A company has discovered unauthorized devices are using its WiFi network, and it wants to harden the access point to improve security.
Which f the following configuration should an analysis enable To improve security? (Select TWO.)
- A . RADIUS
- B . PEAP
- C . WPS
- D . WEP-EKIP
- E . SSL
- F . WPA2-PSK
A, F
Explanation:
To improve the security of the WiFi network and prevent unauthorized devices from accessing the network, the configuration options of RADIUS and WPA2-PSK should be enabled. RADIUS (Remote Authentication Dial-In User Service) is an authentication protocol that can be used to control access to the WiFi network. It can provide stronger authentication and authorization than WEP and WPA.
WPA2-PSK (WiFi Protected Access 2 with Pre-Shared Key) is a security protocol that uses stronger encryption than WEP and WPA. It requires a pre-shared key (PSK) to be entered on each device that wants to access the network. This helps prevent unauthorized devices from accessing the network.
During an incident a company CIRT determine it is necessary to observe the continued network-based transaction between a callback domain and the malware running on an enterprise PC.
Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?
- A . Physical move the PC to a separate internet pint of presence
- B . Create and apply micro segmentation rules.
- C . Emulate the malware in a heavily monitored DM Z segment.
- D . Apply network blacklisting rules for the adversary domain
C
Explanation:
To observe the continued network-based transaction between a callback domain and the malware running on an enterprise PC while reducing the risk of lateral spread and the risk that the adversary would notice any changes, the best technique to use is to emulate the malware in a heavily monitored DMZ segment. This is a secure environment that is isolated from the rest of the network and can be heavily monitored to detect any suspicious activity. By emulating the malware in this environment, the activity can be observed without the risk of lateral spread or detection by the adversary.
Reference: https://www.sans.org/blog/incident-response-fundamentals-why-is-the-dmz-so-important/
Which of the following environment utilizes dummy data and is MOST to be installed locally on a system that allows to be assessed directly and modified easily wit each build?
- A . Production
- B . Test
- C . Staging
- D . Development
D
Explanation:
The environment that utilizes dummy data and is most likely to be installed locally on a system that allows it to be assessed directly and modified easily with each build is the development environment. The development environment is used for developing and testing software and applications. It is typically installed on a local system, rather than on a remote server, to allow for easy access and modification. Dummy data can be used in the development environment to simulate real-world scenarios and test the software’s functionality.
Reference: https://www.techopedia.com/definition/27561/development-environment
A desktop support technician recently installed a new document-scanning software program on a computer. However, when the end user tried to launch the program, it did not respond.
Which of the following is MOST likely the cause?
- A . A new firewall rule is needed to access the application.
- B . The system was quarantined for missing software updates.
- C . The software was not added to the application whitelist.
- D . The system was isolated from the network due to infected software
C
Explanation:
The most likely cause of the document-scanning software program not responding when launched by the end user is that the software was not added to the application whitelist. An application whitelist is a list of approved software applications that are allowed to run on a system. If the software is not on the whitelist, it may be blocked from running by the system’s security policies. Adding the software to the whitelist should resolve the issue and allow the program to run.
Reference: https://www.techopedia.com/definition/31541/application-whitelisting
A company recently experienced an attack during which its main website was Directed to the attacker’s web server, allowing the attacker to harvest credentials from unsuspecting customers,.
Which of the following should the
company implement to prevent this type of attack from occurring In the future?
- A . IPsec
- B . SSL/TLS
- C . ONSSEC
- D . SMIME
B
Explanation:
To prevent attacks where the main website is directed to the attacker’s web server and allowing the attacker to harvest credentials from unsuspecting customers, the company should implement SSL/TLS (Secure Sockets Layer/Transport Layer Security) to encrypt the communication between the web server and the clients. This will prevent attackers from intercepting and tampering with the communication, and will also help to verify the identity of the web server to the clients.
A security engineer is installing a WAF to protect the company’s website from malicious web requests over SSL.
Which of the following is needed to meet the objective?
- A . A reverse proxy
- B . A decryption certificate
- C . A split-tunnel VPN
- D . Load-balanced servers
B
Explanation:
A Web Application Firewall (WAF) is a security solution that protects web applications from various types of attacks such as SQL injection, cross-site scripting (XSS), and others. It is typically deployed in front of web servers to inspect incoming traffic and filter out malicious requests.
To protect the company’s website from malicious web requests over SSL, a decryption certificate is needed to decrypt the SSL traffic before it reaches the WAF. This allows the WAF to inspect the traffic
and filter out malicious requests.
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credentials twice to log in. The analyst checks with the application team and notes this is not an expected behavior.
After looking at several logs, the analyst decides to run some commands on the gateway and obtains the following output:
Which of the following BEST describes the attack the company is experiencing?
- A . MAC flooding
- B . URL redirection
- C . ARP poisoning
- D . DNS hijacking
C
Explanation:
The output of the “netstat -ano” command shows that there are two connections to the same IP address and port number. This indicates that there are two active sessions between the client and server.
The issue of users having to provide their credentials twice to log in is known as a double login prompt issue. This issue can occur due to various reasons such as incorrect configuration of authentication settings, incorrect configuration of web server settings, or issues with the client’s browser.
Based on the output of the “netstat -ano” command, it is difficult to determine the exact cause of the issue. However, it is possible that an attacker is intercepting traffic between the client and server and stealing user credentials. This type of attack is known as C. ARP poisoning.
ARP poisoning is a type of attack where an attacker sends fake ARP messages to associate their MAC address with the IP address of another device on the network. This allows them to intercept traffic between the two devices and steal sensitive information such as user credentials.
A company recently experienced an attack during which 5 main website was directed to the atack-er’s web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company Implement to prevent this type of attack from occurring in the future?
- A . IPSec
- B . SSL/TLS
- C . DNSSEC
- D . S/MIME
C
Explanation:
The attack described in the question is known as a DNS hijacking attack. In this type of attack, an attacker modifies the DNS records of a domain name to redirect traffic to their own server. This allows them to intercept traffic and steal sensitive information such as user credentials.
To prevent this type of attack from occurring in the future, the company should implement C.
DNSSEC.
DNSSEC (Domain Name System Security Extensions) is a security protocol that adds digital signatures to DNS records. This ensures that DNS records are not modified during transit and prevents DNS hijacking attacks.
A security engineer is installing a WAF to protect the company’s website from malicious web requests over SSL.
Which of the following is needed to meet the objective?
- A . A reverse proxy
- B . A decryption certificate
- C . A spill-tunnel VPN
- D . Load-balanced servers
B
Explanation:
A Web Application Firewall (WAF) is a security solution that protects web applications from various types of attacks such as SQL injection, cross-site scripting (XSS), and others. It is typically deployed in front of web servers to inspect incoming traffic and filter out malicious requests.
To protect the company’s website from malicious web requests over SSL, a decryption certificate is needed to decrypt the SSL traffic before it reaches the WAF. This allows the WAF to inspect the traffic and filter out malicious requests.
Which of the following BEST describes a social-engineering attack that relies on an executive at a small business visiting a fake banking website where credit card and account details are harvested?
- A . Whaling
- B . Spam
- C . Invoice scam
- D . Pharming
A
Explanation:
A social engineering attack that relies on an executive at a small business visiting a fake banking website where credit card and account details are harvested is known as whaling. Whaling is a type of phishing attack that targets high-profile individuals, such as executives, to steal sensitive information or gain access to their accounts.
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt ail historical data?
- A . Perfect forward secrecy
- B . Elliptic-curve cryptography
- C . Key stretching
- D . Homomorphic encryption
B
Explanation:
Perfect forward secrecy would ensure that it cannot be used to decrypt all historical data. Perfect forward secrecy (PFS) is a security protocol that generates a unique session key for each session between two parties. This ensures that even if one session key is compromised, it cannot be used to decrypt other sessions.
Which of the following environments can be stood up in a short period of time, utilizes either dummy data or actual data, and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time?
- A . PoC
- B . Production
- C . Test
- D . Development
A
Explanation:
A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model system capabilities and functionality for a fixed, agreed-upon duration of time. This environment can utilize either dummy data or actual data.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501
After segmenting the network, the network manager wants to control the traffic between the segments.
Which of the following should the manager use to control the network traffic?
- A . A DMZ
- B . A VPN a
- C . A VLAN
- D . An ACL
D
Explanation:
After segmenting the network, a network manager can use an access control list (ACL) to control the traffic between the segments. An ACL is a set of rules that permit or deny traffic based on its characteristics, such as the source and destination IP addresses, protocol type, and port number.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501
A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims.
Which of the following is the researcher MOST likely using?
- A . The Diamond Model of Intrusion Analysis
- B . The Cyber Kill Chain
- C . The MITRE CVE database
- D . The incident response process
A
Explanation:
The Diamond Model is a framework for analyzing cyber threats that focuses on four key elements: adversary, capability, infrastructure, and victim. By analyzing these elements, security researchers can gain a better understanding of the threat landscape and develop more effective security strategies.
A security engineer needs to create a network segment that can be used for servers thal require connections from untrusted networks.
Which of the following should the engineer implement?
- A . An air gap
- B . A hot site
- C . A VUAN
- D . A screened subnet
D
Explanation:
A screened subnet is a network segment that can be used for servers that require connections from untrusted networks. It is placed between two firewalls, with one firewall facing the untrusted network and the other facing the trusted network. This setup provides an additional layer of security by screening the traffic that flows between the two networks.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501
one of the attendees starts to notice delays in the connection. and the HTTPS site requests are reverting to HTTP.
Which of the following BEST describes what is happening?
- A . Birthday collision on the certificate key
- B . DNS hacking to reroute traffic
- C . Brute force to the access point
- D . A SSL/TLS downgrade
D
Explanation:
The scenario describes a Man-in-the-Middle (MitM) attack where the attacker intercepts traffic and downgrades the secure SSL/TLS connection to an insecure HTTP connection. This type of attack is commonly known as SSL/TLS downgrade attack or a stripping attack. The attacker is able to see and modify the communication between the client and server.
A major clothing company recently lost a large amount of proprietary information. The security officer must find a solution to ensure this never happens again.
Which of the following is the BEST technical implementation to prevent this from happening again?
- A . Configure DLP solutions
- B . Disable peer-to-peer sharing
- C . Enable role-based
- D . Mandate job rotation
- E . Implement content filters
A
Explanation:
Data loss prevention (DLP) solutions can prevent the accidental or intentional loss of sensitive data. DLP tools can identify and protect sensitive data by classifying and categorizing it, encrypting it, or blocking it from being transferred outside the organization’s network.
The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going the polls. This is an example of:
- A . prepending.
- B . an influence campaign.
- C . a watering-hole attack.
- D . intimidation.
- E . information elicitation.
B
Explanation:
This scenario describes an influence campaign, where false information is spread to influence or manipulate people’s beliefs or actions. In this case, the misinformation led eligible voters to avoid polling places, which influenced the outcome of the election.
A company is required to continue using legacy software to support a critical service.
Which of the following BEST explains a risk of this practice?
- A . Default system configuration
- B . Unsecure protocols
- C . Lack of vendor support
- D . Weak encryption
C
Explanation:
One of the risks of using legacy software is the lack of vendor support. This means that the vendor may no longer provide security patches, software updates, or technical support for the software. This leaves the software vulnerable to new security threats and vulnerabilities that could be exploited by attackers.
A security researcher has alerted an organization that its sensitive user data was found for sale on a website.
Which of the following should the organization use to inform the affected parties?
- A . A An incident response plan
- B . A communications plan
- C . A business continuity plan
- D . A disaster recovery plan
B
Explanation:
The organization should use a communications plan to inform the affected parties. A communications plan is a document that outlines how an organization will communicate with internal and external stakeholders during a crisis or incident. It should include details such as who will be responsible for communicating with different stakeholders, what channels will be used to communicate, and what messages will be communicated.
An incident response plan is a document that outlines the steps an organization will take to respond to a security incident or data breach. A business continuity plan is a document that outlines how an organization will continue to operate during and after a disruption. A disaster recovery plan is a document that outlines how an organization will recover its IT infrastructure and data after a disaster.
A company wants to modify its current backup strategy to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss.
Which of the following would be the BEST backup strategy
- A . Incremental backups followed by differential backups
- B . Full backups followed by incremental backups
- C . Delta backups followed by differential backups
- D . Incremental backups followed by delta backups
- E . Full backup followed by different backups
B
Explanation:
The best backup strategy for minimizing the number of backups that need to be restored in case of data loss is full backups followed by incremental backups. This strategy allows for a complete restoration of data by restoring the most recent full backup followed by the most recent incremental backup.
Reference: CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) page 126
Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives?
- A . Pulverizing
- B . Shredding
- C . Incinerating
- D . Degaussing
B
Explanation:
Shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid-state drives and have reached their end-of-life1. Shredding reduces electronic devices to pieces no larger than 2 millimeters2. Therefore, shredding is the most secure but least expensive data destruction method for data that is stored on hard drives.
A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m – 4:00 am. The malware has evaded detection by traditional antivirus software.
Which of the following types of malware is MOST likely infecting the hosts?
- A . A RAT
- B . Ransomware
- C . Polymophic
- D . A worm
A
Explanation:
Based on the given information, the most likely type of malware infecting the hosts is a RAT (Remote Access Trojan). RATs are often used for stealthy unauthorized access to a victim’s computer, and they can evade traditional antivirus software through various sophisticated techniques. In particular, the fact that the malware is communicating with external IP addresses during specific hours suggests that it may be under the control of an attacker who is issuing commands from a remote location. Ransomware, polymorphic malware, and worms are also possible culprits, but the context of the question suggests that a RAT is the most likely answer.
Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a "cloud-first" adoption strategy?
- A . Risk matrix
- B . Risk tolerance
- C . Risk register
- D . Risk appetite
B
Explanation:
To determine the total risk an organization can bear, a technician should review the organization’s risk tolerance, which is the amount of risk the organization is willing to accept. This information will help determine the organization’s "cloud-first" adoption strategy.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)
Which of the following cryptographic concepts would a security engineer utilize while implementing non-repudiation? (Select TWO)
- A . Block cipher
- B . Hashing
- C . Private key
- D . Perfect forward secrecy
- E . Salting
- F . Symmetric keys
B, C
Explanation:
Non-repudiation is the ability to ensure that a party cannot deny a previous action or event. Cryptographic concepts that can be used to implement non-repudiation include hashing and digital signatures, which use a private key to sign a message and ensure that the signature is unique to the signer.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)
A security analyst notices several attacks are being blocked by the NIPS but does not see anything on the boundary firewall logs. The attack seems to have been thwarted.
Which of the following resiliency techniques was applied to the network to prevent this attack?
- A . NIC Teaming
- B . Port mirroring
- C . Defense in depth
- D . High availability
- E . Geographic dispersal
C
Explanation:
Defense in depth is a resiliency technique that involves implementing multiple layers of security controls to protect against different types of threats. In this scenario, the NIPS likely provided protection at a different layer than the boundary firewall, demonstrating the effectiveness of defense in depth.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)
Which of the following isa risk that is specifically associated with hesting applications iin the public cloud?
- A . Unsecured root accounts
- B . Zero day
- C . Shared tenancy
- D . Insider threat
C
Explanation:
When hosting applications in the public cloud, there is a risk of shared tenancy, meaning that multiple organizations are sharing the same infrastructure. This can potentially allow one tenant to access another tenant’s data, creating a security risk.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)
A company is required to continue using legacy software to support a critical service.
Which of the following BEST explains a risk of this practice?
- A . Default system configuration
- B . Unsecure protocols
- C . Lack of vendor support
- D . Weak encryption
C
Explanation:
Using legacy software to support a critical service poses a risk due to lack of vendor support. Legacy software is often outdated and unsupported, which means that security patches and upgrades are no longer available. This can leave the system vulnerable to exploitation by attackers who may exploit known vulnerabilities in the software to gain unauthorized access to the system.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 1: Attacks, Threats, and Vulnerabilities
After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue. Multiple alerts were generated on the SIEM during this period of time.
Which of the following BEST explains what happened?
- A . The unexpected traffic correlated against multiple rules, generating multiple alerts.
- B . Multiple alerts were generated due to an attack occurring at the same time.
- C . An error in the correlation rules triggered multiple alerts.
- D . The SIEM was unable to correlate the rules, triggering the alerts.
A
Explanation:
Multiple alerts were generated on the SIEM during the emergency maintenance activity due to unexpected traffic correlated against multiple rules. The SIEM generates alerts when it detects an
event that matches a rule in its rulebase. If the event matches multiple rules, the SIEM will generate multiple alerts.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture and Design
A security administrator is setting up a SIEM to help monitor for notable events across the enterprise.
Which of the following control types does this BEST represent?
- A . Preventive
- B . Compensating
- C . Corrective
- D . Detective
D
Explanation:
A SIEM is a security solution that helps detect security incidents by monitoring for notable events across the enterprise. A detective control is a control that is designed to detect security incidents and respond to them. Therefore, a SIEM represents a detective control.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture and Design
A network analyst is setting up a wireless access point for a home office in a remote, rural location. The requirement is that users need to connect to the access point securely but do not want to have to remember passwords.
Which of the following should the network analyst enable to meet the requirement?
- A . MAC address filtering
- B . 802.1X
- C . Captive portal
- D . WPS
D
Explanation:
The network analyst should enable Wi-Fi Protected Setup (WPS) to allow users to connect to the wireless access point securely without having to remember passwords. WPS allows users to connect to a wireless network by pressing a button or entering a PIN instead of entering a password.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 4: Identity and Access Management
Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?
- A . Production
- B . Test
- C . Staging
- D . Development
D
Explanation:
A development environment is the environment that is used to develop and test software. It is typically installed locally on a system that allows code to be assessed directly and modified easily with each build. In this environment, dummy data is often utilized to test the software’s functionality.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture and Design
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network witches.
Which of the following is the security analyst MOST likely observing?
- A . SNMP traps
- B . A Telnet session
- C . An SSH connection
- D . SFTP traffic
B
Explanation:
The security analyst is likely observing a Telnet session, as Telnet transmits data in plain text format, including usernames and passwords.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.2 Given a scenario, analyze indicators of compromise and determine the type of malware.
A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email, but then quickly generated and backdated the reports before submitting them as plain text within the body of a new email message thread.
Which of the following actions MOST likely supports an investigation for fraudulent submission?
- A . Establish chain of custody.
- B . Inspect the file metadata.
- C . Reference the data retention policy.
- D . Review the email event logs
D
Explanation:
Reviewing the email event logs can support an investigation for fraudulent submission, as these logs can provide details about the history of emails, including the message content, timestamps, and sender/receiver information.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.2 Given a scenario, implement appropriate data security and privacy controls.
A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned tf servers in the company’s DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN.
Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO).
- A . 135
- B . 139
- C . 143
- D . 161
- E . 443
- F . 445
BF
Explanation:
To protect the servers in the company’s DMZ from external attack due to the new vulnerability in the SMB protocol on the Windows systems, the security administrator should block TCP ports 139 and 445 for all external inbound connections to the DMZ.
SMB uses TCP port 139 and 445. Blocking these ports will prevent external attackers from exploiting the vulnerability in SMB protocol on Windows systems.
Blocking TCP ports 139 and 445 for all external inbound connections to the DMZ can help protect the servers, as these ports are used by SMB protocol. Port 135 is also associated with SMB, but it is not commonly used. Ports 143 and 161 are associated with other protocols and services.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.4 Compare and contrast network architecture and technologies.
When planning to build a virtual environment, an administrator need to achieve the following,
• Establish polices in Limit who can create new VMs
• Allocate resources according to actual utilization‘
• Require justification for requests outside of the standard requirements.
• Create standardized categories based on size and resource requirements.
Which of the following is the administrator MOST likely trying to do?
- A . Implement IaaS replication
- B . Product against VM escape
- C . Deploy a PaaS
- D . Avoid VM sprawl
D
Explanation:
The administrator is most likely trying to avoid VM sprawl, which occurs when too many VMs are created and managed poorly, leading to resource waste and increased security risks. The listed actions can help establish policies, resource allocation, and categorization to prevent unnecessary VM creation and ensure proper management.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.6 Given a scenario, implement the appropriate virtualization components.
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic.
Which of the following should the analyst use?
- A . openssl
- B . hping
- C . netcat
- D . tcpdump
A
Explanation:
To verify that a client-server (non-web) application is sending encrypted traffic, a security analyst can use OpenSSL. OpenSSL is a software library that provides cryptographic functions, including encryption and decryption, in support of various security protocols, including SSL/TLS. It can be used to check whether a client-server application is using encryption to protect traffic.
Reference: CompTIA Security+ Certification Exam Objectives – Exam SY0-601
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations.
Which of the following documents did Ann receive?
- A . An annual privacy notice
- B . A non-disclosure agreement
- C . A privileged-user agreement
- D . A memorandum of understanding
A
Explanation:
Ann received an annual privacy notice from her mortgage company. An annual privacy notice is a statement from a financial institution or creditor that outlines the institution’s privacy policy and explains how the institution collects, uses, and shares customers’ personal information. It informs the customer about their rights under the Gramm-Leach-Bliley Act (GLBA) and the institution’s practices for protecting their personal information.
Reference: CompTIA Security+ Certification Exam Objectives – Exam SY0-601
A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A sales director recently had a
laptop stolen, and later, enterprise data was found to have been compromised from a local database.
Which of the following was the
MOST likely cause?
- A . Shadow IT
- B . Credential stuffing
- C . SQL injection
- D . Man in the browser
- E . Bluejacking
A
Explanation:
The most likely cause of the enterprise data being compromised from a local database is Shadow IT. Shadow IT is the use of unauthorized applications or devices by employees to access company resources. In this case, the sales director’s laptop was stolen, and the attacker was able to use it to access the local database, which was not secured properly, allowing unauthorized access to sensitive data.
Reference: CompTIA Security+ Certification Exam Objectives – Exam SY0-601
The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
- A . Password history
- B . Account expiration
- C . Password complexity
- D . Account lockout
C
Explanation:
To prevent such a breach in the future, the BEST control to use would be Password complexity. Password complexity is a security measure that requires users to create strong passwords that are difficult to guess or crack. It can help prevent unauthorized access to systems and data by making it more difficult for attackers to guess or crack passwords.
The best control to use to prevent a breach like the one shown in the logs is password complexity. Password complexity requires users to create passwords that are harder to guess, by including a mix of upper and lowercase letters, numbers, and special characters. In the logs, the attacker was able to guess the user’s password using a dictionary attack, which means that the password was not complex enough.
Reference: CompTIA Security+ Certification Exam Objectives – Exam SY0-601
During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HIIPS site requests are reverting to HTTP.
Which of the following BEST describes what is happening?
- A . Birthday collision on the certificate key
- B . DNS hijacking to reroute traffic
- C . Brute force to the access point
- D . ASSLILS downgrade
B
Explanation:
The attendee is experiencing delays in the connection, and the HIIPS site requests are reverting to HTTP, indicating that the DNS resolution is redirecting the connection to another server. DNS hijacking is a technique that involves redirecting a user’s requests for a domain name to a different IP address. Attackers use DNS hijacking to redirect users to malicious websites and steal sensitive information, such as login credentials and credit card details.
Reference: https://www.cloudflare.com/learning/dns/dns-hijacking/
An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud provider?
- A . SLA
- B . BPA
- C . NDA
- D . MOU
A
Explanation:
The Service Level Agreement (SLA) is a contract between the cloud service provider and the organization that stipulates the exact requirements for the cloud provider. It outlines the level of service that the provider must deliver, including the minimum uptime percentage, support response times, and the remedies and penalties for failing to meet the agreed-upon service levels.
An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that ts discovered.
Which of the following BEST represents the type of testing that is being used?
- A . White-box
- B . Red-leam
- C . Bug bounty
- D . Gray-box
- E . Black-box
C
Explanation:
Bug bounty is a type of testing in which an organization offers a reward or compensation to anyone who can identify vulnerabilities or security flaws in their network or applications. The outside security firm has agreed to pay for each vulnerability found, which is an example of a bug bounty program.
A retail company that is launching @ new website to showcase the company’s product line and other information for online shoppers registered the following URLs:
* www companysite com
* shop companysite com
* about-us companysite com contact-us. companysite com secure-logon company site com
Which of the following should the company use to secure its website if the company is concerned with convenience and cost?
- A . A self-signed certificate
- B . A root certificate
- C . A code-signing certificate
- D . A wildcard certificate
- E . An extended validation certificate
D
Explanation:
The company can use a wildcard certificate to secure its website if it is concerned with convenience
and cost. A wildcard certificate can secure multiple subdomains, which makes it cost-effective and convenient for securing the various registered domains.
The retail company should use a wildcard certificate if it is concerned with convenience and cost12. A wildcard SSL certificate is a single SSL/TLS certificate that can provide significant time and cost savings, particularly for small businesses. The certificate includes a wildcard character (*) in the domain name field, and can secure multiple subdomains of the primary domain1
Which of the following disaster recovery tests is the LEAST time consuming for the disaster recovery team?
- A . Tabletop
- B . Parallel
- C . Full interruption
- D . Simulation
A
Explanation:
A tabletop exercise is a type of disaster recovery test that simulates a disaster scenario in a discussion-based format, without actually disrupting operations or requiring physical testing of recovery procedures. It is the least time-consuming type of test for the disaster recovery team.
A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups.
Which of the following recovery solutions would be the BEST option to meet these requirements?
- A . Snapshot
- B . Differential
- C . Full
- D . Tape
B
Explanation:
Differential backup is a type of backup that backs up all data that has changed since the last full backup. This backup method offers faster recovery than a full backup, as it only needs to restore the full backup and the differential backup, reducing the amount of data that needs to be restored. It also uses less storage than a full backup as it only stores the changes made from the last full backup.
After a phishing scam fora user’s credentials, the red team was able to craft payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session.
Which of the following types of attacks has occurred?
- A . Privilege escalation
- B . Session replay
- C . Application programming interface
- D . Directory traversal
A
Explanation:
"Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user." In this scenario, the red team was able to install malicious software, which would require elevated privileges to access and install. Therefore, the type of attack that occurred is privilege escalation.
Reference: CompTIA Security+ Study Guide, pages 111-112
A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks.
Which of the following can block an attack at Layer 7? (Select TWO).
- A . HIDS
- B . NIPS
- C . HSM
- D . WAF
- E . NAC
- F . NIDS
- G . Stateless firewall
DF
Explanation:
A WAF (Web Application Firewall) and NIDS (Network Intrusion Detection System) are both examples of Layer 7 security controls. A WAF can block attacks at the application layer (Layer 7) of the OSI model by filtering traffic to and from a web server. NIDS can also detect attacks at Layer 7 by monitoring network traffic for suspicious patterns and behaviors.
Reference: CompTIA Security+ Study Guide, pages 94-95, 116-118
During an incident, a company’s CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC.
Which of the following techniques would be BEST to enable this activity while reducing the nsk of lateral spread and the risk that the adversary would notice any changes?
- A . Physically move the PC to a separate Internet point of presence.
- B . Create and apply microsegmentation rules,
- C . Emulate the malware in a heavily monitored DMZ segment
- D . Apply network blacklisting rules for the adversary domain
C
Explanation:
Emulating the malware in a heavily monitored DMZ segment is the best option for observing network-based transactions between a callback domain and the malware running on an enterprise PC. This approach provides an isolated environment for the malware to run, reducing the risk of lateral spread and detection by the adversary. Additionally, the DMZ can be monitored closely to gather intelligence on the adversary’s tactics and techniques.
Reference: CompTIA Security+ Study Guide, page 129
A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking.
Which of the following cloud service provider types should business engage?
- A . A laaS
- B . PaaS
- C . XaaS
- D . SaaS
A
Explanation:
Infrastructure as a Service (IaaS) providers offer a la carte services, including cloud backups, VM elasticity, and secure networking. With IaaS, businesses can rent infrastructure components such as virtual machines, storage, and networking from a cloud service provider.
Reference: CompTIA Security+ Study Guide, pages 233-234
A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted.
Which of the following would be BEST for the analyst to perform?
- A . Add a deny-all rule to that host in the network ACL
- B . Implement a network-wide scan for other instances of the malware.
- C . Quarantine the host from other parts of the network
- D . Revoke the client’s network access certificates
C
Explanation:
When malware is discovered on a host, the best course of action is to quarantine the host from other parts of the network. This prevents the malware from spreading and potentially infecting other hosts. Adding a deny-all rule to the host in the network ACL may prevent legitimate traffic from being processed, implementing a network-wide scan is time-consuming and may not be necessary, and revoking the client’s network access certificates is an extreme measure that may not be warranted.
Reference: CompTIA Security+ Study Guide, pages 113-114
A cybersecurity administrator needs to allow mobile BYOD devices to access network resources.
As the devices are not enrolled to the domain and do not have policies applied to them, which of the following are best practices for authentication and infrastructure security? (Select TWO).
- A . Create a new network for the mobile devices and block the communication to the internal network and servers
- B . Use a captive portal for user authentication.
- C . Authenticate users using OAuth for more resiliency
- D . Implement SSO and allow communication to the internal network
- E . Use the existing network and allow communication to the internal network and servers.
- F . Use a new and updated RADIUS server to maintain the best solution
B, C
Explanation:
When allowing mobile BYOD devices to access network resources, using a captive portal for user authentication and authenticating users using OAuth are both best practices for authentication and infrastructure security. A captive portal requires users to authenticate before accessing the network and can be used to enforce policies and restrictions. OAuth allows users to authenticate using third-party providers, reducing the risk of password reuse and credential theft.
Reference: CompTIA Security+ Study Guide, pages 217-218, 225-226
An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread.
Which of the following is the BEST course of action for the analyst to take?
- A . Apply a DLP solution.
- B . Implement network segmentation
- C . Utilize email content filtering,
- D . isolate the infected attachment.
D
Explanation:
Network segmentation is the BEST course of action for the analyst to take to prevent further spread
of the worm. Network segmentation helps to divide a network into smaller segments, isolating the infected attachment from the rest of the network. This helps to prevent the worm from spreading to other devices within the network. Implementing email content filtering or DLP solution might help in preventing the email from reaching the target or identifying the worm, respectively, but will not stop the spread of the worm.
Reference: CompTIA Security+ Study Guide, Chapter 5: Securing Network Infrastructure, 5.2 Implement Network Segmentation, pp. 286-289
An enterprise needs to keep cryptographic keys in a safe manner.
Which of the following network appliances can achieve this goal?
- A . HSM
- B . CASB
- C . TPM
- D . DLP
A
Explanation:
Hardware Security Module (HSM) is a network appliance designed to securely store cryptographic keys and perform cryptographic operations. HSMs provide a secure environment for key management and can be used to keep cryptographic keys safe from theft, loss, or unauthorized access. Therefore, an enterprise can achieve the goal of keeping cryptographic keys in a safe manner by using an HSM appliance.
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 2.0: Technologies and Tools, 2.4 Given a scenario, use appropriate tools and techniques to troubleshoot security issues, p. 21
An organization recently acquired an ISO 27001 certification.
Which of the following would MOST likely be considered a benefit of this certification?
- A . It allows for the sharing of digital forensics data across organizations
- B . It provides insurance in case of a data breach
- C . It provides complimentary training and certification resources to IT security staff.
- D . It certifies the organization can work with foreign entities that require a security clearance
- E . It assures customers that the organization meets security standards
E
Explanation:
ISO 27001 is an international standard that outlines the requirements for an Information Security Management System (ISMS). It provides a framework for managing and protecting sensitive information using risk management processes. Acquiring an ISO 27001 certification assures customers that the organization meets security standards and follows best practices for information security management. It helps to build customer trust and confidence in the organization’s ability to
protect their sensitive information.
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and Vulnerabilities, 1.2 Given a scenario, analyze indicators of compromise and determine the type of malware, p. 7
A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware.
Which of the following deployment models will provide the needed flexibility with the GREATEST amount of control and security over company data and infrastructure?
- A . BYOD
- B . VDI
- C . COPE
- D . CYOD
D
Explanation:
Choose Your Own Device (CYOD) is a deployment model that allows employees to select from a predefined list of devices. It provides employees with flexibility in device preference while allowing the company to maintain control and security over company data and infrastructure. CYOD deployment model provides a compromise between the strict control provided by Corporate-Owned, Personally Enabled (COPE) deployment model and the flexibility provided by Bring Your Own Device (BYOD) deployment model.
Reference: CompTIA Security+ Study Guide, Chapter 6: Securing Application, Data, and Host Security, 6.5 Implement Mobile Device Management, pp. 334-335
A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel.
Which of the following attacks is being conducted?
- A . Evil twin
- B . Jamming
- C . DNS poisoning
- D . Bluesnarfing
- E . DDoS
A
Explanation:
The attack being conducted is an Evil twin attack. An Evil twin attack involves creating a rogue wireless access point (WAP) with the same Service Set Identifier (SSID) as a legitimate WAP to trick users into connecting to it. Once connected, the attacker can intercept traffic or steal login credentials. The successful login attempts with impossible travel times suggest that an attacker is using a stolen or compromised credential to access the external site to which the sensitive data is being downloaded. The non-standard DHCP configurations and overlapping channels of the WAPs suggest that the attacker is using a rogue WAP to intercept traffic.
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and Vulnerabilities, 1.4 Compare and contrast types of attacks, p. 8
A security analyst must enforce policies to harden an MDM infrastructure.
The requirements are as follows:
* Ensure mobile devices can be tracked and wiped.
* Confirm mobile devices are encrypted.
Which of the following should the analyst enable on all the devices to meet these requirements?
- A . A Geofencing
- B . Biometric authentication
- C . Geolocation
- D . Geotagging
A
Explanation:
Geofencing is a technology used in mobile device management (MDM) to allow administrators to define geographical boundaries within which mobile devices can operate. This can be used to enforce location-based policies, such as ensuring that devices can be tracked and wiped if lost or stolen. Additionally, encryption can be enforced on the devices to ensure the protection of sensitive data in the event of theft or loss.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7
A company installed several crosscut shredders as part of increased information security practices targeting data leakage risks.
Which of the following will this practice reduce?
- A . Dumpster diving
- B . Shoulder surfing
- C . Information elicitation
- D . Credential harvesting
A
Explanation:
Crosscut shredders are used to destroy paper documents and reduce the risk of data leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive information from paper waste by searching through discarded documents.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2
Which of the following conditions impacts data sovereignty?
- A . Rights management
- B . Criminal investigations
- C . Healthcare data
- D . International operations
D
Explanation:
Data sovereignty refers to the legal concept that data is subject to the laws and regulations of the country in which it is located. International operations can impact data sovereignty as companies operating in multiple countries may need to comply with different laws and regulations.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 5
Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically.
Which of the following concepts does this BEST represent?
- A . Functional testing
- B . Stored procedures
- C . Elasticity
- D . Continuous integration
D
Explanation:
Continuous integration is a software development practice where developers merge their code into a shared repository several times a day, and the code is tested automatically. This ensures that code changes are tested and integrated continuously, reducing the risk of errors and conflicts.
A company uses a drone for precise perimeter and boundary monitoring.
Which of the following should be MOST concerning to the company?
- A . Privacy
- B . Cloud storage of telemetry data
- C . GPS spoofing
- D . Weather events
A
Explanation:
The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture video and images of individuals on or near the monitored premises. The company should take measures to ensure that privacy rights are not violated.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 8
The security team received a report of copyright infringement from the IP space of the corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted files. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?
- A . HIDS
- B . Allow list
- C . TPM
- D . NGFW
D
Explanation:
Next-Generation Firewalls (NGFWs) are designed to provide advanced threat protection by combining traditional firewall capabilities with intrusion prevention, application control, and other security features. NGFWs can detect and block unauthorized access attempts, malware infections, and other suspicious activity. They can also be used to monitor file access and detect unauthorized copying or distribution of copyrighted material.
A next-generation firewall (NGFW) can be used to detect and prevent copyright infringement by analyzing network traffic and blocking unauthorized transfers of copyrighted material. Additionally, NGFWs can be configured to enforce access control policies that prevent unauthorized access to sensitive resources.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6
A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents and the mouse pointer occasional disappears.
The task list shows the following results
Which of the following is MOST likely the issue?
- A . RAT
- B . PUP
- C . Spyware
- D . Keylogger
C
Explanation:
Spyware is malicious software that can cause a computer to slow down or freeze. It can also cause the mouse pointer to disappear. The task list shows an application named "spyware.exe" running, indicating that spyware is likely the issue.
Reference: CompTIA Security+ Certification Exam Objectives 6.0: Given a scenario, analyze indicators of compromise and determine the type of malware.
CompTIA Security+ Study Guide, Sixth Edition, pages 125-126
Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Select TWO).
- A . Mantraps
- B . Security guards
- C . Video surveillance
- D . Fences
- E . Bollards
- F . Antivirus
A, B
Explanation:
A – a mantrap can trap those personnal with bad intension(preventive), and kind of same as detecting, since you will know if someone is trapped there(detective), and it can deter those personnal from approaching as well(deterrent) B – security guards can sure do the same thing as above, preventing malicious personnal from entering(preventive+deterrent), and notice those personnal as well(detective)
A security assessment found that several embedded systems are running unsecure protocols. These Systems were purchased two years ago and the company that developed them is no longer in business.
Which of the following constraints BEST describes the reason the findings cannot be remediated?
- A . inability to authenticate
- B . Implied trust
- C . Lack of computing power
- D . Unavailable patch
D
Explanation:
If the systems are running unsecure protocols and the company that developed them is no longer in business, it is likely that there are no patches available to remediate the issue.
Reference: CompTIA Security+ Certification Exam Objectives 1.6: Given a scenario, implement secure protocols. CompTIA Security+ Study Guide, Sixth Edition, pages 35-36
Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments?
- A . ISO 27701
- B . The Center for Internet Security
- C . SSAE SOC 2
- D . NIST Risk Management Framework
B
Explanation:
The Center for Internet Security (CIS) uses six initial steps that provide basic control over system security, including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments.
Reference: CompTIA Security+ Certification Exam Objectives 1.1: Compare and contrast different types of security concepts.
CompTIA Security+ Study Guide, Sixth Edition, pages 15-16
The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols.
Which of the following will this enable?
- A . SSO
- B . MFA
- C . PKI
- D . OLP
A
Explanation:
Federating user digital identities using SAML-based protocols enables Single Sign-On (SSO), which allows users to log in once and access multiple applications without having to enter their credentials for each one.
Reference: CompTIA Security+ Certification Exam Objectives 1.3: Explain authentication and access controls. CompTIA Security+ Study Guide, Sixth Edition, pages 41-42
A company was compromised, and a security analyst discovered the attacker was able to get access to a service account.
The following logs were discovered during the investigation:
Which of the following MOST likely would have prevented the attacker from learning the service account name?
- A . Race condition testing
- B . Proper error handling
- C . Forward web server logs to a SIEM
- D . Input sanitization
D
Explanation:
Input sanitization can help prevent attackers from learning the service account name by removing potentially harmful characters from user input, reducing the likelihood of successful injection attacks.
Reference: CompTIA Security+ Certification Exam Objectives 2.2: Given a scenario, implement secure coding techniques.
CompTIA Security+ Study Guide, Sixth Edition, pages 72-73
The SIEM at an organization has detected suspicious traffic coming a workstation in its internal
network. An analyst in the SOC the workstation and discovers malware that is associated with a botnet is installed on the device A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator.
To which of the following groups should the analyst report this real-world event?
- A . The NOC team
- B . The vulnerability management team
- C . The CIRT
- D . The read team
C
Explanation:
The Computer Incident Response Team (CIRT) is responsible for handling incidents and ensuring that the incident response plan is followed.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds.
Which of the following cryptographic techniques would BEST meet the requirement?
- A . Asymmetric
- B . Symmetric
- C . Homomorphic
- D . Ephemeral
B
Explanation:
Symmetric encryption allows data to be encrypted and decrypted using the same key. This is useful when the data needs to be accessed and manipulated while still encrypted.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 6
A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting.
Which of the following does this example describe?
- A . laC
- B . MSSP
- C . Containers
- D . SaaS
A
Explanation:
laaS (Infrastructure as a Service) allows the creation of virtual networks, automation, and scripting to reduce the area utilized in a datacenter.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 4
A global company is experiencing unauthorized logging due to credential theft and account lockouts caused by brute-force attacks. The company is considering implementing a third-party identity provider to help mitigate these attacks.
Which of the following would be the BEST control for the company to require from prospective vendors?
- A . IP restrictions
- B . Multifactor authentication
- C . A banned password list
- D . A complex password policy
B
Explanation:
Multifactor authentication (MFA) would be the best control to require from a third-party identity provider to help mitigate attacks such as credential theft and brute-force attacks.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 2
An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks.
Which of the following should the organization implement?
- A . SIEM
- B . SOAR
- C . EDR
- D . CASB
B
Explanation:
Security Orchestration, Automation, and Response (SOAR) should be implemented to integrate incident response processes into a workflow with automated decision points and actions based on predefined playbooks.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9
A bad actor tries to persuade someone to provide financial information over the phone in order to gain access to funds.
Which of the following types of attacks does this scenario describe?
- A . Vishing
- B . Phishing
- C . Spear phishing
- D . Whaling
A
Explanation:
Vishing is a social engineering attack that uses phone calls or voicemail messages to trick people into divulging sensitive information, such as financial information or login credentials.
Which of the following must be in place before implementing a BCP?
- A . SLA
- B . AUP
- C . NDA
- D . BIA
D
Explanation:
A Business Impact Analysis (BIA) is a critical component of a Business Continuity Plan (BCP). It identifies and prioritizes critical business functions and determines the impact of their disruption.
Reference: CompTIA Security+ Study Guide 601, Chapter 10
A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To Improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user Information between nodes.
Which of the following roles should the developer configure to meet these requirements? (Select TWO).
- A . Identity processor
- B . Service requestor
- C . Identity provider
- D . Service provider
- E . Tokenized resource
- F . Notarized referral
CD
Explanation:
An identity provider (IdP) is responsible for authenticating users and generating security tokens
containing user information. A service provider (SP) is responsible for accepting security tokens and granting access to resources based on the user’s identity.
An organization wants seamless authentication to its applications.
Which of the following should the organization employ to meet this requirement?
- A . SOAP
- B . SAML
- C . SSO
- D . Kerberos
C
Explanation:
Single Sign-On (SSO) is a mechanism that allows users to access multiple applications with a single set of login credentials.
Reference: CompTIA Security+ Study Guide 601, Chapter 6
A security analyst is running a vulnerability scan to check for missing patches during a suspected security rodent During which of the following phases of the response process is this activity MOST likely occurring?
- A . Containment
- B . Identification
- C . Recovery
- D . Preparation
B
Explanation:
Vulnerability scanning is a proactive security measure used to identify vulnerabilities in the network and systems.
Reference: CompTIA Security+ Study Guide 601, Chapter 4
A security engineer needs to build @ solution to satisfy regulatory requirements that stale certain critical servers must be accessed using MFA However, the critical servers are older and are unable to support the addition of MFA.
Which of the following will the engineer MOST likely use to achieve this objective?
- A . A forward proxy
- B . A stateful firewall
- C . A jump server
- D . A port tap
C
Explanation:
A jump server is a secure host that allows users to access other servers within a network. The jump server acts as an intermediary, and users can access other servers via the jump server after authenticating with MFA.
Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics?
- A . Test
- B . Staging
- C . Development
- D . Production
A
Explanation:
The test environment is used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics.
Reference: CompTIA Security+ Study Guide 601, Chapter 2
A company is implementing a new SIEM to log and send alerts whenever malicious activity is blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?
- A . Implementation of preventive controls
- B . Implementation of detective controls
- C . Implementation of deterrent controls
- D . Implementation of corrective controls
B
Explanation:
A Security Information and Event Management (SIEM) system is a tool that collects and analyzes security-related data from various sources to detect and respond to security incidents.
Reference: CompTIA Security+ Study Guide 601, Chapter 5
Which of the following in a forensic investigation should be priorities based on the order of volatility? (Select TWO).
- A . Page files
- B . Event logs
- C . RAM
- D . Cache
- E . Stored files
- F . HDD
C, D
Explanation:
In a forensic investigation, volatile data should be collected first, based on the order of volatility. RAM and Cache are examples of volatile data.
Reference: CompTIA Security+ Study Guide 601, Chapter 11
The Chief Technology Officer of a local college would like visitors to utilize the school’s WiFi but must be able to associate potential malicious activity to a specific person.
Which of the following would BEST allow this objective to be met?
- A . Requiring all new, on-site visitors to configure their devices to use WPS
- B . Implementing a new SSID for every event hosted by the college that has visitors
- C . Creating a unique PSK for every visitor when they arrive at the reception area
- D . Deploying a captive portal to capture visitors’ MAC addresses and names
D
Explanation:
A captive portal is a web page that requires visitors to authenticate or agree to an acceptable use policy before allowing access to the network. By capturing visitors’ MAC addresses and names, potential malicious activity can be traced back to a specific person.
An analyst Is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services.
Given this output from Nmap:
Which of the following should the analyst recommend to disable?
- A . 21/tcp
- B . 22/tcp
- C . 23/tcp
- D . 443/tcp
A
Explanation:
As part of a company’s ongoing SOC maturation process, the company wants to implement a method to share cyberthreat intelligence data with outside security partners.
Which of the following will the company MOST likely implement?
- A . TAXII
- B . TLP
- C . TTP
- D . STIX
A
Explanation:
Trusted Automated Exchange of Intelligence Information (TAXII) is a standard protocol that enables the sharing of cyber threat intelligence between organizations. It allows organizations to automate the exchange of information in a secure and timely manner.
Reference: CompTIA Security+ Certification Exam Objectives – 3.6 Given a scenario, implement secure network architecture concepts. Study Guide: Chapter 4, page 167.
A security incident has been resolved.
Which of the following BEST describes the importance of the final phase of the incident response plan?
- A . It examines and documents how well the team responded discovers what caused the incident, and determines how the incident can be avoided in the future
- B . It returns the affected systems back into production once systems have been fully patched, data restored and vulnerabilities addressed
- C . It identifies the incident and the scope of the breach how it affects the production environment, and the ingress point
- D . It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach
A
Explanation:
The final phase of an incident response plan is the post-incident activity, which involves examining and documenting how well the team responded, discovering what caused the incident, and determining how the incident can be avoided in the future.
Reference: CompTIA Security+ Certification Exam Objectives – 2.5 Given a scenario, analyze potential indicators to determine the type of attack. Study Guide: Chapter 5, page 225.
Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?
- A . RTO
- B . MTBF
- C . MTTR
- D . RPO
C
Explanation:
Mean Time To Repair (MTTR) is a maintenance metric that measures the average time required to troubleshoot and restore failed equipment.
Reference: CompTIA Security+ Certification Exam Objectives – 4.6 Explain the importance of secure coding practices. Study Guide: Chapter 7, page 323.
Which of the following should a technician consider when selecting an encryption method for data that needs to remain confidential for a specific length of time?
- A . The key length of the encryption algorithm
- B . The encryption algorithm’s longevity
- C . A method of introducing entropy into key calculations
- D . The computational overhead of calculating the encryption key
B
Explanation:
When selecting an encryption method for data that needs to remain confidential for a specific length of time, the longevity of the encryption algorithm should be considered to ensure that the data remains secure for the required period.
Reference: CompTIA Security+ Certification Exam Objectives – 3.2 Given a scenario, use appropriate cryptographic methods. Study Guide: Chapter 4, page 131.
A network analyst is investigating compromised corporate information. The analyst leads to a theory that network traffic was intercepted before being transmitted to the internet.
The following output was captured on an internal host:
Based on the IoCS, which of the following was the MOST likely attack used to compromise the network communication?
- A . Denial of service
- B . ARP poisoning
- C . Command injection
- D . MAC flooding
B
Explanation:
ARP poisoning (also known as ARP spoofing) is a type of attack where an attacker sends falsified ARP messages over a local area network to link the attacker’s MAC address with the IP address of another host on the network.
Reference: CompTIA Security+ Certification Exam Objectives – 2.5 Given a scenario, analyze potential indicators to determine the type of attack. Study Guide: Chapter 6, page 271.
A security analyst is investigating a phishing email that contains a malicious document directed to the company’s Chief Executive Officer (CEO).
Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?
- A . Run a vulnerability scan against the CEOs computer to find possible vulnerabilities
- B . Install a sandbox to run the malicious payload in a safe environment
- C . Perform a traceroute to identify the communication path
- D . Use netstat to check whether communication has been made with a remote host
B
Explanation:
To understand the threat and retrieve possible Indicators of Compromise (IoCs) from a phishing email containing a malicious document, a security analyst should install a sandbox to run the malicious payload in a safe environment.
Reference: CompTIA Security+ Certification Exam Objectives – 2.5 Given a scenario, analyze potential indicators to determine the type of attack. Study Guide: Chapter 5, page 209.
A customer has reported that an organization’s website displayed an image of a smiley (ace rather
than the expected web page for a short time two days earlier.
A security analyst reviews log tries and sees the following around the lime of the incident:
Which of the following is MOST likely occurring?
- A . Invalid trust chain
- B . Domain hijacking
- C . DNS poisoning
- D . URL redirection
C
Explanation:
The log entry shows the IP address for "www.example.com" being changed to a different IP address, which is likely the result of DNS poisoning. DNS poisoning occurs when an attacker is able to change the IP address associated with a domain name in a DNS server’s cache, causing clients to connect to the attacker’s server instead of the legitimate server.
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.2 Given a scenario, implement secure network architecture concepts.
Which of the following would produce the closet experience of responding to an actual incident response scenario?
- A . Lessons learned
- B . Simulation
- C . Walk-through
- D . Tabletop
B
Explanation:
A simulation exercise is designed to create an experience that is as close as possible to a real-world incident response scenario. It involves simulating an attack or other security incident and then having security personnel respond to the situation as they would in a real incident.
Reference: CompTIA Security+ SY0-601 Exam Objectives: 1.1 Explain the importance of implementing security concepts, methodologies, and practices.
A security analyst was deploying a new website and found a connection attempting to authenticate on the site’s portal. While Investigating.
The incident, the analyst identified the following Input in the username field:
Which of the following BEST explains this type of attack?
- A . DLL injection to hijack administrator services
- B . SQLi on the field to bypass authentication
- C . Execution of a stored XSS on the website
- D . Code to execute a race condition on the server
B
Explanation:
The input "admin’ or 1=1–" in the username field is an example of SQL injection (SQLi) attack. In this case, the attacker is attempting to bypass authentication by injecting SQL code into the username field that will cause the authentication check to always return true.
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.1 Given a scenario, use appropriate software tools to assess the security posture of an organization.
The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access.
Which of the following is the BEST security solution to reduce this risk?
- A . CASB
- B . VPN concentrator
- C . MFA
- D . VPC endpoint
A
Explanation:
A Cloud Access Security Broker (CASB) can be used to monitor and control access to cloud-based applications, including unsanctioned SaaS applications. It can help enforce policies that prevent access to high-risk SaaS applications and provide visibility into the use of such applications by employees.
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.3 Given a scenario, implement secure mobile solutions.
After a WiFi scan of a local office was conducted, an unknown wireless signal was identified Upon investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single connection.
Which of the following BEST describes the purpose of this device?
- A . loT sensor
- B . Evil twin
- C . Rogue access point
- D . On-path attack
C
Explanation:
A Raspberry Pi device connected to an Ethernet port could be configured as a rogue access point, allowing an attacker to intercept and analyze network traffic or perform other malicious activities.
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.2 Given a scenario, implement secure network architecture concepts.
Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public.
Which of the following security solutions would mitigate the risk of future data disclosures?
- A . FDE
- B . TPM
- C . HIDS
- D . VPN
A
Explanation:
Based on these definitions, the best security solution to mitigate the risk of future data disclosures from a laptop would be FDE123. FDE would prevent unauthorized access to the data stored on the laptop even if it is stolen or lost. FDE can also use TPM to store the encryption key and ensure that only trusted software can decrypt the data3. HIDS and VPN are not directly related to data encryption, but they can provide additional security benefits by detecting intrusions and protecting network traffic respectively.
A security researcher has alerted an organization that its sensitive user data was found for sale on a website.
Which of the following should the organization use to inform the affected parties?
- A . An incident response plan
- B . A communications plan
- C . A business continuity plan
- D . A disaster recovery plan
B
Explanation:
A communications plan should be used to inform the affected parties about the sale of sensitive user data on a website. The communications plan should detail how the organization will handle
media inquiries, how to communicate with customers, and how to respond to other interested parties.
An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained.
Which of the following roles would MOST likely include these responsibilities?
- A . Data protection officer
- B . Data owner
- C . Backup administrator
- D . Data custodian
- E . Internal auditor
D
Explanation:
The responsibilities of ensuring backups are properly maintained and implementing technical controls to protect data are the responsibilities of the data custodian role.
Reference: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 7: Securing Hosts and Data, Data Custodian
Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan?
- A . Vulnerabilities with a CVSS score greater than 6.9.
- B . Critical infrastructure vulnerabilities on non-IP protocols.
- C . CVEs related to non-Microsoft systems such as printers and switches.
- D . Missing patches for third-party software on Windows workstations and servers.
D
Explanation:
An uncredentialed scan would miss missing patches for third-party software on Windows workstations and servers. A credentialed scan, however, can scan the registry and file system to determine the patch level of third-party applications.
Reference: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 4: Identity and Access Management, The Importance of Credentialing Scans