Practice Free SY0-701 Exam Online Questions
Which of the following is the final step of the incident response process?
- A . Lessons learned
- B . Eradication
- C . Containment
- D . Recovery
A
Explanation:
The final step in the incident response process is "Lessons learned." This step involves reviewing and analyzing the incident to understand what happened, how it was handled, and what could be improved. The goal is to improve future response efforts and prevent similar incidents from occurring. It’s essential for refining the incident response plan and enhancing overall security posture.
Reference: CompTIA Security+ SY0-701 study materials, particularly in the domain of incident response and recovery.
To which of the following security categories does an EDR solution belong?
- A . Physical
- B . Operational
- C . Managerial
- D . Technical
An organization recently started hosting a new service that customers access through a web portal. A security engineer needs to add to the existing security devices a new solution to protect this new service.
Which of the following is the engineer most likely to deploy?
- A . Layer 4 firewall
- B . NGFW
- C . WAF
- D . UTM
C
Explanation:
The security engineer is likely to deploy a Web Application Firewall (WAF) to protect the new web portal service. A WAF specifically protects web applications by filtering, monitoring, and blocking HTTP requests based on a set of rules. This is crucial for preventing common attacks such as SQL injection, cross-site scripting (XSS), and other web-based attacks that could compromise the web service.
A Layer 4 firewall operates primarily at the transport layer, focusing on IP address and port filtering, which makes it unsuitable for web application-specific threats.
An NGFW (Next-Generation Firewall) provides more advanced filtering than a traditional firewall, including Layer 7 inspection, but a WAF is tailored specifically for web traffic.
A UTM (Unified Threat Management) appliance offers a suite of security tools in one package (such as antivirus, firewall, and content filtering), but for web application-specific protection, a WAF is the best fit.
A company discovered its data was advertised for sale on the dark web. During the initial investigation, the company determined the data was proprietary data.
Which of the following is the next step the company should take?
- A . Identify the attacker's entry methods.
- B . Report the breach to the local authorities.
- C . Notify the applicable parties of the breach.
- D . Implement vulnerability scanning of the company’s systems.
A security report shows that during a two-week test period, 80% of employees unwittingly disclosed their SSO credentials when accessing an external website. The organization purposely created the website to simulate a cost-free password complexity test.
Which of the following would best help reduce the number of visits to similar websites in the future?
- A . Block all outbound traffic from the intranet.
- B . Introduce a campaign to recognize phishing attempts.
- C . Restrict internet access for the employees who disclosed credentials.
- D . Implement a deny list of websites.
A new employee logs in to the email system for the first time and notices a message from human resources about onboarding. The employee hovers over a few of the links within the email and discovers that the links do not correspond to links associated with the company.
Which of the following attack vectors is most likely being used?
- A . Business email
- B . Social engineering
- C . Unsecured network
- D . Default credentials
B
Explanation:
The employee notices that the links in the email do not correspond to the company’s official URLs, indicating that this is likely a social engineering attack. Social engineering involves manipulating individuals into divulging confidential information or performing actions that may compromise security. Phishing emails, like the one described, often contain fraudulent links to trick the recipient into providing sensitive information or downloading malware.
Business email refers to business email compromise (BEC), which typically involves impersonating a high-level executive to defraud the company.
Unsecured network is unrelated to the email content.
Default credentials do not apply here, as the issue is with suspicious links, not login credentials.
An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device.
Which of the following best describes the user’s activity?
- A . Penetration testing
- B . Phishing campaign
- C . External audit
- D . Insider threat
D
Explanation:
An insider threat is a security risk that originates from within the organization, such as an employee, contractor, or business partner, who has authorized access to the organization’s data and systems. An insider threat can be malicious, such as stealing, leaking, or sabotaging sensitive data, or unintentional, such as falling victim to phishing or social engineering. An insider threat can cause significant damage to the organization’s reputation, finances, operations, and legal compliance. The user’s activity of logging in remotely after hours and copying large amounts of data to a personal device is an example of a malicious insider threat, as it violates the organization’s security policies and compromises the confidentiality and integrity of the data.
Reference: Insider Threats, CompTIA Security+ SY0-701: 3.2, video at 0:00; CompTIA Security+ SY0-701 Certification Study Guide, page 133.
A security engineer is installing an IPS to block signature-based attacks in the environment.
Which of the following modes will best accomplish this task?
- A . Monitor
- B . Sensor
- C . Audit
- D . Active
D
Explanation:
To block signature-based attacks, the Intrusion Prevention System (IPS) must be in active mode. In this mode, the IPS can actively monitor and block malicious traffic in real time based on predefined signatures. This is the best mode to prevent known attack types from reaching the internal network. Monitor mode and sensor mode are typically passive, meaning they only observe and log traffic without actively blocking it.
Audit mode is used for review purposes and does not actively block traffic.
An accounting clerk sent money to an attacker’s bank account after receiving fraudulent instructions over the phone to use a new account.
Which of the following would most likely prevent this activity in the future?
- A . Standardizing security incident reporting
- B . Executing regular phishing campaigns
- C . Implementing insider threat detection measures
- D . Updating processes for sending wire transfers
D
Explanation:
Updating wire transfer processes to include verification steps (such as requiring dual approval or verifying account changes via a secondary communication method) can prevent fraudulent transactions. Attackers often use business email compromise (BEC) or pretexting to trick employees into transferring funds to fraudulent accounts.
Standardizing security incident reporting is useful for tracking security events but does not prevent fraud in real time.
Executing regular phishing campaigns improves awareness but does not enforce a verification process for financial transactions.
Implementing insider threat detection focuses on internal risks but does not specifically prevent external fraud.
A more secure wire transfer process with additional verification steps is the most effective measure against fraudulent transactions.
A company’s website is www.company.com. Attackers purchased the domain wwww.company.com.
Which of the following types of attacks describes this example?
- A . Typosquatting
- B . Brand Impersonation
- C . On-path
- D . Watering-hole
A
Explanation:
"Typosquatting, also known as URL hijacking, is a form of cybersquatting where attackers register domain names that are intentionally similar to legitimate ones, often differing by a single character or a common typographical error. For example, an attacker might register ‘wwww.company.com’ to mimic ‘www.company.com,’ tricking users who mistype the URL into visiting a malicious site. This attack exploits human error and can be used to steal credentials, distribute malware, or impersonate the legitimate entity."
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 1.0: General Security Concepts, Section: "Social Engineering Attacks and Threats" (Typosquatting is typically covered under threats related to domain misuse).
In this scenario, the attackers registered "wwww.company.com," a subtle variation of "www.company.com," relying on users mistyping or not noticing the extra "w." This fits the definition of typosquatting exactly. Brand impersonation (B) is related but broader and is not specifically tied to typographical errors. On-path (C) involves intercepting communication, and watering-hole (D) targets users via compromised legitimate sites; neither applies here.