Practice Free SY0-701 Exam Online Questions
A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to download a file.
Which of the following is the most likely reason the download was blocked?
- A . A misconfiguration in the endpoint protection software
- B . A zero-day vulnerability in the file
- C . A supply chain attack on the endpoint protection vendor
- D . Incorrect file permissions
A
Explanation:
Endpoint protection systems rely on policy rules, signatures, behavioral analytics, and heuristics. When the analyst identifies the event as a false positive, this indicates the file itself was not malicious, but the endpoint protection solution incorrectly identified it as a threat. According to CompTIA Security+ SY0-701 concepts, false positives commonly occur due to overly aggressive configuration settings, outdated rules, unrefined behavioral baselines, or incorrect threat signatures.
Zero-day vulnerabilities (B) would cause a true positive because the file contains unknown malware, not a false alert. A supply chain attack (C) would impact the vendor or update delivery, not a user download event. Incorrect file permissions (D) prevent access but do not trigger malware alerts.
Misconfigurations are identified in SY0-701 under Security Operations → Monitoring, alerting, tuning, and false positives, which emphasizes the need for refining security controls to reduce erroneous blocks. Therefore, the most likely cause of a blocked benign download is a misconfigured endpoint protection policy.
An alert references attacks associated with a zero-day exploit. An analyst places a bastion host in the network to reduce the risk.
Which type of control is being implemented?
- A . Compensating
- B . Detective
- C . Operational
- D . Physical
A
Explanation:
A bastion host is a hardened system placed at a network boundary to absorb attacks and limit exposure. When deployed to mitigate risks from zero-day vulnerabilities, it acts as a compensating control. CompTIA Security+ SY0-701 defines compensating controls as alternative safeguards used when primary controls are insufficient or unavailable, such as when no patch exists for a zero-day.
Detective controls (B) identify issues but do not reduce exposure. Operational controls (C) refer to procedural or human-driven processes. Physical controls (D) secure physical environments (e.g., locks, cameras).
Because a bastion host compensates for the lack of a patch, the correct answer is A: Compensating.
An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards.
Which of the following techniques is the attacker using?
- A . Smishing
- B . Disinformation
- C . Impersonating
- D . Whaling
D
Explanation:
Whaling is a type of phishing attack that targets high-profile individuals, such as executives, celebrities, or politicians. The attacker impersonates someone with authority or influence and tries to trick the victim into performing an action, such as transferring money, revealing sensitive information, or clicking on a malicious link. Whaling is also called CEO fraud or business email compromise.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 97.
In which of the following will unencrypted PLC management traffic most likely be found?
- A . SDN
- B . IoT
- C . VPN
- D . SCADA
D
Explanation:
SCADA (Supervisory Control and Data Acquisition) systems commonly manage industrial equipment, including PLCs (Programmable Logic Controllers). Historically, SCADA environments often lack encryption for management traffic due to legacy equipment and protocols. This makes SCADA the most likely environment where unencrypted PLC management traffic can be observed.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Domain 3.2, “SCADA systems often transmit management traffic for PLCs without encryption, making them susceptible to interception.”
Exam Objectives 3.2: “Summarize security implications of embedded and specialized systems.”
A security analyst investigates abnormal outbound traffic from a corporate endpoint. The traffic is encrypted and uses non-standard ports.
Which of the following data sources should the analyst use first to confirm whether this traffic is malicious?
- A . Application logs
- B . Vulnerability scans
- C . Endpoint logs
- D . Packet captures
C
Explanation:
When investigating abnormal outbound traffic originating from a specific endpoint, endpoint logs are the most appropriate first data source to review. According to CompTIA Security+ SY0-701, endpoint logs provide detailed visibility into process execution, user actions, service creation, network connections initiated by applications, and security agent detections. This context is critical for determining which process initiated the encrypted traffic and why it is using non-standard ports.
Because the traffic is encrypted, packet captures (D) would reveal limited payload information and are more resource-intensive. Endpoint logs can quickly identify suspicious executables, command-line arguments, parent-child process relationships, and persistence mechanisms that indicate malware or command-and-control activity. Modern EDR tools rely heavily on endpoint telemetry for exactly this reason.
Application logs (A) may be useful later but are limited to specific applications. Vulnerability scans (B) identify weaknesses, not active malicious behavior.
Security+ SY0-701 emphasizes starting investigations as close to the suspected source as possible. Since the activity originates from a corporate endpoint, endpoint logs provide the fastest and most relevant confirmation of whether the traffic is malicious.
