CompTIA Security+ (SY0-701) Exam Questions
1. Which type of authentication factor is being used when a smartphone uses a fingerprint scan for authenticating?
- Something you are
- Something you know
- Something you have
- Something you can do
Correct answer: Something you are
Multi-factor authentication (MFA) uses two or more different types of factors. Factors can include:
- Something you know: Password, PIN, etc.
- Something you have: Smartphone, security token, etc.
- Something you are: Fingerprint, facial, voice recognition, etc.
- Somewhere you are: Geolocation, IP address
- Something you can do: Connecting dots on a picture, etc.
- Something you exhibit: Gait, behavior, etc.
- Someone you know: Password reset based on trusted party, etc.
Facial and fingerprint recognition are more common on mobile devices than on other systems.
2. A company is downsizing and needs to lay off numerous employees. They do not want any of the employees who are being fired to be able to cause harm to the organization, so they disable their user credentials before informing them they will be let go.
What attack motivation is the company concerned about?
- Revenge
- Ethical
- Financial gain
- Espionage
Correct answer: Revenge
Revenge is a motivation of attackers when they feel they have to get even with someone. Disgruntled employees sometimes seek revenge against a former employer when they are fired.
An ethical hacker searches for vulnerabilities with the intent of fixing problems rather than causing harm. Organized crime is primarily interested in financial gain. Nation-states and competing organizations are motivated by espionage.
3. An organization wants to block attempts to make unencrypted connections to their web server. How should they configure their firewall?
- Block incoming traffic on port 80
- Block outgoing TCP connections
- Block incoming traffic from IP address 0.0.0.0
- Block traffic with a destination IP address of 0.0.0.0
Correct answer: Block incoming traffic on port 80
Unencrypted web traffic uses the HTTP protocol on port 80. Traffic should instead travel through port 443 for HTTPS.
Blocking all TCP connections would also block encrypted connections. Blocking IP addresses would not address the issue.
4. An administrator is concerned that a computer with sensitive information can be tampered with or rendered inoperable. Despite the system's hard drive being secured with encryption along with a username and password combination, they want to ensure that the computer cannot be sabotaged through changes in the system's firmware.
What technique can they use to ensure that firmware has not been compromised?
- Secure boot
- Secure enclave
- Steganography
- Sandbox
Correct answer: Secure boot
Boot integrity can be realized by using a solution called secure boot. It uses a key to validate the signature of UEFI firmware.
A secure enclave is used for a secure environment for storing and processing sensitive information. Steganography involves hiding sensitive information in different media. A sandbox is an environment that is isolated from the rest of the system.
5. An administrator is investigating unusual network traffic originating from several workstations in the HR department. Upon further inspection, the administrator notices that the workstations are making many thousands of requests to a specific web forum. As the administrator is searching for more information, they discover that the web forum in question is currently unavailable, for unknown reasons.
Which of the following is likely the reason for what is occurring?
- The workstations are part of a botnet that is carrying out a DDoS against the web forum
- A keylogger is sending information back to the attacker
- A DNS attack is being perpetrated against the web forum
- A buffer overflow attack has taken down the web forum
Correct answer: The workstations are part of a botnet that is carrying out a DDoS against the web forum
A botnet is a group of infected machines all serving under a command and control center. It consists of bots, or zombies, which are infected servers or workstations that perform the operations as commanded by the bot herder. These botnets are often used to launch distributed denial-of-service (DDoS) attacks.
Keyloggers do not cause excessive traffic. DNS attacks involve altering the system that a DNS query directs users to. A buffer overflow attack does not require multiple systems sending requests.
6. A company sets up a proxy server to filter web content that employees can access. Their filtering solution will look at the history of websites that users request access to and determine their trustworthiness based on that.
What method of web filtering are they using?
- Reputation-based
- Content categorization
- Block rules
- URL scanning
Correct answer: Reputation-based
Reputation-based web filtering looks at the history of a website before deciding to allow access to it. It can look at other factors, such as community feedback, to decide if a site is trustworthy.
Content categorization considers the category a website belongs to before making a decision. Block rules allow an administrator to decide which sites to block. URL scanning blocks access based on known malicious URLs.
7. Through a risk assessment, Smith Consulting has determined that there is a risk present within their networking hardware that can be reduced or removed with updated firmware. What is it called when a risk is reduced or eliminated altogether?
- Risk mitigation
- Risk transfer
- Risk avoidance
- Risk acceptance
Correct answer: Risk mitigation
Risk mitigation is when a risk is reduced or eliminated altogether. For instance, installing an antivirus and configuring it to auto-update to catch the latest threats is a form of risk mitigation. Another example would be ensuring that workstations and servers, along with any other devices, are updated and patched regularly to lessen the risk of vulnerabilities.
Risk transfer involves using a third party to handle the risk. Risk avoidance involves not engaging in the risky activity. Risk acceptance involves not implementing additional controls to mitigate a risk.
8. A junior network administrator is being trained on the configuration of the network components, such as routers and firewalls. He asks how the firewall knows to block or permit traffic and where that information is stored.
What does a firewall use to store these rules?
- ACL
- CAM table
- ARP table
- ASLR
Correct answer: ACL
A firewall inspects traffic that passes through it and permits or denies that traffic based on rules set by an administrator. The rules for whether traffic passes are stored in an access control list (ACL).
A CAM table associates MAC addresses with port locations. An ARP table maps IP addresses and MAC addresses. Address space layout randomization (ASLR) is used to secure memory used by a system.
9. A malicious individual has managed to gain access to a user's system through a spear phishing email. The attacker extracted usernames and passwords from the local registry files and proceeded to obtain administrator privileges to continue the attack.
What term is given to an attack like this, in which a hacker manages to use a lower-access account to amass more permissions and gain access to resources that they shouldn't have?
- Privilege escalation
- Downgrade attack
- Memory leak
- Brute force
Correct answer: Privilege escalation
Privilege escalation happens when a bug or flaw in software allows an attacker to gain access to resources that they normally wouldn't. This usually happens when input has not been validated by the developer or security team. Penetration testing can help identify this issue.
A downgrade attack is when a system tries to negotiate with a server to use an older, less secure protocol. A memory leak is when an application does not properly release memory. A brute force attack is used to crack passwords.
10. Which aspect of zero trust cybersecurity architecture refers to minimizing the impact in case there is a security breach?
- Threat scope reduction
- Adaptive identity
- Policy enforcement point
- Policy-driven access control
Correct answer: Threat scope reduction
Threat scope reduction refers to limiting the attack surface that can be exploited in a breach. Principles such as least privilege and identity-based network segmentation can aid in threat scope reduction.
Adaptive identity takes context into account when granting access rights. A policy enforcement point acts as a gatekeeper that ensures only authorized actions are permitted. Policy-driven access control refers to the automation of enforcing security policies.
11. What type of hardening technique should be applied on a web application server?
- Promptly applying security patches
- Changing default SSIDs
- Segmenting interfaces into virtual networks
- Blocking or allowing access through interfaces based on rulesets
Correct answer: Promptly applying security patches
Web application servers interface directly with the internet and need to be continually updated with the latest security patches.
SSIDs are used with wireless access points. Switches are in charge of segmenting networks. Dedicated firewalls are used to efficiently evaluate traffic based on rulesets.
12. Which physical security control is often the first line of defense and can be augmented with barbed wire or razor wire at the top?
- Fencing
- Bollards
- Access control vestibules
- Honeynet
Correct answer: Fencing
Fencing is often the first line of defense for protecting a building. An 8-foot fence with barbed wire installed at a 45-degree angle is recommended to deter determined intruders.
Bollards are used to prevent vehicles from entering an area. An access control vestibule is used to allow only one authorized user at a time to enter an area. A honeynet is a fake network designed to entice attackers so they can be monitored.
13. Which of the following is a short-range (less than a few centimeters) wireless connectivity standard that uses magnetic field induction to enable communication?
- Near-field communication
- Wi-Fi
- Infrared
- GPS
Correct answer: Near-field communication
Near-field communication (NFC) is a short-range (less than a few centimeters) wireless connectivity standard that uses magnetic field induction to enable communication. It can be used in instances where data needs to be transferred, such as when two Bluetooth devices need to be synced and communicate with each other. When employed this way, it can automatically pair two mobile devices. It can also be used to pair a Bluetooth device with a workstation and to transmit data over short distances.
Wi-Fi can have a range of up to 100 meters. Infrared communications use line-of-sight. GPS uses satellite communications.
14. An organization is having trouble with their wireless access point. When talking to customer service, they discover that their wireless access point is a counterfeit. What type of supply chain vulnerability have they encountered?
- Hardware provider
- Service provider
- Software provider
- Identity provider
Correct answer: Hardware provider
When an organization procures hardware from a third party, they need to be aware of counterfeit hardware. Fake devices can be infected with malware or introduce other vulnerabilities.
Service provider vulnerabilities can lead to problems such as data breaches, service disruptions, or unauthorized access. Software provider vulnerabilities can lead to issues such as malicious software or data breaches. An identity provider provides authentication services, and vulnerabilities in it can lead to issues such as unauthorized access.
15. A zero trust security model divides logical components into what two types of planes?
- Data and control
- In-band and out-of-band
- Block and stream
- Symmetric and asymmetric
Correct answer: Data and control
A zero trust security model uses a data plane and a control plane. The data plane moves information, while the control plane manages intelligence around routing.
In-band and out-of-band refer to methods of network management. Block and stream are different ways to encrypt data. Symmetric and asymmetric are methods of key generation and sharing.
16. Which vulnerability emerges when a cloud service provider does not properly sanitize disks before provisioning them to new clients?
- Resource reuse
- VM escape
- VM sprawl
- Legacy
Correct answer: Resource reuse
When a cloud service provider does not sanitize disks, there may be sensitive data on them when they are provisioned to a new user. This is one problem with resource reuse.
VM escape refers to a vulnerability in the hypervisor that lets a client break out of their virtual machine. VM sprawl refers to not deprovisioning VMs when they are no longer needed. Legacy vulnerabilities refer to running systems that are no longer supported by their manufacturer.
17. Two users are communicating with each other through email. User 1 encrypts the message with a key made available by the recipient, user 2. The recipient is then able to read the message with their secret key so that only they can see the information. In response, user 2 sends a message back encrypted with the public key of user 1.
What type of key algorithm are they using?
- Asymmetric
- Symmetric
- Private
- Public
Correct answer: Asymmetric
Asymmetric key algorithms use a pair of two different keys: one encrypts a message and the other decrypts it. Unlike a symmetric key, which is a single shared secret, the two asymmetric keys are related only mathematically.
Symmetric algorithms do not use a public key. Private and public are two key types in asymmetric cryptography.
18. Which of the following risks is MOST associated with employee offboarding?
- IP theft
- Legacy systems
- Software compliance/licensing
- Multiparty
Correct answer: IP theft
An organization's intellectual property can be stolen by an internal or external party. For example, a departing employee may take sensitive corporate data with them. Encryption and access control are common controls for protecting against IP theft.
Legacy systems may not be supported by vendors and may contain outdated software or hardware. As a result, they are more likely to contain exploitable vulnerabilities. Software compliance/licensing issues can arise if an organization doesn't keep track of its software usage and purchases insufficient licenses. Also, software commonly includes third-party libraries, which may have associated licenses that an organization may not be aware of or compliant with. Multiparty risks are commonly external because they originate from an organization's relationships with other organizations.
19. The acronyms TOTP and HOTP relate to which type of authentication factor?
- Something you have
- Something you know
- Something you are
- Something you exhibit
Correct answer: Something you have
Multi-factor authentication (MFA) uses two or more different types of factors. Factors can include:
- Something you know: Password, PIN, etc.
- Something you have: Smartphone, security token, etc.
- Something you are: Fingerprint, facial, voice recognition, etc.
- Somewhere you are: Geolocation, IP address
- Something you can do: Connecting dots on a picture, etc.
- Something you exhibit: Gait, behavior, etc.
- Someone you know: Password reset based on trusted party, etc.
Time-based One-Time Password (TOTP) and Hash-based One-Time Password (HOTP) are algorithms used in authenticator apps, which are installed on a smartphone or other device (something you have).
20. After issues with the domain controllers, an administrator is ensuring that all of the servers synchronize their time with one another. This is being done with all systems, using the network time protocol (NTP).
Which of the following is sensitive to time differences and is likely the cause of the administrator's recent steps to synchronize them all?
- Kerberos
- DNS
- IPv4
- RDP
Correct answer: Kerberos
By design, Kerberos uses time in its tokens and therefore requires clients to be time-synchronized within five minutes of each other. Microsoft's Active Directory uses Kerberos for authentication and has the individual domain controllers periodically sync their time with a reliable internet server running the network time protocol (NTP).
DNS, IPv4, and RDP are not sensitive to minor time differences.