internal resources, NOT directly exposed to the internet.
Step 3: Place Resources in Appropriate Subnets
Public Subnet:
Internet-facing Load Balancer (LB): Distributes traffic to application servers.
Web Application Firewall (WAF): Protects against web exploits.
Autoscaling Instances: EC2 (or VM) servers running your web front-end, automatically scaling as traffic grows.
Private Subnet:
Application servers: Back-end logic, not exposed to internet directly.
Database: Sensitive data storage, only accessible by application servers.
Internal Load Balancer: Manages traffic among app servers.
WAF: Can be used internally as well for defense-in-depth.
Step 4: Add Connectivity and Security Controls
Internet Gateway: Allows resources in public subnet to communicate with the internet.
NAT Gateway: Allows outbound internet traffic from private subnet without exposing private IPs.
Security Groups: Firewalls at the instance level; allow only necessary traffic (e.g., LB to web server, app server to DB).
Network ACLs: Subnet-level firewalls for additional control.
Step 5: Network Diagram Explanation
Public Subnet (Top Layer)
Load Balancer
Accepts HTTPS traffic from customers.
Sends only necessary HTTP/HTTPS to web servers in public subnet.
WAF (Web Application Firewall)
Sits in front of Load Balancer.
Filters malicious requests (SQLi, XSS, etc.).
Autoscaling Group
Multiple web servers for redundancy and scalability.
Placed in the public subnet in this draft, behind the load balancer. Many production designs keep the web tier in a private subnet as well and expose only the load balancer, so that no application instance is directly reachable from the internet.
Private Subnet (Bottom Layer)
Application Servers
Receive requests from public subnet’s load balancer.
Not directly exposed to the internet.
Database
Only accessible from application servers, never public.
Security groups restrict all inbound traffic except from app servers.
Internal Load Balancer
Balances requests to application servers.
Step 6: Flow of Data (Step-by-Step)
Client -> Internet Gateway -> WAF -> Load Balancer (Public Subnet):
Customers initiate connections to your app over the internet.
Load Balancer -> Autoscaling Web Servers (Public Subnet):
Load balancer routes requests to available web servers.
Web Servers -> Application Logic (Private Subnet):
Web servers pass necessary requests to the internal application servers.
App Servers -> Database (Private Subnet):
Application servers query/update customer payment data in the database.
Outbound (NAT Gateway):
App servers may need to access updates or external APIs; use the NAT Gateway for those outbound connections so that no inbound path to the private subnet is created.
Step 7: Security Best Practices
Security Groups: Only allow necessary ports (e.g., 443 for HTTPS to LB, 3306 for MySQL between app server and DB).
Network ACLs: Add another layer of subnet-level restrictions.
Encryption: Use HTTPS for all external connections, encrypt data at rest and in transit (TLS, disk encryption).
IAM Roles/Policies: Principle of least privilege for accessing resources.
Monitoring/Logging: Enable VPC flow logs, cloud service logs, and application logging.
Patch Management: Automate patching for OS and applications.
Backups: Regular, secure backups of critical data.
Step 8: Compliance Considerations
For payment applications (PCI DSS):
Isolate cardholder data environment (CDE).
Strong access controls (multi-factor authentication, role separation).
Regular vulnerability assessments and penetration testing.
Retain logs for auditing.
Step 9: Draw the Architecture (Summary)
Internet Gateway: Allows inbound/outbound internet access.
Public Subnet: WAF, Load Balancer, Autoscaling group.
Private Subnet: App servers, DB, internal LB.
NAT Gateway: Outbound access for private resources.
Security Groups/ACLs: Control all traffic flows.
Monitoring/Logging: Enabled at all levels.
Bonus: Sample Security Group Rules
Web Server (Public Subnet):
Inbound: 443 (HTTPS) from Internet
Outbound: 80/443 to App Servers
App Server (Private Subnet):
Inbound: 80/443 from Web Servers
Outbound: 3306 (MySQL) to Database
Database (Private Subnet):
Inbound: 3306 from App Servers
Outbound: None (unless replication required)
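The sample security group rules above are the design's intent written as data, which means they can be audited. The following added example (not from the exam page; group names and CIDRs are illustrative) models the three tiers as inbound rules, places a weak rule set beside the hardened one, and checks two properties: only the load balancer may accept traffic from outside RFC 1918 space, and the database may accept connections only from the application tier on 3306. A small reachability helper then confirms which flows each rule set actually permits.

```python
"""Audit security-group rules for the three-tier payment design.

Added example, not from the exam page. Inbound rules are modelled as
(protocol, from_port, to_port, source), where source is a CIDR or a
reference to another security group. The checks encode the design's intent:
only the load balancer accepts internet traffic, and the database accepts
connections only from the app tier on 3306. Names and CIDRs are illustrative.
"""
import ipaddress

WEAK_SGS = {
    "sg-lb":  [("tcp", 443, 443, "0.0.0.0/0")],
    "sg-web": [("tcp", 443, 443, "sg-lb"), ("tcp", 22, 22, "0.0.0.0/0")],  # SSH open to the world
    "sg-app": [("tcp", 443, 443, "sg-web")],
    "sg-db":  [("tcp", 3306, 3306, "10.0.0.0/8")],  # any host in the VPC, not just app servers
}

HARDENED_SGS = {
    "sg-lb":  [("tcp", 443, 443, "0.0.0.0/0")],
    "sg-web": [("tcp", 443, 443, "sg-lb")],
    "sg-app": [("tcp", 443, 443, "sg-web")],
    "sg-db":  [("tcp", 3306, 3306, "sg-app")],  # SG reference, not an address range
}

INTERNET_FACING = {"sg-lb"}
DB_SG, DB_PORT, DB_ALLOWED_SOURCES = "sg-db", 3306, {"sg-app"}
PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_source(source):
    """True for a CIDR that reaches outside RFC 1918 space; False for SG references."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False
    return not any(net.subnet_of(private) for private in PRIVATE_NETS)


def audit(sgs):
    """Return human-readable findings for rules that break the design's intent."""
    findings = []
    for name, rules in sgs.items():
        for proto, lo, hi, src in rules:
            if is_public_source(src) and name not in INTERNET_FACING:
                findings.append(f"{name}: {proto}/{lo}-{hi} open to {src}")
            if name == DB_SG:
                if src not in DB_ALLOWED_SOURCES:
                    findings.append(f"{name}: reachable from {src}; expected only {sorted(DB_ALLOWED_SOURCES)}")
                if (lo, hi) != (DB_PORT, DB_PORT):
                    findings.append(f"{name}: unexpected port range {lo}-{hi}")
    return findings


def allows(sgs, dst_sg, port, source):
    """True if dst_sg has an inbound rule for port from source (an SG name or an IP address)."""
    for _proto, lo, hi, src in sgs.get(dst_sg, []):
        if not lo <= port <= hi:
            continue
        if src == source:
            return True
        try:
            if ipaddress.ip_address(source) in ipaddress.ip_network(src, strict=False):
                return True
        except ValueError:  # source is an SG name, or src is an SG reference
            pass
    return False


if __name__ == "__main__":
    print("weak:", audit(WEAK_SGS))
    print("hardened:", audit(HARDENED_SGS))
    print("internet host can reach db in weak design via VPC CIDR rule:",
          allows(WEAK_SGS, "sg-db", 3306, "10.0.5.9"))
```

The point of the database check is that "10.0.0.0/8" looks private and harmless but lets any compromised VPC instance, including a web server, open a database connection; a security group reference restricts the source to instances that are actually in the app tier, which is what the sample rules above intend.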
Reference to Security+ Domains
