
Security+ SY0-701 — Questions 76–150

1152 questions total · 16 pages · All types, answers revealed

Page 2 of 16
76 · MCQ · medium

A SIEM analyst reviews authentication logs and sees the following pattern over 15 minutes: 68 different user accounts each had one failed login attempt from the same source IP, followed by no lockouts, and then one of the accounts successfully authenticated from that same IP using a valid password. What is the most likely explanation?

A. A brute-force attack against a single account using many password guesses.
B. A password spraying attack using common passwords across many accounts.
C. A replay attack using captured authentication traffic.
D. A successful SSO federation event after a directory sync delay.

Answer: B

This pattern matches password spraying because the attacker tests a small number of common guesses against many accounts to avoid lockouts.

Why this answer

The pattern of 68 different user accounts each experiencing a single failed login attempt from the same source IP, followed by one successful authentication from that IP using a valid password, is the classic signature of a password spraying attack. In password spraying, the attacker tries a small number of common passwords (often just one) against many accounts to avoid triggering account lockout policies, which typically lock an account after a small number of consecutive failures (e.g., 3–5 attempts). The single success indicates the attacker found an account using a weak or common password.

Exam trap

CompTIA often tests the distinction between brute-force (many passwords, one account) and password spraying (one password, many accounts), and the trap here is that candidates see 'failed login attempts' and immediately assume brute-force without noticing the unique pattern of one failure per account.

How to eliminate wrong answers

Option A is wrong because a brute-force attack against a single account would show many failed attempts for that one account (e.g., dozens or hundreds), not one failure each across 68 different accounts. Option C is wrong because a replay attack would involve capturing and retransmitting valid authentication traffic (e.g., Kerberos tickets or NTLM hashes), not a pattern of failed logins followed by a single success; replay attacks do not generate failed login events from the attacker's perspective. Option D is wrong because an SSO federation event after a directory sync delay would not produce 68 failed logins from the same IP; SSO events typically show a single successful authentication via a token or assertion (e.g., SAML response), not a spray of failures.
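The spray signature this item describes (many accounts, one failure each, same source IP, then a single success) can be tested for mechanically. The following Python is an added example, not part of the question bank; the log line format, the sample records and the thresholds are assumptions chosen for illustration.

```python
"""Separate password spraying from brute force in authentication logs.

Added example; not from the question bank. Line format, sample records and
thresholds are assumptions for illustration, not a real SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO-8601 UTC> auth <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def classify_sources(lines, window=timedelta(minutes=15),
                     spray_min_accounts=20, spray_max_fails_per_account=2,
                     brute_min_fails=10):
    """Return {source_ip: verdict} over each source's trailing window.

    password_spray: many distinct accounts, each with at most a couple of
                    failures, so no lockout threshold is ever reached
    brute_force:    one account absorbing many failures
    Accounts that succeeded after a failure from the same source are listed
    in either case so the analyst can prioritise what actually got in.
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        end = evs[-1]["ts"]
        recent = [e for e in evs if end - e["ts"] <= window]
        fails = defaultdict(int)
        first_fail = None
        for e in recent:
            if e["result"] == "FAIL":
                fails[e["user"]] += 1
                first_fail = first_fail or e["ts"]
        got_in = sorted({e["user"] for e in recent
                         if e["result"] == "OK" and first_fail is not None
                         and e["ts"] > first_fail and e["user"] in fails})
        distinct = len(fails)
        max_per_account = max(fails.values(), default=0)
        if distinct >= spray_min_accounts and max_per_account <= spray_max_fails_per_account:
            verdict = "password_spray"
        elif max_per_account >= brute_min_fails:
            verdict = "brute_force"
        else:
            verdict = "no_pattern"
        verdicts[src] = {"verdict": verdict,
                         "distinct_accounts": distinct,
                         "max_failures_per_account": max_per_account,
                         "success_after_failure": got_in}
    return verdicts


def sample_lines():
    """Constructed records: the item's spray, a brute force, and a typo."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # 68 accounts, one failure each, from one TEST-NET address, then one success
    for i in range(68):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.strftime(fmt)} auth FAIL user=user{i:03d} src=203.0.113.7")
    t = base + timedelta(minutes=14)
    lines.append(f"{t.strftime(fmt)} auth OK user=user041 src=203.0.113.7")
    # 30 failures against a single account from another address
    for i in range(30):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.strftime(fmt)} auth FAIL user=admin src=198.51.100.9")
    # benign: one mistyped password, then success
    lines.append(f"{base.strftime(fmt)} auth FAIL user=carol src=192.0.2.50")
    t = base + timedelta(seconds=20)
    lines.append(f"{t.strftime(fmt)} auth OK user=carol src=192.0.2.50")
    return lines


if __name__ == "__main__":
    for src, v in classify_sources(sample_lines()).items():
        print(src, v)
```

Tune the thresholds to the directory's lockout policy: a spray that stays one attempt below the lockout count per account is exactly what the "no lockouts" clue in the question points at.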

77 · MCQ · medium

Security receives a company laptop used in an insider theft investigation. A manager wants the device moved to another office for review by legal staff. Which action best supports chain of custody?

A. Power on the laptop to confirm the user profile and recent activity before transport.
B. Place it in a labeled evidence bag, record the collector, time, location, and condition, and require signatures for each transfer.
C. Remove the drive and clone it without documenting the collection process.
D. Email a photo of the laptop to legal and leave the original on a desk.

Answer: B

Chain of custody depends on proving who handled the evidence, when, where, and in what condition. Documenting the device at collection, sealing it appropriately, and recording every transfer creates a defensible record that supports legal review. This approach reduces the risk of tampering claims and helps establish that the laptop was preserved from the moment it was seized until it reaches legal or forensic personnel.

Why this answer

Option B is correct because it follows the formal chain of custody process required for evidence handling. Placing the laptop in a labeled evidence bag with documented collector, time, location, and condition, along with requiring signatures for each transfer, ensures the integrity and admissibility of evidence by creating an unbroken audit trail. This aligns with NIST SP 800-86 and forensic best practices for maintaining custody of digital evidence.

Exam trap

CompTIA often tests the misconception that simply securing the device or performing preliminary analysis is sufficient, but the trap here is that any action altering the device state or lacking formal documentation breaks the chain of custody, even if the intent is to preserve evidence.

How to eliminate wrong answers

Option A is wrong because powering on the laptop alters system state, modifies timestamps, and can trigger encryption or anti-forensic mechanisms, thereby breaking the chain of custody and potentially destroying volatile evidence. Option C is wrong because removing the drive and cloning it without documenting the collection process violates chain of custody requirements; proper documentation of each step, including drive removal and cloning, is essential for evidence integrity. Option D is wrong because emailing a photo and leaving the original on a desk fails to secure the device, does not document transfer or condition, and provides no chain of custody, making the evidence inadmissible.

78 · Matching · medium

Match each awareness-program metric to the interpretation the security team should use. 1. 8% of users clicked the simulated phishing link. 2. 34% of users reported the simulation using the report-phish button. 3. The median time from message delivery to first user report was 12 minutes. 4. 96% of staff completed the annual awareness module.

Concepts and matches

Click rate: 1. 8% of users clicked the simulated phishing link.

Report rate: 2. 34% of users reported the simulation using the report-phish button.

Time to report: 3. The median time from message delivery to first user report was 12 minutes.

Training completion rate: 4. 96% of staff completed the annual awareness module.

Why these pairings

Each metric guides interpretation: click rate indicates susceptibility, report rate shows security culture, reaction time measures responsiveness, and completion rate reflects training adoption.

79 · Matching · easy

Match each control type to the most fitting example in a branch office.

Matches

Secure boot refuses to start untrusted boot code.

A log review process shows when an administrator changed a firewall rule.

A damaged endpoint is restored from a known-good image.

A camera above the server rack makes misuse less likely.

A written standard tells staff how to handle removable media.

A restricted jump box is used until direct admin access is approved again.

Why these pairings

Preventive controls block incidents; detective controls identify them; corrective controls restore operations; deterrent controls discourage attacks; compensating controls provide alternative protection; physical controls secure physical access.

80 · MCQ · hard

A contractor signs in to a project portal that fronts several SaaS tools. Access must be granted only if all of the following are true: the user is assigned to the project, the device is managed, and the request occurs during the approved maintenance window. Which access model best supports this requirement?

A. Role-based access control because the contractor has one project role
B. Attribute-based access control because multiple runtime attributes determine access
C. Single sign-on because the user should not log in more than once
D. Privileged access management because the contractor needs temporary access

Answer: B

ABAC is the best fit because the decision depends on several attributes evaluated dynamically: user assignment, device status, and time of request. This lets the organization express a policy that is more precise than a static role and better aligned to least privilege. In a federated portal, ABAC can also work alongside identity assertions to make access decisions at sign-in and during session use.

Why this answer

Attribute-based access control (ABAC) evaluates multiple runtime attributes—such as user-project assignment, device management status, and time of request—against policies to grant access. This matches the requirement because all three conditions must be true simultaneously, and ABAC can combine subject, resource, and environment attributes in a single policy rule. Role-based access control (RBAC) would only check the user's role, not device or time attributes.

Exam trap

The trap here is that candidates see 'contractor' and 'project' and immediately think of RBAC roles, overlooking that the requirement explicitly demands evaluation of multiple runtime attributes (device managed, maintenance window) which only ABAC can handle dynamically.

How to eliminate wrong answers

Option A is wrong because RBAC grants access based solely on a user's role (e.g., 'contractor'), not on dynamic runtime attributes like device management status or time of day; it cannot enforce the multi-condition logic required. Option C is wrong because single sign-on (SSO) only provides a unified authentication experience (e.g., using SAML or OIDC) and does not enforce authorization policies based on device or time attributes. Option D is wrong because privileged access management (PAM) is designed to control and audit elevated access (e.g., admin credentials or just-in-time privileges), not to evaluate general access conditions like project assignment or device compliance.

81 · MCQ · easy

A user reports a suspicious pop-up on a workstation and the SOC suspects malware. Which action should the responder take first to contain the threat?

A. Disconnect the workstation from the network
B. Wipe the workstation immediately
C. Return the workstation to the user after restarting it
D. Wait until the next patch cycle to see if the issue disappears

Answer: A

Isolating the host quickly limits the malware's ability to spread or communicate outward.

Why this answer

Disconnecting the workstation from the network immediately isolates the suspected malware, preventing it from communicating with command-and-control (C2) servers, spreading laterally to other hosts, or exfiltrating data. This is the first step in the NIST incident response containment phase, as it stops network-based propagation without destroying forensic evidence.

Exam trap

CompTIA often tests the misconception that immediate eradication (wiping) is the first step, but the correct order is containment first to stop the spread, then eradication and recovery.

How to eliminate wrong answers

Option B is wrong because wiping the workstation destroys volatile data and forensic artifacts (e.g., memory dumps, logs, malware binaries) that are critical for analysis and attribution. Option C is wrong because restarting the workstation may allow malware to execute persistence mechanisms or trigger destructive payloads, and returning it to the user risks further compromise. Option D is wrong because waiting for the next patch cycle leaves the threat active, allowing the malware to spread, escalate privileges, or cause data loss, violating the principle of timely containment.

82 · Matching · hard

Match each SOC alert artifact to the most useful investigation pivot. Each pivot should help determine whether the alert is a true incident, a false positive, or part of a broader campaign.

Matches

Check whether the pattern matches password spraying across accounts rather than a brute-force attempt on one user.

Pivot to parent-child process trees and script-block telemetry on the endpoint.

Compare the query pattern and periodicity for possible DNS tunneling or beaconing.

Correlate with scheduled tasks, recent file creation, and account activity for staging or exfiltration.

Review token/session logs and conditional-access telemetry to see whether a hijacked session or relay attack occurred.

Why these pairings

Each artifact is matched to a pivot that directly aids in verifying the alert's validity, whether by checking reputation, correlating with threat intelligence, or comparing against normal behavior.

83 · MCQ · easy

A user says their files suddenly have a new extension and a note appears demanding payment to restore access. Which type of malware is most likely involved?

A. Ransomware
B. Adware
C. Spam filter
D. Screen saver

Answer: A

Ransomware commonly encrypts files and leaves a payment demand, which matches the described symptoms.

Why this answer

Ransomware is the correct answer because it specifically encrypts files and appends a new extension, then displays a ransom note demanding payment for decryption. This matches the user's description of files becoming inaccessible with a new extension and a payment demand.

Exam trap

The trap here is that candidates may confuse ransomware with adware or other malware types, but the key differentiator is the combination of file encryption, extension change, and a ransom demand.

How to eliminate wrong answers

Option B (Adware) is wrong because adware displays unwanted advertisements and does not encrypt files or demand ransom payments. Option C (Spam filter) is wrong because a spam filter is a security tool that blocks unwanted email, not a type of malware that modifies files. Option D (Screen saver) is wrong because a screen saver is a benign utility that prevents screen burn-in and has no capability to encrypt files or demand payments.

84 · MCQ · medium

A Linux operations team is building a new production gold image for database servers. Security requires every build to disable password-based SSH, enable audit logging, use the company NTP servers, and remove the desktop package set. The admins need a document that defines these exact required settings and allows exceptions only through formal approval. Which artifact should be used?

A. Policy
B. Baseline
C. Guideline
D. Procedure

Answer: B

A baseline defines the approved, specific secure configuration that systems should meet. It fits exact required settings.

Why this answer

A baseline defines the minimum security configuration that must be applied to all systems, such as disabling password-based SSH, enabling audit logging, using specific NTP servers, and removing unnecessary packages. It is the correct artifact because it specifies required settings and allows exceptions only through formal approval, which aligns with the scenario's need for a mandatory configuration standard. Policies are high-level statements of intent, guidelines are recommendations, and procedures are step-by-step instructions, none of which enforce mandatory settings with exception control.

Exam trap

The trap here is confusing a policy (high-level intent) with a baseline (specific mandatory settings), leading candidates to choose 'Policy' because they think it governs all security, but baselines are the actual technical enforcement documents that require formal exceptions.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent (e.g., 'All systems must be secure') and does not define specific technical settings like disabling password-based SSH or removing desktop packages. Option C is wrong because a guideline is a recommendation or best practice that is not mandatory and does not enforce required settings or require formal approval for exceptions. Option D is wrong because a procedure is a detailed step-by-step process for performing a task (e.g., how to install an OS), not a document that defines required configuration settings with exception control.

85 · MCQ · medium

A business unit is worried about the financial impact of a rare but severe data center outage. After reviewing the risk register, leadership decides to purchase cyber insurance and document the remaining exposure rather than redesign the entire platform. Which risk treatment is this?

A. Risk transfer
B. Risk avoidance
C. Risk mitigation
D. Risk acceptance

Answer: A

Risk transfer shifts some financial impact to a third party, such as through insurance or a contractual liability arrangement.

Why this answer

The correct answer is A (Risk transfer) because purchasing cyber insurance transfers the financial risk of a data center outage to an insurance provider. The business unit is not avoiding the risk by redesigning the platform, nor are they mitigating it through technical controls; they are simply documenting the residual exposure after transferring the monetary impact. This aligns with the risk treatment strategy of shifting the burden of loss to a third party.

Exam trap

The trap here is that candidates confuse risk transfer (shifting financial liability) with risk mitigation (reducing probability/impact via technical controls), especially when the scenario mentions 'documenting the remaining exposure'—which is a hallmark of risk acceptance, not mitigation.

How to eliminate wrong answers

Option B (Risk avoidance) is wrong because the business unit is not eliminating the risk by ceasing operations or redesigning the platform; they are accepting the outage's possibility and insuring against it. Option C (Risk mitigation) is wrong because mitigation involves implementing controls (e.g., redundancy, failover clusters, or backup power) to reduce the likelihood or impact of the outage, not purchasing insurance to cover financial losses.

86 · MCQ · medium

A help desk analyst receives a ticket stating that an employee got an urgent text message from someone claiming to be the CEO. The message asked the employee to buy gift cards and send the redemption codes immediately. What attack is most likely taking place?

A. Phishing, because the attacker is trying to steal information through a deceptive message sent to a user.
B. Smishing, because the attacker is using SMS or text messaging to trick the employee into taking an action.
C. Vishing, because the attacker is using a phone call to pressure the employee into complying.
D. Baiting, because the attacker is tempting the user with a reward in exchange for cooperation.

Answer: B

Smishing is phishing delivered through text messaging. The attacker is impersonating an executive and creating urgency to pressure the employee into buying gift cards and revealing codes. That combination of mobile delivery, impersonation, and urgency fits a text-based social engineering attack.

Why this answer

Option B is correct because the attack uses SMS/text messaging as the delivery vector, which is the defining characteristic of smishing. The urgent request to buy gift cards and send redemption codes is a classic social engineering tactic designed to exploit the employee's trust in the CEO's authority, not to steal credentials or install malware directly.

Exam trap

The trap here is that candidates may confuse smishing with general phishing (Option A) because both involve deceptive messages, but the exam specifically tests the delivery vector—SMS vs. email—as the key differentiator for attack classification.

How to eliminate wrong answers

Option A is wrong because phishing typically refers to broader email-based attacks, not specifically SMS/text messages; while smishing is a subset of phishing, the question explicitly describes a text message, making smishing the more precise term. Option C is wrong because vishing (voice phishing) requires a phone call, not a text message; the scenario lacks any mention of a voice interaction. Option D is wrong because baiting involves offering a fake reward or enticement (e.g., free download or USB drop) to trick the user, whereas this attack uses a direct request for action under false authority, not a lure.

87 · MCQ · easy

A team is moving an application to a cloud provider. The cloud provider will secure the physical data center and core infrastructure, while the company must still secure its own application settings and user access. What concept does this describe?

A. Fail-open design
B. Shared responsibility model
C. Air gap
D. Data masking

Answer: B

Cloud security duties are divided between the provider and the customer, depending on the service model.

Why this answer

The shared responsibility model defines the division of security obligations between a cloud provider and its customer. In this scenario, the provider secures the physical data center and core infrastructure (the 'security of the cloud'), while the company retains responsibility for application settings and user access (the 'security in the cloud'). This model is foundational to all major cloud providers, including AWS, Azure, and Google Cloud.

Exam trap

The trap here is that candidates often confuse the shared responsibility model with a simple 'provider does everything' or 'customer does everything' approach, failing to recognize that security obligations are split based on the service model (IaaS, PaaS, SaaS) and that the customer always retains responsibility for data and access management.

How to eliminate wrong answers

Option A is wrong because a fail-open design refers to a security mechanism that defaults to allowing access when it fails (e.g., a firewall that passes all traffic upon crash), not to the division of security responsibilities in cloud computing. Option C is wrong because an air gap is a physical or logical isolation of a network from unsecured networks (e.g., no network connection at all), which is unrelated to the shared security duties between a cloud provider and its customer. Option D is wrong because data masking is a technique used to obfuscate sensitive data (e.g., replacing real credit card numbers with fictitious ones for testing), not a model for distributing security controls between parties.

88. MCQ (medium)

A security analyst receives an alert that a user's workstation is communicating with a known malicious IP address during off-hours. The analyst reviews the firewall logs and confirms the connection was established. Which of the following should the analyst perform NEXT to contain the threat?

A. Disable the user's account immediately.
B. Isolate the workstation from the network.
C. Run a full antivirus scan on the workstation.
D. Notify the user's manager of the policy violation.
Answer: B

Isolating the workstation stops all network communication, including the connection to the malicious IP. This is a direct containment action that prevents further exfiltration, command-and-control activity, or lateral spread.

Why this answer

Isolating the workstation from the network (Option B) is the immediate containment step because it stops the active communication with the known malicious IP address, preventing further data exfiltration, lateral movement, or command-and-control (C2) activity. This aligns with the NIST incident response framework's containment phase, which prioritizes stopping the threat before investigation or remediation. Disabling the user account (A) does not stop the network-level communication if the malware is running as a service or using cached credentials, and running a scan (C) or notifying management (D) are post-containment actions.

Exam trap

CompTIA often tests the distinction between containment and remediation, trapping candidates who choose to run an antivirus scan (Option C) first, when the correct incident response order is to isolate the host to stop the active threat before any scanning or notification.

How to eliminate wrong answers

Option A is wrong because disabling the user account stops interactive logins but does not block network traffic from a compromised workstation that may be running malware under a system account or using stored credentials; the malicious communication continues at the network layer. Option C is wrong because running a full antivirus scan is a remediation step that should occur after containment (isolation) to avoid alerting the malware or allowing it to spread during the scan; it does not stop the active C2 traffic. Option D is wrong because notifying the user's manager is an administrative notification step that does not contain the technical threat; the immediate priority is to sever the network connection to the malicious IP.

89. MCQ (medium)

A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?

A. Block the external IP address at the firewall.
B. Review the user's login and activity logs.
C. Contact the user to inquire about the transfer.
D. Restore the workstation from a known good backup.
Answer: B

Reviewing logs is the correct first step. It allows the analyst to verify the alert, see if the user was logged in, identify the process responsible for the transfer, and gather details necessary for informed decision-making.

Why this answer

Option B is correct because, in incident response, the first step is to gather evidence and understand the scope of the incident. Reviewing the user's login and activity logs (e.g., Windows Event Logs, authentication logs, and process creation logs) allows the analyst to verify if the user was actually logged in at 2:00 AM, identify any anomalous behavior (e.g., use of unauthorized tools or unusual file access patterns), and determine whether the data transfer was initiated by the user or by malware. This aligns with the NIST SP 800-61 incident response lifecycle, specifically the identification and analysis phase, where initial triage focuses on log review before taking containment actions.

Exam trap

The trap here is that candidates often jump to immediate containment (blocking the IP) or recovery (restoring from backup) without first verifying the alert through log analysis, which is a fundamental incident response principle emphasized in the SY0-701 exam.

How to eliminate wrong answers

Option A is wrong because blocking the external IP address at the firewall is a containment action that should be taken only after confirming the alert is a true positive and understanding the full scope of the exfiltration; blocking prematurely can forfeit evidence (an active connection can still be captured for forensics) and may disrupt legitimate traffic if the IP is shared or dynamic. Option C is wrong because contacting the user directly risks tipping off a potential insider threat, could lead to evidence tampering, and is not a reliable method for initial verification; logs provide objective, timestamped data. Option D is wrong because restoring the workstation from a known good backup is a recovery step that destroys volatile evidence (e.g., memory, recent logs, and malware artifacts) and should only be performed after thorough forensic analysis and containment.

90. MCQ (medium)

Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access?

VLAN table:
- VLAN 20 Users: 10.20.20.0/24
- VLAN 30 Finance: 10.20.30.0/24
- VLAN 40 Printers: 10.20.40.0/24
- VLAN 50 Accounting App: 10.20.50.0/24

Current SVI routing policy: permit ip any any

Management goal: Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.

A. Put finance workstations on the same VLAN as the printers to simplify access.
B. Add inter-VLAN ACLs that deny Finance VLAN access to User VLAN 20 while permitting Finance VLAN traffic to VLAN 40 and VLAN 50.
C. Remove routing between all VLANs and let users print through email attachments.
D. Place the accounting application in the User VLAN so finance devices no longer need segmentation.
Answer: B

This is the best option because it keeps the finance systems isolated from general user devices while still allowing the required business functions. The ACL can allow only the exact destinations and services needed for printing and the accounting application, which reduces lateral movement risk without breaking the workflow. It is a practical example of subnet isolation with traffic filtering.

Why this answer

Option B is correct because it uses inter-VLAN ACLs to enforce the principle of least privilege: denying traffic from the Finance VLAN (10.20.30.0/24) to the User VLAN (10.20.20.0/24) while explicitly permitting traffic to the Printer VLAN (10.20.40.0/24) and the Accounting App VLAN (10.20.50.0/24). This preserves the required segmentation and still allows the necessary services (printing and application access) without altering the existing VLAN structure or routing policy.

Exam trap

The trap here is that candidates often assume VLANs alone provide security isolation, forgetting that by default inter-VLAN routing permits all traffic (as shown by the 'permit ip any any' SVI policy), so additional ACLs are required to enforce directional restrictions while still allowing specific services.

How to eliminate wrong answers

Option A is wrong because placing finance workstations on the same VLAN as printers would collapse segmentation, allowing unrestricted traffic between finance devices and printers, and would not isolate finance from user PCs—it also violates the management goal of preventing finance-initiated traffic to the User VLAN. Option C is wrong because removing routing between all VLANs would completely block inter-VLAN communication, preventing finance devices from accessing the printers and accounting application, which directly contradicts the requirement to allow printing and application access. Option D is wrong because placing the accounting application in the User VLAN would expose it to all user PCs, defeating the purpose of segmentation and potentially allowing unauthorized access from the User VLAN to the application, while still not isolating finance workstations from user PCs.

91. MCQ (hard)

Based on the exhibit, which risk should be prioritized first under the company's likelihood-impact scoring model?

A. R-101, because manual review means the risk is already partially controlled.
B. R-102, because a cheaper remediation always has priority over a higher total score.
C. R-103, because critical impact always outweighs likelihood in the matrix.
D. R-104, because it has the highest likelihood-impact score in the register.
Answer: D

R-104 scores 16, which is higher than the other listed risks under the stated 1-to-5 model. Since the organization can fund only one risk this quarter, the highest scored item should be prioritized first. The current backup power helps resilience, but it does not reduce the fact that this is the largest remaining risk in the matrix.

Why this answer

Option D is correct because R-104 has the highest likelihood-impact score (e.g., 5×5=25) in the risk register, and under a standard likelihood-impact scoring model, the risk with the highest product (or sum) of likelihood and impact is prioritized first for remediation. This aligns with the CompTIA SY0-701 objective of using quantitative risk analysis to rank risks by their overall severity.

Exam trap

CompTIA often tests the misconception that a single factor (like critical impact or low cost) overrides the composite risk score, but the correct prioritization always follows the calculated likelihood-impact product or sum as shown in the register.

How to eliminate wrong answers

Option A is wrong because manual review does not automatically reduce the risk score; it is a control that may lower likelihood or impact, but the exhibit shows R-101 has a lower total score than R-104, so it should not be prioritized first. Option B is wrong because cheaper remediation does not inherently take priority over a higher total score; risk prioritization is based on the likelihood-impact score, not cost, unless a cost-benefit analysis explicitly overrides. Option C is wrong because critical impact alone does not outweigh likelihood in the matrix; the scoring model multiplies or adds both factors, so a risk with lower likelihood but critical impact may have a lower total score than one with high likelihood and high impact.

92. MCQ (medium)

A legal team must send a confidential contract to a partner so only the intended recipient can read it, and the partner also needs assurance the file really came from your company. Which approach best meets both needs?

A. Hash the contract and email the hash value separately.
B. Encrypt the file with the recipient's public key and sign it with the sender's private key.
C. Use a shared symmetric key and send the key in the same email message.
D. Compress the file and password-protect the archive with a simple passphrase.
Answer: B

Using the recipient's public key ensures only the intended recipient can decrypt the file, which provides confidentiality. Adding a digital signature with the sender's private key gives the partner a way to verify the file came from your company and has not been altered. Together, these controls address both privacy and authenticity, which is exactly what the scenario requires.

Why this answer

Option B is correct because it uses asymmetric encryption to ensure confidentiality (encrypting with the recipient's public key ensures only the intended recipient can decrypt it with their private key) and digital signing (signing with the sender's private key provides non-repudiation and authenticity, proving the file came from the sender). This combination directly addresses both requirements: only the partner can read the contract, and the partner can verify the sender's identity.

Exam trap

The trap here is that candidates often confuse hashing with encryption or think that password-protecting a zip file provides strong security and sender authentication, when in fact only a proper public-key infrastructure (PKI) with encryption and digital signatures meets both confidentiality and non-repudiation requirements.

How to eliminate wrong answers

Option A is wrong because hashing the contract and emailing the hash separately only provides integrity verification (detecting tampering) but does not encrypt the contract or authenticate the sender; anyone can read the contract in the email, and the hash alone does not prove the sender's identity. Option C is wrong because using a shared symmetric key and sending it in the same email message completely defeats confidentiality; if an attacker intercepts the email, they have both the encrypted file and the key, allowing them to decrypt it immediately. Option D is wrong because compressing and password-protecting the archive with a simple passphrase is weak encryption that can be easily brute-forced or guessed, and it provides no cryptographic proof of the sender's identity; the recipient has no assurance the file truly came from your company.

93. MCQ (easy)

At a conference, employees connect to a Wi-Fi network named "CorpGuest" and then see certificate warnings in their browsers. The network has a stronger signal than the hotel's legitimate guest Wi-Fi. What attack is this?

A. Rogue access point
B. ARP poisoning
C. Replay attack
D. Denial of service
Answer: A

A rogue access point, often called an evil twin, imitates a real network to lure users onto it.

Why this answer

This scenario describes a rogue access point attack. The attacker sets up a Wi-Fi network named "CorpGuest" with a stronger signal than the legitimate hotel guest Wi-Fi, tricking employees into connecting to it. Once connected, the attacker can intercept traffic and present a fake certificate, causing browser certificate warnings.

This is a classic evil twin variant of a rogue access point attack.

Exam trap

The trap here is that candidates may confuse a rogue access point with ARP poisoning because both can enable man-in-the-middle attacks, but the key differentiator is the method of initial access — rogue AP uses a fake wireless network, while ARP poisoning operates on an existing wired or wireless LAN.

How to eliminate wrong answers

Option B (ARP poisoning) is wrong because ARP poisoning involves sending forged ARP messages over a local network to associate the attacker's MAC address with the IP address of a legitimate host, enabling man-in-the-middle attacks on switched networks; it does not involve setting up a fake Wi-Fi network. Option C (Replay attack) is wrong because a replay attack captures and retransmits valid data transmissions to trick the receiver, not to create a fraudulent wireless network or cause certificate warnings. Option D (Denial of service) is wrong because a denial of service attack aims to disrupt or degrade network services, not to impersonate a legitimate access point and intercept user traffic.

94. Matching (hard)

Match each detection pattern to the most likely security issue. Each item has one best match.

Concepts

Living-off-the-land or fileless malware execution

DNS tunneling or command-and-control beaconing

Password spraying or credential stuffing that succeeded

Compromised privileged credentials with persistence and post-exploitation activity

Why these pairings

- Repeated login failures indicate brute-force.
- Outbound connections to malicious IPs suggest C2.
- Large data transfers at odd hours indicate exfiltration.
- Random DNS subdomains are typical of tunneling.
- Conflicting ARP replies show spoofing.
- Multiple ICMP requests from many sources indicate DDoS.

95. MCQ (medium)

Based on the exhibit, what security issue is most likely present?

A. Weak permissions, because the camera streams video to multiple ports.
B. Default credentials, because the admin login is enabled.
C. Exposed service, because management and streaming ports are listening on all interfaces and allowed from anywhere.
D. Outdated component, because firmware version 1.0.3 is listed.
Answer: C

The main issue is an exposed service. The camera-web and RTSP services listen on 0.0.0.0, which means every interface, and the ACL allows any source to connect. That exposes the device far beyond the intended management scope and creates an easy attack path.

Why this answer

Option C is correct because the exhibit shows that both the management interface (TCP 443) and the streaming interface (TCP 554) are bound to 0.0.0.0 (all interfaces) and the firewall rules allow traffic from 0.0.0.0/0 (any source). This exposes the camera's web management and RTSP streaming services to the entire internet, making it vulnerable to unauthorized access, reconnaissance, and potential exploitation. An exposed service of this nature is a common entry point for attackers to compromise IoT devices.

Exam trap

The trap here is that candidates may focus on the presence of default credentials or outdated firmware as obvious vulnerabilities, but the exhibit does not provide evidence of those—instead, the clear misconfiguration is the service exposure, which is a distinct and common threat in IoT and network device security.

How to eliminate wrong answers

Option A is wrong because streaming video to multiple ports is a normal function of an IP camera (e.g., RTSP on port 554 and HTTP on port 80 for web viewing), and does not inherently indicate weak permissions; weak permissions would refer to misconfigured access control lists or user privileges, not the number of ports used. Option B is wrong because the admin login being enabled is not itself a security issue; the vulnerability arises only if default credentials (e.g., admin/admin) are still in use, which is not indicated in the exhibit. Option D is wrong because firmware version 1.0.3 being listed does not automatically mean it is outdated or vulnerable; without a known CVE or version comparison, the version number alone is not evidence of an outdated component.

96. MCQ (hard)

Based on the exhibit, which document type should the organization update if it wants the listed endpoint settings to be mandatory baseline requirements?

A. Policy, because it defines the organization's broad security intent and direction.
B. Standard, because it defines mandatory minimum settings that all systems must meet.
C. Procedure, because it provides the exact steps administrators follow to configure the setting.
D. Guideline, because it is the least restrictive document for endpoint protection.
Answer: B

Standards are the right place for mandatory, measurable requirements like encryption, lock timers, and password length. The exhibit already shows those exact settings in the standard excerpt. Policy states the broad intent, procedures describe how to implement it, and guidelines remain advisory rather than compulsory.

Why this answer

A standard is the correct document type because it defines mandatory, minimum-security configuration requirements that all systems must meet, such as specific endpoint settings. Unlike a policy, which states broad intent, a standard provides the enforceable baseline that ensures consistent security posture across the organization.

Exam trap

The trap here is confusing a policy's broad intent with a standard's enforceable baseline, leading candidates to select 'Policy' because they think it is the highest-level document, when in fact standards are the correct document type for mandatory technical requirements.

How to eliminate wrong answers

Option A is wrong because a policy defines the organization's broad security intent and direction, not the specific mandatory baseline settings for endpoints. Option C is wrong because a procedure provides the exact step-by-step instructions for administrators to configure settings, but it does not define the mandatory baseline requirements themselves. Option D is wrong because a guideline is advisory and the least restrictive document, offering recommendations rather than mandatory minimum requirements.

97. Multi-Select (easy)

An organization wants employees to sign in once and then access several SaaS applications without repeated logins. Which two technologies make this possible? Select two.

Select 2 answers
A. Single sign-on
B. Identity federation
C. Network address translation
D. Port forwarding
E. Full-disk encryption
Answers: A, B

Single sign-on lets a user authenticate once and reuse that session for multiple approved applications. It improves usability while reducing password fatigue and repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and then access multiple SaaS applications without re-entering credentials. It works by establishing a trusted session (often via SAML assertions or OIDC tokens) that is presented to each application, eliminating repeated logins. This directly meets the requirement for a single authentication event granting access to several services.

Exam trap

CompTIA often tests the distinction between SSO (which handles authentication within a single domain) and identity federation (which extends SSO across different trust domains), leading candidates to pick only one when both are required for the scenario.

98. Multi-Select (medium)

A regulated analytics workload is moving to a public cloud. The business wants the strongest practical tenant isolation without managing physical servers, and it also needs an audit trail for changes made to the cloud environment. Which two design choices best meet those requirements? Select two.

Select 2 answers
A. Place the workload in a dedicated account, project, or subscription with restricted cross-account access.
B. Enable cloud control-plane logging and retain the logs centrally.
C. Deploy the workload in a shared public subnet to simplify routing between tenants.
D. Assume the cloud provider will record every guest operating system event automatically.
E. Disable logging to reduce storage costs because the provider already has all necessary records.
Answers: A, B

A dedicated account, project, or subscription provides stronger logical isolation than placing the workload in a shared environment. Restricting cross-account access reduces accidental or unauthorized sharing and makes governance easier. This is a common cloud architecture pattern for regulated workloads that need separation without the overhead of managing physical infrastructure.

Why this answer

Option A is correct because placing the workload in a dedicated account, project, or subscription with restricted cross-account access provides strong logical isolation at the cloud provider's control plane. This approach meets the requirement for tenant isolation without managing physical servers, as it leverages the provider's built-in resource boundaries and IAM policies to prevent unauthorized access between tenants.

Exam trap

The trap here is that candidates often confuse network-level isolation (like subnets) with tenant isolation at the control plane, or assume cloud providers automatically handle guest OS auditing, leading them to select C or D instead of the correct combination of A and B.

99. MCQ (medium)

After a ransomware incident, management learns the attacker's stolen domain admin credentials were used to delete recent online backups from the same backup network. Which backup strategy would have most reduced the chance of permanent backup loss?

A. Nightly incremental backups stored on the same file server as production data.
B. Immutable backups stored in a separate repository or offline location.
C. Hypervisor snapshots only, because they are always safer than backups.
D. Longer retention on the same backup share to keep more versions available.
Answer: B

Immutable or offline backups reduce the chance that stolen administrative credentials can alter or delete recovery data.

Why this answer

Immutable backups stored in a separate repository or offline location prevent deletion or modification by an attacker, even with domain admin credentials. This is because immutability enforces a write-once-read-many (WORM) policy, often implemented via object lock (e.g., S3 Object Lock) or a physical air gap, ensuring that backups cannot be altered or deleted before their retention period expires. In this scenario, the attacker's ability to delete online backups from the same network is mitigated because the immutable repository is isolated and resistant to credential-based tampering.

Exam trap

The trap here is that candidates may assume longer retention or same-server backups are sufficient, but the key is that immutability and isolation (air gap) are required to prevent an attacker with elevated credentials from deleting backups, which is a core concept tested in SY0-701 Domain 3.0 (Security Operations).

How to eliminate wrong answers

Option A is wrong because nightly incremental backups stored on the same file server as production data are vulnerable to the same ransomware attack and credential compromise, as the attacker can delete or encrypt them using the same domain admin credentials. Option C is wrong because hypervisor snapshots are not always safer than backups; they are typically stored on the same storage array as the VMs and can be deleted by an attacker with administrative access to the hypervisor, and they lack the isolation and immutability features of dedicated backup solutions. Option D is wrong because longer retention on the same backup share does not protect against deletion; the attacker can still delete all versions from the same share using the stolen credentials, as retention policies do not enforce immutability or separation.

100. MCQ (medium)

After a phishing simulation, many users still almost submitted credentials to a fake Microsoft login page. Security wants to reduce repeat mistakes quickly without interrupting daily work. Which approach is best?

A. Send one enterprise-wide warning email listing every phishing indicator the users should memorize.
B. Require all employees to retake the full annual security course immediately.
C. Use short, targeted awareness messages with screenshots of the actual lure and an easy reporting path.
D. Remove email access for any user who clicked the simulation link.
Answer: C

This is the best balance because it addresses the specific mistake with focused coaching and minimal operational disruption.

Why this answer

Option C is correct because it uses just-in-time, context-specific training that directly addresses the observed behavior without disrupting workflow. By showing users the exact lure they encountered and providing a simple reporting path, the organization reinforces recognition of the specific phishing technique and encourages immediate reporting, which is more effective than generic warnings or lengthy retraining for reducing repeat mistakes quickly.

Exam trap

The trap here is that candidates may choose Option A (broad warning) because it seems quick and comprehensive, but they overlook that targeted, behavior-specific messaging is far more effective for changing user behavior than generic information overload.

How to eliminate wrong answers

Option A is wrong because a single enterprise-wide warning email listing every phishing indicator is too generic and overwhelming; users are unlikely to memorize a long list, and the lack of context-specific examples reduces retention and behavioral change. Option B is wrong because requiring all employees to retake the full annual security course immediately is disruptive to daily work, time-consuming, and not targeted to the specific phishing lure that was used, making it inefficient for quick remediation. Option D is wrong because removing email access for users who clicked the simulation link is punitive and counterproductive; it does not educate users, may create resentment, and removes the opportunity for them to practice safe reporting behaviors, while also potentially hindering their daily work.

101. Multi-Select (medium)

A help desk manager is hardening a fleet of Windows laptops. The goal is to prevent booting from untrusted external media and to ensure only approved software can run on the devices. Which two controls best address those goals? Select two.

Select 2 answers
A. Enable Secure Boot in firmware.
B. Implement application allowlisting or application control.
C. Rely only on full-disk encryption to stop unauthorized boot code.
D. Increase the screen-lock timeout so users are interrupted less often.
E. Use a stronger Wi-Fi password so malware cannot start.
Answers: A, B

Secure Boot helps ensure the device only starts trusted boot components that are signed by a trusted key. That reduces the risk of booting unapproved loaders or malicious recovery media. It is a platform hardening control that directly addresses firmware-level trust during startup, which is exactly what the scenario calls for.

Why this answer

Secure Boot is a UEFI firmware feature that verifies the digital signature of the bootloader against a database of trusted signatures stored in the firmware. By enabling Secure Boot, the system will refuse to boot from any external media (e.g., USB drives) that does not have a valid, trusted signature, directly preventing unauthorized boot code from executing.

Exam trap

The trap here is that candidates often confuse full-disk encryption with boot security, mistakenly thinking encryption prevents unauthorized boot media, when in fact encryption only protects data confidentiality and does not control the boot process or software execution.

102. MCQ (easy)

A company requires MFA, endpoint protection, and network filtering so that if one control misses a threat, another control still helps stop it. Which security principle is this?

A. Single sign-on
B. Defense in depth
C. Nonrepudiation
D. Data masking
Answer: B

Defense in depth uses multiple overlapping controls so a single failure does not expose the organization.

Why this answer

Defense in depth is a layered security strategy where multiple, independent controls (e.g., MFA, endpoint protection, network filtering) are deployed so that if one layer fails, another still provides protection. This ensures no single point of failure can compromise the entire system, directly matching the scenario where overlapping controls compensate for each other's gaps.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'single sign-on' because both involve multiple systems, but SSO is about convenience and identity federation, not layered security controls.

How to eliminate wrong answers

Option A is wrong because single sign-on (SSO) is an authentication mechanism that allows users to log in once and access multiple systems, not a layered security approach; it does not provide overlapping controls to catch missed threats. Option C is wrong because nonrepudiation ensures that a party cannot deny an action (e.g., via digital signatures or audit logs), but it does not involve multiple defensive layers to stop threats. Option D is wrong because data masking obscures sensitive data (e.g., replacing real credit card numbers with tokens) for privacy or testing, not to provide layered protection against threats.

103
MCQ (medium)

A software vendor distributes critical security updates for its application through a public download website. The vendor wants to allow customers to verify that each update originated from the vendor and has not been modified in transit. Which of the following cryptographic techniques should the vendor apply to the update files before posting them for download?

A. Digital signature
B. Cryptographic hash
C. Antivirus scan report
D. TLS certificate
Answer: A

Correct. A digital signature uses the vendor's private key to sign the update, and customers can verify it with the vendor's public key. This provides both source authentication and integrity.

Why this answer

A digital signature provides both authentication (proving the update originated from the vendor) and integrity (detecting any modification in transit). The vendor signs the file with their private key, and customers verify the signature using the vendor's public key, ensuring the file has not been altered since signing.

Exam trap

The trap here is that candidates confuse a cryptographic hash (which only ensures integrity) with a digital signature (which ensures both integrity and non-repudiation/authentication), or they mistakenly think TLS certificates alone can verify the file's origin after download.

How to eliminate wrong answers

Option B is wrong because a cryptographic hash (e.g., SHA-256) provides integrity but not authentication; an attacker could replace both the file and its hash, and the customer would have no way to verify the source. Option C is wrong because an antivirus scan report only indicates the file was malware-free at the time of scanning, but it does not cryptographically bind the file to the vendor or prevent tampering. Option D is wrong because a TLS certificate secures the communication channel (e.g., HTTPS) between the client and server, but it does not provide a verifiable signature on the file itself; once downloaded, the file's origin and integrity cannot be independently verified without a digital signature.

104
MCQ (medium)

An employee receives a text message from an unknown number pretending to be IT. It includes a shortened URL for "urgent MFA re-enrollment" and says the account will be locked in 15 minutes. What is the best response?

A. Open the link and enter the requested information if the page looks legitimate.
B. Report the message through the official security channel and verify the request using known IT contact information.
C. Forward the text to coworkers so they can check whether they received the same message.
D. Reply to the text asking for a company badge number before proceeding.
Answer: B

The safest response is to avoid the link and use an established internal reporting or verification process. This prevents credential theft and helps security track suspicious messages quickly. Verifying through a known contact method, not the message itself, protects the user from smishing and MFA baiting.

Why this answer

Option B is correct because it follows the principle of verifying unsolicited requests through trusted channels, which is a key defense against social engineering and phishing attacks. The message exhibits classic phishing indicators: an unknown sender, a shortened URL (which can mask the true destination), a false sense of urgency, and a request for MFA re-enrollment—a common pretext to harvest credentials or MFA tokens. Reporting through the official security channel ensures the incident is logged and investigated, while verifying with known IT contact information prevents falling for a spoofed or compromised source.

Exam trap

The trap here is that candidates may choose Option A because the message appears urgent and the page looks legitimate, overlooking that attackers can perfectly clone authentication portals and that shortened URLs are a common obfuscation technique in phishing campaigns.

How to eliminate wrong answers

Option A is wrong because opening a shortened URL from an unknown sender and entering credentials, even if the page looks legitimate, risks credential theft via a phishing site that may mimic the real MFA portal; attackers can clone login pages and intercept tokens in real time. Option C is wrong because forwarding the text to coworkers amplifies the threat by spreading a potential phishing link, increasing the likelihood of compromise across the organization; it also bypasses proper incident reporting procedures. Option D is wrong because replying to the text confirms the phone number is active and monitored, which can lead to targeted follow-up attacks, and asking for a badge number is ineffective since attackers can easily fabricate such identifiers.

105
MCQ (easy)

A security manager wants evidence that annual security awareness training was completed by employees. Which artifact is the best proof?

A. A training completion report exported from the learning system
B. A copy of the company logo used on the training slides
C. A list of office supplies purchased last quarter
D. A screenshot of the company's public homepage
Answer: A

A completion report directly shows who finished the training, when they completed it, and whether any users are still outstanding.

Why this answer

A training completion report exported from the learning system is the best proof because it provides a verifiable, timestamped record of each employee's completion status, including user IDs, course names, completion dates, and scores. This artifact directly demonstrates that the training was actually completed, not just assigned or attended, and can be audited against the organization's training policy.

Exam trap

The trap here is that candidates might think a visual artifact like a logo or homepage screenshot proves training occurred, but CompTIA tests the understanding that only a system-generated, auditable report with user-specific completion data constitutes valid evidence.

How to eliminate wrong answers

Option B is wrong because a copy of the company logo used on training slides is merely a branding element and provides no evidence of employee participation or completion. Option C is wrong because a list of office supplies purchased last quarter is unrelated to security awareness training and cannot demonstrate any training activity. Option D is wrong because a screenshot of the company's public homepage shows only the external-facing website and contains no data about internal training records or employee completion status.

106
Multi-Select (medium)

A company is designing a secure industrial control system (ICS) network that must be isolated from the corporate IT network. Which three of the following architectural controls should be implemented? (Choose three.)

Select 3 answers
- Deploy a unidirectional gateway to allow data to flow only from the ICS to the corporate network.
- Use a jump box (bastion host) with multi-factor authentication for administrative access to the ICS.
- Connect the ICS and corporate networks directly through a standard router for low latency.
- Implement a DMZ between the ICS and corporate networks to inspect and control traffic.
- Allow all ICS devices to use the same default credentials for ease of maintenance.
- Place the ICS historian directly on the internet for remote monitoring by vendors.

Why this answer

A unidirectional gateway (data diode) ensures that data can only flow from the ICS to the corporate network, preventing any external traffic from reaching the ICS. This is a critical security control for isolating sensitive industrial control systems from potential cyber threats originating from the corporate IT network.

Exam trap

The trap here is that candidates might think a standard router or direct connection is acceptable for low latency, but CompTIA emphasizes that isolation and security take precedence over performance in ICS environments.

107
MCQ (medium)

Leadership is deciding between two security controls for a customer portal outage risk. Finance wants to compare the options in dollars, using expected loss, not just a high/medium/low rating. Which approach should the analyst use?

A. Quantitative risk analysis, because it expresses likelihood and impact in monetary terms.
B. Qualitative risk analysis, because it uses categories like critical, medium, and low.
C. Business impact analysis, because it identifies which business processes are important.
D. Risk avoidance, because eliminating the activity removes the threat completely.
Answer: A

Quantitative risk analysis is the right method when decision-makers want financial comparisons. It uses numerical estimates such as annual loss expectancy, cost of control, and probable impact in dollars. That allows leadership to compare mitigation options against the expected reduction in loss and make a budget-based decision. In this situation, the business specifically wants a dollar-based analysis rather than a subjective ranking.

Why this answer

Quantitative risk analysis (A) is correct because it assigns monetary values to both the likelihood and impact of a risk, enabling a direct dollar-based comparison of expected loss. The Finance team's requirement for a dollar comparison rules out qualitative ratings, making quantitative analysis the only approach that meets their needs.

Exam trap

The trap here is that candidates often confuse qualitative risk analysis with quantitative, thinking that any risk assessment that uses categories is sufficient, but the question explicitly demands monetary comparison, which only quantitative analysis provides.

How to eliminate wrong answers

Option B is wrong because qualitative risk analysis uses categories like high/medium/low, not monetary values, so it cannot provide the dollar-based comparison Finance requested. Option C is wrong because a business impact analysis (BIA) identifies critical processes and recovery priorities, but it does not calculate expected loss in monetary terms for comparing security controls. Option D is wrong because risk avoidance eliminates the activity entirely, which is a risk treatment strategy, not an analysis method for comparing control costs in dollars.

108
MCQ (easy)

Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?

A. A full backup to removable media
B. A snapshot of the virtual machine
C. A separate VLAN for the virtual machine
D. A digital certificate for the patch server
Answer: B

A snapshot captures the VM state at a specific moment, making rollback fast after a failed patch.

Why this answer

A snapshot captures the exact state of the virtual machine (disk, memory, and power state) at a point in time, allowing the administrator to revert instantly if the patch fails. This is the fastest and most storage-efficient method for a quick rollback compared to a full backup, which is slower and more resource-intensive.

Exam trap

The trap here is that candidates confuse a snapshot with a full backup, but the question emphasizes 'quick way to return to exact pre-change state,' which is the defining characteristic of a snapshot, not a backup.

How to eliminate wrong answers

Option A is wrong because a full backup to removable media is a slower, more cumbersome process that requires restoring the entire VM from external storage, not a quick revert. Option C is wrong because a separate VLAN isolates network traffic but does not preserve or restore the VM's operating system or application state. Option D is wrong because a digital certificate authenticates the patch server but provides no mechanism to revert the VM to a previous state.

109
MCQ (easy)

A user enters `<script>alert('test')</script>` into a public comment field, and other visitors see the script run in their browsers. What attack is this?

A. Cross-site scripting
B. SQL injection
C. Broken authentication
D. Insecure deserialization
Answer: A

Cross-site scripting occurs when attacker-controlled script is stored or reflected and then runs in another user's browser. A comment field that executes script for later visitors is a textbook example.

Why this answer

This is a classic cross-site scripting (XSS) attack because the user-supplied input containing a script tag is echoed back to other visitors' browsers without proper sanitization or encoding. The script executes in the context of the victim's browser, allowing the attacker to steal cookies, redirect users, or deface the page. XSS exploits the trust a user has for a particular website, unlike SQL injection which targets the database.

Exam trap

The trap here is that candidates confuse client-side attacks (XSS) with server-side attacks (SQL injection) because both involve user input, but XSS targets the browser's execution context while SQL injection targets the database query parser.

How to eliminate wrong answers

Option B (SQL injection) is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a backend database, not to execute client-side scripts in a browser. Option C (Broken authentication) is wrong because broken authentication refers to flaws in session management or credential handling (e.g., weak passwords, session fixation), not the injection of client-side code that runs in other users' browsers.

110
Multi-Select (easy)

Which two statements describe authorization? Select two.

Select 2 answers
A. It determines what a user can access after sign-in
B. It usually happens after authentication
C. It proves a user is who they claim to be
D. It records every packet a device sends
E. It replaces the need for authentication
Answers: A, B

Authorization defines access rights after a user has been authenticated. It uses permissions, roles, group membership, or policy rules to decide which resources, functions, or data the user may use.

Why this answer

Authorization determines the resources and actions a user can access after successful authentication. It enforces access control policies, such as those defined by RBAC or ACLs, ensuring users only interact with permitted data or systems. This aligns with the NIST definition of authorization as the process of granting or denying rights to a user.

Exam trap

The trap here is confusing authorization with authentication, as many candidates mistakenly think proving identity (authentication) also grants access rights, but authorization is a distinct step that occurs after authentication.

111
MCQ (medium)

Your company is syncing design files to a cloud object store. The security team wants to reduce risk if the storage account is stolen and also protect the files while they travel across the internet. Which approach is the best fit?

A. Password-protect each archive and upload it over plain HTTP.
B. Encrypt data in transit with TLS and enable encryption at rest with managed keys.
C. Rename the files before upload so attackers cannot identify them.
D. Place the storage service on a private IP address and skip encryption.
Answer: B

Correct. TLS protects the files while they move across the network, and encryption at rest protects stored objects if the storage account or media is exposed. Using managed keys also reduces key-handling mistakes and keeps the protection aligned with standard cloud security practices. This combination addresses both major exposure points in the scenario.

Why this answer

Option B is correct because it addresses both risks: TLS (Transport Layer Security) encrypts data in transit, preventing interception or tampering during upload, while managed keys for encryption at rest protect the files if the storage account credentials are compromised. This dual-layer approach aligns with defense-in-depth and is a standard best practice for cloud object stores like Amazon S3 or Azure Blob Storage.

Exam trap

The trap here is that candidates may think renaming files (Option C) or using a private IP (Option D) provides security, but these measures do not address encryption requirements for data at rest or in transit as specified in the scenario.

How to eliminate wrong answers

Option A is wrong because password-protecting archives does not encrypt the data in transit over plain HTTP, leaving it vulnerable to eavesdropping and man-in-the-middle attacks; also, password protection is weaker than full encryption and can be brute-forced. Option C is wrong because renaming files provides no cryptographic protection; attackers who gain access to the storage account can still read the file contents regardless of the name. Option D is wrong because placing the storage service on a private IP address does not protect data in transit across the internet (it would still traverse public networks unless using a VPN or dedicated link), and skipping encryption leaves data at rest exposed if the account is stolen.

112
MCQ (medium)

An ERP database is backed up nightly to a NAS that remains online and is managed with the same admin group as production servers. After a ransomware incident, management wants the most effective change to improve recovery assurance without redesigning the whole environment. What should be implemented?

A. Increase the NAS capacity so more backup jobs can be stored.
B. Add another full backup each night to create more copies on the same NAS.
C. Use an offline or immutable backup copy and perform regular restore tests.
D. Compress the backup files to reduce network usage during the nightly job.
Answer: C

An offline or immutable backup reduces the chance that ransomware can encrypt or delete recovery data, and restore testing proves that the backups actually work. This combination improves resilience more effectively than simply storing more data on the same always-online system.

Why this answer

Option C is correct because an offline or immutable backup copy ensures that ransomware cannot encrypt or delete the backup data, and regular restore tests verify that the backups are actually recoverable. This directly addresses the core requirement of improving recovery assurance without redesigning the environment, as it protects the backup from the same attack vector that compromised the production servers and the NAS managed by the same admin group.

Exam trap

The trap here is that candidates often assume more copies or more storage (options A and B) improve recovery assurance, but they fail to recognize that all copies on the same online, writable NAS are equally vulnerable to ransomware encryption or deletion, making isolation and immutability the key differentiators.

How to eliminate wrong answers

Option A is wrong because increasing NAS capacity only stores more backup jobs but does not protect existing backups from being encrypted or deleted by ransomware if the NAS remains online and accessible to the same admin group. Option B is wrong because adding another full backup to the same NAS creates more copies that are all equally vulnerable to the same ransomware attack, offering no isolation or protection. Option D is wrong because compressing backup files reduces network usage but does not improve recovery assurance; compressed files on the same online NAS are still susceptible to encryption or deletion by ransomware.

113
MCQ (easy)

A restricted server room opens only with a badge, and an alarm sounds if the door is left open too long. Which control type is the alarm?

A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: B

A door alarm is a detective control because it alerts staff after a condition occurs, such as the door being left open too long or forced open. It helps security personnel notice a problem quickly so they can respond. In this scenario, the badge controls access, while the alarm detects an abnormal state and signals that action is needed.

Why this answer

The alarm is a detective control because it detects and alerts when a door is left open too long, indicating a potential security breach. It does not prevent the door from being opened or correct the situation; it simply notifies personnel of an ongoing or past violation.

Exam trap

CompTIA often tests the distinction between detective and corrective controls, and the trap here is that candidates mistakenly think the alarm 'corrects' the situation by alerting, but corrective controls actually take action to restore security, such as automatically closing the door.

How to eliminate wrong answers

Option A is wrong because a preventive control would stop the door from being opened or prevent the alarm condition, such as a magnetic lock that keeps the door closed. Option C is wrong because a corrective control would actively remediate the issue after detection, like automatically closing and relocking the door. Option D is wrong because a deterrent control discourages unauthorized access before it occurs, such as a visible security camera or warning sign, not an alarm that triggers after the door is left open.

114
MCQ (medium)

A support team wants to export customer tickets into a test analytics environment so developers can search real examples while minimizing privacy exposure. The exported data includes names, email addresses, and account IDs that are not needed for the test. What is the best first step?

A. Export the full dataset and restrict access with a shared password
B. Remove or tokenize unneeded personal identifiers before export
C. Keep the data unchanged because the test environment is internal
D. Store the export indefinitely because development data is exempt from retention rules
Answer: B

Removing or tokenizing unnecessary personal data supports privacy-by-design and data minimization before the information leaves the production environment.

Why this answer

Option B is correct because data minimization is a core privacy principle: before exporting data to a test environment, any personally identifiable information (PII) not required for the analytics task should be removed or tokenized. This reduces the attack surface and ensures compliance with privacy regulations (e.g., GDPR, CCPA) without sacrificing the utility of the real customer ticket examples.

Exam trap

The trap here is that candidates assume internal environments are automatically secure, leading them to choose Option C, but the SY0-701 exam emphasizes that data protection controls must be applied consistently regardless of environment boundaries.

How to eliminate wrong answers

Option A is wrong because restricting access with a shared password does not remove the unneeded personal identifiers; it only adds a weak, shared credential that can be easily compromised, leaving the full PII exposed in the test environment. Option C is wrong because keeping the data unchanged assumes an internal test environment is inherently safe, which ignores the risk of insider threats, misconfigurations, or data leaks; privacy protections must be applied regardless of environment classification.

115
MCQ (medium)

A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?

A. Brute-force attack
B. Password spraying attack
C. Credential stuffing attack
D. Dictionary attack
Answer: B

Password spraying involves using a small number of common passwords against a large number of user accounts. This matches the log pattern: different usernames, same password, many attempts.

Why this answer

The attack uses a single common password ('Spring2024!') against many different usernames, which is the hallmark of a password spraying attack. Unlike brute-force attacks that target one account with many passwords, password spraying avoids account lockout by trying one password across many accounts. The wide distribution of source IPs is consistent with a distributed password spraying campaign, often using botnets or proxies.

Exam trap

The trap here is confusing password spraying with credential stuffing: candidates see 'different usernames' and assume stolen credentials are being used, but the single reused password across all attempts is the key differentiator for password spraying.

How to eliminate wrong answers

Option A is wrong because a brute-force attack typically targets a single username with many password attempts, not a single password against many usernames. Option C is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password across different usernames. Option D is wrong because a dictionary attack tries many passwords from a wordlist against a single account, not a single password against many accounts.

116
Drag & Drop (medium)

Drag and drop the steps to perform a factory reset on a managed switch into the correct order.


Why this order

Factory reset clears all configuration; the exact method may vary by vendor, but typically involves holding a button during power-on.

117
MCQ (medium)

A security analyst observes a pattern where an account exhibits multiple failed login attempts from an IP address in a foreign country, followed by a successful login from the same account but from a different IP address in another foreign country minutes later. The analyst wants to deploy a control that can automatically detect and alert on this type of anomalous user behavior, even if the individual login events are not blocked by existing rules. Which of the following security controls is BEST suited for this task?

A. Geofencing
B. Account lockout policy
C. User Behavior Analytics (UBA)
D. SIEM correlation rules
Answer: C

UBA establishes baselines of normal user activity and uses analytics to detect anomalies such as a series of failed logins followed by a successful login from a new geographic region. It is designed to identify suspicious behavioral patterns that other controls might miss.

Why this answer

User Behavior Analytics (UBA) is the best control because it uses machine learning to establish a baseline of normal user behavior (e.g., typical login locations, times, and IP ranges) and then detects anomalies such as a rapid sequence of failed logins from one foreign country followed by a successful login from another foreign country. Unlike static rules, UBA can identify this pattern as suspicious even if each individual login event is not blocked by existing rules, triggering an alert for further investigation.

Exam trap

The trap here is that candidates often choose geofencing because they focus on the 'foreign country' aspect, but they miss that the question requires detection of a behavioral pattern (failed then successful logins from different locations), not just location-based blocking.

How to eliminate wrong answers

Option A is wrong because geofencing blocks or allows access based on geographic location rules, but it cannot detect the anomalous pattern of failed logins followed by a successful login from a different foreign country—it would simply block or permit each login attempt independently based on the user's current location, missing the behavioral sequence. Option B is wrong because an account lockout policy only triggers after a predefined number of consecutive failed attempts (e.g., 5 failures within 15 minutes), but it does not analyze the geographic disparity or the temporal relationship between failed and successful logins, and it would not alert on the successful login from a different foreign IP.
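The two log patterns from questions 115 and 117, worked through as an added example (not part of the original page): one detector for password spraying and one for failed sign-ins followed by a success from a different country, both run over a constructed authentication log in an assumed line format. It generalizes the spray question slightly: production logs do not record the attempted password, so the spray is recognized from the shape of the failures (many accounts, one or two attempts each, several source IPs) rather than from the reused password itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (not from the page) log line format:
#   <ISO-8601 timestamp> <SUCCESS|FAILURE> user=<name> src=<ip> country=<CC>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) "
    r"src=(?P<ip>\S+) country=(?P<cc>[A-Z]{2})$"
)

# Constructed sample log (TEST-NET addresses, invented users). First a spray: one
# failure per account from three rotating IPs in three countries; then the question
# 117 sequence for jdoe; then a benign mistyped password that must not alert.
SAMPLE_LOG = [
    "2024-05-01T09:00:05 FAILURE user=alice src=203.0.113.10 country=BR",
    "2024-05-01T09:02:11 FAILURE user=bob src=198.51.100.22 country=ID",
    "2024-05-01T09:04:40 FAILURE user=carol src=192.0.2.35 country=NG",
    "2024-05-01T09:06:02 FAILURE user=dave src=203.0.113.10 country=BR",
    "2024-05-01T09:08:19 FAILURE user=erin src=198.51.100.22 country=ID",
    "2024-05-01T09:10:33 FAILURE user=frank src=192.0.2.35 country=NG",
    "2024-05-01T09:12:57 FAILURE user=grace src=203.0.113.10 country=BR",
    "2024-05-01T09:15:08 FAILURE user=heidi src=198.51.100.22 country=ID",
    "2024-05-01T09:17:21 FAILURE user=ivan src=192.0.2.35 country=NG",
    "2024-05-01T09:19:44 FAILURE user=judy src=203.0.113.10 country=BR",
    "2024-05-01T09:30:00 FAILURE user=jdoe src=203.0.113.77 country=BR",
    "2024-05-01T09:30:20 FAILURE user=jdoe src=203.0.113.77 country=BR",
    "2024-05-01T09:30:41 FAILURE user=jdoe src=203.0.113.77 country=BR",
    "2024-05-01T09:34:09 SUCCESS user=jdoe src=198.51.100.9 country=ID",
    "2024-05-01T09:40:00 FAILURE user=peggy src=192.0.2.200 country=US",
    "2024-05-01T09:40:30 SUCCESS user=peggy src=192.0.2.200 country=US",
    "malformed line that the parser must skip",
]

def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "ip": m["ip"], "cc": m["cc"]})
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=10, max_per_account=2, min_ips=3):
    """Question 115: one password tried against many accounts. Real logs do not record
    the password, so the signal is the shape of the failures inside one window: many
    distinct accounts with only one or two failures each (staying under lockout
    thresholds), arriving from several source IPs."""
    failures = [e for e in events if e["result"] == "FAILURE"]
    if not failures:
        return {"is_spray": False, "accounts": 0, "source_ips": []}
    end = failures[0]["ts"] + window
    per_account = defaultdict(list)
    for e in failures:
        if e["ts"] <= end:
            per_account[e["user"]].append(e)
    # Accounts hit only a few times; an isolated typo lands here too, so tune thresholds.
    low = {u: evs for u, evs in per_account.items() if len(evs) <= max_per_account}
    ips = sorted({e["ip"] for evs in low.values() for e in evs})
    is_spray = len(low) >= min_accounts and len(ips) >= min_ips
    return {"is_spray": is_spray, "accounts": len(low), "source_ips": ips}

def detect_failed_then_foreign_success(events, lookback=timedelta(minutes=30),
                                       min_failures=3):
    """Question 117: per account, several failures from one place followed within
    `lookback` by a SUCCESS from a different IP in a different country. Each event
    passes static rules on its own; only the sequence is suspicious."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for idx, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            recent = [f for f in evs[:idx]
                      if f["result"] == "FAILURE" and e["ts"] - f["ts"] <= lookback]
            if len(recent) < min_failures:
                continue
            fail_ips = {f["ip"] for f in recent}
            fail_ccs = {f["cc"] for f in recent}
            if e["ip"] not in fail_ips and e["cc"] not in fail_ccs:
                alerts.append({"user": user, "failures": len(recent),
                               "failure_countries": sorted(fail_ccs), "success_ip": e["ip"],
                               "success_country": e["cc"], "at": e["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    for a in detect_failed_then_foreign_success(evs):
        print("anomalous sign-in:", a)
```

The spray detector reports the sprayed accounts and their source IPs; the second detector returns one alert per account whose successful sign-in follows a run of failures from elsewhere, which is the sequence a UBA baseline would flag.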

118
Drag & Drop (medium)

Drag and drop the steps for a typical digital forensics investigation process in the correct order.


Why this order

Digital forensics follows a structured process: identification, preservation, collection, examination, analysis, and reporting.

119
Multi-Select (medium)

An organization is implementing a third-party vendor risk management program. Which three of the following should be included as key activities to maintain oversight of vendor security? (Choose three.)

Select 3 answers
- Performing due diligence assessments before onboarding new vendors
- Requiring all vendors to use the same password manager as the organization
- Including security requirements in contracts and service-level agreements
- Conducting periodic security reviews or audits of critical vendors
- Providing vendor staff with direct access to internal source code repositories
- Automatically renewing vendor contracts unless a security incident occurs

Why this answer

Performing due diligence assessments before onboarding new vendors is correct because it allows the organization to evaluate a vendor's security posture, compliance, and risk level before any contractual relationship begins. This proactive step helps identify potential vulnerabilities or gaps that could expose the organization to third-party risks, aligning with the NIST SP 800-161 supply chain risk management framework.

Exam trap

The trap here is that candidates may mistakenly think requiring vendors to use the same password manager is a valid oversight activity, but it is an operational control that violates vendor autonomy and does not fit the definition of key vendor risk management program activities.

120
MCQ (medium)

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

A. Place the PLCs and office workstations on the same VLAN and rely on endpoint antivirus.
B. Create a separate OT zone behind a firewall with explicit allow rules only to the SCADA server.
C. Publish the SCADA server through a public reverse proxy so vendors can reach it remotely.
D. Put the PLCs on the same subnet as user devices and hide them behind NAT.
Answer: B

This option isolates industrial devices in their own security zone and uses deny-by-default filtering, which is appropriate for production environments.

Why this answer

Option B is correct because it creates an isolated OT (Operational Technology) zone using a firewall, which enforces segmentation between the industrial control systems (PLCs and SCADA) and the corporate IT network. By placing the SCADA server and PLCs behind a firewall with explicit allow rules only for necessary SCADA-to-PLC telemetry, the architecture ensures that employee laptops and the internet cannot reach these devices, meeting the requirement for no reachability from those sources.

Exam trap

The trap here is that candidates may confuse network segmentation with security controls like antivirus or NAT, mistakenly believing that endpoint protection or address translation alone can prevent unauthorized access from the same subnet or from the internet.

How to eliminate wrong answers

Option A is wrong because placing PLCs and office workstations on the same VLAN eliminates network segmentation, allowing any device on that VLAN (including employee laptops) to directly communicate with the PLCs, and endpoint antivirus alone cannot prevent network-level attacks or unauthorized access. Option C is wrong because publishing the SCADA server through a public reverse proxy intentionally makes it reachable from the internet, directly violating the requirement that neither the PLCs nor the SCADA server should be reachable from the internet. Option D is wrong because putting PLCs on the same subnet as user devices and hiding them behind NAT still allows direct Layer 2 communication between user devices and PLCs on the same subnet, and NAT does not prevent inbound connections initiated from within the subnet; it only obscures outbound traffic, so employee laptops could still reach the PLCs.

121. MCQ (medium)

Based on the exhibit, what network attack is most likely occurring on the office LAN?

A.ARP poisoning, because a rogue system is sending false layer 2 address mappings.
B.Replay attack, because the same ARP reply appears multiple times.
C.Denial of service, because users notice certificate warnings.
D.DNS poisoning, because the users cannot reach internal sites cleanly.
Answer: A

ARP poisoning is the best answer because the capture shows false ARP replies mapping the gateway IP to a different MAC address. The alternating gateway cache entries and certificate warnings are consistent with traffic being redirected through an attacker in a man-in-the-middle position.

Why this answer

ARP poisoning is the correct answer because the exhibit shows a rogue system sending unsolicited ARP replies that map the gateway's IP address to the attacker's MAC address. This causes traffic destined for the gateway to be redirected to the attacker, enabling man-in-the-middle interception. The attack exploits the lack of authentication in ARP, allowing false layer 2 address mappings to corrupt the ARP cache of other hosts on the LAN.

Exam trap

The trap here is that candidates may confuse ARP poisoning with DNS poisoning because both involve false mappings, but ARP poisoning operates at layer 2 (MAC addresses) while DNS poisoning operates at the application layer (domain names), and the exhibit's focus on MAC address mappings clearly points to ARP.

How to eliminate wrong answers

Option B is wrong because replay attacks involve capturing and retransmitting valid packets, but the exhibit shows multiple identical ARP replies from a single rogue source, not a replay of a legitimate ARP response. Option C is wrong because certificate warnings are typically associated with TLS/SSL interception or rogue access points, not directly with ARP poisoning, and the exhibit does not indicate a denial of service condition. Option D is wrong because DNS poisoning targets the DNS resolver cache with false domain-to-IP mappings, whereas the exhibit shows ARP replies manipulating MAC-to-IP mappings at layer 2, not DNS records.

122. MCQ (hard)

Based on the exhibit, what should be implemented to reduce the blast radius if a backup server is compromised later?

Backup job configuration:
algorithm=AES-256-GCM
key_file=/opt/backup/key.bin
rotation=disabled
same_key_for_all_sites=true
backup_media copied to an offsite vault each night

A.Use envelope encryption with unique data encryption keys protected by a KMS-managed key encryption key.
B.Store the same key in a password-protected ZIP archive on the backup server.
C.Replace AES with SHA-256 so the files cannot be opened directly.
D.Keep one key forever and increase the backup frequency.
Answer: A

Envelope encryption limits exposure because each backup can use a distinct data key protected by a stronger key hierarchy.

Why this answer

Envelope encryption with unique data encryption keys (DEKs) protected by a KMS-managed key encryption key (KEK) ensures that even if the backup server is compromised, the attacker cannot decrypt all backups because each backup uses a different DEK, and the KEK is stored externally in a KMS. This limits the blast radius to only the data encrypted with the compromised DEK, rather than exposing all historical backups encrypted with a single static key.

Exam trap

CompTIA often tests the distinction between encryption and hashing, and the trap here is that candidates may confuse SHA-256 (a hash) with AES (an encryption algorithm), or assume that storing the key in a password-protected archive provides adequate security, ignoring that the key is still co-located with the data on the compromised server.

How to eliminate wrong answers

Option B is wrong because storing the same key in a password-protected ZIP archive on the backup server does not reduce the blast radius; if the backup server is compromised, the attacker can access the ZIP file and attempt to crack the password, potentially exposing all backups. Option C is wrong because SHA-256 is a hashing algorithm, not an encryption algorithm; it cannot be used to encrypt files, and replacing AES with SHA-256 would make the data irreversible, not securely encrypted. Option D is wrong because keeping one key forever and increasing backup frequency actually increases the blast radius; if that single key is compromised, all backups (past and future) are exposed, and more frequent backups mean more data at risk.
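An added illustration (not code from the question bank or from any real backup product) of the key hierarchy Option A describes, in Python: every backup gets its own data encryption key (DEK), which is wrapped by a key encryption key (KEK) that never leaves a simulated KMS. The authenticated stream cipher is a SHA-256/HMAC stand-in for AES-256-GCM so the example runs with the standard library only; the KMS class, site names and sample data are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Counter-mode keystream built from SHA-256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the AAD binds the blob to a context such as the site name."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first, then decrypt; any wrong key, context or edit raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = subkeys(key)
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class KMS:
    """Simulated key management service (constructed): the KEK is held here and never
    handed to the backup server, which only ever sees wrapped DEKs."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek

    def wrap_dek(self, dek: bytes, context: bytes) -> bytes:
        return seal(self._kek, dek, aad=context)

    def unwrap_dek(self, wrapped: bytes, context: bytes) -> bytes:
        return unseal(self._kek, wrapped, aad=context)


@dataclass
class Backup:
    site: str
    wrapped_dek: bytes   # DEK encrypted under the KMS-held KEK
    ciphertext: bytes    # backup data encrypted under the DEK


def encrypt_backup(kms: KMS, site: str, data: bytes) -> Tuple[Backup, bytes]:
    """Envelope-encrypt one backup with a fresh DEK. The plaintext DEK is returned only so
    the blast radius of a leaked key can be measured; it exists transiently on the host."""
    dek = secrets.token_bytes(32)
    ctx = site.encode()
    return Backup(site, kms.wrap_dek(dek, ctx), seal(dek, data, aad=ctx)), dek


def decrypt_backup(kms: KMS, backup: Backup) -> bytes:
    ctx = backup.site.encode()
    return unseal(kms.unwrap_dek(backup.wrapped_dek, ctx), backup.ciphertext, aad=ctx)


def is_authentic(kms: KMS, backup: Backup) -> bool:
    try:
        decrypt_backup(kms, backup)
        return True
    except ValueError:
        return False


def sites_decryptable_with(backups: List[Backup], key: bytes) -> List[str]:
    """Blast radius of one leaked data key: the backups it can open without the KMS."""
    opened = []
    for b in backups:
        try:
            unseal(key, b.ciphertext, aad=b.site.encode())
            opened.append(b.site)
        except ValueError:
            pass
    return opened


def static_key_backups(key: bytes, sites_data: List[Tuple[str, bytes]]) -> List[Backup]:
    """The exhibit's configuration for contrast: one never-rotated key shared by every site."""
    return [Backup(site, b"", seal(key, data, aad=site.encode())) for site, data in sites_data]
```

With per-backup DEKs a leaked key opens exactly one backup, whereas the shared static key from the exhibit opens all of them; the AAD also stops a wrapped DEK from being replayed under another site's name.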

123. MCQ (hard)

Based on the exhibit, what is the best fix so role changes are reflected promptly in the application?

Token and directory data:
09:10 Token issued for user jdoe groups=[Finance_Approver, Expense_Reviewer] auth_time=09:10 exp=17:10
09:15 HR updated directory: jdoe moved to Sales
11:00 The application still accepts the original token and allows expense approval
11:01 Identity provider logs show no token revocation event

A.Increase the token lifetime so users reauthenticate less often.
B.Shorten token and session lifetime and revoke active tokens when the directory role changes.
C.Move the application to a different subnet to isolate it from HR systems.
D.Disable group-based authorization and let any authenticated user approve expenses.
Answer: B

Shorter lifetimes reduce stale access, and revocation ensures authorization changes take effect quickly after role updates.

Why this answer

Option B is correct because the token's long lifetime (issued at 09:10, expires at 17:10) allows the application to continue accepting the original token even after the user's directory role changes at 09:15. Shortening the token lifetime forces more frequent reauthentication, and revoking active tokens when the directory role changes ensures that the application immediately reflects the updated authorization. This aligns with the principle of dynamic access control and token lifecycle management.

Exam trap

The trap here is that candidates may think increasing token lifetime improves user experience, but the question specifically asks for the best fix to reflect role changes promptly, which requires shorter lifetimes and revocation, not longer ones.

How to eliminate wrong answers

Option A is wrong because increasing the token lifetime would make the problem worse, as the stale token would remain valid even longer, delaying role change reflection. Option C is wrong because moving the application to a different subnet does not address the token validity or directory synchronization issue; it is a network isolation measure unrelated to authorization updates. Option D is wrong because disabling group-based authorization removes the security control entirely, allowing any authenticated user to approve expenses, which violates the principle of least privilege and could lead to unauthorized actions.

124. Matching (easy)

Match each security principle to the best description.

Matches

Preventing unauthorized disclosure of information.

Ensuring data is not altered without authorization.

Keeping systems and data accessible when needed.

Giving a user only the permissions required to do the job.

Limiting access to information that a person specifically needs for their role.

Why these pairings

These pairings match the CIA triad plus additional principles: confidentiality restricts access, integrity prevents unauthorized changes, availability ensures uptime, non-repudiation provides proof of actions, authentication verifies identity, and authorization defines permissions.

125. MCQ (easy)

A security tool reports repeated DNS requests for long, random-looking subdomains under the same domain name. What is the most likely explanation?

A.DNS tunneling used to hide command-and-control traffic.
B.A normal software update process from the operating system.
C.A successful password reset workflow for users.
D.A hardware failure on the network adapter.
Answer: A

Long, random subdomains can be a sign of DNS tunneling, where malware hides data or control traffic inside DNS queries.

Why this answer

DNS tunneling encodes non-DNS traffic (e.g., C2 commands) into DNS queries and responses, often using long, random-looking subdomains to evade detection. Repeated requests for such subdomains under a single domain are a classic indicator of data exfiltration or covert channel activity, as each query can carry a small payload.

Exam trap

The trap here is that candidates may confuse DNS tunneling with legitimate DNS behavior like load balancing or CDN resolution, but the randomness and repetition of subdomains under a single domain are the key differentiators for malicious covert channels.

How to eliminate wrong answers

Option B is wrong because normal software updates use predictable, vendor-specific domains and do not generate random-looking subdomains; they typically fetch files from known URLs or CDNs. Option C is wrong because password reset workflows involve HTTP/HTTPS traffic to a web application, not DNS queries with random subdomains; DNS is not used to carry password reset data.
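An added example, not part of the original question: a Python heuristic a SOC might run over DNS query logs to surface the pattern described above (many distinct, long, random-looking labels under one registered domain). The log lines, domain names and thresholds are constructed; the registered-domain split is a naive "last two labels" rule rather than a public-suffix lookup, and the thresholds should be tuned against a site's own baseline.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed query log (not from the question), one "timestamp client qtype qname" per line.
# The .test TLD is reserved for testing, so none of these names resolve anywhere.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.vendor.test
2024-05-01T10:00:02 10.0.0.5 A cdn.vendor.test
2024-05-01T10:00:03 10.0.0.5 A api.vendor.test
2024-05-01T10:00:04 10.0.0.7 A telemetry-0001.vendor.test
2024-05-01T10:00:05 10.0.0.7 A telemetry-0002.vendor.test
2024-05-01T10:00:06 10.0.0.7 A telemetry-0003.vendor.test
2024-05-01T10:00:07 10.0.0.5 TXT k3j9x8mq2pz7vd4wnl1fyb6rt5ghc0ue.lookup.example.test
2024-05-01T10:00:08 10.0.0.5 TXT q8w2e7r1t6y5u0i9o4p3a1s2d5f8g7hj.lookup.example.test
2024-05-01T10:00:09 10.0.0.5 TXT z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6.lookup.example.test
2024-05-01T10:00:10 10.0.0.5 TXT m9n8b7v6c5x4z3l2k1j0h9g8f7d6s5a4.lookup.example.test
2024-05-01T10:00:11 10.0.0.5 TXT p0o9i8u7y6t5r4e3w2q1l2k3j4h5g6f7.lookup.example.test
2024-05-01T10:00:12 10.0.0.5 TXT a2s3d4f5g6h7j8k9l0q1w2e3r4t5y6u7.lookup.example.test
"""


def shannon_entropy(label: str) -> float:
    """Bits per character: encoded payloads score high, dictionary words score low."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Return (registered_domain, leftmost_label). Naive: the last two labels are treated
    as the registered domain; a production tool would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]


def profile_domains(log_text: str) -> Dict[str, dict]:
    """Per registered domain: number of distinct leftmost labels queried, their mean
    length and their mean entropy. Tunnels tend to be high on all three at once."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than crash the job
        base, label = split_qname(fields[3])
        if label:
            seen[base].add(label)
    profile = {}
    for base, labels in seen.items():
        profile[base] = {
            "unique_labels": len(labels),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return profile


def flagged_domains(log_text: str, min_unique: int = 5, min_len: int = 20,
                    min_entropy: float = 3.5) -> List[str]:
    """Domains matching the tunneling pattern. All three conditions must hold so that a
    CDN with a few short hostnames, or numbered telemetry hosts, is not flagged."""
    hits = []
    for base, p in profile_domains(log_text).items():
        if (p["unique_labels"] >= min_unique and p["mean_label_len"] >= min_len
                and p["mean_entropy"] >= min_entropy):
            hits.append(base)
    return sorted(hits)


if __name__ == "__main__":
    for base, stats in profile_domains(SAMPLE_LOG).items():
        print(base, stats)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```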

126. Matching (easy)

Match the security need to the best cryptographic solution.

Matches

Use a hash value.

Use symmetric encryption.

Use asymmetric encryption.

Use a digital signature.

Why these pairings

Confidentiality uses encryption; integrity uses hashes; authentication uses certificates; non-repudiation uses signatures; access control uses PKI; availability uses redundancy.

127. MCQ (hard)

Based on the exhibit, what change would best protect the password database against precomputed attacks and make identical passwords less obvious?

A.Encrypt each password with the same server key before storing it in the database.
B.Add a unique salt to each password before hashing it.
C.Use a digital signature on each password record so the database can verify authenticity.
D.Store the password hashes in uppercase so attackers cannot compare them easily.
Answer: B

Salting is the best fix because it adds unique random data to each password before hashing, so identical passwords no longer produce the same stored value. That defeats rainbow tables and makes precomputed attacks far less useful. It also means attackers cannot easily compare two users' hashes to confirm they chose the same password, which improves both security and privacy.

Why this answer

Adding a unique salt to each password before hashing ensures that even if two users have the same password, their hashes will differ. This defeats precomputed attacks like rainbow tables because the attacker would need to compute a separate table for each salt value, which is computationally infeasible. Salting is a standard defense recommended by NIST SP 800-63B and implemented in modern systems like bcrypt, scrypt, and PBKDF2.

Exam trap

The trap here is that candidates often confuse encryption with hashing or think that obfuscation techniques like case changes provide security, when in fact only salting with a unique random value prevents precomputed attacks and hides password equality.

How to eliminate wrong answers

Option A is wrong because encrypting passwords with a server key still allows identical passwords to produce identical ciphertexts, making them obvious to an attacker who obtains the encrypted database; encryption is reversible if the key is compromised, whereas hashing with salt is one-way. Option C is wrong because a digital signature verifies the integrity and authenticity of the password record but does not prevent precomputed attacks or mask identical passwords; it addresses tampering, not password storage security. Option D is wrong because converting hashes to uppercase is a trivial transformation that does not change the underlying hash value; an attacker can simply convert their rainbow table hashes to uppercase and still match identical passwords.

128. MCQ (hard)

A SaaS portal issues signed JWTs in a browser cookie. The help desk confirms a user logged out at 09:10, but SIEM logs show the same token was accepted from a different IP at 09:12 and continued working until the token expired. The application does not keep a server-side revocation list. What weakness is most likely being abused?

A.SQL injection, because the attacker must be manipulating backend database logic to reuse the token.
B.Session hijacking or session abuse, because the attacker can replay a valid token after logout without revocation.
C.Insecure deserialization, because the token is being decoded and reconstructed on the server.
D.Cross-site request forgery, because the request is coming from a different IP address.
Answer: B

This is session hijacking or session abuse because the attacker is using a valid session token outside the original user context. JWTs are often stateless, so if the application does not track revocation, logout may not immediately invalidate a copied token. The cross-IP reuse after logout strongly suggests the token was stolen or replayed and remained acceptable until its normal expiration.

Why this answer

The correct answer is B because the scenario describes a classic session hijacking or session abuse attack. The application issues signed JWTs in cookies and does not maintain a server-side revocation list, meaning once a token is issued, it remains valid until its expiration. Even after the legitimate user logs out at 09:10, the attacker can replay the same JWT from a different IP at 09:12, and the server will accept it because there is no mechanism to invalidate the token.

This lack of revocation is the core weakness being exploited.

Exam trap

The trap here is that candidates may confuse session hijacking with CSRF, but CSRF requires a forged request from a different site, not simply a different IP address, and the key issue is the lack of token revocation after logout.

How to eliminate wrong answers

Option A is wrong because SQL injection involves manipulating database queries through input fields, not replaying a valid JWT; the attacker is not altering backend logic but simply reusing a stolen token. Option C is wrong because insecure deserialization refers to vulnerabilities when untrusted data is deserialized, potentially leading to remote code execution, but JWTs are typically decoded and verified using cryptographic signatures, not deserialized in a way that allows code injection. Option D is wrong because cross-site request forgery (CSRF) exploits the trust a site has in a user's browser by forging requests from a different origin, not by replaying a token from a different IP address; the IP change alone does not indicate CSRF.
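An added illustration, not code from the question bank or from any real portal: a minimal HS256 JWT verifier in Python that shows the weakness and its fix. The stateless check (signature plus expiry) still accepts the token two minutes after logout, while the same check backed by a server-side revocation list keyed on the token's jti rejects it. The secret, subject name and clock values are constructed; times are seconds since midnight.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed timeline matching the scenario (seconds since midnight).
T_0910 = 9 * 3600 + 10 * 60   # user logs out
T_0912 = 9 * 3600 + 12 * 60   # same token accepted from a different IP
TOKEN_TTL = 8 * 3600          # long-lived token, so expiry alone does not help


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, issued_at: int, ttl: int = TOKEN_TTL) -> str:
    """Mint an HS256 JWT with a unique jti so the token can be named in a revocation list."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl,
               "jti": secrets.token_hex(8)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_stateless(secret: bytes, token: str, now: int) -> Optional[Dict]:
    """What the vulnerable portal does: check signature and expiry, keep no server state."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        header = json.loads(unb64url(head))
        payload = json.loads(unb64url(body))
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    if header.get("alg") != "HS256":   # never let the header choose the algorithm
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload


class RevocationList:
    """Server-side denylist of jti values. Entries only need to live until the token
    would have expired anyway, which keeps the list small."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)


def logout(secret: bytes, token: str, now: int, revocations: RevocationList) -> bool:
    """Logout that actually invalidates the token instead of only clearing the cookie."""
    payload = verify_stateless(secret, token, now)
    if payload is None:
        return False
    revocations.revoke(payload["jti"], payload["exp"])
    return True


def verify_with_revocation(secret: bytes, token: str, now: int,
                           revocations: RevocationList) -> Optional[Dict]:
    """The fix: the stateless checks plus a lookup against the revocation list."""
    payload = verify_stateless(secret, token, now)
    if payload is None or revocations.is_revoked(payload.get("jti", "")):
        return None
    return payload
```

A SIEM rule that pairs a logout event with a later acceptance of the same jti (or the same token hash) from another source IP is the detection counterpart of this fix.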

129. Multi-Select (hard)

During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.

Select 2 answers
A.Cross-site request forgery is present because the state-changing request works without a valid anti-CSRF token.
B.Broken access control or IDOR is present because changing customerId reveals another user's invoice.
C.SQL injection is present because the customerId value changes in the URL.
D.Cross-site scripting is present because the invoice data is returned in the browser.
E.Insecure deserialization is present because the request uses JSON-like parameters.
Answers: A, B

If a state-changing request succeeds without a valid anti-CSRF token, the application is not reliably verifying that the request originated from the intended user session. That makes the action vulnerable to cross-site request forgery, where a malicious site can induce a logged-in user to submit an unauthorized request.

Why this answer

Option A is correct because the POST request to /api/address/update succeeds without the anti-CSRF token, which means the application does not validate the origin of the request. This allows an attacker to forge a cross-site request that changes the victim's address without their knowledge, a classic CSRF vulnerability.

Exam trap

The trap here is that candidates confuse IDOR with SQL injection because both involve manipulating a parameter in the URL, but IDOR is about missing access controls, not database injection.

130. MCQ (medium)

After restoring a virtual file server from last night’s backup, users can browse shares, but finance reports that several spreadsheet edits from yesterday are missing. What should the administrator verify next before declaring the restore successful?

A.Whether the backup job used the correct restore point and included the needed transaction logs.
B.Whether the file server antivirus signatures are fully up to date.
C.Whether the share permissions were tightened during the restore.
D.Whether the virtual machine has enough CPU and memory allocated.
Answer: A

This is the best next verification because the missing spreadsheet edits suggest the restore point may be older than the required recovery window, or application-related log data may not have been captured. Confirming the exact backup set, restore timestamp, and transaction log coverage helps determine whether the restore actually meets the business recovery objective. It also shows whether the issue is incomplete backup scope or simple user expectation mismatch.

Why this answer

Option A is correct because the missing spreadsheet edits indicate that the backup may have been taken before those changes were committed. The administrator must verify that the restore point includes the necessary transaction logs (e.g., from a VSS-aware backup or application-consistent snapshot) to recover the most recent data. Without these logs, any edits made after the last full backup are lost, so confirming the correct restore point and log inclusion is the next logical step before declaring success.

Exam trap

The trap here is that candidates assume a successful restore of shares means all data is intact, overlooking the critical distinction between crash-consistent and application-consistent backups and the role of transaction logs in recovering recent changes.

How to eliminate wrong answers

Option B is wrong because antivirus signature updates are unrelated to data loss from a backup restore; they address malware protection, not file version recovery. Option C is wrong because share permissions control access rights, not the content or version of files; tightening permissions during restore would not cause missing edits. Option D is wrong because CPU and memory allocation affect performance, not the integrity or completeness of restored data; insufficient resources might slow access but cannot cause specific edits to vanish.

131. Multi-Select (medium)

A small enterprise is rebuilding its public customer portal. The web front end must be reachable from the internet, the application tier should never be directly exposed, and the database must remain private even if the web server is compromised. Which two design changes best meet those goals? Select two.

Select 2 answers
A.Place the web front end in a DMZ behind a firewall rule allowing only HTTPS from the internet.
B.Put the database on the same subnet as the web front end so internal calls have lower latency.
C.Place the application tier on an internal subnet and allow only the web front end to reach it on the app port.
D.Allow the database to accept connections from the internet if strong passwords are used.
E.Disable all inbound filtering on the DMZ so troubleshooting is simpler.
Answers: A, C

A DMZ is the correct place for the internet-facing web front end because it limits exposure if the server is attacked. Allowing only HTTPS from the internet reduces unnecessary access and supports a tight inbound filtering strategy. This choice fits a common secure web architecture pattern and keeps the higher-value internal systems separate from direct public reach.

Why this answer

Option A is correct because placing the web front end in a DMZ behind a firewall rule that permits only HTTPS (TCP/443) from the internet ensures the public-facing component is isolated from internal networks. This design prevents direct inbound access to the application or database tiers, reducing the attack surface while still allowing legitimate web traffic.

Exam trap

The trap here is that candidates often assume placing the database on the same subnet as the web server improves performance (Option B) without recognizing that it sacrifices security isolation, which is the primary goal in this scenario.

132. MCQ (hard)

Based on the exhibit, what control type is the file integrity monitor providing?

A.Preventive control, because the file monitor stopped the change from occurring.
B.Detective control, because the tool identifies the unauthorized change and alerts the SOC.
C.Corrective control, because the monitor automatically fixed the configuration after the change.
D.Directive control, because the alert tells administrators what they should review next.
Answer: B

Detective control is correct because the tool notices that a protected file changed and notifies the security team. It does not stop the change or restore the original configuration automatically. That means its role is to discover suspicious activity so analysts can investigate and respond. The recorded hashes and alert timing clearly show post-event detection.

Why this answer

A file integrity monitor (FIM) operates by comparing current file hashes against a known good baseline. When it detects a hash mismatch, it generates an alert to the Security Operations Center (SOC). This is a detective control because it identifies and reports the unauthorized change after it has occurred, rather than preventing or automatically correcting it.

Exam trap

The trap here is that candidates confuse the alerting mechanism of a detective control with the action of a preventive or corrective control, mistakenly thinking that because the tool 'monitors' it must be preventing or fixing changes.

How to eliminate wrong answers

Option A is wrong because a file integrity monitor does not stop changes from occurring; it only detects changes after they happen, making it a detective control, not a preventive one. Option C is wrong because corrective controls automatically remediate issues, but a standard FIM does not automatically fix configuration changes; it only alerts. Option D is wrong because directive controls are policies or guidelines that define acceptable behavior, not tools that generate alerts; the alert is a detective function, not a directive one.

133. MCQ (medium)

EDR alerts show a finance laptop spawning an unsigned executable from %AppData%, attempting to read LSASS memory, and making outbound HTTPS connections to a rare domain. The user says they only opened a spreadsheet attachment. What is the best immediate action?

A.Reboot the laptop to clear any malicious process from memory.
B.Isolate the laptop from the network using the EDR platform.
C.Run a full antivirus scan and wait for the results before taking further action.
D.Reset the user's password and keep the laptop online for monitoring.
Answer: B

Network isolation immediately stops outbound command-and-control traffic and reduces the chance of lateral movement. It also preserves the endpoint for later forensics better than powering it off or wiping it. Because the host is still active, isolation is the safest containment step while the team gathers volatile evidence and decides on eradication.

Why this answer

Option B is correct because the EDR alerts indicate a likely credential theft attempt (LSASS read) and C2 communication (rare domain). Isolating the laptop immediately stops data exfiltration and lateral movement, which is the priority before any remediation. Reboot, scan, or password reset would not prevent the attacker from already having access to credentials or the network.

Exam trap

The trap here is that candidates think rebooting or scanning is sufficient, but CompTIA emphasizes that containment (isolation) is the immediate step to stop active compromise before any remediation or investigation.

How to eliminate wrong answers

Option A is wrong because rebooting only clears volatile memory but does not prevent the malware from persisting via the %AppData% executable or re-establishing C2; it also destroys forensic evidence. Option C is wrong because running a full antivirus scan while the laptop remains online allows continued data exfiltration and potential lateral movement; waiting for results wastes critical time. Option D is wrong because resetting the user's password does not remove the malware or stop its outbound C2 traffic, and keeping the laptop online risks further compromise.

134. MCQ (medium)

A business owner asks the security team to compare the cost of two controls for a legacy application in dollar terms. The team estimates the annual chance of a breach, the potential loss per event, and the expected yearly loss after each control is applied. Which risk analysis approach is being used?

A.Qualitative risk analysis
B.Quantitative risk analysis
C.Business impact analysis
D.Risk acceptance
Answer: B

Quantitative analysis uses numeric values such as probability, impact, and annualized loss to compare controls financially.

Why this answer

The question describes a risk analysis that uses dollar values for the annual chance of a breach, potential loss per event, and expected yearly loss after controls are applied. This is the hallmark of quantitative risk analysis, which assigns monetary or numerical values to risk components (e.g., ALE = SLE × ARO) to compare control costs in objective financial terms. The scenario explicitly asks for a cost comparison in dollar terms, which only a quantitative approach can provide.

Exam trap

Cisco often tests the distinction between quantitative and qualitative risk analysis by embedding monetary terms in the scenario, leading candidates to mistakenly choose qualitative analysis when they see subjective-sounding phrases like 'annual chance' without recognizing that dollar values are the key indicator of a quantitative approach.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high/medium/low) rather than specific dollar amounts to assess risk, so it cannot produce the precise cost comparison described. Option C is wrong because business impact analysis (BIA) focuses on identifying critical business functions and their recovery priorities, not on comparing the cost of controls in dollar terms. Option D is wrong because risk acceptance is a risk treatment strategy where the organization acknowledges the risk without implementing additional controls, not a method for analyzing or comparing control costs.

135. Multi-Select (easy)

An employee receives a text message from "IT Help" saying their account will be disabled unless they tap a link and enter a one-time code. Five minutes later, someone calls claiming to be from IT and asks the employee to read back the same code. Which two social engineering delivery methods are used? Select two.

Select 2 answers
A.Smishing
B.Vishing
C.Baiting
D.Whaling
E.Tailgating
Answers: A, B

Smishing is phishing delivered by text message. The message uses urgency, a link, and a request for a one-time code, which are common smishing traits.

Why this answer

Smishing is correct because the initial contact is via SMS text message, which is the defining characteristic of smishing (SMS phishing). The attacker uses a text message to deliver a phishing lure, prompting the employee to tap a link and enter a one-time code.

Exam trap

The trap here is that candidates may confuse smishing with vishing or phishing, but the question explicitly asks for two delivery methods, and the combination of SMS (smishing) and voice call (vishing) is the key distinction.

136. MCQ (easy)

A vulnerability scanner reports a critical issue on a Linux server. The administrator checks the application and confirms the vulnerable package is installed, but the affected feature is not enabled anywhere in production. What should the security team do next?

A.Ignore the finding permanently because the package is installed
B.Validate whether the issue is a false positive or lower-risk finding before prioritizing remediation
C.Immediately shut down the server without further investigation
D.Apply an exception without documenting any compensating controls
Answer: B

When scan results do not match actual exposure, the next step is to validate the finding and confirm real risk.

Why this answer

Option B is correct because the vulnerability scanner reports a critical issue, but the administrator has confirmed the vulnerable package is installed while the affected feature is not enabled in production. This means the actual risk is lower than the scanner's severity rating, as exploitation requires the feature to be active. The security team should validate whether this is a false positive or a lower-risk finding to prioritize remediation efforts appropriately, ensuring resources are allocated to genuine threats.

Exam trap

The trap here is that candidates assume any 'critical' scanner finding must be immediately remediated or ignored, failing to recognize that risk assessment requires verifying the actual exploitability in the specific environment.

How to eliminate wrong answers

Option A is wrong because ignoring a finding permanently without further analysis violates security best practices; the package could be exploited if the feature is inadvertently enabled or if a different attack vector emerges. Option C is wrong because immediately shutting down the server is an overreaction that disrupts production without evidence of active exploitation, and it bypasses proper incident response procedures. Option D is wrong because applying an exception without documenting compensating controls fails to provide a risk acceptance record or mitigation strategy, which is required for auditability and future reference.

137. MCQ (medium)

The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?

A.Sandboxing the attachment in an isolated analysis environment
B.Network access control for unmanaged devices
C.A data loss prevention rule on outbound email
D.An intrusion prevention system placed on the Wi-Fi network
Answer: A

Sandboxing is the best fit because it detonates the attachment in a controlled environment and reveals malicious behavior before users receive it.

Why this answer

A sandbox provides an isolated, controlled environment where the suspicious attachment can be executed and monitored for malicious behavior without risking the production network. This allows the security team to observe dynamic indicators such as file system changes, registry modifications, or outbound connections that signature-based detection might miss. The goal is to analyze the attachment's true intent before deciding whether to deliver it to users.

Exam trap

The trap here is that candidates may confuse signature-based detection with behavioral analysis, thinking that a signature-based tool (like an IPS or antivirus) can analyze unknown threats, when in fact only a sandbox can safely execute and observe the behavior of a suspicious file.

How to eliminate wrong answers

Option B is wrong because Network Access Control (NAC) is used to enforce security policies on devices attempting to connect to the network, not to analyze the behavior of email attachments. Option C is wrong because a Data Loss Prevention (DLP) rule on outbound email is designed to prevent sensitive data from leaving the organization, not to observe the behavior of an incoming attachment. Option D is wrong because an Intrusion Prevention System (IPS) on the Wi-Fi network monitors and blocks malicious network traffic in real time, but it cannot execute or sandbox an email attachment to observe its behavior.

138
Multi-Select, medium

A firewall rule was changed in production to allow a new vendor IP range, and payroll users immediately lost access to an internal service. Which two change-management practices would have reduced the risk of this outage? Select two.

Select 2 answers
A. Test the rule in a staging environment with representative traffic before production deployment.
B. Require a rollback or backout plan that can quickly restore the previous rule set.
C. Make the change during the busiest business hour so the team can observe the effect immediately.
D. Remove logging on the firewall so only the new rule is visible during troubleshooting.
E. Skip approval because the vendor was already known to the organization.

Answers: A, B

Staging validation helps reveal rule-order problems, unintended blocks, and missing dependencies before users are affected. A representative test environment is especially important for firewall changes because small syntax or sequencing errors can have large business impacts. Testing reduces the chance that a production change will break unrelated services.

Why this answer

Option A is correct because testing the firewall rule in a staging environment with representative traffic allows you to validate that the new vendor IP range does not inadvertently block or conflict with existing rules before impacting production. This practice catches misconfigurations—such as an overly broad permit that shadows a deny rule for payroll users—without risking service disruption. Staging mirrors production ACL logic, so you can verify that the rule order and match criteria (e.g., source IP, destination port) behave as intended.

Exam trap

The trap here is that candidates often think testing in staging is unnecessary if the change seems small, or they confuse 'testing' with 'monitoring in production'—but the question specifically asks for practices that reduce risk before the outage occurs.

139
MCQ, medium

A nightly patch script restarts services on 40 Linux servers. Security does not want an administrator to log in interactively, and the script should only have the permissions needed to install approved patches and restart those services. What is the best design?

A. Run the script with a dedicated automation account that has only the required sudo permissions
B. Use the root account for every scheduled execution to avoid permission errors
C. Hard-code the administrator password in the script so it never prompts
D. Ask each server owner to manually patch their system during the maintenance window

Answer: A

This satisfies least privilege while allowing unattended execution. A dedicated automation account can be limited to patching and service restart actions only.

Why this answer

Option A is correct because it follows the principle of least privilege by using a dedicated automation account with only the specific sudo permissions needed to install approved patches and restart services. This prevents interactive login (as the account is configured for non-interactive use) and ensures the script cannot perform unauthorized actions, aligning with security best practices for automated tasks.

Exam trap

The trap here is that candidates may assume root is necessary for scheduled tasks to avoid permission errors, overlooking that dedicated accounts with specific sudo rules can achieve the same goal with far less risk.

How to eliminate wrong answers

Option B is wrong because using the root account for every scheduled execution violates the principle of least privilege, granting full system access to the script, which increases the risk of accidental or malicious damage. Option C is wrong because hard-coding the administrator password in the script is a severe security risk; it exposes credentials in plaintext, allowing anyone with file read access to compromise the account, and it does not address the requirement to prevent interactive login.

140
MCQ, hard

Based on the exhibit, which change best improves accountability while still allowing emergency access? A finance team uses the following shared account on a jump host:

07:55:12 Account=FIN-ADMIN Action=ApproveInvoice Host=JUMP-02 IP=10.30.8.21
07:56:03 Account=FIN-ADMIN Action=ChangeVendorBank Host=JUMP-02 IP=10.30.8.21
07:57:44 Account=FIN-ADMIN Action=ExportReport Host=JUMP-02 IP=10.30.8.21

Note: FIN-ADMIN is used by three finance managers during after-hours support.

A. Require the shared account password to be changed every 24 hours.
B. Replace the shared account with named user accounts, role-based access, and a separate break-glass account for rare emergencies.
C. Enable automatic account lockout after five failed logons.
D. Restrict the jump host by MAC address and subnet only.

Answer: B

Named accounts preserve accountability, role-based access supports least privilege, and break-glass access preserves emergency availability.

Why this answer

Option B is correct because replacing the shared account with named user accounts ensures individual accountability through unique credentials and audit trails, while a separate break-glass account provides emergency access without compromising security. This aligns with the principle of least privilege and non-repudiation, as each finance manager's actions are logged under their own identity, and the break-glass account can be tightly controlled and monitored for rare use.

Exam trap

The trap here is that candidates often choose password rotation (Option A) thinking it improves security, but it fails to address the core issue of non-repudiation and accountability required for audit trails.

How to eliminate wrong answers

Option A is wrong because changing the shared password every 24 hours does not eliminate the lack of individual accountability; multiple users still share the same credentials, so logs cannot distinguish which manager performed which action. Option C is wrong because account lockout after five failed logons addresses brute-force prevention, not accountability or emergency access; it does not solve the shared account issue. Option D is wrong because restricting by MAC address and subnet only controls network-level access, not user identity; it still allows multiple users to share the same FIN-ADMIN account without individual audit trails.

141
MCQ, easy

Based on the exhibit, which control should be installed or expanded to provide the earliest warning of this hazard?

A. Install or expand water-leak sensors under the raised floor and near the pipe path.
B. Add badge readers to every rack so the servers can be tracked physically.
C. Replace the cameras with motion detectors to improve environmental safety.
D. Increase automatic screen lock timeouts on all administrative workstations.

Answer: A

Water-leak sensors provide early warning when moisture reaches vulnerable areas near equipment. The exhibit shows condensation and an increasing humidity condition, so additional leak detection under the raised floor and along the pipe path would alert staff before water damages systems. This is an appropriate environmental-monitoring control for a server or data room.

Why this answer

Water-leak sensors provide the earliest possible warning of a liquid hazard by detecting moisture before it reaches equipment or causes electrical shorts. In a data center with raised floors and pipe paths, these sensors can be placed directly in the path of potential leaks, triggering alerts immediately upon contact with water. This proactive monitoring is critical for preventing costly downtime and equipment damage.

Exam trap

The trap here is that candidates confuse physical security controls (badge readers, cameras) with environmental monitoring controls, failing to recognize that water-leak sensors are the only option that directly detects the specific hazard described.

How to eliminate wrong answers

Option B is wrong because badge readers on racks track physical access to servers, not environmental hazards like water leaks; they address security, not safety. Option C is wrong because motion detectors detect movement, not water or environmental changes; replacing cameras with them would reduce visibility of the actual hazard. Option D is wrong because increasing automatic screen lock timeouts on workstations addresses unauthorized access risks, not environmental monitoring or early warning of water leaks.

142
MCQ, medium

An internal finance application has an RTO of 2 hours and an RPO of 30 minutes. Current backups restore in about 6 hours because the team must rebuild the server from scratch. Which change best aligns the recovery design to the business requirement?

A. Add a warm standby or replicated recovery system that can be brought online within the RTO
B. Keep the same design and simply increase backup retention
C. Switch to weekly full backups only
D. Reduce logging on the application server to improve restore speed

Answer: A

A standby or replicated system shortens recovery time and better matches the business need for fast restoration after an outage.

Why this answer

The business requires an RTO of 2 hours and an RPO of 30 minutes, but current backups take 6 hours to restore because the server must be rebuilt from scratch. Adding a warm standby or replicated recovery system allows the application to be brought online within the RTO by maintaining a pre-configured, partially synchronized environment that can be activated quickly, reducing recovery time from hours to minutes. This aligns the recovery design with the business continuity requirements by meeting both the RTO and RPO targets.

Exam trap

The trap here is that candidates may think increasing backup frequency or retention solves the RTO problem, but RTO is about recovery time, not data loss tolerance (RPO), and only a pre-staged recovery system like a warm standby can reduce the time to bring the application online.

How to eliminate wrong answers

Option B is wrong because increasing backup retention only extends the history of backups, not the speed of recovery; it does nothing to address the 6-hour restore time that violates the 2-hour RTO. Option C is wrong because switching to weekly full backups only increases the RPO to up to 7 days, far exceeding the required 30-minute RPO, and does not improve restore speed. Option D is wrong because reducing logging on the application server may slightly decrease backup size but does not eliminate the need to rebuild the server from scratch, and it can compromise audit trails and security monitoring.

143
Matching, medium

Match each audit request to the best evidence artifact.

1. Auditors want proof that managers reviewed privileged access last quarter.
2. Auditors want evidence that an emergency firewall change was approved before implementation.
3. Auditors want to verify that annual security training was completed by staff.
4. Auditors want to confirm that records were deleted after the retention period expired.

Answers

1. Access review attestation report
2. Approved change ticket
3. LMS completion export
4. Retention deletion log

Why these pairings

Each audit request requires specific evidence: access reviews show manager sign-offs, change requests prove pre-approval, training records confirm completion, and deletion logs demonstrate data disposal per policy.

144
MCQ, medium

A marketing analyst asks for a spreadsheet containing customer names, email addresses, purchase history, and government ID numbers so the team can build a campaign list. What is the BEST security response?

A. Approve the request because the data is needed for any marketing activity.
B. Provide only the minimum fields required and remove the government ID numbers.
C. Send the full file, but ask the analyst not to store it permanently.
D. Classify the file as public so it can be shared more easily with the marketing team.

Answer: B

This follows data minimization and handling requirements by sharing only what is necessary for the business purpose. Government ID numbers are highly sensitive and are not needed for a typical marketing campaign. Limiting the dataset reduces privacy exposure, lowers compliance risk, and helps ensure the data is used appropriately.

Why this answer

The best security response is to apply the principle of least privilege and data minimization. Government ID numbers are sensitive personally identifiable information (PII) that are not necessary for building a marketing campaign list; providing only the minimum required fields (e.g., names and email addresses) reduces the risk of exposure and complies with data protection regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates may think 'asking not to store it permanently' is a sufficient control, but the SY0-701 exam emphasizes that administrative controls without technical enforcement (like DLP policies or data classification labels) are ineffective against data leakage.

How to eliminate wrong answers

Option A is wrong because approving the request without any data reduction violates the principle of least privilege and exposes unnecessary sensitive PII, which could lead to compliance violations and data breaches. Option C is wrong because sending the full file with only a verbal request not to store it permanently provides no technical enforcement; data can be easily copied, stored, or leaked, and this approach ignores the need for access controls and data classification. Option D is wrong because classifying the file as public would allow unrestricted access to sensitive PII, directly contradicting security policies and data protection requirements.

145
MCQ, easy

An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?

A. A simple file copy of the user folder
B. A full forensic image taken with a write blocker
C. A compressed archive of the desktop contents
D. The original drive mounted normally on the investigator machine

Answer: B

This is the best answer because a forensic image creates a bit-for-bit copy of the drive while a write blocker prevents accidental changes to the original media. That combination preserves evidentiary integrity and allows the investigator to analyze the copy safely. It is the standard approach when the original disk may later be needed in court or for formal review.

Why this answer

A full forensic image taken with a write blocker is the correct method because it creates a bit-for-bit copy of the entire drive, including all partitions, unallocated space, and metadata, without altering the original media. The write blocker hardware or software ensures that no write commands reach the suspect drive, preserving its integrity for legal and evidentiary purposes. This approach is required by forensic standards such as NIST SP 800-86 and ensures the copy is admissible as evidence.

Exam trap

The trap here is that candidates confuse a simple file copy or archive with a forensically sound image, overlooking the need for a bit-for-bit copy and write protection to preserve evidence integrity.

How to eliminate wrong answers

Option A is wrong because a simple file copy of the user folder only captures visible files, not deleted data, file system metadata, or unallocated space, and it does not prevent writes to the original drive. Option C is wrong because a compressed archive of the desktop contents similarly omits critical forensic artifacts like slack space, partition tables, and hidden data, and it does not use a write blocker to protect the original media. Option D is wrong because mounting the original drive normally on the investigator machine allows the operating system to write to the drive (e.g., updating timestamps, logs, or file system metadata), which alters the evidence and violates forensic best practices.

146
MCQ, easy

Employees in a server room often prop the door open while carrying equipment. What control best helps detect and prevent this behavior?

A. Install a door-ajar alarm and use a self-closing door mechanism.
B. Add more desk chairs outside the server room for convenience.
C. Increase the screen brightness on the monitoring workstation.
D. Move backup tapes to a nearby shelf for easier access.

Answer: A

A door-ajar alarm combined with a self-closing mechanism directly addresses the problem by alerting staff when the door is left open and reducing the chance that it stays open. This is a practical physical security control because it supports both detection and prevention. It helps protect restricted areas without relying only on user behavior.

Why this answer

A door-ajar alarm provides immediate notification when the door is left open, while a self-closing door mechanism physically ensures the door closes automatically after each use. Together, they directly address the behavior of propping the door open by both detecting the violation and preventing it from remaining open, which is critical for maintaining physical security controls in a server room.

Exam trap

The trap here is that candidates may choose a convenience-based option (like adding chairs or moving tapes) thinking it addresses the root cause, but the question specifically asks for a control that both detects and prevents the behavior, which only a combination of a door-ajar alarm and a self-closing mechanism achieves.

How to eliminate wrong answers

Option B is wrong because adding more desk chairs outside the server room does not detect or prevent the door from being propped open; it only addresses convenience, not security. Option C is wrong because increasing screen brightness on the monitoring workstation has no effect on door position or access control; it is a display setting unrelated to physical security. Option D is wrong because moving backup tapes to a nearby shelf does not prevent or detect the door being propped open; it only changes storage location and could even increase risk by placing sensitive media outside the secure area.

147
Multi-Select, medium

An HR analyst must share a spreadsheet with an external auditor. The spreadsheet includes employee names, Social Security numbers, bank account numbers, and salary data, but the auditor only needs employee names and total payroll. Which three actions best protect the data? Select three.

Select 3 answers
A. Remove fields the auditor does not need before sharing the file.
B. Send the file using an encrypted transfer method.
C. Share the file only with the named auditor account or approved firm contact.
D. Leave the full spreadsheet intact because the auditor requested a copy.
E. Post the spreadsheet in a shared public portal for easier access.

Answers: A, B, C

Data minimization reduces exposure by sharing only the information required for the audit task.

Why this answer

Option A is correct because removing unnecessary fields (e.g., Social Security numbers, bank account numbers) before sharing the spreadsheet minimizes the exposure of sensitive personally identifiable information (PII) and financial data. This practice, known as data minimization, aligns with the principle of least privilege and reduces the risk of unauthorized access or data breach. By stripping out extraneous columns, the HR analyst ensures the auditor receives only the required data (employee names and total payroll), thereby protecting the organization from compliance violations under regulations like GDPR or PCI DSS.

Exam trap

The trap here is that candidates may think leaving the full spreadsheet intact is acceptable because the auditor 'requested a copy,' but CompTIA tests the principle of least privilege and data minimization, meaning you must always remove unnecessary sensitive data before sharing with external parties.

148
Multi-Select, medium

A SIEM alert shows five failed logins to a SaaS admin portal from one IP, followed by a successful login from a new city three minutes later. Which two actions are the best next steps for the analyst to validate the event before containment? Select two.

Select 2 answers
A. Review the identity provider and MFA logs to confirm the successful login came from the same account and device context.
B. Correlate the source IP with corporate VPN, CASB, or known cloud egress ranges.
C. Immediately disable the SaaS platform for every user until the investigation is finished.
D. Reimage the user’s laptop immediately to remove any possible malware.
E. Delete the failed login records to reduce noise in the SIEM.

Answers: A, B

This is the best first validation step because identity provider logs can confirm whether the login sequence used the expected MFA method, device, and authentication path. It helps distinguish suspicious access from legitimate use, such as a new browser session or a reauthentication event. Correlating the alert with authoritative identity logs also reduces reliance on a single SIEM record and improves triage accuracy.

Why this answer

Option A is correct because reviewing the identity provider (IdP) and MFA logs allows the analyst to verify whether the successful login originated from the same user account and device context as the failed attempts. This step is critical to determine if the successful login was an attacker who bypassed MFA or a legitimate user who eventually succeeded, providing evidence of account compromise or a false positive.

Exam trap

The trap here is that candidates may rush to containment (Option C) without first performing validation steps, failing to recognize that the question specifically asks for actions to 'validate the event before containment'.
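Carrying out options A and B over constructed logs, as an added example that is not part of the question bank: the function correlates the SaaS alert with an IdP/MFA record for the same sign-in and checks the source IP against a table of known corporate egress ranges. Account names, IPs, cities, the CIDR ranges and the enrolled-device table are all assumed.

```python
# Added example (not part of the question bank): replay the validation steps
# from options A and B over constructed logs in a "ts Key=Value ..." layout.
# Accounts, IPs, cities and CIDR ranges below are made up for illustration.
import ipaddress
from datetime import datetime

# Constructed SaaS portal audit log: five failures, then a success elsewhere.
SAAS_LOG = """\
2024-05-02T07:50:01 Account=j.doe Result=FAIL City=Austin IP=198.51.100.7
2024-05-02T07:50:08 Account=j.doe Result=FAIL City=Austin IP=198.51.100.7
2024-05-02T07:50:15 Account=j.doe Result=FAIL City=Austin IP=198.51.100.7
2024-05-02T07:50:22 Account=j.doe Result=FAIL City=Austin IP=198.51.100.7
2024-05-02T07:50:29 Account=j.doe Result=FAIL City=Austin IP=198.51.100.7
2024-05-02T07:53:10 Account=j.doe Result=SUCCESS City=Dublin IP=203.0.113.44
"""
# Constructed identity-provider log covering the same sign-in (option A).
IDP_LOG = """\
2024-05-02T07:53:09 Account=j.doe Device=LAPTOP-1138 MFA=push Result=SUCCESS IP=203.0.113.44
"""
# Constructed corporate VPN / cloud egress ranges (option B).
KNOWN_EGRESS = {
    "corp-vpn-eu": ipaddress.ip_network("203.0.113.0/24"),
    "corp-vpn-us": ipaddress.ip_network("192.0.2.0/24"),
}
# Devices enrolled per account; in practice this comes from MDM or the IdP.
ENROLLED_DEVICES = {"j.doe": {"LAPTOP-1138"}}


def parse(log):
    """Turn each 'ts Key=Value ...' line into a dict with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def egress_match(ip):
    """Name of the known corporate egress range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in KNOWN_EGRESS.items() if addr in net), None)


def validate_alert(saas_log, idp_log, account, fail_threshold=5):
    """Gather the context an analyst checks before any containment step."""
    saas = [e for e in parse(saas_log) if e["Account"] == account]
    fails = [e for e in saas if e["Result"] == "FAIL"]
    success = next((e for e in saas if e["Result"] == "SUCCESS"), None)
    if success is None or len(fails) < fail_threshold:
        return {"verdict": "no-pattern"}
    minutes = (success["ts"] - fails[-1]["ts"]).total_seconds() / 60
    # Option A: does an IdP record for the same account, IP and minute
    # show a completed MFA challenge from an enrolled device?
    idp = [e for e in parse(idp_log)
           if e["Account"] == account and e["IP"] == success["IP"]
           and abs((e["ts"] - success["ts"]).total_seconds()) <= 60]
    mfa_ok = any(e.get("MFA", "none") != "none" and e["Result"] == "SUCCESS"
                 for e in idp)
    known_device = any(e.get("Device") in ENROLLED_DEVICES.get(account, set())
                       for e in idp)
    # Option B: is the successful login's IP a corporate egress address?
    egress = egress_match(success["IP"])
    if mfa_ok and known_device and egress:
        verdict = "likely-benign"      # consistent with a VPN reconnect
    elif not mfa_ok:
        verdict = "likely-compromise"  # success with no MFA evidence at all
    else:
        verdict = "needs-review"
    return {
        "verdict": verdict,
        "failed_attempts": len(fails),
        "minutes_to_success": round(minutes, 1),
        "new_city": success["City"] not in {e["City"] for e in fails},
        "mfa_confirmed": mfa_ok,
        "known_device": known_device,
        "egress_range": egress,
    }
```

With these inputs `validate_alert(SAAS_LOG, IDP_LOG, "j.doe")` returns likely-benign, because the IdP shows a completed push MFA from an enrolled device and the IP sits in a VPN egress range; change MFA=push to MFA=none in IDP_LOG and the verdict becomes likely-compromise.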

149
MCQ, medium

A help desk manager wants sample customer tickets copied into a test environment so developers can reproduce support issues. The tickets include names, phone numbers, and account details. Which action best reduces privacy exposure while still supporting testing?

A. Export the full tickets because the developers need realistic records.
B. Mask or tokenize the personal data and restrict access to approved testers only.
C. Copy the tickets to a shared cloud drive and protect it with a simple password.
D. Remove the account numbers only and leave the rest of the ticket untouched.

Answer: B

Masking or tokenizing personal data follows privacy-by-design principles by reducing exposure while preserving enough structure for testing. Limiting access further reduces the chance of improper handling. This approach allows developers to reproduce issues without using unnecessary real customer information, which supports data minimization and secure sharing requirements.

Why this answer

Option B is correct because masking or tokenizing personal data (e.g., replacing names with pseudonyms, scrambling phone numbers) ensures that developers can work with realistic data structures without exposing personally identifiable information (PII). Restricting access to approved testers further enforces the principle of least privilege, which is a core security control for test environments. This approach balances the need for functional testing with compliance requirements like GDPR or HIPAA.

Exam trap

The trap here is that candidates may choose Option A, thinking that 'realistic records' are essential for testing, without recognizing that realistic data can be achieved through masking rather than exposing raw PII.

How to eliminate wrong answers

Option A is wrong because exporting full tickets with unredacted PII directly violates data minimization and exposes sensitive data unnecessarily, increasing the risk of a breach even in a test environment. Option C is wrong because copying tickets to a shared cloud drive with only a simple password lacks encryption, access controls, and audit logging, which are essential for protecting PII; a simple password is easily compromised and does not meet security best practices for handling sensitive data.

150
MCQ, medium

A customer service application shows the same session ID being used from two countries within five minutes. The legitimate user did not report a password change, but an order shipping address was modified successfully without reauthentication. What attack pattern is most likely?

A. Broken authentication, because the application failed to verify the user again.
B. Session abuse, because a stolen or replayed session token allowed unauthorized actions.
C. Cross-site request forgery, because the attacker may have tricked the browser into sending a request.
D. Credential stuffing, because the account was likely accessed using reused passwords.

Answer: B

Session abuse is the best fit when an attacker reuses a valid token or session ID to impersonate a user. The address change without reauthentication strongly suggests the attacker hijacked an active session instead of successfully guessing a password.

Why this answer

The simultaneous use of the same session ID from two different countries within five minutes, combined with a successful address change without reauthentication, indicates that an attacker has obtained and reused the legitimate user's session token. This is session abuse, where the attacker leverages a stolen or replayed session token to perform unauthorized actions, bypassing the need for credentials or reauthentication.

Exam trap

The trap here is that candidates confuse session abuse with broken authentication, but the key distinction is that the session token was already valid and reused, not that the authentication mechanism itself was flawed during login.

How to eliminate wrong answers

Option A is wrong because broken authentication typically refers to flaws in the login or credential verification process, not the reuse of a valid session token; the application did verify the user initially, but failed to detect token theft or enforce reauthentication for sensitive actions. Option C is wrong because cross-site request forgery (CSRF) relies on tricking the user's browser into making an unintended request using the user's existing session, but the scenario describes the same session ID being used from two different countries, which is a sign of token theft, not a forged request from the user's browser. Option D is wrong because credential stuffing involves using stolen username/password pairs to gain access, but the session ID is already active and the password was not changed, indicating the attacker bypassed authentication entirely by reusing the session token.
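The pattern in this question as detection logic, an added example that is not from the question bank: it groups constructed application log lines by session ID, flags a session seen from two countries within five minutes or a sensitive action completed without reauthentication, and includes the server-side step-up gate that would have stopped the address change. Session IDs, accounts, countries and the list of sensitive actions are assumed.

```python
# Added example (not part of the question bank): flag one session ID used
# from two countries within a short window and sensitive actions completed
# without reauthentication, then show the step-up gate that closes the gap.
# Session IDs, accounts, countries and SENSITIVE_ACTIONS are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that should demand a fresh reauthentication however valid the
# session cookie looks (assumed policy list).
SENSITIVE_ACTIONS = {"ChangeShippingAddress", "ChangePassword", "AddPayee"}

# Constructed application log in the same 'ts Key=Value' layout as the
# exhibit earlier on this page; Reauth records whether a step-up challenge
# was completed before the action.
APP_LOG = """\
2024-05-02T09:00:10 Session=7f3a1c Account=m.lee Action=ViewOrders Country=US Reauth=no
2024-05-02T09:02:41 Session=7f3a1c Account=m.lee Action=ViewOrders Country=BR Reauth=no
2024-05-02T09:04:05 Session=7f3a1c Account=m.lee Action=ChangeShippingAddress Country=BR Reauth=no
2024-05-02T09:30:00 Session=c0ffee Account=s.kim Action=ViewOrders Country=US Reauth=no
2024-05-02T09:31:12 Session=c0ffee Account=s.kim Action=ChangeShippingAddress Country=US Reauth=yes
"""


def parse(log):
    """Turn each 'ts Key=Value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def find_session_abuse(log, window=timedelta(minutes=5)):
    """Return {session_id: {'account': ..., 'flags': [...]}} for suspect sessions.

    'concurrent-countries': consecutive events from different countries less
    than `window` apart (one token apparently in two places at once).
    'sensitive-without-reauth': a SENSITIVE_ACTIONS entry ran with Reauth=no.
    """
    by_session = defaultdict(list)
    for ev in parse(log):
        by_session[ev["Session"]].append(ev)

    findings = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        flags = set()
        for prev, cur in zip(events, events[1:]):
            if (prev["Country"] != cur["Country"]
                    and cur["ts"] - prev["ts"] <= window):
                flags.add("concurrent-countries")
        for ev in events:
            if ev["Action"] in SENSITIVE_ACTIONS and ev["Reauth"] != "yes":
                flags.add("sensitive-without-reauth")
        if flags:
            findings[sid] = {"account": events[0]["Account"],
                             "flags": sorted(flags)}
    return findings


def classify(flags):
    """Name the pattern the way the answer options distinguish them."""
    if "concurrent-countries" in flags:
        return "session-abuse"      # a valid token replayed from elsewhere
    if "sensitive-without-reauth" in flags:
        return "missing-step-up"    # a policy gap, not proof of a hijack
    return "none"


def allow_sensitive_action(action, seconds_since_reauth, max_age_s=600):
    """Server-side gate: a sensitive action needs a reauthentication newer
    than max_age_s seconds; any other action proceeds on the session alone."""
    if action not in SENSITIVE_ACTIONS:
        return True
    return seconds_since_reauth <= max_age_s
```

With APP_LOG only session 7f3a1c is returned, carrying both flags, and classify() names it session-abuse; session c0ffee changed an address too, but after a recorded reauthentication, so it is not flagged.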
