SY0-701 Free Mock Exam — Full Exam Simulation

A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?

A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?

A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?

A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?

A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?

A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?