SY0-701 Flashcards — Free Security+ SY0-701 Study Cards

Integrity

The use of cryptographic hashes to detect changes in files is a mechanism for enforcing data integrity. Integrity ensures that data has not been altered by unauthorized entities. In this scenario, the script ensures that any modification to the configuration files is promptly detected, preserving the trustworthiness of the data.

Separation of duties

Requiring two different administrators to approve and execute changes prevents any single individual from having unchecked control over critical operations. This directly supports the separation of duties principle, which reduces the risk of fraud, errors, or malicious activity by dividing responsibilities among multiple people.

SQL injection

The observed patterns are classic SQL injection attempts. The `' OR '1'='1' --` string attempts to bypass authentication by creating a true condition, and `'; DROP TABLE Users; --` attempts to execute a destructive SQL command. A successful SQL injection can allow an attacker to read, modify, or delete database contents. LDAP injection targets directory services, command injection executes OS commands, and XSS injects client-side scripts.

Stack canaries

The vulnerability is a classic buffer overflow that can overwrite the return address on the stack. Stack canaries are small values placed before the return address; if a buffer overflow occurs, the canary is corrupted, and the program terminates before control can be hijacked. This makes stack canaries the most direct runtime mitigation for stack-based buffer overflows. Transport Layer Security (TLS) encrypts data in transit but does not prevent buffer overflows in the application. Code signing ensures the integrity and authenticity of the binary but does not stop exploitation once the code runs. Data Execution Prevention (DEP) prevents execution of code in non-executable memory regions; however, attackers can bypass DEP using return-oriented programming (ROP), while a stack canary would still detect the overflow and abort.

Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution

This attack is a form of business email compromise (BEC) or CEO fraud, where the attacker spoofs or uses a lookalike domain to impersonate an executive. The most effective prevention is implementing a mandatory out-of-band verification procedure, such as a phone call to a known number, before processing financial requests. Email filtering might catch some spoofed emails, but lookalike domains often bypass filters. Multi-factor authentication (MFA) protects account logins, not email-based impersonation. Encryption ensures confidentiality but does not validate sender identity. Security awareness training is helpful but human error can still occur; a hard validation procedure is more reliable for high-risk actions.

Vishing

This scenario describes a vishing attack, which is a form of social engineering conducted over the phone. The attacker uses a fabricated pretext (a security emergency) to pressure the victim into disclosing sensitive credentials and MFA codes. Unlike spear phishing, which is email-based, vishing relies on voice communication. Pretexting is the broader act of creating a fabricated scenario, but the specific medium (phone) and goal (obtaining passwords and MFA) make vishing the most precise term. Tailgating involves physical unauthorized entry, not phone calls.

Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.

The preferred architecture for a public-facing web application with a backend database is to place the web server in a DMZ (or screened subnet) and the database server on the internal network with a firewall rule that permits only the web server's IP address to communicate with the database over the required port (e.g., 3306 for MySQL). This ensures that external users can only access the web server, and the database is not directly reachable from the internet. All other options introduce unnecessary exposure or complexity.

Defense in depth

The design incorporates multiple layers of security controls: network segmentation (DMZ vs. internal), restrictive firewall rules, and encryption of inter-server communications. This layered approach is the hallmark of defense in depth. While the design also applies least privilege by limiting which servers can communicate and on which ports, the primary intent of combining these different controls is to ensure that if one layer fails, other layers still provide protection. Separation of duties relates to dividing administrative privileges among multiple individuals, not network zoning. Zero trust would require continuous verification of every request, which is not fully implemented here because the firewall rule implicitly trusts the web servers to communicate with the internal application servers without further authentication.

Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.

Zero trust architecture operates on the principle of 'never trust, always verify' and typically grants access only to specific resources on a per-session basis after verifying user identity, device health, and other contextual factors. A software-defined perimeter (SDP) or a zero trust network access (ZTNA) solution directly enforces this by creating an encrypted, micro-segmented connection to each application rather than broad network access. Option C is the correct choice. Option A (firewall with strict rules) still provides network-layer access after authentication, which violates the least-privilege and micro-segmentation goals. Option B (secure web gateway) only handles web traffic and does not replace the need for application-specific zero trust controls for all remote services. Option D (MFA plus VPN with split tunneling) improves authentication but still grants broad LAN access once inside, failing to contain lateral movement.

Secure enclave (e.g., Intel SGX)

The scenario requires hardware-enforced isolation of runtime processes and memory from the underlying OS and hypervisor. This is a core capability of a secure enclave (e.g., Intel SGX, AMD SEV). A TPM provides attestation and secure storage but does not isolate runtime memory. An HSM protects cryptographic keys and operations but is not designed for general-purpose code execution isolation. Secure Boot ensures only trusted bootloaders are loaded but does not protect applications at runtime.

Investigate the user's recent activity and check for signs of process hollowing or DLL injection.

Legitimate processes can be abused by attackers using techniques such as process hollowing, DLL sideloading, or command-line injection. The analyst should not immediately assume the process is benign simply because the file hash matches a known good file. Further investigation, such as checking for suspicious parent-child process relationships, unusual command-line arguments, or signs of injection, is necessary to determine if the updater is being used maliciously. Creating an exception blindly could allow malicious activity to persist undetected, while disabling the updater may disrupt necessary software updates. Isolation and reimaging are too aggressive without confirmed compromise.

Investigate whether any of the attempted accounts correspond to actual domain users.

The pattern of failed logon attempts with random account names from an external IP is indicative of a password spraying or dictionary-based brute-force attack. The primary concern is whether any of the targeted accounts are valid domain users because a successful login could have occurred and might not appear as a failure. Before taking irreversible actions such as blocking the IP or escalating to legal, the analyst should investigate if any valid accounts were attempted, as that could indicate a potential compromise. Running an antivirus scan on the domain controller is not directly relevant to the immediate threat, and notifying legal is premature without more evidence.

Modify the rule to trigger only when the failed attempts originate from multiple distinct source IP addresses.

The goal is to distinguish between accidental mistypes (single IP, low volume) and true brute-force attacks (often distributed across multiple IPs). Option B achieves this by requiring the failed attempts to come from multiple distinct source IPs, which is a strong indicator of an automated attack using proxies/botnets. Option A simply raises the threshold, which may miss slower or cautious attackers. Option C targets password spraying (multiple accounts, single password) rather than single-account brute force. Option D is unreliable because users may not submit password reset requests, and it could be bypassed by an attacker who also requests a reset. Therefore, B is the most effective tuning technique.

Capture a full memory dump of the server

The order of volatility (OOV) dictates that the most volatile data (data that changes rapidly or is lost when power is removed) should be captured first. Memory (RAM) is the most volatile because it contains running processes, network connections, and encryption keys that disappear when the system is shut down or rebooted. Capturing a memory image before any other action ensures that this critical evidence is preserved. Disks contain persistent data but are less volatile, while shutting down the system would destroy volatile data. Running an antivirus scan alters the system state and can destroy evidence.

Initiate the organization's incident response process for a potential data exfiltration event.

This scenario describes a classic indicator of data exfiltration: a user account exhibiting behavior wildly outside its baseline (500 GB vs. <10 MB daily) combined with a login from an unexpected geographic location. The most appropriate action is to initiate the organization's incident response process, which will trigger a formal investigation, contain the threat, and preserve evidence. While contacting the user or temporarily blocking the account might seem reasonable, these steps should be performed under the guidance of the incident response plan to avoid alerting a potential attacker or destroying evidence. Disabling the entire SharePoint site is an overreaction that would disrupt all users.

A full packet capture of the network traffic from the workstation showing the complete DNS messages.

DNS tunneling exfiltrates data by encoding it into the subdomain portion of DNS queries. To confirm that the data from a specific file is being sent, the analyst needs to inspect the full content of the DNS query packet. A full packet capture of the network traffic includes the entire DNS message, including the complete subdomain string, which can be decoded and compared directly to the contents of the suspected file on the workstation. DNS server logs often truncate long subdomain names or may not log them at all, making them less reliable. Process creation logs show which program made the queries but not the transmitted data. Firewall logs only show connection metadata and cannot reveal the payload of the DNS queries.

Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.

Proper due diligence in vendor risk management involves verifying that the vendor’s security controls meet the company’s specific requirements, not just accepting broad attestations. A SOC 2 Type II report contains detailed descriptions of controls, including encryption practices, and an auditor has tested their operating effectiveness over a period of time. Reviewing the relevant control descriptions and test results within the report is the most direct and reliable way to confirm the required encryption standards are in place. The other options are either insufficient, create unnecessary cost, or fail to provide evidence of actual control effectiveness.