Practice Free SY0-701 Exam Online Questions
An organization experiences a cybersecurity incident involving a command-and-control server.
Which of the following logs should be analyzed to identify the impacted host? (Select two).
- A . Application
- B . Authentication
- C . DHCP
- D . Network
- E . Firewall
- F . Database
C,E
Explanation:
To identify the impacted host in a command-and-control (C2) server incident, the following logs should be analyzed:
DHCP logs: These logs record IP address assignments. By reviewing DHCP logs, an organization can determine which host was assigned a specific IP address during the time of the attack.
Firewall logs: Firewall logs will show traffic patterns, including connections to external C2 servers.
Analyzing these logs helps to identify the IP address and port numbers of the communicating host.
Application, Authentication, and Database logs are less relevant in this context because they focus on internal processes and authentication events rather than network traffic involved in a C2 attack.
Which of the following data protection strategies can be used to confirm file integrity?
- A . Masking
- B . Encryption
- C . Hashing
- D . Obfuscation
C
Explanation:
Hashing (C) is a one-way cryptographic function that produces a fixed-length digest representing the original data. If the file changes, even by one bit, the hash will change, making it ideal for verifying data integrity.
While encryption protects confidentiality, and masking/obfuscation protect data visibility, only hashing ensures integrity.
Reference: CompTIA Security+ SY0-701 Objectives, Domain 1.2: “Data protection methods: Hashing for integrity verification.”
A company’s website is www.company.com. Attackers purchased the domain wwww.company.com.
Which of the following types of attacks describes this example?
- A . Typo squatting
- B . Brand Impersonation
- C . On-path
- D . Watering-hole
A
Explanation:
"Typo squatting, also known as URL hijacking, is a form of cybersquatting where attackers register domain names that are intentionally similar to legitimate ones, often differing by a single character or a common typographical error. For example, an attacker might register ‘wwww.company.com’ to mimic ‘www.company.com,’ tricking users who mistype the URL into visiting a malicious site. This attack exploits human error and can be used to steal credentials, distribute malware, or impersonate the legitimate entity."
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 1.0: General Security Concepts, Section: "Social Engineering Attacks and Threats" (Typosquatting is typically covered under threats related to domain misuse).
In this scenario, the attackers registered "wwww.company.com," which is a subtle variation of "www.company.com," relying on users mistyping or not noticing the extra "w." This fits the definition of typosquatting exactly. Brand impersonation (B) is related but broader and doesn’t specifically tie to typographical errors. On-path (C) involves intercepting communication, and watering-hole (D) targets users via compromised legitimate sites; neither applies here.
A systems administrator needs to ensure the secure communication of sensitive data within the organization’s private cloud.
Which of the following is the best choice for the administrator to implement?
- A . IPSec
- B . SHA-1
- C . RSA
- D . TGT
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
- A . Creating a firewall rule to allow HTTPS traffic
- B . Configuring the IPS to allow shopping
- C . Tuning the DLP rule that detects credit card data
- D . Updating the categorization in the content filter
D
Explanation:
A content filter is a device or software that blocks or allows access to web content based on predefined rules or categories. In this case, the new retail website is mistakenly categorized as gambling by the content filter, which prevents users from accessing it. To resolve this issue, the content filter’s categorization needs to be updated to reflect the correct category of the website, such as shopping or retail. This will allow the content filter to allow access to the website instead of blocking it.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3: Technologies and Tools, page 1221. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 3: Technologies and Tools, page 1222.
During an investigation, a security analyst discovers traffic going out to a command-and-control server. The analyst must find out if any data exfiltration has occurred.
Which of the following would best help the analyst determine this?
- A . Application log
- B . Metadata
- C . Network log
- D . Packet capture
D
Explanation:
To determine whether data exfiltration has occurred, the most effective tool is a packet capture (PCAP). Packet captures allow investigators to see exactly what data left the network, including file contents, payloads, headers, protocols, and destination information. PCAP files provide full-fidelity network evidence, enabling analysts to reconstruct sessions and review exfiltrated content byte-by-byte.
Security+ SY0-701 emphasizes PCAP as the gold standard for forensic network investigations, especially when dealing with:
- Malware beaconing
- Command-and-control (C2) traffic
- Data leakage
- Unauthorized transmissions
Network logs (C) provide summaries such as IP addresses, ports, and timestamps but do not show actual data contents. Metadata (B) gives descriptive information (e.g., file size, type) but not transmitted payloads. Application logs (A) show application-level events but do not capture network data.
If the analyst needs to confidently determine if sensitive information was exported to the attacker, only packet capture provides the required depth of visibility.
Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
- A . Risk tolerance
- B . Risk transfer
- C . Risk register
- D . Risk analysis
C
Explanation:
A risk register is a document that records and tracks the risks associated with a project, system, or organization. A risk register typically includes information such as the risk description, the risk owner, the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A risk register can help identify, assess, prioritize, monitor, and control risks, as well as communicate them to relevant stakeholders. A risk register can also help document the risk tolerance and thresholds of an organization, which are the acceptable levels of risk exposure and the criteria for escalating or mitigating risks.
Reference: CompTIA Security+ Certification Exam Objectives, Domain 5.1: Explain the importance of policies, plans, and procedures related to organizational security. CompTIA Security+ Study Guide (SY0-701), Chapter 5: Governance, Risk, and Compliance, page 211. CompTIA Security+ Certification Guide, Chapter 2: Risk Management, page 33. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 4.
A security administrator needs to reduce the attack surface in the company’s data centers.
Which of the following should the security administrator do to complete this task?
- A . Implement a honeynet.
- B . Define Group Policy on the servers.
- C . Configure the servers for high availability.
- D . Upgrade end-of-support operating systems.
D
Explanation:
Upgrading end-of-support operating systems is one of the most effective ways to reduce the attack surface. Unsupported OS versions no longer receive security patches, making them prime targets for attackers. Removing outdated software ensures that known vulnerabilities cannot be exploited.
A (honeynet) is used for threat analysis, not reducing the attack surface.
B (Group Policy) helps enforce security policies but does not address outdated vulnerabilities.
C (High availability) focuses on uptime, not security risk reduction.
Reference: CompTIA Security+ SY0-701 Official Study Guide, Security Architecture domain.
The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization’s agreed-upon RPOs and RTOs.
Which of the following backup scenarios would best ensure recovery?
- A . Hourly differential backups stored on a local SAN array
- B . Daily full backups stored on premises in magnetic offline media
- C . Daily differential backups maintained by a third-party cloud provider
- D . Weekly full backups with daily incremental stored on a NAS drive
D
Explanation:
A backup strategy that combines weekly full backups with daily incremental backups stored on a NAS (Network Attached Storage) drive is likely to meet an organization’s Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). This approach ensures that recent data is regularly backed up and that recovery can be done efficiently, without significant data loss or lengthy downtime.
CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Disaster Recovery and Backup Strategies.
A company purchased cyber insurance to address items listed on the risk register.
Which of the following strategies does this represent?
- A . Accept
- B . Transfer
- C . Mitigate
- D . Avoid
B
Explanation:
Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from cyberattacks, such as data breaches, ransomware, denial-of-service, phishing, or malware. Cyber insurance can help a company recover from the costs of restoring data, repairing systems, paying ransoms, compensating customers, or facing legal actions. Cyber insurance is one of the possible strategies that a company can use to address the items listed on the risk register. A risk register is a document that records the identified risks, their probability, impact, and mitigation strategies for a project or an organization. The four common risk response strategies are:
Accept: The company acknowledges the risk and decides to accept the consequences without taking any action to reduce or eliminate the risk. This strategy is usually chosen when the risk is low or the cost of mitigation is too high.
Transfer: The company transfers the risk to a third party, such as an insurance company, a vendor, or a partner. This strategy is usually chosen when the risk is high or the company lacks the resources or expertise to handle the risk.
Mitigate: The company implements controls or measures to reduce the likelihood or impact of the risk. This strategy is usually chosen when the risk is moderate or the cost of mitigation is reasonable.
Avoid: The company eliminates the risk by changing the scope, plan, or design of the project or the organization. This strategy is usually chosen when the risk is unacceptable or the cost of mitigation is too high.
By purchasing cyber insurance, the company is transferring the risk to the insurance company, which will cover the financial losses and liabilities in case of a cyberattack. Therefore, the correct answer is B. Transfer.
Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 8: Governance, Risk, and Compliance, page 377. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 8.1: Risk Management, video: Risk Mitigation Strategies (5:37).
