CompTIA Security+ (SY0-701) Exam Questions
Page 2 of 50
21. You have an ALE of 35 and an ARO of 5. What is your SLE?
- 7
- 40
- 30
- 175
Correct answer: 7
Single loss expectancy (SLE) measures the anticipated cost of a single instance of an incident. It is calculated as the product of the asset value (AV) and the exposure factor (EF), which measures the percentage of loss.
The annualized rate of occurrence (ARO) measures the anticipated frequency of an event occurring each year. This can be derived from various sources such as historical trends, insurance data, or statistical analysis.
Annualized loss expectancy (ALE) measures the anticipated cost of an event each year. It is calculated as the product of the SLE and ARO.
SLE = ALE/ARO = 35/5 = 7
22. A start-up organization is looking to gain access to payment processing networks but has been told they need a documented IT environment before they can be reviewed. Of the following, which has the goal of providing an implementable set of security controls for the IT environment and documenting the processes, procedures, and policies used to perform the implementation?
- Information security policy
- Change management policy
- BCP
- DRP
Correct answer: Information security policy
An information security policy is a series of documented processes that are used to define policies and procedures for the implementation and ongoing management of information security controls in an enterprise environment.
A change management policy is used to prepare for adopting new technologies or changes with minimal disruptions. A business continuity plan (BCP) is used to ensure a company can continue operating during an outage. A disaster recovery plan (DRP) describes how a company will recover after an incident.
23. A company wants to automate their vulnerability scanners so they are continually up-to-date with recent security configurations. Which protocol will they use to accomplish this?
- SCAP
- SIEM
- SOAP
- SNMP
Correct answer: SCAP
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardizes the format by which software flaw and security configuration information is communicated. It includes various components, such as the Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), and Common Vulnerability Scoring System (CVSS).
A SIEM involves collecting and analyzing log data for security alerts. SOAP is a protocol for exchanging structured information on the web. SNMP is used to manage and monitor network devices.
24. Which stage of the incident response process focuses on reducing the risk of future attacks?
- Lessons learned
- Eradication
- Recovery
- Containment
Correct answer: Lessons learned
The Security+ exam defines a seven-step incident response process. The steps include:
- Preparation: Before an incident occurs, the organization should prepare by creating an incident response team (IRT) and defining the processes and procedures that they will follow when managing an incident. Also, the rest of the organization should be trained on their security responsibilities and how to respond if an incident occurs.
- Identification: At some point, a user may notice that a potential incident has occurred and alert the incident response team. A first responder will validate that an incident has occurred and either handle or escalate it.
- Analysis: An identified incident should be analyzed to see what its impact could be.
- Containment: After verifying the issue, the first responder should isolate it to manage the scope and impact of the incident. This might include disconnecting infected systems from the network to prevent the spread of a virus.
- Eradication: When the incident is contained, the incident response team will investigate it and develop and implement a remediation strategy. For example, the IRT might wipe a computer, use an endpoint security solution to remove a virus, update firewall rules, or take similar actions.
- Recovery: After the incident is over, the IRT can restore the system to a normal operation based on predefined procedures. For example, a verified-clean computer can be reconnected to the network.
- Lessons learned: After the recovery is complete, the IRT should perform a retrospective to determine what did and didn't go well. This might help with identifying inefficient IR processes or the root cause of the incident that can be corrected to prevent future, similar incidents from occurring.
25. A security researcher wants to see firsthand how attackers sell stolen information. What threat feed source can they use to identify this type of activity in real time?
- Dark web
- ISAC
- CTA
- AIS
Correct answer: Dark web
The dark web is an area of the internet that is not indexed by search engines. On dark web websites, cybercriminals sell hacking tools as well as data from breaches.
An information sharing and analysis center (ISAC), the Cyber Threat Alliance (CTA), and Automated Indicator Sharing (AIS) are not places where cybercriminal activity is observed firsthand.
26. An administrator is forming their BCP and trying to determine how much of the system should be restored in case of failure. What BEST describes what they are attempting to define?
- RPO
- RTO
- MTTR
- MTBF
Correct answer: RPO
The recovery point objective (RPO) is the maximum amount of data that can be lost in case of a failure. Some companies might require all data to be restored up to the point of failure, while others may allow for up to 24 hours of lost data.
The recovery time objective (RTO) is the time it should take to restore a service. The mean time to repair (MTTR) is the average time it takes to repair a system. The mean time between failures (MTBF) is the average time a system operates until a failure.
27. A network administrator has just installed a router at a client site. The administrator now wants to ensure that the device is hardened and prepared to deal with malicious activity. What do most network devices include that should be changed immediately for security?
- Default account
- Outdated firmware
- Console access
- Browser-based administrative interface
Correct answer: Default account
Each network device includes a default account for configurations. This account is named "administrator" or "admin" or something similar. This is the first account an attacker attempts to hack, so the account name should immediately be changed, as well as the password.
Immediately updating firmware is not typically required unless there is a known vulnerability. Console access may be required to gain local, administrative access to a device. A browser-based administrative interface may be necessary to manage a device remotely.
28. A company in the blockchain industry has experienced scammers sending fraudulent emails claiming to be from their company. They want to implement a solution that signs the body and header of email messages so that recipients can check that they are legitimate by verifying the signature against the company's public key, which is published in its public DNS records.
What type of solution will they implement?
- DKIM
- SPF
- DMARC
- S/MIME
Correct answer: DKIM
DomainKeys Identified Mail (DKIM) is a way to protect email by signing the message and headers. Readers can look up the public key in the sender's DNS records for verification.
SPF involves creating a list of authorized email servers. DMARC is a protocol that utilizes SPF and DKIM to automatically reject or deny messages. S/MIME is a standard for encrypting email.
29. Which of the following policies is important to ensure that the appropriate individuals are informed of important developments as they are occurring during an incident response?
- Stakeholder management plan
- Retention policy
- Business continuity plan
- Disaster recovery plan
Correct answer: Stakeholder management plan
Some of the key policies and procedures for incident management include:
- Stakeholder management plan: Understand who the stakeholders are, and their roles and goals in the incident response process. This plan is necessary to ensure that the IR plans meet the needs of the business.
- Communication plan: Know how to reach all key stakeholders (IR team, management, etc.), including backups if the main communications lines are down.
- Disaster recovery plan: Strategy for restoring the organization to normal operations after an incident.
- Business continuity plan: Strategy for maintaining operations as an incident is occurring, including failover plans and an analysis of potential risks and how to manage them. A continuity of operations (COOP) plan is related to this and ensures that an organization can maintain all critical functions during an incident.
- Retention policies: Policies that state how long certain types of data should be stored by the organization, including offsite storage and backups. This can be relevant to an organization's ability to detect, investigate, or recover from an incident.
30. Which of the following is an Internet Engineering Task Force (IETF) standard suite of protocols that can be used to authenticate and encrypt IP packets when operating in tunnel mode?
- IPsec
- SSH
- SSL
- TLS
Correct answer: IPsec
Internet protocol security (IPsec) authenticates and encrypts IP packets. IPsec operates at the network layer of the OSI model.
It differs from SSH, SSL, and TLS in that it is the only protocol that does not operate within the upper layers of the OSI model.
31. Acme Inc. hires a set of penetration testers to review and inspect their network. The organization does not provide any information to the pen testers and allows them to perform their functions without hindrance.
This would be an example of which of the following?
- Unknown environment testing
- Known environment testing
- Partially known environment testing
- Mostly known environment testing
Correct answer: Unknown environment testing
Unknown environment testing is a process in which penetration testers are not provided any information prior to the attack and approach it in the same way an attacker would if they were targeting the organization. Unknown environment testers often use fuzzing to perform testing for application vulnerabilities.
Known environment testing is performed when testers have full knowledge of the environment. Partially known environment testing is done when the testers have some knowledge of the environment. Mostly known environment testing is not a term for the Security+ exam.
32. A healthcare company works with vendors to supply IT services. They need to ensure that the vendors adhere to the same strict internal controls that their own company does. What should they obtain from vendors so they can verify that they meet requirements?
- Right-to-audit clause
- MOA
- SOW
- Due care
Correct answer: Right-to-audit clause
A right-to-audit clause enables a company to commission an audit on the vendor. This can ensure that the vendor adheres to regulatory requirements or the same security standards as the company.
A memorandum of agreement (MOA) is a formal document that outlines responsibilities between two parties. A statement of work (SOW) is a work order that contains details about work to be performed. Due care is the actions that an organization performs to ensure that they remain in compliance with their standards.
33. Which of the following hashing algorithms, designed by the NSA and published by the NIST, is grouped into four families of varying usage and currency?
- SHA
- MD5
- AES
- Blowfish
Correct answer: SHA
Secure Hash Algorithm (SHA) is one of the most widely used hashing algorithms. It employs a 160-bit hash. SHA-2 is considered a better version since it uses 256-bit block sizes. There are four families of the SHA algorithm:
- SHA-0 is not used.
- SHA-1 is an updated version that produces 160-bit hashes, similar to MD5 but with 160 bits instead of 125.
- SHA-2 improves over SHA-1 and has several versions based on the length of hash output.
- SHA-3 is a SHA-2 alternative that was created in a non-NSA public competition.
MD5 is another hashing algorithm, although it is subject to collisions. AES is a symmetric encryption algorithm. Blowfish is a symmetric key block cipher.
34. An attacker has managed to extract a cookie from an organization's user and proceeds to use that cookie to impersonate the user and log in to a CRM that the organization uses. What type of attack is being performed after stealing the cookie data?
- Session replay
- DDoS
- RFID cloning
- Phishing
Correct answer: Session replay
After an attacker steals a cookie from the client computer, they can manipulate packet headers to present that cookie and access data as if they were the client. Depending on the application, the attacker can gain access to data, services, or other resources on the machine.
A DDoS involves sending excessive data to a system from multiple systems. RFID cloning involves copying RFID cards. Phishing is a social engineering attack.
35. Updates to firewall rules are MOST likely to be performed as part of which stage of the incident response process?
- Eradication
- Lessons learned
- Analysis
- Identification
Correct answer: Eradication
The Security+ exam defines a seven-step incident response process. The steps include:
- Preparation: Before an incident occurs, the organization should prepare by creating an incident response team (IRT) and defining the processes and procedures that they will follow when managing an incident. Also, the rest of the organization should be trained on their security responsibilities and how to respond if an incident occurs.
- Identification: At some point, a user may notice that a potential incident has occurred and alert the incident response team. A first responder will validate that an incident has occurred and either handle or escalate it.
- Analysis: An identified incident should be analyzed to see what its impact could be.
- Containment: After verifying the issue, the first responder should isolate it to manage the scope and impact of the incident. This might include disconnecting infected systems from the network to prevent the spread of a virus.
- Eradication: When the incident is contained, the incident response team will investigate it and develop and implement a remediation strategy. For example, the IRT might wipe a computer, use an endpoint security solution to remove a virus, update firewall rules, or take similar actions.
- Recovery: After the incident is over, the IRT can restore the system to a normal operation based on predefined procedures. For example, a verified-clean computer can be reconnected to the network.
- Lessons learned: After the recovery is complete, the IRT should perform a retrospective to determine what did and didn't go well. This might help with identifying inefficient IR processes or the root cause of the incident that can be corrected to prevent future, similar incidents from occurring.
36. The CTO and COO at Acme Inc. are considering the cost savings that could be introduced if the organization did not have to supply a mobile device to each employee. Of the following, which document is created to outline permitted uses for employees' mobile devices?
- BYOD policy
- Group policy
- TOS
- NDA
Correct answer: BYOD policy
A BYOD (bring your own device) policy defines the acceptable use for a user's mobile device connected to a network. It can describe policies for antivirus software, acceptable apps, stored data, security such as locked home screens, and required corporate applications giving an administrator remote control.
Group policies are used to configure operating system settings. A terms of service (TOS) is a legal agreement between a service provider and its users. A non-disclosure agreement (NDA) is used to bind a user to secrecy over information they are given.
37. What is the role of a policy enforcement point in a zero trust cybersecurity model?
- To mediate requests by consulting with the policy administrator
- To execute decisions made by the policy engine
- To determine if subjects can access a resource based on policies
- To limit the attack surface in case there is a security breach
Correct answer: To mediate requests by consulting with the policy administrator
The policy enforcement point acts as a gatekeeper that ensures only authorized actions are permitted. It forwards requests from clients and receives instructions from the policy administrator.
The policy administrator executes decisions made by the policy engine. The policy engine determines if subjects can access a resource based on policies. Threat scope reduction limits the attack surface in case there is a security breach.
38. A marketing firm is developing a new front end for potential customers. The site includes a contact form where interested users can submit a message and their contact information.
What type of precaution should be implemented when using a form like this?
- Input validation
- Sandboxing
- Secure cookies
- Code signing
Correct answer: Input validation
Input validation ensures that only the expected type of input is accepted by the web server. It checks that submitted data is well-formed and that malicious input is stripped out or rejected. Unvalidated input can introduce vulnerabilities and lead to data breaches. Penetration testing software can be used to test whether input validation is effective.
Sandboxing is used to test an application in an isolated environment. Secure cookies are used to maintain secure user sessions. Code signing is used to provide authenticity and integrity to applications.
39. An administrator needs to use a protocol with IPsec that provides all three security services: authentication, integrity, and confidentiality. Which protocol should they use?
- ESP
- AH
- L2TP
- IKE
Correct answer: ESP
The Encapsulating Security Payload (ESP) protocol provides all three security services: authentication, integrity, and confidentiality. In tunnel mode, used for VPNs, it encrypts the original packet header as well as the payload; in transport mode, used on local networks, the original header is left unencrypted.
Authentication Header (AH) does not provide confidentiality. L2TP does not offer authentication, integrity, or confidentiality on its own. IKE focuses on authentication.
40. Which SSO system is commonly used by organizations for directory services?
- LDAP
- Auth0
- Shibboleth
- OpenID
Correct answer: LDAP
The Lightweight Directory Access Protocol (LDAP) is used for single sign-on, in addition to being used for directory services.
Auth0, Shibboleth, and OpenID are mainly used for SSO.