Practice Free SY0-701 Exam Online Questions
Which of the following actions is best performed by ticketing automation to ensure that incidents receive the correct level of attention and response?
- A . Notification
- B . Creation
- C . Closure
- D . Escalation
D
Explanation:
The key phrase is “ensure that incidents receive the correct level of attention and response.” In operations, that aligns most directly with escalation: moving high-severity or time-sensitive incidents to the right people/teams quickly and consistently, according to predefined criteria (severity, impacted systems, threat intel enrichment, SLA timers). The Study Guide lists ticketing and escalation explicitly as automation use cases: “Ticket creation: Automation can streamline the ticketing process, enabling immediate creation and routing of issues to the right teams.” and, crucially for this question, “Escalation: In case of a major incident, scripts can automate the escalation process, alerting key personnel quickly.”
While automation can also handle notification and ticket creation, escalation is the control that most directly enforces that the incident gets the proper priority and response path (for example: paging on-call, invoking the IR lead, opening a bridge, and applying “major incident” workflows). Closure is typically less suitable because it often requires validation and human judgment to ensure containment, eradication, and recovery steps are complete.
Reference: Automation use cases for ticketing, including escalation for major incidents.
Which of the following should a security administrator adhere to when setting up a new set of firewall rules?
- A . Disaster recovery plan
- B . Incident response procedure
- C . Business continuity plan
- D . Change management procedure
D
Explanation:
A change management procedure is a set of steps and guidelines that a security administrator should adhere to when setting up a new set of firewall rules. A firewall is a device or software that can filter, block, or allow network traffic based on predefined rules or policies. A firewall rule is a statement that defines the criteria and action for a firewall to apply to a packet or a connection. For example, a firewall rule can allow or deny traffic based on the source and destination IP addresses, ports, protocols, or applications. Setting up a new set of firewall rules is a type of change that can affect the security, performance, and functionality of the network. Therefore, a change management procedure is necessary to ensure that the change is planned, tested, approved, implemented, documented, and reviewed in a controlled and consistent manner. A change management procedure typically includes the following elements:
- A change request that describes the purpose, scope, impact, and benefits of the change, as well as the roles and responsibilities of the change owner, implementer, and approver.
- A change assessment that evaluates the feasibility, risks, costs, and dependencies of the change, as well as the alternatives and contingency plans.
- A change approval that authorizes the change to proceed to the implementation stage, based on the criteria and thresholds defined by the change policy.
- A change implementation that executes the change according to the plan and schedule, and verifies the results and outcomes of the change.
- A change documentation that records the details and status of the change, as well as the lessons learned and best practices.
- A change review that monitors and measures the performance and effectiveness of the change, and identifies any issues or gaps that need to be addressed or improved.
A change management procedure is important for a security administrator to adhere to when setting up a new set of firewall rules, as it can help to achieve the following objectives:
- Enhance the security posture and compliance of the network by ensuring that the firewall rules are aligned with the security policies and standards, and that they do not introduce any vulnerabilities or conflicts.
- Minimize the disruption and downtime of the network by ensuring that the firewall rules are tested and validated before deployment, and that they do not affect the availability or functionality of the network services or applications.
- Improve the efficiency and quality of the network by ensuring that the firewall rules are optimized and updated according to the changing needs and demands of the network users and stakeholders, and that they do not cause any performance or compatibility issues.
- Increase the accountability and transparency of the network by ensuring that the firewall rules are documented and reviewed regularly, and that they are traceable and auditable by the relevant authorities and parties.
The other options are not correct because they are not related to the process of setting up a new set of firewall rules. A disaster recovery plan is a set of policies and procedures that aim to restore the normal operations of an organization in the event of a system failure, natural disaster, or other emergency. An incident response procedure is a set of steps and guidelines that aim to contain, analyze, eradicate, and recover from a security incident, such as a cyberattack, data breach, or malware infection. A business continuity plan is a set of strategies and actions that aim to maintain the essential functions and operations of an organization during and after a disruptive event, such as a pandemic, power outage, or civil unrest.
Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 7: Resilience and Recovery, page 325. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.3: Security Operations, video: Change Management (5:45).
While a school district is performing state testing, a security analyst notices all internet services are unavailable. The analyst discovers that ARP poisoning is occurring on the network and then terminates access for the host.
Which of the following is most likely responsible for this malicious activity?
- A . Unskilled attacker
- B . Shadow IT
- C . Credential stuffing
- D . DMARC failure
A
Explanation:
ARP poisoning (also known as ARP spoofing) is a basic man-in-the-middle (MITM) attack that involves sending fake ARP responses to redirect traffic. This technique is not sophisticated and can be easily executed using freely available tools like Cain & Abel, Ettercap, or Wireshark.
Such attacks are often attempted by unskilled attackers (script kiddies) testing their abilities, especially in environments like schools. The term “unskilled attacker” fits best here, as credential stuffing and DMARC are unrelated to ARP poisoning.
Reference: CompTIA Security+ SY0-701 Objectives, Domain 2.1: “Attack techniques: MITM, ARP poisoning; attacker types: Unskilled/script kiddie.”
A security analyst is reviewing logs to identify the destination of command-and-control traffic originating from a compromised device within the on-premises network.
Which of the following is the best log to review?
- A . IDS
- B . Antivirus
- C . Firewall
- D . Application
The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization’s agreed-upon RPOs and RTOs.
Which of the following backup scenarios would best ensure recovery?
- A . Hourly differential backups stored on a local SAN array
- B . Daily full backups stored on premises in magnetic offline media
- C . Daily differential backups maintained by a third-party cloud provider
- D . Weekly full backups with daily incremental stored on a NAS drive
D
Explanation:
A backup strategy that combines weekly full backups with daily incremental backups stored on a NAS (Network Attached Storage) drive is likely to meet an organization’s Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). This approach ensures that recent data is regularly backed up and that recovery can be done efficiently, without significant data loss or lengthy downtime.
Reference:
CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Disaster Recovery and Backup Strategies.
Which of the following control types describes an alert from a SIEM tool?
- A . Preventive
- B . Corrective
- C . Compensating
- D . Detective
D
Explanation:
Alerts generated by SIEM (Security Information and Event Management) tools are detective controls, as they identify and notify about suspicious activities but do not prevent or correct the events themselves.
Preventive controls stop incidents before they occur, corrective controls remediate issues, and compensating controls are alternatives used when primary controls aren’t feasible.
Detective controls are foundational in Security Operations for incident detection and response (CompTIA Security+ Study Guide, Chapter 14).
Which of the following cryptographic solutions protects data at rest?
- A . Digital signatures
- B . Full disk encryption
- C . Private key
- D . Steganography
A network manager wants to protect the company’s VPN by implementing multifactor authentication that uses:
- Something you know
- Something you have
- Something you are
Which of the following would accomplish the manager’s goal?
- A . Domain name, PKI, GeoIP lookup
- B . VPN IP address, company ID, facial structure
- C . Password, authentication token, thumbprint
- D . Company URL, TLS certificate, home address
C
Explanation:
The correct answer is C. Password, authentication token, thumbprint. This combination of authentication factors satisfies the manager’s goal of implementing multifactor authentication that uses something you know, something you have, and something you are.
Something you know is a type of authentication factor that relies on the user’s knowledge of a secret or personal information, such as a password, a PIN, or a security question. A password is a common example of something you know that can be used to access a VPN [1][2].
Something you have is a type of authentication factor that relies on the user’s possession of a physical object or device, such as a smart card, a token, or a smartphone. An authentication token is a common example of something you have that can be used to generate a one-time password (OTP) or a code that can be used to access a VPN [1][2].
Something you are is a type of authentication factor that relies on the user’s biometric characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a common example of something you are that can be used to scan and verify the user’s identity to access a VPN [1][2].
Reference:
1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Identity and Access Management, page 177
2: CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4: Identity and Access Management, page 179
A penetration testing report indicated that an organization should implement controls related to database input validation.
Which of the following best identifies the type of vulnerability that was likely discovered during the test?
- A . XSS
- B . Command injection
- C . Buffer overflow
- D . SQLi
D
Explanation:
Poor input validation in databases typically leads to SQL Injection (SQLi) vulnerabilities, where attackers manipulate input fields to execute arbitrary SQL commands and gain unauthorized data access or control.
XSS (A) affects web applications’ output rendering, command injection (B) affects OS commands, and buffer overflow (C) affects memory management, so they don’t directly relate to database input validation.
SQLi is a critical vulnerability extensively covered in the Application Security domain (CompTIA Security+ Study Guide, Chapter 6).
A human resources (HR) employee working from home leaves their company laptop open on the kitchen table. A family member walking through the kitchen reads an email from the Chief Financial Officer addressed to the HR department. The email contains information referencing company layoffs. The family member posts the content of the email to social media.
Which of the following policies will the HR employee most likely need to review after this incident?
- A . Hybrid work environment
- B . Operations security
- C . Data loss prevention
- D . Social engineering
B
Explanation:
Operations security (OPSEC) focuses on identifying and protecting sensitive information to prevent unauthorized disclosure. In this scenario, the HR employee failed to safeguard confidential company information, leading to its exposure on social media.
Training in OPSEC would reinforce the need to maintain security best practices, such as locking screens when away from a device and ensuring that sensitive data is not exposed in unsecured locations.
Hybrid work environment policies relate to managing remote and in-office work but do not specifically cover security risks like unauthorized data exposure.
Data loss prevention (DLP) deals with technology-based solutions to prevent unauthorized data transfers but does not address physical security practices.
Social engineering refers to deceptive tactics used by attackers to manipulate individuals, which is not applicable to this situation.
The HR employee should review operations security policies to prevent similar incidents in the future.
