Practice Free SY0-701 Exam Online Questions
Which of the following is a type of vulnerability that involves inserting scripts into web-based applications in order to take control of the client’s web browser?
- A . SQL injection
- B . Cross-site scripting
- C . Zero-day exploit
- D . On-path attack
B
Explanation:
Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into a website, which are then executed in the user’s web browser, potentially leading to data theft or session hijacking.
Reference: Security+ SY0-701 Course Content, Security+ SY0-601 Book.
The internal audit team determines a software application is no longer in scope for external reporting requirements.
Which of the following will confirm management’s perspective that the application is no longer applicable?
- A . Data inventory and retention
- B . Right to be forgotten
- C . Due care and due diligence
- D . Acknowledgement and attestation
D
Explanation:
Acknowledgement and attestation involve formal confirmation that an application is no longer in scope for compliance, auditing, or reporting requirements. This typically includes documentation signed by relevant stakeholders confirming that the software no longer processes, stores, or transmits relevant data.
Data inventory and retention (A) is related to managing data assets, not software scope confirmation.
Right to be forgotten (B) pertains to privacy laws (e.g., GDPR), allowing individuals to request data deletion.
Due care and due diligence (C) focus on security best practices rather than software applicability.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Security Program Management and Oversight domain.
An organization is required to provide assurance that its controls are properly designed and operating effectively.
Which of the following reports will best achieve the objective?
- A . Red teaming
- B . Penetration testing
- C . Independent audit
- D . Vulnerability assessment
A user is attempting to patch a critical system, but the patch fails to transfer.
Which of the following access controls is most likely inhibiting the transfer?
- A . Attribute-based
- B . Time of day
- C . Role-based
- D . Least privilege
D
Explanation:
The least privilege principle states that users and processes should only have the minimum level of access required to perform their tasks. This helps to prevent unauthorized or unnecessary actions that could compromise security. In this case, the patch transfer might be failing because the user or process does not have the appropriate permissions to access the critical system or the network resources needed for the transfer. Applying the least privilege principle can help to avoid this issue by granting the user or process the necessary access rights for the patching activity.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 931
A spoofed identity was detected for a digital certificate.
Which of the following are the type of unidentified key and the certificate that could be in use on the company domain?
- A . Private key and root certificate
- B . Public key and expired certificate
- C . Private key and self-signed certificate
- D . Public key and wildcard certificate
C
Explanation:
A self-signed certificate is a certificate that is signed by its own private key rather than by a trusted certificate authority (CA). This means that the authenticity of the certificate relies solely on the issuer’s own authority. If a spoofed identity was detected, it could indicate that a private key associated with a self-signed certificate was compromised. Self-signed certificates are often used internally within organizations, but they carry higher risks since they are not validated by a third-party CA, making them more susceptible to spoofing.
Reference: CompTIA Security+ SY0-701 study materials, particularly the domains discussing Public Key Infrastructure (PKI) and certificate management.
A security analyst is prioritizing vulnerability scan results using a risk-based approach.
Which of the following is the most efficient resource for the analyst to use?
- A . Business impact analysis
- B . Common Vulnerability Scoring System
- C . Risk register
- D . Exposure factor
B
Explanation:
The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of vulnerabilities. It provides a numerical score (0-10) based on factors such as exploitability, impact, and complexity, helping security analysts prioritize remediation efforts based on risk.
Business impact analysis (A) helps identify critical business functions but does not specifically prioritize vulnerabilities.
Risk register (C) tracks identified risks but does not classify vulnerabilities.
Exposure factor (D) is used in quantitative risk assessment but is not an industry standard for vulnerability prioritization.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Risk Management domain.
Which of the following control types is AUP an example of?
- A . Physical
- B . Managerial
- C . Technical
- D . Operational
B
Explanation:
An Acceptable Use Policy (AUP) is an example of a managerial control. Managerial controls are policies and procedures that govern an organization’s operations, ensuring security through directives and rules. The AUP defines acceptable behavior and usage of company resources, setting guidelines for employees.
Physical controls refer to security measures like locks, fences, or security guards.
Technical controls involve security mechanisms such as firewalls or encryption.
Operational controls are procedures for maintaining security, such as backup and recovery plans.
An external vendor recently visited a company’s headquarters for a presentation. Following the visit, a member of the hosting team found a file that the external vendor left behind on a server. The file contained detailed architecture information and code snippets.
Which of the following data types best describes this file?
- A . Government
- B . Public
- C . Proprietary
- D . Critical
C
Explanation:
The file left by the external vendor, containing detailed architecture information and code snippets, is best described as proprietary data. Proprietary data is information that is owned by a company and is essential to its competitive advantage. It includes sensitive business information such as trade secrets, intellectual property, and confidential data that should be protected from unauthorized access.
Reference: CompTIA Security+ SY0-701 study materials, particularly in the domain of data classification and protection.
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices.
Which of the following vulnerabilities is the organization addressing?
- A . Cross-site scripting
- B . Buffer overflow
- C . Jailbreaking
- D . Side loading
C
Explanation:
Jailbreaking is the process of removing the restrictions imposed by the manufacturer or carrier on a mobile device, such as an iPhone or iPad. Jailbreaking allows users to install unauthorized applications, modify system settings, and access root privileges. However, jailbreaking also exposes the device to potential security risks, such as malware, spyware, unauthorized access, data loss, and voided warranty. Therefore, an organization may prohibit employees from jailbreaking their mobile devices to prevent these vulnerabilities and protect the corporate data and network.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 10: Mobile Device Security, page 507
During a penetration test, a vendor attempts to enter an unauthorized area using an access badge. Which of the following types of tests does this represent?
- A . Defensive
- B . Passive
- C . Offensive
- D . Physical
D
Explanation:
Attempting to enter an unauthorized area using an access badge during a penetration test is an example of a physical test. This type of test evaluates the effectiveness of physical security controls, such as access badges, security guards, and locks, in preventing unauthorized access to restricted areas.
Defensive and offensive testing typically refer to digital or network-based penetration testing strategies.
Passive testing involves observing or monitoring but not interacting with the environment.