Practice Free SY0-701 Exam Online Questions
A company processes a large volume of business-to-business transactions and prioritizes data confidentiality over transaction availability. The company’s firewall administrator must configure a new hardware-based firewall to replace the current one.
Which of the following should the administrator do to best align with the company requirements in case a security event occurs?
- A . Ensure the firewall data plane moves to fail-closed mode.
- B . Implement a deny-all rule as the last firewall ACL rule.
- C . Prioritize business-critical application traffic through the firewall.
- D . Configure rate limiting between the firewall interfaces.
A
Explanation:
The best answer is A. Ensure the firewall data plane moves to fail-closed mode.
The key detail in this question is that the company prioritizes data confidentiality over transaction availability. In Security+ terms, when confidentiality is more important than keeping traffic flowing during a failure or security event, the preferred behavior is fail closed.
A fail-closed firewall blocks traffic if the device experiences a fault, failure, or security issue. This protects sensitive business data from being exposed or passed through an untrusted state. Even though this may interrupt business transactions, it aligns with the organization’s priority of protecting confidential information.
Why the other options are incorrect:
B. Implement a deny-all rule as the last firewall ACL rule. This is a standard firewall best practice, but it does not specifically address what should happen in case a security event occurs.
C. Prioritize business-critical application traffic through the firewall. This focuses on availability and performance, not confidentiality.
D. Configure rate limiting between the firewall interfaces. Rate limiting may help with traffic control or DoS reduction, but it does not best address the requirement to prioritize confidentiality during a security event.
From the SY0-701 perspective, when asked to choose between keeping systems available and preventing unauthorized access or data exposure, fail closed is the best security-focused answer.
A security engineer is working to address the growing risks that shadow IT services are introducing to the organization. The organization has taken a cloud-first approach and does not have an on-premises IT infrastructure.
Which of the following would best secure the organization?
- A . Upgrading to a next-generation firewall
- B . Deploying an appropriate in-line CASB solution
- C . Conducting user training on software policies
- D . Configuring double key encryption in SaaS platforms
B
Explanation:
A Cloud Access Security Broker (CASB) solution is the most suitable option for securing an organization that has adopted a cloud-first strategy and does not have an on-premises IT infrastructure. CASBs provide visibility and control over shadow IT services, enforce security policies, and protect data across cloud services.
Reference = CompTIA Security+ SY0-701 study materials, particularly in the domain of cloud security and managing risks associated with shadow IT.
An administrator wants to automate an account permissions update for a large number of accounts.
Which of the following would best accomplish this task?
- A . Security groups
- B . Federation
- C . User provisioning
- D . Vertical scaling
Which of the following best protects sensitive data in transit across a geographically dispersed Infrastructure?
- A . Encryption
- B . Masking
- C . Tokenization
- D . Obfuscation
During an investigation, a security analyst discovers traffic going out to a command-and-control server. The analyst must find out if any data exfiltration has occurred.
Which of the following would best help the analyst determine this?
- A . Application log
- B . Metadata
- C . Network log
- D . Packet capture
D
Explanation:
To determine whether data exfiltration has occurred, the most effective tool is a packet capture (PCAP). Packet captures allow investigators to see exactly what data left the network, including file contents, payloads, headers, protocols, and destination information. PCAP files provide full-fidelity network evidence, enabling analysts to reconstruct sessions and review exfiltrated content byte-by-byte.
Security+ SY0-701 emphasizes PCAP as the gold standard for forensic network investigations, especially when dealing with:
- Malware beaconing
- Command-and-control (C2) traffic
- Data leakage
- Unauthorized transmissions
Network logs (C) provide summaries such as IP addresses, ports, and timestamps but do not show actual data contents. Metadata (B) gives descriptive information (e.g., file size, type) but not transmitted payloads. Application logs (A) show application-level events but do not capture network data.
If the analyst needs to confidently determine if sensitive information was exported to the attacker, only packet capture provides the required depth of visibility.
While considering the organization’s cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor.
Which of the following best meets this goal?
- A . Community cloud
- B . PaaS
- C . Containerization
- D . Private cloud
- E . SaaS
- F . IaaS
E
Explanation:
Software as a Service (SaaS) is the cloud model that best meets the goal of outsourcing the management, including patching, of firmware, operating systems, and applications to the cloud vendor. In a SaaS environment, the cloud provider is responsible for maintaining and updating the entire software stack, allowing the organization to focus on using the software rather than managing its infrastructure.
Reference = CompTIA Security+ SY0-701 study materials, particularly the domains related to cloud security models.
A security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization’s network.
Which of the following fulfills this request?
- A . access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
- B . access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
- C . access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
- D . access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
B
Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet to pass through the firewall. A firewall rule consists of several elements, such as the action, the protocol, the source address, the destination address, and the port number. The syntax of a firewall rule may vary depending on the type and vendor of the firewall, but the basic logic is the same. In this question, the security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization’s network. This means that the action should be deny, the protocol should be any (ip, which matches every IP protocol), the source address should be 10.1.4.9/32 (which means a single IP address), the destination address should be 0.0.0.0/0 (which means any IP address), and the port number should be any.
Therefore, the correct firewall rule is:
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
This rule will match any packet that has the source IP address of 10.1.4.9 and drop it. The other options are incorrect because they either have the wrong action, the wrong source address, or the wrong destination address. For example, option A has the source and destination addresses reversed, which means that it will block any packet that has the destination IP address of 10.1.4.9, which is not the intended goal.
Option C has the wrong action, which is permit, which means that it will allow the packet to pass through the firewall, which is also not the intended goal.
Option D has the same problem as option A, with the source and destination addresses reversed.
Reference = Firewall Rules – CompTIA Security+ SY0-401: 1.2, Firewalls – SY0-601 CompTIA Security+: 3.3, Firewalls – CompTIA Security+ SY0-501, Understanding Firewall Rules – CompTIA Network+ N10-005: 5.5, Configuring Windows Firewall – CompTIA A+ 220-1102 – 1.6.
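To make the matching logic in the explanation above concrete, here is an added example (not part of the original practice-exam page) that parses the four candidate rules in the page's simplified access-list syntax and evaluates them against constructed traffic. The first-match-wins evaluation with an implicit deny at the end of the list is a common firewall convention and is an assumption here, as are the sample addresses `203.0.113.7` and `192.168.10.20`; each option is placed ahead of a permit-all rule so that only the option's own effect is visible.

```python
"""Added example: a first-match ACL evaluator for the page's simplified
'access-list <name> <action> <proto> source <cidr> destination <cidr>' syntax.
First matching rule wins; no match falls through to an implicit deny (assumed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "permit" or "deny"
    protocol: str                          # "ip" here; any keyword is accepted
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        """A rule matches when both addresses fall inside its source/destination prefixes."""
        return (ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.destination)


def parse_rule(text: str) -> Rule:
    """Parse one rule line; reject anything that does not fit the expected shape."""
    tokens = text.split()
    if (len(tokens) != 8 or tokens[0] != "access-list"
            or tokens[4] != "source" or tokens[6] != "destination"):
        raise ValueError(f"unrecognised rule syntax: {text!r}")
    _, name, action, proto, _, src, _, dst = tokens
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(name, action, proto,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))


def evaluate(rules, src: str, dst: str) -> str:
    """Return the action of the first matching rule, or 'deny' when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "deny"


# The four answer options from the question, with the protocol keyword 'ip'.
OPTIONS = {
    "A": "access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32",
    "B": "access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "C": "access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "D": "access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32",
}

# Constructed traffic (assumed addresses): the host to be blocked, another
# external host, and an internal server they both try to reach.
BLOCKED_HOST = "10.1.4.9"
OTHER_HOST = "203.0.113.7"
INTERNAL_SERVER = "192.168.10.20"


def check_option(letter: str) -> dict:
    """What the option does to inbound traffic from 10.1.4.9 and from another host,
    with a permit-all rule behind it so only the option's own effect shows."""
    rules = [parse_rule(OPTIONS[letter]),
             parse_rule("access-list inbound permit ip source 0.0.0.0/0 destination 0.0.0.0/0")]
    return {
        "from_blocked_host": evaluate(rules, BLOCKED_HOST, INTERNAL_SERVER),
        "from_other_host": evaluate(rules, OTHER_HOST, INTERNAL_SERVER),
    }


def correct_options() -> list:
    """Letters whose rule denies traffic from 10.1.4.9 while leaving other hosts alone."""
    wanted = {"from_blocked_host": "deny", "from_other_host": "permit"}
    return [letter for letter in OPTIONS if check_option(letter) == wanted]


if __name__ == "__main__":
    for letter in OPTIONS:
        print(letter, check_option(letter))
    print("correct:", correct_options())
```

Running the script shows option A and option D never match a packet whose destination is the internal server (they key on 10.1.4.9 as the destination), option C explicitly permits the host, and only option B denies traffic sourced from 10.1.4.9 while the other host is still permitted.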
Which of the following architecture models ensures that critical systems are physically isolated from the network to prevent access from users with remote access privileges?
- A . Segmentation
- B . Virtualized
- C . Air-gapped
- D . Serverless
C
Explanation:
An air-gapped (C) system is completely isolated from unsecured networks (like the internet) and other systems, preventing any form of remote access. This is often used in highly sensitive environments such as military, nuclear, or critical infrastructure systems.
This is mentioned under Domain 3.4: Given a scenario, apply cybersecurity resilience concepts in the CompTIA Security+ SY0-701 Exam Objectives, specifically under “Isolation (e.g., air-gapped)”.
Reference: CompTIA Security+ SY0-701 Objectives, Domain 3.4 – “Cybersecurity resilience: Isolation (e.g., air-gapped).”
A company’s antivirus solution is effective in blocking malware but often has false positives. The security team has spent a significant amount of time on investigations but cannot determine a root cause. The company is looking for a heuristic solution.
Which of the following should replace the antivirus solution?
- A . SIEM
- B . EDR
- C . DLP
- D . IDS
B
Explanation:
Endpoint Detection and Response (EDR) platforms use behavioral analytics, machine learning, heuristics, and anomaly detection to identify malware and suspicious activity more accurately than traditional signature-based antivirus. EDR solutions also provide rich telemetry, process tracking, sandboxing, and automated investigation capabilities.
The SY0-701 exam emphasizes EDR as a replacement for legacy antivirus in modern threat environments. EDR can significantly reduce false positives by establishing behavioral baselines and analyzing file, process, and memory activity rather than relying solely on signatures. The scenario states the company wants a heuristic solution, which directly aligns with EDR’s advanced detection approach.
SIEM (A) is for log aggregation and correlation, not endpoint protection. DLP (C) prevents data exfiltration but does not detect malware. IDS (D) analyzes network traffic, not endpoint behavior.
Thus, EDR is the correct solution to reduce false positives and improve malware-detection accuracy.
An administrator must replace an expired SSL certificate.
Which of the following does the administrator need to create the new SSL certificate?
- A . CSR
- B . OCSP
- C . Key
- D . CRL
A
Explanation:
A Certificate Signing Request (CSR) is a request sent to a certificate authority (CA) to issue an SSL certificate. The CSR contains information like the public key, which will be part of the certificate.
Reference: Security+ SY0-701 Course Content, Security+ SY0-601 Book.
