Practice Free SY0-601 Exam Online Questions
A network administrator deployed a DNS logging tool that logs suspicious websites that are visited and then sends a daily report based on various weighted metrics.
Which of the following best describes the type of control the administrator put in place?
- A . Preventive
- B . Deterrent
- C . Corrective
- D . Detective
A security engineer is hardening existing solutions to reduce application vulnerabilities.
Which of the following solutions should the engineer implement FIRST? (Select TWO)
- A . Auto-update
- B . HTTP headers
- C . Secure cookies
- D . Third-party updates
- E . Full disk encryption
- F . Sandboxing
- G . Hardware encryption
AF
Explanation:
Auto-update can help keep the app up-to-date with the latest security fixes and enhancements, and reduce the risk of exploitation by attackers who target outdated or vulnerable versions of the app. Sandboxing can help isolate the app from other processes and resources on the system, and limit its access and permissions to only what is necessary. Sandboxing can help prevent the app from being affected by or affecting other applications or system components, and contain any potential damage in case of a breach.
Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?
- A . SSAE SOC 2
- B . PCI DSS
- C . GDPR
- D . ISO 31000
A company uses a drone for precise perimeter and boundary monitoring.
Which of the following should be MOST concerning to the company?
- A . Privacy
- B . Cloud storage of telemetry data
- C . GPS spoofing
- D . Weather events
A
Explanation:
The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture video and images of individuals on or near the monitored premises. The company should take measures to ensure that privacy rights are not violated.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 8
A security engineer needs to implement an MDM solution that complies with the corporate mobile device policy.
The policy states that in order for mobile users to access corporate resources on their devices, the following requirements must be met:
✑ Mobile device OSs must be patched up to the latest release.
✑ A screen lock must be enabled (passcode or biometric).
✑ Corporate data must be removed if the device is reported lost or stolen.
Which of the following controls should the security engineer configure? (Select two).
- A . Disable firmware over-the-air
- B . Storage segmentation
- C . Posture checking
- D . Remote wipe
- E . Full device encryption
- F . Geofencing
CD
Explanation:
Posture checking and remote wipe are two controls that the security engineer should configure to comply with the corporate mobile device policy. Posture checking is a process that verifies if a mobile device meets certain security requirements before allowing it to access corporate resources. For example, posture checking can check if the device OS is patched up to the latest release and if a screen lock is enabled. Remote wipe is a feature that allows the administrator to erase all data from a mobile device remotely, in case it is lost or stolen. This can prevent unauthorized access to corporate data on the device.
At the start of a penetration test, the tester checks OSINT resources for information about the client environment.
Which of the following types of reconnaissance is the tester performing?
- A . Active
- B . Passive
- C . Offensive
- D . Defensive
An enterprise has been experiencing attacks focused on exploiting vulnerabilities in older browser versions with well-known exploits.
Which of the following security solutions should be configured to best provide the ability to monitor and block these known signature-based attacks?
- A . ACL
- B . DLP
- C . IDS
- D . IPS
A company wants to ensure that all devices are secured properly through the MDM solution so that, if remote wipe fails, the data will still be inaccessible offline.
Which of the following would need to be configured?
- A . Full device encryption
- B . Geolocation
- C . Screen locks
- D . Content management
A company is auditing the manner in which its European customers’ personal information is handled.
Which of the following should the company consult?
- A . GDPR
- B . ISO
- C . NIST
- D . PCI DSS
A
Explanation:
GDPR stands for General Data Protection Regulation, which is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects. GDPR aims to protect the privacy and rights of EU citizens and residents regarding their personal data. GDPR defines personal data as any information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifiers, or any factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. A company that is auditing the manner in which its European customers’ personal information is handled should consult GDPR to ensure compliance with its rules and obligations.
Reference:
https://www.gdpreu.org/the-regulation/key-concepts/personal-data/
https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/
A junior human resources administrator was gathering data about employees to submit to a new company awards program. The employee data included job title, business phone number, location, first initial with last name, and race.
Which of the following best describes this type of information?
- A . Sensitive
- B . Non-PII
- C . Private
- D . Confidential
B
Explanation:
Non-PII stands for non-personally identifiable information, which is any data that does not directly identify a specific individual. Non-PII can include information such as job title, business phone number, location, first initial with last name, and race. Non-PII can be used for various purposes, such as statistical analysis, marketing, or research. However, non-PII may still pose some privacy risks if it is combined or linked with other data that can reveal an individual’s identity.
Reference:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.investopedia.com/terms/n/non-personally-identifiable-information-npii.asp