CompTIA Security+ SY0-701 Exam Study Guide 2025: Complete Certification Prep with Core Concepts, Real-World Cybersecurity Examples, and Expert Practice Questions

Typology: Exams

2024/2025

Available from 07/14/2025

edwards-christopher 🇬🇧

361 documents

Here are the multiple-choice questions with rationales and the correct answers indicated:

Question 1:
A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, which of the following will occur when users try to authenticate to the portal? (Select two)
A. The portal will function as a service provider and request an authentication assertion - Correct Answer
B. The portal will function as an identity provider and issue an authentication assertion
C. The portal will request an authentication ticket from each network that is transitively trusted
D. The back-end networks will function as an identity provider and issue an authentication assertion - Correct Answer
E. The back-end networks will request authentication tickets from the portal, which will act as the third-party service provider authentication store
F. The back-end networks will verify the assertion token issued by the portal functioning as the identity provider
Rationale:
  • A. The portal will function as a service provider and request an authentication assertion: In a SAML scenario, the application the user is trying to access (the secure web portal) acts as the Service Provider (SP). When a user attempts to access the portal, the SP redirects the user to the Identity Provider (IdP) with an authentication request (AuthnRequest) and waits for the IdP to return a signed authentication assertion.
  • D. The back-end networks will function as an identity provider and issue an authentication assertion: Since employees are using their existing usernames and passwords from their respective division networks, those existing authentication systems act as the Identity Providers (IdPs). When the portal (SP) redirects the user, the user authenticates against their division's network (IdP), which then issues a SAML authentication assertion. Before trusting it, the SP must validate the assertion: verify the signature against the IdP's registered certificate, check the Issuer, check that the Audience is the SP's own entity ID, and check the NotBefore/NotOnOrAfter validity window.
  • B. The portal will function as an identity provider and issue an authentication assertion: The portal itself is not the system holding the users' credentials; the individual division networks are. Therefore, the portal will not act as the IdP.
  • C. The portal will request an authentication ticket from each network that is transitively trusted: SAML uses assertions, not tickets like Kerberos. Transitive trust is a concept related to domain relationships, not directly to the SAML authentication flow in this scenario.
  • E. The back-end networks will request authentication tickets from the portal, which will act as the third-party service provider authentication store: The portal is the service being accessed, not the authentication store in this case. The back-end networks (IdPs) handle authentication.
  • F. The back-end networks will verify the assertion token issued by the portal functioning as the identity provider: The portal is the SP and requests the assertion. The back-end networks (IdPs) issue the assertion, which the portal (SP) verifies.

Question 2:
A company wants to host a publicly available server that performs the following functions:
  • Evaluates MX record lookups
  • Can perform authenticated requests for A and AAAA records
  • Uses RRSIG
Which of the following should the company use to fulfill the above requirements?
A. LDAPS
B. DNSSEC - Correct Answer
C. SFTP
D. nslookup
E. dig
Rationale:
  • B. DNSSEC: RRSIG is the DNSSEC resource record that carries the signature over a DNS record set, so a server that "uses RRSIG" and lets clients authenticate its A and AAAA answers is a DNSSEC-signed authoritative DNS server. nslookup and dig are client-side query tools, LDAPS is directory access over TLS, and SFTP is file transfer over SSH; none of them is the server-side mechanism the requirements describe.
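The rationale for Question 1 says the portal (SP) must validate the assertion the division IdP issues. The following is an added example, not code from the study guide, showing the checks an SP makes on a received SAML 2.0 assertion: trusted issuer, validity window with clock skew, audience restriction, and subject. The IdP URL, SP entity ID and user name are hypothetical, and the assertion is constructed inline and unsigned, so XML-signature verification (which a real SP performs before any of these checks) is out of scope for the block.

```python
"""SP-side validation of a SAML 2.0 assertion (added example, not from the guide).

Assumptions: the issuer URL, SP entity ID and user name are hypothetical; the
assertion is constructed inline and unsigned, so XML-signature verification
(which a real SP must do first) is not shown here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical identifiers for the scenario in Question 1.
DIVISION_A_IDP = "https://idp.division-a.example.com"
PORTAL_SP_ID = "https://portal.example.com/sp"

# Constructed sample: what the division IdP returns to the portal (SP).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_constructed-1" Version="2.0" IssueInstant="2025-07-14T10:00:00Z">
  <saml:Issuer>{DIVISION_A_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-07-14T09:59:00Z" NotOnOrAfter="2025-07-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{PORTAL_SP_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-07-14T10:00:00Z"/>
</saml:Assertion>"""


def _utc(stamp):
    """Parse the xsd:dateTime form SAML uses (UTC, 'Z' suffix)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, sp_entity_id, now,
                       skew=timedelta(seconds=60)):
    """Checks an SP must make before trusting an assertion.

    Returns (ok, reason, name_id). The issuer is checked before anything else
    so an assertion from an unknown IdP is rejected even if it looks well formed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a saml:Assertion", None
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before = cond.get("NotBefore")
    if not_before and now + skew < _utc(not_before):
        return False, "assertion not yet valid", None
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= _utc(not_on_or_after):
        return False, "assertion expired", None
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id


def demo():
    """Run the sample assertion through four outcomes; returns each result."""
    good_now = datetime(2025, 7, 14, 10, 1, tzinfo=timezone.utc)
    late_now = datetime(2025, 7, 14, 10, 30, tzinfo=timezone.utc)
    trusted = {DIVISION_A_IDP}
    return {
        "valid": validate_assertion(SAMPLE_ASSERTION, trusted, PORTAL_SP_ID, good_now),
        "expired": validate_assertion(SAMPLE_ASSERTION, trusted, PORTAL_SP_ID, late_now),
        "wrong_audience": validate_assertion(SAMPLE_ASSERTION, trusted,
                                             "https://other.example.com/sp", good_now),
        "unknown_idp": validate_assertion(SAMPLE_ASSERTION, set(), PORTAL_SP_ID, good_now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The audience check is the one most often skipped in hand-rolled SPs: without it, an assertion the IdP issued for some other service provider can be replayed against the portal. The skew parameter is the usual allowance for clock drift between IdP and SP.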
Question 3 (question text not included in this preview; rationale for the incorrect options only):
  • A. Keylogger: Keyloggers record keystrokes. Their network traffic would typically involve sending the captured keystrokes, not error messages related to hyperlinks.
  • B. Ransomware: Ransomware encrypts files and demands a ransom. Its network traffic would primarily involve communication with command and control servers for key exchange or payment instructions, not generic error messages like this.
  • C. Logic bomb: A logic bomb is a piece of code intentionally inserted into software that lies dormant until a specific condition is met, at which point it triggers a malicious action. The network capture doesn't provide enough context to suggest a timed or condition-based malicious action.

Question 4:
The computer resource center issued smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install?
A. Download manager
B. Content manager
C. Segmentation manager
D. Application manager - Correct Answer
Rationale:
  • D. Application manager (or Mobile Application Management, MAM): An application manager or a Mobile Application Management (MAM) solution allows organizations to control the deployment, configuration, management, security, and removal of mobile applications on managed devices. This includes the ability to allow-list or block-list specific applications, enforce app installation policies, and prevent the installation of unauthorized or risky tools.
  • A. Download manager: A download manager assists with downloading files but doesn't control which applications users can install.
  • B. Content manager: A content manager focuses on managing and distributing digital content (documents, media, etc.) on mobile devices, not the applications themselves.
  • C. Segmentation manager: Segmentation typically refers to network segmentation, dividing the network into smaller, isolated segments for security purposes. It doesn't control application installations on devices.

Question 5:
A datacenter recently experienced a breach. When access was gained, an RF device was used to access an air-gapped and locked server rack. Which of the following would BEST prevent this type of attack?
A. Faraday cage - Correct Answer
B. Smart cards
C. Infrared detection
D. Alarms
Rationale:

  • A. Faraday cage: A Faraday cage is an enclosure made of conductive material that blocks electromagnetic fields, including radio frequencies (RF). Enclosing the air-gapped server rack in a Faraday cage would prevent RF signals from entering or leaving it, effectively blocking the RF device used in the attack.
  • B. Smart cards: Smart cards are physical access tokens and wouldn't prevent RF signals from being transmitted to the server rack.
  • C. Infrared detection: Infrared detection systems detect heat signatures and movement but are not effective against RF signals used for data transmission.
  • D. Alarms: Alarms can alert personnel to unauthorized physical access but wouldn't prevent RF signals from being used to access the server rack.

Question 6:
A security analyst captures forensic evidence from a potentially compromised system for further investigation. The evidence is documented and securely stored to FIRST:
A. maintain the chain of custody
B. preserve the data - Correct Answer
C. obtain a legal hold
D. recover data at a later time
Rationale:
  • B. preserve the data: The absolute first priority when handling forensic evidence is to preserve the data in its original state. This prevents any accidental or intentional alteration, ensuring the integrity and admissibility of the evidence for later analysis.

A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue?
A. SSL
B. CRL - Correct Answer
C. PKI
D. ACL
Rationale:

  • B. CRL (Certificate Revocation List): Given that a root CA has been compromised, the most efficient way to address this issue across a large number of diverse browsers is to utilize a Certificate Revocation List (CRL). The CA revokes the affected certificates by publishing an updated CRL, and browsers that check CRLs (or OCSP, which answers the same revocation question per certificate) will then reject the hijacked certificate regardless of browser type, with no per-machine cleanup. One caveat a practitioner should keep in mind: a CRL is signed with the issuing CA's own key, so it cannot by itself protect against an attacker who holds the root key, since that attacker can sign a CRL too. A true root compromise also requires the root certificate to be distrusted in the browser and operating-system trust stores, which is why browser vendors ship root-store updates in such cases.
  • A. SSL (Secure Sockets Layer): SSL is a cryptographic protocol that provides secure communication. While relevant to certificate usage, it doesn't directly address the revocation of a compromised certificate.
  • C. PKI (Public Key Infrastructure): PKI is the overall framework for managing digital certificates. While the organization has a PKI, the immediate need is to revoke trust in the compromised CA's certificates, which is done through CRLs.
  • D. ACL (Access Control List): ACLs are used to control access to resources, not to manage the validity of digital certificates within browsers.

Question 9:
A network technician is setting up a segmented network that will utilize a separate ISP to provide wireless access to the public area for a company. Which of the following wireless security methods should the technician implement to provide basic accountability for access to the public network?
A. Pre-shared key
B. Enterprise
C. WiFi Protected Setup
D. Captive portal - Correct Answer
Rationale:

  • D. Captive portal: A captive portal is a web page that users are redirected to when they first connect to a public Wi-Fi network. It often requires users to agree to terms of service, provide contact information (like an email address), or authenticate before granting internet access. This provides a basic level of accountability by logging who accessed the network and when.
  • A. Pre-shared key (PSK): PSK provides encryption but doesn't offer individual accountability. Everyone with the key has the same access.
  • B. Enterprise (802.1x): Enterprise mode provides strong authentication using protocols like RADIUS, but it typically requires individual user accounts and is more complex to set up and manage for a public network.
  • C. WiFi Protected Setup (WPS): WPS is a convenience feature that can be insecure (its PIN method is brute-forceable) and doesn't provide accountability for individual users on a public network.

A company's loss control department identifies theft as a recurring loss type over the past year. Based on the department's report, the Chief Information Officer wants to detect theft of datacenter equipment. Which of the following controls should be implemented?
A. Biometrics
B. Cameras
C. Motion detectors - Correct Answer
D. Mantraps

A security analyst receives a notification from the IDS after working hours, indicating a spike in network traffic. Which of the following BEST describes this type of IDS?
A. Anomaly-based

    then rm -rf /
fi
Based on the above information, which of the following types of malware was installed on the server /local/?
A. Logic bomb
B. Trojan
C. Backdoor - Correct Answer
D. Ransomware
E. Rootkit

In terms of encrypting data, which of the following is BEST described as a way to safeguard password data by adding random data to it in storage?
A. Using salt - Correct Answer
B. Using hash algorithms
C. Implementing elliptical curve
D. Implementing PKI

A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement?
A. Shared accounts
B. Preshared passwords
C. Least privilege
D. Sponsored guest - Correct Answer
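The salt question above asks what "adding random data" to a stored password achieves. The following added example (not code from the study guide) shows it concretely with PBKDF2-HMAC-SHA256 from the Python standard library: two users with the same password get identical unsalted hashes, but different salted records, and verification recomputes the hash from the salt stored alongside it. The user names and passwords are constructed for the demonstration.

```python
"""Salted password storage with PBKDF2-HMAC-SHA256 (added example, not from the guide).

Shows why a per-user random salt matters: without it, two users with the
same password get the same stored hash, which is what rainbow tables and
cross-user cracking exploit. Passwords below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """The weak scheme the question contrasts against: one plain hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    # constructed: two users happened to choose the same password
    password = "Winter2025!"
    alice_record = hash_password(password)
    bob_record = hash_password(password)
    return {
        "unsalted_identical": unsalted_sha256(password) == unsalted_sha256(password),
        "salted_identical": alice_record == bob_record,
        "alice_verifies": verify_password(password, alice_record),
        "bob_verifies": verify_password(password, bob_record),
        "wrong_password_accepted": verify_password("Winter2024!", alice_record),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

The salt is not secret and is stored with the digest; its job is uniqueness, so that an attacker must attack each record separately. The iteration count (or a memory-hard function such as scrypt or Argon2) is what makes each attempt expensive; the salt alone does not slow down guessing.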

Which of the following would MOST likely appear in an uncredentialed vulnerability scan?
A. Self-signed certificates - Correct Answer
B. Missing patches
C. Auditing parameters
D. Inactive local accounts
Rationale:
  • A. Self-signed certificates: An uncredentialed scan only sees what a service exposes on the network. A self-signed certificate is presented during the TLS handshake and is reported by any scanner. Auditing parameters and inactive local accounts are host configuration and require a credentialed (authenticated) scan, and reliable missing-patch detection also generally needs credentials.

When identifying a company's most valuable assets as part of a BIA, which of the following should be the FIRST priority?
A. Life - Correct Answer
B. Intellectual property
C. Sensitive data
D. Public reputation

An organization needs to implement a large PKI. Network engineers are concerned that repeated transmission of the OCSP will impact network performance. Which of the following should the security analyst recommend in lieu of an OCSP?
A. CSR
B. CRL - Correct Answer
C. CA
D. OID

When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Select two)

An organization's file server has been virtualized to reduce costs. Which of the following types of backups would be MOST appropriate for the particular file server?
A. Snapshot
B. Full
C. Incremental - Correct Answer
D. Differential

A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant. Which of the following represents the authentication architecture in use?
A. Open systems authentication
B. Captive portal
C. RADIUS federation
D. 802.1x - Correct Answer

An employer requires that employees use a key-generating app on their smartphones to log into corporate applications. In terms of authentication of an individual, this type of access policy is BEST defined as:
A. Something you have - Correct Answer
B. Something you know
C. Something you do
D. Something you are

Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. Which of the following terms BEST describes the security control being employed?

A. Administrative - Correct Answer
B. Corrective
C. Deterrent
D. Compensating

A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization's PKI infrastructure. The web server should also utilize the latest security techniques and standards. Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Select two)
A. Install an X.509-compliant certificate - Correct Answer
B. Implement a CRL using an authorized CA
C. Enable and configure TLS on the server - Correct Answer
D. Install a certificate signed by a public CA
E. Configure the web server to use a host header

A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select three)
A. S/MIME
B. SSH - Correct Answer
C. SNMPv
D. FTPS - Correct Answer
E. SRTP
F. HTTPS - Correct Answer
G. LDAPS

D. Passive scan
Correct Answer: A

Which of the following cryptography algorithms will produce a fixed-length, irreversible output?
A. AES
B. 3DES
C. RSA
D. MD5 - Correct Answer

A technician suspects that a system has been compromised. The technician reviews the following log entry:
WARNING- hash mismatch: C:\Window\SysWOW64\user32.dll
WARNING- hash mismatch: C:\Window\SysWOW64\kernel32.dll
Based solely on the information above, which of the following types of malware is MOST likely installed on the system?
A. Rootkit - Correct Answer
B. Ransomware
C. Trojan
D. Backdoor

A new firewall has been placed into service at an organization. However, a configuration has not been entered on the firewall. Employees on the network segment covered by the new firewall report that they are unable to access the network. Which of the following steps should be completed to BEST resolve the issue?
A. The firewall should be configured to prevent user traffic from matching the implicit deny rule

B. The firewall should be configured with access lists to allow inbound and outbound traffic
C. The firewall should be configured with port security to allow traffic
D. The firewall should be configured to include an explicit deny rule
Correct Answer: A

A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use? (Select two)
A. nslookup
   comptia.org
   set type=ANY
   ls -d example.org
B. nslookup
   comptia.org
   set type=MX
   example.org
C. dig -axfr comptia.org @example.org
D. ipconfig /flushDNS
E. ifconfig eth0 down
   ifconfig eth0 up
   dhclient renew
F. dig @example.org comptia.org
Correct Answer: A, C
Note on syntax: option C is reproduced as the guide prints it. In dig the zone transfer is requested with the query type keyword axfr, with no leading hyphen, for example dig @example.org comptia.org axfr. Option A relies on the nslookup ls -d command, which is available in the Windows nslookup; modern Linux builds of nslookup do not implement ls, which is why dig is the Linux-side answer.

Which of the following are the MAIN reasons why a systems administrator would install security patches in a staging environment before the patches are applied to the production server? (Select two)
A. To prevent server availability issues - Correct Answer
B. To verify the appropriate patch is being installed
C. To generate a new baseline hash after patching
D. To allow users to test functionality - Correct Answer
E. To ensure users are trained on new functionality

A Chief Information Officer drafts an agreement between the organization and its employees. The agreement outlines ramifications for releasing information without consent and/or approvals. Which of the following BEST describes this type of agreement?
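Two of the questions above turn on properties of hashes: a hash produces a fixed-length, irreversible output, and a "hash mismatch" on core system files against a known-good baseline is the classic sign that a rootkit has replaced them. The following added example (not code from the study guide) builds a SHA-256 baseline of a directory tree, then re-checks it after simulated tampering and reports changed, missing and new files, the same logic a file-integrity monitor runs. The directory and its files are constructed in a temporary folder for the demonstration; SHA-256 is used rather than the MD5 named in the exam question because MD5 is no longer collision resistant and should not be used for integrity checks.

```python
"""Hash-based file integrity check (added example, not from the guide).

Builds a baseline of SHA-256 digests for a tree, then reports files whose
hash no longer matches, files that disappeared, and files that appeared.
The files are constructed stand-ins for the libraries in the log entry.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path (with forward slashes) -> SHA-256 hex digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def check_against_baseline(root, baseline):
    """Compare the tree with a baseline; returns sorted mismatch/missing/new lists."""
    current = build_baseline(root)
    return {
        "mismatch": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def digest_lengths():
    """Hex digest lengths for inputs of very different sizes: always 64 for SHA-256."""
    samples = [b"", b"a", b"x" * 1_000_000]
    return {len(hashlib.sha256(s).hexdigest()) for s in samples}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline three constructed 'system files', tamper, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "SysWOW64/user32.dll", b"USER32\x00" * 4096)
        _write(root, "SysWOW64/kernel32.dll", b"KERNEL32\x00" * 4096)
        _write(root, "SysWOW64/ntdll.dll", b"NTDLL\x00" * 4096)
        baseline = build_baseline(root)
        # simulated rootkit: patch two libraries, drop a driver, delete a file
        _write(root, "SysWOW64/user32.dll", b"USER32\x00" * 4096 + b"\x90hooked")
        _write(root, "SysWOW64/kernel32.dll", b"KERNEL32\x00" * 4095 + b"\xcc")
        _write(root, "SysWOW64/evil.sys", b"constructed driver")
        os.remove(os.path.join(root, "SysWOW64", "ntdll.dll"))
        report = check_against_baseline(root, baseline)
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"WARNING- {kind}: {p}")
    print("SHA-256 hex digest lengths seen:", digest_lengths())
```

The baseline itself must be stored where the monitored host cannot silently rewrite it (offline or on a separate system), since a rootkit with kernel access can alter the baseline as easily as the files it covers.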

D. Enable an SSL certificate for IMAP services - Correct Answer

Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transposed. Which of the following BEST describes the attack vector used to infect the devices?
A. Cross-site scripting
B. DNS poisoning
C. Typo squatting - Correct Answer
D. URL hijacking

Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while traveling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use?
A. RADIUS
B. TACACS+ - Correct Answer
C. Diameter
D. Kerberos

The availability of a system has been labeled as the highest priority. Which of the following should be focused on the MOST to ensure the objective?
A. Authentication
B. HVAC - Correct Answer
C. Full-disk encryption
D. File integrity checking

As part of the SDLC, a third party is hired to perform a penetration test. The third party will have access to the source code, integration tests, and network diagrams. Which of the following BEST describes the assessment being performed?
A. Black box
B. Regression
C. White box - Correct Answer
D. Fuzzing

A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed?
A. Removing the hard drive from its enclosure
B. Using software to repeatedly rewrite over the disk space
C. Using Blowfish encryption on the hard drives
D. Using magnetic fields to erase the data - Correct Answer

Which of the following are methods to implement HA in a web application server environment? (Select two)
A. Load balancers - Correct Answer
B. Application layer firewalls - Correct Answer
C. Reverse proxies
D. VPN concentrators
E. Routers