SY0-701 General Security Concepts • Complete Question Bank
Complete SY0-701 General Security Concepts question bank — all 0 questions with answers and detailed explanations.
Based on the exhibit, what should be implemented to reduce the blast radius if a backup server is compromised later?
Backup job configuration:
```
algorithm=AES-256-GCM
key_file=/opt/backup/key.bin
rotation=disabled
same_key_for_all_sites=true
```
backup_media copied to an offsite vault each night
Based on the exhibit, what is the best fix so role changes are reflected promptly in the application?
Token and directory data:
09:10 Token issued for user jdoe
groups=[Finance_Approver, Expense_Reviewer]
auth_time=09:10
exp=17:10
09:15 HR updated directory: jdoe moved to Sales
11:00 The application still accepts the original token and allows expense approval
11:01 Identity provider logs show no token revocation event
Based on the exhibit, which change best improves accountability while still allowing emergency access?
A finance team uses the following shared account on a jump host:
07:55:12 Account=FIN-ADMIN Action=ApproveInvoice Host=JUMP-02 IP=10.30.8.21
07:56:03 Account=FIN-ADMIN Action=ChangeVendorBank Host=JUMP-02 IP=10.30.8.21
07:57:44 Account=FIN-ADMIN Action=ExportReport Host=JUMP-02 IP=10.30.8.21
Note: FIN-ADMIN is used by three finance managers during after-hours support.
Current controls on finance laptops:
- Full-disk encryption enabled
- SIEM alerting on impossible-travel logins
- Weekly security awareness reminders
- USB ports left enabled for engineering and finance teams
Incident summary:
- Two finance users copied monthly revenue files to personal flash drives after downloading them
- Internet access and email must remain available for normal work
Based on the exhibit, what is the best governance improvement?
Data handling procedure:
- Managers may approve external sharing exceptions verbally.
- Staff record exceptions in email threads.
- No retention period is defined for exception evidence.
Audit note: multiple exceptions could not be traced to an approver.
Based on the exhibit, which document should be created or updated to make these settings mandatory and measurable?
Endpoint baseline draft:
- Full-disk encryption should be enabled on all corporate laptops.
- Screen lock should activate after 15 minutes of inactivity.
- Users should choose strong passwords.
Related documents:
- Policy: Acceptable Use Policy
- Standard: none
- Procedure: Laptop imaging steps
- Guideline: Suggested hardening tips
Current document excerpt:
- Managers may approve external file sharing by email.
- Employees should keep the approval email in their inbox.
- Help desk records exceptions if time allows.
Audit note:
- No consistent evidence of approval or exception retention was found across departments.
Management objective:
- External sharing exceptions must be approved, retained, and auditable in a consistent way.
Based on the exhibit, which improvement best addresses the biggest cryptographic risk?
TLS inventory:
- edge-vpn01 and edge-vpn02 present the same certificate and private key
- private key file stored in a shared SMB folder
- admins copy the key manually during maintenance
- compromise of either gateway would expose the file path to the same share
Application log excerpt:
10:20 HR updated jsmith from finance_approver to finance_viewer
10:35 invoice-approve allowed for jsmith by token claim role=finance_approver
11:05 jsmith still able to submit approval actions
JWT sample:
{
"sub": "jsmith",
"roles": ["finance_approver"],
"exp": "2026-05-01T18:00:00Z"
}
Identity team note: tokens remain valid for 8 hours after sign-in.
Lobby access review:
- 09:14:02 badge swipe accepted for employee j.tan
- 09:14:07 an unknown person entered immediately behind j.tan
- 09:14:19 CCTV shows the person had no badge visible
- 09:16:44 the person exited through the same lobby door
Current controls:
- Badge reader on main entrance
- CCTV camera facing the lobby
- Monthly security awareness reminder about badge use
Phishing awareness summary:
- 300 users received a fake help-desk phone call
- 17 users disclosed a one-time code
- 41 users reported the call
- Most failures happened after the caller asked users to "verify" their account
Sample call script: "Please read the code from your authenticator app so we can restore access."
Training manager note:
- Users recognize suspicious emails more often than suspicious phone calls.
Based on the exhibit, which control would most effectively reduce the remaining successful attacks?
Phishing awareness results:
- Team A: click rate 8%, report rate 6%, median report time 52 min
- Team B: click rate 7%, report rate 18%, median report time 14 min
- Team C: click rate 12%, report rate 21%, median report time 10 min
Incident summary: Team C had one mailbox takeover after a user approved an MFA push while traveling.
backup.sh excerpt:
```
openssl enc -aes-256-cbc -in finance.tar -out finance.tar.enc -kfile /opt/backup/finance.key
chmod 600 /opt/backup/finance.key
# same key file copied to all backup servers
```
Backup administrator note:
- All sites use the same encryption key so restores are simple.
- The key file is stored on the local backup server.
Based on the exhibit, what additional control is the best fit?
Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00
Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.
Goal: detect unauthorized bulk access quickly before exfiltration completes.
Jump host session log:
```
10:02 sharedadmin login successful from 10.20.1.45
10:03 sudo /opt/deploy/apply_patch.sh
10:11 sudo systemctl restart appsvc
10:12 logout
```
Audit note:
- Three administrators used the same shared account this week.
- Logs do not identify which person executed which command.
- Management still wants a break-glass option for after-hours maintenance.
Match each concept to its description:
- MFA is required before a user can open the email system.
- File integrity monitoring alerts when a protected file changes.
- A compromised laptop is reimaged from a standard build.
- A login banner warns that activity is monitored and audited.
- A procedure tells staff to report lost devices within one hour.
- Extra logging is enabled while a missing patch is being scheduled.
Match each concept to its description:
- Secure boot refuses to start untrusted boot code.
- A log review process shows when an administrator changed a firewall rule.
- A damaged endpoint is restored from a known-good image.
- A camera above the server rack makes misuse less likely.
- A written standard tells staff how to handle removable media.
- A restricted jump box is used until direct admin access is approved again.
Password audit snapshot:
```
User   Stored value
alice  5baa61e4c9b93f3f0682250b6cf8331b
bob    5baa61e4c9b93f3f0682250b6cf8331b
carol  2bb80d537b1da3e38bd30361aa855686
```
Audit note: Two accounts have the same stored value, and the security team wants to reduce the value of rainbow-table attacks if the database is stolen.
File Integrity Monitor alert:
- Host: WEB-03
- Path: /etc/ssh/sshd_config
- Time: 02:18:44
- Old SHA-256: 7f2a9c8d2b0f9c7e6a0c...
- New SHA-256: 91cd1f3b84d7e2a7f44b...
- Action taken: alert sent to SOC; no rollback or automatic block occurred
SOC note: An unauthorized change was detected during the overnight review.
Current access model:
- Any laptop on the corporate VPN can reach 10.8.40.15:443.
- The VPN checks device compliance only when the tunnel is created.
- After login, the session remains valid for 12 hours.
- Users can access the finance app from any managed or unmanaged device once connected.
Security proposal:
- Reevaluate device posture before each sensitive transaction.
- Grant only application-specific access, not subnet-wide access.
- Require MFA again if device risk changes during the session.
Match each concept to its description:
- A help desk technician can reset passwords but cannot open payroll records.
- A customer portal uses MFA, endpoint protection, and network filtering together.
- The system rechecks trust before each sensitive action, even from a managed device.
- One employee creates a payment batch and a different employee approves it.
- An analyst sees only the case files assigned to that investigation.
Legacy payroll application notes:
- Vendor confirms the admin console does not support MFA or SSO.
- Direct inbound access to TCP/8443 is blocked from user VLANs.
- Administrators must connect to jump host JH-02.
- JH-02 requires MFA, records all sessions, and forwards admin traffic to PAY-LEG-01.
- The target application itself cannot be modified before end of support.
Package verification steps:
1. sha256sum update.zip = 9f7c2a4b6f1d8e4c...
2. Vendor website shows the same hash
3. openssl dgst -sha256 -verify vendor_pub.pem -signature update.zip.sig update.zip
   Verified OK
Audit note: The security team wants proof of origin, not just proof that the file content stayed the same.
Match each concept to its description:
- A firewall blocks inbound remote desktop traffic from the internet.
- A SIEM alert notifies analysts after multiple failed logins occur.
- A clean backup is restored after malware is removed from a laptop.
- A visible warning sign says the area is under video surveillance.
- A policy requires users to lock their screens when stepping away.
- A jump host is used temporarily until direct administration is safely allowed.
Match each concept to its description:
- Protect the data if the laptop is stolen.
- Check that the file was not changed during download.
- Make identical passwords produce different hash values.
- Confirm the file came from the expected sender and stayed intact.
- Replace an encryption key on a planned schedule.
Match each concept to its description:
- Give the user only the permissions needed to do the job.
- Share only the information required for the assigned task.
- Split important steps so one person cannot complete everything alone.
- Verify each request instead of trusting a user just because they are internal.
- Use multiple protective layers so one failure does not expose everything.
Firewall rule change #4219:
- Requested by: NetworkOps1
- Approved by: NetworkOps1
- Implemented by: NetworkOps1
- Audit note: the same person can create, approve, and deploy production firewall changes.
Proposed redesign:
- Engineer drafts the change.
- Security reviewer approves it.
- A different administrator implements it during a maintenance window.
- The change ticket is visible only to the people assigned to the task.
MDM remediation log:
- Device: FIN-LT-14
- Issue: Local firewall profile modified by user
- Policy baseline: Company-Standard-Windows-14
- Action: policy sync scheduled at next check-in
- Result: approved firewall rules reapplied automatically after the device reconnected
Help desk note: The user changed local settings to troubleshoot a personal printer and did not restore them.
Backup vault policy:
- Backup objects are encrypted with per-job data encryption keys (DEKs).
- A key-encryption key (KEK) named vault-kek-v1 wraps the DEKs.
- vault-kek-v1 will be rotated to vault-kek-v2 tonight.
- Existing backup metadata still points to DEKs wrapped by vault-kek-v1.
- Requirement: all backups from the last 18 months must remain restorable after rotation, with no mass re-encryption window.
Match each concept to its description:
- Makes data unreadable to anyone who does not have the correct key.
- Creates a fixed-size fingerprint to detect whether data changed.
- Adds random data before hashing passwords so identical passwords look different.
- Lets others verify who signed the file and that it was not altered.
- Replaces an encryption key before its approved lifetime ends.
Access request:
- Requester: helpdesk_27
- Task: reset one user's MFA enrollment and unlock one locked account
Current access:
- Helpdesk_ReadOnly: view user details only
- Helpdesk_Admin: unlock accounts and reset MFA for assigned tickets
- Domain_Admin: full server and directory administration
Proposal:
- Add helpdesk_27 to Domain_Admin for 7 days so the ticket can be completed quickly.
Match each concept to its description:
- A database account can update records but cannot approve purchases.
- A contractor can view only the log source tied to the assigned ticket.
- One person prepares a wire transfer and another authorizes it.
- The portal checks the device and user again before each sensitive action.
- The application is protected by MFA, filtering, and endpoint controls.
Finance change workflow:
- Step 1: Create vendor record - AP Clerk
- Step 2: Enter invoice - AP Clerk
- Step 3: Approve payment above $5,000 - AP Manager
- Step 4: Update bank account - Treasury Admin
Finding: The shared account finance_ops can perform all four steps, and two employees use the same credentials for convenience.
Match each concept to its description:
- Least privilege
- Need-to-know
- Zero trust
- Defense in depth
- Availability
Match each concept to its description:
- Preventing unauthorized disclosure of information.
- Ensuring data is not altered without authorization.
- Keeping systems and data accessible when needed.
- Giving a user only the permissions required to do the job.
- Limiting access to information that a person specifically needs for their role.
Match each concept to its description:
- Use a hash value.
- Use symmetric encryption.
- Use asymmetric encryption.
- Use a digital signature.
VPN and application audit:
```
08:04 user rpatel authenticated from home laptop
08:05 VPN tunnel established
08:06 request: GET /finance/q4-forecast.xlsx
08:06 policy: allowed because prior login within 12 hours
08:07 note: device posture not checked; no step-up MFA
```
```
openssl verify -CAfile corp-root.pem signed-invoice.pdf
signed-invoice.pdf: OK
```
Signature report:
- Signer: CN=Northwind Procurement
- Issuer: CN=Corp Intermediate CA
- Timestamp: 2026-04-14 16:22 UTC
- Document digest: matches signature
Match each concept to its description:
- Producing a fixed-length value used to detect changes.
- Using the same secret key to encrypt and decrypt data.
- Using a public key and private key pair for encryption or decryption.
- Proving who signed something and showing it was not changed.
- Creating, storing, rotating, and retiring cryptographic keys safely.
Share review: \\filesrv\Acquisition
ACL:
- Finance Dept: Modify
- M&A Steering Team: Full Control
- Audit Group: Read
Notes:
- Only three deal leads need access to target valuation models.
- Other finance staff only need invoice-tracking files.
- Valuation models are stored in the same folder as general deal documents.
Backup job design:
- Generate a random AES key to encrypt 8 TB of archive data
- Encrypt the AES key with the backup server's public key
- Store the encrypted AES key alongside the archive
- Secondary site must restore the data if the primary backup server is unavailable
- Current design stores the corresponding private key only on the primary server
Legacy system constraints:
- Controller cannot support MFA
- Controller cannot support modern encryption
- Replacement will not occur for 9 months
Compensating measures implemented:
- Dedicated management VLAN
- Firewall ACLs limiting source IPs
- Jump host with session recording
- Daily configuration backups
Match each concept to its description:
- A firewall blocks unauthorized inbound traffic.
- A written policy requires manager approval before access is granted.
- A badge reader controls entry to a server room.
- A SIEM alert notifies the SOC about a failed login pattern.
- Restoring a system from a known-good backup after a failure.
```
C:\Downloads> certutil -hashfile CU-2026-02.msu SHA256
SHA256 hash of CU-2026-02.msu:
9f2c3a1b8d4e0f77c0d2e6b5f0a4b1c8d9e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6
```
Vendor portal published hash: 9f2c3a1b8d4e0f77c0d2e6b5f0a4b1c8d9e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7
Match each concept to its description:
- Stops a threat before it succeeds.
- Identifies an event after or while it is happening.
- Fixes a problem after it has occurred.
- Discourages an attacker from trying.
- Provides an alternate safeguard when the preferred control is not possible.
Match each concept to its description:
- Issues and signs digital certificates.
- Binds an identity to a public key.
- Can be shared with others to encrypt data or verify signatures.
- Must be kept secret and is used to decrypt or sign.
- Removes trust from a certificate that should no longer be used.
Security event summary:
- Malicious attachment passed the email filter
- Macro execution was blocked by application control
- Process launch was contained by EDR
- Stolen password alone could not reach the admin portal because MFA was required
- Offline backups were used for recovery testing after the incident
Match each concept to its description:
- A user must be verified each time they request access, even from inside the network.
- The organization uses layered controls such as MFA, filtering, and endpoint protection.
- A contractor can view only the project files required for assigned tasks.
- A support technician receives only the minimum permissions needed to close tickets.
- A website stays online after one server fails because another takes over.
Workstation baseline:
- Standard users are local admins
- Executables and scripts run from user-writable paths
- Unauthorized persistence reappears after reimaging
- Developers need to install approved tools, but not arbitrary software
Current behavior:
- Users sign in once through SSO
- App caches role assignments locally for the browser session
- Role changes are only noticed after logout
- No app-specific passwords are stored
Endpoint findings:
- Local root certificate store was modified
- Browser trusts a new enterprise-looking root CA
- TLS warnings no longer appear for the internal portal
- The user has local administrator rights
Server review:
- Inbound firewall policy: allow any source to any port
- Web service account: domain admin
- Required flows: load balancer to web service, jump host to admin port
- No other inbound access should be permitted
Deployment notes:
- service.key is copied into the image layer
- the same key is reused across several nodes
- certificate renewal is manual and yearly
- services authenticate to each other with TLS
Change request excerpt:
- One engineer can submit a firewall rule and approve it alone
- Security requires a second person review for production changes
- The team wants a clear record of who approved and deployed the change
IAM review notes:
- HR updates job changes in the HR system
- SaaS apps maintain separate local accounts
- Deprovisioning is manual and often delayed
- Users keep permissions from their previous role
Audit summary:
- Approval account: procure-approve
- 12 employees know the password
- Audit trail records only the shared account name
- No digital signature or tamper-evident log is present
Access review summary:
User: Alicia M.
Assigned roles:
- Payroll Administrator
- Finance Approver
Effective permissions:
- Modify payroll records
- Approve payroll release
- Export payment file
Control note:
- No secondary approval is required when Alicia approves her own prepared payroll batch.
Simplified network view:
```
Internet
   |
Perimeter firewall
   |
User VLAN 10
---------------------------------------------
| Workstations                               |
| File shares                                |
| Domain services                            |
| SSH allowed from User VLAN to all servers  |
---------------------------------------------
```
Current rule set:
- TCP 22 from any device in VLAN 10 to internal Linux servers
- TCP 3389 from any device in VLAN 10 to Windows servers
- No dedicated admin network
- No bastion host
Database sample:
```
users.password_hash
--------------------------------
alex  5f4dcc3b5aa765d61d8327deb882cf99
mira  202cb962ac59075b964b07152d234b70
sam   098f6bcd4621d373cade4e832627b4f6
```
Developer note:
- Passwords are hashed before storage
- The application does not currently store any salt values
File access requirement
Rules:
- Users may open documents only if Department matches the file owner department
- Contractors may access only files tagged Project=Orion and Clearance=Internal
- Managers may access files for employees in their own business unit
- Access decisions must consider user attributes and file tags at request time
Remote Access Security Requirement
Must have all of the following:
- Phishing-resistant second factor
- Works without relying on SMS or email delivery
- Suitable for privileged administrator logons
Available methods under review:
1. SMS one-time code
2. Email one-time link
3. Authenticator app TOTP code
4. FIDO2 hardware security key
```
$ openssl s_client -connect pay.example.net:443 -servername pay.example.net
CONNECTED(00000003)
depth=0 CN = portal.example.net
verify error:num=62:hostname mismatch
verify return:1
---
Certificate chain
 0 s:CN = portal.example.net
   i:CN = Example Issuing CA
   a:PKEY: rsaEncryption, 2048 (bit)
Not After : May 10 2026
---
```