Practice Free SY0-701 Exam Online Questions
A Chief Information Security Officer wants to monitor the company’s servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring.
Which of the following strategies would best accomplish this goal?
- A . Logging all NetFlow traffic into a SIEM
- B . Deploying network traffic sensors on the same subnet as the servers
- C . Logging endpoint and OS-specific security logs
- D . Enabling full packet capture for traffic entering and exiting the servers
D
Explanation:
Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, pages 372-373
A security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization’s network.
Which of the following fulfills this request?
- A . access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
- B . access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
- C . access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
- D . access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
B
Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet passing through the firewall. A firewall rule consists of several elements, such as the action, the protocol, the source address, the destination address, and the port number. The syntax of a firewall rule varies with the type and vendor of the firewall, but the basic logic is the same. In this question, the security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization’s network. This means that the action should be deny, the protocol should be any (ip, meaning any IP protocol), the source address should be 10.1.4.9/32 (a single IP address), the destination address should be 0.0.0.0/0 (any IP address), and the port number should be any.
Therefore, the correct firewall rule is:
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
This rule matches any packet whose source IP address is 10.1.4.9 and drops it. The other options are incorrect because they have the wrong action, the wrong source address, or the wrong destination address. Option A has the source and destination addresses reversed, so it would block any packet whose destination IP address is 10.1.4.9, which is not the intended goal. Option C has the wrong action, permit, so it would allow the packet through the firewall, which is also not the intended goal. Option D has the same problem as option A, with the source and destination addresses reversed, and the wrong action as well.
Reference: Firewall Rules - CompTIA Security+ SY0-401: 1.2, Firewalls - SY0-601 CompTIA Security+: 3.3, Firewalls - CompTIA Security+ SY0-501, Understanding Firewall Rules - CompTIA Network+ N10-005: 5.5, Configuring Windows Firewall - CompTIA A+ 220-1102 - 1.6.
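An added example, not from the page or the exam vendor, that evaluates each of the four candidate rules in the question's pseudo-syntax against sample packets using first-match ACL semantics. It assumes a permit-by-default for unmatched traffic, treats `ip` as "any protocol", and uses constructed internal addresses (192.0.2.10, 192.0.2.25) and a constructed second external host (203.0.113.7):

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    proto: str        # "ip" = any IP protocol; not evaluated further here
    source: str       # CIDR the packet's source address must fall in
    destination: str  # CIDR the packet's destination address must fall in

def parse_rule(text: str) -> Rule:
    # Exam pseudo-syntax: access-list inbound <action> <proto> source <cidr> destination <cidr>
    parts = text.split()
    well_formed = (len(parts) == 8 and parts[:2] == ["access-list", "inbound"]
                   and parts[4] == "source" and parts[6] == "destination")
    if not well_formed:
        raise ValueError(f"unrecognized rule: {text}")
    return Rule(parts[2], parts[3], parts[5], parts[7])

def matches(rule: Rule, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination))

def evaluate(rules, src: str, dst: str, default: str = "permit") -> str:
    # First matching rule wins; unmatched traffic gets the assumed default action.
    for rule in rules:
        if matches(rule, src, dst):
            return rule.action
    return default

# The four answer options from the question, with "ip" as the any-protocol keyword.
OPTIONS = {
    "A": "access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32",
    "B": "access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "C": "access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0",
    "D": "access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32",
}
INTERNAL_HOSTS = ("192.0.2.10", "192.0.2.25")  # constructed internal addresses

def blocks_only_attacker(rule_text: str, attacker: str = "10.1.4.9") -> bool:
    """True when the rule denies every inbound packet from the attacker to any
    internal host and still lets an unrelated external host (constructed) through."""
    rule = parse_rule(rule_text)
    attacker_denied = all(evaluate([rule], attacker, h) == "deny" for h in INTERNAL_HOSTS)
    other_allowed = evaluate([rule], "203.0.113.7", INTERNAL_HOSTS[0]) == "permit"
    return attacker_denied and other_allowed

def correct_options() -> list:
    return [label for label, text in OPTIONS.items() if blocks_only_attacker(text)]
```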
A security analyst receives an alert from a corporate endpoint used by employees to issue visitor badges.
The alert contains the following details:
Which of the following best describes the indicator that triggered the alert?
- A . Blocked content
- B . Brute-force attack
- C . Concurrent session usage
- D . Account lockout
B
Explanation:
The activity described in the table, where multiple connection attempts are made on port 445 (used for SMB services), suggests a brute-force attack. The attacker likely used automated methods to guess credentials, causing multiple failures. Such attempts are a hallmark of brute-force attacks targeting shared resources.
Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: "Indicators of Malicious Activity".
After a security incident, a systems administrator asks the company to buy a NAC platform.
Which of the following attack surfaces is the systems administrator trying to protect?
- A . Bluetooth
- B . Wired
- C . NFC
- D . SCADA
B
Explanation:
A NAC (network access control) platform is a technology that enforces security policies on devices that attempt to access a network. A NAC platform can verify the identity, role, and compliance of the devices, and grant or deny access based on predefined rules. A NAC platform can protect both wired and wireless networks, but in this scenario, the systems administrator is trying to protect the wired attack surface, which is the set of vulnerabilities that can be exploited through a physical connection to the network.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 5, page 189; CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 5, page 237.
A security manager is implementing MFA and patch management.
Which of the following would best describe the control type and category? (Select two).
- A . Physical
- B . Managerial
- C . Detective
- D . Administrator
- E . Preventative
- F . Technical
E, F
Explanation:
Multi-Factor Authentication (MFA) and patch management are both examples of preventative and technical controls. MFA prevents unauthorized access by requiring multiple forms of verification, and patch management ensures that systems are protected against vulnerabilities by applying updates.
Both of these controls are implemented using technical methods, and they work to prevent security incidents before they occur.
Reference: CompTIA Security+ SY0-701 Course Content: Domain 1: General Security Concepts, and Domain 4: Identity and Access Management, which cover the implementation of preventative and technical controls.
A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network.
Which of the following should the team do first to secure the environment?
- A . Contain the impacted hosts
- B . Add the malware to the application blocklist
- C . Segment the core database server
- D . Implement firewall rules to block outbound beaconing
A
Explanation:
The first step in responding to a cybersecurity incident, particularly when malware is detected, is to contain the impacted hosts. This action prevents the spread of malware to other parts of the network, limiting the potential damage while further investigation and remediation actions are planned.
Reference: CompTIA Security+ SY0-701 study materials, particularly on incident response procedures and the importance of containment in managing security incidents.
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
- A . Creating a firewall rule to allow HTTPS traffic
- B . Configuring the IPS to allow shopping
- C . Tuning the DLP rule that detects credit card data
- D . Updating the categorization in the content filter
D
Explanation:
A content filter is a device or software that blocks or allows access to web content based on predefined rules or categories. In this case, the new retail website is mistakenly categorized as gambling by the content filter, which prevents users from accessing it. To resolve this issue, the content filter’s categorization needs to be updated to reflect the correct category of the website, such as shopping or retail. This will allow the content filter to allow access to the website instead of blocking it.
Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3: Technologies and Tools, page 122. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 3: Technologies and Tools, page 122.
The security operations center is researching an event concerning a suspicious IP address. A security analyst looks at the following event logs and discovers that a significant portion of the user accounts have experienced failed log-in attempts when authenticating from the same IP address:
Which of the following most likely describes the attack that took place?
- A . Spraying
- B . Brute-force
- C . Dictionary
- D . Rainbow table
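An added example, not part of the page, that separates the two log patterns behind the port-445 alert question above and this question: one source failing repeatedly against a single account is brute force, while one source failing once or twice against many different accounts is spraying. The log format, field names, addresses and thresholds are all constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page); one line per attempt.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=198.51.100.5 user=alice result=FAIL port=445
2024-05-01T09:00:02 src=198.51.100.5 user=bob result=FAIL port=445
2024-05-01T09:00:03 src=198.51.100.5 user=carol result=FAIL port=445
2024-05-01T09:00:04 src=198.51.100.5 user=dave result=FAIL port=445
2024-05-01T09:00:05 src=198.51.100.5 user=erin result=FAIL port=445
2024-05-01T09:00:06 src=198.51.100.5 user=frank result=FAIL port=445
2024-05-01T09:01:00 src=203.0.113.9 user=badge-kiosk result=FAIL port=445
2024-05-01T09:01:01 src=203.0.113.9 user=badge-kiosk result=FAIL port=445
2024-05-01T09:01:02 src=203.0.113.9 user=badge-kiosk result=FAIL port=445
2024-05-01T09:01:03 src=203.0.113.9 user=badge-kiosk result=FAIL port=445
2024-05-01T09:01:04 src=203.0.113.9 user=badge-kiosk result=FAIL port=445
2024-05-01T09:02:00 src=192.0.2.3 user=alice result=FAIL port=445
2024-05-01T09:02:05 src=192.0.2.3 user=alice result=OK port=445
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+) port=(?P<port>\d+)")

def failures_by_source(log_text: str, port: int = 445) -> dict:
    """Map source IP -> {account: failed-attempt count} for attempts against `port`."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "FAIL" and int(m["port"]) == port:
            per_src[m["src"]][m["user"]] += 1
    return per_src

def classify(per_src: dict, brute_threshold: int = 5,
             spray_accounts: int = 5, spray_max_each: int = 2) -> dict:
    """Brute force: one account failed >= brute_threshold times from a source.
    Spraying: the source failed against >= spray_accounts distinct accounts,
    at most spray_max_each times each. Thresholds are assumptions for the sample."""
    labels = {}
    for src, accounts in per_src.items():
        worst = max(accounts.values())
        if worst >= brute_threshold:
            labels[src] = "brute-force"
        elif len(accounts) >= spray_accounts and worst <= spray_max_each:
            labels[src] = "spraying"
        else:
            labels[src] = "normal"
    return labels

def classify_log(log_text: str) -> dict:
    return classify(failures_by_source(log_text))
```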
A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks.
SIEM alerts have not yet been configured.
Which of the following best describes what the security analyst should do to identify this behavior?
- A . Digital forensics
- B . E-discovery
- C . Incident response
- D . Threat hunting
D
Explanation:
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat intelligence, and incident response. Threat hunting can also help improve the security posture of an organization by providing feedback and recommendations for security improvements.
Reference: CompTIA Security+ Certification Exam Objectives, Domain 4.1: Given a scenario, analyze potential indicators of malicious activity. CompTIA Security+ Study Guide (SY0-701), Chapter 4: Threat Detection and Response, page 153. Threat Hunting - SY0-701 CompTIA Security+: 4.1, Video 3:18. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 3.
45.101.121 - - [28/Jul/2022:10:27:22 -0300] "GET /query.php?qmp3%20players I HTTP/1.0" 200 14650
Which of the following should the analyst do first?
- A . Implement a WAF
- B . Disable the query .php script
- C . Block brute-force attempts on temporary users
- D . Check the users table for new accounts
D
Explanation:
The logs show an SQL injection attack. The first step is to verify if new accounts have been created, indicating a successful injection.