Practice Free SY0-701 Exam Online Questions
Which of the following security concepts is the best reason for permissions on a human resources fileshare to follow the principle of least privilege?
- A . Integrity
- B . Availability
- C . Confidentiality
- D . Non-repudiation
C
Explanation:
Confidentiality is the security concept that protects data from unauthorized access or disclosure. The principle of least privilege grants users and systems only the minimum access they need to perform their tasks, and nothing more. Applying it to a human resources fileshare restricts permissions to those with a legitimate need for the sensitive data, such as HR staff, managers, or auditors, and keeps everyone else (external attackers, and employees or contractors outside HR) from reading, copying, modifying, or deleting it. Least privilege therefore primarily serves the confidentiality of the data on the fileshare. Integrity, availability, and non-repudiation are the other options, but none is the best reason here. Integrity ensures data is accurate and consistent and protected from unauthorized modification or corruption. Availability ensures data is accessible and usable by authorized users or systems when needed. Non-repudiation ensures the authenticity and accountability of data and actions and prevents denial of involvement or responsibility. Tight permissions also help integrity, since fewer accounts can modify the files, but the driving concern for HR records is keeping them from being disclosed.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17, 372-373
Which of the following is an example of implementing Zero Trust architecture?
- A . Building strong network boundaries to prevent intrusion
- B . Verifying user identity once at the start of the session
- C . Granting resource access after continuous validation
- D . Prioritizing perimeter defense to block external threats
C
Explanation:
The best answer is C. Granting resource access after continuous validation.
Zero Trust architecture is based on the principle of never trust, always verify. Access should not be granted simply because a user or device is inside the network or was authenticated once earlier. Instead, access decisions should be based on continuous validation of identity, device health, context, and other relevant factors.
This means users and devices are evaluated repeatedly and granted only the minimum access necessary.
Why the other options are incorrect:
- A . Strong network boundaries describe the traditional perimeter model; Zero Trust assumes the perimeter can be breached and does not treat being inside the network as proof of trustworthiness.
- B . A single verification at session start is exactly what Zero Trust replaces; a device that becomes non-compliant, or a session that is hijacked later, would keep its access.
- D . Prioritizing perimeter defense against external threats ignores insider threats and lateral movement from already-compromised internal hosts.
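To make the difference between option B and option C concrete, the following added example (not from the study guide or any vendor product) models a session-based gateway that checks once at login next to a Zero Trust gateway that re-runs the full policy on every request. The policy inputs (the `HR_USERS` entitlement set, the allowed locations, the eight-hour MFA age limit, and the `compliant` device flag) are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy inputs for this example; a real deployment would pull
# entitlements from the IdP and device health from an MDM/EDR posture feed.
HR_USERS = {"alice", "hr-admin"}
ALLOWED_LOCATIONS = {"office", "home"}
MAX_MFA_AGE_S = 8 * 3600


@dataclass
class Device:
    device_id: str
    compliant: bool  # e.g. disk encrypted, EDR agent running, patches current


@dataclass
class RequestContext:
    user: str
    device: Device
    mfa_age_s: int  # seconds since the user last completed MFA
    location: str


def evaluate(ctx: RequestContext, resource: str):
    """Policy decision point: evaluates identity, device health and context
    for one request. Returns (allowed, list_of_reasons_denied)."""
    reasons = []
    if resource.startswith("hr/") and ctx.user not in HR_USERS:
        reasons.append("user not entitled to hr/")
    if not ctx.device.compliant:
        reasons.append(f"device {ctx.device.device_id} non-compliant")
    if ctx.mfa_age_s > MAX_MFA_AGE_S:
        reasons.append("MFA too old")
    if ctx.location not in ALLOWED_LOCATIONS:
        reasons.append(f"unexpected location {ctx.location}")
    return (not reasons, reasons)


class SessionGateway:
    """Option B: verify once at login, then trust the session for its lifetime."""

    def __init__(self):
        self._sessions = {}

    def login(self, ctx: RequestContext) -> bool:
        ok, _ = evaluate(ctx, "login")
        if ok:
            self._sessions[ctx.user] = True
        return ok

    def access(self, ctx: RequestContext, resource: str) -> bool:
        # Only asks "does this user hold a session?"; device state is ignored.
        return self._sessions.get(ctx.user, False)


class ZeroTrustGateway:
    """Option C: re-evaluate the full policy on every request."""

    def access(self, ctx: RequestContext, resource: str) -> bool:
        return evaluate(ctx, resource)[0]


def demo():
    """Same user, same session; the device falls out of compliance mid-session.
    Returns ((session_before, zt_before), (session_after, zt_after))."""
    dev = Device("laptop-1", compliant=True)
    ctx = RequestContext("alice", dev, mfa_age_s=60, location="office")
    session, zt = SessionGateway(), ZeroTrustGateway()
    session.login(ctx)
    before = (session.access(ctx, "hr/payroll"), zt.access(ctx, "hr/payroll"))
    dev.compliant = False  # EDR agent stops; posture feed now reports non-compliant
    after = (session.access(ctx, "hr/payroll"), zt.access(ctx, "hr/payroll"))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The session gateway keeps granting `hr/payroll` after the device stops being compliant because nothing after login re-checks it; the Zero Trust gateway denies the very next request, and `evaluate` also records why, which is what an access log needs for investigation.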
Which of the following is a feature of a next-generation SIEM system?
- A . Virus signatures
- B . Automated response actions
- C . Security agent deployment
- D . Vulnerability scanning
B
Explanation:
A next-generation SIEM goes beyond collecting and correlating logs: it integrates orchestration and automated response (SOAR-style playbooks), so a confirmed detection can trigger actions such as isolating a host, disabling an account, or blocking an address without waiting for an analyst. Virus signatures belong to antivirus and EDR products, agent deployment is an endpoint-management function, and vulnerability scanning is performed by a dedicated scanner whose results a SIEM may ingest but does not produce.
A smart lighting system is deployed in an office building. The devices connect to the corporate Wi-Fi and are managed via a cloud portal.
Which of the following security techniques reduces risk for these IoT devices?
- A . Assigning static IP addresses to the devices
- B . Updating default credentials and applying network segmentation
- C . Connecting the devices to the guest Wi-Fi to prevent interactions with corporate IT
- D . Allowing the vendor to have remote access for day-to-day management
B
Explanation:
The best answer is B. Updating default credentials and applying network segmentation.
IoT devices often present increased security risk because they ship with weak default settings, offer limited security features, and stay connected to the network persistently. Two of the most effective ways to reduce this risk are:
- Updating default credentials: many IoT devices ship with default usernames and passwords that are published or easy to guess. Leaving them unchanged is a major security weakness.
- Applying network segmentation: placing IoT devices on a separate network or VLAN limits their ability to reach critical corporate systems. If one device is compromised, segmentation contains it and reduces lateral movement.
Why the other options are incorrect:
- A . Static IP addresses make the devices easier to inventory but do nothing to stop an attacker who knows the default password or can reach the devices from the corporate LAN.
- C . The guest Wi-Fi is shared with untrusted visitors; it separates the lights from corporate IT but exposes them to anyone on the guest network and is not a managed, access-controlled segment.
- D . Standing vendor remote access widens the attack surface; if the vendor or its portal is compromised, the attacker inherits that access.
A company recently decided to allow employees to work remotely. The company wants to protect its data without using a VPN.
Which of the following technologies should the company implement?
- A . Secure web gateway
- B . Virtual private cloud endpoint
- C . Deep packet inspection
- D . Next-generation firewall
A
Explanation:
A Secure Web Gateway (SWG) protects users by filtering unwanted software/malware from user-initiated web traffic and enforcing corporate and regulatory policy compliance. This technology allows the company to secure remote users’ data and web traffic without relying on a VPN, making it ideal for organizations supporting remote work.
Reference: CompTIA Security+ SY0-701 study materials, particularly the domain covering network security and remote access technologies.
A company is experiencing issues with employees leaving the company for a competitor and taking customer contact information with them.
Which of the following tools will help prevent this from reoccurring?
- A . FIM
- B . NAC
- C . IDS
- D . UBA
D
Explanation:
User Behavior Analytics (UBA) monitors user activities and detects anomalous behavior such as unauthorized data access or exfiltration, including when employees attempt to copy sensitive customer contact information before leaving. UBA can alert security teams to insider threats proactively.
File Integrity Monitoring (FIM) (A) detects unauthorized changes to files but is less effective against data exfiltration by insiders. Network Access Control (NAC) (B) controls device access to the network, and Intrusion Detection Systems (IDS) (C) detect suspicious network activity but do not specifically analyze user behaviors.
UBA is a critical tool for insider threat detection, covered under Security Operations.
Reference: CompTIA Security+ Study Guide, Chapter 14.
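The distinguishing feature of UBA is that it compares each user against that user's own history rather than against a fixed signature. The following added example (not from the study guide) runs that idea over a constructed file-access log: it baselines each user's daily download volume from a CRM contact export and flags a day that is both far outside the user's own baseline (z-score) and large in absolute terms. The log format, the `crm/` prefix, the thresholds and the user names are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log (not real data): date, user, action, object, bytes.
# alice's last day is a 4.9 MB pull of the contact export against a
# 48-70 KB daily baseline; bob's usage is steady throughout.
SAMPLE_LOG = """\
2024-05-01 alice download crm/contacts_export.csv 52000
2024-05-02 alice download crm/contacts_export.csv 61000
2024-05-03 alice download crm/contacts_export.csv 48000
2024-05-04 alice download crm/contacts_export.csv 70000
2024-05-05 alice download crm/contacts_export.csv 55000
2024-05-06 alice download crm/contacts_export.csv 4900000
2024-05-01 bob download crm/contacts_export.csv 30000
2024-05-02 bob download crm/contacts_export.csv 31000
2024-05-03 bob download crm/contacts_export.csv 29000
2024-05-04 bob download crm/contacts_export.csv 30500
2024-05-05 bob download crm/contacts_export.csv 30000
2024-05-06 bob download crm/contacts_export.csv 33000
2024-05-06 bob read wiki/onboarding.md 2000
"""


def parse(log: str):
    """Yield (date, user, action, object, size) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        date, user, action, obj, size = line.split()
        yield date, user, action, obj, int(size)


def daily_volume(records, prefix: str = "crm/", actions=("download",)):
    """Bytes per user per day, counting only risky actions on sensitive objects."""
    vol = defaultdict(lambda: defaultdict(int))
    for date, user, action, obj, size in records:
        if action in actions and obj.startswith(prefix):
            vol[user][date] += size
    return vol


def detect_exfil(log: str, z_threshold: float = 3.0, min_bytes: int = 1_000_000,
                 min_history: int = 3):
    """Flag users whose latest day is far above their own baseline (z-score)
    AND large in absolute terms, so a tiny baseline cannot alert on noise."""
    alerts = []
    for user, per_day in daily_volume(parse(log)).items():
        days = sorted(per_day)
        if len(days) < min_history + 1:
            continue  # not enough history to baseline this user yet
        *history, latest = days
        hist = [per_day[d] for d in history]
        mu, sigma = mean(hist), pstdev(hist)
        sigma = max(sigma, 0.1 * mu, 1.0)  # floor: flat baselines must not alert on jitter
        today = per_day[latest]
        z = (today - mu) / sigma
        if z > z_threshold and today >= min_bytes:
            alerts.append({"user": user, "date": latest, "bytes": today, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

Bob's 33 KB day is about one sigma above his baseline and never reaches `min_bytes`, so he is not reported; Alice's 4.9 MB day is hundreds of sigmas out and is. The same structure extends to other signals UBA tools use (after-hours logins, first-time access to a share, USB writes), each baselined per user.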
In order to strengthen a password and prevent a hacker from cracking it, a random string of 36 characters was added to the password.
Which of the following best describes this technique?
- A . Key stretching
- B . Tokenization
- C . Data masking
- D . Salting
D
Explanation:
Adding a random string of characters, known as a "salt," to a password before hashing it is known as salting. This technique strengthens passwords by ensuring that even if two users have the same password, their hashes will be different due to the unique salt, making it much harder for attackers to crack passwords using precomputed tables.
Reference: CompTIA Security+ SY0-701 course content and official CompTIA study resources.
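The following added example (not from the course material) shows what the salt actually does and how it differs from key stretching, the distractor in option A. It uses the standard library's PBKDF2 so that both techniques appear side by side: the salt is the per-user random string stored with the hash, the iteration count is the stretching. The 36-character salt length mirrors the question; the 600,000 iteration figure is the OWASP recommendation for PBKDF2-HMAC-SHA256 and is assumed here as a sensible default.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_CHARS = 36       # matches the question's 36-character random string
ITERATIONS = 600_000  # assumed default; OWASP's figure for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """What salting fixes: identical passwords give identical digests, so one
    precomputed (rainbow) table cracks every account sharing a password."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_salt(nchars: int = SALT_CHARS) -> str:
    """Random and unique per user. It is stored next to the hash and is not secret;
    its job is to make every hash computation unique, not to hide anything."""
    return secrets.token_hex(nchars // 2)  # 18 random bytes -> 36 hex characters


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt defeats precomputed tables; the iteration count is key stretching
    (option A), a separate technique that makes each individual guess slower."""
    salt = salt or make_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    # Self-describing record so the verifier can recover the parameters later.
    return f"pbkdf2_sha256${iterations}${salt}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt, digest = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                    int(iterations))
    return hmac.compare_digest(candidate.hex(), digest)


def demo(password: str = "Winter2024!") -> Tuple[bool, bool, bool]:
    """Two users choose the same password. Returns
    (stored values differ, correct password verifies, wrong password rejected)."""
    user1, user2 = hash_password(password), hash_password(password)
    return user1 != user2, verify_password(password, user1), verify_password("wrong", user1)


if __name__ == "__main__":
    print(unsalted_hash("Winter2024!") == unsalted_hash("Winter2024!"))  # True: table-crackable
    print(demo())  # (True, True, False)
```

Two points a practitioner should take from this: the salt is not a secret and is stored in the clear next to the hash, and salting alone does not slow down an attacker who targets one specific account, which is why it is paired with a slow, iterated function (or a memory-hard one such as scrypt or Argon2) in practice.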
Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?
- A . A full inventory of all hardware and software
- B . Documentation of system classifications
- C . A list of system owners and their departments
- D . Third-party risk assessment documentation
A
Explanation:
A full inventory of all hardware and software is essential for measuring the overall risk to an organization when a new vulnerability is disclosed, because it allows the security analyst to identify which systems are affected by the vulnerability and prioritize the remediation efforts. Without a full inventory, the security analyst may miss some vulnerable systems or waste time and resources on irrelevant ones. Documentation of system classifications, a list of system owners and their departments, and third-party risk assessment documentation are all useful for risk management, but they are not sufficient to measure the impact of a new vulnerability.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 122; Risk Assessment and Analysis Methods: Qualitative and Quantitative
A staff member finds a USB drive in the office’s parking lot.
Which of the following should the staff member do?
- A . Notify the file owner after reviewing the contents of the drive.
- B . Use an air-gapped system to open the files without exposing the network.
- C . Wipe the drive immediately using a secure method.
- D . Submit the device to the security team without connecting it.
D
Explanation:
The best answer is D. Submit the device to the security team without connecting it.
An unknown USB drive found in a parking lot is a classic example of a potential social engineering or malware delivery attack. Attackers may intentionally leave infected removable media where employees will find it and plug it into a system. The safest action is to not connect the device at all and instead turn it over to the security team for proper handling.
Why the other options are incorrect:
- A . Reviewing the contents requires connecting the drive, which is exactly the action the attacker is counting on.
- B . An air-gapped system protects the network but not that host: a malicious device can present itself as a keyboard and inject commands, or carry payloads a one-off analysis box is not prepared for. Analysis belongs to the security team under controlled conditions, not to the finder.
- C . Wiping the drive also requires connecting it, and it destroys evidence the security team may need.
A company’s end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server.
Which of the following best describes what the security analyst is seeing?
- A . Concurrent session usage
- B . Secure DNS cryptographic downgrade
- C . On-path resource consumption
- D . Reflected denial of service
D
Explanation:
A reflected denial of service (RDoS) attack is a type of DDoS attack in which the attacker sends requests with a spoofed source IP address to third-party servers, which then send their responses to the victim. The attacker exploits the difference in size between a small request and a large response, which amplifies the traffic delivered to the victim, and hides their own address by forging the victim’s IP as the source. Against a DNS server the attacker sends forged queries to open resolvers that generate large responses, and those responses land on the victim’s interface. This matches the symptoms: the server’s CPU, disk, and memory are idle because it is not processing queries of its own, the interface is saturated by inbound responses it never requested, and the logs show few legitimate queries, so it cannot serve end users.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 215-216
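The analyst's reasoning above can be turned into a check. The following added example (not from the study guide) runs over constructed per-packet records from the DNS server's interface and separates responses the server solicited (it sent a matching query first) from unsolicited responses arriving from many distinct peers. The addresses, port numbers, packet sizes and thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict

LOCAL_DNS = "203.0.113.10"  # constructed: the company's DNS server address

# Constructed interface records, one per packet:
# (direction, peer IP, peer port, local port, QR flag Q=query/R=response, bytes)
LEGIT = [
    ("in",  "10.0.0.5",   50123, 53,    "Q", 64),   # a client asks us something
    ("out", "10.0.0.5",   50123, 53,    "R", 128),  # we answer
    ("in",  "10.0.0.9",   41000, 53,    "Q", 61),
    ("out", "10.0.0.9",   41000, 53,    "R", 120),
    ("out", "192.0.2.53", 53,    40001, "Q", 70),   # recursive lookup we initiated
    ("in",  "192.0.2.53", 53,    40001, "R", 210),  # its legitimate answer
]
# Forged queries carrying our address were sent to 40 open resolvers; their
# large responses land on us, none matching a query we sent.
REFLECTED = [("in", f"198.51.100.{i}", 53, 33000 + i, "R", 3500 + 20 * i)
             for i in range(1, 41)]
SAMPLE = LEGIT + REFLECTED


def analyze(records):
    """Pair inbound responses with queries this server sent; count the rest as
    unsolicited and track how many distinct peers (reflectors) they came from."""
    pending = set()  # (peer, peer_port, local_port) of our outstanding queries
    stats = defaultdict(int)
    reflectors = set()
    for direction, peer, pport, lport, qr, size in records:
        key = (peer, pport, lport)
        if direction == "out" and qr == "Q":
            pending.add(key)
            stats["out_queries"] += 1
        elif direction == "in" and qr == "Q":
            stats["in_queries"] += 1  # real client load on this server
        elif direction == "in" and qr == "R":
            if key in pending:
                pending.discard(key)
                stats["solicited_responses"] += 1
            else:
                stats["unsolicited_responses"] += 1
                stats["unsolicited_bytes"] += size
                reflectors.add(peer)
    stats["reflectors"] = len(reflectors)
    return dict(stats)


def classify(stats, min_unsolicited=20, ratio=5, min_reflectors=5):
    """Reflected DoS: many unsolicited responses, from many peers, dwarfing the
    handful of genuine queries. Thresholds are assumed for the example."""
    unsolicited = stats.get("unsolicited_responses", 0)
    served = max(stats.get("in_queries", 0), 1)
    if (unsolicited >= min_unsolicited
            and unsolicited > ratio * served
            and stats.get("reflectors", 0) >= min_reflectors):
        return "reflected denial of service"
    return "normal"


if __name__ == "__main__":
    s = analyze(SAMPLE)
    print(s)            # 40 unsolicited responses from 40 reflectors, 2 real queries
    print(classify(s))  # reflected denial of service
```

Two details carry over to real traffic: matching on the (peer, peer port, local port) tuple is what tells a resolver's legitimate answer apart from reflected junk, and counting distinct reflector addresses distinguishes a reflection attack from a single misbehaving upstream. The unsolicited byte total also gives the amplification picture, since each reflected packet is several kilobytes against queries of tens of bytes.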
