
Download Exam SY0-701 Practice Test Questions with 100% Verified Answers
Share Latest SY0-701Test Practice Test Questions, Exam Dumps
NEW QUESTION # 91
A systems administrator is redesigning now devices will perform network authentication. The following requirements need to be met:
* An existing Internal certificate must be used.
* Wired and wireless networks must be supported
* Any unapproved device should be Isolated in a quarantine subnet
* Approved devices should be updated before accessing resources
Which of the following would best meet the requirements?
- A. EAP
- B. 802.IX
- C. RADIUS
- D. WPA2
Answer: B
Explanation:
802.1X is a network access control protocol that provides an authentication mechanism to devices trying to connect to a LAN or WLAN. It supports the use of certificates for authentication, can quarantine unapproved devices, and ensures that only approved and updated devices can access network resources. This protocol best meets the requirements of securing both wired and wireless networks with internal certificates.
References = CompTIA Security+ SY0-701 study materials, particularly in the domain of network security and authentication protocols.
NEW QUESTION # 92
Which of the following are the best for hardening end-user devices? (Select two)
- A. Endpoint protection
- B. Group-level permissions
- C. Segmentation
- D. Proxy server
- E. Account lockout
- F. Full disk encryption
Answer: A,F
Explanation:
Full disk encryption ensures that data stored on the device is protected even if the device is physically stolen. This is a fundamental security control for end-user devices, especially laptops and mobile devices, to prevent data breaches.
Endpoint protection refers to anti-malware, antivirus, and host-based firewall solutions that safeguard end-user devices from malware, ransomware, and unauthorized access.
NEW QUESTION # 93
A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal?
- A. Logging all NetFlow traffic into a SIEM
- B. Logging endpoint and OS-specific security logs
- C. Deploying network traffic sensors on the same subnet as the servers
- D. Enabling full packet capture for traffic entering and exiting the servers
Answer: D
Explanation:
Full packet capture is a technique that records all network traffic passing through a device, such as a router or firewall. It allows for detailed analysis and investigation of network events, such as SQLi attacks, by providing the complete content and context of the packets. Full packet capture can help identify the source, destination, payload, and timing of an SQLi attack, as well as the impact on the server and database. Logging NetFlow traffic, network traffic sensors, and endpoint and OS-specific security logs can provide some information about network activity, but they do not capture the full content of the packets, which may limit the scope and depth of the investigation. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 372-373
NEW QUESTION # 94
A company is using a legacy FTP server to transfer financial data to a third party. The legacy system does not support SFTP, so a compensating control is needed to protect the sensitive, financial data in transit. Which of the following would be the most appropriate for the company to use?
- A. Full disk encryption
- B. Patch installation
- C. SSH tunneling
- D. Telnet connection
Answer: C
NEW QUESTION # 95
Which of the following hardening techniques must be applied on a container image before deploying it to a production environment? (Select two).
- A. Disable Telnet.
- B. Delete the public certificate.
- C. Remove default applications.
- D. Install a NIPS.
- E. Add an SFTP server.
- F. Reconfigure the DNS
Answer: A,C
Explanation:
Container image hardening best practices include removing default or unnecessary applications (A) to reduce the attack surface and disabling insecure protocols like Telnet (C) to prevent exploitation.
Minimizing software components reduces vulnerabilities and limits potential exploits.
Installing a Network Intrusion Prevention System (NIPS) (B) is a network security measure, not typically embedded in a container image. Reconfiguring DNS (D), adding an SFTP server (E), or deleting public certificates (F) are unrelated or could disrupt container functionality.
These practices are part of securing containerized environments covered under Security Architecture topics in SY0-701#6:Chapter 10 CompTIA Security+ Study Guide#.
NEW QUESTION # 96
Which of the following is used to monitor suspicious traffic in real time between multiple systems within an organization?
- A. Honeynet
- B. Infrared sensors
- C. NetFlow
- D. Development network
Answer: C
Explanation:
NetFlow captures and analyzes real-time traffic flow data across multiple systems, enabling detection of suspicious patterns and anomalies.
NEW QUESTION # 97
An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
- A. Data sovereignty
- B. Data in transit
- C. Geographic restrictions
- D. Data in use
Answer: B
Explanation:
Explanation
Data in transit is data that is moving from one location to another, such as over a network or through the air.
Data in transit is vulnerable to interception, modification, or theft by malicious actors. A VPN (virtual private network) is a technology that protects data in transit by creating a secure tunnel between two endpoints and encrypting the data that passes through it2.
References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4, page 145.
NEW QUESTION # 98
Which of the following data types best describes an AI tool developed by a company to automate the ticketing system under a specific contract?
- A. Open source
- B. Regulated information
- C. Classified
- D. Intellectual property
Answer: D
Explanation:
An AI tool developed internally for automating a ticketing system represents intellectual property (IP).
Security+ SY0-701 defines IP as proprietary creations developed by an organization, such as software, machine learning models, algorithms, and trade secrets. This type of data must be protected because it provides competitive advantage and is often contractually bound.
The scenario notes the tool is developed under a specific contract, meaning it is bound by ownership, licensing, and confidentiality agreements. Protecting IP is critical to prevent theft, unauthorized reuse, or compromise that could affect legal obligations or business value.
Classified (A) refers to government-protected national security information. Regulated information (B) includes data covered by laws such as HIPAA or PCI-DSS. Open source (C) refers to publicly shared code, which this AI tool is not.
Thus, the correct category for this data is D: Intellectual property.
NEW QUESTION # 99
An organization needs to monitor its users' activities to prevent insider threats. Which of the following solutions would help the organization achieve this goal?
- A. Network intrusion detection system
- B. Access control lists
- C. Behavioral analytics
- D. Identity and access management
Answer: C
Explanation:
Detailed Behavioral analytics tools monitor user actions and detect anomalies that may indicate insider threats, such as unauthorized access or unusual data exfiltration activities. These tools establish baselines for normal behavior and flag deviations. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: "Behavioral Analytics and Monitoring".
NEW QUESTION # 100
Which of the following is a type of vulnerability that may result from outdated algorithms or keys?
- A. Hash collision
- B. Cryptographic
- C. Buffer overflow
- D. Input validation
Answer: B
Explanation:
A cryptographic vulnerability refers to weaknesses caused by the use of outdated or insecure cryptographic algorithms, protocols, or keys. These vulnerabilities make it easier for attackers to compromise encrypted data or communications. Use of deprecated ciphers or insufficient key lengths are typical examples.
Reference:
CompTIA Security+ SY0-701 Official Study Guide, Domain 2.3: "Cryptographic vulnerabilities arise from the use of weak or outdated cryptographic algorithms or keys." Exam Objectives 2.3: "Analyze potential indicators associated with network attacks."
NEW QUESTION # 101
A security analyst must prevent remote users from accessing malicious URLs. The sites need to be checked inline for reputation, content, or categorization. Which of the following technologies will help secure the enterprise?
- A. NGFW
- B. VPN
- C. SASE
- D. SD-WAN
Answer: C
Explanation:
SASE provides a cloud-delivered, inline secure web gateway with URL reputation, content inspection, and categorization for remote users without backhauling traffic through on-premises firewalls.
NEW QUESTION # 102
A company is experiencing issues with employees leaving the company for a competitor and taking customer contact information with them. Which of the following tools will help prevent this from reoccurring?
- A. IDS
- B. NAC
- C. FIM
- D. UBA
Answer: D
Explanation:
User Behavior Analytics (UBA) detects unusual or risky user activities, such as exfiltrating customer contact data, helping to identify and prevent insider threats before employees leave for a competitor.
NEW QUESTION # 103
Which of the following explains how a supply chain service provider could introduce a security vulnerability into an organization?
- A. Having privileged access to client systems and becoming a target for attackers
- B. Outsourcing customer service operations to a foreign call center
- C. Failing to encrypt data stored on the organization's internal database
- D. Delaying hardware shipments needed for system upgrades
Answer: A
Explanation:
The correct answer is having privileged access to client systems and becoming a target for attackers, which directly reflects a major risk discussed in the Security+ SY0-701 domain of Security Program Management and Oversight, specifically within third-party and supply chain risk management. Supply chain service providers often require elevated or privileged access to an organization's systems to perform maintenance, monitoring, software updates, or support services. This level of access significantly expands the organization' s attack surface.
When a vendor has privileged access, attackers may target the service provider as an indirect path into the primary organization. This type of compromise is especially dangerous because malicious activity may appear legitimate, using trusted credentials and authorized connections. The Security+ study guide emphasizes that third-party compromises can bypass traditional perimeter defenses, making them particularly difficult to detect and contain. As a result, vendors can unintentionally introduce vulnerabilities even if the organization's internal security controls are strong.
The other options do not directly introduce a security vulnerability. Delayed hardware shipments affect availability and project timelines but do not create a security weakness. Outsourcing customer service may introduce privacy or compliance concerns, but it does not inherently create a technical vulnerability unless combined with poor access controls. Failing to encrypt internal databases is an internal security failure, not a supply chain issue caused by a service provider.
From a Security+ perspective, managing this risk requires strong contractual controls, least-privilege access, continuous monitoring, and audit rights. Organizations must treat vendors as extensions of their own environment. Therefore, privileged access held by a supply chain provider-and the increased likelihood of that provider being targeted-is the most accurate explanation of how a supply chain service provider can introduce a security vulnerability.
NEW QUESTION # 104
A company is considering an expansion of access controls for an application that contractors and internal employees use to reduce costs. Which of the following risk elements should the implementation team understand before granting access to the application?
- A. Threshold
- B. Appetite
- C. Tolerance
- D. Register
Answer: C
NEW QUESTION # 105
A security audit of an organization revealed that most of the IT staff members have domain administrator credentials and do not change the passwords regularly. Which of the following solutions should the security learn propose to resolve the findings in the most complete way?
- A. Reviewing the domain administrator group, removing all unnecessary administrators, and rotating all passwords
- B. Securing domain administrator credentials in a PAM vault and controlling access with role-based access control
- C. Integrating the domain administrator's group with an IdP and requiring SSO with MFA for all access
- D. Creating group policies to enforce password rotation on domain administrator credentials
Answer: B
Explanation:
Using a Privileged Access Management (PAM) vault to secure domain administrator credentials and enforcing role-based access control (RBAC) is the most comprehensive solution. PAM systems help manage and control access to privileged accounts, ensuring that only authorized personnel can access sensitive credentials. This approach also facilitates password rotation, auditing, and ensures that credentials are not misused or left unchanged. Integrating PAM with RBAC ensures that access is granted based on the user's role, further enhancing security.
Reference =
CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management.
NEW QUESTION # 106
During the onboarding process, an employee needs to create a password for an intranet account. The password must include ten characters, numbers, and letters, and two special characters. Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile.
Which of the following access management concepts is the company most likely using to safeguard intranet accounts and grant access to multiple sites based on a user's intranet account? (Select two).
- A. Identity proofing
- B. Password complexity
- C. Password manager
- D. Open authentication
- E. Default password changes
- F. Federation
Answer: B,F
Explanation:
Federation is an access management concept that allows users to authenticate once and access multiple resources or services across different domains or organizations. Federation relies on a trusted third party that stores the user's credentials and provides them to the requested resources or services without exposing them.
Password complexity is a security measure that requires users to create passwords that meet certain criteria, such as length, character types, and uniqueness. Password complexity can help prevent brute-force attacks, password guessing, and credential stuffing by making passwords harder to crack or guess. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 308-309 and 312-
313 1
NEW QUESTION # 107
After reviewing the following vulnerability scanning report:
Server:192.168.14.6
Service: Telnet
Port: 23 Protocol: TCP
Status: Open Severity: High
Vulnerability: Use of an insecure network protocol
A security analyst performs the following test:
nmap -p 23 192.168.14.6 -script telnet-encryption
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
I telnet encryption:
| _ Telnet server supports encryption
Which of the following would the security analyst conclude for this reported vulnerability?
- A. It is considered noise.
- B. A rescan is required.
- C. It is a false positive.
- D. Compensating controls exist.
Answer: C
Explanation:
A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service on port 23 is open and uses an insecure network protocol. However, the security analyst performs a test using nmap and a script that checks for telnet encryption support. The result shows that the telnet server supports encryption, which means that the data transmitted between the client and the server can be protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not reflect the actual security posture of the server. The security analyst should verify the encryption settings of the telnet server and client and ensure that they are configured properly3. References: 3: Telnet Protocol - Can You Encrypt Telnet?
NEW QUESTION # 108
An employee fell for a phishing scam, which allowed an attacker to gain access to a company PC. The attacker scraped the PC's memory to find other credentials. Without cracking these credentials, the attacker used them to move laterally through the corporate network. Which of the following describes this type of attack?
- A. Privilege escalation
- B. Pass-the-hash
- C. Buffer overflow
- D. SQL injection
Answer: B
Explanation:
The scenario describes an attacker who obtained credentials from a compromised system's memory and used them without cracking to move laterally within the network. This technique is known as a "pass-the-hash" attack, where the attacker captures hashed credentials (e.g., NTLM hashes) and uses them to authenticate and gain access to other systems without needing to know the plaintext password. This is a common attack method in environments where weak security practices or outdated protocols are in use.
NEW QUESTION # 109
Which of the following are the first steps an analyst should perform when developing a heat map?
(Choose two.)
- A. Methodically walk around the office noting Wi-Fi signal strength.
- B. Remove possible impediments to radio transmissions.
- C. Create or obtain a layout of the office.
- D. Review access logs to determine the most active devices.
- E. Measure cable lengths between access points.
- F. Log in to each access point and check the settings.
Answer: A,C
NEW QUESTION # 110
A technician wants to improve the situational and environmental awareness of existing users as they transition from remote to in-office work. Which of the following is the best option?
- A. Modify the content of recurring training.
D Implement a phishing campaign - B. Send out periodic security reminders.
- C. Update the content of new hire documentation.
Answer: A
Explanation:
Explanation
Recurring training is a type of security awareness training that is conducted periodically to refresh and update the knowledge and skills of the users. Recurring training can help improve the situational and environmental awareness of existing users as they transition from remote to in-office work, as it can cover the latest threats, best practices, and policies that are relevant to their work environment. Modifying the content of recurring training can ensure that the users are aware of the current security landscape and the expectations of their roles. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701,
9th Edition, Chapter 5, page 232. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 5.1, page 18.
NEW QUESTION # 111
During a security incident, the security operations team identified sustained network traffic from a malicious IP address:
10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request?
- A. access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32
- B. access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32
- C. access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0
- D. access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
Answer: D
Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet to pass through the firewall. A firewall rule consists of several elements, such as the action, the protocol, the source address, the destination address, and the port number. The syntax of a firewall rule may vary depending on the type and vendor of the firewall, but the basic logic is the same. In this question, the security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization's network. This means that the action should be deny, the protocol should be any (or ig for IP), the source address should be
10.1.4.9/32 (which means a single IP address), the destination address should be 0.0.0.0/0 (which means any IP address), and the port number should be any. Therefore, the correct firewall rule is:
access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
This rule will match any packet that has the source IP address of 10.1.4.9 and drop it.
The other options are incorrect because they either have the wrong action, the wrong source address, or the wrong destination address. For example, option A has the source and destination addresses reversed, which means that it will block any packet that has the destination IP address of 10.1.4.9, which is not the intended goal. Option C has the wrong action, which is permit, which means that it will allow the packet to pass through the firewall, which is also not the intended goal. Option D has the same problem as option A, with the source and destination addresses reversed.
References = Firewall Rules - CompTIA Security+ SY0-401: 1.2, Firewalls - SY0-601 CompTIA Security+ :
3.3, Firewalls - CompTIA Security+ SY0-501, Understanding FirewallRules - CompTIA Network+ N10-005:
5.5, Configuring Windows Firewall - CompTIA A+ 220-1102 - 1.6.
NEW QUESTION # 112
A systems administrator is concerned about vulnerabilities within cloud computing instances Which of the following is most important for the administrator to consider when architecting a cloud computing environment?
- A. VM escape
- B. TOC/TOU
- C. Password spraying
- D. SQL injection
- E. Tokenization
Answer: A
NEW QUESTION # 113
Visitors to a secured facility are required to check in with a photo ID and enter the facility through an access control vestibule Which of the following but describes this form of security control?
- A. Technical
- B. Managerial
- C. Operational
- D. Physical
Answer: D
Explanation:
A physical security control is a device or mechanism that prevents unauthorized access to a physical location or asset. An access control vestibule, also known as a mantrap, is a physical security control that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This prevents unauthorized individuals from following authorized individuals into the facility, a practice known as piggybacking or tailgating. A photo ID check is another form of physical security control that verifies the identity of visitors. Managerial, technical, and operational security controls are not directly related to physical access, but rather to policies, procedures, systems, and processes that support security objectives.
NEW QUESTION # 114
An engineer moved to another team and is unable to access the new team's shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group. Which of the following access controls is most likely causing the lack of access?
- A. Role-based
- B. Discretionary
- C. Time of day
- D. Least privilege
Answer: A
Explanation:
The most likely access control causing the lack of access is role-based access control (RBAC). In RBAC, access to resources is determined by the roles assigned to users. Since the engineer's account was not moved to the new group's role, the engineer does not have the necessary permissions to access the new team's shared folders.
Role-based access control (RBAC): Assigns permissions based on the user's role within the organization. If the engineer's role does not include the new group's permissions, access will be denied.
Discretionary access control (DAC): Access is based on the discretion of the data owner, but it is not typically related to group membership changes.
Time of day: Restricts access based on the time but does not affect group memberships.
Least privilege: Ensures users have the minimum necessary permissions, but the issue here is about group membership, not the principle of least privilege.
NEW QUESTION # 115
A newly identified network access vulnerability has been found in the OS of legacy loT devices.
Which of the following would best mitigate this vulnerability quickly?
- A. Segmentation
- B. Insurance
- C. Patching
- D. Replacement
Answer: A
Explanation:
Segmentation is a technique that divides a network into smaller subnetworks or segments, each with its own security policies and controls. Segmentation can help mitigate network access vulnerabilities in legacy loT devices by isolating them from other devices and systems, reducing their attack surface and limiting the potential impact of a breach. Segmentation can also improve network performance and efficiency by reducing congestion and traffic. Patching, insurance, and replacement are other possible strategies to deal with network access vulnerabilities, but they may not be feasible or effective in the short term. Patching may not be available or compatible for legacy loT devices, insurance may not cover the costs or damages of a cyberattack, and replacement may be expensive and time-consuming.
NEW QUESTION # 116
......
Positive Aspects of Valid Dumps SY0-701 Exam Dumps!: https://www.braindumpsit.com/SY0-701_real-exam.html
First Attempt Guaranteed Success in SY0-701 Exam: https://drive.google.com/open?id=13ssdMyrIbKsaU1mRz2NupVCcHzrDLPzl