Practice Free SY0-701 Exam Online Questions
Which of the following is most likely in a responsibility matrix in a cloud computing environment?
- A . The customer is responsible for information and data regardless of the cloud model used.
- B . The cloud provider is responsible for account and identity management for connected devices.
- C . The customer and the cloud provider share responsibility for the physical network infrastructure.
- D . The cloud provider is responsible for the security of endpoints connected to the infrastructure.
A
Explanation:
The best answer is A. The customer is responsible for information and data regardless of the cloud model used.
In cloud environments, a shared responsibility model defines which security duties belong to the cloud provider and which remain with the customer. While the exact split depends on whether the service is IaaS, PaaS, or SaaS, one responsibility that almost always remains with the customer is accountability for their information and data.
The provider secures the cloud infrastructure, but the customer remains responsible for how their data is classified, handled, protected, and governed.
Why the other options are incorrect:
B. The cloud provider is responsible for account and identity management for connected devices. Identity and access management is typically at least partly the customer’s responsibility, and often primarily so.
C. The customer and the cloud provider share responsibility for the physical network infrastructure. Physical infrastructure is usually the cloud provider’s responsibility, not shared in the way stated here.
D. The cloud provider is responsible for the security of endpoints connected to the infrastructure. Endpoint security is normally the customer’s responsibility.
From the SY0-701 perspective, a responsibility matrix in cloud computing reflects the shared responsibility model, and the most consistently true statement here is A.
Which of the following is a compensating control for providing user access to a high-risk website?
- A . Enabling threat prevention features on the firewall
- B . Configuring a SIEM tool to capture all web traffic
- C . Setting firewall rules to allow traffic from any port to that destination
- D . Blocking that website on the endpoint protection software
An important patch for a critical application has just been released, and a systems administrator is identifying all of the systems requiring the patch.
Which of the following must be maintained in order to ensure that all systems requiring the patch are updated?
- A . Asset inventory
- B . Network enumeration
- C . Data certification
- D . Procurement process
A
Explanation:
To ensure that all systems requiring the patch are updated, the systems administrator must maintain an accurate asset inventory. This inventory lists all hardware and software assets within the organization, allowing the administrator to identify which systems are affected by the patch and ensuring that none are missed during the update process.
Network enumeration is used to discover devices on a network but doesn’t track software that requires patching.
Data certification and procurement process are unrelated to tracking systems for patching purposes.
Which of the following tools is best for logging and monitoring in a cloud environment?
- A . IPS
- B . FIM
- C . NAC
- D . SIEM
A security operations center determines that the malicious activity detected on a server is normal.
Which of the following activities describes the act of ignoring detected activity in the future?
- A . Tuning
- B . Aggregating
- C . Quarantining
- D . Archiving
A
Explanation:
Tuning is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false negatives. Tuning can help to filter out the normal or benign activity that is detected by the security tool or system, and focus on the malicious or anomalous activity that requires further investigation or response. Tuning can also help to improve the efficiency and effectiveness of the security operations center by reducing the workload and alert fatigue of the analysts.
Tuning is different from aggregating, which is the activity of collecting and combining data from multiple sources or sensors to provide a comprehensive view of the security posture. Tuning is also different from quarantining, which is the activity of isolating a potentially infected or compromised device or system from the rest of the network to prevent further damage or spread. Tuning is also different from archiving, which is the activity of storing and preserving historical data or records for future reference or compliance.
The act of ignoring detected activity in the future that is deemed normal by the security operations center is an example of tuning, as it involves modifying the settings or rules of the security tool or system to exclude the activity from the detection scope. Therefore, this is the best answer among the given options.
Reference: Security Alerting and Monitoring Concepts and Tools - CompTIA Security+ SY0-701: 4.3, video at 7:00; CompTIA Security+ SY0-701 Certification Study Guide, page 191.
After multiple phishing simulations, the Chief Security Officer announces a new program that incentivizes employees to not click phishing links in the upcoming quarter.
Which of the following security awareness execution techniques does this represent?
- A . Computer-based training
- B . Insider threat awareness
- C . SOAR playbook
- D . Gamification
D
Explanation:
Gamification refers to the use of game elements such as points, rewards, competitions, and incentives to motivate users and enhance engagement in activities such as security awareness training. Incentivizing employees to avoid clicking phishing links by rewarding positive behavior is a classic example of gamification. Computer-based training (A) is traditional online training without game elements. Insider threat awareness (B) focuses on educating about internal threats. SOAR playbook (C) refers to automated incident response workflows, unrelated to employee training methods. Gamification is recognized in the Security Program Management domain as an effective technique to improve user engagement and security behavior (CompTIA Security+ Practice Tests, Chapter 5).
A company is aware of a given security risk related to a specific market segment. The business chooses not to accept responsibility and target their services to a different market segment.
Which of the following describes this risk management strategy?
- A . Exemption
- B . Exception
- C . Avoid
- D . Transfer
C
Explanation:
Avoidance involves choosing not to engage in activities or markets where certain risks are present. This is a proactive approach to risk management.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: "Risk Management Strategies".
A security analyst investigates abnormal outbound traffic from a corporate endpoint. The traffic is encrypted and uses non-standard ports.
Which of the following data sources should the analyst use first to confirm whether this traffic is malicious?
- A . Application logs
- B . Vulnerability scans
- C . Endpoint logs
- D . Packet captures
C
Explanation:
When investigating abnormal outbound traffic originating from a specific endpoint, endpoint logs are the most appropriate first data source to review. According to CompTIA Security+ SY0-701, endpoint logs provide detailed visibility into process execution, user actions, service creation, network connections initiated by applications, and security agent detections. This context is critical for determining which process initiated the encrypted traffic and why it is using non-standard ports.
Because the traffic is encrypted, packet captures (D) would reveal limited payload information and are more resource-intensive. Endpoint logs can quickly identify suspicious executables, command-line arguments, parent-child process relationships, and persistence mechanisms that indicate malware or command-and-control activity. Modern EDR tools rely heavily on endpoint telemetry for exactly this reason.
Application logs (A) may be useful later but are limited to specific applications. Vulnerability scans (B) identify weaknesses, not active malicious behavior.
Security+ SY0-701 emphasizes starting investigations as close to the suspected source as possible. Since the activity originates from a corporate endpoint, endpoint logs provide the fastest and most relevant confirmation of whether the traffic is malicious.
A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes.
Which of the following should the administrator set up to achieve this goal?
- A . SPF
- B . GPO
- C . NAC
- D . FIM
D
Explanation:
FIM stands for File Integrity Monitoring, which is a method to secure data by detecting any changes or modifications to files, directories, or registry keys. FIM can help a security administrator track any unauthorized or malicious changes to the data, as well as verify the integrity and compliance of the data. FIM can also alert the administrator of any potential breaches or incidents involving the data.
Some of the benefits of FIM are:
- It can prevent data tampering and corruption by verifying the checksums or hashes of the files.
- It can identify the source and time of the changes by logging the user and system actions.
- It can enforce security policies and standards by comparing the current state of the data with the baseline or expected state.
- It can support forensic analysis and incident response by providing evidence and audit trails of the changes.
Reference: CompTIA Security+ SY0-701 Certification Study Guide, Chapter 5: Technologies and Tools, Section 5.3: Security Tools, p. 209-210
CompTIA Security+ SY0-701 Certification Exam Objectives, Domain 2: Technologies and Tools, Objective 2.4: Given a scenario, analyze and interpret output from security technologies, Sub-objective: File integrity monitor, p. 12
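As an added illustration (not from the study guide or the exam), the Python below is a minimal file integrity monitor: it records a SHA-256 baseline of a directory tree, then compares the current state against it and reports added, removed, and modified files, plus files whose content is unchanged but whose metadata moved. The monitored files are constructed scratch data in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, size, mtime) for every file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = (hash_file(p), st.st_size, st.st_mtime)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and the current state."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = [p for p in baseline if p in current]
    # Content change: hash differs regardless of timestamps.
    modified = sorted(p for p in common if baseline[p][0] != current[p][0])
    # Same content but size/mtime moved: worth an audit entry, not an alert.
    metadata_only = sorted(p for p in common
                           if baseline[p][0] == current[p][0] and baseline[p][1:] != current[p][1:])
    return {"added": added, "removed": removed,
            "modified": modified, "metadata_only": metadata_only}


def demo():
    """Constructed scenario: baseline two files, then tamper, add, and delete."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("debug=false\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        (root / "app.conf").write_text("debug=true\n")      # unauthorized edit
        (root / "cron.tab").write_text("# constructed\n")   # new file appears
        (root / "hosts").unlink()                           # file removed
        return compare(baseline, build_baseline(root))
```

A real FIM agent would persist the baseline somewhere the monitored host cannot rewrite and run the comparison on a schedule or on file-system events.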
An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic.
Which of the following will help achieve these objectives?
- A . Deploying a SASE solution to remote employees
- B . Building a load-balanced VPN solution with redundant internet
- C . Purchasing a low-cost SD-WAN solution for VPN traffic
- D . Using a cloud provider to create additional VPN concentrators
A
Explanation:
SASE stands for Secure Access Service Edge. It is a cloud-based service that combines network and security functions into a single integrated solution. SASE can help reduce traffic on the VPN and internet circuit by providing secure and optimized access to the data center and cloud applications for remote employees. SASE can also monitor and enforce security policies on the remote employee internet traffic, regardless of their location or device. SASE can offer benefits such as lower costs, improved performance, scalability, and flexibility compared to traditional VPN solutions.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 457-458
