Practice Free SY0-701 Exam Online Questions
An engineer moved to another team and is unable to access the new team’s shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group.
Which of the following access controls is most likely causing the lack of access?
- A. Role-based
- B. Discretionary
- C. Time of day
- D. Least privilege
Which of the following technologies can achieve microsegmentation?
- A. Next-generation firewalls
- B. Software-defined networking
- C. Embedded systems
- D. Air-gapped
B
Explanation:
Software-defined networking (SDN) enables microsegmentation by allowing administrators to create fine-grained, dynamic network segments at the software layer independent of physical network topology. This capability isolates workloads and controls traffic flows between segments, enhancing security within data centers and cloud environments.
Next-generation firewalls (A) provide advanced filtering and inspection but do not inherently deliver the granular segmentation flexibility of SDN. Embedded systems (C) and air-gapped systems (D) refer to specific hardware or physical isolation techniques but do not implement microsegmentation as a network control method.
The concept of microsegmentation through SDN is detailed in the Security Architecture domain of the SY0-701 exam (CompTIA Security+ Study Guide, Chapter 3).
Which of the following provides resilience by hosting critical VMs within different IaaS providers while being maintained by internal application owners?
- A. Multicloud architectures
- B. SaaS provider diversity
- C. On-premises server load balancing
- D. Corporate-owned, off-site locations
A
Explanation:
Multicloud architectures involve distributing workloads across multiple Infrastructure as a Service (IaaS) providers to improve resilience, reduce vendor lock-in, and increase fault tolerance.
SaaS diversity (B) relates to software services, load balancing (C) typically applies to on-premises environments, and off-site locations (D) are physical backups.
Multicloud strategies are key cloud architecture concepts in SY0-701 (CompTIA Security+ Study Guide, Chapter 10).
A network engineer is increasing the overall security of network devices and needs to harden the devices.
Which of the following will best accomplish this task?
- A. Configuring centralized logging
- B. Generating local administrator accounts
- C. Replacing Telnet with SSH
- D. Enabling HTTP administration
Which of the following can a security director use to prioritize vulnerability patching within a company’s IT environment?
- A. SOAR
- B. CVSS
- C. SIEM
- D. CVE
B
Explanation:
The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of security vulnerabilities. It helps organizations prioritize vulnerability patching by providing a numerical score that reflects the potential impact and exploitability of a vulnerability. CVSS scores are used to gauge the urgency of patching vulnerabilities within a company’s IT environment.
Reference:
CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Vulnerability Management.
Which of the following documents details how to accomplish a technical security task?
- A. Standard
- B. Policy
- C. Guideline
- D. Procedure
D
Explanation:
A procedure provides step-by-step instructions on how to complete a specific security task, ensuring consistency and accuracy. Unlike policies, which define high-level security expectations, procedures are detailed and operational. For example, a password reset procedure would outline the exact steps IT support must follow when assisting users.
Policy: Defines security objectives and rules (e.g., "All passwords must be complex").
Standard: Specifies required technologies or configurations.
Guideline: Provides recommendations but is not mandatory.
Procedure: Gives exact instructions to perform tasks.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Security Program Management and Oversight domain.
A security administrator needs to reduce the attack surface in the company’s data centers.
Which of the following should the security administrator do to complete this task?
- A. Implement a honeynet.
- B. Define Group Policy on the servers.
- C. Configure the servers for high availability.
- D. Upgrade end-of-support operating systems.
D
Explanation:
Upgrading end-of-support operating systems is one of the most effective ways to reduce the attack surface. Unsupported OS versions no longer receive security patches, making them prime targets for attackers. Removing outdated software ensures that known vulnerabilities cannot be exploited.
A (honeynet) is used for threat analysis, not reducing the attack surface.
B (Group Policy) helps enforce security policies but does not address outdated vulnerabilities.
C (High availability) focuses on uptime, not security risk reduction.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Security Architecture domain.
SIMULATION
An organization has learned that its data is being exchanged on the dark web. The CIO has requested that you investigate and implement the most secure solution to protect employee accounts.
INSTRUCTIONS
Review the data to identify weak security practices and provide the most appropriate security solution to meet the CIO’s requirements.

Explanation:
Step 1: Analyze the Data and Question
Scenario:
Company data (directory, compensation report, user data) is found on the dark web.
CIO asks you to investigate and implement the most secure protection for employee accounts.
Task:
Identify weak password practices.
Choose the best containment step that keeps evidence on the host uncompromised.
Step 2: Identify Weak Password Practices
Prompt: Select all weak password practices from the list:
Age
Reuse
Length
Expiration
Complexity
Let’s analyze each:
Age: If passwords are used for a long time without change, it’s a weak practice (passwords become easier to compromise over time).
Reuse: Reusing passwords across accounts is a serious weak practice (if one gets leaked, all accounts are at risk).
Length: Short passwords are weak; password length matters. If passwords are too short, that’s a weak practice.
Expiration: Forcing frequent expiration can lead to weaker passwords (users pick simple ones), but not expiring passwords at all is also risky. (For most exams, "expiration" by itself isn’t usually called a weak practice unless the policy is poorly set.)
Complexity: Lack of complexity (not requiring numbers, symbols, etc.) is a weak practice.
So, select all that are truly weak practices:
Answer for weak password practices (check all that apply):
✔️ Age
✔️ Reuse
✔️ Length
✔️ Complexity
(Expiration is more controversial; on the exam, the main focus is usually on Age, Reuse, Length, and Complexity.)
Step 3: Choose the Best Containment Step
Prompt:
Select the containment step that will leave potential evidence on the host uncompromised:
PIN code
FIDO security key
SMS authentication
OTP token
Containment step means “what security solution can you implement to protect employee accounts going forward, while preserving digital evidence on potentially compromised systems?”
The most secure solution for account protection among these, that also doesn’t interfere with host evidence, is FIDO security key.
Why?
PIN code: Not strong enough; also may be stored locally.
SMS authentication: Can be intercepted; often leaves traces on the host (like SMS logs).
OTP token: Similar risks, some implementations might log to the host.
FIDO security key: Hardware-based, phishing-resistant, no codes sent to the host, and doesn’t alter host evidence; authentication happens off the device.
So, the best answer is:
FIDO security key
Step 4: Solution Recap and Justification
Detailed Solution Recap:
Identify weak password practices:
Weaknesses: passwords are reused, not long enough, lack complexity, and are used for a long time.
Select the best security solution:
Implement FIDO security keys for employees.
Most secure among listed options.
Hardware-based; resistant to phishing and interception, and does not leave evidence on the compromised host (which is important for forensics).
Which of the following exercises should an organization use to improve its incident response process?
- A. Tabletop
- B. Replication
- C. Failover
- D. Recovery
A
Explanation:
A tabletop exercise is a simulated scenario that tests the organization’s incident response plan and procedures. It involves key stakeholders and decision-makers who discuss their roles and actions in response to a hypothetical incident. It can help identify gaps, weaknesses, and improvement areas in the incident response process. It can also enhance communication, coordination, and collaboration among the participants.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 525