Practice Free SY0-701 Exam Online Questions
An unknown source has attacked an organization’s network multiple times. The organization has a firewall but no other form of protection against these attacks.
Which of the following is the best security item to add?
- A . SIEM
- B . Load balancer
- C . UTM
- D . IPS
D
Explanation:
An Intrusion Prevention System (IPS) is the most effective addition when an organization already has a firewall but continues to face repeated external attacks. Security+ SY0-701 describes an IPS as an inline device that inspects traffic and automatically blocks malicious packets in real time based on signatures, anomalous behavior, or heuristics. Whereas a firewall filters traffic by address, port, and protocol rules, an IPS inspects packet content and so detects and prevents deeper-level threats such as exploit attempts, malware delivery, and command-and-control traffic that a rule-based firewall would allow through.
A UTM (C) includes IPS features, but it is typically deployed as an all-in-one replacement for the firewall. The question states the organization already has a firewall, so the most efficient addition is a standalone IPS. A SIEM (A) aggregates and analyzes logs but does not block attacks. A load balancer (B) distributes traffic for performance and availability, not for attack prevention.
Thus, the best item to stop active inbound attacks is D: IPS.
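To make the firewall-versus-IPS distinction concrete, here is an added example (not from the study guide or any vendor) of the two detection methods the explanation names, signature matching and rate-based anomaly detection, applied inline to constructed packet records. The packet format, the signature strings and the rate threshold are assumptions chosen for illustration; a firewall allowing TCP/80 from anywhere would pass every one of these packets, because nothing in the addresses or ports distinguishes them.

```python
"""Added example: a minimal inline IPS decision engine (illustrative, not a product).

Each packet is a dict {"src": ip, "dst_port": int, "payload": bytes, "ts": float}.
Two detection methods are modelled:
  * signature: byte patterns that must not appear in the payload
  * anomaly:   a per-source packet-rate threshold over a sliding window
The verdict is returned before the packet would be forwarded, which is what
"inline" means in contrast to a passive IDS that only raises an alert.
"""
from collections import defaultdict, deque

# Constructed signatures (assumption: an HTTP service is exposed on port 80).
SIGNATURES = {
    "path-traversal": b"../../",
    "sqli-tautology": b"' OR 1=1",
    "shell-upload": b"<?php system(",
}

RATE_LIMIT = 20        # packets per source ...
RATE_WINDOW = 1.0      # ... within this many seconds


class InlineIPS:
    def __init__(self, signatures=SIGNATURES, rate_limit=RATE_LIMIT, window=RATE_WINDOW):
        self.signatures = signatures
        self.rate_limit = rate_limit
        self.window = window
        self._recent = defaultdict(deque)   # src -> recent timestamps
        self.blocked_sources = set()
        self.log = []

    def _rate_exceeded(self, src, ts):
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()
        return len(q) > self.rate_limit

    def inspect(self, pkt):
        """Return ("drop" | "pass", reason). The decision is made before forwarding."""
        src, ts = pkt["src"], pkt["ts"]
        if src in self.blocked_sources:
            return "drop", "source already blocked"
        payload = pkt.get("payload", b"")
        for name, pattern in self.signatures.items():
            if pattern in payload:
                self.log.append((ts, src, name))
                return "drop", f"signature:{name}"
        if self._rate_exceeded(src, ts):
            # Anomaly detection: block the source, not just this packet.
            self.blocked_sources.add(src)
            self.log.append((ts, src, "rate-anomaly"))
            return "drop", "anomaly:rate"
        return "pass", "clean"


def run(packets, ips=None):
    ips = ips or InlineIPS()
    verdicts = [ips.inspect(p) for p in packets]
    return verdicts, ips


def sample_traffic():
    """Constructed traffic: a benign request, a traversal attempt, then a 25-packet burst."""
    pkts = [
        {"src": "203.0.113.5", "dst_port": 80, "ts": 0.00,
         "payload": b"GET /index.html HTTP/1.1\r\n"},
        {"src": "198.51.100.7", "dst_port": 80, "ts": 0.10,
         "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    ]
    for i in range(25):
        pkts.append({"src": "198.51.100.9", "dst_port": 80, "ts": 0.20 + i * 0.01,
                     "payload": b"GET / HTTP/1.1\r\n"})
    return pkts


if __name__ == "__main__":
    verdicts, ips = run(sample_traffic())
    for pkt, verdict in zip(sample_traffic(), verdicts):
        print(f"{pkt['ts']:.2f} {pkt['src']:>14} -> {verdict[0]:4} ({verdict[1]})")
    print("blocked sources:", sorted(ips.blocked_sources))
```

The burst shows why anomaly detection complements signatures: every packet in it is individually clean, and only the rate makes it malicious. A real IPS also has to bound the per-source state it keeps, since an attacker can otherwise exhaust memory by spraying source addresses.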
A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network.
Which of the following should the team do first to secure the environment?
- A . Contain the impacted hosts
- B . Add the malware to the application blocklist.
- C . Segment the core database server.
- D . Implement firewall rules to block outbound beaconing
A
Explanation:
The first step in responding to a cybersecurity incident, particularly when malware is detected, is to contain the impacted hosts. This action prevents the spread of malware to other parts of the network, limiting the potential damage while further investigation and remediation actions are planned.
Reference: CompTIA Security+ SY0-701 study materials, particularly on incident response procedures and the importance of containment in managing security incidents.
An IT manager is increasing the security capabilities of an organization after a data classification initiative determined that sensitive data could be exfiltrated from the environment.
Which of the following solutions would mitigate the risk?
- A . XDR
- B . SPF
- C . DLP
- D . DMARC
C
Explanation:
To mitigate the risk of sensitive data being exfiltrated from the environment, the IT manager should implement a Data Loss Prevention (DLP) solution. DLP inspects data in motion, in use, and at rest against content rules (patterns, fingerprints, classification labels) and blocks or quarantines unauthorized transfers before a breach occurs. It is the natural follow-on to a data classification initiative, because the classification labels tell the DLP engine what to protect.
XDR (Extended Detection and Response) is useful for threat detection across multiple environments but doesn’t specifically address data exfiltration.
SPF (Sender Policy Framework) helps prevent email spoofing, not data exfiltration.
DMARC (Domain-based Message Authentication, Reporting & Conformance) also addresses email security and spoofing, not data exfiltration.
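The following is an added example, not part of the original question set and not any vendor's implementation, of the content-inspection logic a DLP policy applies to an outbound message. It detects payment card numbers (validated with the Luhn check so that arbitrary 16-digit strings do not trigger), US SSNs, and a classification header of the kind a classification initiative would stamp on documents; the header text, the internal domain name and the block/allow policy are assumptions.

```python
"""Added example: DLP-style content inspection of an outbound message (illustrative)."""
import re

# 13-19 digits with optional space/dash separators, e.g. "4111 1111 1111 1111"
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN with the area/group/serial exclusions the SSA publishes
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed label format produced by the classification initiative
LABEL_RE = re.compile(r"CLASSIFICATION:\s*(CONFIDENTIAL|RESTRICTED)", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(message: str, destination_domain: str, internal_domain: str = "corp.example"):
    """Return (action, findings). Sensitive content may move internally; it is
    blocked at the boundary, which is where exfiltration happens."""
    findings = []
    pans = find_pans(message)
    if pans:
        findings.append(("PAN", len(pans)))
    ssns = SSN_RE.findall(message)
    if ssns:
        findings.append(("SSN", len(ssns)))
    label = LABEL_RE.search(message)
    if label:
        findings.append(("LABEL", label.group(1).upper()))

    external = not destination_domain.endswith(internal_domain)
    if findings and external:
        action = "block"
    elif findings:
        action = "allow+log"      # internal transfer: permitted but recorded
    else:
        action = "allow"
    return action, findings


if __name__ == "__main__":
    # Constructed messages
    samples = [
        ("Hi, please charge card 4111 1111 1111 1111 exp 12/26", "mail.example.net"),
        ("Invoice ref 4111 1111 1111 1112 attached", "mail.example.net"),
        ("CLASSIFICATION: Confidential\nQ3 plan draft", "finance.corp.example"),
        ("Applicant SSN 123-45-6789", "partner.example"),
    ]
    for msg, dest in samples:
        print(dest, inspect(msg, dest))
```

Note the second sample: it contains sixteen digits that fail the Luhn check, so it passes. Pattern-only DLP rules generate enough false positives that users learn to ignore or route around them; validation steps like this are what make a blocking policy tolerable.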
Which of the following would be best suited for constantly changing environments?
- A . RTOS
- B . Containers
- C . Embedded systems
- D . SCADA
B
Explanation:
Containers are a form of operating-system-level virtualization that lets applications run in isolated environments with their own dependencies, libraries, and configuration while sharing the host kernel. Containers are best suited for constantly changing environments because they are lightweight, portable, scalable, and quick to deploy, replace, and update from an image. They also underpin microservices architectures, which enable faster and more frequent delivery of software features. The other options are the opposite: RTOS, embedded systems, and SCADA are static, long-lived platforms where change is slow and tightly controlled.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 10: Mobile Device Security, page 512.
A company has yearly engagements with a service provider. The general terms and conditions are the same for all engagements. The company wants to simplify the process and revisit the general terms every three years.
Which of the following documents would provide the best way to set the
general terms?
- A . MSA
- B . NDA
- C . MOU
- D . SLA
A
Explanation:
A Master Service Agreement (MSA) establishes the general terms and conditions for ongoing business engagements. Each yearly engagement is then covered by a short statement of work that references the MSA, so the company can reuse the same terms across multiple contracts and revisit them periodically, here every three years.
NDA (B) protects confidential information but does not define service terms.
MOU (C) is a non-binding agreement, often used for partnerships, not formal service contracts. SLA (D) focuses on service performance expectations, not overall contract terms.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Security Program Management and Oversight domain.
Which of the following is the most likely reason a security analyst would review SIEM logs?
- A . To check for recent password reset attempts
- B . To monitor for potential DDoS attacks
- C . To assess the scope of a privacy breach
- D . To see correlations across multiple hosts
D
Explanation:
One of the primary advantages of SIEM tools is their ability to correlate events across multiple hosts and devices to identify patterns that indicate coordinated attacks or advanced threats. A single host sees only its own slice of an intrusion; reviewing correlated logs surfaces incidents, such as one account failing authentication on many systems in a short window, that are invisible when each system is examined on its own.
Checking password resets (A) and monitoring for DDoS (B) are possible uses but not the primary reason an analyst turns to a SIEM. Assessing the scope of a privacy breach (C) is a post-incident activity, not the typical motivation for routine SIEM log review.
Reference: CompTIA Security+ Study Guide, Chapter 14 (Security Operations), which describes log correlation as a core SIEM feature.
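As an added illustration (not from the study guide), the following correlation rule is the kind a SIEM evaluates over events collected from many hosts. It runs over constructed sshd-style log lines: the rule fires when one account fails authentication on at least three distinct hosts within five minutes. Each host sees only one failure and would never alert by itself; the log format, hostnames, addresses and thresholds are all assumptions.

```python
"""Added example: cross-host correlation of authentication failures (illustrative)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed log lines as they would arrive from three hosts' syslog forwarders.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 web01 sshd[1201]: Failed password for svc_backup from 10.0.5.12 port 51022 ssh2
2024-05-01T09:00:07 web01 sshd[1203]: Accepted password for alice from 10.0.1.4 port 50210 ssh2
2024-05-01T09:01:15 db02 sshd[880]: Failed password for svc_backup from 10.0.5.12 port 51030 ssh2
2024-05-01T09:02:40 app03 sshd[2210]: Failed password for svc_backup from 10.0.5.12 port 51041 ssh2
2024-05-01T09:03:02 app03 sshd[2211]: Failed password for invalid user admin from 10.0.5.12 port 51044 ssh2
2024-05-01T09:20:00 web01 sshd[1300]: Failed password for bob from 10.0.1.9 port 50300 ssh2
2024-05-01T09:40:00 db02 sshd[900]: Failed password for bob from 10.0.1.9 port 50301 ssh2
2024-05-01T10:10:00 app03 sshd[2300]: Failed password for bob from 10.0.1.9 port 50302 ssh2
"""


def parse(lines: str):
    """Normalize raw lines into events; lines that are not failures are ignored."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                   "user": m["user"], "src": m["src"]}


def correlate(events, min_hosts: int = 3, window=timedelta(minutes=5)):
    """Sliding window per user; alert once when the distinct-host count reaches min_hosts."""
    by_user = defaultdict(list)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        bucket = by_user[ev["user"]]
        bucket.append(ev)
        while bucket and ev["ts"] - bucket[0]["ts"] > window:   # expire old events
            bucket.pop(0)
        hosts = {e["host"] for e in bucket}
        if len(hosts) >= min_hosts and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "hosts": sorted(hosts),
                "sources": sorted({e["src"] for e in bucket}),
                "first": bucket[0]["ts"],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(f"{alert['user']}: failures on {alert['hosts']} from {alert['sources']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The user "bob" also fails on three hosts but over seventy minutes, so the window excludes him; the window and host count are the knobs that trade detection sensitivity against false positives, and they are only tunable because the SIEM sees every host's events together.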
A systems administrator is creating a script that would save time and prevent human error when performing account creation for a large number of end users.
Which of the following would be a good use case for this task?
- A . Off-the-shelf software
- B . Orchestration
- C . Baseline
- D . Policy enforcement
B
Explanation:
Orchestration is the process of automating multiple tasks across different systems and applications. It saves time and reduces human error by executing predefined workflows and scripts instead of relying on repeated manual entry. In this case, the systems administrator can use orchestration to create accounts for a large number of end users, deriving usernames, assigning group memberships, and applying the same settings to every account, without entering each user's information by hand.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 457.
Which of the following automation use cases would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company?
- A . Provisioning resources
- B . Disabling access
- C . Reviewing change approvals
- D . Escalating permission requests
B
Explanation:
Disabling access is the automation use case that best enhances security posture when employees leave. It revokes or suspends a user account's access rights (login credentials, email, VPN, cloud services, and so on) so that neither the former employee nor an attacker who later compromises the dormant account can use it, which shrinks the attack surface and the risk of data leakage. The action can be triggered automatically by predefined events such as termination, resignation, or transfer recorded in the HR system, so that access is removed in a timely and consistent way without depending on someone remembering to do it. The other options either grant access (A, D) or review changes after the fact (C), none of which closes the window a departed employee's live account leaves open.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 5: Identity and Access Management, page 213; CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 5: Identity and Access Management, page 213.
Which of the following is used to quantitatively measure the criticality of a vulnerability?
- A . CVE
- B . CVSS
- C . CIA
- D . CERT
B
Explanation:
CVSS stands for Common Vulnerability Scoring System, a framework that provides a standardized way to assess and communicate the severity of vulnerabilities. CVSS uses a set of metrics and published formulas to calculate a numerical score from 0 to 10, where higher scores indicate higher criticality. Organizations use it to prioritize remediation and to compare vulnerabilities across systems and vendors. The other options do not measure criticality: CVE identifies a specific vulnerability, CIA names the confidentiality, integrity and availability triad, and a CERT is an organization that coordinates and reports on incidents.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 39.
Which of the following describes an executive team that is meeting in a board room and testing the company’s incident response plan?
- A . Continuity of operations
- B . Capacity planning
- C . Tabletop exercise
- D . Parallel processing
C
Explanation:
A tabletop exercise involves the executive team or key stakeholders discussing and testing the company’s incident response plan in a simulated environment. These exercises are low-stress, discussion-based, and help to validate the plan’s effectiveness by walking through different scenarios without disrupting actual operations. It is an essential part of testing business continuity and incident response strategies.
Continuity of operations refers to the ability of an organization to continue functioning during and after a disaster but doesn’t specifically involve simulations like tabletop exercises.
Capacity planning is related to ensuring the infrastructure can handle growth, not incident response testing.
Parallel processing refers to running multiple processes simultaneously, which is unrelated to testing an incident response plan.
