CompTIA SY0-701 Dumps

Web-filtering effectiveness heavily relies on content categorization to correctly identify and block access to malicious or inappropriate websites. If users are still visiting malicious links, it is likely that the categorization database or configuration needs updating or correction.

Intrusion prevention systems (A) protect against network attacks but do not filter web content by category. Encryption (C) is unrelated to web filtering, and DNS services (D) assist with domain resolution but do not directly categorize content.

Proper configuration and maintenance of content categorization are essential to effective web filtering, as emphasized in the Security Operations domain of SY0-701【6:Chapter 12†CompTIA Security+ Study Guide】.

Air-gapping is the most effective way to protect an application server running unsupported software from network threats. By physically isolating the server from any network connection (no wired or wireless communication), it is protected from external cyber threats. While other options like port security or a screened subnet can provide some level of protection, an air gap offers the highest level of security by preventing any network-based attacks entirely.

References =

CompTIA Security+ SY0-701 Course Content: Domain 03 Security Architecture​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Secure System Design​.

Allowing risky protocols like SMB and RDP from the internet to a controlled VLAN is commonly done to create a honeynet, a deliberately vulnerable network environment used to attract attackers and study their behaviors without risking production systems.

Building a file-sharing site (A) or preparing for a pentest (B) typically wouldn ' t require exposing SMB and RDP broadly. SASE integration (C) focuses on cloud security access and doesn ' t involve opening such protocols indiscriminately.

Honeynets are described as a deception technology in the Security Architecture domain【6:Chapter 9†CompTIA Security+ Study Guide】.

Wiping involves securely erasing data by overwriting the hard drive, ensuring the information is unrecoverable. It is cost-effective compared to physical destruction methods like shredding.

=================

A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker control over the system. By doing so, the attacker can bypass the normal execution flow of the application and execute arbitrary commands.

Business Email Compromise (BEC)is atargeted phishing attackin whichattackers impersonate executives or high-ranking officials(such as a CEO) to manipulate employees intotransferring money or providing sensitive data. Since the request is coming from the CEO’s corporate email (possibly spoofed or compromised), this is aclassic example of BEC.

Phishing (B)is a broader term but typically involvesmassfraudulent emails rather than targeted executive impersonation.

Brand impersonation (C)involves faking a company’s identity (e.g., fake PayPal emails).

Pretexting (D)involves social engineering tactics but does not necessarily involve email compromise.

Comprehensive and Detailed Explanation From Exact Extract:

Key escrow is the process of storing encryption keys (or copies of them) with a trusted third party so data can be recovered if the primary decryption key is lost. In Security+ SY0-701, escrow is emphasized as a required safeguard for organizations that rely heavily on encryption, especially for regulated data or systems requiring guaranteed recoverability.

A CSR (A) is a Certificate Signing Request and does not store keys. Salting (B) is used with hashing to prevent password attacks and does not assist in data recovery. A root of trust (C) ensures secure hardware initialization but does not store backup decryption keys.

Key escrow directly addresses scenarios where encryption keys are misplaced, corrupted, deleted, or lost due to employee departure or system failure. Without escrow, encrypted data could become permanently inaccessible.

Thus, the correct answer is Escrow, the only mechanism specifically designed to allow recovery when decryption keys are unavailable.

 A geolocation policy is a policy that restricts or allows access to data or resources based on the geographic location of the user or device. A geolocation policy can be implemented using various methods, such as IP address filtering, GPS tracking, or geofencing. A geolocation policy can help the company’s legal department to prevent unauthorized access to sensitive documents from individuals in high-risk countries12.

The other options are not effective ways to limit access based on location:

Data masking: This is a technique of obscuring or replacing sensitive data with fictitious or anonymized data. Data masking can protect the privacy and confidentiality of data, but it does not prevent access to data based on location3.

Encryption: This is a process of transforming data into an unreadable format using a secret key or algorithm. Encryption can protect the integrity and confidentiality of data, but it does not prevent access to data based on location. Encryption can also be bypassed by attackers who have the decryption key or method4.

Data sovereignty regulation: This is a set of laws or rules that govern the storage, processing, and transfer of data within a specific jurisdiction or country. Data sovereignty regulation can affect the availability and compliance of data, but it does not prevent access to data based on location. Data sovereignty regulation can also vary depending on the country or region.

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 972: Account Policies – SY0-601 CompTIA Security+ : 3.7, video by Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 1004: CompTIA Security+ SY0-701 Certification Study Guide, page 101. : CompTIA Security+ SY0-701 Certification Study Guide, page 102.

The correct answer is Compensating because a bastion host is being used as an alternative safeguard to reduce risk when a primary control cannot yet be fully implemented. In the context of the Security+ SY0-701 objectives, compensating controls are designed to provide protection when standard preventive controls are not available, effective, or feasible—such as during a zero-day exploit where no vendor patch or permanent fix exists.

A zero-day exploit represents a vulnerability that is actively being exploited before developers or vendors have released a fix. Since patching is not immediately possible, organizations must rely on compensating controls to limit exposure and reduce the likelihood or impact of exploitation. A bastion host is a hardened system placed in a network segment—often in a demilitarized zone (DMZ)—that acts as a controlled access point between untrusted and trusted networks. By routing access through this tightly secured host, the analyst reduces the attack surface and restricts direct access to internal systems that may be vulnerable to the zero-day.

Option B, Detective, is incorrect because detective controls are focused on identifying or alerting on malicious activity after it occurs, such as logging, monitoring, or intrusion detection systems. Option C, Operational, refers to processes and procedures carried out by people, such as incident response or change management, rather than a technical safeguard. Option D, Physical, applies to tangible protections like locks, cameras, or fencing, which are not relevant in this network-based scenario.

The SY0-701 study guide emphasizes the importance of layered security and adaptive risk management. When preventive controls fail or are temporarily unavailable, compensating controls like bastion hosts, network segmentation, and access restrictions allow organizations to maintain security posture and continuity of operations while longer-term solutions are developed.

Side loading is the process of installing applications from unofficial sources, often bypassing standard app stores. This increases the risk of installing malicious software, such as a rootkit, which is a type of malware designed to provide persistent privileged access while hiding its presence.

VM escape allows an attacker to break out of a virtual machine to access the hypervisor or other adjacent virtual machines on the same host, effectively moving laterally to adjacent systems.

Side loading (B) involves loading malicious code in place of legitimate components. Remote code execution (C) allows running arbitrary code remotely. Resource exhaustion (D) causes denial of service by overusing resources.

VM escape is a known virtualization vulnerability detailed in SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】.

To identify the impacted host in a command-and-control (C2) server incident, the following logs should be analyzed:

DHCP logs: These logs record IP address assignments. By reviewing DHCP logs, an organization can determine which host was assigned a specific IP address during the time of the attack.

Firewall logs: Firewall logs will show traffic patterns, including connections to external C2 servers. Analyzing these logs helps to identify the IP address and port numbers of the communicating host.

Application, Authentication, and Database logs are less relevant in this context because they focus on internal processes and authentication events rather than network traffic involved in a C2 attack​​​.

The log entries clearly show an attacker attempting to access sensitive system files by manipulating the filename parameter. The use of ../../../ is a classic indicator of a directory traversal attack, also called path traversal. This technique is used to move outside the intended web directory and access restricted locations on the server’s filesystem.

In this case, the attacker is attempting to read:

/etc/passwd — contains user account information

/etc/shadow — contains hashed password entries and is even more sensitive

The CompTIA Security+ SY0-701 exam describes directory traversal as an attack where unvalidated user input allows navigation to system directories, often using sequences like ../ to bypass file path restrictions. This is exactly what is shown in the logs.

File injection (A) would involve inserting malicious files or code, not reading system files.

Privilege escalation (B) requires exploiting a system to gain higher privileges, not just reading files.

Cookie forgery (D) involves manipulating session cookies and does not match the observed behavior.

Because the attacker is using path traversal patterns to access protected files, the correct answer is C. Directory traversal.

Memory injection vulnerabilities allow unauthorized code or commands to be executed within a software program, leading to abnormal behavior such as generating outbound traffic over random high ports. This issue often arises from software not properly validating or encoding input, which can be exploited by attackers to inject malicious code.References: CompTIA Security+ SY0-701 course content and official CompTIA study resources.

Containment (C)is thefirst critical stepduring a security incident tostop the spreadof the attack. This could include isolating affected systems, disabling accounts, or blocking malicious traffic.

According to theIncident Response Lifecycle, the order is typically:Identification → Containment → Eradication → Recovery → Lessons Learned.

Detailed Explanation:The Common Vulnerability Scoring System (CVSS) is a standardized metric used to assess the severity of vulnerabilities, aiding organizations in prioritizing their response based on risk. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Vulnerabilities, Section: " Vulnerability Prioritization and Metrics " ​​.

The $10,000 is the estimated cost per incident (per single occurrence). In quantitative risk analysis, that value is the Single Loss Expectancy (SLE)—the financial impact expected each time a risk event occurs. The Study Guide defines these terms and calculations clearly: “The single loss expectancy (SLE) is the amount of financial damage expected each time a risk materializes.” It also explains how annual impact is derived: “The annualized loss expectancy (ALE) is the amount of damage expected from a risk each year. It is calculated by multiplying the SLE and the ARO.”

Here, the event occurs twice per year, so the Annualized Rate of Occurrence (ARO) is 2.0, and the annual expected loss (ALE) would be SLE × ARO = $10,000 × 2 = $20,000, which matches the recommended budget. That confirms $10,000 is not ARO (a frequency), not ALE (annual total), and not RPO (a disaster recovery metric about acceptable data loss window).

The security engineer is likely to deploy a Web Application Firewall (WAF) to protect the new web portal service. A WAF specifically protects web applications by filtering, monitoring, and blocking HTTP requests based on a set of rules. This is crucial for preventing common attacks such as SQL injection, cross-site scripting (XSS), and other web-based attacks that could compromise the web service.

Layer 4 firewall operates primarily at the transport layer, focusing on IP address and port filtering, making it unsuitable for web application-specific threats.

NGFW (Next-Generation Firewall) provides more advanced filtering than traditional firewalls, including layer 7 inspection, but the WAF is tailored specifically for web traffic.

UTM (Unified Threat Management) offers a suite of security tools in one package (like antivirus, firewall, and content filtering), but for web application-specific protection, a WAF is the best fit​​​.

 A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or a weakness that cannot be resolved by the primary control. A compensating control does not prevent or eliminate the vulnerability or weakness, but it can reduce the likelihood or impact of an attack. A host-based firewall on a legacy Linux system that allows connections from only specific internal IP addresses is an example of a compensating control, as it can limit the exposure of the system to potential threats from external or unauthorized sources. A host-based firewall is a software application that monitors and filters the incoming and outgoing network traffic on a single host, based on a set of rules or policies. A legacy Linux system is an older version of the Linux operating system that may not be compatible with the latest security updates or patches, and may have known vulnerabilities or weaknesses that could be exploited by attackers. References = Security Controls – SY0-601 CompTIA Security+ : 5.1, Security Controls – CompTIA Security+ SY0-501 – 5.7, CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 5, page 240. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 5.1, page 18.

The best answer is D. WAF .

A WAF (Web Application Firewall) is designed to inspect and filter malicious HTTP and HTTPS traffic aimed at a web application. If a site is receiving a large number of malicious requests that are causing performance problems, a WAF is the best control among these options because it can detect and block harmful web requests before they impact the application.

This can help mitigate attacks such as:

malicious web requests

application-layer abuse

some denial-of-service style request floods

common web exploits

Why the other options are incorrect:

A. IPSec IPSec secures network-layer communications, not malicious web request filtering.

B. TLS TLS encrypts data in transit, but it does not stop malicious requests.

C. SDN Software-defined networking helps manage network architecture, but it is not the most direct preventive control for malicious web traffic.

From a Security+ standpoint, malicious requests against a web application are best mitigated by a WAF , so D is correct.

Local data protection regulations are the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations. Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different countries or regions may have different data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States. A cloud-hosting provider must comply with the local data protection regulations of the countries or regions where it operates or serves customers, or else it may face legal penalties, fines, or reputational damage. Therefore, a cloud-hosting provider should research and understand the local data protection regulations of the new international locations before expanding its data centers there. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 7, page 269. CompTIA Security+ SY0-701 Exam Objectives, Domain 5.1, page 14.

Detailed Explanation:Avoidance involves choosing not to engage in activities or markets where certain risks are present. This is a proactive approach to risk management. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: " Risk Management Strategies " ​​.

The scenario describes an instance where an employee receives a fraudulent invoice from a vendor that is not recognized in the company ' s vendor management system. This is a classic example of an invoice scam, where attackers attempt to trick organizations into making payments for fake or non-existent services. These scams often rely on social engineering tactics to bypass financial controls.

References = CompTIA Security+ SY0-701 study materials, particularly in the context of social engineering attacks and common scams​​.

Comprehensive and Detailed In-Depth Explanation:

AWeb Application Firewall (WAF)is designed toprotect web applications from attackssuch asCross-Site Scripting (XSS)by filtering and monitoring HTTP traffic between the internet and a web application.

Next-Generation Firewalls (NGFW) (A)provide advanced network security but are not specifically designed to protect web applications from XSS attacks.

Unified Threat Management (UTM) (B)provides multiple security functions but lacks the specialized application-layer protection needed to mitigate XSS.

Network Access Control (NAC) (D)controls device access to the network but does not prevent web-based attacks.

AWAF is the best solutionfor protecting web servers fromXSS, SQL injection, and other web-based threats.

Input validation is a security technique that checks the user input for any malicious or unexpected data before processing it by the application. Input validation can prevent various types of attacks, such as injection, cross-site scripting, buffer overflow, and command execution, that exploit the vulnerabilities in the application code. Input validation can be performed on both the client-side and the server-side, using methods such as whitelisting, blacklisting, filtering, sanitizing, escaping, and encoding. By including regular expressions in the source code to remove special characters from the variables set by the forms in the web application, the organization adopted input validation as a security technique. Regular expressions are patterns that match a specific set of characters or strings, and can be used to filter out any unwanted or harmful input. Special characters, such as $, |, ;, & , `, and ?, can be used by attackers to injectcommands or scripts into the application, and cause damage or data theft. By removing these characters from the input, the organization can reduce the risk of such attacks.

Identify embedded keys, code debugging, and static code analysis are not the security techniques that the organization adopted by making this addition to the policy. Identify embedded keys is a process of finding and removing any hard-coded keys or credentials from the source code, as these can pose a security risk if exposed or compromised. Code debugging is a process of finding and fixing any errors or bugs in the source code, which can affect the functionality or performance of the application. Static code analysis is a process of analyzing the source code without executing it, to identify any vulnerabilities, flaws, or coding standards violations. These techniques are not related to the use of regular expressions to remove special characters from the input.

References = CompTIA Security+ SY0-701 Certification Study Guide, page 375-376; Professor Messer’s CompTIA SY0-701 Security+ Training Course, video 4.1 - Vulnerability Scanning, 8:00 - 9:08; Application Security – SY0-601 CompTIA Security+ : 3.2, 0:00 - 2:00.

A two-person integrity security control is implemented to minimize the risk of errors or unauthorized actions. This control ensures that at least two individuals are involved in critical operations, which helps to verify the accuracy of the process and prevents unauthorized users from acting alone. It ' s a security measure commonly used in sensitive operations, like financial transactions or access to critical systems, to ensure accountability and accuracy.

References =

CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Security Operations and Management​.

The best answer is C. Software is migrated to a cloud that offers increased flexibility in its updates.

A change management policy defines how changes are requested, reviewed, approved, tested, documented, and implemented. When an organization migrates software to a cloud environment that supports more dynamic, frequent, or automated updates, the change management process may need to be revised to reflect the new operational model.

Cloud environments often introduce:

faster deployment cycles

infrastructure as code

automated updates

continuous integration and continuous delivery

different approval and rollback processes

These changes can significantly affect how the organization governs system changes, so revising the policy is likely necessary.

Why the other options are incorrect:

A. An engineer adds a new feature to the production service.This is an example of a change that should follow policy, not necessarily a reason to revise the policy itself.

B. A production server continuously runs at its maximum load.This is more of a performance or capacity issue than a direct reason to revise change management policy.

D. A legacy server lacks support for new regulatory requirements.This points more toward compliance remediation or system replacement, not specifically revising change management policy.

From the SY0-701 perspective, major shifts in how systems are updated and maintained, especially through cloud adoption, are strong reasons to update change management governance. Therefore, C is correct.

Deploying a Security Information and Event Management (SIEM) solution allows for efficient log aggregation, correlation, and analysis across an organization’s infrastructure, providing real-time security insights.References: Security+ SY0-701 Course Content​, Security+ SY0-601 Book​.

Steganography is the process of hiding information within another medium, such as an image, audio, video, or text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted by using a specific technique or key. Steganography can be used for various purposes, such as concealing secret messages, watermarking, or evading detection by antivirus software12

Segmentation is a network design technique that divides the network into smaller and isolated segments based on logical or physical boundaries. Segmentation can help improve network security by limiting the scope of an attack, reducing the attack surface, and enforcing access control policies. Segmentation can also enhance network performance, scalability, and manageability. To accomplish the goal of storing customer data on a separate part of the network, the administrator can use segmentation technologies such as subnetting, VLANs, firewalls, routers, or switches. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 308-309 1

Comprehensive and Detailed Explanation From Exact Extract:

End-of-life (EOL) systems no longer receive security patches, vendor support, or vulnerability updates. Because of this, they are highly susceptible to exploitation, especially if attackers can reach them over a network. When the system is business-critical and cannot be decommissioned, the most effective strategy is isolation, also known as network segmentation, air-gapping, or restrictive network zoning. Isolation removes direct exposure to external and internal threats by limiting communication paths to only essential systems and users.

According to the Security+ SY0-701 guidance, isolating legacy systems helps reduce the attack surface when patching is no longer possible. Monitoring (A) is useful for detection but does not prevent exploitation. Decommissioning (C) would be ideal but is not possible for business-critical systems, as stated in the question. Encryption (D) protects data confidentiality but does not stop an attacker from exploiting vulnerabilities in an unpatched OS or application.

Isolation is a recommended compensating control for legacy and unsupported systems in SY0-701’s Security Architecture & Resilience domain, which emphasizes micro-segmentation, firewalls, and restricted access to minimize risk when systems cannot be replaced or patched.

The best answer is A. 2 .

ARO (Annualized Rate of Occurrence) is the expected number of times an incident will occur per year .

The company expects:

10 incidents

over 5 years

So:

ARO = 10 / 5 = 2

That means the equipment is expected to experience 2 incidents per year .

Why the other options are incorrect:

B. 5 This does not match the yearly average from the scenario.

C. 10 This is the total number of incidents over five years, not the annualized value.

D. 50 This is not supported by the information given.

From a SY0-701 perspective, ARO is a standard quantitative risk calculation used to estimate how frequently an event occurs in a year.

Attempting to enter an unauthorized area using an access badge during a penetration test is an example of a physical test. This type of test evaluates the effectiveness of physical security controls, such as access badges, security guards, and locks, in preventing unauthorized access to restricted areas.

Defensive and offensive testing typically refer to digital or network-based penetration testing strategies.

Passive testing involves observing or monitoring but not interacting with the environment​​.

The presence of another device providing internet access that bypasses the content filtering system indicates the existence of a rogue access point. Rogue access points are unauthorized devices that can create a backdoor into the network, allowing users to bypass security controls like content filtering. This presents a significant security risk as it can expose the network to unauthorized access and potential data breaches.

References =

CompTIA Security+ SY0-701 Course Content: Rogue access points are highlighted as a major security risk, allowing unauthorized access to the network and bypassing security measures​​.

The best answer is A. Ensure the firewall data plane moves to fail-closed mode.

The key detail in this question is that the company prioritizes data confidentiality over transaction availability. In Security+ terms, when confidentiality is more important than keeping traffic flowing during a failure or security event, the preferred behavior is fail closed.

A fail-closed firewall blocks traffic if the device experiences a fault, failure, or security issue. This protects sensitive business data from being exposed or passed through an untrusted state. Even though this may interrupt business transactions, it aligns with the organization’s priority of protecting confidential information.

Why the other options are incorrect:

B. Implement a deny-all rule as the last firewall ACL rule.This is a standard firewall best practice, but it does not specifically address what should happen in case a security event occurs.

C. Prioritize business-critical application traffic through the firewall.This focuses on availability and performance, not confidentiality.

D. Configure rate limiting between the firewall interfaces.Rate limiting may help with traffic control or DoS reduction, but it does not best address the requirement to prioritize confidentiality during a security event.

From the SY0-701 perspective, when asked to choose between keeping systems available and preventing unauthorized access or data exposure, fail closed is the best security-focused answer.

ACertificate Revocation List (CRL)is adigitally signed list maintained by a Certificate Authority (CA)that containsrevoked or expired certificates. This prevents clients from trustingcompromised or outdated certificates.

TPM (A)is a hardware security module, unrelated to certificate revocation.

PKI (C)is the overall system managing digital certificates, but it does not store revocation lists.

CSR (D)is a request to obtain a certificate, not to revoke one.

The requirements point to a cloud-delivered, remote-user-first architecture that provides secure connectivity and security controls as an integrated service. Secure Access Service Edge (SASE) matches this because it combines remote connectivity capabilities (often replacing or modernizing traditional VPN approaches) with cloud-based security services, including firewalling, in a way that supports distributed users and resilient global access. The Study Guide explicitly states: “Secure Access Service Edge (SASE… ) combines virtual private networks, SD-WAN, and cloud-based security tools like firewalls, cloud access security brokers (CASBs), and zero-trust networks to provide secure access for devices regardless of their location.” This directly aligns with a fully remote workforce (“regardless of their location”), VPN capability, and an integrated firewall (“cloud-based security tools like firewalls”).

Why the other options don’t fit as well: IPS is a specific protective control, not an end-to-end remote access architecture; SIEM is for log aggregation/correlation and monitoring, not VPN + firewall delivery; and CASB is a component used to enforce cloud policy, but the guide distinguishes it as a policy enforcement point rather than a full connectivity + firewall architecture: “A CASB is a policy enforcement point…” . Therefore, SASE is the best match.

The principle of least privilege is a security concept that limits access to resources to the minimum level needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity best practice that protects high-value data and assets from compromise or insider threat. Least privilege can be applied to different abstraction layers of a computing environment, such as processes, systems, or connected devices. However, it is rarely implemented in practice.

In this scenario, the IT manager is setting up the principle of least privilege by restricting access to the administrator console of the help desk software to only two authorized users: the IT manager and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to the software configuration, data, or functionality by other help desk staff. The other help desk staff will only have access to the normal user interface of the software, which is sufficient for them to perform their job functions.

The other options are not correct. Hardening is the process of securing a system by reducing its surface of vulnerability, such as by removing unnecessary software, changing default passwords, or disabling unnecessary services. Employee monitoring is the surveillance of workers’ activity, such as by tracking web browsing, application use, keystrokes, or screenshots. Configuration enforcement is the process of ensuring that a system adheres to a predefined set of security settings, such as by applying a patch, a policy, or a template.

References = 

Active reconnaissance is a type of reconnaissance that involves sending packets or requests to a target and analyzing the responses. Active reconnaissance can reveal information such as open ports, services, operating systems, and vulnerabilities. However, active reconnaissance is also more likely to be detected by the target or its security devices, such as firewalls or intrusion detection systems. Port and service scans are examples of active reconnaissance techniques, as they involve probing the target for specific information. References = CompTIA Security+ Certification Exam Objectives, Domain 1.1: Given a scenario, conduct reconnaissance using appropriate techniques and tools. CompTIA Security+ Study Guide (SY0-701), Chapter 2: Reconnaissance and Intelligence Gathering, page 47. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 1.

Virtualization (D)allows multiple systems and services to be hosted onfewer physical machines, therebyreducing the total number of physical devicesand consequently thehardware attack surface. This also allows for better patching, monitoring, and control.

The fewer devices you manage physically, the fewer entry points there are for attackers to exploit hardware-level vulnerabilities.

To enhance security for a system running an end-of-life operating system, placing the system in an isolated VLAN is the most effective approach. By isolating the system from the rest of the network, you can limit its exposure to potential threats while maintaining its functionality. This segmentation helps protect the rest of the network from any vulnerabilities in the outdated system.

Installing HIDS (Host-based Intrusion Detection System) can help detect intrusions but won ' t mitigate the risks posed by an unsupported OS.

Decommissioning may not be feasible if the system is critical.

Encrypting the system ' s hard drive protects data at rest but doesn ' t address vulnerabilities from an outdated OS​​​.

The right to be forgotten refers to an individual’s legal right, under regulations such as GDPR, to request the deletion of all personal data held about them by an organization. This gives individuals control over their digital footprint and privacy.

Risk threshold is the maximum amount of risk that an organization is willing to accept for a given activity or decision. It is also known as risk appetite or risk tolerance. Risk threshold helps an organization to prioritize and allocate resources for risk management. Risk indicator, risk level, and risk score are different ways of measuring or expressing the likelihood and impact of a risk, but they do not describe the maximum allowance of accepted risk. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 34; Accepting Risk: Definition, How It Works, and Alternatives

A backout plan provides a documented procedure to revert or undo a change if it fails or causes issues, helping to restore the environment quickly and prevent extended downtime. Having a backout plan in place minimizes impact during failed changes.

User notification (A) informs users but does not prevent failures. Change approval (B) and risk analysis (C) occur before the change and cannot fix issues after failure.

Backout planning is a best practice in Change Management covered in Security Program Management【6:Chapter 16†CompTIA Security+ Study Guide】

Adding a random string of characters, known as a " salt, " to a password before hashing it is known as salting. This technique strengthens passwords by ensuring that even if two users have the same password, their hashes will be different due to the unique salt, making it much harder for attackers to crack passwords using precomputed tables.References: CompTIA Security+ SY0-701 course content and official CompTIA study resources.

Theprimary goal of corrective controls in financial systems is to ensure that errors do not propagate across interconnected systems. Financial transactions are ofteninterdependent, meaning one incorrect or unauthorized change can affect multiple systems. Regulations often mandate these controls tomaintain accuracy and prevent cascading failures.

A (insider threats altering banking details)is a concern, but thisscenario focuses on corrective controls, not insider threats specifically.

C (business insurance)is unrelated to why corrective controls are implemented.

D (preventing unauthorized changes)falls underpreventive, notcorrectivecontrols.

Detailed Explanation:

Baseline enforcement ensures that all systems adhere to predefined security configurations, such as approved OS versions and patch levels, improving compliance and reducing vulnerabilities. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: " System Baselines and Monitoring " ​​.

Baseline enforcement involves establishing standard configurations and operational baselines that allow a service provider to scale services efficiently while ensuring consistent performance and security. By enforcing baselines, automation can be applied, reducing manual intervention and variability, which supports rapid, cost-effective expansion.

Increasing workforce (B) adds operational cost and may introduce inconsistency. Escalation support (A) is reactive and does not inherently support scaling. Technical debt (D) refers to accumulated suboptimal design or quick fixes that hamper future scalability and is a negative factor.

Baseline enforcement is recognized as a best practice in the Security Program Management domain for scaling services reliably【6:Chapter 16†CompTIA Security+ Study Guide】.

An intrusion prevention system (IPS) is a security device that monitors network traffic and blocks or modifies malicious packets based on predefined rules or signatures. An IPS can prevent attacks that exploit known vulnerabilities in older browser versions by detecting and dropping the malicious packets before they reach the target system. An IPS can also perform other functions, such as rate limiting, encryption, or redirection. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3: Securing Networks, page 132.

A cryptographic vulnerability refers to weaknesses caused by the use of outdated or insecure cryptographic algorithms, protocols, or keys. These vulnerabilities make it easier for attackers to compromise encrypted data or communications. Use of deprecated ciphers or insufficient key lengths are typical examples.

A Virtual Private Network (VPN) is the best solution to allow remote employees secure access to company resources without interception concerns. A VPN establishes an encrypted tunnel over the internet, ensuring that data transferred between remote employees and the company is secure from eavesdropping.

Proxy server helps with web content filtering and anonymization but does not provide encrypted access.

NGFW (Next-Generation Firewall) enhances security but is not the primary tool for enabling remote access.

Security zone is a network segmentation technique but does not provide remote access capabilities​​​.

A service level agreement (SLA) is a document that defines the level of service expected by a customer from a service provider, indicating the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-upon levels not be achieved. An SLA can specify the minimum uptime or availability of a service, such as 99.99%, and the consequences for failing to meet that standard. A memorandum of agreement (MOA), a statement of work (SOW), and a memorandum of understanding (MOU) are other types of documents that can be used to establish a relationship between parties, but they do not typically include the details of service levels and performance metrics that an SLA does. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17

Full disk encryption (A)ensures that data stored on the device is protected even if the device is physically stolen. This is a fundamental security control for end-user devices, especially laptops and mobile devices, to prevent data breaches.

Endpoint protection (D)refers to anti-malware, antivirus, and host-based firewall solutions that safeguard end-user devices from malware, ransomware, and unauthorized access.

These measures are explicitly referenced in theCompTIA Security+ SY0-701exam objective2.2: Given a scenario, apply security concepts in support of organizational risk mitigationunderDevice hardening.

Data in transit is data that is moving from one location to another, such as over a network or through the air. Data in transit is vulnerable to interception, modification, or theft by malicious actors. A VPN (virtual private network) is a technology that protects data in transit by creating a secure tunnel between two endpoints and encrypting the data that passes through it2.

The correct answer is Data classification because it is the primary mechanism used to determine the sensitivity and criticality of information involved in a security incident. According to the Security+ SY0-701 governance and risk management concepts, data classification assigns labels—such as public, internal, confidential, or restricted—to information based on its sensitivity, value to the organization, and potential impact if disclosed, altered, or destroyed. When a breach occurs, these classifications allow security teams and management to quickly assess how severe the incident is and what regulatory, legal, or business consequences may apply.

In this scenario, the compromised cloud-hosted solution contains customer information. By referencing the organization’s data classification scheme, incident responders can determine whether the exposed data includes personally identifiable information (PII), financial data, health records, or other regulated data types. This directly influences breach notification requirements, incident escalation, response prioritization, and communication with stakeholders. The SY0-701 study guide emphasizes that effective security governance depends on having clearly defined classification standards before an incident occurs, so decisions during response are consistent and defensible.

The other options do not meet the goal of determining sensitivity. Permission restrictions are access control mechanisms used to prevent unauthorized access, not to evaluate the importance of data after a compromise. Tabletop exercises are preparedness and training activities designed to test incident response plans, not to classify real data. Asset inventory identifies systems, hardware, software, and data locations, but it does not define how sensitive the data is; it only helps locate what may be affected.

Therefore, data classification is the most appropriate strategy for determining the sensitivity level of the breach, aligning directly with Security+ SY0-701 objectives related to risk management, privacy, and incident impact assessment.

An Acceptable Use Policy (AUP) is an example of a managerial control. Managerial controls are policies and procedures that govern an organization ' s operations, ensuring security through directives and rules. The AUP defines acceptable behavior and usage of company resources, setting guidelines for employees.

Physical controls refer to security measures like locks, fences, or security guards.

Technical controls involve security mechanisms such as firewalls or encryption.

Operational controls are procedures for maintaining security, such as backup and recovery plans​​.

Software as a Service (SaaS) is the cloud model that best meets the goal of outsourcing the management, including patching, of firmware, operating systems, and applications to the cloud vendor. In a SaaS environment, the cloud provider is responsible for maintaining and updating the entire software stack, allowing the organization to focus on using the software rather than managing its infrastructure.

References = CompTIA Security+ SY0-701 study materials, particularly the domains related to cloud security models​​.

Jailbreaking is a primary security concern for a company setting up a BYOD (Bring Your Own Device) program. Jailbreaking is the process of removing the manufacturer’s or the carrier’s restrictions on a device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of service of the device, and make it incompatible with the company’s security policies and standards. Therefore, a company setting up a BYOD program should prohibit jailbreaking and enforce device compliance and encryption. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 2, page 76. CompTIA Security+ SY0-701 Exam Objectives, Domain 2.4, page 11.

The best answer is A. Helping identify unauthorized or unmanaged devices connected to the network .

An effective IT asset tracking system maintains visibility into the hardware, software, and devices that are authorized to exist in the environment. One major security benefit is that it helps identify systems that are:

unauthorized

unmanaged

missing required security controls

unknown to administrators

This improves inventory control and helps security teams detect rogue or noncompliant devices.

Why the other options are incorrect:

B. Preventing prohibited data exfiltration from endpoints on the network Preventing exfiltration is more directly the role of DLP and related controls, not asset tracking alone.

C. Assisting with automated root cause analysis for all security incidents on the network Asset tracking can support investigations, but it does not automatically perform root cause analysis for all incidents.

D. Ensuring proper data backup and recovery procedures are in place Backup and recovery are separate operational processes, not a direct benefit of asset tracking itself.

From the SY0-701 perspective, maintaining an accurate asset inventory is foundational for identifying unauthorized or unmanaged devices , so A is the correct answer.

Rules of engagement are the detailed guidelines and constraints regarding the execution of information security testing, such as penetration testing. They define the scope, objectives, methods, and boundaries of the test, as well as the roles and responsibilities of the testers and the clients. Rules of engagement help to ensure that the test is conducted in a legal, ethical, and professional manner, and that the results are accurate and reliable. Rules of engagement typically include the following elements:

The type and scope of the test, such as black box, white box, or gray box, and the target systems, networks, applications, or data.

The client contact details and the communication channels for reporting issues, incidents, or emergencies during the test.

The testing team credentials and the authorized tools and techniques that they can use.

The sensitive data handling and encryption requirements, such as how to store, transmit, or dispose of any data obtained during the test.

The status meeting and report schedules, formats, and recipients, as well as the confidentiality and non-disclosure agreements for the test results.

The timeline and duration of the test, and the hours of operation and testing windows.

The professional and ethical behavior expectations for the testers, such as avoiding unnecessary damage, disruption, or disclosure of information.

Supply chain analysis, right to audit clause, and due diligence are not related to the terms of a test with a third-party penetration tester. Supply chain analysis is the process of evaluating the security and risk posture of the suppliers and partners in a business network. Right to audit clause is a provision in a contract that gives one party the right to audit another party to verify their compliance with the contract terms and conditions. Due diligence is the process of identifying and addressing the cyber risks that a potential vendor or partner brings to an organization.

References =

Detailed Explanation:Privileged Access Management (PAM) solutions enhance security by enforcing strong authentication, rotation of credentials, and access control for shared accounts. This is especially critical in scenarios like SSO failures. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: " Privileged Access and Identity Management " ​​.

The best answer is A. Peer review requirements .

The question asks about information security policies related to the software development methodology . At the policy level, a CISO is most likely to define broad organizational requirements that apply across development activities. Peer review requirements are a common secure development policy control because they require code or design review before deployment.

This helps reduce:

coding errors

insecure logic

weak implementations

missed vulnerabilities

Why the other options are less appropriate:

B. Multifactor authentication MFA is an important security control, but it is not specifically a software development methodology requirement.

C. Branch protection tests This is more of a technical repository configuration detail than a broad policy statement.

D. Secrets management configurations Secrets management is important, but specific configurations are generally procedural or technical implementation details rather than the most likely policy-level content.

From a Security+ perspective, software development governance documents often include secure coding and review requirements , making A the best answer.

A high-availability network is a network that is designed to minimize downtime and ensure continuous operation of critical services and applications. To achieve this goal, a high-availability network must consider two important factors: ease of recovery and attack surface.

Ease of recovery refers to the ability of a network to quickly restore normal functionality after a failure, disruption, or disaster. A high-availability network should have mechanisms such as redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a complete network outage. A high-availability network should also have procedures and policies for incident response, disaster recovery, and business continuity to minimize the impact of any network issue on the organization’s operations and reputation.

Attack surface refers to the exposure of a network to potential threats and vulnerabilities. A high-availability network should have measures such as encryption, authentication, authorization,firewall, intrusion detection and prevention, and patch management to protect the network from unauthorized access, data breaches, malware, denial-of-service attacks, and other cyberattacks. A high-availability network should also have processes and tools for risk assessment, threat intelligence, vulnerability scanning, and penetration testing to identify and mitigate any weaknesses or gaps in the network security.

A tabletop exercise involves the executive team or key stakeholders discussing and testing the company’s incident response plan in a simulated environment. These exercises are low-stress, discussion-based, and help to validate the plan ' s effectiveness by walking through different scenarios without disrupting actual operations. It is an essential part of testing business continuity and incident response strategies.

Continuity of operations refers to the ability of an organization to continue functioning during and after a disaster but doesn ' t specifically involve simulations like tabletop exercises.

Capacity planning is related to ensuring the infrastructure can handle growth, not incident response testing.

Parallel processing refers to running multiple processes simultaneously, which is unrelated to testing an incident response plan​​.

Infrastructure as Code (IaC) enables organizations to automate the provisioning, configuration, and deployment of servers through machine-readable scripts rather than manual processes. SY0-701 emphasizes IaC as a key component of DevOps and secure deployment pipelines. By using IaC, server builds become repeatable, standardized, version-controlled, and much faster.

This directly addresses the company ' s goals:

Better control: IaC ensures predictable, consistent configuration across all servers.

Standardization: Scripts eliminate drift by applying identical configurations.

Lower build time: Automation significantly accelerates server creation and eliminates manual intervention.

IoT (A) refers to Internet-connected smart devices and is unrelated to server deployment. PaaS (C) offers development platforms but does not automate infrastructure builds. ICS (D) refers to industrial control systems, not IT server architecture.

Therefore, the only correct architecture that meets all objectives is IaC, a foundational technology for modern automated infrastructure.

A tabletop exercise is a discussion-based simulation where incident response (IR) team members walk through hypothetical security scenarios to understand roles, responsibilities, escalation paths, and communication processes. According to Security+ SY0-701, tabletop exercises are ideal for familiarizing participants with the incident response process and improving organizational readiness without the pressure or resource demands of full-scale simulations.

These exercises highlight:

IR workflow clarity

Decision-making processes

Coordination between technical and non-technical teams

Communication procedures

Identification of gaps in policies or documentation

Option B (rules of engagement) is part of penetration testing planning, not tabletop exercises. Option C refers to real breach analysis, not simulations. Option D refers to forensic operations, not tabletop objectives.

Thus, A is correct.

A vulnerability scan is the most likely method to identify legacy systems. These scans assess an organization ' s network and systems for known vulnerabilities, including outdated or unsupportedsoftware (i.e., legacy systems) that may pose a security risk. The scan results can highlight systems that are no longer receiving updates, helping IT teams address these risks.

Bug bounty programs are used to incentivize external researchers to find security flaws, but they are less effective at identifying legacy systems.

Package monitoring tracks installed software packages for updates or issues but is not as comprehensive for identifying legacy systems.

Dynamic analysis is typically used for testing applications during runtime to find vulnerabilities, but not for identifying legacy systems​​.

A Mobile Device Management (MDM) platform protects organizational mobile devices by enforcing security policies, restricting unauthorized configuration changes, and detecting compromised devices. One of the major vulnerabilities MDM mitigates is jailbreaking, which occurs when a user removes manufacturer restrictions to gain unrestricted access to the file system and install unapproved apps.

Security+ SY0-701 explains that jailbroken devices:

Bypass built-in security protections

Are more susceptible to malware

Can be used for data exfiltration

Violate corporate mobile security policies

MDM solutions detect jailbroken or rooted devices and automatically block them from accessing corporate resources, enforce compliance rules, and remotely wipe devices if necessary.

TPM (A) is a hardware security chip unrelated to MDM. Buffer overflow (B) and SQL injection (D) are software development vulnerabilities, not mobile device policy issues.

Thus, the correct answer is C: Jailbreaking.

If cadets are using company phone numbers to make unsolicited calls, and the logs confirm the numbers are not being spoofed, it suggests that the SIP (Session Initiation Protocol) server ' s security settings might be weak. This could allow unauthorized access or exploitation of the company ' s telephony services, potentially leading to misuse by unauthorized individuals.

References = CompTIA Security+ SY0-701 study materials, especially on SIP security and common vulnerabilities​​.

A bug bounty is a program that rewards security researchers for finding and reporting vulnerabilities in an application or system. Bug bounties are often used by companies to improve their security posture and incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and compensation for the researchers. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 1, page 10. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 1.1, page 2.

Detailed Explanation:MAC filtering allows network administrators to control device access by specifying allowed MAC addresses. This prevents unauthorized devices, such as a laptop plugged into a network port, from gaining access. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Threats and Vulnerabilities, Section: " Network Access Control Methods " ​​.

 A user provisioning script is an automation technique that uses a predefined set of instructions or commands to create, modify, or delete user accounts and assign appropriate access or permissions. A user provisioning script can help to streamline account creation by reducing manual errors, ensuring consistency and compliance, and saving time and resources12.

The other options are not automation techniques that can streamline account creation:

Guard rail script: This is a script that monitors and enforces the security policies and rules on a system or a network. A guard rail script can help to prevent unauthorized or malicious actions, such as changing security settings, accessing restricted resources, or installing unwanted software3.

Ticketing workflow: This is a process that tracks and manages the requests, issues, or incidents that are reported by users or customers. A ticketing workflow can help to improve the communication, collaboration, and resolution of problems, but it does not automate the account creation process4.

Escalation script: This is a script that triggers an alert or a notification when a certain condition or threshold is met or exceeded. An escalation script can help to inform the relevant parties or authorities of a critical situation, such as a security breach, a performance degradation, or a service outage.

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 1022: User Provisioning – CompTIA Security+ SY0-701 – 5.1, video by Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 1034: CompTIA Security+ SY0-701 Certification Study Guide, page 104. : CompTIA Security+ SY0-701 Certification Study Guide, page 105.

A partially known environment is a type of penetration test where the tester has some information about the target, such as the IP address, the operating system, or the device type. This can help the tester focus on specific vulnerabilities and reduce the scope of the test. A partially known environment is also called a gray box test1.

The best answer is C. Ensuring DPAs are in place with third-party vendors.

When a company handles personal data across multiple countries, one of the most important legal and regulatory requirements is ensuring that any third parties processing that data are contractually bound to protect it appropriately. A DPA (Data Processing Agreement) defines how a vendor may collect, process, store, share, and protect personal data. This is a key requirement in many privacy frameworks and regulations.

This matters because organizations are often still responsible for customer data even when a third-party provider handles it. A DPA helps establish:

the roles and responsibilities of each party

the legal basis and limits for data processing

security and privacy obligations

breach notification expectations

cross-border data handling requirements

Why the other options are incorrect:

A. Storing all customer data on encrypted local serversEncryption is important, but this alone does not ensure compliance with international privacy laws. Legal compliance involves governance, lawful processing, third-party handling, and contractual obligations.

B. Hiring a data privacy officer to review contractsA privacy officer may be helpful or required in some situations, but simply hiring one is not as directly critical as having the actual data processing agreements in place.

D. Using strong passwords and firewalls on all endpointsThese are valuable security controls, but they are not sufficient for legal compliance with global privacy regulations.

From a Security+ perspective, privacy compliance often involves third-party risk management, contractual controls, and lawful data handling, making DPAs the most critical answer here.

Detailed Explanation:This scenario highlights the need for training on the secure use of removable media. Users should learn to avoid using untrusted external storage devices to prevent malware infections. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: " Removable Media Controls and User Awareness Training " ​​.

Comprehensive and Detailed Explanation From Exact Extract:

The described activity—visiting a website and downloading publicly accessible content—is a classic example of passive reconnaissance. Passive reconnaissance involves gathering information about a target without interacting with its internal systems or generating traffic that could be detected by security monitoring tools.

According to SY0-701, passive recon uses open-source intelligence (OSINT), such as:

Public websites

DNS records

News articles

Metadata

Public document repositories

The key distinction is that passive reconnaissance does not probe the system for vulnerabilities, nor does it send active scanning traffic.

Vulnerability scanning (B) requires active probing. Unknown environment testing (A) applies to black-box testing but still may involve active scanning. Due diligence (C) refers to risk assessment or compliance reviews, not technical reconnaissance.

Therefore, downloading the website’s content is a non-intrusive information-gathering technique, perfectly matching passive reconnaissance as defined in the exam materials under Threats, Vulnerabilities, Attack Vectors, and Pen Testing Phases.

Packet capture data can be very large and may not need to be stored for extended periods compared to other logs essential for security audits.

=================

Salting involves adding a unique value (salt) to each password before hashing it. This means that even if two users have the same password, the added salts ensure their hash values are different. This protects against attacks that exploit identical hash values, such as rainbow table attacks.

The IT manager is creating a Business Continuity Plan (BCP). A BCP describes how an organization will continue to operate during and after a disaster or global incident. It ensures that critical business functions remain operational despite adverse conditions, with a focus on minimizing downtime and maintaining essential services.

Physical security relates to protecting physical assets.

Change management ensures changes in IT systems are introduced smoothly, without disrupting operations.

Disaster recovery is a subset of business continuity but focuses specifically on recovering from IT-related incidents​​.

The best answer is C. Chain of custody.

Chain of custody is the documented process used to track forensic evidence from the moment it is collected until it is presented, stored, transferred, or disposed of. It records:

who handled the evidence

when it was handled

where it was stored

how it was transferred

how its integrity was preserved

This is critical to ensure the evidence remains credible and admissible.

Why the other options are incorrect:

A. Acquisition of evidenceAcquisition refers to collecting or imaging evidence, but it does not specifically cover the full documentation of handling over time.

B. E-discoveryE-discovery relates to identifying and producing electronically stored information for legal matters, not specifically preserving forensic handling records.

D. Forensic tabletop exercisesThese are discussion-based practice activities, not evidence handling procedures.

From a Security+ perspective, preserving and documenting forensic evidence handling is the definition of chain of custody.

Organized crime is a type of threat actor that is motivated by financial gain and often operates across national borders. Organized crime groups may be hired by foreign governments to conduct cyberattacks on critical systems located in other countries, such as power grids, military networks, or financial institutions. Organized crime groups have the resources, skills, and connections to carry out sophisticated and persistent attacks that can cause significant damage and disruption12. References = 1: Threat Actors - CompTIA Security+ SY0-701 - 2.1 2: CompTIA Security+ SY0-701 Certification Study Guide

Monitoring outbound traffic is essential for detecting unauthorized data exfiltration from a system. A new vulnerability that allows malware to move data unauthorizedly would typically attempt to send this data out of the network. By monitoring outbound traffic, security tools can detect unusual data transfers, trigger alerts, and help prevent the exfiltration of sensitive information.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Threat Detection and Response​.

A tabletop exercise is a discussion-based exercise where stakeholders gather to walk through the roles and responsibilities they would have during a specific situation, such as a security incident or disaster. This type of exercise is designed to identify gaps in planning and improve coordination among team members without the need for physical execution.

References = CompTIA Security+ SY0-701 study materials, particularly in the domain of security operations and disaster recovery planning​​.

The scenario describes a situation where a user unknowingly triggers an unwanted action, such as changing their password, by clicking a malicious link. This is indicative of a Cross-Site Request Forgery (CSRF) attack, where an attacker tricks the user into executing actions they did not intend to perform on a web application in which they are authenticated.

References = CompTIA Security+ SY0-701 study materials, particularly in the domain of web application security and common attack vectors like CSRF​​.

Federation is an access management concept that allows users to authenticate once and access multiple resources or services across different domains or organizations. Federation relies on a trusted third party that stores the user’s credentials and provides them to the requested resources or services without exposing them. Password complexity is a security measure that requires users to create passwords that meet certain criteria, such as length, character types, and uniqueness. Password complexity can help prevent brute-force attacks, password guessing, and credential stuffing by making passwords harder to crack or guess. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 308-309 and 312-313 1

The best answer is C. Execute the file in a sandbox.

A sandbox is an isolated environment used to safely run suspicious files and observe their behavior without risking production systems. In this case, the analyst only used antivirus scanning, which may miss new, obfuscated, or previously unknown ransomware. By executing the file in a sandbox, the analyst could have observed malicious behaviors such as:

file encryption attempts

process spawning

registry changes

network beaconing

suspicious system modifications

This makes sandboxing a much better method for analyzing potentially malicious files than relying only on signature-based antivirus.

Why the other options are incorrect:

A. Review the file in a code editor.This might help in limited cases, but many malicious files are compiled, packed, or obfuscated. It is not a reliable primary analysis method.

B. Monitor the file connections with netstat.Netstat only shows network connections and would not fully reveal ransomware behavior, especially if the malware acts locally before making network connections.

D. Retrieve the file hash and check with OSINT.Hash reputation checks can help identify known malware, but they do not detect new or modified ransomware samples that do not yet appear in threat intelligence sources.

From the SY0-701 perspective, suspicious files should be analyzed using dynamic analysis in a sandbox to identify behavior that static tools may miss. That is why C is the best answer.

Encryption is the standard method for protecting data in transit, ensuring that intercepted communications cannot be read without the appropriate decryption key.

Containmentis the phase wherean organization attempts to minimize the damage caused by a security incident. This may involve isolating affected systems, blocking malicious traffic, or temporarily shutting down compromised services to prevent further impact.

Recovery (A)focuses on restoring normal operations after an incident.

Preparation (C)involves planning and readiness before an incident occurs.

Analysis (D)involvesinvestigating the root causeand assessing the damage.

The company should request a certification from the vendor that confirms the storage array has been disposed of securely and in compliance with the company’s policies and standards. A certification provides evidence that the vendor has followed the proper procedures and methods to destroy the classified data and prevent unauthorized access or recovery. A certification may also include details such as the date, time, location, and method of disposal, as well as the names and signatures of the personnel involved. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, page 1441

Data exfiltration is a technique that attackers use to steal sensitive data from a target system or network by transmitting it through DNS queries and responses. This method is often used in advanced persistent threat (APT) attacks, in which attackers seek to persistently evade detection in the target environment. A large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours is a strong indicator of data exfiltration. A worm, a logic bomb, and ransomware would not use DNS queries to communicate with their command and control servers or perform their malicious actions. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 487; Introduction to DNS Data Exfiltration; Identifying a DNS Exfiltration Attack That Wasn’t Real — This Time

Detailed Explanation:Access control lists (ACLs) allow administrators to fine-tune file permissions by specifying which users or groups have access to a file and defining the level of access. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: " Access Control Mechanisms " ​​.

WPA2-Enterprise is designed for environments where users authenticate with unique, individual credentials backed by an enterprise identity store, rather than a shared preshared key. The Study Guide explicitly states: “WPA2-Enterprise relies on a RADIUS authentication server as part of an 802.1X implementation for authentication. Users can thus have unique credentials and be individually identified.” That maps directly to the requirement that users verify identity against the company’s identity services using individual credentials. It further explains how this is implemented operationally: “802.1X is an IEEE standard for access control… In wireless networks, 802.1X is used to integrate with RADIUS servers, allowing enterprise users to authenticate and gain access to the network.”

Therefore, the correct configuration step is enabling 802.1X and tying authentication into the organization’s identity source (commonly a corporate directory). The other choices don’t correctly “apply RADIUS” for WPA2-Enterprise: self-signed certs are not universally required for all EAP types and can introduce trust issues; MAC filters are weak and spoofable; and MFA might be beneficial but is not the fundamental step that enables RADIUS-backed WPA2-Enterprise authentication.

A site survey is the formal assessment used to determine the optimal number and placement of wireless access points (APs). According to Security+ SY0-701, wireless site surveys evaluate factors such as building layout, RF interference, wall material density, antenna propagation, and signal overlap. The goal is to ensure full wireless coverage while minimizing the number of APs needed, maximizing performance, and reducing dead zones.

During a site survey, technicians analyze:

Signal strength patterns

Interference sources (microwaves, metal shelving, wiring, etc.)

Required coverage zones

Capacity needs (number of users, devices)

Although heat maps (C) visually represent wireless signal distribution, they are a result of a site survey, not the process itself. WPA3 (B) is a security protocol unrelated to determining coverage. A signal locator (A) is not an enterprise-grade planning tool.

Therefore, the correct answer is D: Site survey.

Confidentiality is the security concept that ensures data is protected from unauthorized access or disclosure. The principle of least privilege is a technique that grants users or systems the minimum level of access or permissions that they need to perform their tasks, and nothing more. By applying the principle of least privilege to a human resources fileshare, the permissions can be restricted to only those who have a legitimate need to access the sensitive data, such as HR staff, managers, or auditors. This can prevent unauthorized users, such as hackers, employees, or contractors, from accessing, copying, modifying, or deleting the data. Therefore, the principle of least privilege can enhance the confidentiality of the data on the fileshare. Integrity, availability, and non-repudiation are other security concepts, but they are not the best reason for permissions on a human resources fileshare to follow the principle of least privilege. Integrity is the security concept that ensures data is accurate and consistent, and protected from unauthorized modification or corruption. Availability is the security concept that ensures data is accessible and usable by authorized users or systems when needed. Non-repudiation is the security concept that ensures the authenticity and accountability of data and actions, and prevents the denial of involvement or responsibility. While these concepts are also important for data security, they are not directly related to the level of access or permissions granted to users or systems. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17, 372-373

Detailed Explanation:Standard operating procedures (SOPs) outline the steps to be followed to maintain a secure baseline, such as testing and deploying patches while minimizing risk to the system. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: " Patch Management and Baseline Compliance " ​​.

Compromised vendor email accounts often lead to business email compromise (BEC) attacks where attackers send malicious or unexpected requests appearing from trusted sources. Training users to be alert to unexpected requests even if they appear to come from familiar addresses is critical in preventing such attacks.

Refraining from clicking images (A) is less effective than being vigilant about suspicious content and requests. Deleting emails from unknown providers (B) is not practical, as some legitimate emails come from unknown senders. Requiring invoices as attachments (C) can increase risk by encouraging users to open potentially malicious attachments.

This user awareness tactic is emphasized in the Security Program Management and Security Awareness training in SY0-701【6:Chapter 16†CompTIA Security+ Study Guide】.

CVSS stands for Common Vulnerability Scoring System, which is a framework that provides a standardized way to assess and communicate the severity and risk of vulnerabilities. CVSS uses a set of metrics and formulas to calculate a numerical score ranging from 0 to 10, where higher scores indicate higher criticality. CVSS can help organizations prioritize remediation efforts and compare vulnerabilities across different systems and vendors. The other options are not used to measure the criticality of a vulnerability, but rather to identify, classify, or report them. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 39

The best answer is C. Hacktivists often target organizations without prior access or internal affiliation.

The clearest distinction between hacktivists and insider threats is that insider threats typically have authorized access or internal affiliation with the organization, while hacktivists usually act from the outside.

Hacktivists are often motivated by political, ideological, or social causes, but the strongest differentiator in this comparison is that they generally do not begin with legitimate internal access.

Why the other options are less correct:

A. Hacktivists often act based on ideological or political beliefs rather than organizational access.This is true about motivation, but it does not distinguish them as directly as the lack of internal access does.

B. Hacktivists are generally employed by the target organization at the time of attack.This describes insiders, not hacktivists.

D. Hacktivists are primarily motivated by personal conflicts or employment-related dissatisfaction.This is more typical of some insider threats, not hacktivists.

From the SY0-701 perspective, the strongest distinction is external targeting without prior authorized access, so C is the best answer.

Failure to comply with right-to-be-forgotten (data privacy) regulations can lead to significant fines imposed by regulatory authorities like GDPR enforcers. Such laws require companies to delete personal data upon user request.

Data breaches (B) are security incidents; revenue loss (C) and blackmail (D) may occur indirectly but fines are the direct legal consequence.

Regulatory compliance and consequences are critical topics in Security Program Management【6:Chapter 16†CompTIA Security+ Study Guide】

A watering-hole attack is a type of cyberattack that targets groups of users by infecting websites that they commonly visit. The attackers exploit vulnerabilities to deliver a malicious payload to the organization’s network. The attack aims to infect users’ computers and gain access to a connected corporate network. The attackers target websites known to be popular among members of a particular organization or demographic. The attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices1

In this scenario, the compromised industry blog is the watering hole that the attackers used to spread malware across the company’s network. The attackers likely chose this blog because they knew that the employees of the company were interested in its content and visited it frequently. The attackers may have injected malicious code into the blog or redirected the visitors to a spoofed website that hosted the malware. The malware then infected the employees’ computers and propagated to the network.

References1: Watering Hole Attacks: Stages, Examples, Risk Factors & Defense …

Infrastructure as Code (IaC)enables automated provisioning and configuration of infrastructure, making environmentsrepeatable, consistent, and scalable. The ability tobetter manage and replicate configurations (B)ensures that security settings are not missed and reduces misconfigurations.

According to theCompTIA Security+ SY0-701exam objectives underDomain 4.1 (Explain the security implications of different architecture models),IaCprovides the ability to " automatically enforce security controls " and manageconsistent configuration states, reducing human error.

Detailed Explanation:A version control tool, such as Git, tracks changes made to code, maintains history, and allows developers to manage and revert to earlier versions when needed. This ensures accountability and control over modifications. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: " Version Control and Documentation " ​​.

The best answer is C. Firewall logs.

The PowerShell command shown is suspicious because it uses:

-exec bypass to bypass PowerShell execution policy

IEX (Invoke-Expression) to execute downloaded content in memory

Net.WebClient.DownloadString() to retrieve a remote script from the IP address 176.30.40.50

The question asks which logs will help confirm an established connection to that IP address. The best source for confirming that network communication actually occurred is firewall logs, because they record allowed and blocked inbound or outbound network connections between systems and remote IP addresses.

Why the other options are incorrect:

A. System event logsThese may show local operating system events, but they are not the best source for confirming a network connection to a specific external IP.

B. EDR logsEDR logs may show suspicious PowerShell execution and related behavior, and in some environments they may also show network activity. However, when the question specifically asks to confirm an established connection to a particular IP, firewall logs are the most direct and standard answer.

D. Application logsApplication logs generally track application-specific events and are not the best source for validating outbound network connections to a suspicious IP.

From a Security+ perspective, suspicious script execution should be correlated with network logs to validate command-and-control or malware download activity. That makes firewall logs the best choice.

AnAPI (B)or Application Programming Interface is the best option when you want toautomate data exchangebetween systems. APIs provide structured, secure, and efficient ways for systems to communicate and are widely used in automation and orchestration tasks.

SOAR (A)is used for broader security orchestration and may use APIs under the hood but is more complex.

SFTP (C)is for manual/automated file transfers.

RDP (D)is for remote desktop access, not data automation.

This is referenced inDomain 1.5: Explain the importance of automation and orchestration in cybersecurityunder“Application programming interfaces (APIs).”

 The correct answer is A because multifactor authentication (MFA) is a method of verifying a user’s identity by requiring more than one factor, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent unauthorized access even if the user’s password is compromised, as the attacker would need to provide another factor to log in. The other options are incorrect because they do not address the root cause of the attack, which is weak authentication. Permissions assignment (B) is the process of granting or denying access to resources based on the user’s role or identity. Access management © is the process of controlling who can access what and under what conditions. Password complexity (D) is the requirement of using strong passwords that are hard to guess or crack, but it does not prevent an attacker from using a stolen password. References =You can learn more about multifactor authentication and other security concepts in the following resources:

CompTIA Security+ SY0-701 Certification Study Guide, Chapter 1: General Security Concepts1

Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.2: Security Concepts2

Multi-factor Authentication – SY0-601 CompTIA Security+ : 2.43

TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 3: Identity and Access Management, Lecture 15: Multifactor Authentication4

CompTIA Security+ Certification SY0-601: The Total Course [Video], Chapter 3: Identity and Account Management, Section 2: Enabling Multifactor Authentication5

User Behavior Analytics (UBA)is specifically designed to detectanomalous or suspicious behaviorsby users that may indicate insider threats. UBA toolsestablish a baseline of normalbehaviorfor users and alert security teams when deviations occur (e.g., accessing sensitive files at odd hours, downloading large volumes of data, etc.).

Malicious insiders often bypass perimeter defenses like firewalls or IDS/IPS systems because they arelegitimate users. UBA offersvisibility into internal behavior patterns, which is essential for detecting these threats.

Hashing is used to verify data integrity. By comparing the hash value of the data before and after transmission, it is possible to determine if the data has been altered in transit. If the hash values match, the data has not been modified.

Push notifications offer a seamless and user-friendly method of multi-factor authentication (MFA) that can easily integrate into a user’s workflow. This method leverages employee-owned devices, like smartphones, to approve authentication requests through a push notification. It ' s convenient, quick, and doesn ' t require the user to input additional codes, making it a preferred choice for seamless integration with existing workflows.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management​.

Container image hardening best practices include removing default or unnecessary applications (A) to reduce the attack surface and disabling insecure protocols like Telnet (C) to prevent exploitation. Minimizing software components reduces vulnerabilities and limits potential exploits.

Installing a Network Intrusion Prevention System (NIPS) (B) is a network security measure, not typically embedded in a container image. Reconfiguring DNS (D), adding an SFTP server (E), or deleting public certificates (F) are unrelated or could disrupt container functionality.

These practices are part of securing containerized environments covered under Security Architecture topics in SY0-701【6:Chapter 10†CompTIA Security+ Study Guide】.

The scenario indicates that a user downloaded an unofficial patch, applied it, and afterward system files changed—detected by FIM. This strongly suggests the presence of a rootkit, which is designed to deeply embed itself into the operating system, altering core system files, modifying kernels, and hiding its presence.

Rootkits commonly replace or modify OS-level files, which results in changed file hashes—exactly what FIM is detecting. Rootkits often gain privileged, persistent control and are frequently disguised as legitimate updates or patches.

A logic bomb (A) is triggered by an event but does not typically modify OS files. A keylogger (B) captures keystrokes but doesn’t modify system files broadly. Ransomware (C) encrypts files, not silently alters system components.

Thus, the best match is D: Rootkit.

You want to place these technologies to reduce attack surface and enable secure protocols for the web architecture.

Suggested placements (following typical best practices for web architectures):

First node after Internet (Inbound Traffic Point):

FirewallControls and filters incoming traffic from the internet to block unwanted access.

Next node (Internal Traffic Control):

RouterRoutes packets inside the network and can apply some filtering.

Next layer (Between router and web infrastructure):

WAF (Web Application Firewall)Protects web servers from attacks like XSS, SQL injection, CSRF, directory traversal by inspecting HTTP/HTTPS traffic.

Web Servers:

Web serverHosts the application.

PKI Certificate:

Applied on the web server or WAF to enable HTTPS and secure protocols (TLS).

Part 2:

 An acceptable use policy (AUP) is a set of rules that govern how users can access and use a corporate network or the internet. The AUP helps companies minimize their exposure to cyber security threats and limit other risks. The AUP also serves as a notice to users about what they are not allowed to do and protects the company against misuse of their network. Users usually have to acknowledge that they understand and agree to the rules before accessing the network1.

An AUP best represents a preventive security control type, because it aims to deter or stop potential security incidents from occurring in the first place. A preventive control is proactive and anticipates possible threats and vulnerabilities, and implements measures to prevent themfrom exploiting or harming the system or the data. A preventive control can be physical, technical, or administrative in nature2.

Some examples of preventive controls are:

Locks, fences, or guards that prevent unauthorized physical access to a facility or a device

Firewalls, antivirus software, or encryption that prevent unauthorized logical access to a network or a system

Policies, procedures, or training that prevent unauthorized or inappropriate actions or behaviors by users or employees

An AUP is an example of an administrative preventive control, because it defines the policies and procedures that users must follow to ensure the security and proper use of the network and the IT resources. An AUP can prevent users from engaging in activities that could compromise the security, performance, or availability of the network or the system, such as:

Downloading or installing unauthorized or malicious software

Accessing or sharing sensitive or confidential information without authorization or encryption

Using the network or the system for personal, illegal, or unethical purposes

Bypassing or disabling security controls or mechanisms

Connecting unsecured or unapproved devices to the network

By enforcing an AUP, a company can prevent or reduce the likelihood of security breaches, data loss, legal liability, or reputational damage caused by user actions or inactions3.

References = 1: How to Create an Acceptable Use Policy - CoreTech, 2: [Security Control Types: Preventive, Detective, Corrective, and Compensating], 3: Why You Need A Corporate Acceptable Use Policy - CompTIA

Integrating each SaaS solution with an Identity Provider (IdP) is the most effective way to address the security issue. This approach allows for Single Sign-On (SSO) capabilities, where users can access multiple SaaS applications with a single set of credentials while maintaining strong password policies across all services. It simplifies the user experience and ensures consistent security enforcement across different SaaS platforms.

References =

CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management​.

The best answer is A. Data masking.

When production data is copied into a UAT (User Acceptance Testing) environment, sensitive information should be protected so that testers cannot view real confidential values such as personal data, account numbers, or other regulated information. Data masking replaces sensitive data with realistic but fictional or hidden values while preserving the format and usability of the data for testing.

This makes it ideal for non-production environments where the application still needs data that looks real, but the testing team should not be able to see actual sensitive information.

Why the other options are incorrect:

B. Data tokenizationTokenization replaces sensitive values with tokens, but it is more commonly used to protect data in operational processing systems, such as payment environments. It is not the best fit here compared with masking for UAT visibility concerns.

C. Data obfuscationObfuscation is a broader term and can mean making data harder to understand, but data masking is the more precise and standard control for protecting test data from being viewed.

D. Data encryptionEncryption protects data at rest or in transit, but once authorized testers access and use the UAT system, the application may decrypt and display the data. That does not solve the problem of testers viewing sensitive values.

From a Security+ perspective, when moving production data into development, test, or UAT environments, the preferred control to prevent exposure of real sensitive data is data masking.

= A change control request is a document that describes the proposed change to a system, the reason for the change, the expected impact, the approval process, the testing plan, the implementation plan, the rollback plan, and the communication plan. A change control request is a best practice for applying any patch to a production system, especially a high-priority one, as it ensures that the change is authorized, documented, tested, and communicated. A change control request also minimizes the risk of unintended consequences, such as system downtime, data loss, or security breaches. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 6, page 235. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.1, page 13.

" Typosquatting, also known as URL hijacking, is a form of cybersquatting where attackers register domain names that are intentionally similar to legitimate ones, often differing by a single character or a common typographical error. For example, an attacker might register ' ' to mimic ' ' tricking users who mistype the URL into visiting a malicious site. This attack exploits human error and can be used to steal credentials, distribute malware, or impersonate the legitimate entity. "

The scenario describes legacy, business-critical devices with minimal vendor support that must be segmented and closely monitored. This strongly matches embedded systems commonly found in manufacturing environments (e.g., industrial machinery controllers, sensors, ICS/SCADA components). The Study Guide defines embedded systems as: “Embedded systems are computer systems that are built into other devices. Industrial machinery, appliances, and cars are all places where you may have encountered embedded systems.” Manufacturing organizations often can’t easily replace or patch these systems because they have long lifecycles and may depend on specialized firmware/RTOS and proprietary integrations. The same guide warns that legacy/unsupported platforms create risk due to lack of vendor security patches and recommends compensating controls: “Lack of support implies that no new security patches… will be released… In cases where the organization simply must continue using an unsupported operating system, best practice dictates isolating the system as much as possible… and applying as many compensating security controls as possible, such as increased monitoring and implementing strict network firewall rules.”

That guidance directly supports the question’s “segmented and monitored closely” language. Workstations typically have stronger patch/support options; core routers and DNS servers are important, but they are not usually described as embedded legacy devices with minimal vendor support in a manufacturing context.

Application allow listing is the most effective technique to prevent bloatware, unauthorized software, or unnecessary applications from running on devices. Allow lists work by permitting only pre-approved, trusted applications to execute, blocking everything else by default. This is a recommended best practice in Security+ SY0-701 for reducing attack surface, preventing malware, and maintaining lean, hardened system images.

Bloatware often comes pre-installed on devices or is unintentionally installed by users. An allow list ensures only authorized applications required for business functions can run, thereby eliminating bloatware risks.

Disabling ports/protocols (A) hardens network access but does not prevent software installation. Default password changes (C) improve authentication security but are unrelated to software control. Access control permissions (D) restrict who can access what but do not prevent installation of unnecessary apps.

Thus, the correct answer is B: Application allow list.

The correct answer is B because regular patching directly reduces security risk by remediating known vulnerabilities before attackers can exploit them. Within the Security+ SY0-701 objectives, patch management is a foundational component of vulnerability management and secure operations. Vendors routinely release patches to fix security flaws that have already been identified, documented, and, in many cases, actively targeted by threat actors.

Attackers frequently scan enterprise environments for systems that are missing patches related to publicly disclosed vulnerabilities. Once a vulnerability is known, exploit code often becomes widely available, dramatically increasing the likelihood of compromise. Regular patching shortens the “window of exposure,” which is the time between vulnerability disclosure and remediation. By applying patches promptly, organizations significantly reduce the attack surface and limit opportunities for exploitation.

Option A is incorrect because while patches may incidentally improve stability or performance, that is not their primary security purpose. Option C is incorrect because patching does not replace other security controls; firewalls and intrusion detection systems remain essential for layered defense. Option D is also incorrect because antivirus tools serve a different role, such as detecting and responding to malware, and cannot be replaced by patching alone.

The SY0-701 study guide emphasizes that effective patch management requires structured processes, including testing, maintenance windows, rollback planning, and prioritization based on risk and asset criticality. Patching is classified as a preventive technical control, stopping attacks before they occur rather than reacting after compromise.

In summary, regular patching mitigates enterprise risk by proactively addressing known software vulnerabilities before they can be exploited. This makes it one of the most effective and widely emphasized security practices in the Security+ SY0-701 exam and in real-world security operations.

An image backup, also known as a full system backup, captures the entire contents of a system, including the operating system, applications, settings, and all data. This type of backup allows for a complete recovery of the system in case of a disaster, as it includes everything needed to restore the system to its previous state. This makes it the ideal choice for a systems administrator who needs to ensure the ability to recover the entire system, including the OS.

References = CompTIA Security+ SY0-701 study materials, domain on Security Operations​​.

ATabletop exercise (D)is adiscussion-based simulationof an incident scenario. It allows security teams towalk through procedures, responsibilities, and communicationsin alow-pressure environment, improving readiness without impacting operations.

It is specifically designed toprepare teams for real-world incident handling.

SOAR (Security Orchestration, Automation, and Response) platforms enable security teams to automate workflows, prioritize alerts, and manage remediation activities, helping to handle the volume of cloud misconfiguration alerts efficiently.

CASB (A) provides visibility and control for cloud services but is less focused on orchestration. IAM (B) manages identities and permissions, and XDR (D) is extended detection but does not provide workflow automation.

SOAR integration is critical for cloud security operations discussed in Security Operations【6:Chapter 14†CompTIA Security+ Study Guide】.

LDAP authentication on the printer (C)would require users toauthenticate before printing, enablingsecure print release. This ensures that documents arenot printed until the authorized user is physically present, which directly addresses the issue of missing confidential documents.

As perCompTIA Security+ SY0-701, Domain 3.1 (Access management), integratingauthentication mechanisms like LDAPimproves physical and document security in shared environments.

To identify authentication weaknesses in a customer-facing web application, the best method is dynamic analysis, also known as Dynamic Application Security Testing (DAST). Dynamic analysis evaluates an application while it is running, allowing testers to observe real-world interactions, session handling, login mechanisms, credential validation, access control failures, and runtime vulnerabilities such as brute-force weaknesses or authentication bypass conditions.

Security+ SY0-701 outlines DAST as the preferred approach for testing live web applications because it uncovers:

Weak session management

Broken authentication flows

Input validation failures

Misconfigurations in login portals

Runtime vulnerabilities that static code review cannot detect

Static analysis (A) only analyzes source code and may overlook logic flaws in authentication. Packet capture (B) inspects network traffic but cannot evaluate internal authentication logic. Agent-based scanning (C) is used for hosts, not web applications. Network-based scanning (E) finds port-level vulnerabilities but cannot assess application authentication mechanisms.

Therefore, dynamic analysis (D) is the most effective and accurate technique for discovering authentication weaknesses in live web applications.

Port 445 is used by the SMB protocol on Windows systems. Large volumes of unexpected traffic on TCP 445 are commonly associated with worms that exploit SMB vulnerabilities (such as WannaCry or NotPetya). Worms are self-replicating malware that spread rapidly across a network, consuming bandwidth, causing high latency, and often resulting in network outages. This matches the scenario given, where network unavailability and abnormal port 445 traffic are observed.

The key phrase is “ensure that incidents receive the correct level of attention and response.” In operations, that aligns most directly with escalation—moving high-severity or time-sensitive incidents to the right people/teams quickly and consistently, according to predefined criteria (severity, impacted systems, threat intel enrichment, SLA timers). The Study Guide lists ticketing and escalation explicitly as automation use cases: “Ticket creation: Automation can streamline the ticketing process, enabling immediate creation and routing of issues to the right teams.” and, crucially for this question, “Escalation: In case of a major incident, scripts can automate the escalation process, alerting key personnel quickly.”

While automation can also handle notification and ticket creation, escalation is the control that most directly enforces that the incident gets the proper priority and response path (for example: paging on-call, invoking the IR lead, opening a bridge, and applying “major incident” workflows). Closure is typically less suitable because it often requires validation and human judgment to ensure containment, eradication, and recovery steps are complete.

A legal hold (also known as a litigation hold) is a notification sent from an organization’s legal team to employees instructing them not to delete electronically stored information (ESI) or discard paper documents that may be relevant to a new or imminent legal case. A legal hold is intended to preserve evidence and prevent spoliation, which is the intentional or negligent destruction of evidence that could harm a party’s case. A legal hold can be triggered by various events, such as a lawsuit, a regulatory investigation, or a subpoena12

In this scenario, the company’s attorneys have requested that the security team initiate a legal hold in response to the lawsuit filed by the customers after the company was compromised. This means that the security team will most likely be required to retain any communications related to the security breach until further notice. This could include emails, instant messages, reports, logs, memos, or any other documents that could be relevant to the lawsuit. The security team should also inform the relevant custodians (the employees who have access to or control over the ESI) of their preservation obligations and monitor their compliance. The security team should also document the legal hold process and its scope, as well as take steps to protect the ESI from alteration, deletion, or loss34

A bastion host is a hardened system placed at a network boundary to absorb attacks and limit exposure. When deployed to mitigate risks from zero-day vulnerabilities, it acts as a compensating control. CompTIA Security+ SY0-701 defines compensating controls as alternative safeguards used when primary controls are insufficient or unavailable—such as when no patch exists for a zero-day.

Detective controls (B) identify issues but do not reduce exposure. Operational controls (C) refer to procedural or human-driven processes. Physical controls (D) secure physical environments (e.g., locks, cameras).

Because a bastion host compensates for the lack of a patch, the correct answer is A: Compensating.

Effective change management requires structured planning, testing, review, approval, deployment, and rollback capabilities. According to CompTIA Security+ SY0-701, one of the most critical components of change management is having a backout plan, which allows the organization to safely revert changes if the update or patch causes issues, operational disruption, or security instability. A proper backout plan reduces downtime, maintains system availability, and protects against unexpected failures.

Approving a change after deployment (A) violates standard change management protocols. Approval must occur before live implementation. Using a spreadsheet (C) is not considered an effective or secure change management mechanism. Automatic bypassing of change controls (D) is dangerous, even for security patches, because changes must be tested to avoid service outages or unintended vulnerabilities.

Therefore, the best description of effective change management is B: Having a backout plan when a patch fails.

An air-gapped network is a network that is physically isolated from other networks, such as the internet, to prevent unauthorized access and data leakage. However, an air-gapped network can still be compromised by removable devices, such as USB drives, CDs, DVDs, or external hard drives, that are used to transfer data between the air-gapped network and other networks. Removable devices can carry malware, spyware, or other malicious code that can infect the air-gapped network or exfiltrate data from it. Therefore, removable devices are the most common data loss path for an air-gapped network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 9: Network Security, page 449 1

The best answer is C. Configure a NAC solution to enforce 802.1X authentication with device certificates and implement endpoint security checks .

NAC (Network Access Control) is used to determine whether a device is allowed to connect to the network. The most secure and effective approach is to require:

802.1X authentication for network admission

device certificates to validate trusted devices

endpoint posture/security checks to ensure compliance

This method verifies both the device identity and its security condition before granting access.

Why the other options are incorrect:

A. Deploy a NAC solution to block wireless connections until devices can be verified against the baseline configuration. This only addresses wireless access and is too limited.

B. Set the NAC solution to only accept handshakes initiated from a static set of IP addresses. IP addresses are not reliable trust indicators and can be spoofed or reassigned.

D. Implement a NAC solution that redirects all devices to the guest Wi-Fi for holding until a security analyst can validate the security compliance. This is inefficient and not the strongest access control model.

From the SY0-701 perspective, the strongest NAC deployment uses 802.1X, certificates, and posture assessment , so C is the correct answer.

Web serverBotnet Enable DDoS protectionUser RAT Implement a host-based IPSDatabase server Worm Change the default application passwordExecutive KeyloggerDisable vulnerable servicesApplication Backdoor Implement 2FA using push notification

A screenshot of a computer program Description automatically generated with low confidence

 A rootkit is a type of malware that modifies or replaces system files or processes to hide its presence and activity. A rootkit can change the hash of the cmd.exe file, which is a command-line interpreter for Windows systems, to avoid detection by antivirus or file integrity monitoring tools. A rootkit can also grant the attacker remote access and control over the infected system, as well as perform malicious actions such as stealing data, installing backdoors, or launching attacks on other systems. A rootkit is one of the most difficult types of malware to remove, as it can persist even after rebooting or reinstalling the OS. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 4, page 147. CompTIA Security+ SY0-701 Exam Objectives, Domain 1.2, page 9.

A Service Level Agreement (SLA) is a formal document between a service provider and a client that defines the expected level of service, including what resources will be provided and the agreed-upon time frames. It typically includes metrics to evaluate performance, uptime guarantees, and response times.

MOU (Memorandum of Understanding) and MOA (Memorandum of Agreement) are less formal and may not specify the exact level of service.

BPA (Business Partners Agreement) focuses more on the long-term relationship between partners​​.

Detailed Explanation:

Tokenization replaces sensitive data with non-sensitive surrogate values that retain the necessary format but are meaningless without access to the original data. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: " Data Masking and Tokenization " ​​.

A hash is an algorithm used to verify data integrity by generating a fixed-size string of characters from input data. If even a single bit of the input data changes, the hash value will change, allowing users to detect any modification to the data. Hashing algorithms like SHA-256 and MD5 are commonly used to ensure data has not been altered.

The best answer is C. Data retention.

To avoid unnecessary liability after the end of a legal contract obligation with a third party, an organization should follow a proper data retention policy. Data retention policies define how long data must be kept and when it should be deleted or securely destroyed once it is no longer needed for legal, contractual, regulatory, or business purposes.

Keeping third-party data longer than necessary can increase:

legal exposure

privacy risk

breach impact

storage and governance burden

Why the other options are incorrect:

A. Data encryptionEncryption protects data confidentiality, but it does not address whether the data should still be retained at all.

B. Data classificationClassification helps determine sensitivity and handling requirements, but it does not define when data should be disposed of.

D. Data inventoryAn inventory helps identify what data exists, but it does not by itself reduce liability after contractual obligations end.

From the SY0-701 perspective, reducing liability after contractual or legal obligations end requires proper retention schedules and secure disposal, so C is the correct answer.

A diagram of a computer AI-generated content may be incorrect.

Step 1: Understand Requirements & Security Principles

Requirements:

Customer-facing payment application (PCI DSS compliance applies)

Hosted on third-party cloud (e.g., AWS)

Must segment public-facing and internal resources

Needs to be scalable and resilient

Must have strong security controls

Step 2: Design the High-Level Network Layout

Core Components:

VPC (Virtual Private Cloud): Isolates your environment from other tenants in the cloud.

Subnets:

Public subnet: For resources that must communicate with the internet.

Private subnet: For internal resources, NOT directly exposed to the internet.

Step 3: Place Resources in Appropriate Subnets

Public Subnet:

Internet-facing Load Balancer (LB): Distributes traffic to application servers.

Web Application Firewall (WAF): Protects against web exploits.

Autoscaling Instances: EC2 (or VM) servers running your web front-end, automatically scaling as traffic grows.

Private Subnet:

Application servers: Back-end logic, not exposed to internet directly.

Database: Sensitive data storage, only accessible by application servers.

Internal Load Balancer: Manages traffic among app servers.

WAF: Can be used internally as well for defense-in-depth.

Step 4: Add Connectivity and Security Controls

Internet Gateway: Allows resources in public subnet to communicate with the internet.

NAT Gateway: Allows outbound internet traffic from private subnet without exposing private IPs.

Security Groups: Firewalls at the instance level; allow only necessary traffic (e.g., LB to web server, web server to DB).

Network ACLs: Subnet-level firewalls for additional control.

Step 5: Network Diagram Explanation (Based on Your Images)

Public Subnet (Top Layer)

Load Balancer

Accepts HTTPS traffic from customers.

Sends only necessary HTTP/HTTPS to web servers in public subnet.

WAF (Web Application Firewall)

Sits in front of Load Balancer.

Filters malicious requests (SQLi, XSS, etc.).

Autoscaling Group

Multiple web servers for redundancy and scalability.

Placed in public subnet to respond to traffic spikes.

Private Subnet (Bottom Layer)

Application Servers

Receive requests from public subnet’s load balancer.

Not directly exposed to the internet.

Database

Only accessible from application servers, never public.

Security groups restrict all inbound traffic except from app servers.

Internal Load Balancer

Balances requests to application servers.

Step 6: Flow of Data (Step-by-Step)

Client - > Internet Gateway - > WAF - > Load Balancer (Public Subnet):Customers initiate connections to your app over the internet.

Load Balancer - > Autoscaling Web Servers (Public Subnet):Load balancer routes requests to available web servers.

Web Servers - > Application Logic (Private Subnet):Web servers pass necessary requests to the internal application servers.

App Servers - > Database (Private Subnet):Application servers query/update customer payment data in the database.

Outbound (NAT Gateway):App servers may need to access updates or external APIs—use NAT Gateway for secure outbound connections.

Step 7: Security Best Practices

Security Groups: Only allow necessary ports (e.g., 443 for HTTPS to LB, 3306 for MySQL between app server and DB).

Network ACLs: Add another layer of subnet-level restrictions.

Encryption: Use HTTPS for all external connections, encrypt data at rest and in transit (TLS, disk encryption).

IAM Roles/Policies: Principle of least privilege for accessing resources.

Monitoring/Logging: Enable VPC flow logs, cloud service logs, and application logging.

Patch Management: Automate patching for OS and applications.

Backups: Regular, secure backups of critical data.

Step 8: Compliance Considerations

For payment applications (PCI DSS):

Isolate cardholder data environment (CDE).

Strong access controls (multi-factor authentication, role separation).

Regular vulnerability assessments and penetration testing.

Retain logs for auditing.

Step 9: Draw the Architecture (Summary)

Internet Gateway: Allows inbound/outbound internet access.

Public Subnet: WAF, Load Balancer, Autoscaling group.

Private Subnet: App servers, DB, internal LB.

NAT Gateway: Outbound access for private resources.

Security Groups/ACLs: Control all traffic flows.

Monitoring/Logging: Enabled at all levels.

Bonus: Sample Security Group Rules

Web Server (Public Subnet):

Inbound: 443 (HTTPS) from Internet

Outbound: 80/443 to App Servers

App Server (Private Subnet):

Inbound: 80/443 from Web Servers

Outbound: 3306 (MySQL) to Database

Database (Private Subnet):

Inbound: 3306 from App Servers

Outbound: None (unless replication required)

References to Security+ Domains

1.0 General Security Concepts: Principle of least privilege, defense in depth.

2.0 Threats, Vulnerabilities, Mitigations: WAF, segmentation, patching.

3.0 Security Architecture: Network segmentation, secure design.

4.0 Security Operations: Monitoring, logging, response.

5.0 Security Program Management: Compliance, policy.

A Certificate Signing Request (CSR) is a request sent to a certificate authority (CA) to issue an SSL certificate. The CSR contains information like the public key, which will be part of the certificate.References: Security+ SY0-701 Course Content​, Security+ SY0-601 Book​.

An evil twin attack involves setting up a fraudulent Wi-Fi access point that mimics a legitimate one to intercept network traffic or steal credentials. This attack exploits insecure wireless networks and is focused on network infrastructure.

Impersonation, watering hole, and pretexting are social engineering or web-based attacks, not primarily network attacks.

The evil twin attack is a well-known wireless threat discussed under Threats and Vulnerabilities in SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】.

The scenario describes a large number of unsolicited emails sent to multiple users. This is characteristic of phishing, which SY0-701 defines as mass-distributed fraudulent messages designed to trick recipients into clicking malicious links, downloading malware, or divulging sensitive information.

Phishing campaigns typically involve:

High volume

Non-targeted messaging

Use of spoofed addresses or fake content

Delivery through email systems

A watering-hole attack (A) compromises a legitimate website frequented by targets—not email. Typosquatting (B) relies on malicious websites with deceptive URLs. Business Email Compromise (C) involves highly targeted spear-phishing or impersonation attacks, not bulk email blasts.

Because this incident involves “hundreds of messages” delivered to “multiple users,” it clearly matches the characteristics of a phishing attack, not a sophisticated targeted attack type.

Phishing is the most common form of social engineering and is emphasized heavily in the Security+ exam due to its frequency and effectiveness.

A high-availability network is a network that is designed to minimize downtime and ensure continuous operation even in the event of a failure or disruption. A high-availability network must consider the following factors12:

Ease of recovery: This refers to the ability of the network to restore normal functionality quickly and efficiently after a failure or disruption. Ease of recovery can be achieved by implementing backup and restore procedures, redundancy and failover mechanisms, fault tolerance and resilience, and disaster recovery plans.

Attack surface: This refers to the amount of exposure and vulnerability of the network to potential threats and attacks. Attack surface can be reduced by implementing security controls such as firewalls, encryption, authentication, access control, segmentation, and hardening.

The other options are not directly related to high-availability network design:

Ability to patch: This refers to the process of updating and fixing software components to address security issues, bugs, or performance improvements. Ability to patch is important for maintaining the security and functionality of the network, but it is not a specific factor for high-availability network design.

Physical isolation: This refers to the separation of network components or devices from other networks or physical environments. Physical isolation can enhance the security and performance of the network, but it can also reduce the availability and accessibility of the network resources.

Responsiveness: This refers to the speed and quality of the network’s performance and service delivery. Responsiveness can be measured by metrics such as latency, throughput, jitter, and packet loss. Responsiveness is important for ensuring customer satisfaction and user experience, but it is not a specific factor for high-availability network design.

Extensible authentication: This refers to the ability of the network to support multiple and flexible authentication methods and protocols. Extensible authentication can improve the security and convenience of the network, but it is not a specific factor for high-availability network design.

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 972: High Availability – CompTIA Security+ SY0-701 – 3.4, video by Professor Messer.

Endpoint management software is a tool that allows security engineers to monitor and control the configuration, security, and performance of workstations and servers from a central console. Endpoint management software can help detect and prevent unauthorized changes and software installations, enforce policies and compliance, and provide reports and alerts on the status of the endpoints. The other options are not as effective or comprehensive as endpoint management software for this purpose. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 137 1

This is a classic example of Business Email Compromise (BEC), where attackers spoof or compromise trusted email accounts to trick employees into performing unauthorized financial transactions.

Vishing (B) is voice phishing, spear phishing (C) targets individuals with customized messages, and impersonation (D) is a general term for identity deception but BEC specifically describes financial fraud via email.

BEC is a major threat covered in the Threats domain of SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】

The correct answer is Attack surface because opening multiple common service ports unnecessarily increases the number of potential entry points an attacker can target. In the Security+ SY0-701 exam objectives, the attack surface is defined as the total number of exposed interfaces, services, ports, protocols, and access points that an attacker could attempt to exploit. Each open port corresponds to a listening service, and every exposed service represents an opportunity for reconnaissance, exploitation, or abuse.

In this scenario, the business intends to open ports for FTP, SSH, SMTP, HTTP, and HTTPS without clearly limiting access. While some of these services may be required, opening all of them broadly—especially to a screened subnet—significantly expands the attack surface. If any of these services are misconfigured, unpatched, or vulnerable, attackers could exploit them to gain unauthorized access. The SY0-701 study guide emphasizes minimizing exposed services as a foundational defensive strategy, often referred to as reducing attack surface area.

Option C, least privilege, is related but not the best answer. Least privilege focuses on granting users or systems only the minimum access required, whereas this question specifically concerns exposed network services rather than access rights. Option A, secure access service edge (SASE), is a cloud-based architecture model and is unrelated to basic firewall port exposure decisions. Option D, separation of duties, applies to role and responsibility distribution, not network exposure.

By advising against opening multiple common ports, the consultant is recommending a reduction in exposed services to limit opportunities for attack. This aligns directly with SY0-701 guidance on secure network design, firewall hardening, and minimizing externally accessible services.

In summary, limiting open ports reduces the organization’s attack surface, making Attack surface the correct and best answer.

Secure Access Service Edge (SASE) is the technology best suited for preventing remote users from accessing malicious URLs. According to the CompTIA Security+ SY0-701 framework, SASE integrates cloud-native security capabilities such as DNS filtering, secure web gateways, CASB, and URL categorization, all delivered inline. This means every URL request from a remote user is checked in real time for reputation, content, and category before access is granted.

This solution is specifically designed for remote workforces because security enforcement happens in the cloud, regardless of user location—eliminating reliance on on-premise proxies or VPN routing. SASE also enables consistent policy application and real-time enforcement across distributed networks.

A VPN (A) only encrypts traffic; it does not perform URL reputation checks. IDS (C) detects malicious activity but does not block URL access. SD-WAN (D) optimizes WAN routing but is not focused on content filtering or URL reputation.

Therefore, SASE is the correct and most effective solution for inline URL inspection and preventing remote users from reaching malicious sites.

Because the organization performs the risk assessment each year, it is being done on a regular, scheduled interval. In Security+ terminology, that makes it a recurring risk assessment, not ad hoc, one-time, or continuous. The Study Guide differentiates these modes and states: “Recurring risk assessments are performed at regular intervals, such as annually or quarterly.” This matches the scenario exactly (annually = each year).

To avoid confusion with the other options: a one-time assessment is described as a “point-in-time view” performed when the organization wants a snapshot (often tied to a specific need), while ad hoc assessments are triggered by a specific event or situation (like a new project or significant change). In contrast, the key distinguishing factor of recurring is the planned cadence used to “track the evolution of risks over time” and ensure risk management adapts. The guide also notes continuous risk assessment involves ongoing monitoring and analysis, often supported by automated scanning and frequent updates, which is different from a once-per-year schedule. Therefore, the annual assessment described is best classified as recurring.

The requirement is to prevent the accidental disclosure of national identity information—highly sensitive personal data. The best solution is DLP (Data Loss Prevention). DLP tools monitor, detect, and block unauthorized transmission or exposure of sensitive data across:

Email

Cloud storage

Endpoints

Networks

Databases

In Security+ SY0-701, DLP is specifically recommended for ensuring compliance with privacy regulations, including those related to national identifiers (e.g., Social Security numbers, national ID numbers).

A SIEM (A) aggregates logs but does not prevent data leakage. SCAP (B) provides standardized security configuration assessments, unrelated to data protection. A WAF (D) helps protect web applications but does not prevent sensitive data exfiltration.

Since the requirement focuses on preventing accidental disclosure, DLP is the only technology capable of detecting, labeling, blocking, and reporting attempts to move or expose sensitive national identity data. Therefore, the correct answer is C.

The best answer is A. An exploit will give an attacker access to system functions that span multiple applications .

Operating system vulnerabilities are especially concerning because the OS sits underneath and supports many applications and services. If an attacker exploits an OS-level flaw, the impact can extend across the entire system and affect multiple applications, services, and security controls.

This makes OS-based vulnerabilities particularly serious because compromise at the operating system level can provide broad control over:

system processes

memory and storage access

user accounts and privileges

network services

multiple installed applications

Why the other options are incorrect:

B. The OS vendor ' s patch cycle is not frequent enough to mitigate the large number of threats. This is not a universal or defining concern with OS-based vulnerabilities.

C. Most users trust the core operating system features and may not notice if the system has been compromised. This may be true in some situations, but it is not the best explanation of the inherent risk of OS vulnerabilities.

D. Exploitation of an operating system vulnerability is typically easier than any other vulnerability. This is too absolute and not generally true.

From a Security+ standpoint, OS vulnerabilities are especially dangerous because they can affect the foundational functions of the system and potentially impact many applications at once, making A the best answer.

Detailed Explanation:Smishing is a type of phishing attack that uses SMS text messages to deceive recipients into taking actions such as revealing sensitive information. The urgency in the text indicates this vector. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Threats, Section: " Social Engineering Techniques " ​​.

The correct answer is Zero Trust because it directly aligns with all three stated requirements: creating secure zones, enforcing consistent access control policies across the organization, and reducing the overall threat surface. In the Security+ SY0-701 framework, Zero Trust is a modern security architecture model based on the principle of never trust, always verify. It assumes that threats may already exist inside or outside the network and therefore requires continuous validation of users, devices, and sessions.

Zero Trust architectures segment environments into secure zones, often using microsegmentation, to prevent lateral movement by attackers. This directly reduces the scope of threats by limiting what an attacker can access even if one component is compromised. Enforcing company-wide access control policies is another core Zero Trust principle, as access decisions are centrally governed and based on identity, device posture, context, and least privilege rather than network location.

Option B, AAA (Authentication, Authorization, and Accounting), is an access control framework, but it does not inherently define secure zones or reduce threat scope through segmentation. Option C, Non-repudiation, ensures actions cannot be denied later and is primarily related to auditing and accountability, not access control architecture. Option D, CIA, refers to confidentiality, integrity, and availability—fundamental security goals rather than an implementation model.

The SY0-701 study guide emphasizes Zero Trust as a strategic approach to minimizing attack surfaces, enforcing least privilege, and protecting enterprise resources regardless of user location or network boundaries. By continuously validating access and restricting trust, Zero Trust architectures significantly reduce risk and improve resilience against both internal and external threats.

In summary, the combination of secure zones, centralized access control enforcement, and reduced threat exposure clearly indicates the implementation of a Zero Trust architecture.

The final step in the incident response process is " Lessons learned. " This step involves reviewing and analyzing the incident to understand what happened, how it was handled, and what could be improved. The goal is to improve future response efforts and prevent similar incidents from occurring. It ' s essential for refining the incident response plan and enhancing overall security posture.

References = CompTIA Security+ SY0-701 study materials, particularly in the domain of incident response and recovery​​.

To analyze malware behavior in detail, the best approach is toexecute the malware in a sandbox (D)andcapture its network activity. This providesreal-time analysisof how the malware behaves, spreads, and communicates.

This method is highlighted inDomain 2.1under " Analyzing indicators of compromise " and usingsandboxing and packet captureto study malware.

OCSP stands for Online Certificate Status Protocol. It is a protocol that allows applications to check the revocation status of a certificate in real-time. It works by sending a query to an OCSP responder, which is a server that maintains a database of revoked certificates. The OCSP responder returns a response that indicates whether the certificate is valid, revoked, or unknown. OCSP is faster and more efficient than downloading and parsing Certificate Revocation Lists (CRLs), which are large files that contain the serial numbers of all revoked certificates issued by a Certificate Authority (CA). References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 337 1

To determine whether the connection was successful after a user clicked on a link in a phishing email, the most relevant log source to analyze would be the network logs. These logs would provide information on outbound and inbound traffic, allowing the analyst to see if the user’s system connected to the remote server specified in the phishing link. Network logs can includedetails such as IP addresses, domains accessed, and the success or failure of connections, which are crucial for understanding the impact of the phishing attempt.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Incident Response​.

" Network segmentation is a security practice that divides a network into smaller, isolated segments to limit access and reduce the attack surface. Firewalls are commonly used to enforce segmentation by creating rules that allow or deny traffic based on source, destination, and port. Tomeet compliance requirements, such as restricting access to internal servers, firewall rules can be configured to block all external traffic while permitting only authorized internal systems to communicate with the segmented servers. This ensures that sensitive resources are isolated from unauthorized access. "

Placing a false (decoy) text file in a sensitive location (such as /docs/salaries) is an example of a honeytoken or deception technique. This technique is used to attract insider attackers and monitor their actions when they attempt to access the file.

IPS stands for intrusion prevention system, which is a network security device that monitors and blocks malicious traffic in real time. IPS is different from IDS, which only detects and alerts on malicious traffic, but does not block it. IPS would have mitigated the spread of ransomware by preventing the hacker from accessing the system via the phishing link, or by stopping the ransomware from communicating with its command and control server or encrypting the files.

Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from cyberattacks, such as data breaches, ransomware, denial-of-service, phishing, or malware. Cyber insurance can help a company recover from the costs of restoring data, repairing systems, paying ransoms, compensating customers, or facing legal actions. Cyber insurance is one of the possible strategies that a company can use to address the items listed on the risk register. A riskregister is a document that records the identified risks, their probability, impact, and mitigation strategies for a project or an organization. The four common risk mitigation strategies are:

Accept: The company acknowledges the risk and decides to accept the consequences without taking any action to reduce or eliminate the risk. This strategy is usually chosen when the risk is low or the cost of mitigation is too high.

Transfer: The company transfers the risk to a third party, such as an insurance company, a vendor, or a partner. This strategy is usually chosen when the risk is high or the company lacks the resources or expertise to handle the risk.

Mitigate: The company implements controls or measures to reduce the likelihood or impact of the risk. This strategy is usually chosen when the risk is moderate or the cost of mitigation is reasonable.

Avoid: The company eliminates the risk by changing the scope, plan, or design of the project or the organization. This strategy is usually chosen when the risk is unacceptable or the cost of mitigation is too high.

By purchasing cyber insurance, the company is transferring the risk to the insurance company, which will cover the financial losses and liabilities in case of a cyberattack. Therefore, the correct answer is B. Transfer. References = CompTIA Security+ Study Guide (SY0-701), Chapter 8: Governance, Risk, and Compliance, page 377. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 8.1: Risk Management, video: Risk Mitigation Strategies (5:37).

This describes a watering hole attack, where an attacker compromises a website frequently visited by the target group and delivers malicious payloads, such as automatic downloads.

XSS (A) injects scripts into web pages, typosquatting (C) involves fake websites with misspelled URLs, and buffer overflow (D) exploits memory but does not involve website compromise with automatic downloads.

Watering hole attacks are well-known web-based threats covered in SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】.

In this scenario, employees are attempting to navigate to spoofed websites, which is being blocked by the web filter. To address this issue, the administrator should implement security awareness training. Training helps employees recognize phishing and other social engineering attacks, reducing the likelihood that they will attempt to access malicious websites in the future.

Deploying multifactor authentication (MFA) would strengthen authentication but does not directly address user behavior related to phishing websites.

Decreasing the level of the web filter would expose the organization to more threats.

Updating the acceptable use policy may clarify guidelines but is not as effective as hands-on training for improving user behavior​​​.

The best answer is B. It replaces the original data with reference values that do not hold exploitable meaning .

Tokenization protects sensitive data by substituting the original value with a token , which is a non-sensitive reference value. The token has no meaningful value to an attacker if it is intercepted or exposed. The real sensitive data is stored separately in a protected system, often called a token vault.

This is commonly used for:

payment card data

personally identifiable information

sensitive customer records

Why the other options are incorrect:

A. It permanently deletes sensitive information from production systems. Tokenization does not necessarily delete the original data permanently. It replaces exposed operational use with tokens while the real data is retained securely elsewhere.

C. It stores sensitive data across multiple cloud environments to prevent data loss. This is unrelated to tokenization.

D. It conceals data by converting it into unreadable ciphertext using symmetric encryption. This describes encryption , not tokenization.

From a SY0-701 perspective, tokenization reduces exposure by replacing real sensitive values with non-exploitable substitutes , so B is correct.

The best answer is A. Access lists .

To ensure that only authorized devices can enter or connect to an environment, the organization needs a control that explicitly allows approved devices and denies unapproved ones. Access lists are used to define which devices, systems, or addresses are permitted access.

This can include allowlists based on:

device identifiers

MAC addresses

IP addresses

approved system entries

predefined access control rules

Why the other options are incorrect:

B. Remote connection This is a method of connecting, not a control that determines which devices are authorized.

C. Screened subnets A screened subnet helps separate public-facing systems from internal systems, but it does not directly ensure only authorized devices can enter.

D. Centralized proxy A proxy mediates traffic requests, but it is not the primary control for allowing only authorized devices into an environment.

From a Security+ perspective, restricting access to only approved devices is best aligned with allow/deny rules through access lists , so A is the strongest answer.

The correct answer is A because the primary distinction between a Memorandum of Understanding (MOU) and a Statement of Work (SOW) lies in their legal enforceability and purpose. In the Security+ SY0-701 governance and third-party risk management context, an MOU is generally a formal but nonbinding agreement that outlines mutual expectations, responsibilities, and cooperation between parties. It establishes intent and alignment but typically does not impose enforceable obligations or penalties if terms are not met.

An SOW, on the other hand, is legally binding and serves as a contractual document that defines specific deliverables, timelines, performance metrics, and acceptance criteria. The SY0-701 study guide emphasizes that SOWs are critical in vendor and service provider relationships because they clearly define what work will be performed, how success is measured, and what happens if requirements are not met. This makes the SOW enforceable in legal and regulatory contexts, especially when dealing with sensitive systems or data.

Option B is incorrect because both MOUs and SOWs can identify engagement participants, but this is not their defining difference. Option C is incorrect because both documents typically require agreement from all involved parties, and signature requirements vary by organization and jurisdiction. Option D is incorrect because it reverses the actual level of detail: MOUs are high-level and conceptual, while SOWs are detailed and task-specific.

In security programs, MOUs are often used for cooperative arrangements, such as information sharing between organizations or government entities. SOWs are used when accountability, compliance, and measurable outcomes are required. Understanding this distinction is essential for managing third-party risk, enforcing security requirements, and maintaining compliance with Security+ SY0-701 governance objectives.

Cloud-based models provide strong security with features like encryption, redundancy, and disaster recovery, making it a secure choice for international operations.

=================

An Intrusion Prevention System (IPS) is the most effective addition when an organization already has a firewall but continues to face repeated external attacks. Security+ SY0-701 states that an IPS operates inline and automatically blocks malicious traffic in real time based on signatures, anomaly behavior, or heuristics. Whereas a firewall filters traffic by rules, an IPS detects and prevents deeper-level threats such as exploits, malware, and command-and-control attempts.

A UTM (C) includes IPS features, but it is typically used to replace a firewall with an all-in-one appliance. The question states the organization already has a firewall, so the most efficient addition is a standalone IPS. A SIEM (A) aggregates and analyzes logs but does not block attacks. A load balancer (B) distributes traffic for performance—not security.

Thus, the best item to stop active inbound attacks is D: IPS.

Hashing is the correct mechanism for ensuring that a software release has not been modified prior to reaching the end user. Hashing provides integrity verification by generating a fixed-length digest (such as SHA-256) from the original software package. When users download the software, they can compute the hash locally and compare it to the hash value published by the vendor. If the values match, the software has not been altered; if they differ, tampering or corruption has occurred.

CompTIA Security+ SY0-701 emphasizes hashing as a core cryptographic control used to verify integrity for files, updates, patches, and software distributions. Hashing is extremely sensitive to change—altering even a single bit in the file results in a completely different hash value.

Encryption (B) protects confidentiality, not integrity. Tokenization (A) replaces sensitive data with tokens and is unrelated to software integrity. Obfuscation (D) makes code harder to read but does not guarantee it has not been modified.

Therefore, hashing is the most appropriate and reliable method to ensure software integrity before release.

An air-gapped system is physically isolated from unsecured networks (like the public Internet), ensuring that there is no direct or indirect network connection. This is the most effective way to prevent Internet-based access to sensitive systems.

A physical security control is a device or mechanism that prevents unauthorized access to a physical location or asset. An access control vestibule, also known as a mantrap, is a physical security control that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This prevents unauthorized individuals from following authorized individuals into the facility, a practice known as piggybacking or tailgating. A photo ID check is another form of physical security control that verifies the identity of visitors. Managerial, technical, and operational security controls are not directly related to physical access, but rather to policies, procedures, systems, and processes that support security objectives. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 341; Mantrap (access control) - Wikipedia2