Practice Free SY0-701 Exam Online Questions
Which of the following architectures is most suitable to provide redundancy for critical business processes?
- A . Network-enabled
- B . Server-side
- C . Cloud-native
- D . Multitenant
Which of the following environments utilizes a subset of customer data and is most likely to be used to assess the impacts of major system upgrades and demonstrate system features?
- A . Development
- B . Test
- C . Production
- D . Staging
D
Explanation:
A staging environment is a controlled setting that closely mirrors the production environment but uses a subset of customer data. It is used to test major system upgrades, assess their impact, and demonstrate new features before they are rolled out to the live production environment. This ensures that any issues can be identified and addressed in a safe environment before affecting end-users.
Reference: CompTIA Security+ SY0-701 study materials, particularly in the domain of secure system development and testing environments.
Which of the following methods will most likely be used to identify legacy systems?
- A . Bug bounty program
- B . Vulnerability scan
- C . Package monitoring
- D . Dynamic analysis
B
Explanation:
A vulnerability scan is the most effective method for identifying legacy systems within an environment. Vulnerability scanners assess hosts for outdated operating systems, unsupported software versions, missing patches, deprecated services, and known Common Vulnerabilities and Exposures (CVEs). CompTIA Security+ SY0-701 highlights vulnerability scanning as a foundational security operation used to gain visibility into system age, patch status, and configuration weaknesses.
Legacy systems often stand out in scan results because they run end-of-life operating systems, use deprecated protocols, or lack current security updates. These indicators allow security teams to quickly flag systems that require isolation, compensating controls, or replacement.
Bug bounty programs (A) rely on external researchers and are not designed to inventory internal assets. Package monitoring (C) tracks software behavior and changes but does not identify system age or support status. Dynamic analysis (D) evaluates running applications for vulnerabilities, not infrastructure lifecycle status.
Because vulnerability scans provide broad visibility into system versions and supportability, the correct answer is B: Vulnerability scan.
Executives at a company are concerned about employees accessing systems and information about sensitive company projects unrelated to the employees’ normal job duties.
Which of the following enterprise security capabilities will the security team most likely deploy to detect that activity?
- A . UBA
- B . EDR
- C . NAC
- D . DLP
A company is in the process of migrating to cloud-based services. The company’s IT department has limited resources for migration and ongoing support.
Which of the following best meets the company’s needs?
- A . IPS
- B . WAF
- C . SASE
- D . IAM
A user sends an email that includes a digital signature for validation.
Which of the following security concepts would ensure that a user cannot deny that they sent the email?
- A . Non-repudiation
- B . Confidentiality
- C . Integrity
- D . Authentication
A
Explanation:
Non-repudiation ensures that a sender cannot deny sending a message. Digital signatures provide non-repudiation because they use the sender’s private key, which only the legitimate owner possesses. When the email recipient verifies the digital signature using the sender’s public key, it proves the email was sent by the true owner of the private key and has not been altered.
Confidentiality (B) ensures information is protected from unauthorized access and is usually achieved through encryption. Integrity (C) ensures data has not been modified, while authentication (D) verifies the identity of a user. Although digital signatures also support integrity and authentication, the specific property that prevents denial of sending the email is non-repudiation.
Security+ SY0-701 highlights digital signatures as a cryptographic mechanism used for authentication, integrity, and non-repudiation, especially in email security, PKI systems, and secure messaging.
Thus, the correct answer is Non-repudiation.
A company’s web filter is configured to scan the URL for strings and deny access when matches are found.
Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
- A . encryption=off
- B . http://
- C . www.*.com
- D . :443
B
Explanation:
A web filter is a device or software that can monitor, block, or allow web traffic based on predefined rules or policies. One of the common methods of web filtering is to scan the URL for strings and deny access when matches are found. For example, a web filter can block access to websites that contain the words “gambling”, “porn”, or “malware” in their URLs. A URL is a uniform resource locator that identifies the location and protocol of a web resource.
A URL typically consists of the following components: protocol://domain:port/path?query#fragment. The protocol specifies the communication method used to access the web resource, such as HTTP, HTTPS, FTP, or SMTP. The domain is the name of the web server that hosts the web resource, such as www.google.com or www.bing.com. The port is an optional number that identifies the specific service or application running on the web server, such as 80 for HTTP or 443 for HTTPS. The path is the specific folder or file name of the web resource, such as /index.html or /images/logo.png. The query is an optional string that contains additional information or parameters for the web resource, such as ?q=security or ?lang=en. The fragment is an optional string that identifies a specific part or section of the web resource, such as #introduction or #summary.
To prohibit access to non-encrypted websites, an analyst should employ a search string that matches the protocol of non-encrypted web traffic, which is HTTP. HTTP stands for hypertext transfer protocol, and it is a standard protocol for transferring data between web servers and web browsers. However, HTTP does not provide any encryption or security for the data, which means that anyone who intercepts the web traffic can read or modify the data. Therefore, non-encrypted websites are vulnerable to eavesdropping, tampering, or spoofing attacks. To access a non-encrypted website, the URL usually starts with http://, followed by the domain name and optionally the port number. For example, http://www.example.com or http://www.example.com:80. By scanning the URL for the string http://, the web filter can identify and block non-encrypted websites.
The other options are not correct because they do not match the protocol of non-encrypted web traffic. encryption=off is a possible query string that indicates the encryption status of the web resource, but it is not a standard or mandatory parameter. https:// is the protocol of encrypted web traffic, which uses hypertext transfer protocol secure (HTTPS) to provide encryption and security for the data. www.*.com is a possible domain pattern that matches any website that starts with www and ends with .com, but it does not specify the protocol. :443 is the port number of HTTPS, which is the protocol of encrypted web traffic.
Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 2: Securing Networks, page 69. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 2.1: Network Devices and Technologies, video: Web Filter (5:16).
A company’s website is www.company.com. Attackers purchased the domain wwww.company.com.
Which of the following types of attacks describes this example?
- A . Typosquatting
- B . Brand Impersonation
- C . On-path
- D . Watering-hole
A
Explanation:
"Typosquatting, also known as URL hijacking, is a form of cybersquatting where attackers register domain names that are intentionally similar to legitimate ones, often differing by a single character or a common typographical error. For example, an attacker might register ‘wwww.company.com’ to mimic ‘www.company.com,’ tricking users who mistype the URL into visiting a malicious site. This attack exploits human error and can be used to steal credentials, distribute malware, or impersonate the legitimate entity."
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 1.0: General Security Concepts, Section: "Social Engineering Attacks and Threats" (Typosquatting is typically covered under threats related to domain misuse).
In this scenario, the attackers registered "wwww.company.com," which is a subtle variation of "www.company.com," relying on users mistyping or not noticing the extra "w." This fits the definition of typosquatting exactly. Brand impersonation (B) is related but broader and does not specifically tie to typographical errors. On-path (C) involves intercepting communication, and watering-hole (D) targets users via compromised legitimate sites; neither applies here.
A company is concerned about the theft of client data from decommissioned laptops.
Which of the following is the most cost-effective method to decrease this risk?
- A . Wiping
- B . Recycling
- C . Shredding
- D . Deletion
A
Explanation:
Wiping involves securely erasing data by overwriting the hard drive, ensuring the information is unrecoverable. It is cost-effective compared to physical destruction methods like shredding.
Employees sign an agreement that restricts specific activities when leaving the company. Violating the agreement can result in legal consequences.
Which of the following agreements does this best describe?
- A . SLA
- B . BPA
- C . NDA
- D . MOA
C
Explanation:
A non-disclosure agreement (NDA) restricts employees from sharing proprietary or confidential information when they leave the company. Legal consequences may result from violating an NDA.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Domain 5.2: "NDAs are legal agreements to prevent employees from disclosing sensitive information upon termination."
Exam Objectives 5.2: “Summarize business agreement and legal requirements.”
