06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics - Expert Verified, Online, Free.
https://www.examtopics.com/exams/comptia/sy0-601/view/

Topic 1 - Single Topic

Topic 1, Question #1
A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?
A. On-path
B. Domain hijacking
C. DNS poisoning
D. Evil twin
Correct Answer: B
Community vote distribution: C (55%), B (31%), 10%

comeragh (Highly Voted), 1 year, 4 months ago
Selected Answer: C
I would go with C/DNS poisoning here.
upvoted 24 times

SolventCourseisSCAM (Highly Voted), 1 year, 2 months ago
C is the correct answer. By the way, there is a course in North Carolina and they are receiving $4000 in advance and showing you 6-hour prerecorded videos every Saturday. There is no human intervention and no update over time. They are lying and giving you fake promises before signing up to the course, and then there is no contact after you become a member. Be careful because they are completely SCAMMERS.
upvoted 20 times

Ninja12345 (Most Recent), 1 day, 8 hours ago
Selected Answer: C
This instance is considered DNS poisoning.
upvoted 1 times

cybertechb, 2 days, 1 hour ago
Hey guys, I passed the exam today, 01/03/2024. This helped tremendously with my study session. Continue with this site; however, do not take every answer given as the correct answer. Pay close attention to the discussion points and do some fact checking and cross-referencing. All in all, this site definitely aided me in passing the exam. I'm stoked.
Good luck everyone and many blessings.
upvoted 2 times

ibn_e_nazir, 1 week, 4 days ago
THIS IS WHAT WIKIPEDIA SAYS ABOUT DOMAIN HIJACKING: Domain hijacking can be done in several ways, generally by unauthorized access to, or exploiting a vulnerability in the domain name registrar's system, through social engineering, or getting into the domain owner's email account that is associated with the domain name registration.[4]
https://en.wikipedia.org/wiki/Domain_hijacking#:~:text=Domain%20hijacking%20can%20be%20done,with%20the%20domain%20name%20registration.
ANOTHER REFERENCE FROM AN OLD GOOGLE SEARCH SAYS THIS: Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner or by abuse of privileges on domain hosting and domain registrar systems.
upvoted 1 times

vviplifeee, 2 weeks, 1 day ago
I would go with C. Also, just passed the exam. It had 90% of these questions. Make sure you do them all at least 3 times. Memorize activity questions. You will be good. I wish I knew about this website sooner. Pay most attention to hard questions with 2 answers, and questions "choose two options". Good luck!
https://medium.com/@boscowjohn128/top-original-comptia-sy0-701-exam-questions-authentic-comptia-dumps-top-tips-2024-4cb3757cdddc
upvoted 2 times

cyberPunk28, 3 weeks ago
Selected Answer: C
C. DNS poisoning
upvoted 1 times

Andy_QH, 3 weeks, 2 days ago
Selected Answer: C
C is correct. B, Domain Hijacking, typically changes the registration of the webpage through technical or other means.
upvoted 1 times

kitkat007, 1 month ago
I would go with C. Also, just passed the exam. It had 90% of these questions. Make sure you do them all at least 3 times. Memorize activity questions. You will be good. I wish I knew about this website sooner.
Pay most attention to hard questions with 2 answers, and questions "choose two options". Good luck!
upvoted 5 times

thea_smith, 1 month, 1 week ago
Get in touch at thea.smith20@outlook.com to get full questions.
upvoted 1 times

dizzydwarf, 1 month, 1 week ago
Selected Answer: C
The answer is DNS Poisoning because DNS hijacking would allow the attacker to change the certificate settings and bypass certificate warnings; DNS Poisoning simply changes which IP address a domain name is resolved to, but the certificate is still going to be incorrect. They don't get the warning when using HTTP because certificates are only used in HTTPS, or they might have only poisoned the first URL.
upvoted 1 times

adamer91, 1 month, 3 weeks ago
Selected Answer: A
A. On-path. In an on-path attack, the attacker intercepts communication between two parties and can manipulate the data being exchanged. The certificate mismatch warning suggests that the user's communication is being intercepted, and the attacker might be presenting a different certificate, leading to the warning.
upvoted 2 times

cloudenthusiast, 1 month, 3 weeks ago
Selected Answer: C
DNS poisoning is a type of cyber attack in which an attacker corrupts the DNS cache of a domain name server with fake information.
upvoted 1 times

ProdamGarazh, 1 month, 3 weeks ago
Selected Answer: B
I'd say B because all current browsers warn the user if the certificate is not publicly trusted, if the name doesn't match, or in case of any other problems. DNS hijacking without the ability to present a valid certificate would have been noticed by users and administrators, and action could've been taken soon after the DNS hijack.
upvoted 1 times

sujon_london, 1 month, 3 weeks ago
Guys, as a matter of broader community support and feedback towards other cybersecurity students or practitioners who are preparing for this Sec+ exam:
I would like to say that this portal is very helpful. I would not say a big percentage came up in my exam, but I would sensibly say it is a very crucial portal. Get this round; hope success will come. I just passed today with 769. Thanks to ExamTopics for creating and portraying such a helpful portal. Exceptional!
upvoted 2 times

5StarNinja, 1 month, 3 weeks ago
C. DNS Poisoning. Attacker alters the domain-name-to-IP-address mappings in a DNS system. May redirect traffic to a rogue system OR perform denial-of-service against a system. "Denial of service" is the site that can't be visited.
upvoted 1 times

AceVander, 2 months ago
C. DNS hijacking. When the user visits "https://www.site.com" they get a certificate mismatch error, but they do not get this error visiting "http://anothersite.com". Even though "http" is unencrypted traffic, it was previously stated that the user was "inside the company network", suggesting the company encrypts all "internal traffic", because the browser's response on the "internal network" was a certificate mismatch error. Certificates are stored internally. If the DNS was poisoned, the user would receive a certificate mismatch error for all internal traffic, or for both of the websites they tried to visit. Since the "certificate mismatch error" occurs specifically for https://www.site.com and not http://www.anothersite.com, I would have to assume Domain Hijacking: changes to the domain registration, settings, or configurations.
upvoted 1 times

Topic 1, Question #2
Which of the following tools is effective in preventing a user from accessing unauthorized removable media?
A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock
Correct Answer: A
Community vote distribution: A (100%)

stoneface (Highly Voted), 1 year, 4 months ago
Selected Answer: A
USB data blocker -> A USB data blocker, also known as a “USB condom” (really, no kidding!), is a device that allows you to plug into USB charging ports, including charging kiosks and USB ports on gadgets owned by other people. The main purpose of using one is to eliminate the risk of infecting your phone or tablet with malware, and even to prevent hackers from installing/executing any malicious code to access your data.
upvoted 17 times

    i_luv_stoneface, 10 months, 3 weeks ago
    do you wear condom
    upvoted 7 times

comeragh (Highly Voted), 1 year, 4 months ago
Selected Answer: A
A is the only reasonable answer here, I believe.
upvoted 10 times

vviplifeee (Most Recent), 2 weeks, 1 day ago
I would go with A. Also, just passed the exam. It had 90% of these questions. Make sure you do them all at least 3 times. Memorize activity questions. You will be good. I wish I knew about this website sooner. Pay most attention to hard questions with 2 answers, and questions "choose two options". Good luck!
https://medium.com/@boscowjohn128/top-original-comptia-sy0-701-exam-questions-authentic-comptia-dumps-top-tips-2024-4cb3757cdddc
upvoted 3 times

Talavjs, 2 weeks, 2 days ago
I took my test today and passed with a 762. I bought the bundle and reviewed thoroughly about 500 of them. Honestly, this site covers about 60% of the exam. For the labs, jump over to a different site called surepassexam.com; it had every single lab on my test, which was 4 PBQs. It's a grind, guys; there was about 40% of the exam where I had to use what knowledge I had to figure the question out. GOOD LUCK, YOU GOT THIS.
upvoted 1 times

cyberPunk28, 3 weeks ago
Selected Answer: A
A. USB data blocker
upvoted 1 times

lsalc, 3 weeks, 4 days ago
I answered USB data blockers on the test.
upvoted 1 times

Bianca6924, 2 months ago
Selected Answer: A
The USB data blocker will stop someone from being able to read the data on the device through the USB port. It is a device that is plugged in.
upvoted 1 times

ebukiba, 4 months, 2 weeks ago
A is correct.
upvoted 2 times

D111111, 4 months, 3 weeks ago
Guys, I must say, if you browse all 600 questions that are attached to this site and listen to the community dialogue, you'll pass easily. With no base I went in four days from clueless to passing; just follow the discussions and you'll do fine.
upvoted 9 times

sarah2023, 4 months, 3 weeks ago
A USB data blocker
upvoted 1 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
ChatGPT answer as of 7/22/2023: The tool that is effective in preventing a user from accessing unauthorized removable media is: A. USB data blocker. A USB data blocker, also known as a USB data isolator or USB condom, is a hardware device that blocks data transfer between a USB port and a USB device while still allowing power to flow through. It is commonly used to protect against potential threats from public charging stations or untrusted USB ports, where unauthorized data transfer or malware infection could occur. By using a USB data blocker, users can charge their devices safely without risking data theft or unauthorized access to their removable media. The other options listed (B. Faraday cage, C. Proximity reader, D. Cable lock) are not specifically designed to prevent access to unauthorized removable media. So, the correct answer is A. USB data blocker.
upvoted 1 times

Faisel, 5 months, 3 weeks ago
Selected Answer: A
A for sure
upvoted 1 times

reverse01, 6 months, 2 weeks ago
USB Blocker. The answer is A.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 3 weeks ago
Selected Answer: A
The most effective tool among the options listed for preventing a user from accessing unauthorized removable media is a USB data blocker. A USB data blocker, also known as a USB condom or USB defender, is a small device that blocks data transfer while allowing charging capabilities. It achieves this by disabling the data pins in a USB connection, preventing any data exchange between the device and the computer. This prevents the risk of malware infection or unauthorized data transfer when connecting to unknown or potentially compromised USB devices.
upvoted 1 times

CyberMrT, 8 months, 2 weeks ago
Selected Answer: A
A is correct
upvoted 1 times

mosher21, 8 months, 3 weeks ago
Selected Answer: A
The question wording makes no sense at all, but considering the options it can only be A.
upvoted 2 times

leobro, 8 months, 3 weeks ago
Selected Answer: A
I go with A
upvoted 1 times

Topic 1, Question #3
A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming
Correct Answer: C
Community vote distribution: A (94%), 6%

ender1701 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
I'm not sure who the "expert verifier" is for some of these answers, but there are multiple questions that have the wrong answer selected, such as this question being labeled as answer "C", when the real answer is "A".
A snapshot doesn't do anything listed in the question; it's just a snap of the state of a server at a specific time, used to restore from backup. I advise all participants on this site to check your answers.
upvoted 43 times

    ronah, 1 year, 2 months ago
    Here is the thing about this website: CompTIA allows these sites as long as they don't give the right answer. This is the only place where people make a comment or argue their answer. AND it does help you to also search for the right answer. Where on earth do you get questions like these?
    upvoted 41 times

    shmoeee, 2 months, 2 weeks ago
    I've learned that since CompTIA doesn't share the answers after an exam, there are many sources available with various answers. I suggest anyone taking the test read discussions on answers, do research, then take the most educated guess for some of these questions. This one is obviously not snapshots, though.
    upvoted 2 times

    BholroBadsha, 3 months, 2 weeks ago
    Thanks man, I was upset about most of my answers being wrong; even the questions are very odd.
    upvoted 2 times

Ribeiro19 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
It's the way to distribute load across different servers; at the same time you can remove from the cluster each server that you want to update.
upvoted 20 times

    Papee, 1 year, 2 months ago
    Why is this not NIC Teaming? Anybody with a better explanation?
    upvoted 2 times

    8c55165, 4 days, 8 hours ago
    The key word is "Back-end servers". That's what Reverse Proxies are used for. :)
    upvoted 1 times

    Mercious, 11 months, 3 weeks ago
    They're looking for ways to provide increased scalability and flexibility for back-end infrastructure, not availability or fault tolerance. NIC Teaming does not provide increased scalability and flexibility.
    upvoted 7 times

    nerdboy1992, 1 year ago
    NIC Teaming combines the throughput of 2 or more network adapters to provide a higher speed than a single connection.
    This would help with increasing the speed, but the requirements between the CSO and the architect were: increase scalability, increase flexibility, be allowed to make changes without service disruption, reduce back-end server resources, and session persistence being insignificant for the back-end applications. Since increased speed is not a requirement, NIC Teaming would NOT be the correct answer.
    upvoted 10 times

    Joe1984, 1 year, 4 months ago
    Agreed, answer is A
    upvoted 5 times

vviplifeee (Most Recent), 2 weeks, 1 day ago
I would go with A. Also, just passed the exam. It had 90% of these questions. Make sure you do them all at least 3 times. Memorize activity questions. You will be good. I wish I knew about this website sooner. Pay most attention to hard questions with 2 answers, and questions "choose two options". Good luck!
https://medium.com/@boscowjohn128/top-original-comptia-sy0-701-exam-questions-authentic-comptia-dumps-top-tips-2024-4cb3757cdddc
upvoted 3 times

lsalc, 3 weeks, 4 days ago
I answered A on the test.
upvoted 1 times

Qinin, 4 months ago
Selected Answer: A
Answer: A
upvoted 1 times

david124, 4 months, 1 week ago
Selected Answer: A
Based on the requirements provided, a Reverse Proxy would be the best choice to meet the objectives of both the Chief Security Officer and the security architect. Here's a breakdown of why each option may or may not suit your needs:
A. Reverse Proxy:
- Increased Scalability: Reverse proxies can distribute incoming requests to various back-end servers, improving scalability and ensuring high availability.
- Flexibility for Updates: Since the reverse proxy handles client requests, back-end servers can be taken down for maintenance or updates without causing service disruption.
- Reduced Server Resources: By caching content and offloading SSL termination, reverse proxies can reduce the load on back-end servers.
- Session Persistence Not Important: A reverse proxy can operate without needing to maintain session persistence, aligning with your requirement.
upvoted 8 times

ebukiba, 4 months, 2 weeks ago
A is correct
upvoted 1 times

CharlieHope1Pass, 4 months, 4 weeks ago
A is defo the answer! I have no clue how a snap is going to do anything!
upvoted 1 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
A reverse proxy acts as an intermediary server between clients and back-end servers. It receives requests from clients, forwards those requests to the appropriate back-end servers, and then sends the responses back to the clients. Reverse proxies are often used for load balancing, security, and improving performance.
1. Increased scalability and flexibility: Reverse proxies can distribute client requests across multiple back-end servers, providing increased scalability. They also allow for easier modification and updating of the back-end infrastructure without disrupting services, as changes can be made to the back-end servers without affecting the clients directly.
2. Reduced back-end server resources: By distributing client requests across multiple back-end servers, a reverse proxy can balance the load, reducing the burden on individual back-end servers and optimizing resource utilization.
3. Session persistence not important: In some scenarios, session persistence is critical to maintain user state across requests. However, in this case, session persistence is explicitly stated as not important. This means the reverse proxy doesn't need to manage sticky sessions, further simplifying the setup.
upvoted 8 times

david124, 6 months ago
A reverse proxy would be the best solution for increased scalability and flexibility for back-end infrastructure. Explanation: Correct option, because a reverse proxy can give enhanced scalability and flexibility for back-end infrastructure.
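The commenters above describe the reverse-proxy property the question is after: back-end servers can be drained and patched one at a time while the proxy keeps routing client requests to whichever servers remain in service, and, because session persistence is not required, no client has to be pinned to a particular server. The following Python model, added here as an editor's example (it is not code from the ExamTopics page or any commenter, and the names BackendPool, drain, restore, pick and simulate_rolling_update are this example's own, not the API of any real proxy), simulates that rolling update and checks that no request fails and no drained server receives traffic:

```python
"""Round-robin back-end pool behind a reverse proxy (added example).

Models how a reverse proxy keeps serving clients while individual back-end
servers are drained for updates, and why this is simple when the applications
do not need session persistence. All names here are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    in_service: bool = True   # False while drained for maintenance
    served: int = 0           # requests routed to this server


class BackendPool:
    """Stateless round-robin: no client is pinned to a server, so any
    in-service back-end may take the next request (no session affinity)."""

    def __init__(self, names):
        self.backends = [Backend(n) for n in names]
        self._cursor = 0

    def _find(self, name):
        for b in self.backends:
            if b.name == name:
                return b
        raise KeyError(name)

    def drain(self, name):
        """Stop routing new requests to this back-end so it can be patched."""
        self._find(name).in_service = False

    def restore(self, name):
        """Return a patched back-end to the rotation."""
        self._find(name).in_service = True

    def served_by(self, name):
        return self._find(name).served

    def pick(self):
        """Choose the next in-service back-end; None means a total outage."""
        active = [b for b in self.backends if b.in_service]
        if not active:
            return None
        chosen = active[self._cursor % len(active)]
        self._cursor += 1
        chosen.served += 1
        return chosen


def simulate_rolling_update(names, requests_per_phase=6):
    """Drain each back-end in turn while client requests keep arriving.

    Returns the number of requests that could not be served (0 as long as at
    least one back-end stays up), the per-server request counts, and whether
    any drained server received traffic during its maintenance window."""
    pool = BackendPool(names)
    failed = 0
    leaked_to_drained = False
    for name in names:
        pool.drain(name)
        before = pool.served_by(name)
        for _ in range(requests_per_phase):
            if pool.pick() is None:
                failed += 1
        leaked_to_drained |= pool.served_by(name) != before
        pool.restore(name)
    return {
        "failed": failed,
        "leaked_to_drained": leaked_to_drained,
        "served": {b.name: b.served for b in pool.backends},
    }


if __name__ == "__main__":
    print(simulate_rolling_update(["app1", "app2", "app3"]))
    print(simulate_rolling_update(["solo"]))  # one server: draining it is an outage
```

With three back-ends every request is served and the load ends up evenly spread; with a single back-end the same procedure fails every request during the drain, which is why the question's "without disruption" requirement presumes more than one server behind the proxy.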
upvoted 1 times

reverse01, 6 months, 2 weeks ago
I would go with C, snapshots, which can provide increased scalability and flexibility for back-end infrastructure while reducing back-end server resources. By taking snapshots of the server's state, you can capture a point-in-time image of the server configuration, which can be easily restored if any modifications or updates cause disruptions. Snapshots can also be used for rapid deployment of new server instances, as well as for testing and development purposes. They allow you to quickly spin up new instances based on the captured snapshot, reducing the time and resources required for provisioning new servers.
upvoted 1 times

    Kraken84, 5 months ago
    uh, no
    upvoted 1 times

ApplebeesWaiter1122, 6 months, 3 weeks ago
Selected Answer: A
A reverse proxy would be the best solution to meet the requirements described. A reverse proxy sits between the clients and the back-end servers, handling client requests on behalf of the servers. It provides increased scalability and flexibility by allowing the back-end infrastructure to be updated and modified without disruption to services. The reverse proxy can distribute client requests across multiple back-end servers, reducing the resource load on individual servers. Since session persistence is not important for the applications running on the back-end servers, the reverse proxy can handle the requests in a load-balanced manner without the need for session affinity. This allows for better resource utilization and flexibility in managing the back-end infrastructure.
upvoted 3 times

Gaurabdon, 7 months, 2 weeks ago
Selected Answer: A
The answer is without a doubt A. That is what a reverse proxy is for. It takes the burdens off the back end by load balancing and SSL termination off the client devices.
upvoted 2 times

BevMe, 9 months ago
Selected Answer: A
In this context, scalability refers to the ability of a system to handle increasing levels of traffic or workload. Flexibility, on the other hand, refers to the ability of a system to adapt to changing requirements or circumstances with minimal disruption to services. By using a reverse proxy, the back-end servers can be updated or modified without disrupting services, as the proxy can redirect requests to different servers as needed.
upvoted 2 times

Hiattech, 9 months, 1 week ago
Selected Answer: A
Snapshots make no sense as the answer. They are literally only there to restore data if need be. This doesn't help as the solution for this in the least.
upvoted 3 times

princajen, 10 months ago
Selected Answer: A
A. Reverse proxy. A reverse proxy is a type of server that sits in front of back-end servers and directs client requests to those servers. It can provide increased scalability and flexibility for back-end infrastructure by allowing the back-end servers to be updated and modified without disrupting services. A reverse proxy can also reduce the back-end server resources by caching frequently requested content and serving it from the cache instead of the back-end servers.
upvoted 6 times

attesco, 10 months ago
Selected Answer: C
I strongly believe the right answer is C, because the snapshot takes the configuration of the server and compares it with the other back-end servers to ensure that there are no mistakes.
upvoted 1 times

Topic 1, Question #4
Which of the following describes a social engineering technique that seeks to exploit a person's sense of urgency?
A. A phishing email stating a cash settlement has been awarded but will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime
Correct Answer: C
Community vote distribution: A (94%), 6%

Joe1984 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
Answer is A
upvoted 32 times

derfnick (Highly Voted), 1 year, 4 months ago
Selected Answer: A
Because of the part "will expire soon".
upvoted 19 times

Ninja12345 (Most Recent), 1 day, 8 hours ago
Selected Answer: A
A is the answer
upvoted 1 times

8c55165, 4 days, 8 hours ago
I am convinced the answers are intentionally picked wrong because it is definitely not C lol. DYOR! ChatGPT will absolutely help with this.
upvoted 1 times

sammy001, 2 weeks ago
A is the answer
upvoted 1 times

vviplifeee, 2 weeks, 1 day ago
I would go with A. Also, just passed the exam. It had 90% of these questions. Make sure you do them all at least 3 times. Memorize activity questions. You will be good. I wish I knew about this website sooner. Pay most attention to hard questions with 2 answers, and questions "choose two options". Good luck!
https://medium.com/@boscowjohn128/top-original-comptia-sy0-701-exam-questions-authentic-comptia-dumps-top-tips-2024-4cb3757cdddc
upvoted 2 times

thea_smith, 1 month, 1 week ago
Anyone need full questions? Contact me: thea.smith20@outlook.com
upvoted 1 times

DirtyDann, 1 month, 4 weeks ago
Selected Answer: A
A. The answer defines urgency, stating "expires soon".
upvoted 1 times

5eba813, 2 months, 1 week ago
Selected Answer: A
Answer A; urgency is mentioned in the question.
upvoted 1 times

TheWizardKing, 2 months, 2 weeks ago
Why would C even be in the running? I'd say if there was another answer, "I need to pick up my package soon", but it's not logical to this question. A falls into the urgent.
upvoted 1 times

Trunim, 2 months, 3 weeks ago
There's absolutely no urgency in donating to charity.
Answer is A, hands down, no argument.
upvoted 1 times

Thurams, 2 months, 3 weeks ago
A. A phishing email stating a cash settlement has been awarded but will expire soon. This option describes a social engineering technique known as the "sense of urgency" tactic. It involves creating a situation that makes the victim feel a strong sense of urgency or time pressure, often accompanied by a threat or promise of a reward. In this case, the phishing email claims that a cash settlement has been awarded but will expire soon, creating a sense of urgency to act quickly. This is a common tactic used by cybercriminals to manipulate individuals into taking actions they might not otherwise take.
upvoted 1 times

AriesAE, 3 months, 1 week ago
Why would the answer be C? Is it the implications of a video call?
upvoted 1 times

LO353, 3 months, 2 weeks ago
A is the answer
upvoted 2 times

Buddada, 3 months, 3 weeks ago
Selected Answer: A
A is a better example of urgency.
upvoted 1 times

Qinin, 4 months ago
Selected Answer: A
Answer is A
upvoted 1 times

malibi, 4 months, 1 week ago
Selected Answer: A
Because of the words "expiring soon".
upvoted 1 times

Topic 1, Question #5
A security analyst is reviewing application logs to determine the source of a breach and locates the following log:
https://www.comptia.com/login.php?id='%20or%20'1'1='1
Which of the following has been observed?
A. DLL Injection
B. API attack
C. SQLi
D. XSS
Correct Answer: C
Community vote distribution: C (100%)

Joe1984 (Highly Voted), 1 year, 4 months ago
Selected Answer: C
1=1 is true. SQL injection.
upvoted 18 times

Proctored_Expert (Highly Voted), 1 year ago
Selected Answer: C
SQLi (SQL injection) has been observed.
SQL injection is a type of cyber attack that involves injecting malicious code into a database through a vulnerable web application. The malicious code is typically designed to manipulate or extract data from the database, allowing the attacker to gain unauthorized access to sensitive information. The log provided in the question appears to be a URL for a login page, with a string of text appended to the end. This string includes the text "or '1'1='1", which is a common syntax used in SQL injection attacks. This indicates that an SQL injection attack may have been attempted or successfully carried out against the website.
upvoted 16 times

DirtyDann (Most Recent), 1 month, 4 weeks ago
Selected Answer: C
C. SQL injection all day.
upvoted 1 times

FK_AY, 2 months ago
C: SQLi
upvoted 1 times

AriesAE, 3 months, 1 week ago
So how do you quickly identify this?
upvoted 2 times

ebukiba, 4 months, 2 weeks ago
C is correct
upvoted 1 times

darkhat, 5 months, 2 weeks ago
SQL Injection is a type of cybersecurity attack where an attacker injects malicious SQL code into a web application's input fields to manipulate the application's database. In this case, the URL parameter "id" is being manipulated with the input "' or '1'1='1".
upvoted 1 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: C
The observed log indicates a potential SQL injection (SQLi) attack. SQL injection is a type of cyberattack where an attacker manipulates the input of a web application to execute malicious SQL queries. In the given log, the URL parameter "id" seems to be vulnerable to SQL injection as it includes the payload "' or '1'1='1". This payload is a classic technique used in SQL injection to make the application's query always evaluate to true, which can lead to unauthorized access or data leakage. Let's break down the payload: The single quote ' after "id=" might be used to terminate the intended query. The "or" keyword is then used to introduce a new condition.
"1'1='1" is a condition that always evaluates to true. In SQL, '1'='1' is always true. By appending this payload to the URL parameter "id", the attacker might be attempting to trick the application's database into returning data that it shouldn't, potentially bypassing authentication mechanisms or accessing sensitive information. Therefore, the correct answer is C. SQLi.
upvoted 1 times

reverse01, 6 months, 2 weeks ago
A big C. SQLi stands for SQL Injection. It is a type of web security vulnerability that occurs when an attacker is able to inject malicious SQL code into a web application's database query. This can happen when the application does not properly validate or sanitize user-supplied input before using it in SQL queries.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 3 weeks ago
Selected Answer: C
The provided log entry indicates a potential SQL injection (SQLi) attack. In SQLi attacks, an attacker injects malicious SQL code into an application's database query to manipulate or bypass the intended query logic. In this case, the presence of the "or '1'1='1" payload suggests an attempt to bypass authentication or authorization checks by injecting a condition that always evaluates to true. This type of attack can allow unauthorized access to sensitive data or perform unauthorized actions within the application's database.
upvoted 1 times

Hiattech, 9 months, 1 week ago
Selected Answer: C
SQL Injection Attack
upvoted 1 times

ApplebeesWaiter1122, 11 months ago
Selected Answer: C
Correct answer is C
upvoted 2 times

DALLASCOWBOYS, 11 months, 1 week ago
C. '1'1=1 is an indicator of an SQL injection.
upvoted 2 times

xxxdolorxxx, 11 months, 3 weeks ago
Selected Answer: C
I vote for C
upvoted 1 times

sauna28, 1 year ago
Selected Answer: C
1=1 is SQL INJECTION
upvoted 1 times

BillHealy, 1 year, 2 months ago
Selected Answer: C
SQL injection attempt
upvoted 1 times

DCrest, 1 year, 3 months ago
In an SQL injection attack, when a hacker enters " ' or 1 = 1 - - " in the user name and password field, why does this result in a successful login? 3 answers · 16 votes: The server interprets everything after the "—" as a comment, so ignores it.
upvoted 4 times

Topic 1, Question #6
An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements?
A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization
Correct Answer: A
Community vote distribution: C (55%), A (44%)

Boogie_79 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
Data anonymization is the alteration process of personally identifiable information (PII) in a dataset to protect individual identification. This way the data can be used and still be protected.
upvoted 33 times

    TinyTrexArmz, 11 months, 2 weeks ago
    I agree this is the right answer in this case because Data Masking would not allow them to search for specific data results. BUT as a protector of privacy you should be careful when implementing this solution, as it takes a certain amount of data to truly make it to where a data analyst cannot figure out individuals.
(Source: My partner is a data analyst and she has to approve the use of anonymized data before it can be used for testing such as this)
upvoted 4 times

ThreeKings 9 months ago
That makes sense to an extent, but the answer would be more helpful and complete if it could be known how the data analyst handles requests for data that is masked.
upvoted 2 times

Proctored_Expert Highly Voted 1 year ago
Selected Answer: C
Data masking would best satisfy both the CPO's and the development team's requirements. Data masking is a technique for obscuring sensitive data in a database or other data store, while still preserving the structure and format of the data. Data masking can be used to protect personally identifiable information (PII) or other sensitive data from being accessed or exposed in the development environment. In this case, the CPO is concerned about PII being utilized in the development environment, and is adamant that it must be removed. At the same time, the development team needs real data in order to perform functionality tests and search for specific data. Data masking would allow the CPO's requirement to be satisfied, while still providing the development team with real data to work with.
upvoted 27 times

scorpion_king149 4 months, 1 week ago
Data masking involves replacing sensitive data with fictional or scrambled data. While this could address the CPO's concerns, the development team's need for real data to perform functionality tests might not be met. Data anonymization strikes a balance between privacy and functionality, making it the most suitable option in this scenario.
upvoted 6 times

lockupmanjc 1 month, 1 week ago
I think it satisfies both. For instance, some of the customers' card number could be masked leaving only the last 4 digits.
upvoted 1 times

TheFivePips 2 months ago
I think you could also argue that any real data, even if it is anonymized, still left in the application, would be contrary to what the CPO is requesting and therefore would not be the most suitable. I don't think they would need actual customer data to perform their tests
upvoted 1 times

CS3000 4 months, 1 week ago
I'm going to piggyback off this comment to explain in more detail WHY data masking is truly the answer! Let's compare data masking vs data anonymization!
Data anonymization:
- Generalization of data (reducing the level of detail in the data)
- Aggregation (combining the data into groups to prevent identification [total sales per region])
- Randomization (adding noise to individual records to make them indistinguishable)
- Suppression (removing certain columns or data points that could lead to identification)
Data Masking:
- Substitution (replacing original data with fake but structurally similar [henry ford -> john doe])
- Shuffling (reordering the data in a column to break any connections between original values)
- Encryption & decryption
- Tokenization
Data masking is combining the ability to hide the data, anonymize it, encrypt & decrypt and also the ability to tokenize it! Open to discussion!
upvoted 3 times

Secure_Abhi Most Recent 3 days, 18 hours ago
C. Data masking
Data masking involves replacing sensitive information with realistic-looking but fictitious data. This method allows developers to perform functional tests and use specific data while ensuring that the actual PII is not exposed in the development environment. It protects sensitive information by transforming or obscuring it, thereby complying with the CPO's requirement to remove PII. Data anonymization, on the other hand, involves altering data in such a way that it cannot be linked back to an individual. While anonymization is helpful for various purposes, it might not retain the necessary realism or relationships needed for comprehensive functional testing.
upvoted 1 times

ImBleghk 6 days, 15 hours ago
In this scenario, the best solution to satisfy both the Chief Privacy Officer's (CPO) concerns about PII exposure and the development team's need for real data for testing is data masking. Data masking involves replacing, encrypting, or scrambling sensitive information in non-production environments while still maintaining the format and functional aspects of the data. So, the correct answer is: C. Data masking
upvoted 1 times

geocis 1 week, 1 day ago
Selected Answer: A
Data anonymization removes classified, personal, or sensitive information from datasets, while data masking obscures confidential data with altered values. Data anonymization will meet both requirements to satisfy both parties.
upvoted 1 times

AceVander 3 weeks ago
This question appears twice but in the second time it is asked, Data anonymization is not listed as a choice. There is another question that asks: Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the real data? ANSWER: Data Masking
upvoted 1 times

lsalc 3 weeks, 4 days ago
I answered A on the test
upvoted 1 times

thea_smith 1 month, 1 week ago
Get in touch at thea.smith20@outlook.com to get full questions
upvoted 1 times

Mercury07 1 month, 1 week ago
C. Data masking is the correct answer.
upvoted 1 times

Teleco0997 1 month, 2 weeks ago
Selected Answer: C
From the official study guide: "...fully anonymized data set is one where individual subjects can no longer be identified, even if the data set is combined with other data sources. Identifying information is permanently removed. Ensuring full anonymization and preserving the utility of data for analysis is usually very difficult, however. Consequently, pseudo-anonymization methods ARE TYPICALLY USED INSTEAD..." This means that for processing data (for analysis purposes) data is partially anonymized = data masking
upvoted 3 times

MortG7 1 month, 3 weeks ago
Comparing the two, data anonymization emphasizes irreversible privacy protection, while data masking focuses on secure data usage. Anonymization offers higher security against unauthorized access, while masking balances usability and security.
upvoted 1 times

adamer91 1 month, 3 weeks ago
Selected Answer: C
Masking. Anonymization involves removing personally identifiable information entirely. While it may satisfy the CPO's requirement, it might limit the development team's ability to perform realistic tests.
upvoted 3 times

rrrrovi 1 month, 4 weeks ago
C. Data masking: Data masking or data obfuscation is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel. Data masking can also be referred to as anonymization, or tokenization, depending on different context.
upvoted 2 times

FK_AY 2 months ago
Data masking
upvoted 1 times

kj0699 2 months ago
Data Masking, from a Pearson Vue practice test: Data masking desensitizes or removes sensitive or personal data, but the data is still usable. The data is substituted for false data that appears real. This is commonly required for application development, particularly where realistic test data is required. Like tokenization, data masking can preserve format and referential integrity.
upvoted 1 times

TheFivePips 2 months ago
Selected Answer: C
Even if the data is anonymized, it still seems contrary to what the CPO is requesting, and I see no reason they couldn't do their tests on fake data
upvoted 1 times

fran25 2 months ago
Data anonymization removes classified, personal, or sensitive information from datasets, while data masking obscures confidential data with altered values.
upvoted 1 times

Topic 1 Question #7
A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?
A. Classify the data.
B. Mask the data.
C. Assign the application owner.
D. Perform a risk analysis.
Correct Answer: A
Community vote distribution: A (100%)

stoneface Highly Voted 1 year, 4 months ago
Data classification and typing schemas tag data assets so that they can be managed through the information life cycle. A data classification schema is a decision tree for applying one or more tags or labels to each data asset. Many data classification schemas are based on the degree of confidentiality required:
Public (unclassified)—there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.
Confidential (secret)—the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.
Critical (top secret)—the information is too valuable to allow any risk of its capture. Viewing is severely restricted.
upvoted 14 times

Ribeiro19 Highly Voted 1 year, 4 months ago
Selected Answer: A
Classify the data. This permits the DLP to distinguish the types of data, with the intent to apply different rules depending on the classification.
upvoted 9 times

DirtyDann Most Recent 1 month, 4 weeks ago
Selected Answer: A
A. Classify that ish
upvoted 2 times

FK_AY 2 months ago
Classify the data
upvoted 1 times

HackBishop 4 months, 1 week ago
You first perform a risk analysis before classifying data
upvoted 1 times

tannuc 5 months ago
Selected Answer: A
A. Classify the Data: By classifying the data, the different DLP rules can be applied.
B. Mask the data: Masking the data involves obscuring specific data (like password, or credit card number) *****1235 or ******
C. Assign the application owner: not related to DLP, just puts someone in charge of this application
D. Perform a risk analysis: Of course, not related to DLP.
upvoted 1 times

darkhat 5 months, 2 weeks ago
Data classification is the process of categorizing data based on its sensitivity, value, and regulatory requirements. By classifying the data on the file server, the company can identify and label different types of data such as PII, financial information, and health information. Each category can then be associated with specific DLP rules that are appropriate for the sensitivity and requirements of that type of data. For example, the company can create DLP rules that trigger alerts or prevent certain actions (such as copying or emailing) when sensitive data, like PII or health information, is detected being accessed or transmitted outside of authorized channels. Different rules can be applied to financial data based on its specific requirements.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Classifying the data involves categorizing and labeling the data based on its sensitivity and criticality. By classifying the data, the company can identify which files contain PII (Personally Identifiable Information), financial information, health information, or other sensitive data. Each category of data can then be assigned different Data Loss Prevention (DLP) rules and security controls based on its classification. For example, files containing PII might have stricter DLP rules to prevent unauthorized access or data leakage, while files with less sensitive information may have less stringent restrictions. This approach allows the company to tailor the DLP policies according to the data's specific requirements and compliance needs.
upvoted 1 times

reverse01 6 months, 2 weeks ago
Data Classification. A
upvoted 1 times

ApplebeesWaiter1122 6 months, 3 weeks ago
Selected Answer: A
To accomplish the goal of assigning different DLP rules based on the type of data hosted on the file server, the company should classify the data. Data classification involves categorizing and labeling data based on its sensitivity, importance, and regulatory requirements. By classifying the data, the company can assign specific DLP rules and policies to each classification category. By classifying the data, the company can effectively differentiate between PII, financial information, and health information stored on the file server. This allows for the implementation of tailored DLP rules and policies that are appropriate for each type of data. For example, stricter DLP rules might be applied to PII compared to less sensitive financial information.
upvoted 1 times

princajen 10 months ago
Selected Answer: A
A. Classify the data.
Once the data has been classified, the company can apply different DLP rules to different categories of data, based on the sensitivity and importance of the data. For example, files containing PII might require stricter controls, while financial information might be subject to different types of restrictions.
upvoted 1 times

thisguyfucks 11 months ago
It's going to be A - Data classification is the process an organization follows to develop an understanding of its information assets, assign a value to those assets, and determine the effort and cost required to properly secure the most critical of those information assets.
upvoted 1 times

sauna28 1 year ago
Selected Answer: A
Classifying data is step no. 1 before you proceed to the next step
upvoted 1 times

[Removed] 1 year, 1 month ago
Selected Answer: A
Yep, fully agree with A. The other options make no sense
upvoted 1 times

Topic 1 Question #8
A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?
A. SQL injection
B. Broken authentication
C. XSS
D. XSRF
Correct Answer: B
Community vote distribution: D (92%), other 7%

dylansmith064 Highly Voted 1 year, 8 months ago
CSRF or XSRF redirects you to something you didn't intend to go to when clicking a link
upvoted 53 times

fboy 1 year, 7 months ago
thank you!
upvoted 5 times

tannuc Highly Voted 5 months ago
Selected Answer: D
XSRF or CSRF is the correct one, let me tell you why?
-> Using the Process of Elimination, we eliminate A and B; there is nothing to deal with SQL injection and Broken Authentication in this case.
-> Only C (XSS) and D (XSRF). Remember about XSS: Cross-site scripting occurs when attackers try to inject JavaScript into the client's website. But D (XSRF), Cross-site request forgery, will inject the POST request to change email, address of shipping, or transfer funds.
-> Pick D because the <a> link includes: routing=00001111&acct=22223334&amount=250
upvoted 14 times

Ninja12345 Most Recent 1 day, 2 hours ago
Selected Answer: D
XSRF is the correct answer. There are so many questions with wrong answers, I want my money back!
upvoted 1 times

ImBleghk 6 days, 15 hours ago
Selected Answer: C
Based on the provided information, the forensics investigator will likely determine that a Cross-Site Scripting (XSS) attack has occurred. In an XSS attack, an attacker injects malicious scripts into web pages that are viewed by other users. In this case, the link provided for unsubscribing contains HTML code (<a> tag), suggesting that the injected script could have been executed when users clicked on the link. The presence of a clickable link and the fact that users reported receiving unwanted emails and clicking on the link to unsubscribe are typical indicators of an XSS attack. Therefore, the most likely scenario is: C. XSS (Cross-Site Scripting)
upvoted 1 times

Enzoxx 2 weeks, 3 days ago
Selected Answer: D
In addition to writing the reason for the answer, I advise everyone to indicate a link to the official source of the information, so we are all certain of the correct answer. In this question the answer is D. The link is: https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
upvoted 2 times

Comicbookman 1 month, 2 weeks ago
Conversely, XSS is "two-way", in that the attacker's injected script can issue arbitrary requests, read the responses, and exfiltrate data to an external domain of the attacker's choosing.
upvoted 1 times

Comicbookman 1 month, 2 weeks ago
The fact that the link was embedded in an email suggests that the attacker was trying to trick users into clicking on it (a social engineering tactic often used in phishing attacks). Based on this behavior, it's likely that the unauthorized payments reported on the company's website were the result of a successful XSS attack, and the forensics investigator would focus on gathering evidence to support this conclusion.
upvoted 1 times

MortG7 2 months, 1 week ago
What is CSRF? Also known as session riding or the one-click attack, a Cross-site request forgery (CSRF) is a web application cyberattack that tricks victims into unknowingly performing actions on the attacker's behalf. CSRF attacks exploit a security flaw in web applications that cannot differentiate between a bad and legitimate request within an authenticated user session. Adversaries typically launch CSRF attacks using social engineering techniques to trick the victim user into loading a page or clicking a link containing a malicious request. The link sends a malicious request from the authenticated user's browser to the target website.
upvoted 4 times

Thurams 2 months, 3 weeks ago
C. XSS (Cross-Site Scripting)
The provided email link appears to be a classic example of a potential XSS attack. In this scenario, when a user clicks on the link to "unsubscribe," it may execute a malicious script that interacts with the company's website, specifically the "payto.do" page. The unusual log entries, including the email recipients clicking on the link, suggest that the website may be vulnerable to an XSS attack. Cross-Site Scripting involves injecting malicious code (scripts) into web applications, which are then executed by unsuspecting users. In this case, it's possible that the "unsubscribe" link contains a script that performs actions such as making unauthorized payments, as described in the scenario. The forensics investigator is likely to focus on XSS as the root cause of these unauthorized payments and investigate further to confirm this suspicion.
upvoted 3 times

233Matis 3 weeks ago
XSS is usually written in JavaScript. This is not written in any language here and especially not JavaScript.
upvoted 1 times

M43 3 months ago
C. XSS (Cross-Site Scripting)
The provided link <a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a> seems to be an attempt to trick users into clicking it to unsubscribe from a mailing list. However, it may be a part of a Cross-Site Scripting (XSS) attack where malicious code is injected into the website to execute unauthorized actions, steal user data, or perform other malicious activities. In this case, it could be used to steal sensitive information or perform unauthorized payments, which aligns with the unauthorized payments reported on the company's website.
upvoted 3 times

malibi 4 months, 1 week ago
Selected Answer: B
Not CSRF nor XSRF. Assuming the user is logged on to their banking website: if they click the link from this email, it is like session hijacking, but since the session is on, the link broke the authentication since it doesn't need to authenticate since the session is still active.
upvoted 1 times

malibi 4 months, 1 week ago
Broken authentication refers to any vulnerabilities involving the attackers impersonating the original users on applications. In other words, authentication is broken when attackers can assume user identities by compromising passwords, session tokens, user account information and other details.
upvoted 2 times

MyBJ 5 months, 1 week ago
The correct answer is B. The subject of the question is "...examining a number of unauthorized payments...". This simply points to broken authentication as the answer. XSRF got the users there but that was not the subject of the investigation, rather it was what caused the unauthorized payments.
upvoted 1 times

RevolutionaryAct 5 months ago
Nah, it's D https://brightsec.com/blog/csrf-example/ Broken authentication is not even a Security+ term
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
Cross-Site Request Forgery (XSRF) involves exploiting the trust that a website has in a user's browser by using the user's active session to invoke unauthorized actions on behalf of the victim. This is typically done by tricking the victim's browser into making unintended requests to a website, without the user's knowledge or consent. In the given example URL: https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250 If the website does not have proper security measures in place, an attacker could craft a malicious email with the link to this URL, and if a logged-in user clicks on the link while their session is active, the website may process the request as if the user intended it. As a result, the unauthorized payment of $250 could occur without the user's knowledge. Since the user reported the email to the phishing team, it suggests that the email was part of a malicious attempt to trick users into performing an unwanted action. Therefore, based on the details provided, the most likely occurrence is XSRF (Cross-Site Request Forgery).
upvoted 3 times

reverse01 6 months, 2 weeks ago
Definitely XSRF. D
upvoted 1 times

ApplebeesWaiter1122 6 months, 3 weeks ago
Selected Answer: D
In a CSRF attack, an attacker tricks a victim into unknowingly executing unwanted actions on a web application in which the victim is authenticated. The attacker typically achieves this by crafting a malicious link or script that makes use of the victim's authenticated session. In the given scenario, the email contains a link that appears to be for unsubscribing from a mailing list. However, when the user clicks on the link, it leads to a payment-related action on the company's website. This indicates that the user's authenticated session was exploited to perform unauthorized payments. Therefore, the most likely determination by the forensics investigator would be that a Cross-Site Request Forgery (CSRF or XSRF) attack has occurred, where the attacker manipulated the victim into unknowingly initiating the unauthorized payments through a crafted link.
upvoted 3 times

z3phyr 9 months, 1 week ago
Selected Answer: D
It's D. With XSRF/CSRF you force the user into performing an action they are already allowed to do. In this case you are tricking the user to click a link forcing them to transfer funds.
upvoted 2 times

SophyQueenCR82 9 months, 2 weeks ago
The forensics investigator will most likely determine that a Cross-Site Request Forgery (CSRF) attack has occurred. In this attack, the attacker tricks the victim into clicking on a link that will perform an unwanted action on a website the victim is authenticated to. The link in the email appears to be an attempt to unsubscribe from a mailing list but actually contains a hidden request to make an unauthorized payment on the company's website.
upvoted 3 times

GS1011 9 months, 4 weeks ago
D
"Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. As the unsuspecting user is authenticated by their application at the time of the attack, it's impossible to distinguish a legitimate request from a forged one."
This link: https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/ has more details.
upvoted 5 times

Topic 1 Question #9
A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
A. MFA
B. Lockout
C. Time-based logins
D. Password history
Correct Answer: A
Community vote distribution: D (52%), A (48%)

Ribeiro19 Highly Voted 1 year, 4 months ago
Selected Answer: A
A is the only one that obligates you to have more info than a password to log in to the system
upvoted 21 times

Papee 1 year, 2 months ago
Prevent users from using the exfiltrated account. MFA would better security, not prevent.
upvoted 9 times

Skymaster8182 2 months, 1 week ago
You can't "use" the account if you can't log into it without the 2nd part of authentication. The problem with this question that I really hate is it leads to 2 different answers because it says prevent use but yet also talks about "policy".
Password History won’t do anything to prevent stolen credentials unless the policy being implemented instantly forces everyone to change their password “right now” which password history normally just means you can’t reuse the same password again after you are forced to change it be it a 30 days or 60 days later. MFA may not be a policy but it insantly prevents the issue of stolen credentials being used to log in after MFA has been enabled. It’s a stupid catch 22 question because MFA would fix the stolen credentials problem instantly. The moment the thieves use the password, a prompt for a Token digit (or whatever the 2nd authentication is) will be requested. MFA would definitely prevent. upvoted 4 times STODDY69 Highly Voted 4 months, 3 weeks ago Selected Answer: D CompTIA Sec+ Objectives 3.7 Account policies: - Password complexity - Password history - Password reuse - Network location - Geofencing - Geotagging - Geolocation - Time-based logins - Access policies - Account permissions - Account audits - Impossible travel time/risky login - Lockout - Disablement 2FA is not an account policy, has to be D upvoted 18 times DrCo6991 Most Recent 1 week, 1 day ago Selected Answer: D The question asks which POLICY should be used. MFA is not a policy. However, password history is. Though, for the scenerio, MFA is a better solution to the potential exfiltration. I have to keep focused on the final question and not get tricked by all the information. Very tricky question. upvoted 2 times geocis 1 week, 1 day ago Selected Answer: D So, I can't retract my selected answer initially (A). After repeatedly reviewing the question...it's asking (Which of the POLICIES should the CISO use to prevent someone from using the exfiltrated credentials). MFA would make sense and would prevent anyone from using exfiltrated credentials, but MFA is not a policy. The answers provided show three policies out of the four, and (D) makes the most sense. So, I'm going with (D) Password history. 
https://www.examtopics.com/exams/comptia/sy0-601/view/ 21/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 1 times Trickster_ATK 1 week, 2 days ago Selected Answer: D The question is to prevent someone from using the exfiltrated credentials. MFA increases security but does not prevent the use of exfiltrated credentials. It's D. upvoted 1 times jakesmith45 2 weeks ago Selected Answer: A key phase " Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?" This reads to me as the CISo wants to prevent someone who stole the creds from logging in. Password history won't prevent this until the time is up to change the PW. MFA will prevent this. upvoted 1 times shaneo007 2 weeks, 1 day ago I think the answer would be A in this case. If the CISO received a report that suggests that the passwords could be exfiltratet because of the users using the same password. So in this case there is a potential for the passwords to be stolen. So to strengthen the system you would need to use MFA. And reason people use the same password it's easy to remember. upvoted 1 times DarkSonicHDD 2 weeks, 5 days ago Selected Answer: D D. Key words are "Choose the same credentials". You do not want your employees reusing previous passwords. upvoted 1 times jijuk 2 weeks, 5 days ago MFA is the best answer. Once password is lost, enforcing the policy would not be good for stolen passwords,MFA prevents login with stolen password upvoted 1 times geocis 3 weeks, 3 days ago Selected Answer: A The question reads, Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials? So, the passwords are already exfiltrated. Applying the password history policy after the fact won't stop you from using it. With that said, MFA would PREVENT anyone with an exfiltrated password from gaining unauthorized access to the system. 
upvoted 1 times g0dofnub 3 weeks, 4 days ago Selected Answer: A A is the right answer upvoted 2 times Mima08 3 weeks, 6 days ago Key point is exfiltratated credentials upvoted 1 times dizzydwarf 1 month ago ChatGPT's answer: By enforcing MFA, the CISO significantly strengthens the authentication process and mitigates the risk of unauthorized access using compromised credentials. It provides an additional layer of defense that goes beyond the reliance on passwords alone, addressing the specific challenge highlighted in the report about users choosing the same credentials across different systems. upvoted 3 times Dogeo 1 month ago Selected Answer: A The best policy to prevent someone from using the exfiltrated credentials would be A. MFA (Multi-Factor Authentication). MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. If one factor is compromised or broken, an attacker still has at least one more barrier to breach before successfully breaking into the target. Even if users tend to choose the same credentials on different systems and applications, MFA would require them to provide another piece of evidence, like a fingerprint or a temporary code sent to their phone, making it much harder for an attacker to gain access with just the stolen credentials. upvoted 1 times Jacksoms 1 month ago Selected Answer: D MFA would better security not prevent. 
So D upvoted 2 times Trunim 3 weeks, 5 days ago https://www.examtopics.com/exams/comptia/sy0-601/view/ 22/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics credentials were already ex-filtrated, deploying MFA would make the exfiltrated credentials of no use upvoted 1 times thea_smith 1 month, 1 week ago Get in touch at thea.smith20@outlook.com to get full questions upvoted 1 times Teleco0997 1 month, 2 weeks ago Selected Answer: D D is the only option that address what is being asked "PREVENT users from using exfiltrated passwords" upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 23/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #10 A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement? A. Subject alternative name B. Wildcard C. Self-signed D. Domain validation Correct Answer: B Community vote distribution B (93%) Ay_ma Highly Voted 6% 1 year, 4 months ago Selected Answer: B B- Wildcard SSL(Secure Sockets Layer) Certificate: Wildcard SSL certificates are for a single domain and all its subdomains. www.cloudfare.com upvoted 19 times Ha89 Highly Voted 3 months, 4 weeks ago Selected Answer: B This question was on the exam and it's B. I took the test last week and passed! About 60% of the questions on my test is on exam topics. 2 0f the 3 PBQs were from exam topics I focused on PBQs about 2 hours before my exam. I recommend you read each discussion and learn about the correct answer. I have zero experience in IT but thanks to exam topics(best $39 spent), Dion training, and professor Messer they helped me a lot in my transition into cyber security. a friendly recommendation to those with little to no experience like myself. 
Before starting your course of study, I suggest you memorize all the acronyms on the CompTIA Security+ objectives along with the 35 necessary ports (available on Dion training). Memorize them very well, even if it doesn't make sense. Once you start studying, they start to make sense and make your study and the actual exam a lot easier!
upvoted 10 times

Gb88, 2 months, 1 week ago
Sent you an email.
upvoted 1 times

TreeeSon, 3 months, 3 weeks ago
Anywhere I can reach you?
upvoted 2 times

Ha89, 3 months, 2 weeks ago
Sure thing. harez.indy@gmail.com
upvoted 2 times

hello2022, 3 months ago
Hi Ha89, did you go over all 700+ questions?
upvoted 2 times

thea_smith (Most Recent), 1 month, 1 week ago
Anyone need full questions? Contact me: thea.smith20@outlook.com
upvoted 2 times

marshhead, 1 month, 1 week ago
itexamslab.com I passed my exam.
upvoted 1 times

Aytaj19, 2 days, 14 hours ago
Hi. Can u send me the exam tests which you said about in this comment?
upvoted 1 times

Broflovski, 2 months, 3 weeks ago
Example:
SAN: dns:www.acc-companyname.com, dns:www.tst-companyname.com (specific subdomains)
Wildcard: dns:www.*-companyname.com (* = numerous subdomains)
upvoted 3 times

8c55165, 4 days, 7 hours ago
Great example, thank you!!
upvoted 1 times

fpvred, 3 months, 2 weeks ago
B - WILDCARD
upvoted 1 times

darkhat, 5 months, 2 weeks ago
Wildcard certificate is the best for a company with a single domain and multiple subdomains.
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: B
The company should implement: B. Wildcard certificate. A Wildcard certificate is the best option for the company with a single domain and several dozen subdomains. It simplifies the certificate management process by securing not only the main domain but also all its subdomains with a single certificate. Here's how a Wildcard certificate works:
1.
It is issued for a specific domain, such as "*.example.com," where the asterisk (*) is a wildcard character that covers all subdomains of "example.com."
2. With a single Wildcard certificate, the company can secure any number of subdomains (e.g., mail.example.com, shop.example.com, blog.example.com, etc.) without needing separate certificates for each subdomain.
3. Wildcard certificates are especially beneficial when there are numerous subdomains to manage, as it significantly reduces the administrative overhead and simplifies the renewal and deployment processes.
Therefore, a Wildcard certificate is the most appropriate choice for the company with a single domain and several dozen subdomains, providing a streamlined and efficient certificate management process.
upvoted 3 times

reverse01, 6 months, 2 weeks ago
B. Wildcard. Wildcards are used as placeholders to match multiple subdomains or URLs within a specific domain. The wildcard character (*) is commonly used for this purpose.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 3 weeks ago
Selected Answer: B
A Wildcard certificate is designed to secure a domain and all its subdomains with a single certificate. It is denoted by an asterisk (*) in the leftmost position of the domain name, such as "*.example.com". This means that the certificate can be used to secure any subdomain under the main domain. In the case of the company with multiple subdomains, a Wildcard certificate would simplify the certificate management process. Instead of obtaining and managing individual certificates for each subdomain, a single Wildcard certificate can be used to secure them all. This reduces administrative overhead, simplifies the deployment process, and ensures consistent security across the domain and its subdomains.
upvoted 2 times

Gaurabdon, 7 months, 1 week ago
Selected Answer: B
The reason to choose option B is because the question mentions "single domain". SAN covers multiple domains (different domains) with a single cert.
Wildcard certificate supports multiple subdomains off of a single domain. Hence, the answer is B.
upvoted 1 times

Dutch012, 8 months, 1 week ago
Selected Answer: B
Wildcard: covers unlimited subdomains with a single cert.
SAN: covers multiple domain names with a single cert.
Source: https://opensrs.com/blog/san-and-wildcard-certificates-whats-the-difference/
upvoted 1 times

Mroljrtnrty, 8 months, 2 weeks ago
Just Passed! 4/23/23 - This question was on the test but it was worded differently. They did mention wanting to simplify certificate management. I chose wrong. Should have picked Wildcard but hey, I still passed lol.
upvoted 2 times

Dutch012, 8 months, 1 week ago
Good for you! I am going to take it soon, and I am going to survive since I am a big fan of The Walking Dead.
upvoted 1 times

princajen, 10 months ago
Selected Answer: A
In this case, the best option would be a Subject Alternative Name (SAN) certificate, also known as a Unified Communications Certificate (UCC). A SAN certificate can cover multiple domains, subdomains, and hostnames under a single certificate. This would allow the company to cover its main domain and all subdomains, as well as any future domains or subdomains that may be added. SAN certificates are commonly used in environments with multiple domains or subdomains.
upvoted 1 times

princajen, 10 months ago
After reviewing, the best option is a wildcard SSL certificate.
upvoted 4 times

DALLASCOWBOYS, 11 months, 1 week ago
B. Wildcard. Helps with a main domain, with multiple subdomains on websites.
upvoted 1 times

ShivP2, 11 months, 1 week ago
A. Subject alternative name (SAN) certificate would be the best option for a company with a single domain and several dozen subdomains that are publicly accessible on the internet.
SAN certificates allow a single certificate to be associated with multiple domain names, allowing the company to secure all of its subdomains with a single certificate, simplifying the certificate management process. A wildcard certificate would also be a valid option for a company with a single domain and several dozen subdomains that are publicly accessible on the internet. It allows a single certificate to be associated with all subdomains of a domain, making it easy to secure all the subdomains under one certificate. However, a Wildcard certificate would only work for subdomains and would not cover the main domain or any other domain that is not a subdomain of the main domain; in this case, if the company wants to add any other domain in the future it would require another certificate.
upvoted 1 times

xxxdolorxxx, 11 months, 2 weeks ago
Selected Answer: B
My vote goes to B.
upvoted 1 times

Topic 1 Question #11
Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
A. DLP
B. NIDS
C. TPM
D. FDE
Correct Answer: A
Community vote distribution: A (93%), other 7%

Fitzd (Highly Voted), 1 year, 3 months ago
Just passed, what you see is what you get... these discussions help a lot... thanks guys, and this site is all the luck you need.
upvoted 25 times

ELLEWOODS45, 1 year, 3 months ago
DID YOU REVIEW THE OLD DUMPS OR JUST THIS ONE? I AM TRYING TO PASS, I NEED HELP 😥 😭
upvoted 2 times

banditring, 1 year, 3 months ago
There's an old dump? I must find it. I take the exam in 2 weeks and am freaking out!!
upvoted 2 times

Dachosenone (Highly Voted), 1 year, 4 months ago
Selected Answer: A
Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network.
upvoted 18 times

lsalc (Most Recent), 3 weeks, 4 days ago
I answered A on the test.
upvoted 1 times

gamingseller, 1 month, 4 weeks ago
Selected Answer: A
DLP systems are specifically designed to detect and prevent the unauthorized use and transmission of confidential information. They can be set up to monitor data at rest, in use, and in motion, and can take action to block unauthorized data transfers.
upvoted 3 times

OlasecureMe, 3 months, 1 week ago
DLP is that data bank account. Nothing gets transferred without proper authorization.
upvoted 3 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
DLP is a comprehensive security solution designed to identify, monitor, and protect sensitive data from unauthorized access, use, or exfiltration. It helps organizations prevent data breaches and leakage by monitoring data movement both within the network and when data is being transferred to external destinations, such as the internet.
1. Content inspection: DLP solutions inspect data in real-time and at rest to identify sensitive information, such as Personally Identifiable Information (PII), financial data, intellectual property, or other confidential information.
2. Policy-based controls: Organizations can define policies that specify how sensitive data should be handled and protected. DLP tools enforce these policies by taking appropriate actions when data matches predefined criteria, such as blocking, encrypting, or quarantining the data.
3. Network monitoring: DLP solutions monitor network traffic and endpoints to detect suspicious activities and potential data exfiltration attempts.
4. Data encryption: DLP tools can include encryption capabilities, which add an extra layer of protection to sensitive data, making it unreadable to unauthorized parties even if it is somehow intercepted.
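The content-inspection and policy-based-control steps that Protract8593 lists above, as an added example that is not part of the ExamTopics thread: a toy DLP check that scans constructed outbound messages for card numbers (validated with the Luhn checksum, so random digit runs such as order ids do not trigger) and SSNs, then applies a constructed policy of allow, block or quarantine depending on the data class found and whether the destination domain is internal.

```python
"""Toy content-inspection DLP check for outbound messages.

Added example, not code from the ExamTopics thread. The regexes, the
policy rules, the internal-domain list and the sample records are all
constructed for illustration.
"""
import re

# Candidate primary account numbers: 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US Social Security Number in its dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Destinations treated as inside the organisation (constructed).
INTERNAL_DOMAINS = {"corp.example"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Filters out random digit runs (order ids, tracking numbers)
    so that only plausible card numbers count as a PAN hit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> set[str]:
    """Content inspection: which sensitive data classes appear in the payload."""
    classes = set()
    if find_pans(text):
        classes.add("PAN")
    if SSN_RE.search(text):
        classes.add("SSN")
    return classes


def decide(record: dict) -> str:
    """Policy-based control for one outbound record.

    Constructed rules: no sensitive data -> allow; sensitive data staying on an
    internal domain -> allow; card numbers leaving the organisation -> block;
    any other PII leaving -> quarantine for review.
    """
    classes = classify(record["body"])
    dest_domain = record["to"].rsplit("@", 1)[-1].lower()
    if not classes:
        return "allow"
    if dest_domain in INTERNAL_DOMAINS:
        return "allow"
    if "PAN" in classes:
        return "block"
    return "quarantine"


def run_policy(records: list[dict]) -> list[tuple[str, str, frozenset]]:
    """Evaluate every record; return (id, action, classes) rows for the audit log."""
    return [(r["id"], decide(r), frozenset(classify(r["body"]))) for r in records]


# Constructed sample of outbound messages as a DLP sensor might see them.
SAMPLE_RECORDS = [
    {"id": "m1", "to": "alice@corp.example",
     "body": "Card on file: 4111 1111 1111 1111, please update."},
    {"id": "m2", "to": "vendor@partner.example",
     "body": "Card on file: 4111 1111 1111 1111, please update."},
    {"id": "m3", "to": "hr@outside.example",
     "body": "Employee SSN 078-05-1120 attached for onboarding."},
    {"id": "m4", "to": "support@outside.example",
     "body": "Order 1234567890123456 has shipped, tracking to follow."},
]

if __name__ == "__main__":
    for rec_id, action, classes in run_policy(SAMPLE_RECORDS):
        print(f"{rec_id}: {action:<10} {sorted(classes)}")
```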
upvoted 6 times

ApplebeesWaiter1122, 6 months, 2 weeks ago
Selected Answer: A
DLP systems are designed to monitor and control the flow of sensitive information within an organization's network. They can detect and prevent unauthorized data transfers, whether intentional or accidental, by monitoring network traffic, data storage systems, and endpoints. DLP systems can identify sensitive data based on predefined policies, such as personally identifiable information (PII), credit card numbers, or intellectual property, and take actions to prevent its unauthorized disclosure.
upvoted 2 times

JR2463, 8 months, 2 weeks ago
I echo that these discussions really helped. I just passed as well.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
A. DLP tracks data moving within the network, and can block the data when it is in danger of leaving the corporate network.
upvoted 3 times

Zonas, 11 months, 2 weeks ago
Correct Answer: A
upvoted 1 times

Nirmalabhi, 1 year, 1 month ago
Selected Answer: A
The answer's right in front of you. Option A.
upvoted 1 times

Imok, 1 year, 2 months ago
Selected Answer: A
Data Loss Prevention
upvoted 1 times

be9z, 1 year, 2 months ago
FDE performs full disk encryption but it cannot stop or prevent data exfiltration. The answer is A - Data Loss Prevention (DLP).
upvoted 2 times

VendorPTS, 1 year, 3 months ago
Selected Answer: A
Data Loss Prevention is the clear winner here.
upvoted 1 times

groger999, 1 year, 3 months ago
Correct Answer: DLP
upvoted 2 times

Ribeiro19, 1 year, 4 months ago
Selected Answer: A
It prevents data from being extracted from a corporate network.
upvoted 5 times

comeragh, 1 year, 4 months ago
Selected Answer: A
DLP correct here.
upvoted 2 times

Topic 1 Question #12
Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer's assignment?
A. Replacing the traditional key with an RFID key
B. Installing and monitoring a camera facing the door
C. Setting motion-sensing lights to illuminate the door on activity
D. Surrounding the property with fencing and gates
Correct Answer: A
Community vote distribution: A (97%)

rodwave (Highly Voted), 1 year, 1 month ago
Selected Answer: A
Replacing the traditional key with an RFID key - For this question, there is mention of "attempts have been made to pick the door lock". Out of the options provided, only the option to replace the current door key with an RFID key directly addresses this issue. The other options can be viewed as preventative access control systems/deterrents as well.
============================
Helpful Info
Preventative access control - An access control that is used to stop unwanted or unauthorized activity from occurring; these could be policies, firewalls, physical barriers etc.
RFID (Radio Frequency Identification) - A type of key card/fob access control system that uses radio frequency signals to communicate between a reader and an RFID tag. You would place the tag/card near the reader and if the reader identifies the signal as belonging to an authorized user, they will be allowed access.
upvoted 16 times

Ribeiro19 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
B, C and D are not an access control. So, A is the only one XD
upvoted 5 times

saucehozz, 1 month, 1 week ago
Haha. All options are PREVENTIVE access controls.
upvoted 1 times

be9z, 1 year, 2 months ago
A and D are access controls; however, A is the correct answer because it focuses on securing the door and not the other security perimeter of a facility. Hence RFID protects against both external (who is not supposed to have access to the building) and internal threats (staff who are not authorised to enter the room).
upvoted 6 times

Halaa, 1 year, 4 months ago
They are access control.
upvoted 3 times

stoneface, 1 year, 4 months ago
YES, 'access control'
upvoted 2 times

5StarNinja (Most Recent), 1 month, 3 weeks ago
Selected Answer: A
This addresses the "traditional key" that is being picked. Replacing with RFID takes out the physical key hole and only authorized users will possess an RFID key to access.
upvoted 1 times

gamingseller, 1 month, 4 weeks ago
Selected Answer: A
The best option to complete the engineer's assignment of implementing a stronger preventative access control at the door would be: A. Replacing the traditional key with an RFID key. This method directly enhances the security of the door's locking mechanism, making it more difficult for unauthorized persons to gain entry by picking the lock.
upvoted 1 times

TheFivePips, 2 months ago
Replacing a traditional key with an RFID key (Option A) is indeed a strong security measure, especially for preventing unauthorized physical access. RFID keys offer enhanced security because they are often more difficult to duplicate or pick compared to traditional keys. This option is a valid choice for improving access control and preventing unauthorized entry. However, the choice between Option A (RFID key) and Option D (fencing and gates) may depend on various factors, including the specific security needs, budget, and the facility's location.
If the primary concern is unauthorized physical access at the door, then Option A (RFID key) would be an effective choice. On the other hand, if there are broader security concerns, such as unauthorized access from multiple points or the need to secure the entire perimeter, Option D (fencing and gates) may be the more comprehensive solution. Ultimately, both options (A and D) can enhance security, but the choice may vary depending on the specific security requirements of the facility. I hate it here.
upvoted 2 times

Sebatian20, 2 months, 2 weeks ago
I did entertain C, 'cause I don't know about you guys... if I am trying to pick a lock and suddenly I get staged lights shined down on me... I am getting my arse out of the area!
upvoted 1 times

JCrain, 2 months, 4 weeks ago
IMO the option is to add fencing around the perimeter of the facility. Adding an RFID reader is not going to stop the door from being picked any less than it already is. RFID readers provide Authorization and Accounting. If you limit who can be in there with a barrier, your goal is achieved. Defense in Depth. This should go back to the defense in depth.
upvoted 3 times

PropheticBettor, 2 months, 2 weeks ago
Agreed, and also Fences/Bollards/Gates are identified as preventative access controls by CompTIA.
upvoted 1 times

M43, 3 months ago
The correct answer is D. Surrounding the property with fencing and gates. To implement a stronger preventative access control in this scenario, surrounding the property with fencing and gates would be the most effective option. This physical security measure creates a physical barrier that prevents unauthorized individuals from even reaching the door, making it much more difficult for someone to attempt to pick the lock or gain access to the secure facility in the first place.
While options like replacing the traditional key with an RFID key, installing a camera, and setting motion-sensing lights can enhance security, they primarily address issues after an unauthorized access attempt has been made or are focused on surveillance and identification rather than preventing physical access to the facility. Fencing and gates, on the other hand, provide a proactive and physical deterrent to unauthorized access.
upvoted 3 times

RevolutionaryAct, 4 months ago
Selected Answer: A
The reason it is A and not D is because there is nothing in the question indicating that it is not an insider threat, so if it is one then gates and fences won't stop them. Theoretically they don't have access to this area as an insider (otherwise why pick it) and an RFID card would work better.
upvoted 2 times

NetTech, 4 months, 1 week ago
Like many of these questions, the wording is not great in this one. A & D are both access controls. A door that has an RFID reader on it may still have a door knob with a key hole and could still be picked. In fact, you would likely still want a keyed lock on the door: if there was a power failure, the door would fail secure, but could be opened with a key in an emergency. Only a door that has a maglock on it that is released after a card scan would address the issue. The answer is probably A but these questions need better editing by the authors.
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
Replacing the traditional key with an RFID (Radio Frequency Identification) key is a stronger form of access control compared to a physical key. RFID keys use radio waves to communicate with an RFID reader, which grants access to the facility if the key is authorized. This technology provides several advantages over traditional keys:
1. Increased security: RFID keys are more difficult to duplicate compared to physical keys, reducing the risk of unauthorized key copying.
2.
Access control management: RFID keys can be easily activated or deactivated from the access control system, allowing the security team to grant or revoke access quickly.
3. Audit trail: An RFID access control system can provide an audit trail, showing the times and dates of access attempts, successful entries, and denied entries, which can aid in security investigations.
upvoted 1 times

reverse01, 6 months, 2 weeks ago
I took my exam today and passed with an 800. Thanks, everyone, for the great discussions and input; they really helped me through the exam.
upvoted 3 times

ApplebeesWaiter1122, 6 months, 2 weeks ago
Selected Answer: A
Replacing the traditional key with an RFID key could also be a viable solution for implementing a stronger preventative access control for the secure facility. This option introduces an electronic access control mechanism that can provide enhanced security compared to traditional keys. By replacing the traditional key with an RFID key, the security engineer can leverage technology to improve access control. RFID keys typically contain a unique identifier that can be scanned by a reader to grant or deny access. This system allows for more granular control over who can enter the facility, as access can be restricted based on the specific RFID key credentials. RFID keys can also offer additional features such as logging access events, enabling centralized access management, and facilitating quick revocation of access in case of lost or stolen keys. These benefits enhance the overall security posture of the facility.
upvoted 1 times

Confuzed, 8 months, 4 weeks ago
Selected Answer: A
As said previously, the key to this question is "PREVENTATIVE". CompTIA defines it thus: Preventive - the control acts to eliminate or reduce the likelihood that an attack can succeed.
A preventative control operates before an attack can take place. None of the other answers are both preventative and meet the other terms in the question, however effective they might be to help mitigate the risk.
upvoted 2 times

Adji91, 9 months, 2 weeks ago
Happy to pass my exam with a 799 score. This question was on it.
upvoted 3 times

princajen, 10 months ago
Selected Answer: A
A. Replacing the traditional key with an RFID key would be the BEST option in this scenario. The use of an RFID key system provides more secure access control than traditional keys, as the keys cannot be duplicated easily, and the access logs are easier to maintain. Additionally, an RFID key system allows the security team to more effectively monitor access to the facility and to limit access to specific areas as necessary. Installing a camera or setting motion-sensing lights would be helpful for monitoring, but they would not necessarily prevent unauthorized access. Surrounding the property with fencing and gates can also help with security, but it would not be the BEST option in this scenario as it does not directly address the issue of the lock being picked.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
A. Replace with an RFID Key. For B, a camera will act as a deterrent but won't prevent someone from attempting to pick the lock. D: fencing and security gates, people can generally still get around; it won't prevent them from picking the lock.
upvoted 1 times

Topic 1 Question #13
Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?
A. Hashing
B. Tokenization
C. Masking
D. Encryption
Correct Answer: A
Community vote distribution: A (100%)

Ribeiro19 (Highly Voted), 1 year, 4 months ago
Selected Answer: A
Hashing is the answer. Why?
Because, with Hashing, the tool can identify a credential without knowing the exact credential, by a mathematical method (ex: multiply the credential by a number, and all different credentials have different results). Comparing the Hashing of the local credential with the Hashing of the web credentials, the tool can extrapolate if the credential was compromised.
upvoted 25 times

lsalc (Most Recent), 3 weeks, 4 days ago
I answered A on the test.
upvoted 1 times

kennyboy23, 1 month ago
Security engineer just put a fence around the property. But I'm the property groundskeeper. And I'm trying to break into the R&D building. And his fence did zero to keep me out since I was already authorized to be on the property.
upvoted 1 times

DirtyDann, 1 month, 4 weeks ago
Selected Answer: A
A. Hashing and all that goes along with it.
upvoted 2 times

AbdullxHanan, 5 months ago
Selected Answer: A
Hashing is correct.
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
Hashing is a cryptographic technique that takes input data (in this case, passwords) and converts it into a fixed-size string of characters, which is the hash value. The hashing process is one-way, meaning it is not feasible to reverse the hash and obtain the original password from the hash value alone. When monitoring tools need to compare values (such as passwords) to detect password leaks, they can hash the values and then compare the resulting hash values against a known database of leaked or compromised password hashes. If the hash of the user's password matches any entry in the database, it indicates that the password has been compromised without actually revealing the original password itself. This approach is widely used in password security practices, especially in situations where it's essential to protect the actual credentials from exposure.
In conclusion, the most suitable option for a monitoring tool to compare values (passwords) and detect password leaks without providing the actual credentials is A. Hashing.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 2 weeks ago
Selected Answer: A
Hashing is a one-way mathematical function that takes an input (in this case, passwords) and produces a fixed-size string of characters, known as a hash value or hash code. The important property of hashing is that it is computationally infeasible to reverse-engineer the original input from the hash value.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
A. Hashing
upvoted 2 times

Deeppain90, 11 months, 2 weeks ago
Selected Answer: A
Hashing
upvoted 1 times

xxxdolorxxx, 11 months, 3 weeks ago
Selected Answer: A
A makes the most sense to me.
upvoted 1 times

FMMIR, 1 year, 1 month ago
Selected Answer: A
Because, with Hashing, the tool can identify a credential without knowing the exact credential, by a mathematical method (ex: multiply the credential by a number, and all different credentials have different results). Comparing the Hashing of the local credential with the Hashing of the web credentials, the tool can extrapolate if the credential was compromised.
upvoted 2 times

okay123, 1 year, 1 month ago
"Hashing is used to assure the authenticity of websites with which they may share personal and private information, in password storage applications (personal or used by entities they interact with online), and is likely used by the antivirus solution they trust to keep their devices free of malware."
So if Hashing is used to validate the integrity of data, you can compare hashes to figure out if the data (password or whatever it is) was compromised.
https://www.uscybersecurity.net/csmag/what-the-hash-data-integrity-and-authenticity-in-american-jurisprudence/
upvoted 1 times

Sultan1990, 1 year, 4 months ago
I think C.
upvoted 1 times

Sultan1990, 1 year, 4 months ago
Sorry, A is the answer.
upvoted 6 times

Topic 1 Question #14
A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?
A. S/MIME
B. LDAPS
C. SSH
D. SRTP
Correct Answer: C
Community vote distribution: C (93%), other 4%

rodwave (Highly Voted), 1 year, 1 month ago
Selected Answer: C
Answer: SSH - SSH (Secure Shell) is a protocol that enables two computers to communicate securely by encrypting the connection. Since the question is looking to transfer files over the internet to a specific directory, the FTP protocol can be used for the file transfer itself. As SSH can be used with the FTP protocol, this allows for secure (SSH) file transfer (FTP) over the internet.
========================
Other Choices:
S/MIME (Secure/Multipurpose Internet Mail Extensions) - Digitally signs and encrypts the contents of email messages.
LDAPS (Lightweight Directory Access Protocol Secure) - Provides authentication for directory-based traffic.
SRTP (Secure Real-time Transport Protocol) - Provides authentication/encryption for transmitted audio and video traffic.
upvoted 40 times

kiosk99 (Highly Voted), 1 year, 4 months ago
Selected Answer: C
A File Transfer Protocol (FTP) server is typically configured with several public directories, hosting files, and user accounts. SSH FTP (SFTP). LDAP Secure (LDAPS): the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. File transfer. Answer: SSH
upvoted 9 times

lsalc (Most Recent), 3 weeks, 4 days ago
I answered A on the test.
upvoted 1 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: C
SSH (Secure Shell) is a network protocol that provides secure encrypted communication over an unsecured network, such as the internet. It is commonly used for secure remote access to servers and also for secure file transfer. In the given scenario, the security engineer can set up an SSH server on the destination server hosted by the business partner. The users from the company can then use an SSH client (such as OpenSSH) to securely transfer files to the specific directory on the business partner's server. Here's how the file transfer process works using SSH:
1. The business partner sets up an SSH server (SSH daemon) on their server.
2. The security engineer configures the server to allow secure file transfer (SCP/SFTP) using SSH.
3. Users from the company can use SSH clients like OpenSSH (or graphical SFTP clients) to securely connect to the business partner's server and transfer files to the designated directory.
With SSH, the file transfer process is secure and encrypted, protecting the data in transit from eavesdropping and tampering.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 2 weeks ago
Selected Answer: C
SSH is a network protocol that provides secure remote access and file transfer capabilities. It encrypts the communication between the client and server, ensuring confidentiality and integrity of the transferred data.
SSH provides secure authentication and encryption mechanisms, making it suitable for secure file transfer scenarios. With SSH, the users can securely drop off the files in the specific directory on the server, and then the server can initiate a secure file transfer to the business partner using SSH's file transfer capabilities (e.g., SCP - Secure Copy or SFTP - SSH File Transfer Protocol).
upvoted 1 times

z3phyr, 9 months, 1 week ago
Selected Answer: C
SFTP is a file transfer protocol that uses SSH to create the secure connection.
upvoted 1 times

Guseyayi, 10 months, 3 weeks ago
Selected Answer: C
SSH is a secure method of connecting to remote servers over a network because it encrypts data transmitted over a network.
upvoted 1 times

uday1985, 12 months ago
I think it's D, but they messed up the letters: SFTP became SRTP! I dare you who have answered SSH to use the same answer when SFTP is next to it!
upvoted 1 times

[Removed], 12 months ago
There is such a thing as SRTP...
upvoted 3 times

CTE_Instructor, 10 months, 2 weeks ago
His point is OP typo'd and wrote SRTP instead of SFTP. If SFTP was an option, it would be the more accurate answer for this question. CompTIA rarely puts bogus acronyms in their questions, so it's more likely that OP simply typo'd SFTP as a bogus SRTP.
upvoted 1 times

CTE_Instructor, 10 months, 2 weeks ago
Self correction: SRTP is Secure Real-Time Protocol, and is an objective on the Security+ 601. It's primarily used for real-time media stream security like video & VoIP. It is not the correct answer for this question.
upvoted 3 times

Mr_BuCk3th34D, 1 year ago
Actually, a better answer would be SFTP (SSH with FTP), but since this is not an alternative, I'll go with SSH.
upvoted 1 times

lordguck, 1 year, 2 months ago
C: LDAPS (B) is for authentication but that does not answer the question about the data transfer.
SSH, on the other hand, can do both, e.g. with user/password or, better yet, certificates.
upvoted 1 times

be9z 1 year, 2 months ago
The answer is SSH. SSH can be used to transfer data from one computer to another over the internet, and it is a secure connection.
upvoted 1 times

RawToast 1 year, 2 months ago
Selected Answer: C
SSH is a suite of three utilities. SSH: Secure Shell for secure connection and command execution. SCP: Secure Copy Protocol. slogin: enables secure login. Both ends of an SSH connection are encrypted. SSH would allow for all of the criteria to be met.
upvoted 3 times

Mondicles 1 year, 3 months ago
Selected Answer: C
This is definitely C. LDAP is used to provide a central place for directory service authentication. S/MIME is an internet standard to digitally sign and encrypt email messages. It ensures the integrity of email messages remains intact while being received. SSH can be used with FTP, which is called SFTP: file transfer over an encrypted tunnel.
upvoted 4 times

mark9999 1 year, 4 months ago
LDAPS is for directory-based traffic and S/MIME for email traffic. Sending files to another server using SSH will achieve the aim. Try it out on Linux-based machines.
upvoted 1 times

monsteracid 1 year, 3 months ago
LDAPS is used for authentication ONLY. It does not perform any encryption of files.
upvoted 1 times

Wiggie 1 year, 4 months ago
LDAPS
https://library.netapp.com/ecmdocs/ECMP1366834/html/GUID-0E97E7F2-D46D-4883-B95B-A066B0D52B3D.html
upvoted 1 times

Dachosenone 1 year, 4 months ago
Selected Answer: C
You can transfer files from server to server using SSH.
https://tecadmin.net/download-file-using-ssh/
upvoted 2 times

comeragh 1 year, 4 months ago
On review it looks to be LDAPS. Other sites are also saying LDAPS.
upvoted 1 times

monsteracid 1 year, 3 months ago
LDAPS is used for authentication ONLY.
It does not perform any encryption of files.
upvoted 2 times

varun0 1 year, 4 months ago
Selected Answer: C
S/MIME is the format used for email attachments; there is no way for the users to upload files to the directory and have it automatically sent to the business partner. SSH can do this by sshing to the required directory and placing the files there, and having them sent using various SSH-based file transfer protocols like SFTP and SCP.
upvoted 4 times

Wiggie 1 year, 4 months ago
https://www.miniorange.com/guide-to-setup-ldaps-on-windows-server
https://www.techtarget.com/searchmobilecomputing/definition/LDAP
upvoted 2 times

Topic 1 Question #15
An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?
A. Perform a mathematical operation on the passwords that will convert them into unique strings.
B. Add extra data to the passwords so their length is increased, making them harder to brute force.
C. Store all passwords in the system in a rainbow table that has a centralized location.
D. Enforce the use of one-time passwords that are changed for every login session.
Correct Answer: A
Community vote distribution: A (93%), 7% (other)

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: A
A, 100% sure.
upvoted 9 times

Protract8593 (Highly Voted) 5 months, 2 weeks ago
Selected Answer: A
Hashing is a cryptographic process that takes an input (such as a user password) and transforms it into a fixed-size, unique string of characters, known as the hash value or hash code. The hashing algorithm performs a one-way function, meaning it is not possible to reverse the process and retrieve the original password from the hash value alone.
The resulting hash value is unique to the input, meaning different passwords will result in different hash values. By storing only the hash values of passwords instead of the passwords themselves, the administrator ensures that even if the database is compromised, the actual passwords are not exposed to attackers. When a user attempts to log in, the password they provide is hashed and compared to the stored hash value. If the hash values match, the password is considered correct, and access is granted.
upvoted 5 times

ApplebeesWaiter1122 (Most Recent) 6 months, 2 weeks ago
Selected Answer: A
The administrator is being advised to hash the passwords. Hashing is a process of applying a mathematical algorithm to a password, resulting in a unique string of characters known as a hash value or hash code. The hash value is typically of fixed length, regardless of the input password's length.
When passwords are hashed, they are transformed into irreversible representations. Hash functions are designed in such a way that it is computationally infeasible to reverse-engineer the original password from the hash value. This ensures that even if the hashed passwords are compromised, the actual passwords remain protected.
Hashing is a widely used technique to securely store passwords. Instead of storing the passwords themselves, the system stores the hash values. During the authentication process, the user's entered password is hashed and compared to the stored hash value. If the hashes match, the password is considered correct.
upvoted 1 times

Navigator 7 months, 2 weeks ago
Selected Answer: A
This is the most meaningful answer here.
upvoted 1 times

princajen 10 months ago
Selected Answer: A
The administrator is being advised to perform a mathematical operation on the passwords that will convert them into unique strings. Therefore, the correct option is:
A. Perform a mathematical operation on the passwords that will convert them into unique strings.
Hashing is a process that takes a password as input, performs a mathematical operation on it, and generates a fixed-length string of characters as output, called a hash. The hash can be stored in a database and used to authenticate the user. When the user enters their password, the same mathematical operation is performed on it, and the resulting hash is compared to the stored hash. If the two hashes match, the user is authenticated. The use of hashing is a widely accepted method for securing passwords.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A is the definition of hashing.
upvoted 1 times

xxxdolorxxx 11 months, 3 weeks ago
Selected Answer: A
A. Hashing pushes the data through a one-way algorithm, resulting in a string that you can use to compare against the original value. All other answers don't really make any sense.
upvoted 1 times

KingDrew 12 months ago
Selected Answer: A
Basically a cryptography method.
upvoted 1 times

whiteLightning0820 1 year, 2 months ago
Selected Answer: A
IT'S A, FO SHO
upvoted 1 times

alayeluwa 1 year, 2 months ago
Selected Answer: A
It is A. Option B would be salting.
upvoted 1 times

Mondicles 1 year, 3 months ago
This question wants to test if you know the definition of a hash function, which is described in OPTION A.
upvoted 2 times

FT1 1 year, 4 months ago
A - What's Hashing About? By dictionary definition, hashing refers to "chopping something into small pieces" to make it look like a "confused mess". That definition closely applies to what hashing represents in computing. In cryptography, a hash function is a mathematical algorithm that maps data of any size to a bit string of a fixed size. We can refer to the function input as message or simply as input. The fixed-size string function output is known as the hash or the message digest.
As stated by OWASP, hash functions used in cryptography have the following key properties:
upvoted 2 times

dj450 1 year, 4 months ago
Selected Answer: A
Admin is being advised to hash. A is the definition of hashing.
upvoted 2 times

Ribeiro19 1 year, 4 months ago
Selected Answer: A
Guys, don't reinvent the wheel. The question is stating what they told the guy to do! That is hashing. And answer A is the definition of hash. You can find it on Google.
upvoted 3 times

examprepkt 1 year, 4 months ago
Seems like B would be the best option. What is password salting? Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.
https://www.techtarget.com/searchsecurity/definition/salt
upvoted 2 times

Mondicles 1 year, 3 months ago
Option A literally defines what a hash is. Read the question carefully.
upvoted 3 times

stoneface 1 year, 4 months ago
You are not adding any data when you are hashing; adding a randomized value is 'salting'.
upvoted 3 times

KetReeb 1 year, 4 months ago
A - Common uses of hashing algorithms are to store computer passwords and to ensure message integrity. The idea is that hashing can produce a unique value that corresponds to the data entered, but the hash value is also reproducible by anyone else running the same algorithm against the data.
upvoted 3 times

comeragh 1 year, 4 months ago
Selected Answer: B
B here for me seems the one that fits best.
upvoted 2 times

Ay_ma 1 year, 4 months ago
That's 'salting'. The question didn't indicate that anything was added to the process.
upvoted 3 times

Topic 1 Question #16
Which of the following would be indicative of a hidden audio file found inside of a piece of source code?
A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain
Correct Answer: A
Community vote distribution: A (100%)

rodwave (Highly Voted) 1 year, 1 month ago
Selected Answer: A
Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection. It's essentially being able to hide in plain sight. The question is referring to a hidden file, not some form of encryption. Steganography is not an encryption method but can be used with encryption to add an extra step for protecting data.
==============================
Other Choices:
Homomorphic encryption - An encryption algorithm designed to allow calculations to be performed on the encrypted data without requiring access to a secret key to decrypt the data. The result of such a computation remains in encrypted form, and at a later point the original data can be accessed with the proper decryption key. This allows critical and sensitive data to be outsourced to third parties without posing a serious risk to the original owner of that data.
Cipher suite - Algorithms/instructions required to enable secure network connections between servers and clients through TLS (SSL).
Blockchain - A shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network.
upvoted 21 times

adam1p 6 months, 3 weeks ago
When's the next album dropping?
upvoted 3 times

Ribeiro19 (Highly Voted) 1 year, 4 months ago
Selected Answer: A
Steganography is the art of putting information inside of information. It's like hiding something in front of everyone's eyes.
upvoted 10 times

Protract8593 (Most Recent) 5 months, 2 weeks ago
Selected Answer: A
Steganography is the practice of concealing information or files within other seemingly innocuous files or data to hide their existence. In the context of the question, an audio file could be hidden inside a piece of source code using steganography techniques. Steganography does not alter the functionality or appearance of the carrier file (in this case, the source code) but embeds the hidden information in a way that is not apparent to casual observation. It can be used to hide various types of files, including audio, images, or documents, within other files.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
Steganography is the practice of concealing information within other files or data in such a way that it is not easily detectable. In the context of digital files, steganography techniques can be used to hide one file, such as an audio file, within another file, such as source code. By employing steganography, the audio file can be embedded within the source code file without raising suspicion or altering the appearance of the code. This hidden audio file can only be extracted by using specific methods or tools designed to detect and extract steganographic content.
upvoted 1 times

Guseyayi 10 months, 3 weeks ago
Selected Answer: A
Steganography is the art of using cryptographic techniques to embed secret messages within another message.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Steganography, which is the art of using cryptographic techniques to embed secret messages within another file.
upvoted 1 times

KingDrew 12 months ago
Selected Answer: A
Steganography = hiding secret data within other data. In this case, a secret audio file is hidden within source code data.
upvoted 1 times

batuhanzeyad 12 months ago
Selected Answer: A
This is the right answer.
upvoted 1 times

mr_reyes 1 year ago
Sooooo many of these are "A", and I believe it is right here also.
upvoted 1 times

[Removed] 1 year, 1 month ago
A is the right answer.
upvoted 1 times

whiteLightning0820 1 year, 2 months ago
Selected Answer: A
I think it's A.
upvoted 1 times

rindrasakti 1 year, 2 months ago
Of course, steganography, A.
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with A on this one.
upvoted 1 times

IQ30 1 year, 4 months ago
Selected Answer: A
Professor Messer notes: Other steganography types
• Audio steganography – Modify the digital audio file
– Interlace a secret message within the audio
– Similar technique to image steganography
upvoted 4 times

Topic 1 Question #17
A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen: Please use a combination of numbers, special characters, and letters in the password field. Which of the following concepts does this message describe?
A. Password complexity
B. Password reuse
C. Password history
D. Password age
Correct Answer: A
Community vote distribution: A (100%)

Ribeiro19 (Highly Voted) 1 year, 4 months ago
Selected Answer: A
Password complexity is the method that obligates users to use passwords with some characteristics (like more than X characters, use of numbers, symbols and letters).
upvoted 8 times

comeragh (Highly Voted) 1 year, 4 months ago
Selected Answer: A
A is the correct answer here.
upvoted 6 times

Protract8593 (Most Recent) 5 months, 2 weeks ago
Selected Answer: A
Password complexity refers to the practice of requiring passwords to meet certain criteria to make them stronger and more resistant to unauthorized access. The message instructs the user to create a password that includes a combination of numbers, special characters, and letters, which are characteristics commonly associated with a complex password. By using a combination of numbers, special characters (e.g., !, @, #, $, etc.), uppercase letters, and lowercase letters, the resulting password becomes more difficult to guess or crack using brute-force or dictionary attacks.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
Password complexity refers to the requirements or rules set for creating a password that includes a combination of different character types such as numbers, special characters, uppercase letters, and lowercase letters. By enforcing password complexity, the system aims to enhance the security of user passwords. In this case, the message is instructing the user to include a combination of numbers, special characters, and letters in their password. By using a variety of character types, the resulting password becomes more resistant to common password cracking methods such as brute force or dictionary attacks.
upvoted 1 times

ExamPasser420 8 months, 1 week ago
Selected Answer: A
If you don't think it's A, idk what to tell you.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Making passwords more complex makes them harder to crack.
upvoted 1 times

alwaysrollin247 1 year, 1 month ago
CompTIA is frustrating. My first thought here is that this user is logging in, not creating an account, which would tell me this is the password age expiring.
However, the question asks what the message describes, which, leaving out the rest of the question, is complexity.
upvoted 2 times

Topic 1 Question #18
A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?
A. HIPS
B. FIM
C. TPM
D. DLP
Correct Answer: C
Community vote distribution: C (97%)

rodwave (Highly Voted) 1 year, 1 month ago
Selected Answer: C
In this question, an attack has already occurred, so preventative measures such as HIPS, FIM, or DLP would not be helpful. Also, the analyst wants to check the integrity of the system, and boot attestation can take place. TPM chips have mechanisms to prevent system tampering, and boot attestation can be done with TPM-based hardware to verify the state of the firmware, bootloader, etc. TPM is the best option here.
=====================
Other Choices:
HIPS (Host Intrusion Prevention System) - An installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. This aims to stop malware by monitoring the behavior of code.
FIM (File Integrity Monitoring) - Technology that monitors and detects file changes that could be indicative of a cyberattack. FIM specifically involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized.
DLP (Data Loss Prevention) - A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
upvoted 61 times

ELLEWOODS45 1 year, 1 month ago
I wish there was a way we could chat with each other. Do y'all have a way you communicate?
upvoted 10 times

BlackMamba_4 5 months, 2 weeks ago
Discord, Professor Messer Discord.
upvoted 2 times

David_Drake_KC 2 months ago
Not a valid name.
upvoted 1 times

Protract8593 (Highly Voted) 5 months, 2 weeks ago
Selected Answer: C
TPM (Trusted Platform Module) is a hardware-based security component that is designed to provide secure cryptographic functions and protect sensitive data on a computer or server. It is commonly used to ensure the integrity and security of a system's boot process and to support local and remote attestation.
Here's how TPM can provide the solution:
1. Boot integrity: TPM can store cryptographic measurements of the system's boot process, including the firmware, bootloader, and operating system components. These measurements are known as Platform Configuration Registers (PCRs) and create a "hash chain" that represents the system's boot state. Any unauthorized changes to the boot process will result in a different hash value, indicating potential tampering.
2. Remote attestation: TPM enables remote attestation, where the system can provide proof of its boot integrity to a remote server or entity. This is crucial for verifying that the system's software and configurations have not been altered by unauthorized parties. Remote attestation can be used to ensure the integrity of the system before allowing access to sensitive data or services.
upvoted 10 times

BigIshai 5 months, 1 week ago
@Protract8593, thank you for the breakdown. Very detailed.
upvoted 2 times

RuMMeL (Most Recent) 1 month, 1 week ago
Selected Answer: C
Talks about system boot: instantly think of TPM.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: C
TPM is a hardware-based security feature that provides cryptographic functions and secure storage for cryptographic keys. It offers a secure environment for verifying the integrity of a system's boot process and critical components. By leveraging TPM, the analyst can establish a trusted platform and ensure that the system's integrity is maintained.
Local boot attestation involves verifying the integrity of the system during the boot process on the local machine. TPM can measure and store hashes of critical components and compare them against known good values, ensuring that unauthorized changes or tampering are detected.
Remote boot attestation enables the verification of a system's integrity even when it is booted remotely or in a networked environment. TPM can generate and securely store cryptographic keys, which can be used for remote attestation and establishing trust with other systems or services.
upvoted 1 times

fouserd 8 months ago
Selected Answer: C
A Trusted Platform Module (TPM) would provide the BEST solution to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. A TPM is a hardware-based security device that generates and stores cryptographic keys and can be used to verify the integrity of a system's boot process.
upvoted 1 times

davsharma 8 months, 2 weeks ago
Selected Answer: B
Correct answer is FIM. File Integrity Monitoring (FIM) is a security practice which consists of verifying the integrity of operating systems and application software files to determine if tampering or fraud has occurred by comparing them to a trusted "baseline."
upvoted 1 times

Treasureprecious 9 months ago
Thank you rodwave for your explanations.
upvoted 3 times

princajen 10 months ago
Selected Answer: C
The best solution to ensure the integrity of the system remains intact and local and remote boot attestation can take place would be to use a Trusted Platform Module (TPM). TPM is a specialized chip on the motherboard of a computer that provides hardware-based security, which can help protect against unauthorized access to a computer's data. It can be used to perform boot-time measurements and provide secure storage of encryption keys and passwords, ensuring the system's integrity. With TPM, the system can perform secure boot attestation, which can detect unauthorized changes to the software or firmware that could compromise system security. HIPS, FIM, and DLP are not designed to provide boot-time measurements or to provide secure storage of encryption keys and passwords, which are essential for boot attestation.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
C. TPM, which is the Trusted Platform Module, which helps prevent unauthorized changes to firmware or software.
upvoted 2 times

mlonz 11 months, 3 weeks ago
A trusted platform module is a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.
upvoted 1 times

nerdboy1992 1 year ago
Though File Integrity Monitoring (FIM) detects any changes to software, it wouldn't be correct in this instance. This is due to the question stating "remote boot attestation". Trusted Platform Module (TPM) provides this feature.
upvoted 1 times

okay123 1 year, 1 month ago
Remote attestation:
- Device provides an operational report to a verification server
- Encrypted and digitally signed with a TPM
So before a remote boot attestation can take place, TPM chips are needed.
upvoted 2 times

Check_mate 1 year, 2 months ago
Selected Answer: B
It's clearly FIM; it's a security practice for ensuring integrity. TPM is a trusted Platform Model for securing cryptoprocesses.
upvoted 2 times

Sandon 11 months, 2 weeks ago
It's clearly not.
upvoted 3 times

Mondicles 1 year, 3 months ago
Selected Answer: C
The answer is C. TPM protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software.
upvoted 2 times

Ay_ma 1 year, 4 months ago
The key sentence in the question is: "The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place." The attack already happened. 'HIPS' looks out for attacks. But in the situation of trying to restore, TPM seems like the best option.
upvoted 10 times

comeragh 1 year, 4 months ago
Selected Answer: C
Sorry, my earlier comment suggested HIPS. On further reading, going with C - TPM.
upvoted 3 times

Ribeiro19 1 year, 4 months ago
Selected Answer: C
Check this out, guys:
https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation
upvoted 1 times

Topic 1 Question #19
Which of the following is a reason to publish files' hashes?
A. To validate the integrity of the files
B. To verify if the software was digitally signed
C. To use the hash as a software activation key
D.
To use the hash as a decryption passphrase
Correct Answer: A
Community vote distribution: A (100%)

securityexam101 (Highly Voted) 1 year, 4 months ago
Hashes = integrity, always.
upvoted 11 times

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: A
A seems obvious to me.
upvoted 7 times

DChilds (Most Recent) 3 months ago
Selected Answer: A
Hashing ensures integrity.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Publishing files' hashes is a common practice used to validate the integrity of files and ensure that they have not been tampered with or corrupted. A hash value is a unique fixed-size string of characters generated from the contents of a file using a cryptographic hashing algorithm. Even a minor change in the file's content will result in a completely different hash value.
When files are distributed, users can independently calculate the hash value of the received file and compare it to the published hash value. If the calculated hash matches the published hash, it means that the file has not been altered during transit, ensuring its integrity. If the hash values do not match, it indicates that the file may have been tampered with, corrupted, or modified, and users should exercise caution before using the file.
upvoted 4 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
Publishing files' hashes is primarily done to validate the integrity of the files. Hash functions generate unique hash values based on the content of a file. By calculating and publishing the hash values for files, users can compare them to verify the integrity of the files they possess.
When a file is downloaded or received from an untrusted source, comparing the calculated hash of the file with the published hash allows users to determine if the file has been altered or tampered with during transmission. If the calculated hash matches the published hash, it indicates that the file has not been modified and remains intact.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. Publishing hashes allows the comparison of hash values to verify integrity.
upvoted 2 times

GetBuckets 1 year, 1 month ago
I believe it's 'B'. Software vendors publish the hashes of their software products so the end users (in case they downloaded the software from 3rd-party websites) can verify if the software has not been tampered with (added malware or malicious code). Digital signatures use hashes.
upvoted 1 times

TinyTrexArmz 11 months, 2 weeks ago
But a hash does not prove that it was digitally signed. You take a plain txt file and, using a hash generator, create a hash for it. If I then share the text file with you and you wanted to make sure what is currently in the text file is the same as what I sent you, then you'd use a compatible hash generator to generate a hash for the file you received. If our hashes match, then the file wasn't changed. If the hash is different, then something happened in transit and you can't trust that txt file. To accomplish this I didn't have to digitally sign it or encrypt it or anything. Just share the file with you along with my original hash.
upvoted 4 times

rodwave 1 year, 1 month ago
Selected Answer: A
To validate the integrity of the files - Hash function algorithms compare the file's original and current hash values. If a byte or even a piece of the file's data has been changed, the original and current hash values will be different, and therefore you will know whether it's the same file or not.
upvoted 3 times

lordguck 1 year, 2 months ago
"A" is right obviously, but I have a question training dump from Oct/22 which says "B" (rubbish if you ask me).
upvoted 1 times

Ribeiro19 1 year, 4 months ago
Selected Answer: A
To validate the integrity of the files.
upvoted 2 times

stoneface 1 year, 4 months ago
Selected Answer: A
A - hashing.
upvoted 3 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with A being the correct answer here.
upvoted 1 times

Topic 1 Question #20
A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?
A. nslookup 10.10.10.0
B. nmap -p 80 10.10.10.0/24
C. pathping 10.10.10.0 -p 80
D. ne -l -p 80
Correct Answer: B
Community vote distribution: B (100%)

rodwave (Highly Voted) 1 year, 1 month ago
Selected Answer: B
Answer: nmap -p 80 10.10.10.0/24 - Nmap, or network mapper, is a network discovery and security auditing tool mainly used to find services, hosts, and open ports on a network. In this case, nmap will check for the HTTP port 80.
====================================
Other Choices:
Nslookup - This command queries DNS servers to obtain DNS records.
Pathping - This command provides information about network latency and packet loss at hops between a source and destination. Used for troubleshooting network issues.
ne - Honestly not 100% here.
upvoted 30 times

CTE_Instructor 10 months, 2 weeks ago
The ne command would be used to see traffic on one specific interface, while nmap would scan the entire network and show which ports are open on discovered IP addresses. For this question, nmap would be a more comprehensive scan and would show any IP address on the network which has port 80 open.
upvoted 5 times

TinyTrexArmz 11 months, 2 weeks ago
I agree the answer is nmap, but I'll also say that the command would not find "all web servers". It would only find web servers on the 10.10.10.0/24 subnet.
Because of this fact and my not being familiar with that "ne" command, I chose it initially. Which I think is why it's there: to trick people like me that get hung up on the phrase "all web servers." As far as my search goes, I've not found a system that uses the "ne" command.
upvoted 2 times

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: B
nmap is looking for the unsecure port 80 (http); pathping only shows packet drops and latency.
upvoted 15 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: B
1. nmap: nmap is a powerful network scanning tool used to discover hosts and services on a computer network.
2. -p 80: This option specifies that nmap should scan for open ports on port 80, which is the default port used for HTTP (unsecure web) communication.
3. 10.10.10.0/24: This is the target network range or IP address range that the analyst wants to scan. The /24 indicates a subnet mask of 255.255.255.0, meaning it will scan all IP addresses in the 10.10.10.0 network.
By running this command, the security operations center analyst can identify all web servers within the specified network range (10.10.10.0/24) that are responding on port 80, which is indicative of unsecure HTTP services. This information can then be used to further investigate and secure those servers if needed.
upvoted 6 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: B
To find web servers that respond to an unsecure protocol, an analyst can run the command "nmap -p 80 10.10.10.0/24".
Explanation:
"nmap" is a popular network scanning tool used for host discovery and service enumeration.
"-p 80" specifies the port to scan, in this case port 80, which is the default port for HTTP.
"10.10.10.0/24" represents the IP address range to scan. The "/24" is CIDR notation indicating all IP addresses within the subnet.
By running this command, the analyst will scan the IP range 10.10.10.0/24 for open port 80. If a web server is listening on port 80, it indicates that it is responding to unsecure HTTP requests.
upvoted 2 times

princajen 10 months ago
Selected Answer: B
B. nmap -p 80 10.10.10.0/24
The nmap command is a powerful network exploration and security auditing tool, which can be used to scan a range of IP addresses to determine which ports are open and which services are running on those ports. In this case, the security operations center has been tasked with locating web servers that respond to an unsecure protocol. Port 80 is the standard port for HTTP, which is an unsecure protocol. Therefore, the nmap command can be used to scan the IP range specified (10.10.10.0/24) and check if any servers are running an HTTP service on port 80.
upvoted 1 times

xxxdolorxxx 11 months, 2 weeks ago
Selected Answer: B
Nmap seems right to me. Done this a number of times when going for my eJPT.
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: B
B correct here
upvoted 4 times

stoneface 1 year, 4 months ago
Selected Answer: B
b) nmap -p 80 10.10.10.0/24 ->
upvoted 5 times

Topic 1 Question #21
Which biometric error would allow an unauthorized user to access a system?
A. False acceptance
B. False entrance
C. False rejection
D. False denial
Correct Answer: A
Community vote distribution: A (100%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
FAR (False Acceptance Rate) -> where an interloper is accepted (Type II error or false match rate [FMR]). FAR is measured as a percentage.
False rejection causes inconvenience to users, but false acceptance can lead to security breaches, and so is usually considered the most important metric.
upvoted 17 times

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: A
False Acceptance - There are only two metrics that are used to determine the performance of biometrics: FAR (False Acceptance Rate) & FRR (False Rejection Rate). False Acceptance Rate is a metric for biometric performance that determines the number of instances where unauthorized persons were incorrectly authorized. For this question, a biometric error would mean that someone was authorized when they weren't supposed to be authorized.
upvoted 11 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: A
False acceptance, also known as a "false positive," occurs when the biometric system incorrectly matches the biometric input of an unauthorized user to the biometric template of an authorized user. In other words, the system incorrectly identifies the unauthorized user as an authorized user and grants them access. This type of error is a security concern because it allows unauthorized individuals to gain access to the system, potentially compromising sensitive data or resources. Reducing the false acceptance rate is essential for improving the overall security of the biometric system and ensuring that only authorized users are granted access.
upvoted 2 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
False acceptance refers to a biometric system incorrectly accepting the identity of an unauthorized user as a legitimate user. It occurs when the system incorrectly matches the biometric data of an unauthorized individual with that of an authorized user, granting access to someone who should not have it.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. False acceptance lets an unauthorized user in and accepts them as valid.
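As an added illustration, not from any comment in this thread, of the FAR/FRR trade-off stoneface and rodwave describe: the similarity scores below and the matcher they are supposed to come from are made up for the example. The code counts false acceptances and false rejections at a decision threshold, then sweeps thresholds to find the crossover point (CER/EER) where the two rates meet.

```python
from dataclasses import dataclass

# Constructed sample data (made up for this example): similarity scores on a
# 0-100 scale from a hypothetical matcher. A genuine score is a legitimate
# user compared against their own enrolled template; an impostor score is
# someone else compared against that template.
GENUINE_SCORES = [92, 88, 95, 79, 84, 90, 73, 97, 86, 81]
IMPOSTOR_SCORES = [41, 55, 62, 38, 70, 49, 58, 66, 44, 77]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # False Acceptance Rate: impostor attempts that pass
    frr: float  # False Rejection Rate: genuine attempts that fail


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR when the system grants access for score >= threshold.

    FAR is the fraction of impostor scores at or above the threshold (a
    Type II error: an interloper is accepted). FRR is the fraction of
    genuine scores below it (a Type I error: a legitimate user is refused).
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def crossover_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return the one where FAR and FRR are closest.

    That point is the crossover error rate (CER, also called EER). Ties are
    broken toward the lowest threshold so the result is deterministic.
    """
    candidates = [error_rates(t, genuine, impostor) for t in range(0, 101)]
    return min(candidates, key=lambda r: (abs(r.far - r.frr), r.threshold))


def print_tradeoff(thresholds=(60, 70, 80, 90)):
    """Show how raising the threshold trades false acceptances for false rejections."""
    print("threshold   FAR    FRR")
    for t in thresholds:
        r = error_rates(t)
        print(f"{r.threshold:>9}  {r.far:5.2f}  {r.frr:5.2f}")
    cer = crossover_threshold()
    print(f"crossover at threshold {cer.threshold}: FAR={cer.far:.2f}, FRR={cer.frr:.2f}")


if __name__ == "__main__":
    print_tradeoff()
```

Lowering the threshold to cut down on false rejections (the complaints users notice) raises FAR, which is the error that lets an unauthorized user in. For a system guarding something valuable the threshold is normally set on the FAR side of the crossover, accepting more inconvenience in exchange for fewer interlopers.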
upvoted 1 times

varun0 1 year, 4 months ago
Selected Answer: A
False Acceptance Rate - accepts wrong info
upvoted 5 times

Topic 1 Question #22
A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company consult?
A. GDPR
B. ISO
C. NIST
D. PCI DSS
Correct Answer: A
Community vote distribution: A (100%)

comeragh Highly Voted 1 year, 4 months ago
Selected Answer: A
GDPR correct here
upvoted 12 times

secplusme 1 year, 3 months ago
GDPR is countries in the EU, not all of Europe
upvoted 1 times

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: A
GDPR - Privacy law for European citizens
upvoted 9 times

Jacksoms Most Recent 1 month ago
Guys, whenever you see "Europe" in any question just click GDPR and go next lol
upvoted 3 times

Thurams 2 months, 3 weeks ago
GDPR IS CORRECT!
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
GDPR is a comprehensive data protection regulation that governs the handling and processing of personal data of individuals located in the European Union (EU). It sets strict requirements and guidelines for organizations that collect, store, or process personal data of EU citizens, regardless of where the organization is based.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation in the European Union (EU). It outlines the rules and requirements for handling personal data of individuals within the EU, including how personal information should be collected, processed, stored, and protected. Given that the company is auditing the handling of its European customers' personal information, GDPR is highly relevant.
It provides specific guidelines and obligations for organizations regarding the privacy and security of personal data.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. GDPR is the General Data Protection Regulation; it implements security and privacy requirements for personal info of European residents worldwide.
upvoted 4 times

rodwave 1 year, 1 month ago
Selected Answer: A
Answer: GDPR - General Data Protection Regulation is a regulation in EU law that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
==============================
Other Choices:
ISO (International Organization for Standardization) - An independent, non-governmental organization that develops standards to ensure the quality, safety and efficiency of products, services and systems.
NIST (National Institute of Standards and Technology) - A non-regulatory US government agency created to develop cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.
PCI DSS (Payment Card Industry Data Security Standard) - A set of security standards for organizations that handle credit cards from major card schemes.
upvoted 8 times

grinop 1 year, 2 months ago
From what I see, Global Data Protection Regulations is EU but not sure all of Europe
upvoted 1 times

ExamTopicsDiscussor 1 year, 3 months ago
GDPR is for Europe.
upvoted 1 times

Topic 1 Question #23
Which of the following are common VoIP-associated vulnerabilities? (Choose two.)
A. SPIM
B. Vishing
C. Hopping
D. Phishing
E. Credential harvesting
F. Tailgating
Correct Answer: AB
Community vote distribution: BE (46%), AB (39%), Other

serginljr Highly Voted 1 year, 4 months ago
Hopping does not exist in exam objectives
upvoted 35 times

NerdAlert 9 months, 1 week ago
Heads up - VLAN hopping was one of the choices on my exam, but credential harvesting was not! IDK which one is correct besides vishing, but cred harvesting wasn't there.
upvoted 9 times

user82 8 months, 3 weeks ago
So the only reason "hopping" is not the answer is because it's not in the exam objectives? So I guess it's SPIM and credential harvesting
upvoted 2 times

BlackMamba_4 5 months, 2 weeks ago
Spim and vishing
upvoted 8 times

MENAMONGMEN 8 months, 2 weeks ago
He just said cred harvesting is NOT on the test.. :(
upvoted 3 times

k9_462 Highly Voted 1 year, 4 months ago
Selected Answer: BE
After heavy consideration and reading through multiple Sec+ books, I'm kinda going with B & D, vishing and credential harvesting, as being the most common attacks, as hopping doesn't ever seem to come up in the material. https://fitsmallbusiness.com/voip-security-threats/
upvoted 28 times

k9_462 1 year, 4 months ago
Although they don't specifically mention VOMIT, a common result of VOMIT would be credential harvesting. "VOMIT is a VoIP hacking technique that extracts confidential data and voice packets directly from calls. VOMIT works by eavesdropping on phone calls and converting phone conversations into files straight from your business phone system. This makes it easy to obtain company information, including usernames, passwords, bank details, phone numbers, and call origin."
upvoted 15 times

DrCo6991 Most Recent 1 week, 1 day ago
Selected Answer: AB
Vishing is an obvious choice. However, all the others are questionable. Considering what's left, I'd say SPIM is the best logical conclusion (SPIT would be better but not listed).
If you agree with credential harvesting, you have to agree with Phishing, because that's how Professor Messer says credential harvesting takes place (by sending a malicious attachment over email and a user clicking it). Hopping, from what I looked up, has to do with moving around different avenues to gain access to a system or environment. I guess it could include using the phone. However, I looked up IM over VoIP and it appears to be possible. I could be wrong though. If I get the question, I'm going with A and B on the test.
upvoted 1 times

_deleteme_ 3 weeks, 2 days ago
In the DION course the below is stated. SMS messages may be accessible to attackers via VoIP or other systems. AB it is for me.
NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers.
upvoted 1 times

lsalc 3 weeks, 4 days ago
I answered BC on the test
upvoted 1 times

ComPCertOn 1 month, 3 weeks ago
Selected Answer: AB
Guys, I have done extensive research on this. The only good answers are A and B. All the rest are not VoIP or not in the exam objectives.
upvoted 4 times

ComPCertOn 2 months, 2 weeks ago
Selected Answer: AB
The only two sensible answers here judging by others
upvoted 3 times

ha33yp0tt3r69 2 months, 2 weeks ago
Selected Answer: BE
B. Vishing: Vishing (voice phishing) is a social engineering attack in which attackers use voice communication (typically over VoIP) to deceive individuals into revealing sensitive information such as login credentials, credit card numbers, or personal information.
E. Credential harvesting: VoIP systems, like other online systems, can be vulnerable to credential harvesting attacks. Attackers may attempt to steal login credentials to gain unauthorized access to VoIP accounts or systems.
upvoted 2 times

DashRyde 2 months, 2 weeks ago
Selected Answer: BD
Why not Vishing and Phishing? Phishing is a common cyber attack that can also affect VoIP systems, tricking users into revealing sensitive information.
upvoted 2 times

MrBeansBeans 1 month, 1 week ago
Phishing is for emails. Vishing is VoIP. They are not one and the same.
upvoted 1 times

Sublime_Cheese 2 months, 3 weeks ago
Would SPIM on a VoIP app be considered a VoIP vulnerability? Professor Messer mentions this briefly in an old SY0-401 video: https://www.professormesser.com/security-plus/sy0-401/spam-2/
upvoted 2 times

Thurams 2 months, 3 weeks ago
The common VoIP-associated vulnerabilities are:
B. Vishing (Voice Phishing): Vishing is a type of social engineering attack that targets VoIP systems. Attackers use phone calls to manipulate individuals into revealing sensitive information or taking certain actions.
E. Credential harvesting: VoIP systems can be vulnerable to credential harvesting, where attackers attempt to steal usernames and passwords, allowing unauthorized access to the system.
The other options are not typically associated with VoIP vulnerabilities:
A. SPIM (SPam over Internet Messaging) is related to instant messaging, not VoIP.
C. Hopping is a broad term and not specific to VoIP vulnerabilities.
D. Phishing is a common form of cyberattack but not specific to VoIP.
F. Tailgating refers to physical security breaches, not VoIP-related vulnerabilities.
upvoted 3 times

AbuBakarFarid 3 months ago
Guys, please listen to me and upvote this as much as possible. I took the exam with this question. Please pay attention to the following.
1. Credential harvesting wasn't an option.
2. It said VLAN hopping, which has nothing to do with the question.
3. The only option that made sense was SPIM and vishing.
upvoted 21 times

above 3 months ago
Selected Answer: BE
Credential Harvesting can result from VOMIT - VOMIT involves converting a phone call into a file that can be shared anywhere.
Hackers often sell this data to competitors or use it to blackmail companies. In the same way, they are able to eavesdrop on ongoing calls, obtaining access to confidential information, such as usernames and passwords, call origin, and financial details.
upvoted 1 times

LLuis_L 3 months ago
B & D. Read chapter 4, page 68: Smishing is phishing via text msgs, or vishing via telephone. Vishing, or phishing via telephone.
upvoted 1 times

Abbey2 4 months, 1 week ago
The common VoIP-associated vulnerabilities are:
B. Vishing (Voice Phishing)
E. Credential Harvesting
Explanation:
Vishing (Voice Phishing) (Option B) involves using phone calls to deceive individuals into revealing sensitive information, such as passwords, credit card numbers, or other personal details. Attackers manipulate victims into trusting the caller's identity and legitimacy.
Credential Harvesting (Option E) involves attempting to steal usernames, passwords, or other credentials from users. In the context of VoIP, attackers might try to trick users into revealing their authentication information, potentially leading to unauthorized access.
upvoted 1 times

NetTech 4 months, 1 week ago
Selected Answer: AB
I'm going with A SPIM and B Vishing. The question is asking for "common" vulnerabilities. While RTP packets can be captured and listened to, I don't think this is a common occurrence, so not credential harvesting. Hopping, or VLAN hopping, can be used to move from the VoIP network over to the data network, but again I feel this would be uncommon.
upvoted 6 times

harakara 4 months, 1 week ago
Out of the given options, the common VoIP-associated vulnerabilities are:
A. SPIM
B. Vishing
SPIM is unsolicited messages sent over VoIP messaging systems. It's similar to email spam but targets VoIP users, especially on instant messaging platforms.
upvoted 1 times

Topic 1 Question #24
Which of the following describes the exploitation of an interactive process to gain access to restricted areas?
A. Persistence
B. Buffer overflow
C. Privilege escalation
D. Pharming
Correct Answer: C
Community vote distribution: C (84%), B (16%)

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: C
Exploitation of an interactive process is the command line, from where exploits can be run to gain root permissions in a system
upvoted 19 times

NICKJONRIPPER Highly Voted 1 year, 1 month ago
Selected Answer: B
Interactive means input; gaining a restricted area means modifying memory that is not allowed to the application; this is buffer overflow. No mention of gaining another account (privilege escalation).
upvoted 6 times

PropheticBettor 2 months, 2 weeks ago
I agree. No one refers to an admin account as a restricted area. Input has been used to overload and reach restricted memory.
upvoted 1 times

PropheticBettor 2 months, 2 weeks ago
Also, privilege escalation does not have to be interactive. In order to overflow the buffer you must interact with it.
upvoted 1 times

Sandon 11 months, 3 weeks ago
That ain't it
upvoted 4 times

Dutch012 8 months ago
Agree with ya
upvoted 1 times

NICKJONRIPPER 1 year, 1 month ago
Key is gain "area", not gain "account"
upvoted 3 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: C
Privilege escalation is the process of exploiting a vulnerability or weakness in a system to gain higher-level access or privileges than the user originally had. It involves elevating one's privileges from a standard or restricted user to an administrative or superuser level. By doing so, an attacker can gain access to sensitive or restricted areas of the system, perform unauthorized actions, and potentially take control over the entire system.
Privilege escalation can occur through various means, such as exploiting software vulnerabilities, misconfigurations, or weaknesses in access controls. It is a critical security concern and is often used as part of sophisticated cyberattacks to gain deeper access to a targeted system or network.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: C
Privilege escalation is the process of elevating one's privileges or access level beyond what is initially granted. In the context of security, it typically refers to gaining higher privileges within a system or application to access restricted areas or perform unauthorized actions. Exploiting an interactive process refers to taking advantage of a running program or process to manipulate it in a way that grants higher privileges or access rights. By exploiting vulnerabilities or weaknesses in the interactive process, an attacker can escalate their privileges and gain unauthorized access to restricted areas of the system.
upvoted 2 times

LeonardSnart 8 months ago
Selected Answer: C
I thought it was B at first, but after checking the book C seems to be correct. "There are a couple of ways to achieve privilege escalation. One way is to use existing privileges to perform an action that steals a better set of credentials. You can obtain “better” credentials by using sniffers to grab credentials or by getting the Windows Security Account Manager (SAM) or the Linux/Unix etc/passwd file. Another method is by exploiting vulnerabilities or weaknesses in processes that are running with escalated privileges. Injecting malicious code into these processes can also achieve escalated privilege." - All-in-One CompTIA Security+ SY0-601 by Conklin, White, et al.
upvoted 2 times

princajen 10 months ago
Selected Answer: C
C. Privilege escalation.
Privilege escalation is the exploitation of an interactive process to gain access to resources that are normally unavailable to an unauthorized user. This can occur when an attacker gains access to a low-privileged account on a system and then uses that access to escalate privileges to a higher level, allowing the attacker to perform actions they wouldn't normally be able to do. For example, an attacker might use a privilege escalation exploit to gain administrative access to a system or to gain access to sensitive data.
upvoted 4 times

DALLASCOWBOYS 11 months, 1 week ago
C. Privilege Escalation seeks to increase the level of access that a user normally doesn't have. A restricted access area is an increased level of access.
upvoted 1 times

xxxdolorxxx 11 months, 2 weeks ago
Selected Answer: C
Priv esc.
upvoted 1 times

FMMIR 1 year, 1 month ago
Selected Answer: C
With Privilege Escalation, hackers can use a NON-INTERACTIVE program (application) to gain access. Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an APPLICATION (either a batch program or an interactive program) or OPERATING SYSTEM utility program to gain elevated access to resources that should normally be unavailable to that user.
upvoted 1 times

comeragh 1 year, 3 months ago
Selected Answer: C
Agree with C here being the correct answer
upvoted 1 times

Topic 1 Question #25
An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency?
A. Geographic dispersal
B. Generator power
C. Fire suppression
D. Facility automation
Correct Answer: A
Community vote distribution: A (100%)

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: A
Placing that datacenter far away, maybe in another country, can help protect against disasters like an earthquake
upvoted 15 times

Gravoc Highly Voted 1 year, 3 months ago
At least 90 miles away for natural disaster industry standard guidelines.
upvoted 7 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: A
Geographic dispersal refers to the practice of establishing data centers or facilities in different geographical locations, often at a considerable distance from one another. By having data centers located in diverse geographic regions, the organization can increase its resiliency and ensure continuity of operations even in the face of natural disasters or regional disruptions.
upvoted 3 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: A
Geographic dispersal refers to the strategic placement of data centers in different geographical locations. By having data centers spread across diverse geographic areas, the organization ensures that its operations can continue even if one or more locations are affected by a natural disaster. If a natural disaster, such as a hurricane, earthquake, or flood, occurs in one region, the organization's other data centers in unaffected areas can sustain operations and maintain business continuity. Geographic dispersal reduces the risk of a single point of failure and increases the overall resiliency of the organization's infrastructure.
upvoted 1 times

LeonardSnart 8 months ago
"Geographic Dispersal: The gold standard for system redundancy is to make perfect copies of the same system and spread them apart geographically, then use the Internet to keep the copies identical. Geographic dispersal protects from natural disasters and widespread Internet disruption. You can set up your own dispersed servers, but virtualization services make it easy."
- Mike Meyers, Security+ Certification Guide, Third Edition, SY0-601
upvoted 3 times

DALLASCOWBOYS 11 months, 1 week ago
A. Geographic dispersal. Placing facilities in areas that are not going to be affected by the same disaster.
upvoted 3 times

kasper13 1 year, 1 month ago
Selected Answer: A
Away from natural disasters and overheating
upvoted 1 times

Topic 1 Question #26
A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users?
A. EAP
B. TLS
C. HTTPS
D. AES
Correct Answer: D
Community vote distribution: A (50%), D (49%)

Gravoc Highly Voted 1 year, 3 months ago
EAP has to be incorrect. EAP is an AUTHENTICATION protocol, and authentication does not provide confidentiality. Authentication encompasses processes that allow systems and networks to determine if a user is who they say they are. That provides integrity, not confidentiality. Confidentiality ensures that secret information is protected from UNAUTHORIZED disclosure. The question also ends with "unauthorized users". HTTPS is just HTTP that uses TLS to encrypt network traffic that is in transit. As stated above, TLS encrypts in-transit data. This question specifically states preventing exposed data to unauthorized users. TLS and HTTPS only encrypt in-transit data. Data-at-rest in a network is insecure, though. Only AES meets the criteria of providing confidentiality to both data-at-rest and data-in-transit, preventing unauthorized users from seeing either.
upvoted 98 times

Sir_Learnalot 1 year, 1 month ago
For me it is exactly the last phrase you reference here which makes me think "A".
You want to prevent confidential information from leaking to "unauthorized users", so you should make sure only authorized users have access to your wireless network. Therefore you should use EAP. I agree on AES being the obvious choice for confidentiality, but from the wording of the question I'd go with EAP.
upvoted 21 times

hieptran 11 months, 4 weeks ago
AES is not commonly used for data encryption in transit. Also, the question mentioned "prevent unauthorized access". AES is only cryptographic and does not provide any authorization to the network... just keep it simple
upvoted 9 times

MikeM3 8 months, 4 weeks ago
AES (Advanced Encryption Protocol) is a widely used encryption standard that provides strong encryption for data at rest or in transit; it is considered one of the most secure encryption algorithms available
upvoted 2 times

CTE_Instructor 10 months, 2 weeks ago
The question prompt is to provide confidentiality from unauthorized users - the question is asking to configure authentication. The truest answer is configuring EAP-TLS, but unfortunately CompTIA split them into two separate options. I would select EAP among these options because that is an authentication protocol, and further specify in the actual real-world configuration page to use EAP-TLS, which is authentication using TLS encryption.
upvoted 1 times

CTE_Instructor 10 months, 2 weeks ago
I suppose when considering EAP with no encryption like TLS added, it would not solve the problem of confidentiality, in which case AES would provide security to the wireless network. It's a bit of a misleading question in all honesty.
upvoted 3 times

Ay_ma Highly Voted 1 year, 4 months ago
EAP - Extensible Authentication Protocol (EAP), an authentication framework that provides general guidance for authentication methods.
IEEE 802.1x servers typically use one of these methods to increase the level of security during the authentication process.
TLS - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that have been commonly used to encrypt data-in-transit. For example, it is common to encrypt HTTPS with either SSL or TLS to ensure confidentiality of data transmitted over the Internet. They can also be used to encrypt other transmissions such as File Transfer Protocol Secure (FTPS). However, TLS is now a replacement for SSL, as SSL is deprecated and shouldn't be used.
AES - Advanced Encryption Standard. A strong symmetric block cipher that encrypts data in 128-bit blocks. AES can use key sizes of 128 bits, 192 bits, or 256 bits.
HTTPS - Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts traffic with TLS using TCP port 443.
Definitions are from Darril Gibson's Study Guide.
upvoted 29 times

maggie22 Most Recent 3 days, 3 hours ago
Selected Answer: D
AES - Advanced Encryption Standard, short formed as AES, falls under the symmetric encryption category. Thus, in AES the sender and the recipient of the data use the same key to encrypt and decrypt the data. AES is a FIPS-approved symmetric algorithm that can be used for protecting the data and maintaining confidentiality and integrity of the data.
upvoted 1 times

8c55165 4 days, 7 hours ago
It has to be AES. This isn't about authentication, it's about exposure. What prevents exposure of confidential data? Encryption. What encrypts data? AES.
upvoted 1 times

Makamaka 5 days, 10 hours ago
Selected Answer: A
Authentication is the key word in the question, therefore A.
upvoted 1 times

aspiritualbeing 4 days, 22 hours ago
I believe you need to re-read the question, mate!
upvoted 2 times

ImBleghk 6 days, 13 hours ago
Selected Answer: A
EAP ensures that only authorized users can connect to the wireless network, helping to prevent unauthorized access and potential exposure of confidential data.
upvoted 1 times

getriecom 3 weeks ago
WPA3 uses the AES GCMP mode of operation
upvoted 1 times

lsalc 3 weeks, 4 days ago
EAP was not a choice on my test; I went with AES
upvoted 2 times

Dogeo 1 month ago
Selected Answer: D
The best option to ensure that confidential data is not exposed to unauthorized users in a shared wireless network environment would be D. AES (Advanced Encryption Standard). AES is a symmetric encryption algorithm that is highly secure and widely used. It provides strong security for data transmission over wireless networks. When configured on a wireless network, it encrypts the data transmitted between the wireless device and the wireless access point, thus preventing unauthorized users from intercepting and reading the data.
upvoted 1 times

saucehozz 1 month, 1 week ago
Selected Answer: D
WPA3 uses AES to protect communications.
upvoted 1 times

toluwalase022 1 month, 1 week ago
To ensure that confidential data is not exposed to unauthorized users on the wireless network, the security engineer should configure EAP (Extensible Authentication Protocol) for authentication and encryption. This protocol provides a secure method for verifying the identity of users and encrypting data transmission over the network. By implementing EAP, the wireless network can protect confidential data from unauthorized access. AES (Advanced Encryption Standard) is actually an encryption algorithm, not a specific configuration for a wireless network. While AES is a strong encryption algorithm commonly used in securing data, it is not directly configured on a wireless network. Instead, it is used as part of encryption protocols like WPA2 or WPA3 to provide secure communication.
So, in this case, option A, EAP, would be the more appropriate choice for securing the wireless network. Hope that clarifies it for you ALL.
upvoted 4 times

Teleco0997 (1 month, 2 weeks ago)
Selected Answer: A
I am going to give the CompTIA Security+ 2021 context, where the emphasis is often on a holistic security approach: user authentication and access control are typically considered FUNDAMENTAL, therefore, prioritizing EAP (Extensible Authentication Protocol) would align well with the goal of ensuring that confidential data is not exposed to UNauthorized users. EAP helps establish the identity of users and ensures that only authenticated and authorized individuals gain access to the network. While AES is crucial for encrypting data during transmission, EAP's focus on authentication directly addresses the prevention of unauthorized access.
upvoted 1 times

Teleco0997 (1 month, 2 weeks ago)
Selected Answer: D
While EAP (Extensible Authentication Protocol) is indeed important for authentication and securing wireless networks, it primarily addresses the authentication aspect rather than data encryption and confidentiality. To ensure that confidential data is not exposed to unauthorized users, the encryption of data in transit is crucial. Therefore, configuring encryption protocols such as WPA2 (Wi-Fi Protected Access 2) or WPA3 with strong encryption algorithms like AES (Advanced Encryption Standard) on the wireless network is essential. This ensures that even if unauthorized users gain access to the network, the data they intercept is encrypted and not easily readable. In summary, while EAP helps in authenticating users on the network, it's not sufficient on its own to ensure the confidentiality of data.
The combination of strong authentication mechanisms and robust data encryption (such as AES) is recommended for a comprehensive security approach in wireless network deployments.
upvoted 1 times

halfkoreanmike (1 month, 3 weeks ago)
It's EAP. Think wireless-specific solution.
upvoted 2 times

Samu64 (1 month, 3 weeks ago)
Selected Answer: D
AES. You're a bunch of rip-offs.
upvoted 1 times

subrift (2 months ago)
Selected Answer: A
Unauthorized = unauthenticated. EAP = Extensible Authentication Protocol.
upvoted 2 times

FK_AY (2 months ago)
The answer is: EAP
EAP is an authentication framework used in wireless networks and Point-to-Point connections. It provides a method for secure communication during the authentication phase. By implementing EAP, the security engineer can ensure that only authorized users can access the wireless network, thus protecting confidential data from unauthorized access.
AES (Advanced Encryption Standard): AES is a symmetric encryption algorithm used to encrypt data. While encryption is essential for protecting data, AES alone does not handle user authentication and access control on a wireless network.
upvoted 2 times

Topic 1 Question #27
The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?
A. Preventing any current employees' siblings from working at the bank to prevent nepotism
B. Hiring an employee who has been convicted of theft to adhere to industry compliance
C. Filtering applicants who have added false information to resumes so they appear better qualified
D. Ensuring no new hires have worked at other banks that may be trying to steal customer information
Correct Answer: C
Community vote distribution: B (91%), 9% other

YusufMadkour, Highly Voted (1 year, 4 months ago)
Selected Answer: B
B. Source: https://www.pcicomplianceguide.org/what-does-the-pci-dss-say-about-employee-background-checks/ PCI DSS requires background checks for employees handling credit card holder data.
upvoted 25 times

inkedia3, Highly Voted (1 year, 4 months ago)
I think the wording is a problem if you guys are considering B. Background checks are to identify falsification and misrepresentation. Answer is C.
upvoted 19 times

andrizo (1 year, 2 months ago)
A background check would not even verify anything on your resume.
upvoted 9 times

[Removed] (1 year ago)
That's incorrect completely. Background checks do include employment history.
upvoted 2 times

z3phyr (9 months, 1 week ago)
The answer is clearly B. We are talking about a Compliance Officer here. He wants to ensure new hires comply with the current hiring policy.
upvoted 2 times

z3phyr (9 months, 1 week ago)
Not to mention this is a bank. No person with a criminal history would EVER be allowed to work at a bank.
upvoted 5 times

Renfri (1 year, 1 month ago)
You think the compliance officer wants to go through the trouble of doing a background check just so they can verify your experience? Lol
upvoted 11 times

rhocale (1 year ago)
Speaking from experience, a background check does not verify anything on a resume.
upvoted 11 times

Ninja12345, Most Recent (1 day, 1 hour ago)
So is the answer B or C? This site is very confusing and frustrating!
upvoted 1 times

Happy2267 (1 week, 3 days ago)
Selected Answer: B
CompTIA SYS-601 Sec+ (pg. 522) study guide states "includes background checks designed to uncover any criminal activity or any other past behavior that may indicate that a potential employee poses an undetected risk".
upvoted 2 times

PreparationH (2 weeks, 3 days ago)
Since CCOs have intricate knowledge of compliance rules and their responsibilities include compliance training and ensuring that industry compliance is followed, answer B is the correct choice since the last part of the answer indicates "adhere to industry compliance". This policy is protecting compliance.
upvoted 2 times

utied (2 months, 3 weeks ago)
The answer is 'C'. The reason for background checks is to check the integrity of the person applying. Yes, you will also catch criminal records, but still, most dishonest people will tell little lies; this shows they have low integrity.
upvoted 3 times

iTomi (3 months ago)
Selected Answer: C
ChatGPT says: The policy MOST likely protecting against is: C. Filtering applicants who have added false information to resumes so they appear better qualified. A background check policy is primarily designed to verify the accuracy of information provided by job applicants and to ensure that applicants do not falsify their qualifications or experience. This helps in maintaining the integrity of the hiring process and ensuring that candidates are accurately representing themselves.
upvoted 2 times

Dwaynomite (1 month, 3 weeks ago)
I think it is important to indicate to ChatGPT that the question is in the context of CompTIA material. This is the response I got: In the context of the scenario described and considering CompTIA-related knowledge, the policy approved by the Chief Compliance Officer for a bank is most likely protecting against: B. Hiring an employee who has been convicted of theft to adhere to industry compliance. Background check policies are often implemented to verify the suitability of candidates for employment, especially in roles where trust and integrity are critical, such as in a bank. Checking for criminal records, including convictions related to theft or fraud, is a common component of background checks to ensure compliance with industry standards and regulations. This helps the organization make informed decisions about the suitability of individuals for positions that involve handling sensitive financial information.
upvoted 2 times

Ga2so (3 months, 1 week ago)
Answer in this scenario is definitely B. Key words here are "Compliance Officer" and "Industry Compliance". CO gave that approval in order to comply with industry standards. HR could give another approval for the purpose of verifying claims on a CV, but it was to comply with regulation in this case.
upvoted 2 times

RevolutionaryAct (4 months ago)
Selected Answer: C
C (Filtering applicants who have added false information to resumes so they appear better qualified) makes the most sense because it covers B (failure to disclose convictions, and thus if you were convicted of theft you'd be in prison and have to lie about where you were during that time).
upvoted 1 times

awscody (3 months, 1 week ago)
You don't put if you have been convicted on a resume. Compliance officers don't check backgrounds for resume info, they check it for personal info, not job experience. Answer is B.
upvoted 2 times

Skymaster8182 (2 months, 1 week ago)
A background check is not just criminal history. A background check includes work history and helps when applicants LIE about their work history. Everything on your résumé is what YOU say it is. A background check captures a lot of information to verify if that is true on top of criminal history. I can see why B is a good answer but I don't see why C is neglected.
This is once again another misleading question because a background check provides information beyond just criminal history.
upvoted 1 times

algiggio90 (4 months, 1 week ago)
Selected Answer: C is true
upvoted 1 times

algiggio90 (4 months, 1 week ago)
Selected Answer: C is True
upvoted 1 times

AmesCB (5 months, 1 week ago)
Maybe it is a bit too much, but the question is about new hires, not applicants, so the solution should not be for applicants, no?
upvoted 1 times

Protract8593 (5 months, 2 weeks ago)
Selected Answer: B
The background check policy is designed to screen potential new hires for any criminal history, including convictions for theft or other crimes. This policy helps the bank adhere to industry compliance and regulatory requirements by ensuring that employees with certain criminal backgrounds are not hired for positions that may pose a risk to the organization or its customers.
upvoted 1 times

frejus (6 months ago)
Answer is B. Here is why, from the official book of CompTIA S+: "A background check determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky. Employees working in high confidentiality environments or with access to high value transactions will obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance, background checks are mandatory. Some background checks are performed internally, whereas others are done by an external third party".
upvoted 3 times

ApplebeesWaiter1122 (6 months, 2 weeks ago)
Selected Answer: B
By implementing a background check policy, the bank ensures that potential employees' backgrounds are thoroughly reviewed, including any criminal records.
This helps to identify individuals who may have been convicted of theft or other relevant crimes, thus ensuring compliance with industry regulations and standards.
upvoted 3 times

Confuzed (8 months, 4 weeks ago)
Selected Answer: B
The key clue in this question is who ordered the background checks. The Chief COMPLIANCE Officer wouldn't care about people padding resumes or nepotism. They are only concerned with regulations compliance (PCI DSS at a bank). Therefore B is the right answer.
upvoted 2 times

dagsrevy1 (9 months, 1 week ago)
Selected Answer: B
Tempting to go for A... but B.
upvoted 2 times

Topic 1 Question #28
An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled. Which of the following can be used to accomplish this task?
A. Application allow list
B. SWG
C. Host-based firewall
D. VPN
Correct Answer: B
Community vote distribution: C (72%), B (28%)

YusufMadkour, Highly Voted (1 year, 4 months ago)
Selected Answer: C
Not A or D. Was not sure whether it should be B or C until I read the definition of SWGs in the official guide from CompTIA. "An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services"
upvoted 30 times

NICKJONRIPPER (1 year, 1 month ago)
So must be B, same result, but you cannot configure 100 host-based firewalls as C.
upvoted 5 times

daddylonglegs (2 months, 3 weeks ago)
No. A secure web gateway protects users going out to the internet. You can easily configure the host-based firewall through GPO and apply it to all machines at once.
upvoted 4 times

shitgod (1 year ago)
Why not? It's so common and easy with cloud orchestration tools.
upvoted 4 times

RevolutionaryAct (4 months ago)
Except these servers are not on-premises, they are all on the cloud, meaning they are IaaS and virtualized, and thus there are no hosts to base these firewalls on. Secure Web Gateway works on OSI Layer 4, which blocks ports. https://www.ibm.com/products/securegateway#:~:text=The%20Secure%20Gateway%20service%20represents,server%2Dside%20and%20mutual%20authentication.
upvoted 2 times

Mondicles, Highly Voted (1 year, 3 months ago)
Selected Answer: C
This one asks which one is used for port blocking in WEB SERVERS. SWG is primarily used to protect USERS from accessing or being infected by web threats. I'll go with firewalls to explicitly allow 443.
upvoted 24 times

ykt, Most Recent (1 week, 4 days ago)
Selected Answer: C
I did this as a part of my job; it's C. You make a baseline configuration that disables all ports except 443 and spawns all of them at once.
upvoted 1 times

getriecom (3 weeks ago)
Host-based firewall (or personal firewall)—implemented as a software application running on a single host designed to protect that host only. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network. SWG - A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).
upvoted 1 times

_deleteme_ (3 weeks, 2 days ago)
Secure Web Gateway (SWG) is a security solution that prevents unsecured internet traffic from entering an organization's internal network. Cloud-based proxy that enforces standards on URL filtering. I am going with B. https://www.comptia.org/blog/sase-secure-access-service-edge
upvoted 1 times

Saullostone (4 weeks ago)
How can a HOST-based firewall be a solution for cloud servers, not 1 or 2 but 100? I don't see a HOST-based firewall covering the issue.
upvoted 1 times

toluwalase022 (1 month, 1 week ago)
Selected Answer: C
To accomplish the task of disabling all web-server ports except 443, the most suitable option would be a host-based firewall. A host-based firewall can be configured to allow only specific ports, such as port 443 for secure web traffic, while blocking all other ports. This helps enforce the security policy and restrict access to the web servers. So, the correct answer is C. Host-based firewall. While a Secure Web Gateway (SWG) can provide security features like URL filtering and malware protection, it may not be the best choice for this specific task of disabling web-server ports. SWGs are typically used for monitoring and securing web traffic, rather than controlling access to specific ports on individual servers. In this case, a host-based firewall would be more appropriate for the task at hand. Hope that clarifies things for you all.
upvoted 3 times

Nick5535 (1 month, 2 weeks ago)
Selected Answer: B
Right answer is B as SWG is deployed in CLOUD environments whereas host-based firewall is deployed on HOSTS.
upvoted 1 times

hapy (1 month, 4 weeks ago)
Selected Answer: C
A Secure Web Gateway (SWG) is typically used to protect the network at a perimeter level and focuses on filtering web traffic for security threats, content filtering, and enforcing security policies for outbound web traffic.
upvoted 1 times

bzona (2 months, 1 week ago)
Selected Answer: B
SWG can help you force policies that can deny/allow traffic on a huge scale instead of configuring 100 firewalls one by one.
upvoted 1 times

utied (2 months, 3 weeks ago)
Selected Answer: C
SWG is for (content filtering, malware protection, URL redirection, time/resource policing) of the local network users out to the internet. NGFW is for external threats.
upvoted 1 times

daddylonglegs (2 months, 3 weeks ago)
Selected Answer: C
It's host-based firewalls.
Those saying you can't configure a host-based firewall on a virtual machine have probably never configured a virtual machine, because you absolutely can. A Secure Web Gateway protects users against malicious content on the Internet. It does nothing at all about traffic coming IN and reaching internal servers from the Internet. Those of you that choose B are focusing waaaaay too much on whether the definition of a secure web gateway could match the requirement for blocking traffic without thinking critically and actually considering the content of the question. Yes, you absolutely can configure a host-based firewall on a virtual machine. As for applying it to 100 machines, you can create an image that already has the firewall properly configured and then just boot the VMs with that image, or you can apply it through group policy or something similar. Even if you had to do all 100 by hand manually, that's still more applicable to the question than a secure web gateway.
upvoted 3 times

aman_s07 (3 months ago)
Selected Answer: B
From Cloudflare: A security policy is a rule that all data and network traffic within a company must conform to. For instance, suppose a company sets up a policy that all network traffic must be encrypted. Enforcing this policy would involve blocking websites that do not use HTTPS. A secure web gateway is one way to implement this policy, as it can filter out all non-HTTPS network traffic.
upvoted 1 times

daddylonglegs (2 months, 3 weeks ago)
That is for blocking web content. Not for preventing traffic coming IN, but to prevent users from even going out to specific sites. Remember what a gateway is, it's your way OUT.
upvoted 1 times

Cisco103 (3 months, 4 weeks ago)
Selected Answer: C
According to the official guide: "Content filters are now usually implemented as a class of product called a secure web gateway (SWG).
As well as filtering, a SWG performs threat analysis and often integrates the functionality of data loss prevention (DLP) and cloud access security brokers (CASB) to protect against the full range of unauthorized egress threats, including malware command and control and data exfiltration"
upvoted 2 times

RevolutionaryAct (4 months ago)
Selected Answer: B
THERE ARE NO HOSTS to put firewalls on since all 100 web servers are hosted on the cloud! (Well, aside from the hypervisor.) Servers are not on-premises, they are all on the cloud, meaning they are IaaS and virtualized, and thus host-based firewalls is wrong. Secure Web Gateway works on OSI Layer 4, which blocks ports. https://www.ibm.com/products/securegateway#:~:text=The%20Secure%20Gateway%20service%20represents,server%2Dside%20and%20mutual%20authentication.
upvoted 2 times

daddylonglegs (2 months, 3 weeks ago)
You are just completely wrong. You can absolutely configure a host-based firewall on a virtual machine, regardless of whether they are virtual or physical, on-prem or cloud-hosted.
upvoted 1 times

[Removed] (4 months, 2 weeks ago)
Answer is C.
upvoted 1 times

sujon_london (5 months ago)
It's SWG.
upvoted 1 times

Topic 1 Question #29
A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area without authorization. Which of the following security controls would BEST prevent this in the future?
A. Use appropriate signage to mark all areas.
B. Utilize cameras monitored by guards.
C. Implement access control vestibules.
D. Enforce escorts to monitor all visitors.
Correct Answer: B
Community vote distribution: C (68%), D (30%)

Mamun1, Highly Voted (1 year, 4 months ago)
Selected Answer: C
How would the guard know every individual and their access rights? The access control vestibule (AKA mantrap) seems to be more appropriate to me.
upvoted 24 times

rhocale (1 year ago)
It wouldn't stop them, just inform them.
upvoted 3 times

DriftandLuna, Highly Voted (5 months, 2 weeks ago)
Selected Answer: D
I chose escort as it mentions the tech is already in the DC. In my experience a mantrap is usually located near the entrance; the question seems to suggest he is already in the DC and walking around. It's a poorly worded question IMO though. When they talk about an area, are they referring to, say, a few rows where racks are in a DC or are they talking about a room? If it's a room then mantrap; if it's the former then escort.
upvoted 8 times

ProdamGarazh (1 month, 3 weeks ago)
I disagree. Many companies have restricted areas within their perimeter, and they are usually accessed with the badge by employees with a specific clearance.
upvoted 1 times

LO353 (3 months, 2 weeks ago)
Confusing because after the mantraps the engineer can access anywhere.
upvoted 2 times

Ninja12345, Most Recent (1 day, 1 hour ago)
Selected Answer: C
The access control vestibule.
upvoted 1 times

Cruzan (2 days, 6 hours ago)
It all depends on the data center because I personally worked as an engineer, and we had to notify the site ahead of time that we were coming onsite. At that time, they would issue us a badge that would give access to the room we needed to enter to work on a server. At other sites they have someone who would escort you to the room you're supposed to enter, and they have cameras everywhere to monitor if you are wandering the halls. So the mantrap in my opinion would be the best choice. The mantrap makes sure you can only enter the room they give you access to.
upvoted 2 times

wompywompwomp (2 months ago)
Selected Answer: C
Not sure why it says the answer is B.
That may not prevent it in the future. A mantrap would.
upvoted 1 times

TheFivePips (2 months ago)
Selected Answer: C
Only C and D actually could prevent access, and of the two, C seems a lot more plausible than having an escort for each visitor.
upvoted 1 times

MortG7 (2 months, 1 week ago)
Former telco guy here.. in the past I used to frequently visit our colo and was always escorted by a DC staff member and made sure I went into "OUR" cage where our equipment resided. However, since CompTIA is in love with "mantraps" and "vestibules", I am going with that.. horrible question.
upvoted 3 times

Fiftypeso (3 months, 2 weeks ago)
Selected Answer: C
Question states techie entered (just strolling along) into a restricted area without "authorization"; there's only one answer that has access control in it. I'm going with vestibules... you can have one without access control but this one is top'o the line, probably has a cute little beep when you tap your RFID on it and it validates access... or not (for this person anyways).
upvoted 1 times

guestionme (4 months, 1 week ago)
No clue what the correct answer is but I'll go with "Implement access control vestibules." It's probably the closest to what CompTIA is thinking: "access control".
upvoted 1 times

Lildj4sho (4 months, 3 weeks ago)
Selected Answer: C
Honestly, our perspective: D is the right answer, believe me, I know, I work in IT and based on certain projects, to go in the Data Center/Classified Comm room visitors need to sign a sheet and be escorted, sometimes set an appointment to even get escorted.
CompTIA is tricky so we need to go based on what they think, and honestly just an escort... I highly doubt CompTIA would have that as their answer. I'll go with C.
upvoted 3 times

HCM1985 (4 months, 1 week ago)
I actually went right ahead with letter D for the same reason.
upvoted 2 times

Kraken84 (5 months ago)
He is not a visitor, he is a technician who did not have access.... "Access" >'keyword'<
upvoted 1 times

RevolutionaryAct (5 months ago)
You could make an argument for either Implement access control vestibules OR Enforce escorts to monitor all visitors. But no way would cameras "prevent" such a thing from recurring. Bad question.
upvoted 1 times

assfedassfinished (5 months, 1 week ago)
Selected Answer: D
Definitely not B. We have visitor badges that state escort required for just such a scenario. The AC vestibule would not control un/authorized access to the DC unless we're supposed to assume that directly following the AC vestibule is the DC.
upvoted 1 times

darkhat (5 months, 2 weeks ago)
Honestly, I am confused, what's the correct answer according to CompTIA, guys?
upvoted 2 times

BonCheshire (3 months, 4 weeks ago)
Go ask them.
upvoted 3 times

Odisman1 (5 months, 2 weeks ago)
A is the correct answer.
upvoted 2 times

Protract8593 (5 months, 2 weeks ago)
Selected Answer: C
An access control vestibule, also known as a mantrap, is a physical security measure that creates an intermediate space between two secure areas. It typically consists of a small enclosed area with two or more interlocking doors. To gain access to the second secure area, a person must pass through the first door, which then closes and locks before the second door opens. This helps ensure that only one authorized person can enter the restricted area at a time, preventing unauthorized access and tailgating.
upvoted 3 times

LiteralGod (5 months, 3 weeks ago)
Selected Answer: D
I know from experience that an escort is commonplace when directing engineers to the correct equipment in datacentres.
A mantrap would be fine for access into the front of the data centre where there is manned security, but this would not work for every area within the data centre. It can be done but it basically isn't done.
upvoted 3 times

Topic 1 Question #30
Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?
A. Standard naming conventions
B. Domain services
C. Baseline configurations
D. Diagrams
Correct Answer: B
Community vote distribution: A (58%), B (42%)

yoloson, Highly Voted (1 year, 4 months ago)
Selected Answer: A
Quoting from the official guide below. A standard naming convention for hardware assets, and for digital assets such as accounts and virtual machines, makes the environment more consistent. This means that errors are easier to spot and that it is easier to automate through scripting. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the CMDB or network directory. Each label should conform to rules for host and DNS names.
upvoted 39 times

Dutch012 (8 months, 3 weeks ago)
But it does not manage "permissions and policies", I choose B.
upvoted 5 times

jcrittendon (2 months, 3 weeks ago)
IDENTIFY
upvoted 2 times

Jacob75 (8 months, 1 week ago)
It is only asking what provides the admin with the ability to more efficiently identify systems and manage permissions and policies. Not asking what is actually doing the managing. A is correct.
upvoted 8 times

Kraken84 (5 months ago)
Keywords! 'identify'
upvoted 4 times

mademade (1 month, 2 weeks ago)
"and" manage permissions and policies ......
upvoted 1 times

snrk (1 month, 1 week ago)
It's like trying to give a "Yes/No" answer to a multipart question "XXX and YYY?" where XXX and YYY contradict each other :-/
upvoted 1 times

rodwave, Highly Voted (1 year, 1 month ago)
Selected Answer: A
Answer: Standard naming conventions
These are naming frameworks used for naming hardware assets, and for digital assets such as accounts and virtual machines, in a consistent way. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point.
Helpful info:
Domain Services - Services that store centralized directory information and let users and domains communicate. When a user attempts to connect to a device or resource on a network, this service provides login authentication, verifying the user's login credentials and access permissions.
Baseline configuration - A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
upvoted 16 times

icaktan, Most Recent (1 week, 3 days ago)
Selected Answer: B
Answer must be B. A would be correct if it's ok "identify". But "manage permissions and policies" makes the difference here. So it's Domain Services.
upvoted 2 times

ganymede (3 weeks, 3 days ago)
Selected Answer: B
B. Domain services
upvoted 1 times

Petercx (1 month ago)
Selected Answer: B
Domain services would best provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level. Domain services, such as Microsoft's Active Directory, provide a centralized and standardized system for managing users, computers, and other devices on a network. They allow administrators to set policies and permissions based on a variety of factors, including a user's role, location, and service level. So, the correct answer is B. Domain services.
upvoted 2 times

subrift (2 months ago)
Selected Answer: B
In the question it mentions "manage permissions and policies based on role, location, and service level". "In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes." Naming conventions are super easy to make a mistake on so they're not reliable. ADDS is software, so it is definitely able to properly manage permissions and policies.
upvoted 2 times

TheFivePips (2 months ago)
Selected Answer: B
Standard naming conventions (Option A) are indeed essential for efficiently identifying systems, as they provide a consistent and structured way to name and categorize resources. They can help with organization and documentation. However, when it comes to managing permissions and policies based on location, role, and service level, domain services (Option B) are typically more comprehensive and effective. Domain services, such as Active Directory, offer centralized control over user and computer accounts, group policies, access controls, and resource management. They allow for fine-grained access control and policy enforcement based on various attributes, including location and role. So, while both standard naming conventions and domain services play crucial roles in system administration, the domain services provide a broader range of capabilities for managing permissions and policies, making them the preferred choice for achieving these specific tasks in many network environments.
upvoted 3 times

MortG7 (2 months, 1 week ago)
Another drunk person at CompTIA...
upvoted 6 times

DRadulescu (2 months, 1 week ago)
A. Standard naming conventions
upvoted 1 times

ganymede (2 months, 2 weeks ago)
Selected Answer: B
B. Domain Services
upvoted 1 times

ComPCertOn (2 months, 2 weeks ago)
Selected Answer: A
A makes sense, identify only!
upvoted 1 times

toluwalase022 (1 month, 1 week ago)
You clearly didn't see the "and manage". You only went with identify.
upvoted 2 times

RevolutionaryAct (4 months ago)
Selected Answer: B
Absolutely Domain Services, everything is here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview Definitely NOT naming conventions as that does not include locations, roles, permissions, policies.
upvoted 3 times

ComPCertOn (2 months, 2 weeks ago)
NC provide these services!
upvoted 3 times

MO233 (4 months, 1 week ago)
I'm a systems admin and I literally use AD (Domain services) to do all of these things.
upvoted 8 times

je123 (4 months, 2 weeks ago)
Selected Answer: A
A over B, as without A, having B won't be as effective. This is a tough question imo.
upvoted 1 times

sujon_london (5 months ago)
Under Active Directory (AD) in a Windows environment, provide centralized management and organization of network resources, including computers, users, and groups. It allows for efficient identification and grouping of systems based on various attributes, such as location, role, and service level. With domain services, systems administrators can implement standardized naming conventions, manage permissions and access control. Therefore B.
upvoted 1 times

Nikamy (5 months, 1 week ago)
Selected Answer: B
Domain Services
upvoted 1 times

Protract8593 (5 months, 2 weeks ago)
Selected Answer: B
Domain services, specifically Active Directory (AD) in a Windows environment, provide centralized management and organization of network resources, including computers, users, and groups.
It allows for efficient identification and grouping of systems based on various attributes, such as location, role, and service level. With domain services, systems administrators can implement standardized naming conventions, manage permissions and access control through group policies, and assign users to specific groups based on their roles and responsibilities. This centralized management makes it easier to apply consistent configurations, policies, and permissions to different sets of users and systems, streamlining the administration process. upvoted 4 times Protract8593 5 months, 2 weeks ago Why A is incorrect per ChatGPT: A. Standard naming conventions: While standard naming conventions can assist in identifying systems, they may not be as effective as domain services for managing permissions and policies based on attributes like location, role, and service level. upvoted 3 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 72/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #31 Which of the following would detect intrusions at the perimeter of an airport? A. Signage B. Fencing C. Motion sensors D. Lighting E. Bollards Correct Answer: E Community vote distribution C (95%) ender1701 Highly Voted 2% 1 year, 4 months ago Selected Answer: C Seriously, how does Bollards get identified as the correct answer on this site? It doesn't detect, it deters. It's a post. upvoted 47 times 4342421222 1 year, 3 months ago Right, but the first rule of security is physical. That's why it's correct. You would detect a vehicle driving up to a Bollard. Motion Senors are similar to IDS's. Important, but physical is the more important part of the question. upvoted 3 times cybertechb 2 weeks, 4 days ago a bollard is a physial control used to prevent not detect. the correct answer is motion sensor. 
Motion sensors are used to detect movement.
upvoted 1 times

Secplas  1 month, 3 weeks ago
Sensors can be put at the perimeter in areas which can't be covered. If you want to test this theory, drive close to an army base or NSA. You won't see any bollard, but you will surely see a cop car following you in a minute.
upvoted 2 times

Skymaster8182  2 months, 1 week ago
Overcomplicate the question if you like, but the truth is, you're going to fail the exam really quick with that kind of thinking. Bollards are just a post in the ground. It is a type of "Prevention" and NOT a type of "Detection". Sensors DETECT. Which was the exact point of the question.
upvoted 1 times

BlackMamba_4  5 months, 2 weeks ago
They have to mark the incorrect answer to avoid a CompTIA cease and desist.
upvoted 5 times

Pharaoh301  10 months, 3 weeks ago
If you hit a bollard, it would definitely be detected.
upvoted 10 times

Skymaster8182  2 months, 1 week ago
That bollard will appear on screen with a big fat FAIL if you choose that answer on the exam.
upvoted 1 times

iTomi  3 months ago
Only if you can see or hear it.
upvoted 1 times

lili00  8 months, 2 weeks ago
=)))) haha
upvoted 2 times

Sklark  1 year, 2 months ago
Hahaha, your response is priceless! "Oh no! We must be very stealthy. We wouldn't want the bollards to see us!!"
upvoted 12 times

m33lz  Highly Voted  1 year ago
Who reviews these questions and answers? Bollards, seriously... It's difficult to study when 60% of the answers are wrong.
upvoted 21 times

Confuzed  8 months, 4 weeks ago
Not at all. None of us KNOW what the right answer is according to CompTIA; they don't tell you which questions you get right or wrong. That's why there are discussions. Most likely the wrong answers are identified by the first vote, or perhaps by the person who provided the question. Or, as some speculate, they are wrong on purpose so that CompTIA can't say that this site is providing all the correct answers to their actual exam questions. Personally, I would rather they left the "correct answer" off altogether and just let our votes dictate the "right" answer. I find that I research the answers myself if the community seems split, thus I learn more.
upvoted 10 times

piff4sale  3 months, 1 week ago
Amen to that. They definitely do this on purpose so we discuss. If they were all correct, would we even have to? It's genius. They make it fun to learn!
upvoted 1 times

kennyboy23  Most Recent  1 month ago
We got folks talking about PIDS and fiber optics as they relate to detection systems on a fence, light, or bollard. Are ya serious? It's a motion sensor. Number one synonym for sensor? Detector! Key word is perimeter? Okay. Can't have a motion-sensing light on top of a bollard next to a fence with signs on it without a motion sensor. Motion sensor. Motion sensor.
upvoted 1 times

Nameoffun  1 month, 2 weeks ago
Selected Answer: C
Detect intrusion... not prevent, detect.
upvoted 1 times

Lagerthax  1 month, 3 weeks ago
I thought at first motion sensor, then I read the question: "airport perimeter". You cannot install motion sensors in an area as vast as an airport perimeter; that's why you see bollards all around the airport buildings. Just google airport bollards: there are 2 types, one gated that lets cars in and one static preventing entry. None of those are detective, but bollards are the only method airports use on the perimeter.
upvoted 2 times

skydirt  2 months, 1 week ago
Selected Answer: C
It's C like...
upvoted 1 times

TheFool999  2 months, 4 weeks ago
Selected Answer: C
I may be kind of new at this, but it's obviously C. I saw someone else say this answer is wrong on purpose, and I believe that. I've seen several that were SUPER obviously wrong. :)
upvoted 2 times

daddylonglegs  2 months, 3 weeks ago
You are correct. A bollard is a preventative or a deterrent control, not a detective one.
upvoted 1 times

iTomi  3 months ago
Selected Answer: C
The correct answer for detecting intrusions at the perimeter of an airport is: C. Motion sensors. Motion sensors are specifically designed to detect movement, and they are commonly used as part of an intrusion detection system to monitor and alert security personnel to any unauthorized activity along the perimeter. While other options like fencing and lighting play essential roles in perimeter security, motion sensors are the primary choice for actively detecting intrusions.
upvoted 1 times

markt310  3 months, 1 week ago
Here: https://www.bing.com/ck/a?!&&p=dc50e4c786ab64c0JmltdHM9MTY5NTYwMDAwMCZpZ3VpZD0xYWVkN2VhMC1jZGI1LTYzNDQtMWRkYi02Y2MyY2M5OTYyNjkmaW5zaWQ9NTUyNw&ptn=3&hsh=3&fclid=1aed7ea0-cdb5-6344-1ddb6cc2cc996269&u=a1aHR0cHM6Ly94d2Fsay5jb20vcHJvZHVjdC1jYXRlZ29yaWVzL2FjdGl2YXRpb24tZGV2aWNlcy9ib2xsYXJkcy9wZWRlc3RyaWFuLWRldGVjdGlvbi1waG90by1zZW5zb3ItYm9sbGFyZHMvIzpOnRleHQ9VHlwaWNhbGx5JTJDJTIwYSUyMHBhaXIlMjBvZiUyMGJvbGxhcmRzJTIwaXMlMjBwbGFjZWQlMjBhdCwlRTIlODAlOThicm9rZW4lRTIlODAlOTklMkMlMjBhbmQlMjB0aGUlMjBjcm9zc3dhbGslMjBsaWdodGluZyUyMHN5c3RlbSUyMGlzJTIwYWN0aXZhdGVkLg&ntb=1
upvoted 1 times

BlackSpider  3 months, 2 weeks ago
Selected Answer: C
C. Motion sensors - These devices actively detect movement. They are designed to pick up on unauthorized movements or intrusions and can trigger alarms when such movements are detected, making them a prime choice for detecting intrusions.
upvoted 1 times

RevolutionaryAct  5 months ago
Selected Answer: E
Unpopular opinion, but there is evidence that bollards do in fact detect motion: https://www.manchester.gov.uk/info/500283/road_and_pavement_problems/560/bollards/5
"Using the bollards and number plate recognition. Using the bollard system. The bollard system has a traffic light situated in the driver's line of sight. You must wait for the signal to give you a green light. You can then move safely through the automatic bollards. You must never try to access the system if the traffic indicator column is showing a red light. The bollards have safety loops which detect when a vehicle is over the bollard system and so will not rise under a vehicle. There is no intercom at the bollard system and so the bollards cannot be lowered by request. You will not be able to access an area secured with automatic bollards if you have not pre-registered your vehicle and personal details for a permit."
upvoted 2 times

daddylonglegs  2 months, 3 weeks ago
Just because it can detect motion does not mean that it is a "detective" security control. The function of a bollard is to *prevent* someone from driving a vehicle into a restricted area. Using motion detection as a method to deploy the bollard at a specific time doesn't change that it is a preventative or deterrent. Remember definitions. Regardless, how is a bollard with a motion sensor a better answer for a question about *detective* controls than just a motion sensor?
upvoted 1 times

TreeeSon  3 months, 3 weeks ago
I disagree because it just mentions detection. It doesn't specify whether it's exclusively vehicle detection. A bollard isn't going to detect someone on foot trying to intrude.
upvoted 1 times

Tejjo  5 months, 1 week ago
Selected Answer: C
A bollard is a sturdy, short, vertical post. The term originally referred to a post on a ship or quay used principally for mooring boats.
upvoted 1 times

lamrine04  5 months, 1 week ago
Selected Answer: C
Motion sensors detect motion. Examtopics probably had to mark this answer to make sure they stay compliant with some agreement they have with CompTIA.
upvoted 3 times

Shir0E  5 months, 1 week ago
Why is the answer E? Giving an incorrect answer intentionally.
upvoted 2 times

Protract8593  5 months, 2 weeks ago
Selected Answer: C
Motion sensors are devices used to detect movement or motion within their coverage area. They are commonly deployed as part of a security system to monitor the perimeter of a facility, such as an airport, and detect unauthorized intrusions. When someone or something moves within the range of a motion sensor, it triggers an alert, notifying security personnel of potential intruders. In conclusion, according to CompTIA Security+, the correct option to detect intrusions at the perimeter of an airport is C. Motion sensors. These sensors provide an active intrusion detection capability by alerting security personnel of potential unauthorized movement within the airport's perimeter.
upvoted 1 times

md4946  5 months, 3 weeks ago
Got it wrong.
upvoted 1 times

rueyb  8 months, 2 weeks ago
Selected Answer: C
Bollards don't detect anything.
upvoted 2 times

Topic 1 Question #32
A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?
A. Update the base container image and redeploy the environment.
B. Include the containers in the regular patching schedule for servers.
C. Patch each running container individually and test the application.
D. Update the host in which the containers are running.
Correct Answer: B
Community vote distribution: A (72%), C (15%), 8%

rodwave  Highly Voted  1 year, 1 month ago
Selected Answer: A
Answer: Update the base container image and redeploy the environment (A)
In the scenario, the vulnerabilities found were critical, meaning that patches would need to be applied immediately. The options to patch the containers (B & C) could work; however, patching would likely take months, and seeing how this vulnerability is critical, neither would address the concern's urgency. The option to update the host (D) also could work; however, the scenario specified that the vulnerabilities have been detected only on some applications and not on the host itself. While a container runs on a host machine, it does not mean they share the same vulnerabilities. So updating the host would likely not patch the vulnerabilities that were found in the containers. Out of the given options, the option to update the base container image would 1.) address where the vulnerabilities were found and what needs to be updated and 2.) address the urgency to patch the critical vulnerability.
upvoted 39 times

LePecador  5 months, 3 weeks ago
Very helpful indeed.
upvoted 2 times

Faisel  6 months ago
Very good explanation, well done!
upvoted 4 times

Gravoc  Highly Voted  1 year, 3 months ago
A is incorrect. The answer is D. Really shows that the voters don't know much about containers here. A container is merely a text file that allocates resources and libraries to a virtual environment, which in turn allows an application to function in an isolated environment. That's it. The containers share the same kernel as the base host system. Only the system kernel and a text file of allocated resources and libraries stands between a critical vulnerability and gaining access to the standard host computing environment. Swiss Cheese model and Defense-in-Depth apply here. Since there's no update to be applied to the container, and the base host & containers all are reliant on the same kernel, keeping the host system up to date with all security patches and firmware patches is the best way to prevent a critical vulnerability from breaking out of a container. Look up the container hierarchy, "dirty-pipe-exploit", and Docker software. Hardware > OS > Virtual Machine > Docker > Container. Updating the host machine is absolutely the answer.
upvoted 37 times

MikeM3  8 months, 4 weeks ago
Well, this comment didn't age well. Option D is a good security measure, but it doesn't address the vulnerabilities in the containerized applications themselves. The vulnerabilities may be specific to the containerized apps themselves and not the host itself, so updating the host may not address the issue. Option A is the correct answer.
upvoted 12 times

daddylonglegs  2 months, 3 weeks ago
Yes, THANK you.
upvoted 2 times

daddylonglegs  2 months, 3 weeks ago
The question is about vulnerable APPLICATIONS running INSIDE the container, not at all about the kernel.
upvoted 6 times

BevMe  8 months, 3 weeks ago
What is the host is managed by a third-party provider or if there are other applications running on the host that could be affected by the update?
upvoted 2 times

BevMe  8 months, 3 weeks ago
*What if, I mean
upvoted 1 times

Hiattech  9 months, 1 week ago
This isn't necessarily true. Containers can run on ESXi, which is Linux based. Updating ESXi is NOT going to update the individual Windows machines. However, A is not correct either, since redeploying a bunch of virtuals isn't an option either. The best option is to update the machines individually, preferably on a schedule and with testing on dev machines.
upvoted 1 times

HCM1985  4 months, 1 week ago
ESXi's kernel is not a Linux kernel. Although it indeed uses a lot of open-source software for its tools, the kernel itself is proprietary. About the question: we're talking about application vulnerabilities inside the container, not the host OS's. And updating an image and redeploying apps quickly with little to no downtime is actually not very complex.
upvoted 1 times

jijuk  Most Recent  4 days, 15 hours ago
Answer A is correct. The hierarchy provided by Gravoc, Hardware > OS > Virtual Machine > Docker > Container, is correct. However, the vulnerabilities found in the app have to be addressed in the container in the first place, before going to the upper level. If the vulnerabilities can be patched on the container level, then the container can be redeployed, fixing the issue.
upvoted 1 times

ykt  1 week, 3 days ago
Selected Answer: A
Some of the containers may be compromised; the best solution is to update the base image with all security patches and updates, and re-deploy all containers.
upvoted 1 times

toluwalase022  1 month, 1 week ago
Selected Answer: C
When it comes to remediating critical vulnerabilities in applications running inside containers, the best strategy would be option C: Patch each running container individually and test the application. Updating the base container image and redeploying the environment (option A) can be time-consuming and may not address vulnerabilities in the existing containers. Including the containers in the regular patching schedule for servers (option B) might not provide timely updates specifically for the containers. Updating the host in which the containers are running (option D) may not address vulnerabilities within the containers themselves. By patching each running container individually and testing the application (option C), you can ensure that the vulnerabilities within the containers are addressed directly. This approach allows for targeted remediation and reduces the risk of leaving any vulnerable containers in the environment.
upvoted 2 times

Teleco0997  1 month, 2 weeks ago
Selected Answer: A
For the ones who consider D as the correct answer: Updating the host system might enhance overall security, but it won't necessarily address vulnerabilities specific to the applications running inside containers. Each container is expected to be a self-contained unit, and updating the host won't automatically update the content of the containers.
upvoted 1 times

Lagerthax  1 month, 3 weeks ago
The base container image is an empty image, therefore answer A is wrong.
upvoted 1 times

Dlove  2 months ago
From my experience with this website so far, I appreciate the questions and the discussion even more. If your answer is different from the revealed answer, you are doing just fine.
upvoted 1 times

TheFivePips  2 months ago
Selected Answer: A
Update the base container image
Isolation and Consistency: Containers are designed to be lightweight and isolated instances. By updating the base container image, you ensure that all containers created from that updated image will have the latest patches and fixes. This approach maintains consistency across your environment.
Efficiency: Updating the base image and redeploying is more efficient than patching each running container individually. It's easier to manage and less error-prone.
Testing: You can thoroughly test the updated base image and application to ensure they work correctly before deploying them in production.
Options B and C may be less efficient and more error-prone, as they involve patching each running container individually. Option D, updating the host, may not necessarily address the vulnerabilities within the containers, as containers are designed to be isolated from the host system. Therefore, updating the base container image and redeploying the environment is the preferred approach for addressing critical vulnerabilities in containerized applications.
upvoted 1 times

MortG7  2 months, 1 week ago
The vulnerability is not with the container (base image)... it is with the app within the container. C
upvoted 1 times

BossCatKodi  4 months ago
Patch or Update the Vulnerable Components: Identify the specific vulnerabilities and the affected components (e.g., libraries, dependencies) within the containerized applications. Determine if patches or updates are available to address these vulnerabilities. Many software vendors release security updates and patches for known vulnerabilities. If patches or updates are available, apply them to the affected containers. This might involve rebuilding the container image with the patched components and deploying the updated image.
upvoted 1 times

bolom2365  4 months, 2 weeks ago
The best remediation strategy for critical vulnerabilities found in containerized applications is to update the base container image and redeploy the environment. The advantages of this approach are:
Containers are meant to be ephemeral and rebuilt frequently. Updating the image allows rebuilding secure containers.
Patching the base image once fixes the issue for all containers using that image. Individual container patching is inefficient.
Host patching does not fix vulnerabilities within the container images themselves.
Rebuilding from a patched base image is faster than live container or host patching.
Testing can be done on new containers from the updated image before redeploying en masse.
upvoted 1 times

RevolutionaryAct  5 months ago
Selected Answer: B
B makes the most sense here - think of containers like the apps on your smartphone. Though critical, these are not going to affect the phone itself. Do automatic patching and you are good. Second best is patch each and test.
upvoted 1 times

Pezo  5 months, 2 weeks ago
A is the correct answer. This option ensures that all containers launched from the updated base image will have the necessary security patches applied, effectively addressing the vulnerabilities across the entire containerized environment. It is a proactive approach that helps prevent future instances of the same vulnerabilities and ensures consistency across deployments.
upvoted 1 times

Protract8593  5 months, 2 weeks ago
Selected Answer: A
Container images serve as the foundation for containers, and vulnerabilities in the base image can affect all containers created from that image. By updating the base container image to one that includes the necessary security patches and fixes, the security analyst ensures that new containers deployed from the updated image will not contain the known vulnerabilities. Redeploying the environment with the updated image helps address the security concerns across all instances of the application running in containers.
Why D is wrong: D. Update the host in which the containers are running: Updating the host is essential for security, but it does not directly address the vulnerabilities within the container images. The vulnerabilities are specific to the containers themselves, and updating the host would not automatically resolve the issues within the containers.
In conclusion, according to CompTIA Security+, the BEST remediation strategy for addressing critical vulnerabilities in applications running inside containers is A. Update the base container image and redeploy the environment. This approach ensures that new containers will not contain the known vulnerabilities, providing a more secure foundation for the application.
upvoted 3 times

ApplebeesWaiter1122  6 months, 2 weeks ago
Selected Answer: C
Patch each running container individually and test the application would be the best remediation strategy for addressing critical vulnerabilities detected in applications running inside containers. Containers provide a lightweight and isolated environment for applications, but they can still be vulnerable to security vulnerabilities. To effectively remediate these vulnerabilities, it is important to patch the containers themselves. The recommended approach is to patch each running container individually. This involves applying updates or patches specifically to the container images or container runtime environment. By patching each container individually, you can ensure that the vulnerabilities are addressed within the specific context of each application. After patching, it is crucial to thoroughly test the application to ensure that the updates do not introduce any compatibility issues or unexpected behavior. Testing helps validate the functionality and security of the patched containerized application.
upvoted 1 times

user82  8 months, 3 weeks ago
Selected Answer: A
Updating the base container image is replacing the current image with a new one with better security patches, bug fixes, etc., which addresses vulnerabilities.
upvoted 1 times

Topic 1 Question #33
An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five-year cost of the insurance policy. The organization is enabling risk:
A. avoidance.
B. acceptance.
C. mitigation.
D. transference.
Correct Answer: D Community vote distribution D (100%) rodwave Highly Voted 1 year, 1 month ago Selected Answer: D Answer: Risk Transference Risk Transference is transferring risk to a third party such as a vendor. In cyber security, that can be through utilizing cyber-risk insurance. Cyber insurance generally covers a business' liability for a data breach involving sensitive customer information, such as account numbers, credit card numbers, health records etc. ============================================== Other Choices: Risk Avoidance - Strategy that eliminates risk by avoiding activities that would expose themselves to the risk. Risk Mitigation - the practice of reducing the impact of risks through preventative and reactive planning Risk Acceptance - When a business or individual accepts the potential loss from a risk. Generally occurs when the business or individual feels that the risk does not warrant the countermeasures. upvoted 12 times [Removed] Highly Voted 1 year, 4 months ago Selected Answer: D D. transference. upvoted 11 times Protract8593 Most Recent 5 months, 2 weeks ago Selected Answer: D The organization is enabling risk transference by purchasing an insurance policy to cover the potential financial losses associated with the identified risk. Transference involves shifting the financial impact of a risk to another party, such as an insurance provider. In this scenario, the organization is accepting the risk (by not investing in remediation) and transferring the financial consequences to the insurance policy provider. upvoted 3 times ApplebeesWaiter1122 6 months, 2 weeks ago Selected Answer: D In this scenario, the organization has decided to purchase an insurance policy to cover the potential financial losses associated with a risk. By transferring the risk to an insurance provider, the organization is shifting the financial burden and responsibility of managing the risk to the insurance company. 
This allows the organization to mitigate the potential impact of the risk by having the insurance policy cover the costs of remediation or any losses incurred. upvoted 2 times Otik 7 months, 2 weeks ago D, prime example of transferance upvoted 1 times Denniswhyz 8 months, 1 week ago Selected Answer: D Insurance = transference upvoted 1 times dagsrevy1 9 months, 1 week ago Selected Answer: D Paying the insurance company to share the risk. D upvoted 1 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 80/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Paramus 10 months, 3 weeks ago Selected Answer: D Transferring upvoted 1 times DALLASCOWBOYS 11 months, 1 week ago D. Any time insurance is used, you are transferring the risk to the insurance company upvoted 3 times Gr3gg3 1 year, 2 months ago Selected Answer: D D. Transferring the risk to a Third Party upvoted 1 times Jossie_C 1 year, 2 months ago You're transferring the risk to the insurer. D. TRANSFERENCE. upvoted 1 times banditring 1 year, 3 months ago whenever I see insurance I always go with transference upvoted 2 times varun0 1 year, 4 months ago Transference as the financial loss if the risk materializes is transferred to the insurance company upvoted 7 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 81/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #34 A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert? A. True negative B. True positive C. False positive D. 
False negative Correct Answer: A Community vote distribution C (90%) redsidemanc2 Highly Voted 6% 1 year, 3 months ago Selected Answer: C True Positive: A legitimate attack which triggers to produce an alarm. You have a brute force alert, and it triggers. You investigate the alert and find out that somebody was indeed trying to break into one of your systems via brute force methods. False Positive: An event signalling to produce an alarm when no attack has taken place. You investigate another of these brute force alerts and find out that it was just some user who mistyped their password a bunch of times, not a real attack. False Negative: When no alarm is raised when an attack has taken place. Someone was trying to break into your system, but they did so below the threshold of your brute force attack logic. For example, you set your rule to look for ten failed login in a minute, and the attacker did only 9. The attack occurred, but your control was unable to detect it. True Negative: An event when no attack has taken place and no detection is made. No attack occurred, and your rule didn’t make fire. upvoted 22 times redsidemanc2 1 year, 3 months ago alarms triggered and ciso blocked scanner ip. later scanner is not working cause ciso blocked the scanner upvoted 3 times ronniehaang Highly Voted 11 months, 1 week ago Selected Answer: C C. False positive. A false positive is a security alert that is generated when there is no actual threat or security violation, but the security system identifies it as such. In this scenario, the IP address 192.168.34.26 was blocked based on a security alert from the SIEM, but it turns out that the IP address was associated with a legitimate source (vulnerability scans). This results in the false positive, where the security system is blocking a legitimate activity. upvoted 19 times Kennee Most Recent 1 month, 2 weeks ago True Positive (Option B): An alert or detection correctly identifies a true security incident. 
True Negative (Option A): The system correctly identifies that no security incident is occurring, and no action is taken.
False Positive (Option C): An alert or detection incorrectly identifies normal or legitimate activity as a security incident, leading to unnecessary actions.
False Negative (Option D): The system fails to detect a real security incident, leading to a lack of action when action is needed.
The answer is C, False Positive
upvoted 1 times

G_logic44 1 month, 2 weeks ago
Here's the explanation: The SIEM alert initially flagged the local source IP address (192.168.34.26) as anomalous, leading to the decision to block it. However, the subsequent internal ticket indicates that the IP address is associated with vulnerability scans, and blocking it has caused an issue with the vulnerability scanning process. In this case, the original alert, which led to blocking the IP, was a false positive because the flagged activity was not actually malicious but part of legitimate vulnerability scanning.
upvoted 2 times

TheFool999 2 months, 3 weeks ago
Selected Answer: C
It's C. It's the only one that makes sense.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Selected Answer: C
Let me break it down for those that think this is true negative. The SIEM alerted on activity from the IP address as malicious. The IP was blocked, and then the analyst received the ticket that the vulnerability scanner with that IP was not working properly. So it's a POSITIVE because there was a detection and alert about potential malicious activity. But it's a FALSE POSITIVE because this was legitimate activity from a vulnerability scanner and not actually malicious. Definitely not a false or true negative because there was an alert.
Not a true positive because the IP is verified to be legitimate activity from the vuln scanner
upvoted 3 times

mjr131 3 months ago
The security analyst blocked a legitimate IP address for vulnerability scanning, thinking it was malicious activity. The subsequent issue with vulnerability scans not being performed properly indicates that the initial alert was a false positive.
upvoted 1 times

Rider2053 4 months, 3 weeks ago
C is the correct answer: as that IP is used for scanning purposes, there is no suspicious activity happening with that IP.
upvoted 1 times

feroze895 5 months ago
Selected Answer: A
Answer is A
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Answer is C. True negative implies that the SIEM did not alert at all.
upvoted 1 times

RevolutionaryAct 5 months ago
Selected Answer: C
There's no way it is a true negative, as there would be no detection in the first place if this were the case, which alone eliminates the two choices with negative in the answer. What makes it a false positive is that it said there was malicious activity but instead there was none.
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
In this scenario, the SIEM generates an alert indicating anomalous activity from the local source IP address 192.168.34.26. The Chief Information Security Officer (CISO) instructs the security analyst to block the originating source. However, after blocking the IP address, another employee reports that vulnerability scans are no longer being performed properly, and the provided IP address is also 192.168.34.26. A false positive occurs when a security tool, like the SIEM in this case, generates an alert for an event that is not actually malicious or a security threat. In other words, the initial alert was triggered incorrectly, and the activity from the IP address was not actually anomalous or malicious.
Blocking the IP address based on the false positive alert caused unintended consequences and disrupted legitimate network activity, leading to the reported issues with vulnerability scans.
upvoted 3 times

david124 5 months, 3 weeks ago
True positive: An alert generated by a security system that correctly identifies actual malicious activity or a real security threat.
True negative: When a security system correctly identifies that no malicious activity is occurring, and there is no actual security threat.
False positive: An alert generated by a security system for an event or activity that is not malicious or threatening, causing unnecessary actions or disruptions.
False negative: When a security system fails to detect actual malicious activity or a real security threat, resulting in a missed detection.
In this case, the alert from the SIEM was a false positive, as it led to blocking a benign internal IP address that was associated with vulnerability scans.
upvoted 1 times

LiteralGod 5 months, 3 weeks ago
Selected Answer: C
The wording of the question is terrible, but considering the initial anomalous activity was in fact a legitimate process (vulnerability scan), this would be classified as a false positive.
upvoted 1 times

md4946 5 months, 3 weeks ago
Selected Answer: A
Everyone here is dumb and doesn't know what a true negative is: it is a scenario when legitimate activity is defined as legit and illegitimate is defined as illegal. Here the officer blocked the IP, so whoever will access it will get a notification that it is not permissible; it's so obvious it's true negative. How people here are dumb, and many of them even got their Security+ certificate. I suggest the certificates of those people who got this answer wrong should be revoked or dismissed, because this question is one of the main terms and basic terms of the Security+ exam.
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
Imagine saying "everyone here is dumb" then being completely wrong. The false positive was the initial alert from the SIEM that alerted on LEGITIMATE vulnerability scanner activity as ILLEGITIMATE. The part about the CISO asking the IP be blocked is to add further context to the question so that we learn that the activity is from a vulnerability scanner.
upvoted 1 times

imuetic 5 months, 4 weeks ago
...Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert? Answer is A... note that no attack occurred days after the initial attack and when the IP was blocked. True Negative: An event when no attack has taken place and no detection is made. No attack occurred, and your rule didn't fire.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Except there WAS a detection, which is why they wanted to block the IP in the first place; then they later realized it was legitimate activity from a vulnerability scanner. False Positive. Anything else is wrong.
upvoted 1 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: C
This situation indicates a false positive alert. A false positive occurs when a security system incorrectly identifies legitimate activity as malicious or anomalous. In this case, the initial SIEM alert misidentified the activity originating from IP address 192.168.34.26 as anomalous, leading to the decision to block it. However, the subsequent issue with vulnerability scans suggests that the IP address is actually a legitimate internal resource required for proper scanning.
upvoted 3 times

darklion 9 months ago
Selected Answer: C
Answer: C. False positive
Explanation: A false positive is an alert that incorrectly indicates that something is wrong when it is not. In this case, the initial alert about anomalous activity coming from the IP address 192.168.34.26 was a false positive. The SIEM incorrectly identified the activity as suspicious or malicious, leading the security analyst to take action by blocking the IP address. However, this action caused a legitimate process or service to be disrupted, leading to a new ticket being opened about the vulnerability scans not working properly.
upvoted 3 times

Topic 1 Question #35
A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?
A. SSAE SOC 2
B. ISO 31000
C. NIST CSF
D. GDPR
Correct Answer: C
Community vote distribution: B (85%), C (15%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: B
ISO 31000. The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization. Regulatory compliance initiatives are usually specific to a particular country and applicable to certain sized businesses or businesses in specific industries. However, ISO 31000 is designed to be used in organizations of any size. Its concepts work equally well in the public and the private sector, in large or small businesses and nonprofit organizations.
upvoted 40 times

carpathia Highly Voted 1 year, 1 month ago
Depends how you define Security Analyst: if it's cyber then it's NIST CSF; if he/she deals with general risk (not only cyber) then it's ISO 31000. God help us with CompTIA style questions...
upvoted 15 times

carpathia 1 year, 1 month ago
Coming back to my post, they mention "standard".
I don't think NIST CSF is a standard per se, just recommendations. ISO is definitely a standard.
upvoted 12 times

RevolutionaryAct 5 months ago
This is why it's NIST: https://www.onetrust.com/blog/iso-27001-vs-nist-cybersecurity-framework
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
That link gives no information as to why it's NIST CSF over ISO 31000. In fact your link talks about ISO 27001, which isn't even part of the question. NIST CSF is an overall cybersecurity framework; ISO 31000 is specific to risk management. Also this is the third time I've seen you giving blatantly wrong answers, makes me think you are out here deliberately misinforming people...
upvoted 7 times

_deleteme_ Most Recent 3 weeks, 2 days ago
According to Professor Messer, the NIST CSF industry standard has 3 cores. Framework Implementation addresses risks and processes to manage risk. ISO 31000 is an international standard for risk management. C is looking like the right answer unless the question needed an international standard. https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/security-frameworks/
upvoted 1 times

Petercx 1 month ago
Selected Answer: B
The best source for a security analyst to use when developing a risk management program would be the ISO 31000 standard. This is a foundation standard on risk management that explains the fundamental concepts and principles of risk management, describes a framework, and outlines the processes of risk identification and management.
upvoted 2 times

toluwalase022 1 month, 1 week ago
Selected Answer: C
When it comes to developing a risk management program, the best source for the security analyst to use would be option C: NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). The NIST CSF provides a comprehensive framework for managing and reducing cybersecurity risks.
It offers a set of guidelines, best practices, and standards that organizations can follow to assess and improve their cybersecurity posture. It covers areas such as risk assessment, threat mitigation, and incident response. While options A, B, and D are also relevant in their respective domains, the NIST CSF is specifically designed to address cybersecurity risk management and is widely recognized and adopted by organizations worldwide.
upvoted 1 times

Nick5535 1 month, 2 weeks ago
Selected Answer: B
ISO 31000 is a standard and NIST CSF is a cybersecurity framework
upvoted 1 times

sohti 1 month, 3 weeks ago
Both NIST and ISO 31000 are solid choices, and the best one for you depends on your specific needs and context. If you're primarily focused on information security and want a detailed framework, NIST might be more suitable. On the other hand, if you're looking for a broader approach that can be applied across different types of risks, ISO 31000 is a great option.
upvoted 2 times

YaadFox 2 months, 3 weeks ago
Selected Answer: C
Option B, "ISO 31000," is indeed a well-regarded international standard for risk management. However, it's a general risk management standard, and while it provides valuable principles and guidelines for risk management, it does not specifically focus on cybersecurity risk management. If the security analyst's primary goal is to develop a risk management program for cybersecurity and information security, then a more specific framework or standard like the NIST Cybersecurity Framework (NIST CSF) would be a more suitable reference. The NIST CSF is designed explicitly for managing and mitigating cybersecurity risks, providing detailed guidance on protecting critical information and infrastructure.
upvoted 1 times

tarakrishna1692 2 months, 4 weeks ago
Selected Answer: B
ISO 31000 — Risk management
upvoted 1 times

HackBishop 4 months, 1 week ago
Since the question refers to "standard" I will go with ISO 31000; if not, the NIST CSF would have been my option
upvoted 1 times

RevolutionaryAct 5 months ago
Selected Answer: C
Did a little digging and the key phrase is "management program" and BEST. The main reason NIST is superior here is because ISO 31000 CANNOT be used for certification purposes whereas NIST CSF can be used: https://www.iso.org/iso-31000-risk-management.html
Also NIST is free whereas ISO is not, so that's another advantage for NIST: https://www.auditboard.com/blog/nist-vs-iso-whats-the-difference/
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
"Certification purposes" are mentioned nowhere in the question, so tell me again how that's the main reason NIST is superior?
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
ISO 31000 is an international standard for risk management issued by the International Organization for Standardization (ISO). It provides principles, a framework, and guidelines for managing risks effectively and efficiently in any organization. The standard focuses on the entire risk management process and helps organizations identify, analyze, evaluate, treat, and monitor risks systematically.
upvoted 1 times

Kraken84 5 months ago
ISO 31000 unfortunately cannot manage anything though...
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
None of the answers can, because they are all just guidelines. They are meant to guide organizations in CREATING a risk management program. Neither ISO nor NIST alone manages anything.
upvoted 2 times

LiteralGod 5 months, 3 weeks ago
Selected Answer: B
ISO 32000 is a risk framework
upvoted 2 times

ApplebeesWaiter1122 6 months, 2 weeks ago
Selected Answer: B
ISO 31000 is an international standard that provides principles and guidelines for effective risk management.
It offers a comprehensive framework that organizations can utilize to establish, implement, and continuously improve their risk management processes. The standard emphasizes a systematic and proactive approach to identifying, assessing, treating, and monitoring risks across the organization.
upvoted 1 times

new_to_this 8 months, 2 weeks ago
Selected Answer: C
What is the difference between ISO 27001 and NIST CSF? It is a standard you follow, with guidelines that are dependent on your own organizational security needs. Both NIST and ISO 27001 have their own specific place in a security roadmap. NIST CSF is meant to guide your security needs, while ISO 27001 helps to prove your security.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
The question is about ISO 31000. ISO 27001 is not mentioned in the question at all.
upvoted 1 times

TheGuitarMan_61 9 months ago
Per the CompTIA guide page 531, ISO 31000 = Risk Management.
upvoted 2 times

darklion 9 months ago
Selected Answer: B
ISO 31000 is the best source for the analyst to use in order to develop a risk management program. ISO 31000 is a globally recognized risk management standard that provides principles, a framework, and a process for managing risk. It is applicable to any organization, regardless of size or industry, and is widely accepted as a best practice for risk management. The other options are more focused on specific areas such as cybersecurity (NIST CSF), auditing (SSAE SOC 2), and privacy (GDPR).
upvoted 2 times

Topic 1 Question #36
The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?
A.
Lessons learned
B. Preparation
C. Detection
D. Containment
E. Root cause analysis
Correct Answer: A
Community vote distribution: A (93%), 7% other

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: A
Answer: Lessons learned
Lessons learned is the final step in the incident response where the organization reviews their incident response and prepares for a future attack. This is where you understand how/why an incident occurred, identify any weaknesses in your organization's practices, any positive elements or practices that went well, and things that could be done to prepare for a future incident.
=========================
Incident Response - A set of instructions or procedures an IT staff follows to detect, respond to, and recover from a security incident.
Phases in the Incident Response Plan
1. Preparation: The organization plans out how they will respond to an attack; this can involve:
2. Identification: Detecting and determining whether an incident has occurred.
3. Containment: Once a threat has been identified, the organization must limit or prevent any further damage.
4. Eradication: The removal of the threat
5. Recovery: Restoring systems affected by the incident
6. Lessons Learned: Where the organization reviews their incident response and prepares for a future attack
upvoted 22 times

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
What are lessons learned? The Project Management Institute (PMI) defines them as "the learning gained from the process of performing the project". In the context of security incidents, they usually take place after a security incident has occurred and has been mitigated.
upvoted 5 times

Ruger Most Recent 2 months, 2 weeks ago
Selected Answer: E
E. Root cause analysis
The Chief Information Security Officer (CISO) is requesting a report on potential areas of improvement following a security incident. This corresponds to a root cause analysis process.
Root cause analysis involves investigating the incident to identify the underlying causes, vulnerabilities, or weaknesses that led to the security incident. It aims to understand why the incident occurred, what weaknesses were exploited, and how to address those weaknesses to prevent similar incidents in the future.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
The Chief Information Security Officer (CISO) is requesting a report on potential areas of improvement following a security incident. This indicates that the CISO wants to conduct a lessons-learned process. Lessons learned is a critical phase in incident response that involves analyzing the incident after it has been resolved to identify what went wrong, what worked well, and what areas need improvement. This process helps organizations enhance their incident response procedures and make adjustments to prevent similar incidents in the future.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
Option A, "Lessons learned," refers to the practice of capturing and documenting the knowledge and insights gained from a security incident. It involves analyzing the incident response process, identifying what worked well and what didn't, and extracting key takeaways and recommendations for improvement. By conducting a lessons learned analysis, the organization can identify gaps or deficiencies in their incident response procedures, technical controls, staff training, or other areas that may have contributed to the incident or hindered the response efforts. The report generated from the lessons learned process provides valuable information for enhancing the organization's security posture and strengthening its incident response capabilities in the future.
upvoted 1 times

fouserd 9 months ago
Selected Answer: A
The incident response process that the CISO is requesting is lessons learned. The lessons learned process involves reviewing the incident and identifying areas where improvements can be made to prevent similar incidents from occurring in the future. This can include changes to policies and procedures, additional training for employees, or changes to technical controls.
upvoted 1 times

Scott_wu 9 months, 2 weeks ago
Selected Answer: E
potential areas of improvement
upvoted 1 times

assfedassfinished 5 months ago
Potential areas of improvement are gleaned from lessons learned.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Lessons Learned. Evaluates the response plan and procedures and improves them as necessary
upvoted 1 times

mlonz 11 months, 3 weeks ago
something straightforward
upvoted 1 times

mlonz 11 months, 3 weeks ago
something straightforward
upvoted 1 times

Korokokokokoko 1 year, 1 month ago
Selected Answer: A
This is the correct answer
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: A
A - Lessons Learned, agree with
upvoted 3 times

varun0 1 year, 4 months ago
Selected Answer: A
Lessons learned is a process in incident response to learn from the incident and improve.
upvoted 3 times

Topic 1 Question #37
A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?
A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting
Correct Answer: A
Community vote distribution: A (78%), B (15%), 7% other

babyzilla Highly Voted 1 year, 2 months ago
I read the comments below. Many of you are associating social media messages with fake news, which is leading you to the answer: Hoax.
However, social media messages are usually just that, messages. Think of a DM via Instagram. That is a direct message through a social media application. Most social media apps have IM features. I think there is a false notion of fake news with this question. For this reason, I believe it is SPIM.
upvoted 23 times

CTE_Instructor 10 months, 1 week ago
The key phrase in this question is "unverified sources". The main idea/principle of the question is to avoid spreading messages that have not been verified as truth. This is to reduce hoaxes/misinformation from spreading, which are also primarily spread via social media. SPIM is for instant message spam and is seen in the form of unsolicited messages on an instant messaging platform. From CompTIA's perspective, instant messaging DMs and social media messages are not the same. Also, the training the company would do would not affect SPIM anyway.
upvoted 12 times

Joe1984 Highly Voted 1 year, 4 months ago
Selected Answer: A
Hoaxes
upvoted 15 times

z3phyr 9 months, 1 week ago
You are right Joe
upvoted 1 times

fercho2023 Most Recent 3 months, 1 week ago
If we agree on the following definition: "SPIM are spam messages symptomatic of widely-used free instant messaging apps like Messenger, Whatsapp, Viber, Telegram, Skype and WeChat. These spam messages are usually commercial-type spam but can contain malware and spyware." Then choosing SPIM over Hoax makes more sense.
upvoted 3 times

assfedassfinished 5 months ago
Selected Answer: A
Spammers send spam/SPIM. If you forward unverified mail, as described in the question, that's a hoax.
upvoted 4 times

BigIshai 5 months, 1 week ago
I believe the reason a company would not want their employees to forward unverified messages would be so that they do not give credence to possible fake news and stake the reputation of the organization carelessly. The truth is once the unverified source is proven wrong, the news will read that an employee of a reputable organization posted.......
Bad press/publicity is never good for business no matter how innocent. I would go with A. (Hoaxes)
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Security awareness training that emphasizes not forwarding social media messages from unverified sources would help to prevent hoaxes. A hoax is a deceptive message or information that is spread with the intention to mislead or deceive recipients. By educating employees not to forward social media messages from unverified sources, the company can reduce the spread of false or misleading information, thereby minimizing the impact of hoaxes.
upvoted 4 times

XTN 5 months, 3 weeks ago
Fake News
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
The training regarding not forwarding social media messages from unverified sources would help to prevent A. Hoaxes. Hoaxes are deceptive messages or information that are spread widely, often through social media platforms or email, with the intention to mislead or deceive recipients. These hoaxes may contain false claims, fabricated stories, or misleading information, and they can be harmful or cause panic if shared without verification. By training employees not to forward social media messages from unverified sources, individuals become more cautious and discerning about the information they share. They are encouraged to verify the authenticity and accuracy of the content before spreading it further. This helps to prevent the spread of hoaxes and reduces the potential negative impacts associated with misinformation.
upvoted 1 times

LeonardSnart 8 months ago
Selected Answer: A
"We've all probably received the e-mails stating that little Timmy is dying of a serious disease and wants his e-mail forwarded to 10,000 people, or that Bill Gates is giving away his fortune and you can receive a part of it if you forward the e-mail to 10 of your friends. You've probably also seen e-mails asking you to provide bank account information so that a deposed prince or forgotten relative can deposit millions of dollars into your bank account to save their fortune. Hoaxes aren't confined to e-mail; hoaxers can use fake Web sites, social media sites, and even telephone calls to perpetrate a hoax. Their goal may be to get donations, spread a fake story, or even simply see how many people will fall for it. As with most other social engineering attacks, an organization's best defense against hoaxes is a good security education and training program for users." -Mike Meyers, Security+ Cert Guide Third Edition SY0-601
upvoted 3 times

TheWaraba 8 months, 4 weeks ago
I read most of the comments here, but I think what can help pick between Hoaxes and SPIM is that an end user training would not prevent SPIM per se; it would prevent users from clicking on links in SPIM but not from receiving them. An end user training would definitely help users be aware of hoaxes and not spread them.
upvoted 3 times

diztrik 9 months, 2 weeks ago
Selected Answer: B
I believe SPIM is the correct answer here.
upvoted 4 times

asabi 9 months, 4 weeks ago
Selected Answer: C
These types of training sessions would help to prevent identity fraud, as they help people to recognize the signs of malicious attacks or scams that could be used to steal their identities or other personal info.
upvoted 1 times

goat23 11 months ago
ChatGPT says it's A. Hoaxes
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Hoax. Is designed to convince targets to perform an action that would reduce or harm their IT security.
Often encourages victims to spread the word. Since they are concerned with forwarding unverified sources, this suggests it is a hoax they are concerned with.
upvoted 3 times

shi_ 11 months, 1 week ago
Selected Answer: B
This question really has vague answer options.... I was contemplating between hoaxes and SPIM; however, IMO in terms of loss, hoaxes don't cost much for a company (for example, resulting in a sense of urgency to forward threatening/frightening messages that affect the company), whereas SPIM can be quite fatal for a company error (for example, clicking a link resulting in malware/spyware)
upvoted 3 times

JustIyke 11 months, 4 weeks ago
Context is important in this question. Per CompTIA definitions, the answer is SPIM because the message comes from social media. Hoax or any other option will be correct in conventional terms, but for the purpose of this test I am 100% sure the answer is SPIM
upvoted 6 times

blacktaliban 1 year, 2 months ago
Selected Answer: A
Sharing unverifiable information on social media might as well be called fake news
upvoted 2 times

Topic 1 Question #38
A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following MOST likely explains this behavior?
A. DNS poisoning
B. MAC flooding
C. DDoS attack
D. ARP poisoning
Correct Answer: C
Community vote distribution: C (100%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: C
Most denial of service (DoS) attacks against websites and gateways are distributed DoS (DDoS). This means that the attack is launched from multiple hosts simultaneously. Typically, a threat actor will compromise machines to use as handlers in a command and control network.
The handlers are used to compromise hundreds or thousands or millions of hosts with DoS tools (bots), forming a botnet. The internal network has not been affected by the attack.
upvoted 28 times

varun0 1 year, 4 months ago
Agreed
upvoted 3 times

C_M_M Highly Voted 9 months, 2 weeks ago
In DDoS, both internal and external performance would be affected. This is because DDoS consumes the resources of the server in question. In that case, the server will be slow irrespective of whether it's being accessed internally or externally. I don't think it's DDoS. Maybe DNS poisoning. Those external users have been redirected to another fake server which is slow, but the real server is working just fine.
upvoted 6 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: C
The scenario described, where the response time of an internet-facing application has been degraded while the internal network performance remains unaffected, is indicative of a Distributed Denial of Service (DDoS) attack. A DDoS attack involves overwhelming a target server or network with a large volume of traffic or requests from multiple sources, rendering the target's services slow or unavailable. In this case, the application's internet-facing infrastructure is under attack, resulting in degraded response times for external users trying to access the application.
upvoted 5 times

sujon_london 5 months ago
Agreed
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
The behavior described, where the response time of an internet-facing application is degraded while internal network performance remains unaffected, is indicative of a Distributed Denial of Service (DDoS) attack. A DDoS attack involves a large number of compromised or malicious systems flooding a target network or application with a high volume of traffic, overwhelming its resources and causing service degradation or complete unavailability.
The purpose of a DDoS attack is to disrupt the normal functioning of a system or service by exhausting its resources. In this scenario, the numerous alerts reporting degraded response time for the internet-facing application suggest that the application is under heavy traffic load from the external network. The internal network performance remains unaffected because the attack is specifically targeting the application from the internet, not the internal network infrastructure.
upvoted 3 times

princajen 10 months ago
Selected Answer: C
C. DDoS attack
DNS poisoning, MAC flooding, and ARP poisoning are all types of attacks that can affect network performance, but they do not typically result in the degradation of a single internet-facing application while leaving the rest of the network unaffected.
upvoted 4 times

ronniehaang 11 months, 1 week ago
Selected Answer: C
C. DDoS attack. A Distributed Denial of Service (DDoS) attack is a type of cyber attack in which multiple compromised computers are used to flood a targeted system with high volumes of traffic, overloading it and making it unavailable for its intended users. If the targeted system is an internet-facing application, it could result in degraded response times or even complete unavailability. In such cases, the internal network performance may not be degraded, but the internet-facing application would be impacted by the increased traffic from the DDoS attack.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
B. MAC Flooding. In MAC flooding the attacker is not getting into the path between the client and server. The question states the internal network was not degraded. DDoS denies service; the question stated performance was degraded, not denied.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Keyword: "internet-facing application".
This means that the attack was from the outside, so the answer can't be an OSI layer 2 (Data Link Layer - MAC) attack. Rather, it must be a layer 3 (Network - IP) attack. Why? Because if the attacker were from inside the network, then it would be a layer 2 (MAC) attack, but the question doesn't mention that. Moreover, the question mentions that the internal network performance was fine, so the attack was definitely from the outside, targeting a specific host that was open to the public internet. For more information: https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
upvoted 2 times

TheWaraba 8 months, 4 weeks ago
DDoS can either degrade performance or deny service; it depends on many factors. DDoS doesn't always mean that there's an actual denial of the service.
upvoted 1 times

EvelynStandford 10 months, 3 weeks ago
I thought this also for the words used in the question; sadly there is no way to be 100% sure of the answer here
upvoted 1 times

duagreg 1 year, 1 month ago
DDoS for sure
upvoted 1 times

Iamboolean 1 year, 3 months ago
Selected Answer: C
Answer C = Distributed Denial Of Service.
upvoted 1 times

comeragh 1 year, 4 months ago
Good spot stoneface
upvoted 1 times

varun0 1 year, 4 months ago
Selected Answer: C
DDoS seems obvious to me.
upvoted 3 times

Topic 1 Question #39
Which of the following will increase cryptographic security?
A. High data entropy
B. Algorithms that require less computing power
C. Longer key longevity
D. Hashing
Correct Answer: A
Community vote distribution: A (96%), 3% other

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
Entropy is a measure of disorder. A plaintext will usually exhibit low entropy as it represents a message in a human language or programming language or data structure. The plaintext must be ordered for it to be intelligible to a person, computer processor, or database.
One of the requirements of a strong cryptographic algorithm is to produce a disordered ciphertext. Put another way, the ciphertext must exhibit a high level of entropy. If any elements of order from the plaintext persist, it will make the ciphertext vulnerable to cryptanalysis, and the algorithm can be shown to be weak. upvoted 77 times Kraken84 4 months ago What level of Entropy does America now exhibit? I learned me a new word upvoted 2 times Iamboolean 1 year, 3 months ago Very good explanation, thanks! upvoted 2 times varun0 Highly Voted 1 year, 4 months ago Selected Answer: A Entropy seems obvious to me. upvoted 6 times toluwalase022 Most Recent 1 month, 1 week ago Selected Answer: A Among the options you mentioned, there are a couple that can increase cryptographic security. One of them is high data entropy, which means having a good amount of randomness in the data being encrypted. This randomness makes it harder for attackers to predict and break the encryption. Another option is longer key longevity. Using longer cryptographic keys can enhance security because longer keys have a larger key space, making them more difficult to crack through brute force attacks. So, the correct answers would be A. High data entropy and C. Longer key longevity. These measures can help strengthen cryptographic security. upvoted 2 times _Bihari_ 1 month, 4 weeks ago Selected Answer: C The option that will increase cryptographic security is: C. Longer key longevity: Increasing the length of cryptographic keys enhances security by making it more difficult for attackers to perform brute-force attacks. Longer key lengths generally provide a higher level of security, as they increase the number of possible combinations, making it computationally infeasible for attackers to break the encryption by trying all possible keys. upvoted 1 times Noumenon72 3 days, 11 hours ago Longer key _longevity_ is not longer key _lengths_, but using the same key for longer without rotating it. 
This gives attackers more time to acquire and use the key and decreases security. upvoted 1 times gho5tface 4 months, 1 week ago Selected Answer: D Going against the crowd upvoted 1 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 94/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics daddylonglegs 2 months, 3 weeks ago Then explain why hashing is the answer upvoted 1 times faha83 5 months, 2 weeks ago not really familiar with Entropy. happy to learn upvoted 4 times daddylonglegs 2 months, 3 weeks ago Stoneface's answer at the top of this thread is a good explanation upvoted 2 times Protract8593 5 months, 2 weeks ago Selected Answer: A Increasing cryptographic security involves strengthening the randomness and unpredictability of cryptographic elements, such as keys, data, or initialization vectors. High data entropy refers to data with a high degree of randomness, making it more challenging for attackers to predict or guess. The use of high data entropy in cryptographic processes helps increase the security and effectiveness of encryption. upvoted 5 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A Data entropy refers to the randomness and unpredictability of data. High data entropy means that the data has a high degree of randomness, making it difficult for an attacker to analyze or predict patterns within the data. When cryptographic algorithms operate on data with high entropy, it adds an extra layer of security because the resulting encrypted data becomes more resistant to various cryptographic attacks, including bruteforce attacks and statistical analysis. upvoted 3 times [Removed] 9 months, 1 week ago Selected Answer: C Data entropy has nothing to do security. Key or Password Entropy however affects security. Answer is C because Key Longevity makes sure that the key will remain secure even after more powerful computers try to break it in the future. 
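Added example (not code from any commenter in this thread or from ExamTopics): it measures Shannon entropy to show the point stoneface makes above, that an ordered plaintext has low entropy while a strong cipher's output looks uniformly random, and it puts a number on the key or password entropy that [Removed] and others are debating. The XOR keystream cipher, the sample text and the password parameters are constructed for the demonstration.

```python
import math
import secrets
from collections import Counter


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0).

    A uniformly random byte source approaches 8.0; English text sits well
    below that because letters, spaces and punctuation are far from uniform.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def xor_with_keystream(plaintext: bytes, keystream: bytes) -> bytes:
    """Toy stream cipher: XOR the message with a keystream of equal length.

    With a uniformly random keystream (a one-time pad) the output is itself
    uniformly random, which is what a strong cipher's output should look
    like. Constructed for illustration, not a production cipher.
    """
    if len(keystream) < len(plaintext):
        raise ValueError("keystream must cover the whole message")
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a secret chosen uniformly at random from alphabet_size
    symbols, length symbols long: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


# Constructed sample plaintext: ordinary English, hence low entropy.
SAMPLE_PLAINTEXT = (
    b"The plaintext must be ordered for it to be intelligible to a person, "
    b"computer processor, or database. A strong cipher must hide that order. "
) * 8


def demo() -> dict:
    """Compare the entropy of plaintext, ciphertext, a repeated 'key' and
    two password policies."""
    keystream = secrets.token_bytes(len(SAMPLE_PLAINTEXT))
    ciphertext = xor_with_keystream(SAMPLE_PLAINTEXT, keystream)
    return {
        "plaintext": entropy_bits_per_byte(SAMPLE_PLAINTEXT),
        "ciphertext": entropy_bits_per_byte(ciphertext),
        "repeated_key": entropy_bits_per_byte(b"aaaaaaaa"),  # no disorder at all
        "pin4_bits": password_entropy_bits(4, 10),      # 4-digit PIN
        "pass12_bits": password_entropy_bits(12, 62),   # 12 chars, [A-Za-z0-9]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value:.2f}")
```

The plaintext lands around 4 bits per byte and the ciphertext close to the 8-bit ceiling; a ciphertext that came out near 4 would be the "elements of order persist" case stoneface warns about. The password figures show why key or password entropy is measured in bits of search space rather than in characters.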
upvoted 2 times

TheWaraba (8 months, 4 weeks ago)
Read this; entropy is definitely relevant in security. https://www.thesecuritybuddy.com/encryption/what-is-entropy-in-cryptography/2/
upvoted 2 times

ronniehaang (11 months, 1 week ago) - Selected Answer: A
A. High data entropy. High data entropy refers to the unpredictability and randomness of data used as input to a cryptographic system. The higher the entropy, the more difficult it is for an attacker to guess the input data, thereby increasing the cryptographic security of the system. For example, in a password-based encryption system, high entropy in the password input would result in a more secure encryption key, making it more difficult for an attacker to crack the encryption and access the protected data.
upvoted 3 times

DALLASCOWBOYS (11 months, 1 week ago)
A. High data entropy. The higher the randomness, the greater the security.
upvoted 4 times

CL_QRT (12 months ago)
A is the answer
upvoted 1 times

03allen (1 year, 3 months ago)
Can anyone tell me why C and D are not right? It doesn't say the best one, right?
upvoted 1 times

lordguck (1 year, 2 months ago)
C decreases security, as it gives attackers more time to break/use (e.g. if stolen and no one noticed) the keys. D is not applicable, as the question already talks about cryptographic security, and this includes, for all relevant methods in use, ways to detect tampering.
upvoted 2 times

lordguck (1 year, 2 months ago)
Sorry, I was wrong here due to a misunderstanding of the term "key longevity". "Longevity" refers to the trust one has in the qualities (e.g. time to break) of an encryption method (Topic 5C handbook) and NOT to the lifetime of a certificate ("key" got me there). Nevertheless I vote for A, as C "longevity" is not measurable, in contrast to A.
upvoted 2 times

CTE_Instructor (10 months, 1 week ago)
Key longevity is the length of time the key encryption method is secure, whether against brute forcing or encryption algorithm cracking. Longer key longevity is a good thing. D is definitely relevant, as hashing increases cryptographic security by providing a one-way function to prevent attackers from seeing the original data. Honestly, A, C, and D are all possible answers. The question doesn't ask for "best", which makes this a poorly worded question. There isn't any "best" answer either, because A, C, and D should all be used, and different situations will prioritize different solutions.
upvoted 2 times

alayeluwa (1 year, 2 months ago)
The keyword in the question is "Increase". Increase = best one.
upvoted 1 times

Ay_ma (1 year, 3 months ago) - Selected Answer: A
High data entropy: In cryptography, entropy is used to produce random numbers, which in turn are used to produce security keys to protect data while it's in storage or in transit. The greater the quality of random number generation (RNG), the greater the quality of random keys produced, and thus the higher the security value of the key.
upvoted 4 times

Topic 1 Question #40
Which of the following statements BEST describes zero-day exploits?
A. When a zero-day exploit is discovered, the system cannot be protected by any means.
B. Zero-day exploits have their own scoring category in CVSS.
C. A zero-day exploit is initially undetectable, and no patch for it exists.
D. Discovering zero-day exploits is always performed via bug bounty programs.
Correct Answer: C
Community vote distribution: C (100%)

varun0 (Highly Voted, 1 year, 4 months ago) - Selected Answer: C
I'll go with C. A says it can be protected by ANY means, which is not true; sure, the exploit itself doesn't have a patch yet, but we can isolate the affected system or have some kind of compensating control in place.
upvoted 11 times

aellonfol (10 months, 2 weeks ago)
You mean CAN'T be protected
upvoted 1 times

Protract8593 (Most Recent, 5 months, 2 weeks ago) - Selected Answer: C
The statement that BEST describes zero-day exploits is that they are initially undetectable, and no patch for them exists. A zero-day exploit is a security vulnerability or weakness in software or hardware that is unknown to the vendor or developers and, therefore, has no official patch or fix available. As a result, attackers can take advantage of the vulnerability without any defense or mitigation in place.
upvoted 1 times

ApplebeesWaiter1122 (6 months, 1 week ago) - Selected Answer: C
The statement that best describes zero-day exploits is that they are initially undetectable, and no patch for them exists. A zero-day exploit refers to a security vulnerability or weakness in software or systems that is unknown to the vendor or developer and, therefore, lacks a patch or fix. The term "zero-day" signifies that the vulnerability is exploited on the same day it is discovered, with no prior knowledge or defense against it.
upvoted 1 times

Paramus (10 months, 3 weeks ago) - Selected Answer: C
Unknown vulnerability with no patch available
upvoted 1 times

ronniehaang (11 months, 1 week ago) - Selected Answer: C
C. A zero-day exploit is initially undetectable, and no patch for it exists. A zero-day exploit refers to a type of cyber attack that utilizes a previously unknown vulnerability in software or hardware that hasn't been identified or fixed by the manufacturer. As a result, there is no existing protection or patch to defend against it, making it a significant risk to organizations and individuals. When a zero-day exploit is discovered, the first priority is to alert the vendor and hope that they can develop a patch as quickly as possible.
upvoted 3 times

DALLASCOWBOYS (11 months, 1 week ago)
C. Zero-day attacks are attacks that exploit a vulnerability that is unknown; therefore, no patch is available.
upvoted 1 times

KingDrew (12 months ago) - Selected Answer: C
Zero-day = never-seen-before attack. Therefore it cannot be patched or recognized in a database if it has not occurred or been documented before.
upvoted 1 times

Iamboolean (1 year, 3 months ago) - Selected Answer: C
Answer C = A zero-day exploit is initially undetectable, and no patch for it exists. The other closest answer could be "A = When a zero-day exploit is discovered, the system cannot be protected by any means." However, this statement is not precise, as it implies the system cannot be protected by any means, which is not true. Other answers are not as precise. Therefore, the answer corresponds to letter C in my opinion...
upvoted 1 times

comeragh (1 year, 4 months ago) - Selected Answer: C
Agree with C being the best choice answer here
upvoted 3 times

Topic 1 Question #41
A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST?
A. Retention
B. Governance
C. Classification
D. Change management
Correct Answer: C
Community vote distribution: C (100%)

varun0 (Highly Voted, 1 year, 4 months ago) - Selected Answer: C
Data has to be classified first for the DLP to know which data can leave the network and which can't.
upvoted 14 times

Protract8593 (Most Recent, 5 months, 2 weeks ago) - Selected Answer: C
The first step the company should perform to restrict emailing of PHI (Protected Health Information) documents is classification. In a Data Loss Prevention (DLP) solution, classification involves identifying and labeling data based on its sensitivity or classification level. In this case, the company would classify documents containing PHI as sensitive or confidential. This classification allows the DLP solution to recognize and enforce policies that restrict the emailing of such documents or prevent them from being transmitted outside the organization.
upvoted 1 times

ApplebeesWaiter1122 (6 months, 1 week ago) - Selected Answer: C
In order to restrict emailing of PHI (Protected Health Information) documents, the first step should be to perform classification. Classification involves identifying and categorizing data based on its sensitivity and importance. By classifying documents containing PHI as sensitive or confidential, the company can implement appropriate security controls and restrictions. Once the documents are classified, the DLP (Data Loss Prevention) solution can be configured to recognize and enforce policies specific to PHI documents. The DLP solution can monitor outgoing emails, analyze the content and attachments, and prevent the transmission of PHI documents based on the defined policies.
upvoted 1 times

DALLASCOWBOYS (11 months, 1 week ago)
C. Classification. Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity and confidentiality.
upvoted 1 times

BadPlayer (8 months, 2 weeks ago)
Explain in football terms?
upvoted 1 times

IYKMba (1 year, 2 months ago) - Selected Answer: C
Classification is the first step to determine what data contains PHI
upvoted 2 times

xxxdolorxxx (11 months, 2 weeks ago)
This is sort of what I'm thinking. Before knowing how to stop PHI from leaving... you need to know exactly what data has PHI.
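Added example (not from this thread, from ExamTopics, or from any DLP product) of why classification has to come before enforcement: a content classifier labels the message body and each attachment, and the outbound-mail rule acts only on those labels, so without the first step the second has nothing to decide on. The PHI indicator patterns, the example.com organization domain and the sample messages are constructed placeholders; a real DLP engine uses far richer detectors.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed PHI indicator patterns (hypothetical placeholders, not a real rule set).
PHI_INDICATORS = {
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "diagnosis_code": re.compile(r"\bICD-10[:\s]*[A-Z]\d{2}(?:\.\d{1,4})?\b"),
}

INTERNAL_DOMAIN = "example.com"  # assumed organization domain


@dataclass
class Classification:
    label: str                                   # "PHI" or "INTERNAL"
    indicators: List[str] = field(default_factory=list)


def classify(text: str) -> Classification:
    """Step 1, classification: label content by the PHI indicators it contains."""
    hits = [name for name, pattern in PHI_INDICATORS.items() if pattern.search(text)]
    return Classification("PHI" if hits else "INTERNAL", hits)


@dataclass
class Decision:
    action: str   # "ALLOW" or "BLOCK"
    reason: str


def evaluate_outbound_email(body: str, attachments: Dict[str, str],
                            recipients: List[str]) -> Decision:
    """Step 2, enforcement: the policy consumes only the labels from step 1.

    Rule: PHI-labelled content may not leave for a recipient outside the
    organization's own domain.
    """
    labelled = {"(body)": classify(body)}
    labelled.update({name: classify(content) for name, content in attachments.items()})
    phi_parts = [name for name, c in labelled.items() if c.label == "PHI"]
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if phi_parts and external:
        return Decision("BLOCK", f"PHI in {phi_parts} addressed to external recipients {external}")
    if phi_parts:
        return Decision("ALLOW", f"PHI in {phi_parts} stays inside {INTERNAL_DOMAIN}")
    return Decision("ALLOW", "no PHI indicators found")


if __name__ == "__main__":
    # Constructed sample: a lab result attached to a message going outside.
    sample = {"lab_results.txt": "Patient MRN: 00123456, ICD-10: J18.9"}
    print(evaluate_outbound_email("see attached", sample, ["partner@other-org.example"]))
    print(evaluate_outbound_email("see attached", sample, ["nurse@example.com"]))
```

The order matters for the exam's wording: retention, governance and change management all act on already-labelled data, whereas the labels themselves exist only once classification has run.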
upvoted 1 times

hackerguy (1 year, 2 months ago) - Selected Answer: C
Data classification: a category based on the value to the organization and the sensitivity of the information if it were to be disclosed.
upvoted 1 times

[Removed] (1 year, 4 months ago)
Classification, sure... But I also think change management, because changing any sort of business process typically starts with that.
upvoted 2 times

Gravoc (1 year, 3 months ago)
Change management doesn't make sense in this context, because it's asking what needs to be implemented first to assist the DLP in preventing PHI from being emailed. Classification is the first thing the DLP needs to properly do its job. Change management would be like going through the approval process to add DLP as a tool to your security framework. In this case, the question already informed us that the DLP is in place, meaning we can assume that the change management approval process has already been completed in regards to the DLP and any implications imposed by the DLP. You wouldn't approve the use of the DLP without also approving the classification of sensitive and proprietary information.
upvoted 2 times

Topic 1 Question #42
A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:
Which of the following attacks has taken place?
A. Domain reputation
B. Domain hijacking
C. Disassociation
D. DNS poisoning
Correct Answer: B
Community vote distribution: D (94%), other (6%)

stoneface (Highly Voted, 1 year, 4 months ago) - Selected Answer: D
DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client.
upvoted 28 times

RileyG (Highly Voted, 8 months ago)
Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems. DNS poisoning is when false information is entered into a DNS cache, so that DNS queries return an incorrect response that directs users to the wrong website. The answer is D because the question says "redirected to a fake website", and we are also looking at a DNS table in the picture, which means the answer is D.
upvoted 7 times

Tolis21 (Most Recent, 1 month, 1 week ago)
I don't get something: who decides the correct answer?
upvoted 2 times

geocis (1 week ago)
It's up to you to do the research and figure out which one is the correct answer. If this site had all the right answers, it would probably be shut down. The way I see it, at least you're presented with all the possible questions on the test.
upvoted 1 times

Teleco0997 (1 month, 2 weeks ago) - Selected Answer: D
"SOME users are being redirected to a fake website" = DNS poisoning. It can't be domain hijacking, as that would affect all users.
upvoted 2 times

Teleco0997 (1 month, 2 weeks ago)
Also, using the info of the DNS table: in this case, the DNS server has incorrect mappings, associating the legitimate www.comptia.org with the malicious IP address 192.168.1.10. When users attempt to access www.comptia.org, they are redirected to that fake website.
upvoted 1 times

n00r1 (1 month, 3 weeks ago)
DNS poisoning is the corruption of the DNS; domain hijacking requires the domain to be transferred to an unauthorized party.
upvoted 1 times

BlackSpider (3 months, 2 weeks ago) - Selected Answer: D
It is only happening to some users. This is the key here.
upvoted 2 times

vitasaia (1 month, 3 weeks ago)
They're not saying "only". It could be that the others have not tried or reported it. It's not clear.
upvoted 1 times

DannaD (4 months, 4 weeks ago)
I believe this is hijacking because the attacker has already hijacked the DNS management before attempting to poison the DNS.
upvoted 1 times

RevolutionaryAct (5 months ago) - Selected Answer: B
It's hijacking, as that is another DNS, not your own (which would be DNS poisoning). https://www.malwarebytes.com/cybersecurity/business/what-is-dns-hijacking
upvoted 1 times

daddylonglegs (2 months, 3 weeks ago)
4th time
upvoted 1 times

Mpololo (2 months, 1 week ago)
Literally....
upvoted 1 times

sujon_london (5 months ago)
Answer is B. After a domain hijacking incident, the attackers may have full control over the domain name settings, including the ability to change the domain name and IP address associated with it. Change domain name: the attackers can modify the domain's DNS settings and point it to a different domain name. In this scenario exactly that happened: the domain was hijacked, maybe through phishing or by other means, and then the DNS name or IP addresses were changed. Considering that first the domain is hijacked and then the IP address is changed, where most comments are suggesting DNS poisoning, indeed the answer should be B, following the sequence of clues given in the question, as many things can happen once a domain is hijacked.
upvoted 4 times

Protract8593 (5 months, 2 weeks ago) - Selected Answer: D
The given scenario describes a DNS poisoning attack. In this attack, the attacker has manipulated the DNS records on the naming server to associate the domain name "www.comptia.org" with a malicious IP address (192.168.1.10). As a result, when users try to access the legitimate website www.comptia.org, they are redirected to a fake website hosted at the malicious IP address.
upvoted 4 times

Kraken84 (5 months ago)
SOUNDS GOOD, but what in this question indicates that 192.168.1.10 is a malicious IP address? I wanna believe your answer, but nowhere does it state that this is a malicious IP address.
upvoted 2 times

Kingbumi777 (3 months, 4 weeks ago)
The IP 192.168.1.10 doesn't follow the standard of the other IPs, and it is also a private IP address. Regardless, if you ever see the IP "192.168.1.X", assume it doesn't belong.
upvoted 1 times

HCM1985 (4 months, 1 week ago)
Following through the question, the domain is comptia.org, and we can assume www has a fake IP because it's for a different network from all the other records (I know it's silly and that in itself does not mean anything, but we work with what we have).
upvoted 1 times

Haykinz (5 months, 3 weeks ago) - Selected Answer: B
Option B: Several things can happen when a domain is hijacked. The hackers may take control of the website and use it for malicious purposes, such as spreading malware or conducting phishing attacks. They could also redirect traffic to other websites, resulting in lost sales or damage to your brand reputation. D is correct because if DNS poisoning occurs, most times the website is the same and not a resemblance. During a DNS poisoning attack, a hacker substitutes the address for a valid website for an imposter. Once completed, that hacker can steal valuable information, like passwords and account numbers. Or the hacker can simply refuse to load the spoofed site. Someone browsing the web may never know that DNS spoofing is happening. The person may visit a site that looks perfectly normal, and even functions somewhat normally, so everything seems safe.
upvoted 2 times

Dutch012 (8 months ago)
Okay, now it's evident that DNS poisoning is the answer to Question 1, yay!
upvoted 1 times

TheGuitarMan_61 (9 months ago)
Stoneface; agree 100%. "Some users" takes the answer away from domain hijacking to poisoning, as it is only some users.
upvoted 3 times

Abdul2107 (8 months, 3 weeks ago)
Smart notice
upvoted 2 times

Neither_you_nor_me (9 months ago) - Selected Answer: D
This seems to be the practical version of the first question
upvoted 2 times

princajen (10 months ago)
From ChatGPT: The output shown in the image is related to DNS, and specifically to the DNS zone file for comptia.org. It indicates that the DNS A record for www.comptia.org has been changed to point to a different IP address than the legitimate one. This is consistent with DNS poisoning, also known as DNS spoofing or DNS cache poisoning. Therefore, the correct answer is D. DNS poisoning.
upvoted 3 times

DALLASCOWBOYS (11 months ago)
D. DNS poisoning. Redirected to a fake website.
upvoted 3 times

JD2354 (11 months, 1 week ago)
I agree with the crowd, answer D. Why are so many "correct answers" actually incorrect on this?
upvoted 2 times

Lance711 (11 months ago)
I heard that the 'correct answer' is random and that the voted answers are the only reliable options. Apparently by giving the wrong answer this site is allowed to be up because it's a near-perfect copy of the real CompTIA Security+ test.
upvoted 8 times

Kraken84 (5 months ago)
It's all about the discussion.
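Added example (not from this thread, from ExamTopics, or from the exam) of the check several commenters above do by eye: parse a zone's A records and flag any that point into RFC 1918 space, fall outside the organization's expected netblocks, or differ from a trusted baseline copy of the zone. The zone snippet is constructed, since the exam's screenshot is not in the page text; only the www to 192.168.1.10 mapping comes from the thread, and 203.0.113.0/24 is a documentation range standing in for the organization's real netblock.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed zone snippet (BIND style). Only the www record's address is
# taken from the thread; everything else is placeholder data.
SAMPLE_ZONE = """\
$ORIGIN comptia.org.
@     3600 IN SOA ns1.comptia.org. hostmaster.comptia.org. (2024010601 7200 3600 1209600 3600)
@     3600 IN NS  ns1.comptia.org.
ns1   3600 IN A   203.0.113.2
mail  3600 IN A   203.0.113.25
www   3600 IN A   192.168.1.10    ; the record the analyst is looking at
"""

# Trusted baseline, e.g. the last reviewed copy of the zone (constructed).
BASELINE = {"ns1": "203.0.113.2", "mail": "203.0.113.25", "www": "203.0.113.80"}
EXPECTED_NETBLOCKS = ["203.0.113.0/24"]  # assumed organization address space

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class ARecord(NamedTuple):
    name: str
    address: str


def parse_a_records(zone_text: str) -> List[ARecord]:
    """Pull A records out of zone text of the form 'name [ttl] IN A address'.

    Comments after ';' and non-A records (SOA, NS, ...) are skipped.
    """
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if len(fields) > i + 2 and fields[i + 1] == "A":
            records.append(ARecord(fields[0], fields[i + 2]))
    return records


def audit_a_records(records: List[ARecord], expected_netblocks: List[str],
                    baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {name: [reasons]} for every record that looks wrong in a public zone."""
    blocks = [ipaddress.ip_network(b) for b in expected_netblocks]
    findings: Dict[str, List[str]] = {}
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec.address)
        except ValueError:
            findings[rec.name] = [f"unparseable address {rec.address!r}"]
            continue
        reasons = []
        if any(addr in net for net in RFC1918):
            reasons.append("RFC 1918 private address in a public zone")
        if not any(addr in net for net in blocks):
            reasons.append("outside expected netblocks")
        if rec.name in baseline and baseline[rec.name] != rec.address:
            reasons.append(f"baseline says {baseline[rec.name]}")
        if reasons:
            findings[rec.name] = reasons
    return findings


def run_demo() -> Dict[str, List[str]]:
    return audit_a_records(parse_a_records(SAMPLE_ZONE), EXPECTED_NETBLOCKS, BASELINE)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", "; ".join(reasons))
```

The baseline comparison is the part that survives an attacker who picks a plausible public address instead of a 192.168.x.x one: an unexpected change to a reviewed record is the signal, whatever the new address looks like. The same check, run against a recursive resolver's cache rather than the authoritative zone, is how a poisoned cache entry is spotted.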
upvoted 1 times

Kraken84 (5 months ago)
zzz a way to keep this available :)
upvoted 1 times

Topic 1 Question #43
Which of the following describes the continuous delivery software development methodology?
A. Waterfall
B. Spiral
C. V-shaped
D. Agile
Correct Answer: D
Community vote distribution: D (100%)

rodwave (Highly Voted, 1 year, 1 month ago) - Selected Answer: D
Answer: Agile. Agile methodology is a way to manage a project by breaking it up into several phases. It involves constant collaboration with stakeholders and continuous improvement at every stage. Once the work begins, teams cycle through a process of planning, executing, and evaluating.
Helpful info: Waterfall - a sequential development process that flows like a waterfall through all phases of a project (analysis, design, development, and testing, for example), with each phase completely wrapping up before the next phase begins.
upvoted 33 times

mlonz (11 months, 3 weeks ago)
Nice information Rodwave, you should try to add information for every question. Thanks mate.
upvoted 15 times

varun0 (Highly Voted, 1 year, 4 months ago) - Selected Answer: D
Agile seems right. It's a fast-paced life cycle which iterates features according to the user's feedback.
upvoted 9 times

CCNPsec (Most Recent, 4 months ago)
D. Agile. Continuous Delivery is a software development methodology that falls under the broader Agile umbrella. It emphasizes the rapid and continuous delivery of software updates and improvements to production environments. In Continuous Delivery, development teams work in small, incremental steps to develop and deliver software features, often using automation to streamline the deployment process. In contrast, the other methodologies mentioned (A. Waterfall, B. Spiral, C. V-shaped) are not synonymous with Continuous Delivery and generally follow different approaches to software development and project management. Waterfall, Spiral, and V-shaped are traditional, sequential methodologies, whereas Continuous Delivery focuses on continuous iteration and deployment.
upvoted 1 times

Protract8593 (5 months, 2 weeks ago) - Selected Answer: D
The Agile software development methodology, including the continuous delivery approach, emphasizes iterative and incremental development processes. It involves breaking down the development process into smaller, manageable iterations, where each iteration results in a potentially deployable increment of the software. Agile methodologies promote collaboration between development teams and stakeholders, allowing for faster and more adaptive development cycles.
upvoted 2 times

ApplebeesWaiter1122 (6 months, 1 week ago) - Selected Answer: D
Agile is an iterative and incremental development methodology that emphasizes flexibility, collaboration, and the delivery of working software in short iterations called sprints. Continuous delivery is a practice within the Agile methodology that focuses on ensuring that software is always in a releasable state. It involves frequent and automated software builds, testing, and deployment to deliver new features, updates, and bug fixes more rapidly and consistently.
upvoted 1 times

scarceanimal (11 months ago)
I never heard of this once; not sure if it was in the exam objectives...
upvoted 2 times

ronniehaang (11 months, 1 week ago) - Selected Answer: D
D. Agile. Continuous delivery is a software development methodology that is based on the principles of agile development. It emphasizes a rapid, iterative, and frequent release cycle, where new features and bug fixes are delivered to customers on a regular basis. The goal of continuous delivery is to ensure that code changes can be rapidly and reliably deployed to production, minimizing downtime and maximizing the value delivered to customers. This approach relies on automation, collaboration, and communication to ensure that software is delivered quickly, with high quality, and with minimal risk.
upvoted 2 times

DALLASCOWBOYS (11 months, 1 week ago)
D. Agile. In this methodology, updates are made continually, piece by piece, enabling software code to be delivered to customers as soon as it is completed and tested.
upvoted 2 times

[Removed] (1 year, 2 months ago) - Selected Answer: D
The Agile approach to software development is to ensure customer satisfaction via early and continuous delivery of software.
upvoted 2 times

sucram (1 year, 3 months ago)
SY0-501
upvoted 2 times

RonWonkers (1 year, 3 months ago) - Selected Answer: D
Answer is D
upvoted 1 times

Topic 1 Question #44
Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?
A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced
C. Placing systems into locked, key-controlled containers with no access to the USB ports
D. Installing an endpoint agent to detect connectivity of USB and removable media
Correct Answer: B
Community vote distribution: A (56%), B (34%), other (10%)

rodwave (Highly Voted, 1 year, 1 month ago) - Selected Answer: A
Answer: Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports.
Explanation: The question is asking for two specific requirements for the solution: 1. a solution that's cost-effective; 2. a solution that's a physical control. The option to implement a GPO (B) and installing an endpoint agent (D) are software-based implementations; while the GPO is cost-effective, they do not address the physical control requirement for the solution. Option C would address the requirement as a physical control by preventing users from physically accessing the USB port, and is likely the best out of all of the given options; however, this option is not the cheapest, so it does not address the cost-effectiveness required for the solution. Only option A would address each requirement of the solution, being a cost-effective physical control that can be implemented.
upvoted 66 times

CTE_Instructor (10 months, 1 week ago)
Option A involves a lot of additional cost for security tape and regular inspection... inspection = time = money. Option B is essentially no cost because it uses existing domain software and infrastructure to enforce. Restricting access is by definition a physical control. Option C also involves money (like option A) and is not cost effective. Option D involves purchasing individual endpoint agent software... again not cost effective. They are all able to control the physical hardware by disallowing removable media or otherwise restricting it; however, only one is cost effective: option B, implementing a Group Policy Object.
upvoted 17 times

jcrittendon (2 months, 3 weeks ago)
Physical control buddy
upvoted 2 times

daddylonglegs (2 months, 3 weeks ago)
That is not a physical control at all. Physical: a physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something. Option B is a technical control. It does not prevent the specific physical action from occurring (someone can still plug the device in) but rather enforces a rule at the OS level, which would be a technical control.
upvoted 6 times

brewoz404sd (10 months, 3 weeks ago)
The answer is GPO, not A. Cost effective is only A? GPOs are configured in AD and require no additional cost except the network admin to configure them. A requires purchasing tape and paying techs to go to all systems and cover them! Not cost effective at all. What if the organization has 2000 computers? You are going to pay techs to go out with tape! No! The answer is GPO: easy, zero cost, and bulletproof!
upvoted 13 times

rline63 (4 months, 1 week ago)
GPO is undoubtedly a better solution. In the context of the question, though, it is absolutely not correct. GPO is a technical control, not a physical control.
upvoted 5 times

[Removed] (9 months, 3 weeks ago)
100% agree with you. GPO is what the DoD uses.
upvoted 1 times

hieptran (9 months, 1 week ago)
GPT response: Option B is better than Option A because it provides a more automated and centralized approach to enforcing the USB removable media restriction policy. Option B involves implementing a Group Policy Object (GPO) that restricts access to authorized USB removable media. This is a more centralized approach that allows administrators to apply the policy to multiple devices at once, rather than manually inspecting each device as in Option A. Additionally, a GPO is more reliable than manual inspection, as it is less prone to human error and can be more easily audited to ensure that the policy is being enforced. Option A, on the other hand, involves manually putting security/antitamper tape over USB ports and regularly inspecting the ports. This is a more decentralized approach that relies on manual effort and is more prone to human error.
It can also be difficult to scale this approach to larger organizations with many devices, as the manual effort required to inspect each device can become prohibitive. Therefore, while both options can be effective in enforcing a USB removable media restriction policy, Option B is a more scalable, automated, and centralized approach that is easier to manage and audit. upvoted 1 times Sentry13 8 months, 3 weeks ago Also from GPT: Group Policy Object (GPO) is not a physical control, but rather a technical control Physical controls are security measures that are implemented physically, such as locks, fences, barriers, cameras, and security guards. They are designed to prevent or deter unauthorized physical access to equipment, facilities, or information. In the context of a USB removable media restriction policy, a physical control could be a USB port blocker, which is a physical device that blocks access to USB ports on a computer or other device. This device physically prevents unauthorized USB devices from being plugged in, thereby restricting the use of removable media. So, the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy would be option A, putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports. While this option may not be as effective as USB port blockers, it is a cost-effective physical control that can help enforce the policy. upvoted 8 times Nirmalabhi 1 year, 1 month ago absolutely agree with you. BTW your input on the discussion of the questions is phenomenal so thank you upvoted 9 times Hewn Highly Voted 1 year, 3 months ago Selected Answer: B It's pretty obviously B, I think ya'll are getting too hung up on a physical control being 100% physical. A biometric scanner isn't useful without some kind of software running that compares my signature to a known copy of whatever it's scanning, yet it is still considered a physical control. 
upvoted 24 times HCM1985 4 months, 1 week ago The idea behind a "physical control" is that the main control is based on something physical (just like the biometric scan is worthless if we don't have a body part to scan). A GPO is pure software solution. Also, a GPO does not forbid a user from plugging in a USB removable device during system boot and then loading some sort of malware or even a new OS. upvoted 5 times jcrittendon 2 months, 3 weeks ago its obvious that it's not indeed obvious. upvoted 1 times daddylonglegs 2 months, 3 weeks ago A biometric scanner by itself wouldn't be considered any kind of control because the scanner itself doesn't prevent anything. Assuming that it is part of a door system that only opens if your biometric signature is known to the system, then the door would be a physical control that the biometric scanner controls access to. Physical: A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something. Whether or not a physical control relies on software is irrelevant. What matters is the fact that the control is physically impeding an action from taking place (actually physically blocking the port with tape or putting the whole computer in a locked container). Using a GPO to block removable media at the OS level is a technical control, it doesn't do anything to prevent the physical action from taking place. upvoted 2 times jijuk Most Recent 4 days, 11 hours ago You have to breakdown the question into two parts. The most effective and cheap solution also should be a physical control. GPO would be the cost effective as well as efficient, the policy would be employed across all computers in the case of larger organization say 2000 controls. However the best answer is still A, since it is a physical control, where as GPO is technical control. 
https://www.examtopics.com/exams/comptia/sy0-601/view/ 107/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 1 times ImBleghk 6 days, 9 hours ago Selected Answer: C C. Placing systems into locked, key-controlled containers with no access to the USB ports Placing systems into locked, key-controlled containers with no access to the USB ports is an example of a cost-effective physical control to enforce a USB removable media restriction policy. This control physically prevents individuals from accessing the USB ports and using removable media, providing a straightforward and reliable way to enforce the policy. upvoted 1 times geegol 1 month ago How is tape the answer? I could just tear the tap off plug my device in and exfiltrate data and put it back. You would never know. A GPO would be best. upvoted 2 times zididididi 1 month, 2 weeks ago question says security must be "enforced". You can't actually enforce a usb policy with tape, you can just observe the fact someone did it anyway. Like how security cameras won't enforce access control. B seems like the best option, but if you're a stickler for the "physical" portion, then it has to be C. C is the only option here that physically enforces a protection of the usb, but also it could be argued that all one would have to do would be break into the cabinets and they also aren't prevented from plugging something in. The only option here that actually "enforces" a restriction on the usb is a GPO. I'm going with B. upvoted 1 times Teleco0997 1 month, 2 weeks ago i hate reading questions too many times... options start getting more messed up... just like overthinking problems upvoted 1 times TheFivePips 2 months ago Selected Answer: A It is a physical control and more cost-effective than having to purchase a container and locks for the devices upvoted 1 times ganymede 2 months, 1 week ago Is security/antitamper tape for USB ports even a real thing? 
upvoted 1 times TheFivePips 2 months ago It sure is. Security/anti-tamper tape is used in various industries, such as shipping and logistics, electronics manufacturing, law enforcement, and other applications where maintaining the integrity of sealed items or areas is essential for security and accountability. upvoted 2 times Mahoni 2 months, 1 week ago Answer :A It is a physical control. There is no information about the presence of a domain environment either, maybe these devices are just some printers or hospital/lab equipment. Otherwise why would you chose a physical access control for usb ports of pcs, when the best solution would be appliying a GPO. upvoted 1 times MortG7 2 months, 1 week ago B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced ----> GPO is not a physical control C. Placing systems into locked, key-controlled containers with no access to the USB ports Most Voted----->How the heck would you use it when you need it..you would spend your while day locking/unlocking D. Installing an endpoint agent to detect connectivity of USB and removable media--->end point agent is a software solution, not physical A is the answer upvoted 1 times [Removed] 2 months, 2 weeks ago Selected Answer: C The BEST example of a cost-effective physical control to enforce a USB removable media restriction policy is: C. Placing systems into locked, key-controlled containers with no access to the USB ports. This approach physically restricts access to the USB ports, preventing users from plugging in unauthorized removable media. It is a straightforward and effective method to control USB device usage. Option A involves manual monitoring and inspection, which can be resource-intensive and less reliable. Option B is more of a software-based control that restricts access via Group Policy, and it doesn't physically prevent access to USB ports. 
Option D involves using software agents, which may add complexity and costs. https://www.examtopics.com/exams/comptia/sy0-601/view/ 108/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Option C, on the other hand, is a straightforward and cost-effective physical control that directly enforces the USB removable media restriction policy. upvoted 1 times TheFivePips 2 months ago If you ask Chat GPT to reconsider this response you get this: Option C, which involves placing systems into locked, key-controlled containers, may indeed be more resource-intensive and less flexible than Option A in some environments. Option C physically restricts access to USB ports, making it highly effective, but it can also be more expensive to implement and may limit the usability and accessibility of the systems. Option A, on the other hand, is a less resource-intensive and more flexible approach as it doesn't limit the usability of the systems but relies on regular inspection to enforce the policy. The choice between Option A and Option C depends on the specific needs, budget, and usability requirements of the organization. In some high-security environments, Option C may be preferred, while in others, the less resource-intensive Option A may be more practical. upvoted 1 times TheWizardKing 2 months, 2 weeks ago Selected Answer: A Implementing a GPO (Group Policy Object) is an administrative control, not a physical one. It can be effective but doesn't meet the criteria for a "physical control. I personally think as a test writer that B. GPO and D are distractors and D could involve licensing upvoted 1 times FRANCISCO2000 2 months, 2 weeks ago These are the same Q&A from Exam Topic Flash Cards but in different order. Also the Answer from Exam Topic is "Implementing a GPO.." upvoted 2 times ha33yp0tt3r69 2 months, 2 weeks ago Selected Answer: A GPO is software and can be by passed if the person has local admin. They talk about Physical. 
The lock box / container is very costly. upvoted 1 times bkrich 3 months, 3 weeks ago Selected Answer: B Cost-effective would be GPO (B) upvoted 1 times daddylonglegs 2 months, 3 weeks ago Yes but that is not a physical control. Most cost effective PHYSICAL control would be tape. upvoted 1 times LoomH 3 months, 3 weeks ago Selected Answer: A It says physical so I am going with the tape. upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 109/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #45 A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented? A. Enforce MFA when an account request reaches a risk threshold. B. Implement geofencing to only allow access from headquarters. C. Enforce time-based login requests that align with business hours. D. Shift the access control scheme to a discretionary access control. Correct Answer: A Community vote distribution A (100%) stoneface Highly Voted 1 year, 4 months ago Selected Answer: A Enforce MFA is the most convenient way upvoted 14 times varun0 1 year, 4 months ago Agreed upvoted 5 times rodwave Highly Voted 1 year, 1 month ago Selected Answer: A Answer: Enforce MFA when an account request reaches a risk threshold. This is likely the most convenient implementation that would work for all employees as an additional element(s) would need to be needed for authentication/authorization. ======================== (B) - Implementing geofencing to only allow access from headquarters might stop the suspicious logins, however, it would be inconvenient for employees not physically located near headquarters such as the traveling employees. 
(C) Enforcing time-based login requests to align with business hours could also be inconvenient for traveling/global employees that work in different times compared the business's normal business hours. (D) With Discretionary access control, the owner of a resource can decide who can have access to the resource and you can modify the access at anytime. The option to shift the access control scheme to a discretionary access control wouldn't really address the login issue either if the account of someone who is authorized to access a resource was compromised. The attacker can still access the resource using their credentials. upvoted 11 times MortG7 Most Recent 2 months, 1 week ago A is the correct answer, however, any security admin worth their salt would have it enforced already..it is a no brainer...why wait for a damn threshold. upvoted 2 times JarnBarn 1 month, 1 week ago LOLZ. Was hoping to find this comment verbatim. upvoted 1 times Protract8593 5 months, 2 weeks ago Selected Answer: A Enforcing Multi-Factor Authentication (MFA) when an account request reaches a risk threshold is an appropriate security control in this scenario. MFA adds an extra layer of security by requiring users to provide additional authentication factors, such as a one-time code sent to their mobile device, in addition to their password. By setting a risk threshold and triggering MFA when suspicious logins from unrecognized locations are detected, the company can protect corporate accounts without unnecessarily blocking legitimate login requests made from new sign-in locations during employee travel. upvoted 3 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A Implementing MFA adds an extra layer of security to the authentication process by requiring users to provide multiple forms of verification, such as a password and a one-time code generated on their mobile device or a biometric factor like a fingerprint. 
By setting a risk threshold, such as detecting suspicious login activity from unrecognized locations, the system can automatically trigger the enforcement of MFA. This helps to mitigate the risk of unauthorized access even if the credentials have been compromised. https://www.examtopics.com/exams/comptia/sy0-601/view/ 110/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 1 times ronniehaang 11 months, 1 week ago Selected Answer: A A. Enforce MFA when an account request reaches a risk threshold. Multi-Factor Authentication (MFA) is an effective security control to mitigate the risk of unauthorized access to corporate accounts. By requiring an additional factor of authentication, such as a one-time code sent to a user's phone or a fingerprint scan, MFA can help prevent attackers from accessing an account even if they have stolen a password. By implementing MFA only when an account request reaches a risk threshold, the company can ensure that employees who travel and need their accounts protected will not be negatively impacted by the security control, while still providing an extra layer of security for those accounts that are at higher risk of being compromised. upvoted 1 times KingDrew 12 months ago Selected Answer: A MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database. upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 111/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #46 An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization's requirement? A. Perform OSINT investigations. B. Subscribe to threat intelligence feeds. C. Submit RFCs. D. Implement a TAXII server. 
Correct Answer: D Community vote distribution D (93%) Boogie_79 Highly Voted 7% 1 year, 4 months ago Selected Answer: D A TAXII server is a client that exchanges standardized and anonymized cyber threat intelligence among users. It works as a venue for sharing and collecting Indicators of compromise, which have been anonymized to protect privacy. upvoted 29 times yasuke Highly Voted 1 year, 2 months ago Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API and a set of requirements for TAXII Clients and Servers upvoted 9 times Protract8593 Most Recent 5 months, 2 weeks ago Selected Answer: D Implementing a TAXII (Trusted Automated Exchange of Indicator Information) server would most likely meet the organization's requirement for threat intelligence information sharing with peer groups. TAXII is a standard for exchanging threat intelligence information, allowing organizations to share and receive threat intelligence with other entities that also use TAXII. Subscribing to threat intelligence feeds (Option B) is a valid approach to gain access to threat intelligence information, but it does not specifically address the organization's requirement for actively participating in threat intelligence information sharing with peer groups. In conclusion, according to the CompTIA Security+ SY0-601 exam objectives, the BEST option to meet the organization's requirement for threat intelligence information sharing with peer groups is D. Implement a TAXII server. This enables the organization to actively share threat intelligence with other entities and receive intelligence from them as well. upvoted 5 times DALLASCOWBOYS 11 months, 1 week ago D. Implementing a TAXII server helps organizations exchange structured threat information relating to indicators of compromise. 
upvoted 2 times akingokay 1 year ago Selected Answer: D agree to D upvoted 1 times varun0 1 year, 4 months ago Selected Answer: D Sharing threat information I'll go with TAXII server upvoted 4 times stoneface 1 year, 4 months ago Selected Answer: B It isn't typical for organizations to build TAXII servers, unless they are a security vendor, but they often connect to TAXII servers to download threat intelligence documented in the STIX taxonomy. MISP can be configured to do this. upvoted 3 times Jakalan7 1 year, 3 months ago Yes, but the question states they would like to "participate in threat intelligence information sharing", so the answer must be D, TAXII server. If they subscribe to security feeds, they are only receiving information - they are not sharing any in return. upvoted 17 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 112/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics cutemantoes 9 months, 3 weeks ago I was thinking it was B until you stated that. Thanks for the help! upvoted 4 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 113/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #47 Which of the following is the MOST effective control against zero-day vulnerabilities? A. Network segmentation B. Patch management C. Intrusion prevention system D. Multiple vulnerability scanners Correct Answer: C Community vote distribution A (63%) Ay_ma Highly Voted C (20%) B (17%) 1 year, 3 months ago Selected Answer: A IPS can only protect against known host and application-based attacks and exploits. IPS inspects traffic against signatures and anomalies, it does cover a broad spectrum of attack types, most of them signature-based, and signatures alone cannot protect against zero-day attacks. (www.rawcode7.medium.com) However, with network segmentation, you're able to isolate critical assets into different segments. 
And when a zero-day attack occurs, you're not at risk of losing all and are able to isolate the attack's effect to one segment. upvoted 25 times AzureG0d 3 months ago I don't know who yo are @ay_ma but this is a cold answer lol. I'm with yo in selecting A here, makes the most sense. upvoted 2 times CTE_Instructor 10 months, 1 week ago But the question isn't about protecting other data, the question directly says how to "control zero-day vulnerabilities". If there is a zero-day vulnerability in a new piece of software on a device, the BEST control against this is patch management to ensure the vulnerability is patched out as soon as possible. upvoted 2 times Secplas 1 month, 3 weeks ago Zero-day means there's no patch. There is 0 to patch against. upvoted 5 times 233Matis 3 weeks ago That is the MAIN REASON FOR PATHING THE SYSTEM! it means UPDATES!! Patching=update to prevent 0 days upvoted 1 times SIFD32 9 months ago I believe it would still be network segmentation because when it mentions "zero-day" you have to automatically assume that there is no work around. But with network segmentation, you can contain the vulnerability and not allow it to affect the rest of the network. Essentially "controlling" it. upvoted 6 times DriftandLuna 7 months, 2 weeks ago the mention of zero day implies they mean attacks for which there is no patch yet. Patch management wont protect against something that there isn't a patch for which is the definition of a zero day exploit. upvoted 5 times beardsly Highly Voted 1 year, 3 months ago Had to look this up myself as there is no real clear answer here. One of the Sec+ books I have suggested IPS and segmenting. Google search even says IPS in this regard as well. I would personally say Network Segmentation but otherwise not sure. My comment is not all that helpful I know but just wanted to throw my thoughts out there. upvoted 23 times TinyTrexArmz 11 months, 1 week ago I agree, there is no clear answer here. 
And though I don't think it's what the test would want us to answer I will say in my 20 years of IT expereince that a good Patch management process is the most helpful when it comes to zero-day exploits. I say this because once a Zero Day becomes public knowledge then the vendor normally rushes to put out some kind of patch or workaround. Having a way to deploy that in a quick and reliable manner is key to getting things back to secure as soon as possible. But I would say IPS would be most effective against zero day vulnerabilities because you might be able to detect the usual traffic or activity. Network segmentation will only help slow the intruder down. If you don't have anything to detect the oddity then the attacker could install a back door and then work their way across the segments. What's the old saying? An once on prevention is worth a pound of cure. But in a perfect world, both would be implemented. My vote is C. https://www.examtopics.com/exams/comptia/sy0-601/view/ 114/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 8 times hieptran 12 months ago To be more clear, zero days is an unknown exploit. There are a few chances that the IPS will detect the attack payloads/signature. But segregating the network would eventually prevent lateral movement even if the attacker has Remote Code Execution privilege on the compromised server. upvoted 13 times thefoque 3 months ago I think its also in the official course a question like this somewhere. IPS is the only way to actually protect against zero days, since it uses baselines to detect any anomalies in the system. IPS is not only signature based, it's not an antivirus. Segmentation would just prevent the spread of the infection throughout the network. upvoted 2 times DriftandLuna 7 months, 2 weeks ago Agreed, i chose IPS but was thinking segmentation as well for the reasons you stated. upvoted 1 times mascot45 11 months ago I believe it's B, patch management. 
I don't really get how segmenting network can defend or prevent a zero day for being exploited on your network. I put this questions to chatGPT and it gave me B as the answer, so that's what I'm going with. upvoted 10 times rondo24 11 months ago I did the same and then I pointed out to chat GPT that a Zero Day is by definition not known and it changed its answer and said "However, even though the vendor may be unaware of the vulnerability, there are still ways to mitigate the risks posed by zero-day vulnerabilities. For example, network segmentation, intrusion prevention systems, and multiple vulnerability scanners can help to reduce the attack surface and limit the damage that can be done if a zero-day vulnerability is exploited." upvoted 3 times Sanj 11 months ago Regular software updates: Installing the latest software updates can help protect against known vulnerabilities and fix security holes that could be exploited by zero-day attacks. upvoted 4 times daddylonglegs 2 months, 3 weeks ago Do you understand what a zero-day is? It's a vulnerability that is unknown to security researchers or the vendor or the product. You can't fix a vulnerability that you don't know about, therefore there would not be a patch for a zero-day vulnerability until it is discovered, at which point it is no longer a zero-day vulnerability. upvoted 2 times sarah2023 4 months, 2 weeks ago Wrong, the essence of a zero day vulnerability is that you can't prevent or protect against something you have not encountered in the past. upvoted 3 times 12f1a9a Most Recent 6 days, 23 hours ago I believe the answer is network segmentation. When we read the question carefully it says "which would be the most effective CONTROL...." The question is not asking for most effective way to prevent the zero day vulnerability. By segregation you can control the situation to prevent a big loss in my opinion. upvoted 1 times ykt 1 week, 3 days ago Selected Answer: C IPS is not just about signatures. 
There are behavior-based IPS and AI-based IPS. So the answer is IPS.
upvoted 1 times

Enzoxx 2 weeks, 1 day ago
Selected Answer: B
Look at this site: https://www.imperva.com/learn/application-security/zero-day-exploit/#:~:text=One%20of%20the%
Patch management: Another strategy is to deploy software patches as soon as possible for newly discovered software vulnerabilities. While this cannot prevent zero-day attacks, quickly applying patches and software upgrades can significantly reduce the risk of an attack.
upvoted 1 times

saucehozz 1 month ago
Selected Answer: C
IPS can be effective in detecting and blocking anomalous behavior
upvoted 1 times

Teleco0997 1 month, 2 weeks ago
Selected Answer: C
Zero-day vulnerabilities refer to security vulnerabilities that are not known to the vendor or the public and, therefore, do not have a patch available. The most effective control against zero-day vulnerabilities is an intrusion prevention system (IPS). WHY?
Behavioral Analysis: An IPS can detect and prevent attacks based on anomalous behavior rather than relying solely on known signatures. This is crucial for identifying and blocking attacks exploiting zero-day vulnerabilities.
Heuristic Analysis: Intrusion prevention systems often employ heuristic analysis to identify patterns of behavior that may indicate an exploit. This helps in detecting previously unknown threats.
Real-time Protection: IPS operates in real time and can automatically respond to and block suspicious activities, reducing the window of exposure for zero-day vulnerabilities.
Network Segmentation is assuming the vulnerability is already exploited
upvoted 2 times

IDTENT 2 months ago
Answer is IPS. As per CompTIA Sec+ textbook page 271: "Behavioral-based detection means that the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. The idea is that the software will be able to identify zero day attacks, insider threats, and other malicious activity"
upvoted 2 times

kj0699 2 months ago
Selected Answer: C
IPS can sometimes prevent zero-day attacks by detecting and blocking suspicious activity or malware that exploits unknown vulnerabilities, based on heuristics or behavior rather than known signatures.
upvoted 1 times

TheFivePips 2 months ago
Selected Answer: A
This is a bad question. I'd personally go with network segmentation because both IPS and patch management can't really do anything against an exploit that is unknown to them. That being said, I feel like in the real world, those are exactly the tools you would use to address the exploit after you know about them (but then it's not a zero-day, so we're back at network segmentation)
upvoted 2 times

Mahoni 2 months, 1 week ago
My answer is B. I don't think you can defend against a zero day vulnerability other than patching your systems. Don't just think about it before it becomes public when only a few people know the vulnerability. After it becomes public then the hunt will begin to find the unpatched systems. Good luck with your segmented network and IPS while the vulnerability hasn't been fixed with the patches.
upvoted 1 times

MortG7 2 months, 1 week ago
I have a feeling that this was written as such by design. I think CompTIA will give you credit for any choice you select because they all apply in some way.
upvoted 1 times

PropheticBettor 2 months, 2 weeks ago
Network segmentation doesn't actually stop the Zero Day, just minimizes its impact. IPS will minimize impact through stopping the zero day which makes it more effective
upvoted 1 times

FRANCISCO2000 2 months, 2 weeks ago
We can find this answer on Cisco.com about Network Segmentation.
upvoted 1 times

tonnage800 2 months, 3 weeks ago
Selected Answer: C
C. Intrusion prevention system: IPSs are designed to identify and prevent suspicious activities by analyzing behavior patterns and the traffic flow. They are effective against zero-day vulnerabilities because they don't rely solely on signatures of known vulnerabilities (like antivirus software), but also analyze behavior to block potential zero-day attacks.
upvoted 4 times

Cyberjerry 3 months ago
Selected Answer: B
Patch management is the most effective control against zero-day vulnerabilities. Zero-day vulnerabilities are security flaws that are exploited by attackers before the vendor has released a patch or fix for them. Patch management involves regularly updating and applying patches to software, operating systems, and applications to address known vulnerabilities. While it may not address zero-day vulnerabilities as they are initially discovered, it helps protect against them once patches become available. The other options, such as network segmentation, intrusion prevention systems, and multiple vulnerability scanners, are important security measures but may not be as directly effective in protecting against zero-day vulnerabilities as timely patch management.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
You understand that once a patch is released for a zero-day it is no longer a zero-day vulnerability, right? When the question asks about the most effective control against zero-days it's asking about vulnerabilities you don't even know you have and that there are no patches for. How would patch management help against a vulnerability that no one even knows exists? Network segmentation is the best answer.
upvoted 1 times

mjr131 3 months ago
Network Segmentation (A): By dividing a network into segments and controlling the flow of traffic between them, network segmentation can help contain the impact of a zero-day vulnerability. If an attacker exploits a vulnerability in one segment, they may be restricted from moving laterally to other segments.
upvoted 1 times

Topic 1 Question #48
Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application?
A. Intellectual property theft
B. Elevated privileges
C. Unknown backdoor
D. Quality assurance
Correct Answer: C
Community vote distribution: C (93%), other (7%)

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: C
GREATEST security concern would be unknown backdoor
upvoted 16 times

Protract8593 (Most Recent) 5 months, 2 weeks ago
Selected Answer: C
The GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application is the possibility of an unknown backdoor being introduced into the code. An unknown backdoor refers to unauthorized access points deliberately inserted into the software without the knowledge or consent of the organization. When outsourcing code development, the organization has less direct control over the development process and may not have full visibility into the contractor's practices. This lack of oversight could potentially lead to the inclusion of hidden backdoors, which can be exploited by malicious actors to gain unauthorized access to the application and its data.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
While intellectual property theft, elevated privileges, and quality assurance are all important considerations when outsourcing code development, the presence of an unknown backdoor poses the greatest security risk. An unknown backdoor is a hidden entry point or vulnerability intentionally or unintentionally inserted into the code by a malicious or compromised developer. It can provide unauthorized access to the application or its underlying systems, allowing attackers to exploit the application's functionality or compromise sensitive data. An unknown backdoor can be difficult to detect and may remain undetected for an extended period, allowing attackers to maintain persistent access and potentially exploit the application or compromise the organization's systems or data. It can bypass security controls and enable unauthorized actions, posing a significant risk to the security and integrity of the internet-facing application.
upvoted 3 times

ronniehaang 11 months, 1 week ago
Selected Answer: C
The greatest security concern when outsourcing code development to third-party contractors for an internet-facing application is the possibility of an unknown backdoor. This is because a contractor may intentionally or unintentionally insert malicious code into the application that could compromise the security and privacy of user data and the organization's systems. This risk is elevated if the contractor is not fully vetted, or if the organization does not have adequate safeguards in place to ensure the security and integrity of the codebase. To mitigate this risk, the organization should have strict security policies and procedures in place for outsourcing, including background checks for contractors, code review and testing procedures, and continuous monitoring and incident response processes.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
C. I think Unknown Backdoors would be the GREATEST security concern, so that is the best answer. I do believe D is a very good answer because the first step in risk assessment and mitigation is Quality Assurance.
upvoted 1 times

sonic1230 1 year, 2 months ago
Selected Answer: C
google
upvoted 3 times

Ay_ma 1 year, 4 months ago
A - Intellectual Property Theft: I'm guessing by that point a legal contract is already on the ground to mitigate such an issue.
Unknown Backdoor, in my opinion, is equivalent to a zero-day attack. You have no idea if these contractors knowingly or unknowingly put a backdoor in your code.
Quality Assurance: I'm guessing that's why you hired them in the first place because you know they deliver quality service.
upvoted 4 times

comeragh 1 year, 4 months ago
Selected Answer: C
GREATEST security concern - for me this would be C - Unknown Backdoor
upvoted 1 times

stoneface 1 year, 4 months ago
Selected Answer: D
If you're outsourcing dev work, you probably have a contract with a legit company and you had probably also reviewed their documents and AOCs and stuff. Without good QA, there could be a purposeful OR unintended backdoor in the application if somebody was an incompetent developer. With good QA, ideally they would be doing automated security testing to look for a backdoor in the program.
upvoted 2 times

Sandon 11 months, 3 weeks ago
Bad Stoneface, bad
upvoted 3 times

Topic 1 Question #49
An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?
A. Reimage the impacted workstations.
B. Activate runbooks for incident response.
C. Conduct forensics on the compromised system.
D. Conduct passive reconnaissance to gather information.
Correct Answer: C
Community vote distribution: B (93%), other (7%)

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: B
Incident is detected, now incident response has to happen. Runbook describes everyone's roles during incident response.
upvoted 34 times

Sanj 11 months ago
This is a simulation - so the blue team has to do forensics not incident response
upvoted 6 times

cybertechb 2 weeks, 3 days ago
Forensics may be necessary to understand the root cause, gather evidence, and improve future defenses. However, it typically occurs after the initial incident response steps have been taken.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
What??? The whole point of having red team sims is to practice incident response. If your first move is forensics then the red team will own your whole network before you even know what is going on
upvoted 7 times

stoneface 1 year, 4 months ago
agreed
upvoted 5 times

Protract8593 (Highly Voted) 5 months, 2 weeks ago
Selected Answer: B
After detecting an Indicator of Compromise (IoC), the blue team's primary action will be to activate runbooks for incident response. Incident response runbooks are predefined procedures and guidelines that outline the steps to be taken when specific security incidents are detected. These runbooks are essential for organizing and streamlining the response process to security incidents, including those identified through IoCs.
upvoted 7 times

ykt (Most Recent) 1 week, 3 days ago
Selected Answer: B
You must activate incident response once you detect an IoC. That's the whole point of the exercise. Blue Team Members are generally part of the CIRT Team; this particular example helps the company see how their incident response is.
upvoted 1 times

_deleteme_ 3 weeks, 1 day ago
I'm going to go with what NIST says and choose C. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's CS readiness posture. Often times a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems. https://csrc.nist.gov/glossary/term/blue_team
upvoted 1 times

RevolutionaryAct 5 months ago
Selected Answer: B
Forensics would never happen during or after a PenTest as not only do you know what the testers did as you hired them, but there are blue teams (defense), white (referees) and purple (red/blue mix) teams which are meant to work to stop and / or respond to the attack. The response to the IoC is what the blue needs to do and therefore the answer is B runbook. https://www.quora.com/Is-penetration-testing-a-part-of-cyber-forensic
upvoted 4 times

frejus 6 months ago
From the official book of CompTIA S+: "Blue team—performs the defensive role by operating monitoring and alerting controls to detect and prevent the infiltration", hence the answer is B.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
After detecting an Indicator of Compromise (IoC), the blue team would typically activate runbooks for incident response. Runbooks are predefined procedures or processes that guide the response actions to be taken when a security incident or compromise is detected. These runbooks outline the steps and actions to be followed, including notifying appropriate stakeholders, containing the incident, and initiating an investigation.
upvoted 1 times

Dan_26 7 months, 2 weeks ago
Answer is C. You've been compromised. There's an indicator it happened. The attack is over. It's in the past now. Whodunnit (attribution) is in the future and the evidence needs to be acquired by gathering evidence (forensics). This is straight out of law enforcement: murder/forensics/blame in that order.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Absolutely incorrect. Who says the attack is over? To continue your law enforcement analogy, if you were alerted that a murder is in progress would you start collecting evidence while it was ongoing or activate a plan to try and stop the murder from happening? From a single indicator of compromise there's no way of knowing whether the attacker is currently monitoring your environment or has been long gone. Following your runbook is the best bet. Forensics is often part of the post-incident activity of a runbook.
upvoted 2 times

LeonardSnart 7 months, 3 weeks ago
I thought since this is a pen test C would be right, but according to Mike Meyers B is correct. "Penetration tests are treated as an exercise between two teams. The red team is tasked with the job of performing the penetration testing. They're the ones we more typically think of as the hacker types who use clever attacks and tools to get into other folks' networks. Red teams emulate potential attacker techniques. But the red team is only part of the pen test exercise. Every good pen test also includes a blue team, the insider team, the defender if you will. Any good pen test isn't just the red team against your infrastructure. Just as in a real-world attack, your inside folks, your blue team, would work actively to mitigate any attack—even one taking place in real time." Mike Meyers Security+ Cert Guide Third Edition SY0-601
upvoted 2 times

TheWaraba 8 months, 3 weeks ago
Read this article https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/ IOC means the system has already been breached, the most logical thing to do is to start an incident response. We can do forensics later.
upvoted 3 times

monzie 9 months, 1 week ago
Selected Answer: C
After detecting an Indicator of Compromise (IoC), the blue team will conduct forensics on the compromised system. Forensics analysis will enable the blue team to identify the root cause of the security incident and determine the extent of the damage. It can also help identify other compromised systems, as well as the tactics, techniques, and procedures (TTPs) used by the red team. Based on the findings, the blue team can then take appropriate steps to contain, mitigate, and remediate the incident. Reimaging the impacted workstations may be one of those steps, but it depends on the specific circumstances and the findings of the forensics analysis. Activating runbooks for incident response and conducting passive reconnaissance are also important steps, but they are not directly related to detecting and analyzing an IoC.
upvoted 3 times

daddylonglegs 2 months, 3 weeks ago
While you're doing your forensics work the red team is proliferating across your network and wreaking havoc. This is basic, stop the bleeding first. Then when you're sure that the breach is contained you can start your forensics work. The IoC is the trigger to activate the runbook. We're not interested in analyzing the IoC itself, we're interested that there is an IoC at all.
upvoted 2 times

C_M_M 9 months, 2 weeks ago
Forensics is primarily done to determine who is to blame. That's not the immediate next step. You should be more concerned with understanding the compromise, and limiting it. You can do so while ensuring that evidence is preserved. This is where incident response comes in. So the correct answer should be B.
upvoted 2 times

Bruised_Warlock 9 months, 2 weeks ago
I think the keyword here is IOC (Indicator of Compromise). I will use the analogy as follows: just because you are showing early signs of diabetes does not make you a diabetic until you go to a doctor and are diagnosed a diabetic. The system shows signs of a compromise; however, it does not make this an incident until the Blue Team in this scenario performs forensics to confirm the signs of a compromise and then call it an incident. My answer would be C. Since now it is confirmed an incident, we would then activate the runbooks for incident response.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Your analogy is flawed. The early sign of diabetes is an IoC. Visiting the doctor, getting a diagnosis, and a plan for treatment is the runbook. Forensics in this situation would be trying to figure out how you got diabetes, by analyzing diet, exercise habits, and genetics. Determining whether the IoC is a false positive or an actual breach is part of the runbook. Forensics happens afterwards to tell us who the attacker was and how they achieved their objectives.
upvoted 1 times

princajen 10 months ago
Selected Answer: B
From ChatGPT: the BEST answer to this question depends on the specific context of the scenario. If the organization wants to contain the attack quickly and prevent further damage, reimaging the impacted workstations or activating runbooks for incident response may be the more appropriate immediate response. Forensics analysis may come later, after the incident has been resolved, to help the organization identify any gaps in its security posture and improve its response to future incidents.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Please stop with the ChatGPT answers...
Reimaging machines does nothing if the breach is not contained, as the attacker could turn around and reinfect the system
upvoted 1 times

ronniehaang 11 months, 1 week ago
Selected Answer: B
B. Activate runbooks for incident response. After detecting an Indicator of Compromise (IoC), the blue team will activate runbooks for incident response. The purpose of runbooks is to have a systematic, documented, and repeatable process to respond to security incidents. The blue team will use the runbooks to assess the scope of the attack, contain it, and minimize damage. The runbooks will also help the blue team collect and preserve evidence, perform root cause analysis, and restore normal operations. The blue team will take the information gathered from the runbooks and use it to improve the organization's security posture.
upvoted 5 times

DALLASCOWBOYS 11 months, 1 week ago
B. The blue team is the defense and will defend against the attack
upvoted 3 times

[Removed] 1 year ago
Selected Answer: C
IoC = Forensics… Both answers seem fine but C answer could be right given the scenario (IoC).
upvoted 2 times

Topic 1 Question #50
An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST?
A. Low FAR
B. Low efficacy
C. Low FRR
D. Low CER
Correct Answer: C
Community vote distribution: C (100%)

rodwave (Highly Voted) 1 year, 1 month ago
Selected Answer: C
Answer: Low FRR
There are two main metrics that are used to determine the performance of biometrics:
1. FAR (False Acceptance Rate)
2. FRR (False Rejection Rate)
False Acceptance Rate (FAR) is a metric for biometric performance that determines the number of instances where unauthorized persons were incorrectly authorized. False Rejection Rate (FRR) is a metric that determines the number of instances where an authorized person is incorrectly rejected.
If the emphasis is security, then make sure the False Acceptance Rate is low, as a low FAR means a lower possibility for someone to be authorized who shouldn't. If the emphasis is convenience, then you'd want to make sure the False Rejection Rate is low, as a low FRR means a lower possibility for someone to be rejected who should be authorized.
upvoted 19 times

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: C
Since convenience should be prioritized over security, the FIRST priority should be low FRR
upvoted 16 times

ScottT 1 year, 3 months ago
https://www.recogtech.com/en/knowledge-base/security-level-versus-user-convenience - FAR = False Acceptance. FRR = False Rejections
upvoted 4 times

stoneface 1 year, 4 months ago
concur
upvoted 4 times

TheFivePips (Most Recent) 2 months ago
If the amusement park owner is prioritizing customer convenience, then a "Low FRR" (False Rejection Rate) is indeed the preferred option. A low FRR means that the system is less likely to reject valid customers, reducing the inconvenience for legitimate ticket holders. This aligns with the owner's priority of providing a convenient experience for customers, even if it means accepting a slightly higher risk of potentially unauthorized users gaining access.
upvoted 1 times

Broflovski 3 months, 2 weeks ago
convenience over security = FRR (False Rejection Rate)
security over convenience = FAR (False Acceptance Rate)
upvoted 1 times

cyberbb 5 months, 1 week ago
real answer is C
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
In this scenario, where the amusement park owner values customers' convenience over security, the security team should prioritize a biometric system with a low False Rejection Rate (FRR). The False Rejection Rate is the percentage of legitimate users who are incorrectly denied access by the biometric system. A low FRR means that the biometric system is more lenient in accepting valid fingerprints, reducing the likelihood of customers experiencing inconvenience due to frequent false rejections. While this may slightly compromise security by allowing some potential ticket sharing, it aligns with the park's focus on customer convenience.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
The False Rejection Rate (FRR) measures the likelihood of a biometric system incorrectly rejecting a valid user. A low FRR means that the system will have fewer instances of denying access to legitimate customers, minimizing inconvenience for park visitors. While security is still important, in this particular case, the park owner's preference for customer convenience takes precedence. By prioritizing a low FRR, the security team can prioritize a seamless and user-friendly experience, ensuring that valid customers are not mistakenly rejected when trying to access the park.
upvoted 1 times

BevMe 8 months, 3 weeks ago
Selected Answer: C
Low FRR minimizes customer inconvenience while maintaining an acceptable level of security.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. False Acceptance Rate means you are falsely accepting unauthorized users; therefore, the park owner wants to prioritize convenience over security. This will allow for convenience. FRR would be falsely rejecting authorized users, which would impact convenience.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
C. Changing answer to Low FRR: as you decrease the false rejection rate you will increase the rate of false acceptance, therefore more convenience.
upvoted 1 times

i_m_Jatin 11 months, 1 week ago
Low FRR is a good answer
upvoted 1 times

Sklark 1 year, 2 months ago
Could you imagine the uproar of a zoo storing fingerprint data?
upvoted 6 times

J_Ark1 1 year, 1 month ago
yes all the habitats and species going bananas in their enclosures lol
upvoted 5 times

Tjank 1 year, 3 months ago
Selected Answer: C
FAR (False Acceptance Rate)
FRR (False Rejection Rate)
CER (Crossover Error Rate) AKA EER (Equal Error Rate)
Since he is willing to sacrifice security for customer service. The best way to understand this is: FAR has to go up in order for FRR to go down. Typical business practice is in the middle of both, which would be near the CER.
upvoted 1 times

banditring 1 year, 3 months ago
why would an amusement park even do this?
upvoted 3 times

darklion 9 months ago
universal does this
upvoted 1 times

RobV 1 year, 2 months ago
Disneyworld fingerprint verifies guests.
upvoted 3 times

RonWonkers 1 year, 3 months ago
For the same reason some dude in a math test buys 50 watermelons
upvoted 26 times

gladtam 9 months, 2 weeks ago
This is hilarious hahaha
upvoted 1 times

banditring 1 year, 3 months ago
touche lol
upvoted 1 times

Wutan 1 year, 3 months ago
awesome :D
upvoted 1 times

varun0 1 year, 4 months ago
Low CER?
upvoted 2 times

varun0 1 year, 4 months ago
Disregard this
upvoted 1 times

Topic 1 Question #51
Which of the following organizations sets frameworks and controls for optimal security configuration on systems?
A. ISO
B. GDPR
C. PCI DSS
D. NIST
Correct Answer: D
Community vote distribution: D (89%), other (11%)

Tjank (Highly Voted) 1 year, 3 months ago
Both ISO and NIST have frameworks for standards. When searching parts of the question "sets frameworks and controls for optimal security configuration" only NIST came up specifically. I personally hate these type of questions as I would utilize both to build from.
upvoted 21 times

LePecador 5 months, 3 weeks ago
I would choose NIST just because the question is stating "frameworks" not "standards" (ISO is a standard). I know it's weird, but CompTIA is equally weird with these vague questions
upvoted 7 times

rodwave 1 year, 1 month ago
Agreed, not a huge fan of the question either. The question only mentions security, which both ISO and NIST would cover, but I would lean towards NIST as it's specifically for improving cybersecurity.
upvoted 5 times

varun0 (Highly Voted) 1 year, 4 months ago
Selected Answer: D
NIST I guess
upvoted 19 times

Teleco0997 (Most Recent) 1 month, 2 weeks ago
Selected Answer: D
Besides the word framework and not standard to differentiate between NIST and ISO; when it comes to security configuration on systems specifically, NIST is often more directly associated with detailed guidelines and controls. NIST's Special Publication 800-53 (which is mentioned in the official study guide), for example, provides a comprehensive catalog of security controls for federal information systems and organizations. So, ISO addresses broader aspects of information security, but NIST is often considered more focused on providing detailed security configurations and controls
upvoted 1 times

Dogeo 2 months, 2 weeks ago
NIST is USA-specific; if the question doesn't specify, how are we supposed to know/guess?
upvoted 1 times

sujon_london 5 months ago
Selected Answer: D
Once security is mentioned, that should be reckoned: it's NIST
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
NIST (National Institute of Standards and Technology) is the organization that sets frameworks and controls for optimal security configuration on systems. NIST is a non-regulatory agency of the United States Department of Commerce and plays a significant role in developing standards and guidelines for various aspects of information security, including cybersecurity best practices and security configuration.
upvoted 6 times

Tiazzed 5 months, 2 weeks ago
I think it's NIST
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: D
The organization that sets frameworks and controls for optimal security configuration on systems is NIST (National Institute of Standards and Technology). NIST provides guidelines, standards, and best practices for various aspects of cybersecurity, including security configuration management. Their publications, such as the NIST Special Publication 800-53, provide detailed controls and recommendations for securing information systems and protecting sensitive data. ISO (International Organization for Standardization) develops and publishes international standards for various industries, including cybersecurity, but it does not specifically focus on security configuration management.
upvoted 3 times

JAMBER 7 months, 2 weeks ago
Selected Answer: D
Very vague question for such broad-reaching organizations. I went with D - NIST, but ISO seemed very likely as well.
upvoted 1 times

goodmate 9 months, 2 weeks ago
National versus international. Some frameworks are used within a single country (and referred to as national frameworks), while others are used internationally. As an example, NIST created the Cybersecurity Framework, which focuses on cybersecurity activities and risks within the United States. In contrast, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) create and publish international standards. For example, ISO/IEC 27002 provides a framework for IT security. Source: Darril Gibson, CompTIA Security+ SY0-501 Study Guide, page 690
upvoted 2 times

Omi0204 10 months ago
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/security-frameworks/ NIST answer would be D
upvoted 1 times

ronniehaang 11 months, 1 week ago
Selected Answer: D
D. NIST (National Institute of Standards and Technology) sets frameworks and controls for optimal security configuration on systems. NIST provides guidelines, standards, and best practices for information security, including the development of security configuration baselines for various technologies, such as operating systems and applications.
upvoted 3 times

DALLASCOWBOYS 11 months, 1 week ago
D. NIST (National Institute of Standards and Technology) is the standard used by organizations to establish fundamental controls and processes needed for optimum cybersecurity
upvoted 2 times

i_m_Jatin 11 months, 1 week ago
National Institute of Standards and Technology
upvoted 1 times

[Removed] 11 months, 3 weeks ago
Selected Answer: D
https://sopa.tulane.edu/blog/NIST-cybersecurityframework#:~:text=The%20National%20Institute%20of%20Standards,and%20how%20it%20is%20implemented.
upvoted 1 times

shitgod 1 year ago
The quality of this question is quite low...
upvoted 9 times

Knowledge33 1 year, 2 months ago
Selected Answer: D
ISO is for all standards, not only security, whereas NIST is only related to security.
upvoted 5 times

housecoatjapan 9 months, 3 weeks ago
Not true, but just memorize it. The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards.
upvoted 1 times

Topic 1 Question #52
An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?
A. Logic bomb
B. Cryptomalware
C. Spyware
D. Remote access Trojan
Correct Answer: A
Community vote distribution: A (100%)

cozzmo (Highly Voted) 1 year, 4 months ago
Logic bomb: a set of instructions secretly incorporated into a program so that if a particular condition is satisfied they will be carried out, usually with harmful effects.
upvoted 21 times

varun0 1 year, 4 months ago
Agreed
upvoted 3 times

rodwave (Highly Voted) 1 year, 1 month ago
Selected Answer: A
Answer: Logic Bomb
A logic bomb is inserted code that will intentionally set off a malicious function when specified conditions are met. In this question, the logic bomb could be related to when the CFO logs in as no other user is experiencing this issue.
================================== Helpful info: Cryptomalware - A type of ransomware that will encrypt user's files and demand a random Spyware - a form of malware that hides on your device, monitors activity and steals sensitive information. Remote Access Trojan (RAT) - malware an attacker uses to remotely control an infected computer upvoted 16 times Protract8593 Most Recent 5 months, 2 weeks ago Selected Answer: A A logic bomb is a type of malicious code that is intentionally inserted into a system or software application with the purpose of executing a malicious action at a specific time or when certain conditions are met. In this scenario, the files with proprietary financial data are being deleted every time the Chief Financial Officer logs in to the file server, suggesting that the deletion is triggered by a specific action, which is characteristic of a logic bomb. upvoted 1 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A Based on the given scenario, the most likely type of malware causing this behavior is a logic bomb. A logic bomb is a type of malware that is programmed to execute a malicious action when specific conditions are met. In this case, the logic bomb is triggered when the Chief Financial Officer (CFO) logs into the file server, resulting in the deletion of the proprietary financial data. upvoted 1 times ronniehaang 11 months, 1 week ago Selected Answer: A A. Logic bomb is most likely causing this behavior. A logic bomb is a type of malware that triggers an action based on certain conditions. In this scenario, the files with proprietary financial data are being deleted every time the Chief Financial Officer logs in to the file server, which is a clear indication of a logic bomb in action. This type of malware is designed to cause harm to a target system and can have devastating effects, including data loss and system shutdown. upvoted 2 times DALLASCOWBOYS 11 months, 1 week ago A. Logic bomb. 
Attack is triggered when certain conditions are met.
upvoted 1 times

xxxdolorxxx 11 months, 2 weeks ago
Selected Answer: A
I'm saying A. Circumstance happens when a specific set of sequences takes place, i.e. Logic Bomb.
B. Cryptomalware (No mention of crypto here)
C. Spyware (No mention of spying or specific ads)
D. Remote access Trojan (Not really applicable here)
upvoted 1 times

nobodyridesforfree 1 year, 2 months ago
Selected Answer: A
Logic Bomb is correct as it requires a specific action to occur.
upvoted 1 times

alayeluwa 1 year, 2 months ago
Selected Answer: A
Logic bomb
If user-account = chief-financial-officer; Execute bla bla bla
upvoted 3 times

Fastytop 1 year, 2 months ago
Logic bomb is not a type of malware!!!
upvoted 1 times

VendorPTS 1 year, 3 months ago
Selected Answer: A
Logic bomb. Occurs upon meeting preset criteria (e.g. a particular user logging on).
upvoted 1 times

Gravoc 1 year, 3 months ago
Logic bomb. When set criteria/conditions are met, something happens. The condition in this case is the files being accessed = erase.
upvoted 1 times

Topic 1 Question #53
A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?
A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.
Correct Answer: B
Community vote distribution B (98%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: B
Answer: Attempt to quarantine all infected hosts to limit further spread.
As soon as the malware was identified, the incident response began. The steps for incident response are:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
In the scenario, the malware has already been identified, which means that we are past the Identification step. The next step would be to begin containment so as to limit the amount of damage the malware can cause, so quarantining infected hosts would be the best option here.
upvoted 17 times

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: B
Quarantine to limit further spread
upvoted 16 times

Roosey Most Recent 5 months ago
Selected Answer: B
Quarantine
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
When a security analyst identifies malware spreading through the corporate network and activates the Computer Security Incident Response Team (CSIRT), the immediate next step should be to attempt to quarantine all infected hosts to limit further spread of the malware. Quarantining infected hosts can help contain the malware and prevent it from infecting other systems on the network.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
When a security analyst has identified malware spreading through the corporate network and activated the Computer Security Incident Response Team (CSIRT), the next step would be to attempt to quarantine all infected hosts to limit further spread. This is crucial to prevent the malware from infecting more systems and potentially causing additional damage.
upvoted 1 times

RileyG 7 months, 3 weeks ago
Selected Answer: B
The sensible next step is to isolate the malware to prevent spread. AKA quarantine the incident.
upvoted 1 times

Jacs 8 months, 3 weeks ago
Selected Answer: C
Could be C because the plan was already activated and one phase included in the IRP states that the threat must be identified and contained, which means trying to avoid spreading the virus to the entire company. Then the next logical step must be to reimage the infected PCs.
upvoted 1 times

RevolutionaryAct 4 months ago
Nope, all that has happened is that the malware was identified and CSIRT was notified:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat << You are here
3. Containment - Containing the threat << Need to go here
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems << Too far into the future
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
B. Quarantine to limit the spread
upvoted 1 times

JarnBarn 1 month ago
Nah, it's C for Cowboys suuck
upvoted 1 times

sauna28 1 year ago
Selected Answer: B
Phases in the Incident Response Plan
1. Preparation: The organization plans out how they will respond to an attack, this can involve:
2. Identification: Detecting and determining whether an incident has occurred.
3. Containment: Once a threat has been identified, the organization must limit or prevent any further damage.
4. Eradication: The removal of the threat
5. Recovery: Restoring systems affected by the incident
6. Lessons Learned: Where the organization reviews their incident response and prepares for a future attack
upvoted 2 times

lordguck 1 year, 2 months ago
This question is free for interpretation again :-( A is my bet, whereas B (containment)/C (recovery) could be right, too.
By activating the CSIRT his duties regarding containment and recovery could be fulfilled/handed over and the analyst goes to "lessons learnt".
upvoted 1 times

Jossie_C 1 year, 2 months ago
Nope. Step 4 isn't urgent, unlike quarantining. It's like COVID: quarantine everyone infected, which is containment, then figure out what happened.
upvoted 2 times

RonWonkers 1 year, 3 months ago
Selected Answer: B
Incident response cycle, step 2 identification > step 3 containment
upvoted 3 times

Topic 1 Question #54
During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating?
A. Reconnaissance
B. Command and control
C. Actions on objective
D. Exploitation
Correct Answer: C
Community vote distribution B (88%) 6%

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: B
Command and control (C2)—establishment of outbound communications from a victim system for secure communications between victim and adversary systems. Compromised hosts typically beacon out and await further instruction or exploit when higher order interaction or data exchange is required. This is the hallmark of advanced persistent threat (APT) attacks and data exfiltration.
upvoted 31 times

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: B
able to maintain a presence in the network = C2
upvoted 8 times

saucehozz Most Recent 1 month ago
Selected Answer: C
Ugh. Attacker already established C2. According to the cyber kill chain, the next step is taking action on the objectives. Think for yourself.
upvoted 1 times

Broflovski 1 month, 1 week ago
Selected Answer: B
Command and Control (C2 or C&C) - The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
upvoted 1 times

Cyberjerry 3 months ago
Selected Answer: B
In the scenario described, the adversary has already breached the network, and the incident response actions taken so far (applying rules to inbound traffic and implementing ACLs on critical servers) were likely aimed at detecting or blocking their initial intrusion. However, the adversary is still present and operating within the network, indicating that they have established command and control over compromised systems. They are in the "Command and control" stage of the Cyber Kill Chain, which involves maintaining control over compromised systems, communicating with them, and potentially exfiltrating data or carrying out further malicious activities.
upvoted 1 times

IT__noob 4 months, 3 weeks ago
While "Command and control" (answer B) is a valid consideration, the scenario you provided primarily indicates that the adversary has already bypassed the initial security measures and is maintaining a presence in the network. This aligns more closely with the "Actions on objective" stage, as they are actively carrying out their malicious activities. "Command and control" generally refers to the stage where the attacker establishes communication channels and controls compromised systems remotely. In your scenario, the attacker has already progressed beyond this stage by maintaining a presence and potentially interacting with the network. It's important to note that incident response and cyber threat scenarios can be complex, and stages might overlap or evolve. In the given context, "Actions on objective" seems to be the most appropriate stage based on the information provided.
upvoted 6 times

cybertechb 2 weeks, 3 days ago
So this cannot be actions on objective because it would force us to assume the overall objective was met; moreover we have to consider the fact that it is stated 'outbound traffic', which leans more towards C2 establishing communication channels.
upvoted 2 times

TreeeSon 3 months, 3 weeks ago
Actions on objective is assuming that the attacker has performed malicious actions. However, this isn't stated in the question. Although C seems logical, this is CompTIA; we CANNOT assume anything.
upvoted 5 times

daddylonglegs 2 months, 3 weeks ago
Thank you. The threat actor may be planning attacks on objectives, but until we see an indicator of this the only information we have is that the attacker still has a presence in the network and that communication is possible through outbound traffic.
upvoted 2 times

narensnair 4 months, 3 weeks ago
Selected Answer: C
The c2c is established, the team blocked all inbound ports, but no action was taken against outbound traffic that might originate from an affected endpoint. If the organization suspects the attack is still going on, that points to the next stage of action on objective, or data exfiltration, or any such malicious action.
upvoted 2 times

RevolutionaryAct 5 months ago
Selected Answer: C
If it was Command and Control, then the adversary could not communicate with the internal network from the outside; however, because they are in the network and affecting outgoing traffic they have completed actions on objectives: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
You misread the question. They aren't "affecting outgoing traffic". Outbound traffic is still allowed.
Meaning that whatever presence the attacker has in the network can initiate an outbound session with C2.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
In the scenario described, the adversary has already breached the network and is maintaining a presence. The fact that outbound traffic is not restricted allows the adversary to communicate with their command and control (C2) servers without hindrance. By maintaining this communication, the attacker can control and continue their operations within the network.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
In the given scenario, the incident response team implemented rules on inbound traffic and applied ACLs on critical servers. This indicates that the organization has taken measures to address the initial entry point and potential exploitation of their systems. However, the adversary is still able to maintain a presence in the network, suggesting that they are communicating and controlling their activities from within the network. The "Command and control" stage of the Cyber Kill Chain involves the adversary establishing communication channels and control mechanisms to manage their presence in the compromised environment. By maintaining this control, they can continue their malicious activities and work towards achieving their objectives, which may include data exfiltration, further network compromise, or other malicious actions.
upvoted 2 times

Abdul2107 8 months, 3 weeks ago
Selected Answer: B
Check this, it's clear: https://en.m.wikipedia.org/wiki/File:Intrusion_Kill_Chain_-_v2.png
upvoted 1 times

C_M_M 9 months, 2 weeks ago
Why not Action on Objective? They have locked out all inbound, so C2 is essentially blocked. Even though the malware can communicate with its control center, it's unable to receive commands when all inbound traffic is blocked.
However, if the malware is at the stage of Action on Objective, which often includes data exfiltration, just outbound traffic is enough for the malware to keep operating. I will go for Action on Objective.
upvoted 5 times

Vulturized 8 months, 1 week ago
You have answered your own question: "Action on Objective, which often includes data exfiltration". Does the test question state they have done any exfiltration or any other kind of action? No. Also, all incoming traffic being blocked does not mean they cannot communicate with the system at all. The compromised system can be the one to initiate the communication, and most of the time firewalls will allow incoming traffic if the session was initiated from inside outwards. Therefore, all the hackers would have to do is wait and listen on a port for the malware to connect to it. And then they will be able to do the next step, which would be Action on Objective.
upvoted 4 times

Nishkurup 9 months, 3 weeks ago
Selected Answer: B
Phases of the Cyber Kill Chain Process
Phase 1: Reconnaissance
Phase 2: Weaponization
Phase 3: Delivery
Phase 4: Exploitation
Phase 5: Installation
Phase 6: Command and Control
In Command & Control, the attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
Phase 7: Actions on Objective
In this stage, the attacker takes steps to carry out their intended goals, which may include data theft, destruction, encryption or exfiltration.
upvoted 6 times

EricShon 11 months, 1 week ago
Selected Answer: B
Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
upvoted 1 times

ronniehaang 11 months, 1 week ago
Selected Answer: B
The adversary is currently operating in the Command and Control (C2) stage of the Cyber Kill Chain. This stage is characterized by the adversary establishing and maintaining persistent access to the target network, often through outbound traffic. By maintaining a presence in the network, the adversary is able to receive instructions and exfiltrate data from the target network, even though inbound traffic is restricted.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
Another tricky answer, but B is the best answer as the question indicates the attacker still has a presence in the network. While the outbound port is still open for communication, which means the attacker still could exfiltrate data, which would suggest Actions on Objective, the question does not say the attacker is exfiltrating data.
upvoted 1 times

its_melly 1 year ago
Selected Answer: D
At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. https://www.usprotech.com/7-essential-steps-cybersecurity-kill-chainprocess/#:~:text=Step%205%3A%20INSTALLATION,maintain%20persistence%20inside%20the%20environment.
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
If the attacker is in the environment then they've already passed the exploitation phase.
upvoted 1 times

Topic 1 Question #55
A recent security breach exploited software vulnerabilities in the firewall and within the network management solution.
Which of the following will MOST likely be used to identify when the breach occurred through each device?
A. SIEM correlation dashboards
B. Firewall syslog event logs
C. Network management solution login audit logs
D. Bandwidth monitors and interface sensors
Correct Answer: A
Community vote distribution A (100%)

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: A
SIEM could tell when the breach occurred in the firewall AND in the network management solution
upvoted 32 times

stoneface 1 year, 4 months ago
I concur
upvoted 8 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: A
A SIEM (Security Information and Event Management) system is designed to collect, analyze, and correlate log and event data from various devices and applications across the network. In the context of the given scenario, a SIEM system would be the most appropriate tool to identify when the breach occurred through each device (firewall and network management solution). In contrast, SIEM correlation dashboards can aggregate and correlate logs from multiple sources, allowing security analysts to piece together the timeline of events and detect anomalies and potential breaches more effectively. This makes it the most appropriate option for identifying when the breach occurred through each device in the given scenario, according to the CompTIA Security+ SY0-601 exam objectives.
upvoted 3 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
SIEM correlation dashboards collect and analyze security event logs from various devices and systems within an organization's network, including firewalls and network management solutions. By aggregating and correlating these logs, the SIEM can identify patterns and anomalies that may indicate a security breach. This can help in pinpointing the timeframe in which the breach occurred through each device.
upvoted 1 times

MGMKING 9 months ago
SIEM (security information and event management) dashboards are the windows into the SIEM datastore, a collection of information that can tell you where attacks are occurring and provide a trail of breadcrumbs to show how the attacker got into the network and moved to where they are now. SIEM systems act as the information repository for information surrounding potential and actual intrusions. During an investigation, the SIEM system can provide a host of information concerning a user, what they have done, and so on. The fundamental purpose of a SIEM system is to provide alerts and relevant information to incident response teams that are investigating incidents. If something happens that initiates an investigation, and the SIEM system has no relevant information, then this suggests that the SIEM and its component elements need better tuning to provide meaningful surveillance of the system for potential problems.
upvoted 2 times

Topic 1 Question #56
Which of the following is the FIRST environment in which proper, secure coding should be practiced?
A. Stage
B. Development
C. Production
D. Test
Correct Answer: A
Community vote distribution B (87%) 10%

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: B
Development. The developer has to start writing secure code from the beginning itself.
Which will then be tested, staged and finally go to production.
upvoted 26 times

comeragh Highly Voted 1 year, 3 months ago
Selected Answer: B
Development, Testing, Staging, Production
upvoted 13 times

IrunNYnLA Most Recent 2 months ago
Selected Answer: B
Development stage
upvoted 1 times

IrunNYnLA 2 months ago
How is the answer not B, hmmm
upvoted 1 times

Cyberjerry 3 months ago
Selected Answer: B
Proper, secure coding practices should be applied from the very beginning of the software development process, which is the development stage.
upvoted 1 times

redrio6 3 months, 3 weeks ago
Selected Answer: B
Development. Secure coding should be practiced at all times. The only time practice code should be used is in an IDE away from the environment.
upvoted 1 times

RevolutionaryAct 5 months ago
Selected Answer: B
https://livecodestream.dev/post/development-testing-staging-production-whats-the-difference/#when-is-security-considered-in-the-applicationdevelopment-cycle
When Is Security Considered in the Application Development Cycle? Security should always be considered at any stage and in any environment. This means that developers need to think about security when they are coding, and they should also be aware of the potential risks of the libraries and frameworks they are using.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
In the software development lifecycle, secure coding practices should be implemented and practiced from the very beginning, which is the development stage. This ensures that security is built into the software from its inception and throughout the development process. By integrating security practices early in the development phase, potential vulnerabilities can be identified and addressed before the software moves on to other stages like testing, staging, or production. This approach helps reduce the risk of security flaws and ensures that the final product is more secure.
upvoted 3 times

Haykinz 5 months, 3 weeks ago
Selected Answer: A
Laying emphasis on the proper, secure coding. I'll code A over B. A staging environment is very similar to a production environment, but it is used for testing purposes before the application is launched in production. This environment tries to simulate as much as possible the final production environment, so tests in staging are more accurate (PROPER) than tests done in development.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
How does that make sense? You don't start coding in staging environments.
upvoted 3 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
The Development environment is where software applications and systems are built and coded. It is the initial stage of the software development life cycle (SDLC) where developers write, test, and debug code. Implementing secure coding practices in the Development environment helps to ensure that security considerations are integrated from the early stages of application development. By following secure coding practices during development, such as input validation, secure data handling, and proper use of encryption, developers can mitigate common vulnerabilities and weaknesses that could be exploited in later stages. This proactive approach reduces the likelihood of introducing security flaws and weaknesses that can lead to security breaches and incidents in subsequent environments like Testing, Staging, and Production.
upvoted 1 times

Givemore 6 months, 2 weeks ago
Selected Answer: B
Development
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
The FIRST environment in which proper, secure coding should be practiced is the development environment, option B.
It is important to implement secure coding practices from the beginning of the software development process, as it is more cost-effective to address security issues early in the development lifecycle rather than later in production or post-production. Secure coding practices can help prevent security vulnerabilities such as injection attacks, buffer overflows, and cross-site scripting. While testing, staging, and production environments are important for ensuring the functionality and stability of the code, secure coding practices should be implemented from the start in the development environment to ensure a strong foundation for the software. (ChatGPT generated answer)
upvoted 2 times

Omi0204 10 months ago
B
Secure coding is more than just writing, compiling, and releasing code into applications. To fully embrace secure programming, you also need to create a secure development environment built on a reliable and secure IT infrastructure using secure hardware, software, and services and providers.
upvoted 2 times

princajen 10 months ago
Selected Answer: D
B. Development
Testing and staging are important steps in the software development life cycle, but they come after the development stage, and should not be the first environments where secure coding is practiced.
upvoted 1 times

geekneek 10 months, 3 weeks ago
Selected Answer: B
B. Development: Proper, secure coding practices should be implemented and followed in the development environment first. This is because it is during the development phase that the code is written and tested before it is deployed to production. By incorporating secure coding practices during development, vulnerabilities and potential security threats can be identified and addressed before the code is deployed to production, reducing the risk of security incidents.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
B. Development, which is the 1st step, and secure coding practices should be used in all phases.
upvoted 1 times

Topic 1 Question #57
A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?
A. Public
B. Community
C. Hybrid
D. Private
Correct Answer: C
Community vote distribution C (73%) D (21%) 6%

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: C
Hybrid cloud, since internal network and cloud computing are combined
upvoted 22 times

T_dawg 10 months ago
Hybrid is private and public cloud, not private cloud and internal network. D. Private
upvoted 4 times

cybertechb 2 weeks, 3 days ago
In a hybrid cloud model, organizations use a combination of on-premises (local) infrastructure and cloud services. In this scenario, the cloud service provider allows customers to connect their existing local networks to the cloud to access additional computing resources. However, the internal HR applications are blocked from reaching the cloud, indicating a hybrid approach where certain services or applications remain on-premises.
Private (Option D): In a private cloud, infrastructure is used exclusively by a single organization. It may be hosted on-premises or by a third-party provider, but the resources are dedicated to that organization.
In this scenario the customers also have access to the cloud, therefore rendering the answer not D but C. Hybrid
upvoted 1 times

Bryanvm28 1 month, 1 week ago
T_dawg That's not correct, hybrid refers to the model where you are using your own infrastructure on premises combined with services or infrastructure in the cloud, reference: https://aws.amazon.com/what-is/hybridcloud/#:~:text=Hybrid%20cloud%20is%20an%20IT,your%20applications%20across%20multiple%20environments. Hybrid Cloud is the correct option here
upvoted 1 times

okay123 Highly Voted 1 year, 1 month ago
Selected Answer: C
See, because they mentioned internal HR + External Customers = Hybrid
upvoted 11 times

RevolutionaryAct 5 months ago
No mention of the word "external", so it could be the onsite client, making it private
upvoted 2 times

MortG7 2 months, 1 week ago
Local network is private... you connect it to a cloud network, which is a public network, and you end up with a private network? Really?
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
The word "customer" for a CSP implies that they are external. What would an "internal customer" for a CSP even be?
upvoted 1 times

ADVWTR Most Recent 1 month, 3 weeks ago
Selected Answer: D
Hybrid Environment - Cloud + On Premises computing
Hybrid Cloud Environment - 1 type of cloud + 1 type of cloud
upvoted 1 times

MortG7 2 months, 1 week ago
Local Network + Cloud Network = hybrid
upvoted 3 times

Synnister 2 months, 2 weeks ago
Selected Answer: C
The scenario also mentions that internal HR applications are blocked from reaching the cloud, which indicates that some resources and applications are kept within a private network, further supporting the hybrid cloud model.
upvoted 3 times

Thurams 2 months, 3 weeks ago
The cloud model described in the scenario is "Hybrid."
In a hybrid cloud model, an organization combines its private cloud (on-premises) with a public cloud, allowing data and applications to be shared between them. In this specific case, the organization is connecting its local network (private cloud or on-premises environment) to the cloud (public cloud) to access additional computing resources. At the same time, it is implementing controls to block specific internal applications from reaching the cloud, indicating a hybrid approach with a mix of on-premises and public cloud resources.
upvoted 2 times

Cyberjerry 3 months ago
Selected Answer: C
In a hybrid cloud model, an organization can connect its existing on-premises (local) infrastructure to cloud resources provided by a cloud service provider. This allows the organization to leverage cloud computing resources while still maintaining some control over their internal network and applications. In the scenario described, where the cloud environment is connected to the local network, and certain internal HR applications are blocked from reaching the cloud, a hybrid cloud model is being used.
upvoted 1 times

AmesCB 5 months, 1 week ago
ChatGPT says: In a Hybrid Cloud environment, a cloud service provider offers a combination of both private and public cloud services. It allows customers to connect their existing local networks (private cloud) to the cloud provider's infrastructure (public cloud) for additional computing resources, scalability, and flexibility.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
The scenario described in the question, where customers connect their existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud, is an example of a hybrid cloud model. A hybrid cloud model combines both private and public cloud services, allowing organizations to take advantage of the benefits of both environments.
In a hybrid cloud model, certain applications and data can be kept in a private cloud, which offers greater control, security, and customization, while other applications and data can be hosted in the public cloud, which provides scalability and cost-efficiency. The two environments are connected through encrypted and secure connections, enabling seamless data exchange between them while maintaining the necessary security and access controls.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
The Hybrid cloud model combines both public and private cloud environments to meet specific business requirements. In this case, the cloud service provider has created an environment where customers can connect their existing local networks (private cloud) to the cloud provider's infrastructure (public cloud) for additional computing resources. The mention of blocking internal HR applications from reaching the cloud suggests that there is a separation between the customer's private network and the resources available in the cloud. This is a characteristic of the Hybrid cloud model, where certain sensitive or critical applications and data are kept within the private cloud, while utilizing the scalability and flexibility of the public cloud for other non-sensitive workloads.
upvoted 1 times

yummysec 7 months, 3 weeks ago
Selected Answer: C
I think C is the correct answer. In my opinion a hybrid solution is a mix of on-prem and hybrid.
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
The cloud model being used in this scenario is option C, hybrid cloud. A hybrid cloud is a combination of two or more cloud deployment models, typically a mix of private, public, and/or community clouds, that remain unique entities but are bound together by standardized technology.
In this scenario, the cloud service provider is providing a way for customers to connect their existing local networks (which would typically be private clouds) to the cloud service (which could be a public or community cloud) for additional computing resources. This is an example of a hybrid cloud deployment. Additionally, the provider is also blocking internal HR applications from reaching the cloud, which is a common security practice in a hybrid cloud environment where sensitive applications and data are kept on-premises to provide additional control and security.
upvoted 1 times

SHAKERRAB93 8 months, 3 weeks ago
A customer utilizing the service provided by the 3rd-party SP would be using a public local network; the SP is providing the ability to block HR from reaching the network, providing the client with a private environment?
Public networks = large amount of users (employees)
Private network = restricted user access (HR)
Public + private = Hybrid
I might be wrong, let me know.
upvoted 2 times

FreK 8 months, 4 weeks ago
The cloud model being used in this scenario is Hybrid cloud. Hybrid cloud is a cloud computing environment that combines a private cloud environment (i.e., on-premises data center) with one or more public cloud environments (i.e., third-party cloud service providers). In a hybrid cloud environment, the private and public cloud environments are integrated, and data and applications can be shared between them. In this scenario, the cloud service provider has created an environment that allows customers to connect their existing local networks (i.e., private cloud) to the cloud service provider's environment (i.e., public cloud) for additional computing resources. This integration between the private and public cloud environments is characteristic of a hybrid cloud environment.
Additionally, the cloud service provider has blocked internal HR applications from reaching the cloud, which is an example of how security can be managed in a hybrid cloud environment. By limiting access to certain applications and data, organizations can maintain control over sensitive information while still leveraging the benefits of cloud computing.
upvoted 1 times

Confuzed 8 months, 4 weeks ago
Selected Answer: A
I'm going to swim against the current here. Connecting your private network to the cloud does not make it a private cloud. AWS is a public cloud provider, and has tons of customers who connect their private networks to it. For this to be a private cloud, the vendor would have had to create multiple environments (one per customer), not 'an' environment. The fact that the customers can block HR applications is irrelevant. I could do that all day long on AWS, Azure, or GCP and it doesn't make it private or hybrid. Therefore, this is a public cloud provider.
upvoted 4 times

ProdamGarazh 1 month, 3 weeks ago
Agree with you! The cloud service is provided for multiple customerS, so it cannot be private. It doesn't say that customers share common concerns, so it cannot be community. And I don't see how the ability to block access can make a cloud hybrid.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Private local network + cloud resources = hybrid
upvoted 1 times

Kraken84 5 months ago
"for additional computing resources" should be the giveaway.
upvoted 1 times

Dutch012 8 months ago
Agree with ya, I was surprised by their answers.
upvoted 1 times

arrowphoto7604493ahmed 9 months, 1 week ago
Selected Answer: C
The cloud service provider in this scenario is providing an environment that allows customers to connect their existing local networks to the cloud for additional computing resources.
At the same time, the provider is also blocking internal HR applications from accessing the cloud, which indicates that the cloud environment is not fully open to the public. Therefore, the cloud model being used in this scenario is a hybrid cloud. Hybrid cloud is a cloud computing model that combines public cloud and private cloud infrastructure, allowing data and applications to be shared between them. In this case, the local network of the customer is a private cloud, and the cloud environment provided by the service provider is a public cloud. The combination of these two clouds makes a hybrid cloud.
upvoted 2 times

JagamonFiya 10 months, 2 weeks ago
Was anyone else looking for RodWave's opinion/explanation on this?
upvoted 7 times

gladtam 9 months, 2 weeks ago
Yes, where did he go? Lol
upvoted 1 times

Topic 1 Question #58
An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?
A. Test
B. Staging
C. Development
D. Production
Correct Answer: C
Community vote distribution D (86%) Other (10%)

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: D
LAST place to deploy the patch is production.
upvoted 23 times

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: D
Production should be the last place to apply patches, as you have already tested properly.
upvoted 12 times

Cruzan Most Recent 1 month, 3 weeks ago
Selected Answer: D
In a typical software development lifecycle, patches or updates are first applied in development, then tested in the test environment, and finally moved to staging for further validation.
Production is the last environment where updates are applied to ensure that they are stable and won't cause disruptions to live services.
upvoted 1 times

goodmate 2 months, 2 weeks ago
Answer B
A staging environment is very similar to a production environment, but it is used for testing purposes before the application is launched in production. This environment tries to simulate as much as possible the final production environment, so tests in staging are more accurate than tests done in development. The staging environment should have the same server configuration, database, caching system, and so on, that will be used in production. This way, you can find and fix potential problems before the application goes live. https://livecodestream.dev/post/development-testing-staging-production-whats-the-difference/#what-is-a-staging-environment
upvoted 1 times

MortG7 2 months, 1 week ago
goodmate, LAST means LAST, not one before last. It is production, my friend. Staging is NOT last... it resembles prod, but it is NOT LAST... production is last.
upvoted 2 times

Sublime_Cheese 2 months, 3 weeks ago
Super awkward question. CompTIA be like, where does your last name go? At the end of your name.
upvoted 3 times

Thurams 2 months, 3 weeks ago
Dev-Testing-Staging-Prod... So, the correct order for deploying a patch is Development, Test, Staging, and Production. Therefore, the patch should be deployed LAST in the Production environment.
upvoted 2 times

LLuis_L 3 months ago
You first want to start on your dev environment! Then have your QA confirm the fix, then move it up!
upvoted 1 times

Afel_Null 3 months ago
This question is nonsense. If this is a critical vulnerability, it needs to be applied AT ONCE. So you test it, and if it works, then immediately deploy.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
It still needs to be tested before being deployed to production to ensure that it doesn't break the application or create a more severe vulnerability.
upvoted 2 times

BlackSpider 3 months, 2 weeks ago
Selected Answer: D
The correct answer is: D. Production
In a typical software development lifecycle, patches or updates are first applied in development, then tested in the test environment, and finally moved to staging for further validation. Production is the last environment where updates are applied to ensure that they are stable and won't cause disruptions to live services.
upvoted 1 times

J0EL 3 months, 2 weeks ago
Selected Answer: A
A. Test
Deploying patches should always start with the testing environment before deployment to the production environment. Testing provides an opportunity to evaluate the impact of the patch on the intended systems and also ensures that the patch is working as intended. The testing environment should replicate the production environment as closely as possible, including hardware and software configurations, network topology, and any other relevant factors that may affect the application's functionality. Once the patch has been successfully tested, it can be deployed to the staging and production environments following established change control procedures.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
The question asks which environment to deploy to LAST. You want to test the change after pushing it to production?
upvoted 1 times

malibi 4 months ago
Selected Answer: C
Rephrasing the question, it's like: where would you last apply a patch? You will not apply a patch in the development stage, right? You can apply a patch during staging, you can apply a patch during testing and/or during production...
but you will most likely not apply a patch during development! This is the last thing you would do!
upvoted 1 times

Mima08 2 weeks, 3 days ago
Yeap, production should be first because it is the most vulnerable.
upvoted 1 times

RevolutionaryAct 4 months ago
You would still need to go through change management and such, and test to make sure it doesn't break your systems, so no, Production.
upvoted 1 times

koolkids4life 4 months, 3 weeks ago
It's Production.
upvoted 1 times

Kraken84 5 months ago
BARD: "The patch should be deployed to the production environment last. This is because the production environment is the most critical environment and should only be patched after the patch has been thoroughly tested in the staging and testing environments."
upvoted 2 times

RevolutionaryAct 5 months ago
Selected Answer: C
https://livecodestream.dev/post/development-testing-staging-production-whats-the-difference/#when-is-security-considered-in-the-applicationdevelopment-cycle
When Is Security Considered in the Application Development Cycle? Security should always be considered at any stage and in any environment. This means that developers need to think about security when they are coding, and they should also be aware of the potential risks of the libraries and frameworks they are using.
upvoted 1 times

RevolutionaryAct 4 months ago
Whoops, wrong question this went to, I hate this site's setup. I meant to pick D Production.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
In the software development life cycle, the production environment is the last environment where changes, including patches, should be deployed. The software is fully developed, tested, and ready to be used by end-users in the production environment.
Deploying patches directly to the production environment without proper testing in lower environments (such as development, staging, and testing) can introduce risks and potentially disrupt critical operations. The idea behind deploying patches to lower environments first is to identify and mitigate any potential issues or conflicts with existing systems, so that the production environment remains stable and secure.
upvoted 1 times

JohanLondon 6 months ago
Beta testing: In this testing environment, the software is released to a limited number of real-world users outside the organization to obtain their feedback, which is then forwarded back to developers to optimize and improve the release as needed before releasing to all users.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: D
Once the patches have been tested and verified in these lower environments, they can be deployed in the Production environment. The Production environment is the live or operational environment where the application is used by end-users or customers. It is crucial to ensure that the patches have been thoroughly tested and verified before deploying them in the Production environment to minimize any potential disruptions or issues.
upvoted 1 times

Topic 1 Question #59
An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider?
A. Purchasing hardware from different vendors
B. Migrating workloads to public cloud infrastructure
C. Implementing a robust patch management solution
D. Designing new detective security controls
Correct Answer: B
Community vote distribution A (82%) Other

Gravoc Highly Voted 1 year, 3 months ago
Don't let this one trip you up. A seems to be too easy of an answer, but it's A. Part of the reason it tripped me up is anytime I learned about vendor diversity, it was always in the context of anti-malware, SIEM, NIDS, etc. Never dawned on me that vendor diversity also applies to physical hardware, but it makes sense. Vendor diversity is a part of the Swiss cheese model, or defense-in-depth. Having your production server and your backup server running identical configurations means that there are two perfectly aligned holes in the Swiss cheese model, meaning the integrity of the backup server cannot be trusted in the event of an attack that damages or shuts down the production server. Different hardware is a defense layer that gives the defenders a buffer time to get their operation back in order, and defend against potentially inbound attacks on the backup server.
upvoted 16 times

Strykar Highly Voted 1 year, 3 months ago
Selected Answer: A
It's A. Who's answering these questions?
upvoted 7 times

Demilitarized_zone 1 year, 2 months ago
Help me ask please... I feel the owners of this platform should get professionals to answer these questions. Many of the answers are clearly wrong.
upvoted 4 times

Kraken84 5 months ago
They need to be, for this to not be TOO perfect of a place to join and DISCUSS all these wonderful questions.
upvoted 3 times

Secplas 1 month, 3 weeks ago
Especially that many people tout this platform around as one that helped them pass the exam. Some of the votes are emotionally placed.
upvoted 1 times

Ggonza3 1 year, 1 month ago
I think that they're not allowed to outright post the correct answers, hence why this website is community based.
upvoted 8 times

fiela1 Most Recent 2 days, 14 hours ago
The answer is A; this is about vendor diversity, which is an example of security in depth.
upvoted 1 times

Thurams 2 months, 3 weeks ago
The answer is A, and D is also a good one to consider here. Implementing additional detective security controls can help identify vulnerabilities and threats. This can include intrusion detection systems, security information and event management (SIEM) solutions, and other monitoring tools that can detect and alert on suspicious activities.
upvoted 1 times

Cyberjerry 3 months ago
Selected Answer: A
To ensure that the new backup server rooms are not susceptible to the same vulnerabilities as the existing server room, it's a good practice to diversify the hardware vendors. This approach reduces the risk of common vulnerabilities affecting all systems in the same way. Different vendors may use different hardware designs, software stacks, and security configurations, which can provide a level of diversity and defense in depth.
upvoted 2 times

Dtimap 3 months, 2 weeks ago
Selected Answer: A
B cannot be correct. The question states they are purchasing and building new server rooms. Hence, utilizing a cloud for data storage conflicts with the statement that they are purchasing their own equipment and creating their own physical facility. Go with A.
upvoted 1 times

RevolutionaryAct 5 months ago
Selected Answer: A
It's A because you have no idea what the public cloud is using, no right to audit, no right to patch, no right to run scans, etc., and for all you know they are using the same hardware as you and you have zero control over it, as opposed to buying your own hardware.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
The organization is building backup server rooms in geographically diverse locations to enhance redundancy and business continuity. The Chief Information Security Officer (CISO) wants to ensure that the new hardware in these backup server rooms does not have the same vulnerabilities as the existing server room. To address this requirement, the systems engineer should consider designing new detective security controls. Detective controls are designed to identify and detect potential security incidents or vulnerabilities. By implementing new detective controls in the backup server rooms, the organization can continuously monitor for any vulnerabilities that might exist in the hardware or software and take appropriate actions to mitigate them. Why it's not A according to ChatGPT (which has been fed the CompTIA Security+ SY0-601 exam objectives and is insistent that D is the correct answer for this question):
upvoted 2 times

MortG7 2 months, 1 week ago
Tell ChatGPT it is wrong. Ask ChatGPT how many physical rooms you can build in the cloud.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
So sick of the ChatGPT answers here. Are you going to learn to think critically, or are you going to ask ChatGPT for everything for the rest of your life? A detective control will detect potential malicious activity, that's it. It will not ensure that a piece of hardware is or isn't susceptible to the same vulnerabilities as a different piece of hardware. The only way to do that is to do research on your hardware and your vendors. Sooner or later you will have to realize that ChatGPT isn't a genie in a bottle. It doesn't know the answer to everything, despite how insistent it is that it does.
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Option A, which suggests purchasing hardware from different vendors to ensure vendor diversity, may indeed provide some level of protection against vulnerabilities that are specific to a particular vendor's hardware or software. Vendor diversity can reduce the risk of a single point of failure and can introduce variations in security implementations across different products. However, the CISO's requirement is specifically focused on ensuring that the new hardware in the backup server rooms is not susceptible to the same vulnerabilities as the existing server room. While vendor diversity can be a valuable strategy for increasing overall resilience, it does not guarantee that all the hardware from different vendors will be free from the same vulnerabilities present in the existing environment.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Vulnerabilities can arise from various sources, such as misconfigurations, software bugs, or design flaws, and they may exist across multiple vendors' products. Therefore, relying solely on vendor diversity to address the CISO's requirement may not be sufficient. Designing new detective security controls, as mentioned in option D, can be a more proactive and comprehensive approach to address the specific requirement. These controls will continuously monitor and detect vulnerabilities or potential security issues in the new hardware, regardless of the vendor. By doing so, the organization can take appropriate actions to mitigate any risks effectively. In summary, while vendor diversity can be part of an overall security strategy, it may not fully address the CISO's requirement to ensure that the new hardware in the backup server rooms is not susceptible to the same vulnerabilities as the existing server room. Therefore, designing new detective security controls would be a more direct and suitable approach to meet the specified requirement.
upvoted 1 times

Dan_26 7 months, 2 weeks ago
They're BUYING hardware. You rent in the cloud. So the answer is A. Buy it from someone else. A Palo Alto firewall will have different problems than a Fortigate, as an example. An Aruba switch will be different from a Cisco.
upvoted 3 times

McLobster 9 months ago
"An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider?" The question itself gives away the answer: it mentions "the new hardware" cannot be susceptible... So pretty much get different hardware. The answer is A.
upvoted 1 times

Saphi 9 months, 2 weeks ago
"An organization is building backup server rooms" The exact reason why it can't be C. I agree that Cloud would be the most resilient to downtime, but the point is that if they're building a new server room it has to be A.
upvoted 1 times

MasterControlProgram 10 months ago
Selected Answer: A
To ensure that the new hardware is not susceptible to the same vulnerabilities as the existing server room, the systems engineer should consider purchasing hardware from different vendors. This approach will increase the likelihood that any vulnerabilities present in the existing hardware will not be present in the new hardware.
upvoted 1 times

princajen 10 months ago
Selected Answer: C
C. Patch management
This is because vulnerabilities can exist in hardware from any vendor, and purchasing hardware from different vendors does not guarantee that vulnerabilities will not be present in the new backup server rooms.
upvoted 1 times

z3phyr 9 months, 1 week ago
The requirement is to avoid the *same* vulnerabilities that exist with the current hardware. Purchasing hardware from a different vendor may introduce new vulnerabilities, but if so they would almost certainly be different ones.
upvoted 1 times

ThomasKong 10 months, 3 weeks ago
Purchasing hardware from different vendors, what does it relate to below? "susceptible"? "same vulnerabilities in the existing server room"? Can changing vendor add more safety percentage to HA? I will go with B. Cloud.
upvoted 1 times

CTE_Instructor 10 months, 1 week ago
The organization is already building new server rooms, so putting your backups on the cloud is not necessary. If there is a vulnerability in Unifi equipment or Palo Alto equipment, then having another vendor's equipment that does not have that same vulnerability will increase defense in depth. Don't put all your eggs in one basket.
upvoted 1 times

brewoz404sd 11 months, 1 week ago
The answer is C, not A at all! Different HW does nothing to mitigate failure or vulnerabilities. Migrating some infrastructure/workloads to cloud mitigates the SAME failure/vulnerabilities as the previous DC. C!
upvoted 2 times

[Removed] 11 months, 3 weeks ago
Selected Answer: A
"new hardware cannot be susceptible to the same vulnerabilities in the existing server room"
upvoted 2 times

jhfdkjshfkjdsho 1 year ago
Selected Answer: B
Different vendors can use similar chips. It says "geographically diverse locations". That is why the cloud is the best solution.
upvoted 3 times

RevolutionaryAct 5 months ago
Except you have no idea what systems the public cloud uses, so no.
upvoted 1 times

Topic 1 Question #60
A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected. Which of the following is the security analyst MOST likely implementing?
A. Vulnerability scans
B. User behavior analysis
C. Security orchestration, automation, and response
D. Threat hunting
Correct Answer: B
Community vote distribution B (72%) C (27%)

Nirmalabhi Highly Voted 1 year, 1 month ago
Selected Answer: B
Not 100% sure, but I will go with B. User behavior analysis. Reason: as per CompTIA objectives, user behavior analysis comes under SIEM. Well, as the question asks what's most likely the solution being implemented, user behavior analysis seems to be the direct answer. SOAR simply means you are adding automation, and servers handle the security tasks automatically and take action. Happy to discuss. Some of the questions are there to confuse, so I'll stick to the most direct connection in this case. B
upvoted 24 times

Sepu Highly Voted 1 year, 3 months ago
Selected Answer: B
B. SOAR will react to the alert.
upvoted 21 times

deeden 1 year, 1 month ago
You mean C. SOAR?
upvoted 5 times

awscody 3 months, 1 week ago
No, he is saying it's B because SOAR will react to the alert, hence why that is wrong.
upvoted 4 times

Thurams Most Recent 2 months, 3 weeks ago
User behavior analysis involves monitoring and analyzing network communications and user activities to identify abnormal or suspicious behavior. When anomalies are detected, alerts are generated to notify security personnel. This approach helps in identifying potential security threats, insider threats, and other irregular activities within the network.
upvoted 1 times

Cyberjerry 3 months ago
Selected Answer: B
The security analyst is most likely implementing user behavior analysis as part of a security solution that monitors network communications and provides alerts when abnormal behavior is detected. User behavior analysis (UBA) is a cybersecurity technique that focuses on monitoring and analyzing the behavior of users and entities within a network to detect anomalies or suspicious activities.
UBA solutions use machine learning and behavioral modeling to establish a baseline of normal user behavior and then identify deviations from that baseline. While security orchestration, automation, and response (SOAR) (Option C) can be used to automate incident response processes, it is not primarily focused on monitoring network communications and detecting abnormal behavior.
upvoted 3 times

WANDOOCHOCO 3 months ago
Selected Answer: C
Answer is C; there is no option like user behavior analysis in the Security Assessments chapter in a textbook.
upvoted 1 times

TheFivePips 2 months ago
It's under Objective 1.7: Syslog/Security information and event management (SIEM).
upvoted 1 times

RevolutionaryAct 5 months ago
Initially I thought it was SOAR, but as I read this now I am believing it is B. User behavior analysis, as it does not detect anomalies in behavior. SOAR is low-level/signature-based. https://www.technology.org/2019/04/30/siem-ueba-and-soar-whats-the-difference/
SOAR technologies meet the need for a missing component of SIEM tools, which is the ability to take action against malicious activity. SIEM tools can flag suspicious behavior; however, problems such as false positives and incident prioritization can deter from their proper use. SOAR tools allow for automated responses to low-level incidents and correct incident prioritization. Because of their ability to orchestrate information from many different sources, SOAR systems also provide a greater level of efficiency and effectiveness to an organization's information security defenses.
upvoted 1 times

sujon_london 5 months ago
Selected Answer: B
BA would be the right answer, as here there is directly nothing to do with automation or orchestration. The configurations of various behavior analysis settings will help SIEM to detect anomalies and alert based on that.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
I'm going to go with B. ChatGPT keeps switching between B and C. User behavior analysis involves monitoring and analyzing network communications to identify abnormal behavior or patterns that may indicate a security threat. It helps in detecting suspicious activities, such as unusual login patterns, data access attempts, or unauthorized network access, and raises alerts to security analysts for further investigation. Why C is apparently wrong: C. Security orchestration, automation, and response (SOAR) involves automating incident response processes, but it is not directly related to monitoring network communications for abnormal behavior.
upvoted 2 times

streak007 5 months, 3 weeks ago
Selected Answer: C
The question asks for a system that sends the alert after detecting the abnormality in user behaviour, which is SIEM.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
User behavior analysis involves monitoring and analyzing network communications, user activities, and system behavior to identify patterns and anomalies. By analyzing user behavior, such as login patterns, access patterns, data transfer activities, and other network interactions, abnormal behavior can be detected. This can help identify potential security incidents, unauthorized access, insider threats, and other suspicious activities. Implementing a solution that monitors network communications and provides alerts for abnormal behavior aligns with the goals of user behavior analysis. It helps enhance the organization's security posture by detecting and responding to potential security incidents in real-time.
upvoted 2 times

LeonardSnart 7 months, 3 weeks ago
Selected Answer: B
"SIEMs are systems built to apply rules to sets of data with respect to specific patterns.
Traditionally this meant network- and server-type events, failures, and other conditions that alerted an operator that the system was not responding in a normal manner... Advances in user behavioral analysis has provided another interesting use of the SIEM: monitoring what people do with their systems and how they do it. If every day, upon beginning work, the accountants start the same programs, then when an accountant account logs in and does something totally different, like accesses a system they have never accessed before, this indicates a behavioral change worth looking into." CompTIA Security+ Exam Guide Sixth Edition SY0-601 by Conklin et al. SOAR, on the other hand, is automated with playbooks, not what this question is asking about.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
The security analyst is MOST likely implementing option B, user behavior analysis. User behavior analysis is a type of security solution that uses machine learning and artificial intelligence to monitor network communications and identify abnormal behavior that may indicate a security threat. By analyzing patterns in user behavior, the solution can detect anomalies and generate alerts for further investigation by security personnel. This type of solution is commonly used in network security operations centers (SOCs) to enhance threat detection capabilities and reduce the time it takes to detect and respond to security incidents. Options A, C, and D are different types of security solutions that may also be implemented by security analysts, but they are not specifically related to monitoring network communications for abnormal behavior.
upvoted 1 times arrowphoto7604493ahmed 9 months, 1 week ago Selected Answer: B The security analyst is most likely implementing a User Behavior Analysis (UBA) solution, which uses machine learning and statistical analysis techniques to monitor network traffic and detect abnormal user activity that deviates from the normal behavior of users in the network. UBA https://www.examtopics.com/exams/comptia/sy0-601/view/ 148/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics solutions can identify threats such as insider threats, compromised user accounts, and malware infections that might be missed by traditional security controls like firewalls and antivirus software. The solution will generate alerts when it detects abnormal behavior, which can be used to trigger further investigation by the security team. upvoted 3 times MasterControlProgram 10 months ago Selected Answer: B The security analyst is most likely implementing a user behavior analysis solution, which monitors network communications and provides alerts when abnormal behavior is detected. Answer: B. User behavior analysis. upvoted 1 times Ahmed_aldouky 10 months ago Selected Answer: B User behavior analysis (UBA) is a type of security solution that monitors network communications and user activities to detect abnormal behavior and potential threats. UBA solutions use machine learning and artificial intelligence algorithms to establish a baseline of normal user behavior and identify deviations from this baseline that could indicate potential security threats. Vulnerability scans, security orchestration, automation, and response (SOAR), and threat hunting are different types of security solutions that are not directly related to monitoring network communications and detecting abnormal behavior. Vulnerability scans are automated tools that identify vulnerabilities and weaknesses in a system or network. 
SOAR solutions automate incident response and security operations workflows to increase efficiency and reduce response time. Threat hunting involves actively searching for threats and vulnerabilities that may not be detected by traditional security solutions. Therefore, the security analyst is most likely implementing user behavior analysis to monitor network communications and detect abnormal behavior. upvoted 3 times Nishkurup 10 months, 1 week ago Selected Answer: B the security analyst is most likely implementing User Behaviour Analytics (UBA) solution. UBA is a security solution that uses machine learning algorithms and statistical analysis to identify abnormal behaviour patterns of users on the network. It monitors the user's activity, including logins, file accesses, and network traffic, and compares the behaviour against a baseline of expected behaviour for that user or group. When UBA detects an abnormal behaviour pattern, it generates an alert that can be used by security analysts to investigate and respond to potential threats or security incidents. UBA can help identify insider threats, compromised accounts, and other unauthorized activity on the network. On the other hand, SOAR solutions are focused on automating and orchestrating security processes to improve incident response time, reduce manual efforts, and improve the overall security posture. SOAR solutions typically include incident response playbooks, automation workflows, and integration with other security solutions such as SIEM, NIDS, and endpoint detection and response. upvoted 2 times tebirkishaw 11 months, 1 week ago Selected Answer: B There is no automation of tasks going on, just an alert. Nothing is being fixed. 
Has to be B upvoted 3 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 149/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #61 Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator's folder on the web server. Which of the following attacks explains what occurred? (Choose two.) A. Pass-the-hash B. Directory traversal C. SQL injection D. Privilege escalation E. Cross-site scripting F. Request forgery Correct Answer: BD Community vote distribution BD (81%) rodwave Highly Voted Other 1 year, 1 month ago Selected Answer: BD Answer: B. Directory traversal & D. Privilege escalation Directory traversal is a type of HTTP exploit in which a hacker uses the software on a web server to access data in a directory other than the server's root directory. If the attempt is successful, the threat actor can view restricted files or execute commands on the server. Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. upvoted 17 times carpathia Highly Voted 1 year, 1 month ago Selected Answer: BD "admin's folder" - Priv escalation, + dir transversal. "database" is thrown in as a decoy for SQL answer. upvoted 15 times LO353 3 months, 2 weeks ago database admin folder caught me out , upvoted 1 times cyberPunk28 Most Recent 3 weeks ago Selected Answer: BD B. Directory traversal& D. Privilege escalation upvoted 1 times Fiftypeso 3 months, 2 weeks ago Selected Answer: AD Can someone explain how B and D got the culprit in? 
Why isn't pass-the-hash in there via the web server, and then privilege escalation would get him into the DB's directory if it wasn't his hash and also allow for the deletion of the logs.... I think I'm totally missing something.... the culprit would need the user name with the pass-the-hash?
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
A few reasons, mainly being that pass-the-hash attacks are not really applicable when authenticating to web servers. Pass-the-hash is mainly in the context of authenticating to directory services.
upvoted 1 times

Fiftypeso 3 months, 2 weeks ago
--maybe SQLi and then the privilege escalation, I'm so stuck on how they got in to escalate the privilege
upvoted 1 times

Protract8593 5 months, 2 weeks ago Selected Answer: BD
1. Directory traversal: In a directory traversal attack, the attacker exploits improper input validation to access files and directories that are outside the intended directory. In this scenario, the attacker used directory traversal to access the database administrator's folder on the web server and download the system configuration notes.
2. Privilege escalation: Privilege escalation involves gaining higher-level privileges on a system to access resources or perform actions beyond the intended scope. In this case, the attacker likely escalated their privileges to gain access to the database administrator's folder and retrieve the system configuration notes.
upvoted 1 times

monzie 9 months, 1 week ago Selected Answer: BC
The two attacks that could explain what occurred are:
B. Directory traversal: This attack involves using a specially crafted input to access files or directories that are outside of the intended directory structure. In this scenario, it is possible that the attacker used a directory traversal attack to access the database administrator's folder on the web server and retrieve the system configuration notes.
C. SQL injection: This attack involves injecting malicious SQL code into an application's input field, which can then be used to access or modify sensitive data in a database. It is possible that the attacker used a SQL injection attack to access the database administrator's folder on the web server and retrieve the system configuration notes.
upvoted 2 times

MasterControlProgram 9 months, 3 weeks ago Selected Answer: BD
The two attacks that explain the scenario are:
B. Directory traversal: Directory traversal is an attack in which an attacker can access files and directories that are stored outside the web root folder by manipulating a web application's input parameters, such as file paths or directory names. In this case, the attacker was able to access the system configuration notes by traversing to the database administrator's folder on the web server.
D. Privilege escalation: Privilege escalation is an attack in which an attacker gains elevated privileges to a system or network by exploiting a vulnerability or weakness. In this case, the attacker was able to access the database administrator's folder on the web server, which suggests that they may have escalated privileges to gain access to that folder.
upvoted 1 times

cutemantoes 10 months, 2 weeks ago Selected Answer: BC
Yes B and D sound correct. However, just because they accessed the notes from an admin's folder still doesn't mean that a privilege escalation occurred. It does say that it was on the database admin's folder, making it seem as if there's a database. I'm on the fence between B and D, and B and C.
upvoted 4 times

LePecador 5 months, 3 weeks ago
I'll choose B and D because privilege escalation is related to lateral movement in which a cyberattacker moves deeper into a network in search of high-value assets. In this case, the system configuration notes in the database administrator's folder
upvoted 3 times

daddylonglegs 2 months, 3 weeks ago
There being a database admin does imply there is a database, but that was not mentioned as part of the attack. All the question mentions is that the config files were stored in the DBAdmin's folder. No mention or indication of anything to do with SQL injection. Best answer is BD
upvoted 2 times

G4ct756 1 year, 2 months ago Selected Answer: CD
C & D,
- c, the admin notes are stored in "the database", will require SQLi to interact with DB.
- d, need privilege to clear the system logs.
upvoted 2 times

hieptran 12 months ago
Read the question carefully. It clearly stated: "database administrator's folder". It has nothing to do with SQL injection.
upvoted 2 times

j0n45 1 year, 3 months ago Selected Answer: BD
Directory traversal and Privilege escalation.
upvoted 5 times

FT1 1 year, 4 months ago
B&D. The simplest example of a directory traversal attack is when an application displays or allows the user to download a file via a URL parameter.
upvoted 4 times

Wiggie 1 year, 4 months ago Selected Answer: BC
B and C
upvoted 1 times

Wiggie 1 year, 4 months ago
Correction, B and D
upvoted 2 times

varun0 1 year, 4 months ago Selected Answer: BD
B & D seem to be correct.
upvoted 3 times

varun0 1 year, 4 months ago
Also don't assume just because there's a db admin there'd be a database. DB or web application interface (XSS) is not a requirement for a web server, don't assume there is one.
upvoted 1 times

Topic 1 Question #62
A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction.
The SIEM has multiple login entries with the following text:
suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh
suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
Which of the following is the MOST likely attack conducted on the environment?
A. Malicious script
B. Privilege escalation
C. Domain hijacking
D. DNS poisoning
Correct Answer: A
Community vote distribution: A (81%), Other

CertAddict69 Highly Voted 1 year, 3 months ago Selected Answer: A
This is obviously A, malicious script. Look at the name of the script that is running: "amazing-3rdparty-domain-assessment.py". I'm sure they used the word amazing in the file name so that the script appears as a malicious script that is disguised as a 3rd party domain assessment script.
upvoted 40 times

6R15 10 months, 3 weeks ago
.py = Python script
.sh = shell script
So the attacker is trying to run a malicious script, answer A
upvoted 19 times

Kraken84 5 months ago
Simplicity is key, thank you :)
upvoted 4 times

sujon_london 5 months ago
Agreed, .py python based script
upvoted 3 times

DWISE1 Highly Voted 9 months, 2 weeks ago
Just passed with 799. Please study everything here. If you can, cram; 90% came out from here. If you want to go through what came out with me, reach me on LinkedIn: israel olumese
upvoted 22 times

jakesmith45 Most Recent 1 week, 4 days ago Selected Answer: A
.py -> malicious script
upvoted 1 times

MortG7 2 months, 1 week ago
2 Python .py scripts and one shell script .sh. A
upvoted 1 times

RogerW 4 months ago
I believe the answer is B, because the script c:\weekly_checkups\amazing-3rdparty-domain-assessment.py is executed twice. On the first attempt, it failed to execute. However, on the second attempt it was successfully executed. This means the user, scheduled task, privilege was elevated prior to successfully executing the script.
upvoted 2 times

Protract8593 5 months, 2 weeks ago Selected Answer: A
The SIEM entries indicate that suspicious events related to scheduled tasks are occurring. Specifically, there are references to the successful and failed execution of scripts located in the "c:\weekly_checkups" directory. This suggests that a malicious script is being executed through scheduled tasks without user interaction, which can lead to unauthorized actions, data exfiltration, or other malicious activities on the affected systems. Options B (Privilege escalation), C (Domain hijacking), and D (DNS poisoning) are not directly supported by the evidence presented in the SIEM logs. While they could be potential threats in different scenarios, the logs provided in the question primarily point towards the execution of a malicious script through scheduled tasks.
Why B is wrong according to ChatGPT: B. Privilege escalation: The SIEM logs do not indicate any activities related to unauthorized elevation of privileges. Privilege escalation typically involves gaining higher-level access or permissions on a system, which is not evident from the provided logs.
upvoted 3 times

Kraken84 5 months ago
"In other words, ChatGPT arrives at an answer by making a series of guesses, which is part of why it can argue wrong answers as if they were completely true. While it's great at explaining complex concepts, making it a powerful tool for learning, it's important not to believe everything it says." https://www.makeuseof.com/openai-chatgpt-biggest-probelms/
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A
Malicious script: The suspicious events indicate that a script named "amazing-3rdparty-domain-assessment.py" and "secureyourAD-3rdparty-compliance.sh" was executed by the user "scheduledtasks." These scripts were executed from the directory "c:\weekly_checkups." The fact that these scripts were executed without user interaction and resulted in changes to multiple account passwords suggests the presence of a malicious script that is responsible for the unauthorized password changes.
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
Based on the provided information, the MOST likely attack conducted on the environment is option A, malicious script. The suspicious login events indicate that a scheduled task was created on the compromised system, which executed two scripts (amazing-3rdparty-domain-assessment.py and secureyourAD-3rdparty-compliance.sh) that failed to execute and one script (amazing-3rdparty-domain-assessment.py) that successfully executed. This is a strong indication that a malicious actor or malware was responsible for the creation and execution of these scripts, possibly as a means of gathering information or establishing persistence on the compromised system. Privilege escalation is also a possibility, as the malicious actor or malware may have gained elevated permissions to create and execute the scheduled task and scripts, but the information provided does not provide conclusive evidence of this. Domain hijacking and DNS poisoning are less likely scenarios, as there is no information provided to suggest that the attacker attempted to take control of the domain or manipulate DNS records.
upvoted 1 times

Neither_you_nor_me 9 months ago Selected Answer: A
"scheduledtask" - entire process as the same user. No indication of user changing here.
upvoted 1 times

MasterControlProgram 9 months, 3 weeks ago Selected Answer: A
Based on the provided information, the MOST likely attack conducted on the environment is A. Malicious script. The suspicious events indicate that a scheduled task was created on the affected machines, and a script was executed that appears to be assessing third-party domains and checking compliance. It is possible that this script was a malicious file downloaded and executed by the attacker or an authorized script that was tampered with to include a malicious payload. Further investigation is necessary to determine the root cause of the issue.
upvoted 1 times

princajen 10 months ago Selected Answer: A
The SIEM events suggest that a malicious script or set of scripts was used to change the passwords on multiple accounts without user interaction. The successful execution of a script called "amazing-3rdparty-domain-assessment.py" and the failed execution of other scripts may indicate that the attacker was using a variety of tools to achieve their objectives, rather than relying solely on privilege escalation. Therefore, based on the information provided, the most likely attack that was conducted on the environment is the use of a malicious script.
upvoted 1 times

Nishkurup 10 months, 1 week ago Selected Answer: B
Based on the provided information, it is more likely a Privilege Escalation attack rather than a Malicious Script attack. The reason being, the suspicious event logs show that a user account named "scheduledtasks" was able to successfully authenticate on AD at an abnormal time, which indicates that the user account had sufficient privileges to perform the authentication. The account was then able to execute a script related to 3rd party domain assessment, which suggests that the account had elevated privileges on the system. In a Privilege Escalation attack, an attacker gains access to a low-level user account and attempts to elevate their privileges to gain access to more sensitive data or resources. Attackers can abuse scheduled tasks by creating malicious tasks to execute code, such as backdoors or malware, with system-level privileges. By gaining access to a privileged scheduled task, attackers can bypass security controls and execute arbitrary code.
upvoted 1 times

Nishkurup 9 months, 3 weeks ago
After more research, I think it's malicious script
upvoted 2 times

gladtam 9 months, 2 weeks ago
I love how you corrected yourself. Thank you
upvoted 1 times

scarceanimal 11 months ago Selected Answer: A
"amazing-3rdparty-domain-assessment.py" lol they put amazing, hilarious
upvoted 1 times

hsdj 11 months, 1 week ago
passwords were changed on multiple accounts without users' interaction - looks like privileged account activity to me
upvoted 2 times

hsdj 11 months, 1 week ago
option "malicious script" is not a TYPE of attack! so my answer is privilege escalation B
upvoted 1 times

CTE_Instructor 10 months ago
While the changed passwords potentially could be privilege escalation, there are definitely malicious scripts occurring that were recorded in the SIEM logs. Objective 6.1 covers "Malicious code or script execution", including python (.py), bash (.sh), powershell (.ps1), visual basic (.vba), and macro scripts. Because the prompt has clear malicious scripts that were blocked by the security software, and the lack of proof of privilege escalation, I'm more inclined to select A as the correct answer. In reality, it was probably a combination of privilege escalation and malicious scripts that truly occurred here.
upvoted 1 times

asum 11 months, 3 weeks ago Selected Answer: B
It is talking about attack. So B
upvoted 2 times

farisAl 12 months ago Selected Answer: A
execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py - the .py at the end gave it away, it's a malicious script
upvoted 2 times

LaoX 1 year ago Selected Answer: A
Definitely A: Malicious Scripts. Cos look at these:
1. weekly_checkups\secureyourAD-3rdparty-compliance.sh
2. scheduledtasks, and
3. amazing-3rdparty-domain-assessment.
All those are definitely malicious names that result in password changes.
upvoted 1 times

Topic 1 Question #63
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?
A. Vishing
B. Whaling
C. Phishing
D. Smishing
Correct Answer: D
Community vote distribution: D (100%)

comeragh Highly Voted 1 year, 4 months ago Selected Answer: D
Agree with D being correct here
upvoted 12 times

varun0 1 year, 4 months ago
Agreed
upvoted 2 times

Thurams Most Recent 2 months, 3 weeks ago
Smishing: Uses text messages.
Vishing: Involves voice calls.
Whaling: Targets high-profile individuals.
Phishing: Usually occurs via email, targeting a wider audience.
upvoted 3 times

Protract8593 5 months, 2 weeks ago Selected Answer: D
The correct answer is D. Smishing.
Explanation:
- Vishing (A) is a social engineering technique where attackers use voice calls to deceive individuals into revealing sensitive information or performing certain actions.
- Whaling (B) is a form of phishing that targets high-profile individuals, such as executives or CEOs, to steal sensitive information or gain access to valuable assets.
- Phishing (C) is a broad term for social engineering attacks where attackers use emails, messages, or websites that appear to be from a reputable source to deceive recipients into providing sensitive information or performing actions.
- Smishing (D) is a specific type of phishing that uses SMS or text messages to trick individuals into clicking malicious links, disclosing personal information, or taking other harmful actions.
In the given scenario, the unusual text message containing a link to click for more details is characteristic of a smishing attempt, making option D the correct answer.
upvoted 4 times

ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: D
Smishing is a form of phishing that specifically targets individuals through text messages (SMS). In this case, the customer service representative received an unusual text message containing a suspicious invoice number and a link to click for more details. This aligns with the characteristics of a smishing attack, where the attacker uses text messages to deceive and manipulate individuals into divulging sensitive information or performing actions that compromise their security.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
D. Smishing is phishing via text
upvoted 2 times

xxxdolorxxx 11 months, 3 weeks ago
Smishing = Text Message
upvoted 2 times

Orean 1 year, 2 months ago Selected Answer: D
Pretty straightforward. Smishing, a portmanteau of SMS and phishing, is a specific type of phishing done via text messaging, and it's commonly used to orchestrate invoice scams or otherwise harvest credentials.
upvoted 3 times

Topic 1 Question #64
Which of the following actions would be recommended to improve an incident response process?
A. Train the team to identify the difference between events and incidents.
B. Modify access so the IT team has full access to the compromised assets.
C. Contact the authorities if a cybercrime is suspected.
D. Restrict communication surrounding the response to the IT team.
Correct Answer: A
Community vote distribution: A (81%), B (19%)

hazeleyes Highly Voted 1 year, 3 months ago Selected Answer: A
A is correct. This training can help CSIRT to know whether to trigger IR mechanisms and reduce instances of false alerts. With B - I don't really see why giving the IT team access can be beneficial, as this could very likely violate the least privilege principle.
upvoted 8 times

varun0 Highly Voted 1 year, 4 months ago Selected Answer: B
B according to me
upvoted 5 times

cymm 1 year, 2 months ago
Any change after a compromise may not be possible. The only way to guarantee full access would be to modify beforehand. Then you would violate the principle of least privilege.
upvoted 4 times

BM9904 1 year, 3 months ago
I agree this step comes before training your team in the process
upvoted 2 times

MortG7 Most Recent 2 months, 1 week ago
People who answered B: "B. Modify access so the IT team has full access to the compromised assets." ----> how do you know which are the compromised before they are compromised? The answer is A
upvoted 1 times

vidwj 4 months, 3 weeks ago
A is correct
upvoted 2 times

Kraken84 5 months ago
Why do so many put so much faith in a human-fed machine that learns by our own code that we teach it to learn from? The data sets used to educate an AI are literally fed by humans. Why would we put all faith in such a concept? It is cool and all and can help with my sports bets, but I cannot bargain my $380 for ChatGPT, BARD or any other AI's opinions. Because in essence, AI, as a Deep/Machine Learning model, only knows what we 'INSTRUCT' it to. From that instruction comes opinion and argument. Try it, they will argue with you. We can feed it all the data in the world but the MACHINE that LEARNS (which is coded by humans) has limits. https://fortune.com/2023/07/19/chatgpt-accuracy-stanford-study/
upvoted 1 times

Protract8593 5 months, 2 weeks ago Selected Answer: A
The correct answer is A. Train the team to identify the difference between events and incidents.
Explanation:
- A well-prepared incident response process involves properly identifying and handling security events and incidents. Training the team to distinguish between events (normal activities that do not pose a security threat) and incidents (actual security breaches or potential threats) is crucial. This helps ensure that the team can focus on the real security incidents and respond effectively.
Why it's not B according to ChatGPT:
- Option B, modifying access so the IT team has full access to the compromised assets, is not a recommended action as it may lead to a conflict of interest and hinder proper investigation and containment. It is important to maintain the principle of least privilege and involve specialized incident response personnel.
upvoted 2 times

Kraken84 5 months ago
https://fortune.com/2023/07/19/chatgpt-accuracy-stanford-study/
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A
Improving the incident response process involves various actions, but one recommended step is to train the team to differentiate between events and incidents. This training helps the team understand that not every event is necessarily an incident that requires immediate response and investigation. By being able to identify and classify events correctly, the team can focus their efforts on addressing actual incidents that pose a threat to the organization's security.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. Training the team to differentiate between incidents and events.
upvoted 1 times

KingDrew 11 months, 4 weeks ago Selected Answer: A
A is correct since it helps create more response efficiency.
upvoted 1 times

okay123 1 year, 1 month ago Selected Answer: A
Training the team makes sense, I don't see how giving the whole IT team full access to zombie computers is going to do anything...
upvoted 3 times

Gravoc 1 year, 3 months ago
An event is defined as an attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. An incident is defined as a breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems.
upvoted 3 times

carpathia 1 year, 3 months ago Selected Answer: A
The Preparation (initial phase) involves the correct data events being logged, the reporting of potential incidents happening, and personnel training. Nothing in B, C and D is referring to that.
upvoted 2 times

j0n45 1 year, 3 months ago
Of course the answer is "A", logically speaking; if the "CSIRT" and not the "IT" team is trained to differentiate between events and incidents, that would drastically improve their IR process. 🐱🚀 🐱💻
upvoted 3 times

j0n45 1 year, 3 months ago
Also to add: Security Incidents Are Events That Produce Consequences. It's when an event results in a data breach or privacy breach that the event is then deemed a security incident. For example, a delay in patching a security weakness in vital company software would be an event. It would only be deemed an incident after your security monitoring team confirmed a resulting data breach by hackers who capitalized on the weakness.
upvoted 3 times

MarceloFontes1979 1 year, 3 months ago
A - I believe is the best choice.
upvoted 2 times Liftedkris 1 year, 4 months ago Selected Answer: A I’m leaning towards training so A for me upvoted 4 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 159/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #65 A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Choose two.) A. HIDS B. NIPS C. HSM D. WAF E. NAC F. NIDS Correct Answer: BD Community vote distribution BD (79%) rodwave Highly Voted 14% 7% 1 year, 1 month ago Selected Answer: BD Answer: (B) NIPS and (D) WAF A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model). A network intrusion protection system (NIPS) is an umbrella term for a combination of hardware and software systems that protect computer networks from unauthorized access and malicious activity. NIPS consists of NIDS and IPS. WAF is a firewall. NIPS can operate up to layer 7 by passing or allowing traffic upvoted 22 times sujon_london 5 months ago Agreed with ur very well versed explanation. Thank you upvoted 2 times varun0 Highly Voted 1 year, 4 months ago Selected Answer: BD B & D seems correct, it has to BLOCK the traffic remember. upvoted 16 times MortG7 Most Recent 3 days, 3 hours ago D. WAF E. NAC NIPS is a layer 3 & 4 device upvoted 1 times Jackwasblk 1 month, 2 weeks ago NIPS solutions can look at application layer protocols such HTTP, FTP, and SMTP. upvoted 1 times Protract8593 5 months, 2 weeks ago Selected Answer: BD - B. 
NIPS (Network Intrusion Prevention System): A NIPS is an intrusion detection system that can actively block and prevent detected threats. It operates at Layer 7 of the OSI model, just like NIDS (Network Intrusion Detection System). However, NIPS goes beyond detection and takes proactive measures to block potential attacks at the network level.
- D. WAF (Web Application Firewall): A WAF is a security control that operates at Layer 7 of the OSI model. It is specifically designed to monitor, filter, and block HTTP/HTTPS traffic to and from web applications. By doing so, it can prevent web-based attacks, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
Why A is wrong according to ChatGPT:
A. HIDS (Host Intrusion Detection System): HIDS operates on individual hosts or endpoints and is not specifically focused on Layer 7 protection. It is not designed to block network-based attacks.
upvoted 3 times

Bro111, 6 months ago
Selected Answer: AD
HIDS is a Layer 7, not NIPS
upvoted 1 times

Abdul2107, 6 months ago
True, HIDS is Layer 7, but it's Detection; it will not Prevent/Block.
upvoted 4 times

Bro111, 6 months ago
Sorry, HIDS is a Layer 7 but it doesn't block attacks.
upvoted 1 times

Yawannawanka, 8 months, 2 weeks ago
The two security controls that can block an attack at Layer 7 are:
D. WAF (Web Application Firewall): A WAF is a Layer 7 security control that sits between a web application and the internet, inspecting all incoming and outgoing traffic. It can block attacks targeting web applications, such as SQL injection, cross-site scripting (XSS), and remote file inclusion (RFI), by examining the content of HTTP requests and responses and blocking any that match predefined rules.
B.
NIPS (Network Intrusion Prevention System): A NIPS is a Layer 7 security control that can inspect and block attacks targeting specific network protocols and applications. It can identify and block attacks at the network layer, transport layer, and application layer, including Layer 7. NIPS uses signature-based detection and behavioral analysis to detect and block known and unknown attacks.
Therefore, options B (NIPS) and D (WAF) are the correct answers. The other options, including HIDS, HSM, NAC, and NIDS, do not specifically target Layer 7 and may not be effective at blocking attacks targeting specific applications or protocols.
upvoted 2 times

cutemantoes, 9 months, 2 weeks ago
Selected Answer: DE
I initially was going to say NIPS as well. Yes, a NIPS blocks traffic, but it says at Layer 7. I'm pretty sure NIPS operates on layer 3, I believe. So that would mean I'm guessing the answer is D and E.
upvoted 2 times

RevolutionaryAct, 5 months ago
Not NAC, as that's layers 2 and 3: https://www.varonis.com/blog/network-access-control-nac
upvoted 2 times

z3phyr, 9 months, 1 week ago
NAC is network access control. It controls access to a network, which has nothing to do with preventing attacks.
upvoted 5 times

z3phyr, 9 months, 1 week ago
NAC also operates at level 3, not level 7.
upvoted 4 times

GS1011, 9 months, 4 weeks ago
B & D.
* Network access control (NAC) is typically implemented at either the data link (layer two) or network layer (layer three) of the open standards interconnection model. Enforcement mechanisms vary between different products, and some have multiple options.
upvoted 2 times

scott2969, 10 months ago
Why not NIDS, Network Intrusion Detection System?
upvoted 1 times

CTE_Instructor, 10 months ago
IDS are designed to detect/alert to events, but not to block or take action. Because the scenario asked for a security control that will block traffic, any IDS option (HIDS or NIDS) should not be selected.
IPS options will be prioritized, or firewalls (WAF).
upvoted 2 times

DALLASCOWBOYS, 11 months, 1 week ago
B&D. Web Application Firewall is at the Application Layer, and NIPS is a prevention system.
upvoted 2 times

Sandon, 11 months, 3 weeks ago
Selected Answer: DE
ChatGPT says it's WAF and NAC.
upvoted 5 times

datsrobin, 10 months, 1 week ago
How come it's saying WAF and NIDS on mine? Lol
upvoted 2 times

princajen, 10 months ago
Mine said WAF and NIPS lol
upvoted 1 times

asum, 11 months, 3 weeks ago
Selected Answer: BD
The IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data.
upvoted 2 times

P0wned, 1 year ago
Selected Answer: DE
D. WAF (Web Application Firewall) and E. NAC (Network Access Control) can block attacks at Layer 7.
A HIDS (Host-based Intrusion Detection System) is a security system that monitors and analyzes the logs and events on a single host for signs of potential attacks or malicious activity. It operates at the host level, rather than at the network level, and therefore cannot block attacks at Layer 7.
A NIPS (Network Intrusion Prevention System) is a security system that analyzes network traffic in real-time to identify and prevent potential attacks or malicious activity. It operates at the network level, rather than at the host level, and therefore cannot block attacks at Layer 7.
upvoted 1 times

RevolutionaryAct, 5 months ago
Not NAC, as that's layers 2 and 3: https://www.varonis.com/blog/network-access-control-nac
upvoted 1 times

Jossie_C, 1 year, 2 months ago
NIPS consists of NIDS and IPS. WAF is a firewall.
upvoted 2 times

jgp, 1 year, 4 months ago
Selected Answer: BD
B & D.
> An inline NIPS is "in line" with traffic, acting as a Layer 3–7 firewall by passing or allowing traffic
upvoted 2 times

Wiggie, 1 year, 4 months ago
Selected Answer: AD
A&D. Layer 7 = Host Intrusion Detection System and Web Application Firewall
upvoted 3 times

CapJackSparrow, 1 year, 2 months ago
I generally look for what you would go for and pick the opposite...
upvoted 16 times

gladtam, 9 months, 2 weeks ago
You guys are funny lol
upvoted 2 times

Gino_Slim, 1 year, 2 months ago
That is actually hilarious
upvoted 2 times

ramesh2022, 1 year, 3 months ago
HIDS only detects and alerts you; it can't block or be programmed to block. HIPS or NIPS can do that.
upvoted 3 times

redsidemanc2, 1 year, 3 months ago
BLOCK. IDS only detects. It's B and D.
upvoted 1 times

zzzfox, 1 year, 3 months ago
The question is asking to block potential attacks. IDS doesn't block the traffic.
upvoted 1 times

Topic 1 Question #66
A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager's concerns?
A. Implement a full system upgrade.
B. Perform a physical-to-virtual migration.
C. Install uninterruptible power supplies.
D. Purchase cybersecurity insurance.
Correct Answer: B
Community vote distribution: B (100%)

xxxdolorxxx, Highly Voted, 11 months, 2 weeks ago
Selected Answer: B
I go for B.
A. Implement a full system upgrade. (Not cost effective)
B. Perform a physical-to-virtual migration. (Cloud would be much more redundant against physical hardware breaking)
C. Install uninterruptible power supplies. (Would only really help in an external power failure; would do nothing if, say, a hard drive fails)
D. Purchase cybersecurity insurance.
(Hardware will still fail)
upvoted 5 times

Protract8593, Most Recent, 5 months, 2 weeks ago
Selected Answer: B
Performing a physical-to-virtual (P2V) migration involves converting the existing physical system (the critical PC) into a virtual machine (VM) running on a virtualization platform. By doing so, the PC's operating system and applications are encapsulated in a virtual environment, allowing it to run on different hardware or even multiple servers simultaneously.
By using a virtual machine, the critical PC can benefit from the following advantages:
1. Hardware Independence: The VM is decoupled from the physical hardware, so it can be migrated easily to different host servers without being affected by the underlying hardware.
2. Snapshot and Backup Capabilities: VMs can be snapshot for backup purposes, allowing easy restoration in case of hardware failures.
3. Cost Savings: Virtualization can lead to cost savings in terms of hardware maintenance, power consumption, and space requirements.
While option C (Install uninterruptible power supplies) can provide short-term power backup during outages, it does not directly address the concern of a potential hardware failure in the PC.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: B
Option B, performing a physical-to-virtual migration, is a viable option to mitigate the business operations manager's concerns about potential hardware failure. By migrating the critical PC to a virtual machine, the organization can leverage virtualization technology to ensure business continuity even if the physical hardware fails.
A physical-to-virtual migration involves converting the existing physical system into a virtual machine (VM) that runs on a virtualization platform. This migration allows the VM to be hosted on different hardware resources, providing increased flexibility, scalability, and resilience.
upvoted 2 times

KingDrew, 11 months, 4 weeks ago
Selected Answer: B
Answer is B. Cloud is far more secure and reliable than a stand-alone computer, and there are many applications out right now for little to no cost that can store data and software.
upvoted 1 times

rodwave, 1 year, 1 month ago
Selected Answer: B
Answer: Perform a physical-to-virtual migration.
A physical-to-virtual migration (P2V) is the migration of physical machines to virtual machines. Converting the PC to a VM temporarily will allow the PC to continue its operations on a different host. The other options would require that the PC be turned off, so the organization would not have access to its function.
upvoted 4 times

carpathia, 1 year, 1 month ago
Selected Answer: B
It must be B. Purchasing insurance is Transference, not Mitigation.
upvoted 1 times

zzzfox, 1 year, 3 months ago
Selected Answer: B
B - Migrate Physical Server to Cloud (Virtual)
upvoted 2 times

comeragh, 1 year, 4 months ago
Read my full comment, Ribeiro. I didn't say it was D; I was referring to the point you might be in an exam and trying to narrow it down...
upvoted 4 times

comeragh, 1 year, 4 months ago
Selected Answer: B
To narrow it down for me it would be either B or D. Going with B as the question mentions "without incurring large costs".
upvoted 4 times

Ribeiro19, 1 year, 4 months ago
Man, wake up, D is for cybersecurity, not for hardware failure. Option B is the only answer.
upvoted 7 times

varun0, 1 year, 4 months ago
Selected Answer: B
B seems right; "without incurring large costs" means a full system upgrade is out of the question.
upvoted 1 times

Topic 1 Question #67
An organization has activated an incident response plan due to a malware outbreak on its network.
The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector?
A. Prevent connections over TFTP from the internal network.
B. Create a firewall rule that blocks port 22 from the internet to the server.
C. Disable file sharing over port 445 to the server.
D. Block port 3389 inbound from untrusted networks.
Correct Answer: C
Community vote distribution: D (89%), 9%

stoneface, Highly Voted, 1 year, 4 months ago
Selected Answer: D
The SMB protocol (in all its versions) doesn't provide functionality to execute files on the remote systems. Its main objective is to support the sharing of file and print resources between machines. The only feasible option left is logging in through RDP and manually executing the file. Correct me if I am wrong.
upvoted 57 times

darkgypsy, 1 year, 2 months ago
You rock!
upvoted 2 times

hfzazm6, 9 months, 1 week ago
you are never wrong stoneface
upvoted 10 times

J_Ark1, 1 year, 2 months ago
yeahh :)
upvoted 2 times

banditring, 1 year, 3 months ago
you the best stoneface :)
upvoted 9 times

rodwave, Highly Voted, 1 year, 1 month ago
Selected Answer: D
Answer: Block port 3389 inbound from untrusted networks.
3389 is the default port for RDP connections. RDP is the protocol used to connect to Windows desktops/servers remotely. In the scenario, the malware family is known to be distributed through manually logging on to servers, and RDP would require a manual login to access the machine and be able to easily run scripts on the server, especially through a GUI.
upvoted 27 times

section8santa, 11 months ago
love you rodwave!
upvoted 2 times

gladtam, 9 months, 2 weeks ago
You are my hero!
upvoted 1 times

LePecador, 5 months, 3 weeks ago
OUR hero
upvoted 1 times

Yatoro, Most Recent, 1 month, 1 week ago
I don't get why people choose D as the correct answer. It said it was a malware outbreak on its network. The attacker intentionally ran the malicious code (could be a worm since it said a malware outbreak) on the Windows server (file sharing server), and at the end of the question it stated "Which of the following actions would be BEST to prevent reinfection from the infection vector" (the Windows Server which is already infected)? C should be the correct answer.
upvoted 1 times

goodmate, 2 months, 3 weeks ago
Some harsh argument with ChatGPT; here is the answer:
Port 22 is a Unix-based system, but the question states Windows Server in DMZ, so assess the answer again.
ChatGPT: I understand the clarification regarding the Windows Server in the DMZ. Given this specific context, it's important to reassess the answer in light of the Windows environment. Port 22 (SSH) is typically associated with Unix-based systems, not Windows, and may not be the port of concern for manual logins in this case. My previous responses were based on the assumption of Unix-based systems. In a Windows environment, manual logins and remote access are commonly achieved through protocols like RDP (Remote Desktop Protocol) on port 3389. Given the situation with a Windows Server in the DMZ, it is more appropriate to focus on securing access via the RDP protocol and associated port. Therefore, blocking port 3389 inbound from untrusted networks (as mentioned in option D) is the more relevant and effective security measure in this specific scenario.
upvoted 1 times

sujon_london, 5 months ago
Selected Answer: C
Following the given question clue, "The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code", and suspecting reinfection from the initial vector. In this case the first step should be to focus on port 445; the reason behind this is that port 445 is used for the Microsoft-DS (Directory Services) protocol, also known as Microsoft-DS SMB (Server Message Block). It facilitates file and printer sharing, as well as communication between Windows computers on a network. Here many of you chose RDP-based 3389. That's not the primary action. We should consider printers and other computers on the same network connected with the infected server/computer. That's why I will go for C. Correct me if I'm wrong.
upvoted 4 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: D
Blocking port 3389 inbound from untrusted networks is a security measure commonly recommended to protect against potential RDP-based attacks. Here's more information on why option D is the correct choice:
1. Malware Distribution: The question mentions that the malware is distributed by manually logging on to servers and running the malicious code. This indicates that the attackers are gaining access to the server through a legitimate remote access method like RDP.
2. Port 3389: RDP uses port 3389 by default to establish remote connections to Windows servers. By blocking inbound traffic on port 3389 from untrusted networks, you effectively limit the exposure of the server to potential attackers trying to use RDP as a means to gain unauthorized access.
3. Mitigating Unauthorized Access: By blocking inbound RDP traffic from untrusted networks, you are preventing potential attackers from attempting to brute-force or exploit RDP vulnerabilities to gain unauthorized access to the server.
upvoted 4 times

Protract8593, 5 months, 2 weeks ago
4.
Defense-in-Depth Strategy: Implementing network-level controls like blocking port 3389 is part of a defense-in-depth strategy, which involves using multiple layers of security measures to protect systems and data. In this case, it complements other security controls and helps mitigate risks associated with unauthorized remote access.
5. Least Privilege: Limiting access to RDP only from trusted networks or specific IP ranges aligns with the principle of least privilege, which reduces the attack surface and potential impact of security incidents.
In conclusion, blocking inbound traffic on port 3389 from untrusted networks is a recommended security practice to prevent unauthorized access to RDP services and help protect against potential malware infections that rely on manual logins to servers.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: C
Disabling file sharing over port 445 helps to prevent the malware from being manually copied and executed on the server. By closing this file-sharing port, the organization can effectively block the specific method through which the malware was distributed.
upvoted 1 times

CyberMrT, 8 months, 2 weeks ago
Selected Answer: A
I have seen this question in other places and the answer is listed as A. If you think about the question... "prevent reinfection from the initial infection vector"; I am interpreting this to mean the spread AFTER the windows-facing server is compromised. If you look at it that way, they want to know how you would protect the internal network from further infection. Thoughts?
upvoted 2 times

Yawannawanka, 8 months, 2 weeks ago
Based on the information provided, the malware was likely manually installed on the internet-facing Windows server by logging in to the server and running the malicious code. Therefore, the best action to prevent reinfection from this infection vector is to prevent unauthorized access to the server.
Option D, "Block port 3389 inbound from untrusted networks," is the best choice to prevent unauthorized access to the server. Port 3389 is used by the Remote Desktop Protocol (RDP), which allows users to log in to the server remotely. By blocking inbound traffic on this port from untrusted networks, the organization can prevent attackers from logging in to the server and manually installing the malware. This control is especially important for internet-facing servers, which are more likely to be targeted by attackers.
The other options may be valid controls for other types of attacks or malware, but they do not directly address the infection vector described in this scenario. Therefore, option D is the BEST choice in this scenario.
upvoted 1 times

T_dawg, 10 months ago
Selected Answer: D
3389 - RDP
port 22 - SSH, if it was a Linux
upvoted 1 times

ronniehaang, 11 months, 1 week ago
Selected Answer: D
D. Block port 3389 inbound from untrusted networks. Blocking port 3389, which is used for Remote Desktop Protocol (RDP), would prevent remote access to the server from untrusted networks, making it less likely for attackers to manually log on to the server and run the malicious code. This would be the best action to prevent reinfection from the initial infection vector.
upvoted 2 times

Jimbobilly, 1 year ago
Selected Answer: C
Curveball: the person was physically in front of the server and logged in.
upvoted 4 times

GMuney, 1 year, 1 month ago
Selected Answer: C
Can't it be C? If we're looking to prevent reinfection, then wouldn't we want to block file sharing so that the malicious code wouldn't end up on the server in the first place?
upvoted 1 times

babyzilla, 1 year, 2 months ago
Selected Answer: D
D makes the most sense, as the best solution to prevent manually logging into a system would be to block RDP. SSH is for Linux. RDP is for Windows.
C would probably be the next step.
upvoted 3 times

yasuke, 1 year, 2 months ago
It had to be a Windows server :D block RDP
upvoted 3 times

rindrasakti, 1 year, 2 months ago
Selected Answer: D
Read carefully: "to be distributed by manually logging on to servers and running the malicious code" means using RDP. The simple way to prevent it is by blocking the RDP port.
upvoted 1 times

Jakalan7, 1 year, 3 months ago
Selected Answer: D
The answer is clearly D; the question states "The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code." By blocking inbound connections on port 3389 (RDP), they would be preventing reinfection.
upvoted 1 times

Topic 1 Question #68
Which of the following uses SAML for authentication?
A. TOTP
B. Federation
C. Kerberos
D. HOTP
Correct Answer: B
Community vote distribution: B (100%)

KetReeb, Highly Voted, 1 year, 4 months ago
Answer: B. Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations. Federation's ultimate goal is to allow users to seamlessly access data or systems across domains. Federation is enabled through the use of industry standards such as Security Assertion Markup Language (SAML).
upvoted 26 times

varun0, 1 year, 4 months ago
I agree
upvoted 1 times

Protract8593, Most Recent, 5 months, 2 weeks ago
Selected Answer: B
Federation uses SAML (Security Assertion Markup Language) for authentication and single sign-on (SSO) between multiple systems or organizations. SAML is an XML-based open standard used to exchange authentication and authorization data between identity providers (IdP) and service providers (SP) to facilitate secure SSO.
It enables users to access multiple applications or services with a single set of credentials, making it a key technology for enabling seamless authentication across federated systems.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: B
Federation is the option that uses Security Assertion Markup Language (SAML) for authentication. SAML is an XML-based open standard for exchanging authentication and authorization data between parties, typically in the context of web-based single sign-on (SSO) systems. Federation allows for the sharing of authentication and authorization information across different organizations or domains, enabling users to access multiple systems using a single set of credentials. SAML is commonly used in federation scenarios to facilitate secure authentication and authorization across various applications and systems.
upvoted 2 times

RvR109, 10 months, 2 weeks ago
Selected Answer: B
SAML (Security Assertion Markup Language) is a protocol that you can use to perform federated single sign-on from identity providers to service providers. In federated single sign-on, users authenticate at the identity provider.
upvoted 2 times

KingDrew, 11 months, 4 weeks ago
Selected Answer: B
Federation is correct
upvoted 1 times

Knowledge33, 1 year, 2 months ago
Selected Answer: B
Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations. Federation's ultimate goal is to allow users to seamlessly access data or systems across domains. Federation is enabled through the use of industry standards such as Security Assertion Markup Language (SAML).
upvoted 3 times

db97, 1 year, 3 months ago
B - Federation
upvoted 1 times

Topic 1 Question #69
The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of incident has become more common in recent weeks and is consuming large amounts of the analysts' time due to manual tasks being performed. Which of the following solutions should the SOC consider to BEST improve its response time?
A. Configure a NIDS appliance using a Switched Port Analyzer.
B. Collect OSINT and catalog the artifacts in a central repository.
C. Implement a SOAR with customizable playbooks.
D. Install a SIEM with community-driven threat intelligence.
Correct Answer: C
Community vote distribution: C (100%)

varun0, Highly Voted, 1 year, 4 months ago
Selected Answer: C
SOAR allows for automation of IR
upvoted 11 times

Tjank, Highly Voted, 1 year, 3 months ago
Selected Answer: C
SOAR (Security Orchestration, Automation, and Response) can use either a playbook or a runbook. It assists in collecting threat-related data from a range of sources and automating responses to low-level threats (frees up some of the CSIRT's time).
upvoted 7 times

bolajiambex, Most Recent, 4 months ago
SOAR is correct
upvoted 1 times

Kraken84, 5 months ago
.."large amounts of the analysts' time due to manual tasks being performed" In need of Automation?
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: C
A SOC (Security Operations Center) can improve its incident response time and efficiency by implementing a SOAR (Security Orchestration, Automation, and Response) platform with customizable playbooks. SOAR platforms help automate and streamline various security tasks and processes, allowing analysts to respond to incidents more quickly and effectively.
By using customizable playbooks, the SOC can define automated workflows tailored to their specific incident response needs, reducing manual efforts and improving overall response time to security incidents.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: C
Implementing a SOAR with customizable playbooks would be the best solution to improve the SOC's response time in this scenario. SOAR platforms are designed to streamline and automate incident response processes, allowing security analysts to respond more efficiently to security incidents. By creating customizable playbooks, the SOC can define predefined response actions and automate the execution of common and repetitive tasks. This reduces the reliance on manual processes and enables faster response times. The playbooks can include automated investigation, enrichment of data with OSINT (Open Source Intelligence), and execution of response actions based on predefined rules and logic.
upvoted 1 times

KingDrew, 11 months, 4 weeks ago
Selected Answer: C
SOAR is automated, and includes security orchestration and response to help resolve security issues more efficiently and in a timely manner.
upvoted 1 times

Jossie_C, 1 year, 2 months ago
Selected Answer: C
Sounds like football but ok
upvoted 3 times

Topic 1 Question #70
Business partners are working on a security mechanism to validate transactions securely. The requirement is for one company to be responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is the BEST solution to adopt?
A. PKI
B. Blockchain
C. SAML
D.
OAuth
Correct Answer: A
Community vote distribution: A (88%), 12%

BigV, Highly Voted, 1 year, 2 months ago
The question mentions one trusted company, "centralized"; it can not be Blockchain, which is a "de-centralized" technology.
upvoted 21 times

cybertechb, 2 weeks, 3 days ago
Although I agree with it not being blockchain technology, I disagree with the reasoning. Blockchain technology is used for both decentralized and centralized platforms. The blockchain is only a digital ledger. The correct answer would be A. PKI
upvoted 1 times

ronniehaang, Highly Voted, 11 months, 1 week ago
Selected Answer: A
A. PKI (Public Key Infrastructure) is the best solution to adopt as it provides the means to securely issue, manage, and revoke digital certificates used to verify the identity of users and systems. PKI is commonly used to secure transactions and provide secure communication between entities, making it a suitable solution for the described scenario.
upvoted 10 times

Protract8593, Most Recent, 5 months, 2 weeks ago
Selected Answer: A
PKI (Public Key Infrastructure) is the best solution for deploying a trusted mechanism that can register and issue artifacts used for signing, encrypting, and decrypting transaction files securely. PKI is a set of policies, procedures, hardware, software, and encryption technologies that enable secure communications and authentication over a network. It relies on public and private key pairs to provide authentication, data integrity, and non-repudiation, making it suitable for securely validating transactions and ensuring the authenticity and confidentiality of data exchanged between business partners.
upvoted 4 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: A
PKI (Public Key Infrastructure) is the best solution to adopt in this scenario. PKI is a security mechanism that uses asymmetric encryption and digital certificates to establish the authenticity, integrity, and confidentiality of electronic transactions.
It provides a framework for generating, managing, and distributing digital certificates, which are used to verify the identity of users and entities involved in transactions.
upvoted 2 times

Dan_26, 7 months, 2 weeks ago
Blockchain sucks at everything except sucking, and the concept needs to be kicked out of CompTIA as it's a terrible technology.
upvoted 1 times

Yawannawanka, 8 months, 2 weeks ago
Based on the requirements described in the scenario, the BEST solution to adopt would be PKI, or Public Key Infrastructure. PKI is a system that uses a combination of public and private keys to provide secure communication over an insecure network. It uses digital certificates, which are issued by a trusted third party, to authenticate the identities of users and devices. These certificates can be used to sign, encrypt, and decrypt transactions, ensuring their confidentiality and integrity.
In the scenario, one company is responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. PKI is a well-established and widely used technology for this purpose, and it meets the requirements described in the scenario.
Blockchain, SAML, and OAuth are all useful technologies in their own right, but they may not be the best fit for the scenario described. Blockchain, for example, is more commonly used for secure distributed ledgers rather than transaction signing and encryption. SAML and OAuth are used more for authentication and authorization rather than encryption and decryption.
Therefore, PKI is the BEST solution to adopt in this scenario.
upvoted 3 times

Confuzed, 8 months, 4 weeks ago
The main reason this is not blockchain is that blockchain is all about transparency. The transaction record is visible to all, and can be verified by the hash.
Blockchain is not used to encrypt or decrypt anything.
upvoted 2 times

monzie 9 months, 1 week ago
Selected Answer: A
A. PKI (Public Key Infrastructure) is the best solution to adopt in this case. PKI is a system that uses digital certificates and public key cryptography to secure communications and transactions. With PKI, one company can act as a Certificate Authority (CA), issuing digital certificates that can be used to sign, encrypt, and decrypt transaction files. This provides a trusted mechanism for validating transactions securely between business partners. Blockchain, SAML, and OAuth are all useful technologies for certain security scenarios, but they may not be the best fit for this particular use case.
upvoted 3 times

Blake89 1 year, 1 month ago
PKI (Public Key Infrastructure)
• Combining asymmetric cryptography with symmetric cryptography along with the hashing and digital certificates, giving us hybrid cryptography.
Straight from the CompTIA study guide
upvoted 3 times

elkol 1 year, 3 months ago
Selected Answer: A
Answer is PKI. PKI involves one trusted third-party or middleman which is the company. Blockchain is a decentralized or distributed system. I think some people lean towards Blockchain as the answer due to "valid transaction" being mentioned, which I understand, but I will go with "A PKI"
upvoted 5 times

hazeleyes 1 year, 3 months ago
Selected Answer: A
PKI. "register and issue artifacts used to sign, encrypt, and decrypt transaction files" - for PKI this artifact is a digital certificate. What artifact does the blockchain "register" and "issue" that does this?
upvoted 4 times

KetReeb 1 year, 4 months ago
Selected Answer: A
I have to go with A: PKI.
Ref the following: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786417(v=ws.11)
upvoted 4 times

varun0 1 year, 4 months ago
Selected Answer: A
PKI seems like it
upvoted 5 times

Wiggie 1 year, 4 months ago
Selected Answer: B
Blockchain
upvoted 3 times

CapJackSparrow 1 year, 2 months ago
I was going to go with blockchain, then I saw YOU went with blockchain.. so now I'm pretty sure it's not blockchain.
upvoted 19 times

gladtam 9 months, 2 weeks ago
I don't even want to pass this exam. I'm just here for your comments.
upvoted 1 times

Jossie_C 1 year, 2 months ago
Blockchain is decentralized. Incorrect
upvoted 1 times

varun0 1 year, 4 months ago
Selected Answer: B
Blockchain is the best for transactions
upvoted 2 times

varun0 1 year, 4 months ago
Disregard this, I'm going with PKI after much consideration
upvoted 8 times

Topic 1 Question #71
A security analyst has been asked by the Chief Information Security Officer to:
✑ develop a secure method of providing centralized management of infrastructure
✑ reduce the need to constantly replace aging end user machines
✑ provide a consistent user desktop experience
Which of the following BEST meets these requirements?
A. BYOD
B. Mobile device management
C. VDI
D. Containerization
Correct Answer: C
Community vote distribution: C (100%)

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: C
VDI seems to be it
upvoted 7 times

nickolas789 Most Recent 4 months, 1 week ago
Is this an accurate site?
upvoted 1 times

awscody 3 months, 1 week ago
Yes, this site is accurate. Keep in mind that as you go through these questions, some of the "correct answers" may seem wrong.
The site needs to mark the wrong answers so they won't make an identical copy of the exam or a closely related one, or else it will result in CompTIA requesting for the site to be taken down. Rely on the discussion and external sources to verify the answer that people have chosen. Some answers that the site chooses are correct but others may be internally wrong.
upvoted 6 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
VDI is a technology that allows users to access a virtualized desktop environment hosted on a centralized server. It provides a secure method of centrally managing infrastructure because all virtual desktops are hosted and managed from a centralized location, making it easier to apply security policies and updates uniformly. VDI also reduces the need to constantly replace aging end-user machines since the virtual desktops can be accessed from various devices, including older machines with less processing power and resources. Users can access their virtual desktops from different devices without the need for extensive hardware upgrades. Additionally, VDI provides a consistent user desktop experience since users are interacting with a standardized virtual desktop environment that remains consistent across different devices. This allows for a seamless user experience regardless of the device they use to access their virtual desktop. In summary, VDI is the best option that meets the requirements of providing centralized management of infrastructure, reducing the need to replace aging end-user machines, and providing a consistent user desktop experience.
upvoted 4 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
VDI is the best option that meets the provided requirements. VDI allows for centralized management of infrastructure, as it provides a virtualized desktop environment hosted on servers in the data center. This allows for centralized control and management of the desktop images, applications, and user configurations.
With VDI, aging end-user machines can be replaced with thin clients or repurposed devices, as the actual processing and computing are handled by the servers in the data center. This reduces the need for frequent hardware replacements and extends the lifespan of end-user devices. VDI also provides a consistent user desktop experience since users access their virtual desktops, which are based on standardized images, applications, and configurations. Any changes or updates can be applied centrally, ensuring a consistent experience across all devices.
upvoted 1 times

mtw5 10 months ago
Why not containerization? Doesn't this centralize applications and make management easier?
upvoted 1 times

Dan_26 7 months, 2 weeks ago
Not for endpoints. Servers sure, but not user machines like a laptop.
upvoted 1 times

applepieboy 11 months, 2 weeks ago
Selected Answer: C
Pretty clearly VDI. 2 big giveaways: 1. VDI makes centralized management easier. 2. Since you push the same desktop it is the only thing that provides a consistent desktop experience.
upvoted 2 times

rodwave 1 year, 1 month ago
Selected Answer: C
Answer: VDI
Virtual Desktop Infrastructure (VDI) is a technology that refers to the use of virtual machines to provide and manage virtual desktops. VDI hosts desktop environments on a centralized server and deploys them to end-users on request.
upvoted 4 times

Jossie_C 1 year, 2 months ago
Virtual desktops so that it can be combined with BYOD to save money.
upvoted 2 times

Katyaz 1 year, 2 months ago
VDI appears to be correct
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: C
Agree with C VDI - "consistent user desktop experience"
upvoted 3 times

stoneface 1 year, 4 months ago
Plus, no need to replace aging end user machines
upvoted 5 times

Topic 1 Question #72
Which of the following terms describes a broad range of information that is sensitive to a specific organization?
A. Public
B. Top secret
C. Proprietary
D. Open-source
Correct Answer: C
Community vote distribution: C (100%)

IQ30 Highly Voted 1 year, 4 months ago
Professor Messer notes:
• Proprietary – Data that is the property of an organization – May also include trade secrets – Often data unique to an organization
upvoted 12 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: C
The term "proprietary" describes a broad range of information that is sensitive and owned by a specific organization. Proprietary information is considered confidential and is not intended for public disclosure. It may include trade secrets, intellectual property, customer data, financial information, and other sensitive data unique to the organization.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
Proprietary information refers to a broad range of sensitive information that is specific to a particular organization. It includes trade secrets, confidential business strategies, customer data, financial information, intellectual property, and any other information that is considered valuable and exclusive to the organization. Proprietary information is typically protected from unauthorized access, use, or disclosure to maintain the competitive advantage and confidentiality of the organization.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
C.
Proprietary is specific to 1 organization
upvoted 2 times

applepieboy 11 months, 2 weeks ago
Selected Answer: C
Proprietary would definitely be the answer on an exam, but top secret is still accurate.
upvoted 2 times

Nirmalabhi 1 year, 1 month ago
Selected Answer: C
No brainer. Proprietary should be the answer
upvoted 2 times

[Removed] 1 year, 1 month ago
Hello everyone, are you interested in taking any exam certification exam? Contact me now for remote support. Success guaranteed in just a single attempt. wa.me/12694315721
upvoted 2 times

viksap 1 year, 1 month ago
What's the proposal?
upvoted 1 times

eli_2000 1 year, 1 month ago
I need that
upvoted 2 times

rodwave 1 year, 1 month ago
Selected Answer: C
Answer: Proprietary
Proprietary information, also known as a trade secret, is information a company wishes to keep confidential
upvoted 3 times

RonWonkers 1 year, 3 months ago
Selected Answer: C
I agree with C
upvoted 1 times

Topic 1 Question #73
A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to BEST address the CSO's concerns? (Choose two.)
A. A WAF
B. A CASB
C. An NG-SWG
D. Segmentation
E. Encryption
F.
Containerization
Correct Answer: CD
Community vote distribution: BC (95%), Other 4%

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: BC
NG-SWG -> NG-SWG is designed to address the key cloud and web security use cases encompassing granular policy controls, web filtering, threat protection, and data protection spanning managed and unmanaged apps, cloud services, and web traffic.
CASB -> The CASB serves as a policy enforcement center, consolidating multiple types of security policy enforcement and applying them to everything your business utilizes in the cloud—regardless of what sort of device is attempting to access it, including unmanaged smartphones, IoT devices, or personal laptops.
upvoted 46 times

carpathia Highly Voted 1 year, 1 month ago
Selected Answer: BC
CASB and NGSWG (pg 164 in D Gibson's book on SY0-601).
upvoted 10 times

_deleteme_ Most Recent 2 weeks, 4 days ago
BC, you can verify in the Professor Messer video below. https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/cloud-security-solutions/
upvoted 2 times

cyberPunk28 3 weeks ago
Selected Answer: BC
B. A CASB
C. An NG-SWG
upvoted 1 times

Mumbo 1 month, 3 weeks ago
Took the exam today and passed with a 775. About 90% of the questions are from this dump. This question was in the test.
upvoted 5 times

samuelr146 1 month, 3 weeks ago
Does this mean I can rely only on this dump by remembering it?
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Selected Answer: BC
The correct answers are:
B. A CASB (Cloud Access Security Broker)
A CASB is a security solution that helps organizations extend their security policies and controls to the cloud environment. It provides visibility into cloud-based services, detects and prevents cloud-specific threats, and enforces security policies.
C.
An NG-SWG (Next-Generation Secure Web Gateway)
An NG-SWG is a security solution that combines traditional web filtering with advanced security features, such as application control, URL filtering, anti-malware, and data loss prevention. It can help protect against advanced threats and malware in cloud-based services accessed through web browsers.
Both B and C address the CSO's concerns about protecting cloud-based services from advanced threats and malware by providing additional security controls and visibility into cloud activities.
upvoted 8 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: BC
An NG-SWG combines traditional secure web gateway capabilities with advanced security features such as advanced threat detection, sandboxing, data loss prevention, and SSL/TLS inspection. By deploying an NG-SWG, organizations can apply granular security policies to monitor and control web traffic to and from cloud-based services, ensuring that malicious activity is detected and blocked. The NG-SWG can provide advanced threat intelligence, content filtering, and behavioral analysis to protect against known and unknown threats. It also offers visibility into user activities, allowing organizations to detect anomalies and potential security breaches.
A Cloud Access Security Broker (CASB) can also help address the concerns by providing additional security controls and visibility into cloud-based services. A CASB acts as an intermediary between users and cloud service providers, allowing organizations to enforce security policies, monitor user activity, and detect and prevent unauthorized access to cloud resources.
upvoted 4 times

Yawannawanka 8 months, 2 weeks ago
Based on the requirements described in the scenario, the BEST solution to adopt would be PKI, or Public Key Infrastructure.
PKI is a system that uses a combination of public and private keys to provide secure communication over an insecure network. It uses digital certificates, which are issued by a trusted third party, to authenticate the identities of users and devices. These certificates can be used to sign, encrypt, and decrypt transactions, ensuring their confidentiality and integrity. In the scenario, one company is responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. PKI is a well-established and widely used technology for this purpose, and it meets the requirements described in the scenario. Blockchain, SAML, and OAuth are all useful technologies in their own right, but they may not be the best fit for the scenario described. Blockchain, for example, is more commonly used for secure distributed ledgers rather than transaction signing and encryption. SAML and OAuth are used more for authentication and authorization rather than encryption and decryption. Therefore, PKI is the BEST solution to adopt in this scenario.
upvoted 2 times

Abdul2107 8 months, 2 weeks ago
Your answer does not apply here, it's for 3 questions back (question 70)
upvoted 7 times

Yawannawanka 8 months, 2 weeks ago
A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to BEST address the CSO's concerns? (Choose two.)
A. A WAF
B. A CASB
C. An NG-SWG
D. Segmentation
E. Encryption
F. Containerization
upvoted 1 times

Kraken84 5 months ago
B. A CASB
C.
An NG-SWG
upvoted 1 times

darklion 9 months ago
Selected Answer: BC
A CASB (Cloud Access Security Broker) provides visibility into cloud application usage and provides security policies that can be used to prevent risky activities. This helps detect and prevent advanced threats and malware in cloud-based services. An NG-SWG (Next-Generation Secure Web Gateway) provides advanced security features, such as web filtering, SSL inspection, and cloud application control, which can help detect and prevent advanced threats and malware in cloud-based services. Therefore, options B and C should be implemented to best address the CSO's concerns.
upvoted 2 times

cmyjw 9 months, 1 week ago
Can anyone tell me why WAF is not a right answer?
upvoted 1 times

leobro 7 months, 3 weeks ago
I think because it is a cloud based service the answer is NG-SWG & CASB
upvoted 1 times

monzie 9 months, 1 week ago
Selected Answer: AB
A. A WAF
B. A CASB
Explanation: A WAF (Web Application Firewall) can provide security controls to protect against advanced threats, including malware. It can detect and block malicious requests and payloads, and it can also help prevent data leakage from web applications. A WAF can also provide real-time monitoring and threat intelligence. A CASB (Cloud Access Security Broker) can provide visibility and control over cloud services to prevent data breaches. It can detect and prevent unauthorized access to cloud services, enforce policies for data protection, and provide real-time monitoring and threat intelligence.
upvoted 1 times

skeletor23 9 months, 2 weeks ago
C and D, NG SWG seems obvious.
D: "a physical or virtual architectural approach dividing a network into multiple segments, each acting as its own subnetwork providing additional security and control"
upvoted 1 times

MasterControlProgram 9 months, 3 weeks ago
Selected Answer: AB
A. A WAF and B. A CASB are the two best solutions to address the CSO's concerns. A WAF can help detect and prevent web-based attacks on cloud-based services, while a CASB can provide visibility and control over cloud-based services to prevent data breaches. Segmentation, encryption, and containerization are also good security measures, but they do not specifically address the risks associated with cloud-based services. An NG-SWG (Next-Generation Secure Web Gateway) may help, but a CASB is a more specialized solution for cloud security.
upvoted 2 times

Nishkurup 10 months ago
A CASB: A Cloud Access Security Broker (CASB) can provide visibility and control over cloud-based services. CASBs can monitor user activity, enforce security policies, and protect data in the cloud. They can also detect and block unauthorized access attempts, enforce encryption policies, and prevent data leakage. CASBs can help the CSO to gain better visibility and control over cloud-based services, and protect them from advanced threats and malware.
Segmentation: Segmentation can be used to limit the access of different parts of the network to one another, making it more difficult for attackers to move laterally within the network. Implementing segmentation for cloud-based services can help reduce the risk of a data breach and protect against advanced threats and malware.
While the other solutions such as a WAF, NG-SWG, encryption, and containerization can provide additional security measures, they may not address the concerns of the CSO regarding the security of cloud-based services as effectively as the CASB and segmentation solutions.
upvoted 1 times

Nishkurup 9 months, 3 weeks ago
I think I will go for CASB and NGSWG
upvoted 1 times

scarceanimal 11 months ago
Selected Answer: BC
Both cloud controls that address the dude's concerns. :)
upvoted 1 times

mhmtn 11 months, 1 week ago
I think C and D. I have been inspired by the divide-and-manage policy that was a British tactic at the turn of the century :)
upvoted 1 times

Topic 1 Question #74
An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users' corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized?
A. MDM and application management
B. BYOD and containers
C. COPE and VDI
D. CYOD and VMs
Correct Answer: B
Community vote distribution: C (94%), Other 4%

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: C
Bring your own device (BYOD)—the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.
Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business.
Corporate owned, personally-enabled (COPE)—the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).
Choose your own device (CYOD)—much the same as COPE but the employee is given a choice of device from a list.
upvoted 42 times

Ay_ma Highly Voted 1 year, 4 months ago
Selected Answer: C
COPE: Corporate-Owned Personally Enabled. The question states that the company is handing out laptops but then they can use them outside of business requirements.
VDI (Virtual Desktop Infrastructure): You can access Operating Systems Virtually. It's like a whole desktop, but virtual. Regarding the question, the employees can access company data through VDI, while being able to use the laptops for personal stuff.
upvoted 8 times

_deleteme_ Most Recent 2 weeks, 4 days ago
C answer can be verified here https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/mobile-deployment-models/
upvoted 1 times

port87 1 month, 2 weeks ago
The correct answer is: C. COPE and VDI
upvoted 1 times

Vly4875 3 months ago
As with other questions, some are having bad answers intentionally set?
upvoted 1 times

saucehozz 1 month ago
Yes, you must study the answers and review the conversations
upvoted 1 times

BobsUrUncle2 3 months, 2 weeks ago
Selected Answer: C
The laptops are company owned i.e. COPE
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
The correct answer is: C. COPE and VDI (Corporate-Owned, Personally Enabled, and Virtual Desktop Infrastructure)
In the scenario described, the organization is planning to issue laptops to its employees (corporate-owned) and allow them to use the laptops for personal purposes (personally enabled). Additionally, the laptops would access the users' corporate operating system remotely, which implies the use of Virtual Desktop Infrastructure (VDI). The COPE model refers to the practice of providing employees with corporate-owned devices that can also be used for personal activities.
upvoted 6 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
In a COPE model, the organization provides employees with corporate-owned devices, such as laptops, while allowing them some level of personal use. This means that employees can use the laptops for both work-related tasks and personal purposes. VDI, on the other hand, refers to Virtual Desktop Infrastructure, which enables users to access their corporate operating system remotely. With VDI, the actual operating system and applications run on virtual machines hosted on centralized servers, and users connect to these virtual machines from their laptops or other devices. This allows employees to access their corporate environment and use the provided laptops for work purposes.
upvoted 3 times

fouserd 8 months, 4 weeks ago
Selected Answer: C
The scenario involves the organization issuing laptops to employees for work purposes and allowing them to use the laptops for personal purposes as well. This is characteristic of the COPE deployment model, in which the organization owns and manages the device, but employees are allowed to use it for personal purposes as well.
upvoted 1 times

Drealjesusfreak 10 months ago
So, can CYOD be used for both corporate and personal use? And I thought CYOD is also property of the company?
upvoted 1 times

applepieboy 11 months, 2 weeks ago
Selected Answer: C
There is no way to know whether or not VDI is involved in this situation, but the answer is clearly the one with COPE (corporate owned, personally enabled). The workers don't own the device, but it is allowed to be used for personal business. By definition COPE
upvoted 5 times

byfener 1 year ago
Selected Answer: C
It has to be C; the explanation says "An organization is planning to roll out a new mobile device policy and issue each employee a new laptop."
upvoted 1 times

carpathia 1 year, 3 months ago
Selected Answer: C
VDI is installed on laptops, no probs (search best laptops for VDI on Google).
I don't think anyone uses Terminals anymore. COPE does allow users to use the device for personal activities.
upvoted 4 times

Swarupam 1 year, 3 months ago
Selected Answer: C
Answer is hidden in the question! Company is providing the laptops .. so it's COPE
upvoted 4 times

remtech 11 months, 1 week ago
says - issue each employee: COPE
upvoted 1 times

cozzmo 1 year, 4 months ago
NOT VDI: issue each employee a new laptop. (VDI is a virtual workspace on a server, so you don't get a laptop). NOT BYOD: issue each employee a new laptop. NONE of these work!
upvoted 1 times

TR3Y 1 year, 3 months ago
VDI can be used with COPE devices. I currently work at an organization that leverages VDI and gives us laptops....
upvoted 6 times

Wiggie 1 year, 4 months ago
Selected Answer: A
https://www.ibm.com/topics/mobile-device-management
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: C
Agree with C here. "issue each employee a new laptop". Laptops are issued so cannot be BYOD or CYOD.
upvoted 1 times

Topic 1 Question #75
Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
✑ All users share workstations throughout the day.
✑ Endpoint protection was disabled on several workstations throughout the network.
✑ Travel times on logins from the affected users are impossible.
✑ Sensitive data is being uploaded to external sites.
All user account passwords were forced to be reset and the issue continued. Which of the following attacks is being used to compromise the user accounts?
A. Brute-force
B. Keylogger
C. Dictionary
D.
Rainbow
Correct Answer: B
Community vote distribution: B (100%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: B
A Keylogger would be the reason why, even after resetting the passwords, the issue persisted. There is no information about the password itself that would allow one to determine if any brute force attack method is being used
upvoted 26 times

varun0 Highly Voted 1 year, 4 months ago
Selected Answer: B
Keylogger seems to be it. Enduser protection is disabled and someone installed a keylogger since workstations are being shared. Changing the password doesn't uninstall this keylogger, which is likely recording the new changed passwords and sending them out to the attacker.
upvoted 13 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: B
B. Keylogger
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
- All users sharing workstations could mean that the keylogger is capturing keystrokes across multiple user sessions.
- Endpoint protection being disabled on several workstations suggests that the attackers might have gained administrative access to the workstations, allowing them to disable security software without detection.
- Impossible travel times on logins from the affected users indicate that someone other than the legitimate user might be logging in using their credentials, possibly from a different location.
- Sensitive data being uploaded to external sites indicates unauthorized access to sensitive information, likely obtained through captured keystrokes.
The hint that everyone missed: ✑ Sensitive data is being uploaded to external sites. This means that the keylogger was hardware-based and it must have had a WAP that the attacker was able to connect to and retrieve all the users' keystrokes through the login portal of the keylogger (a local IP like 192.168.0.10).
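Of the four indicators in this question, "impossible travel" is the one a SOC can compute directly from authentication logs. The following Go program is an added example and is not from ExamTopics or any commenter above: it groups login events per user, orders them by time, and flags any consecutive pair whose implied ground speed exceeds a threshold, while ignoring small distances so GeoIP jitter inside one city does not alert. The login records, coordinates, the 900 km/h ceiling and the 50 km floor are constructed assumptions for illustration; in production the events would come from an IdP, VPN or SSO log joined against a GeoIP database.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Login is one successful authentication event with the geolocation of its source IP.
// In practice this comes from an IdP/VPN log joined with GeoIP; here it is constructed.
type Login struct {
	User string
	At   time.Time
	City string
	Lat  float64
	Lon  float64
}

// Alert records a pair of consecutive logins by one user that no traveller could make.
type Alert struct {
	User       string
	From, To   string
	DistanceKm float64
	Hours      float64
	SpeedKmh   float64
}

// HaversineKm returns the great-circle distance in kilometres between two coordinates.
func HaversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := rad(lat2 - lat1)
	dLon := rad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// ImpossibleTravel sorts each user's logins by time and flags every consecutive pair whose
// implied ground speed exceeds maxKmh. Pairs closer than minKm are skipped so GeoIP jitter
// inside one metro area does not alert. Two distant logins with the same timestamp are
// reported with an infinite speed rather than dividing by zero.
func ImpossibleTravel(logins []Login, maxKmh, minKm float64) []Alert {
	byUser := make(map[string][]Login)
	for _, l := range logins {
		byUser[l.User] = append(byUser[l.User], l)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order

	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			dist := HaversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			if dist < minKm {
				continue
			}
			hours := cur.At.Sub(prev.At).Hours()
			speed := math.Inf(1)
			if hours > 0 {
				speed = dist / hours
			}
			if speed > maxKmh {
				alerts = append(alerts, Alert{User: u, From: prev.City, To: cur.City,
					DistanceKm: dist, Hours: hours, SpeedKmh: speed})
			}
		}
	}
	return alerts
}

// SampleLogins is constructed sample data, not real logs, deliberately out of order:
// alice logs in from London and 45 minutes later from Lagos (the compromised account),
// bob commutes New York -> Boston over four hours, carol shows only GeoIP jitter in Berlin.
func SampleLogins() []Login {
	at := func(h, m int) time.Time { return time.Date(2024, 1, 5, h, m, 0, 0, time.UTC) }
	return []Login{
		{"bob", at(12, 0), "Boston", 42.3601, -71.0589},
		{"alice", at(9, 45), "Lagos", 6.5244, 3.3792},
		{"bob", at(8, 0), "New York", 40.7128, -74.0060},
		{"alice", at(9, 0), "London", 51.5074, -0.1278},
		{"carol", at(10, 0), "Berlin", 52.5200, 13.4050},
		{"carol", at(10, 5), "Berlin", 52.5300, 13.4100},
	}
}

func main() {
	for _, a := range ImpossibleTravel(SampleLogins(), 900, 50) {
		fmt.Printf("%s: %s -> %s, %.0f km in %.2f h (%.0f km/h): impossible travel\n",
			a.User, a.From, a.To, a.DistanceKm, a.Hours, a.SpeedKmh)
	}
}
```

On the sample data only alice is flagged (roughly 5,000 km in 45 minutes); bob's 300 km in four hours and carol's sub-2 km jitter pass. The 900 km/h ceiling is about airliner cruise speed, so anything above it cannot be the same person; lowering it trades more catches for more false positives from VPN egress points and coarse GeoIP. Pair this rule with a reset-then-recurrence check: credentials that keep leaking after a forced password change are the pattern that points at a keylogger rather than a guessed password.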
upvoted 3 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
The key indicators in the scenario point towards the presence of a keylogger:
All users share workstations throughout the day: This means that multiple users are accessing the same workstations, making it easier for a keylogger to capture keystrokes from different users.
Endpoint protection was disabled on several workstations: Disabling endpoint protection allows malware, including keyloggers, to go undetected on the compromised workstations.
Impossible travel times on logins: This suggests that the attacker is remotely accessing the compromised accounts, which is consistent with the use of a keylogger.
Sensitive data uploaded to external sites: The presence of a keylogger enables the attacker to capture sensitive information, such as login credentials and other data, and upload it to external sites for unauthorized use.
upvoted 2 times

z3phyr 9 months, 1 week ago
Nothing was clear until you pick out the fact that the password resets didn't help. Makes it pretty clear
upvoted 2 times

skeletor23 9 months, 2 weeks ago
Passwords have been reset but the issue continues; in this case it can only be a keylogger which is "recording" the new password entered
upvoted 1 times

rodwave 1 year, 1 month ago
Selected Answer: B
Answer - Keylogger
A keylogger or keystroke logger is a type of monitoring software that can be used to collect keystrokes that you type. A keylogger was likely used to capture various sensitive information and credentials. As the issue continued after the password reset, the keylogger was still capturing information as it wasn't removed.
=========================
Brute-force - trial and error attempts to guess login info
Dictionary - a form of brute force attack that uses common words, phrases and variations
Rainbow - uses tables of reversed hashes to crack passwords
upvoted 5 times

Knowledge33 1 year, 2 months ago
There is no relationship between the context and the questions/responses. It's so weird
upvoted 7 times

Topic 1 Question #76
A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types should be used?
A. Snapshot
B. Differential
C. Cloud
D. Full
E. Incremental
Correct Answer: A
Community vote distribution: A (97%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
A snapshot preserves the state and data of a virtual machine at a specific point in time. The state includes the virtual machine's power state (for example, powered-on, powered-off, suspended). The data includes all of the files that make up the virtual machine. This includes disks, memory, and other devices, such as virtual network interface cards. A virtual machine provides several operations for creating and managing snapshots and snapshot chains. These operations let you create snapshots, revert to any snapshot in the chain, and remove snapshots. You can create extensive snapshot trees.
upvoted 24 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: A
A. Snapshot
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
A snapshot backup is the appropriate type to use when the security forensics analyst wants to preserve the present state of the virtual server, including memory contents. A snapshot is a point-in-time copy of the virtual machine (VM) that captures its entire state, including its memory.
This allows for the virtual server to be restored to the exact state it was in when the snapshot was taken, including any volatile data present in memory at that moment. For the purpose of preserving the present state of the virtual server, including memory contents, a snapshot backup is the most appropriate choice. upvoted 1 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: A A snapshot is a point-in-time copy of a virtual machine's disk file, including its memory state. It captures the entire state of the virtual server at a specific moment, including the memory contents, disk contents, and configuration settings. This allows for the preservation of the virtual server's current state, which can be useful for forensic analysis, system recovery, or other purposes. upvoted 1 times Tango58 9 months, 2 weeks ago Selected Answer: B FULL backup will store everything on it. upvoted 1 times HCM1985 4 months, 1 week ago But no the current memory state upvoted 6 times skeletor23 9 months, 2 weeks ago Answer is A, a good practical of this is to download oracle VM set up a virtual machine and in software there is an option to "snapshot" current device upvoted 2 times JaMorant 11 months, 1 week ago present state is the keyword in this case so snapshot will do the job upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 183/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics kennyleung0514 1 year ago A VM snapshot file consists of all the files stored on the storage devices of a virtual machine. Taking a snapshot creates files with extensions .vmdk, -delta.vmdk, .vmsd, and .vmsn, which are stored with the VM base files. A memory snapshot also includes a memory state file (with extension .vmsn) that holds the memory of the VM at the time of the snapshot capture. The size of the memory file and the time it takes to capture the memory state depends on the configured maximum memory for the original/parent VM. 
upvoted 1 times

hackerguy 1 year, 2 months ago
Selected Answer: A
Per Dion Training notes: Type of backup primarily used to capture the entire operating system image including all applications and data.
Snapshots are also commonly used with virtualized systems.
upvoted 2 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with A, snapshot, being the correct answer here.
upvoted 2 times

Topic 1 Question #77
After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware?
A. Removable media
B. Spear phishing
C. Supply chain
D. Direct access
Correct Answer: A
Community vote distribution: D (72%), A (21%), Other (7%)

YusufMadkour Highly Voted 1 year, 4 months ago
Selected Answer: D
D because no hardware can be installed on the motherboard unless the perpetrator had direct access to the machine.
upvoted 34 times

Sandon 11 months, 3 weeks ago
Or the supply chain.
upvoted 8 times

scarceanimal 11 months ago
That's not an attack vector.
upvoted 5 times

CTE_Instructor 10 months ago
Security+ 601 Objectives Section 1.5: Explain different threat actors, vectors, and intelligence sources.
Vectors:
* Direct Access
* Email
* Supply Chain
* Social Media
* Removable media
* Cloud
The answer is *most likely* direct access, as the problem started after going to the conference. It's implied someone gained physical access to this laptop and installed hardware on the motherboard -or- plugged in a USB drive. It's unlikely, however it's possible a supply chain attacker could have also installed hardware inside the laptop prior to shipping to a company. Either way, the attacker would have needed direct access to complete this attack. It's more general than the other options, and covers all possibilities.
upvoted 11 times

cybertechb 2 weeks, 3 days ago
I agree partly; I would in whole had the laptop been left unattended. Since it's not stated that it was left unattended, I'm inclined to believe that it is the supply chain.
upvoted 1 times

80drag 1 year, 3 months ago
But it doesn't say installed, just connected. The USB connector is attached to the motherboard.
upvoted 6 times

TheDarkSide2405 11 months, 2 weeks ago
USB doesn't unknown piece of hardware
upvoted 5 times

80drag 1 year, 3 months ago
I redact the previous statement.
upvoted 3 times

Boogie_79 Highly Voted 1 year, 4 months ago
Selected Answer: D
Direct access
upvoted 5 times

Teleco0997 Most Recent 1 month, 2 weeks ago
Selected Answer: D
The question is "which attack VECTORS" were used; removable media is not the vector, it is the device.
upvoted 1 times

goodmate 2 months, 3 weeks ago
Answer D
A - USB is well known
B - Spear phishing is not a physical component
C - Supply chain: if the laptop has issues after purchase, this may be a supply chain attack, but the crucial point is "after the conference", so this option is not true
D - Direct access is the answer. Because someone implemented an unknown piece of hardware on the motherboard in order to gain access to the laptop.
upvoted 1 times

Thurams 2 months, 3 weeks ago
1. The user's laptop showed signs of being compromised after returning from a conference.
2. An unknown piece of hardware was found connected to the laptop's motherboard.
Supply chain attacks involve tampering with or compromising the hardware or software components of a product at some point in the supply chain. In this case, the unknown hardware connected to the laptop's motherboard was likely added during the laptop's journey through the supply chain. Therefore, the correct answer is C. Supply Chain.
upvoted 1 times

Gwcan 2 months, 3 weeks ago
Selected Answer: D
Everyone choosing A didn't even read the question. Which attack vector was used to install the HARDWARE? Removable media is used to install SOFTWARE, not HARDWARE. Direct access is needed to install HARDWARE.
upvoted 3 times

goodmate 2 months, 4 weeks ago
ChatGPT and its apology: I apologize for any confusion in my previous responses. Based on the additional information that "an unknown piece of hardware is found connected to the laptop's motherboard," the most appropriate assumption is that this unknown hardware was physically connected to the laptop's motherboard during or after the conference. Given this specific detail, the supply chain attack, where a compromised component is introduced during manufacturing or distribution, becomes less likely. Instead, the scenario suggests a scenario closer to "direct access," where someone had physical access to the laptop, either during the conference or afterward, and connected the unknown hardware to the motherboard. Therefore, considering the presence of the unknown hardware, the attack vector "Direct access" becomes a more plausible explanation for the situation described in the scenario.
upvoted 1 times

Dogeo 4 months, 1 week ago
A. Removable Media. Direct Access is being physically at the device to perform malicious acts rather than the use of software or hardware. The question says that hardware has been connected to the motherboard; everything including USB ports is connected to the motherboard, so this does not rule out USB hardware. Although they would need Direct Access to attach the hardware, it is the hardware itself causing the issue.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
The question asks "Which attack vector was exploited TO INSTALL THE HARDWARE". This question is asking what the attacker exploited to install the hardware, nothing about the follow-on activity. The attacker had to have DIRECT ACCESS to install anything at all.
upvoted 2 times

Dogeo 4 months, 2 weeks ago
It's A; the question states unknown hardware has been attached to the motherboard (removable media). Direct access would be the malicious user performing an attack while physically at the device.
upvoted 2 times

RevolutionaryAct 5 months ago
Selected Answer: A
Well, I learned something new: you can directly add removable media to the motherboard, which is what I picked but for different reasons. One could say direct access, but hardware attached to a motherboard is removable: https://www.howtogeek.com/201493/ask-htg-can-i-plug-a-usb-device-right-into-my-motherboard/
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
Again, the question is asking about what the attacker exploited to install the hardware in the first place. Whether or not it can be classified as removable media is irrelevant, as the attacker needs direct access to do anything at all.
upvoted 2 times

sujon_london 5 months ago
Selected Answer: A
This is a very straightforward question, with the given clue that the hardware was found connected to the motherboard. As we all know, any USB port is connected to the motherboard of the computer. It's simple; of course we may be thinking critically due to CompTIA or the easy option given.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
In the given scenario, the laptop issues started after the user returned from a conference. Furthermore, an unknown piece of hardware was found connected to the laptop's motherboard. These details indicate that someone had physical access to the laptop and inserted the unknown hardware directly. A direct access attack involves an attacker physically accessing a device to compromise it. In this case, the attacker likely inserted malicious hardware or tampered with the laptop's internal components to gain unauthorized access and control over the system.
Why A and C are wrong according to ChatGPT:
- A. Removable media: This option involves using external devices like USB drives, CDs, or DVDs to introduce malware to a system. While it's a possible attack vector, it does not explain the presence of unknown hardware on the laptop's motherboard.
- C. Supply chain: A supply chain attack involves compromising devices or components during the manufacturing or distribution process. In this case, the laptop was not new, and the issue occurred after the user returned from a conference, making a supply chain attack less likely.
upvoted 2 times

Aleem001 5 months, 3 weeks ago
Selected Answer: A
Come on guys, have you ever opened a computer to see the motherboard? It's A, as the USB port is connected to the motherboard after all, plus it happened in the conference room, not in any computer hardware lab.
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
Again, the question is asking about what the attacker exploited to install the hardware in the first place. Whether or not it can be classified as removable media is irrelevant, as the attacker needs direct access to do anything at all.
upvoted 2 times

Aleem001 5 months, 3 weeks ago
Scenario says: unknown piece of hardware is found.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: D
Direct access refers to physically accessing a device or its components, and in this case, it seems that someone had direct physical access to the laptop and installed the unknown hardware on the motherboard. The symptoms of the laptop operating slower, overheating, and constant fan activity further suggest that a physical modification or tampering has occurred. Supply chain attacks typically involve compromising the supply chain process to introduce malicious software or components into devices during manufacturing or distribution. While supply chain attacks can result in compromised hardware, they are not the most likely explanation in this specific scenario, as the user's laptop was affected after returning from a conference.
upvoted 3 times

JAMBER 7 months, 2 weeks ago
Selected Answer: C
Got to love some of these questions. I went with C, supply chain. I didn't read enough clues to determine it to be:
A. Removable Media: usually external storage and not internally attached to the motherboard.
B. Spear Phishing: well yeah, the throw-away choice.
D. Direct Access: typically refers to unauthorized physical access.
C. Supply Chain with possible (hardware) time-delayed attack.
upvoted 1 times

DylanB2868 8 months, 2 weeks ago
Selected Answer: D
D because it said "after returning from an event". This means the hardware was not there beforehand and therefore eliminates the idea of a supply chain vector.
upvoted 1 times

HypeMan_crew 8 months, 3 weeks ago
Selected Answer: D
This is not supply chain. This laptop has been in use for a while and is not a new laptop. The issue happened after the conference, meaning that there was direct contact or access from someone on that laptop.
upvoted 1 times

Topic 1 Question #78
After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23.
Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?
A. SSH
B. SNMPv3
C. SFTP
D. Telnet
E. FTP
Correct Answer: A
Community vote distribution: A (100%)

comeragh Highly Voted 1 year, 4 months ago
Selected Answer: A
Telnet (port 23) is insecure and should be replaced with SSH (port 22).
upvoted 15 times

[Removed] 1 year, 4 months ago
Correct, SSH is the answer.
upvoted 3 times

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: A
Answer: SSH (22)
Port 23 (Telnet) and Port 22 (SSH) are network protocols used to remotely access and manage systems; however, Telnet does not encrypt the connection, so captured traffic appears in cleartext, whereas an SSH connection would be encrypted.
=========================
SNMP (Simple Network Management Protocol) - is a protocol for collecting and organizing information about managed devices on networks. Devices that typically support SNMP include servers/desktops, routers, switches, etc.
SFTP (Secure File Transfer Protocol) - is a secure file transfer protocol that uses SSH encryption to securely send and receive file transfers.
FTP (File Transfer Protocol) - For file transfers
upvoted 9 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: A
A. SSH
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
SSH (Secure Shell) is a cryptographic network protocol used to securely access and manage network devices remotely. Unlike Telnet (Option D), which sends credentials in cleartext over port 23, SSH encrypts all communication between the client and server, providing a secure remote login and management solution. It ensures that administrative usernames and passwords are not sent in plaintext, making it the best choice for securing remote access to network devices.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
SSH is a cryptographic network protocol designed for secure remote login, command execution, and data communication. It provides strong encryption and authentication mechanisms, protecting the confidentiality and integrity of the transmitted data, including usernames and passwords. Unlike Telnet (option D), which sends data in clear text, SSH encrypts the communication channel, preventing unauthorized interception and eavesdropping.
upvoted 1 times

fuweezy 8 months, 3 weeks ago
Selected Answer: A
A is correct.
upvoted 1 times

scarceanimal 11 months ago
Selected Answer: A
SSH replaces Telnet in that it provides an encrypted session. Telnet sends in clear text, unsecure.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. SSH. SSH is an encryption protocol used to connect to systems.
upvoted 1 times

Samsonite363 11 months, 2 weeks ago
Selected Answer: A
Easiest question in this guide.
upvoted 2 times

Topic 1 Question #79
Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?
A. CVSS
B. SIEM
C. SOAR
D. CVE
Correct Answer: A
Community vote distribution: A (100%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
CVSS is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). CVSS metrics generate a score from 0 to 10 based on characteristics of the vulnerability, such as whether it can be triggered remotely or needs local access, whether user intervention is required, and so on.
upvoted 18 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: A
A. CVSS
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
CVSS (Common Vulnerability Scoring System) is a standardized scoring system used to assess and quantify the severity of known vulnerabilities. It provides a calculated value or score for each vulnerability based on its characteristics and potential impact. The CVSS score helps organizations prioritize their mitigation efforts by understanding the severity of each vulnerability and taking appropriate action accordingly. Higher CVSS scores indicate more severe vulnerabilities that require immediate attention and mitigation.
upvoted 3 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
CVSS is a standardized framework used to assess and quantify the severity of vulnerabilities in software systems. It provides a numerical score to represent the risk level associated with a specific vulnerability. The score takes into account various factors, such as the impact of the vulnerability, its exploitability, and the level of security controls in place. The score helps organizations prioritize their mitigation efforts by focusing on vulnerabilities with higher scores, indicating a greater potential impact.
upvoted 2 times

temple12 9 months, 3 weeks ago
Selected Answer: A
CVSS is the correct answer.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
A. CVSS. The Common Vulnerability Scoring System is an industry standard for assessing the severity of security vulnerabilities.
upvoted 3 times

Jossie_C 1 year, 2 months ago
Selected Answer: A
Common Vulnerability Scoring System
upvoted 1 times

ExamTopicsDiscussor 1 year, 3 months ago
CVSS stands for the correct
upvoted 1 times

carpathia 1 year, 3 months ago
Selected Answer: A
"calculated" = CVSS
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with A - CVSS here as the correct answer.
upvoted 1 times

Topic 1 Question #80
Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?
A. Community
B. Private
C. Public
D. Hybrid
Correct Answer: A
Community vote distribution: A (90%), Other (10%)

8c55165 3 days, 7 hours ago
I initially picked D, but it would ONLY be D if they were not planning on sharing storage space. Hybrid has separation of Private and Public.
upvoted 1 times

cyberPunk28 3 weeks ago
Selected Answer: A
A. Community
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
In a community cloud deployment model, multiple organizations or entities with common interests share computing and storage resources. It is designed for specific communities of users who have shared concerns or requirements, such as research projects, government agencies, or educational institutions. In this scenario, where several universities are participating in a collaborative research project and need to share compute and storage resources, a community cloud deployment strategy would be the best fit.
upvoted 4 times

matace 5 months, 3 weeks ago
Selected Answer: D
The best cloud deployment strategy for several universities participating in a collaborative research project to share compute and storage resources would be a hybrid cloud deployment. A hybrid cloud deployment allows organizations to use a combination of public and private cloud resources. This gives the universities the flexibility to choose the right cloud platform for their specific needs. For example, they could use the public cloud for resources that need to be highly scalable and available, such as data storage and computing power. They could then use the private cloud for resources that need to be more secure and compliant, such as sensitive research data. A hybrid cloud deployment would also allow the universities to share resources more efficiently. For example, they could use the public cloud for peak demand periods, such as when they are running large-scale simulations. They could then use the private cloud for more consistent demand periods, such as when they are running smaller-scale experiments.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
A community cloud is a deployment model that is specifically designed to serve a specific community or group of organizations with shared interests and requirements. In this case, the universities participating in the research project form a community that can leverage the community cloud model. With a community cloud, the universities can establish a shared infrastructure that is dedicated to their specific needs. They can collectively pool their resources, such as computing power and storage, and share them among the participating universities. This allows for efficient resource utilization, cost-sharing, and collaborative research efforts.
upvoted 2 times

scarceanimal 11 months ago
Selected Answer: A
Sharing infrastructure.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Community Cloud Deployment, where tenants are limited to members of a specifically designed community. Community membership is normally based on a shared mission, similar security and compliance requirements, or other commonalities.
upvoted 1 times

Astra10 11 months, 2 weeks ago
D. Hybrid cloud deployment strategy would BEST meet the need for universities participating in a collaborative research project to share compute and storage resources. A hybrid cloud deployment allows organizations to use a combination of public and private cloud resources. In this case, the universities can keep sensitive data on their private cloud while sharing the compute and storage resources on a public cloud. This way, the universities can have the benefits of both the public and private cloud.
A. Community cloud deployment strategy is when multiple organizations share a cloud infrastructure, but the resources are only available to a specific community of users.
B. Private cloud deployment strategy is when an organization builds and maintains a cloud infrastructure for its own use.
C. Public cloud deployment strategy is when an organization uses a cloud infrastructure provided by a third-party provider, available to the general public.
upvoted 2 times

assfedassfinished 4 months ago
No, it's community cloud. You're adding data to the question that it does not ask for.
upvoted 1 times

bsComptia 11 months, 3 weeks ago
A community cloud deployment strategy, while it may be able to meet the need for sharing compute and storage resources among a group of universities, would likely not be the best option. A community cloud is typically shared among organizations with similar security and compliance requirements, and is often managed by a third-party provider. However, the level of control and customization offered by a community cloud may be limited compared to a hybrid cloud deployment strategy, which combines elements of both public and private cloud deployment. This would give the universities more control and flexibility in terms of how they manage and utilize their shared resources.
upvoted 1 times

bsComptia 11 months, 3 weeks ago
How about this?
upvoted 1 times

bsComptia 11 months, 3 weeks ago
A hybrid cloud deployment strategy is a combination of both private and public cloud deployment. This approach allows organizations to take advantage of the benefits of both types of clouds, depending on their specific needs. In a hybrid cloud deployment, sensitive and/or regulated data is kept on the private cloud, which provides a higher level of security and compliance. Meanwhile, less sensitive workloads can be run on the public cloud, which allows for greater scalability and cost-effectiveness. The two clouds are connected through secure, dedicated connections, such as VPNs, allowing for data and application portability. This deployment strategy allows organizations to take advantage of the benefits of both public and private clouds, depending on their specific needs. It also allows organizations to reduce costs by using public cloud resources for non-sensitive workloads, and to improve security by keeping sensitive data on the private cloud.
upvoted 1 times

[Removed] 11 months, 3 weeks ago
Selected Answer: A
A community cloud is defined as a cloud infrastructure in which multiple organizations share resources and services based on common operational and regulatory requirements.
upvoted 2 times

[Removed] 1 year, 1 month ago
Selected Answer: D
D - because they only share compute and storage, so they connect their on-premises network with the cloud, which they share.
upvoted 1 times

Jossie_C 1 year, 2 months ago
Selected Answer: A
Community is when different organizations share the same stuff.
upvoted 3 times

nobodyridesforfree 1 year, 2 months ago
Selected Answer: A
Community (shared)
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: A
A - Community: "share compute and storage resources"
upvoted 2 times

varun0 1 year, 4 months ago
Selected Answer: A
Community
upvoted 1 times

Topic 1 Question #81
A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst MOST likely use?
A. Look for tampering on the evidence collection bag.
B. Encrypt the collected data using asymmetric encryption.
C. Ensure proper procedures for chain of custody are being followed.
D. Calculate the checksum using a hashing algorithm.
Correct Answer: D
Community vote distribution: D (66%), C (34%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: D
Answer: Calculate the checksum using a hashing algorithm. (D)
A checksum is specifically intended to verify the integrity of data or find data corruption, by comparing a file's original and current checksum. If a byte or even a piece of the file's data has been changed, the original and current checksum will be different, and therefore you will know whether it's the same file or not.
=====================
(A) - This is essentially the physical version of checking if something was tampered with, but wouldn't work for virtual data.
(B) - Don't need to encrypt anything.
(C) - Even if a proper chain of custody was followed, it doesn't guarantee that data hasn't been modified by anyone that had access to the data.
upvoted 33 times

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: C
Procedure to establish the Chain of Custody
In order to assure the authenticity of the chain of custody, a series of steps must be followed. It is important to note that the more information the forensic expert obtains concerning the evidence, the more authentic is the created chain of custody. You should ensure that the following procedure is followed according to the chain of custody for electronic devices:
Save the original material.
Take photos of the physical evidence.
Take screenshots of the digital evidence.
Document date, time, and any other information on the receipt of the evidence.
Inject a bit-for-bit clone of digital evidence content into forensic computers.
Perform a hash test analysis to authenticate the working clone.
upvoted 18 times

KetReeb 1 year, 4 months ago
While your reasoning is a best practice, the only way to prove the integrity of the data after it's been handled is by verifying the checksum (Answer D).
upvoted 43 times

stoneface 1 year, 4 months ago
I stand corrected -> D is correct - ensuring is not a method.
upvoted 28 times

Kraken84 5 months ago
Now that is a RFM!
upvoted 1 times

KetReeb 1 year, 4 months ago
I'm sorry stoneface, I have to retract my comment after running across the following in the All-in-One review, regarding checksums: "A disadvantage is that they miss larger numbers of errors as a second error can cancel the effect of the first on a checksum. Thus, checksums serve no real purpose in digital forensics." Your answer is best.
upvoted 12 times

CTE_Instructor 10 months ago
It's near impossible for a second change in data integrity to "undo" the hash effect of the first error. Multiple changes in file data will still produce different hash results. Checking hash results of the original collection vs present state is standard for verifying data integrity.
upvoted 2 times

daddylonglegs Most Recent 2 months, 3 weeks ago
Everyone picking Chain of Custody is missing the point. Establishing a chain of custody doesn't prevent tampering nor allow you to prove that data has been tampered with. What it does is give you an audit trail to follow if you discover that evidence was in fact tampered with, and you can use it to identify who in the chain of custody tampered with the evidence. To actually PROVE that the data hasn't been tampered with, you would calculate a checksum, likely at each step of the chain of custody when the data is received by the next party.
upvoted 4 times

BigAl5505 3 months, 1 week ago
Selected Answer: D
There is no chain of custody for data transmission; chain of custody is mainly for equipment/devices that are used on the network by end-users. Hashing and checksums are the only ways to check the integrity of data.
upvoted 1 times

assfedassfinished 4 months ago
Selected Answer: D
It's D. Consider the role. The analyst, as the expert, would validate the checksum. A lawyer or court official would validate via the CoC. Additionally, anyone can access the data, change it, and properly mark up the chain of custody. If only using the chain of custody without validating the integrity, false data would be accepted.
upvoted 4 times

BigIshai 5 months ago
The question asked for what method to verify the integrity of the file in question. The simple answer is to compare the hash value with the original when it was collected. The correct answer is D. Ensuring that the proper chain of custody was followed is still subject to interpretation and cannot prove the data has not changed.
upvoted 2 times Nikamy 5 months, 1 week ago Selected Answer: D My answer is D upvoted 1 times Protract8593 5 months, 2 weeks ago Selected Answer: D A checksum is a value derived from the content of data, and it serves as a unique identifier for that data. When data is collected for forensic analysis, the forensic analyst can calculate the checksum using a hashing algorithm (such as MD5, SHA-256, etc.). If the data remains unchanged and has not been tampered with, the checksum will remain the same. Any alteration or tampering of the data would result in a different checksum value. By comparing the calculated checksum of the collected data with a known, trusted checksum (such as the original value), the forensic analyst can verify that the data has not been tampered with since it was collected. This process ensures data integrity and is commonly used in digital forensics to validate the authenticity of evidence. upvoted 1 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: D Calculating the checksum using a hashing algorithm is a common technique in forensic analysis to ensure data integrity. A hashing algorithm takes the data as input and generates a unique hash value, which is a fixed-length string of characters. Even a small change in the input data will result in a significantly different hash value. By comparing the calculated checksum of the collected data with a previously generated checksum of the original data, the forensic analyst can determine if any tampering or alteration has occurred. upvoted 2 times EvelynStandford 7 months, 3 weeks ago Selected Answer: C i started with C after i read all the comment and i was sure it was D but i find this and it make me change my mind Difference Between a Checksum and a Hash Checksums and similarity hashes are often used interchangeably, but they have slight differences. In a nutshell, a Checksum is a hash, but a hash isn’t necessarily a Checksum. 
Why Use Checksums?
Why use checksums to compare data over byte-by-byte comparison? The answer: because it is much smaller (256 bits). Byte-by-byte comparison requires having the entire copy of files, which can be very large (gigabytes). A checksum's relatively small size is small enough to be treated as file metadata.
How can Checksums be Used?
Checksums can be used in many ways: in search engines to check for duplicate documents, in engineering to check for corrupted files, in cryptography to transfer data securely.
upvoted 1 times

EvelynStandford  7 months, 3 weeks ago
Also I found another source where they say "Step 5: Run the validate command with the clip file name attached to get the checksum for that clip (For PC: Hash = Checksum) Command" for a proper chain of custody, so if they ensure that the checksum is included in the procedure
upvoted 1 times

fouserd  8 months ago
Selected Answer: C
To prove that data has not been tampered with since it was collected, a forensic analyst would MOST likely calculate the checksum using a hashing algorithm. A hashing algorithm generates a unique fixed-size string of characters, called a hash or checksum, from a given input. By calculating the hash of the collected data and comparing it to the hash calculated at the time of collection, the analyst can verify that the data has not been altered.
upvoted 1 times

fouserd  8 months ago
Apologies, meant to click D not C
upvoted 2 times

Yawannawanka  8 months, 2 weeks ago
C. Ensure proper procedures for chain of custody are being followed. Proper chain of custody procedures ensure that the evidence is properly collected, stored, and transferred to prevent tampering or alteration.
By following these procedures, the forensic analyst can demonstrate that the evidence has not been tampered with since it was collected, and can be relied upon as authentic and admissible in court. The other options do not directly address the issue of proving that data has not been tampered with.
upvoted 1 times

Confuzed  8 months, 4 weeks ago
Selected Answer: D
While ensuring proper chain of custody is critical, following the process is how you ensure that tampering/mishandling doesn't occur, not how you prove it didn't. To prove that tampering did not occur, the analyst would use hashing.
upvoted 2 times

KnifeClown1  8 months, 4 weeks ago
Selected Answer: D
A checksum is a unique value that is generated from a mathematical algorithm applied to the data. If the data is tampered with in any way, the checksum value will also change, indicating that the data has been altered. By comparing the original checksum value with the current checksum value, the forensic analyst can determine whether the data has been tampered with since it was collected.
upvoted 1 times

ffsilveira10  8 months, 4 weeks ago
Selected Answer: C
I believe that the correct option is C. When they say "data" they do not specify which type of data; it could be digital or not. If not digital, then the checksum will not be helpful. In this case the most likely approach would be to keep chain of custody.
upvoted 2 times

darklion  9 months ago
Selected Answer: D
D. Calculate the checksum using a hashing algorithm. The checksum calculated using a hashing algorithm can be used to verify that the data has not been altered since it was collected. Any changes to the data will result in a different checksum, providing evidence that the data has been tampered with. Other methods, such as checking the evidence collection bag or following proper chain of custody procedures, can help ensure the integrity of the evidence but do not directly prove that the data has not been tampered with.
Encrypting the data using asymmetric encryption will protect the confidentiality of the data but will not ensure its integrity.
upvoted 1 times

examrobo  9 months, 1 week ago
Selected Answer: D
Says prove, so D
upvoted 1 times

Topic 1 Question #82
Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue?
A. Complexity requirements
B. Password history
C. Acceptable use policy
D. Shared accounts
Correct Answer: B
Community vote distribution: B (61%), A (20%), C (19%)

antster1000  Highly Voted  1 year, 4 months ago
Don't really feel like any of the answers are sufficient. Would be looking for something like MFA for this.
upvoted 46 times

CTE_Instructor  10 months ago
Yeah. A few days after the breach, the passwords were a vulnerability? Password history would not be realistic for this scenario. If it said 7 months later, that would make more sense. Imagine having a 24-hour password policy :cry:
upvoted 11 times

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: B
Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time.
upvoted 21 times

kigikik881  3 months ago
It doesn't make sense. It's a known fact that users use the same password, changing the last one or two digits, to comply with the "password history" requirement. Password complexity helps to preserve policies, at least. I believe there is no good option here. Idk why they ask us to choose the better from the worst.
upvoted 5 times

stonefacegroupie  8 months, 4 weeks ago
I concur
upvoted 2 times

cyberPunk28  Most Recent  3 weeks ago
Selected Answer: B
B. Password history
upvoted 1 times

Oruga88  2 months, 1 week ago
Selected Answer: A
Correct Answer: A. Complexity requirements, because having stronger and more complex passwords makes it harder for attackers to use leaked passwords from other breaches to compromise accounts. If users have complex passwords that are unique to each service they use, the likelihood of a password from one service being valid on another is reduced.
Other Answers:
B. Password history: This ensures users don't reuse recent passwords, but it wouldn't necessarily prevent the use of passwords from an external leak if a user used the same password on multiple platforms.
C. Acceptable use policy: While this sets guidelines for how IT resources can be used, it doesn't directly address the password reuse issue.
D. Shared accounts: Shared accounts typically present more of a security risk rather than mitigating issues, as multiple individuals have access to the same account and it's harder to track individual actions.
upvoted 1 times

Josh1978  2 months, 2 weeks ago
Answers for the exam and answers that make sense in the real world aren't always the same. Once I pass I'm memory dumping all this BS.
upvoted 5 times

MortG7  2 months, 3 weeks ago
All of the choices are crap... not sure if this question is reflective of the real world, or has any value. They are more concerned with tricking with words rather than validating your knowledge. What clown is authoring these questions?
upvoted 5 times

saucehozz  1 month ago
The receptionist
upvoted 1 times

Fiftypeso  3 months, 1 week ago
I don't understand these questions; I'm starting to understand the comments about these questions.
Shouldn't mitigating the problem right now be having them all change their passwords? History doesn't matter if there is no age. If they have the database of passwords, then they are running a rainbow attack on it somewhere and are going to just get more passwords if no one changes them. Force a password change, add age and history...
upvoted 1 times

awscody  3 months, 1 week ago
These answers are in fact bad, but password history would be ideal out of all of them. A better choice would be password age.
upvoted 1 times

assfedassfinished  4 months ago
Selected Answer: B
Password history is the least bad of these bad answers.
upvoted 7 times

Kraken84  5 months ago
"... was later used" is our key statement here.
upvoted 2 times

BigIshai  5 months ago
Selected Answer: C
The scenario indicates business accounts have been compromised in the aftermath of a non-related security incident. Meaning the malicious actors got information from the leaked information and used the same on corporate accounts, which evidently also got compromised because the end-users must have reused passwords. Hence an acceptable policy against password reuse would have mitigated the secondary incident. (logic appears sound but open to debate)
upvoted 5 times

Protract8593  5 months, 2 weeks ago
Selected Answer: B
Implementing password history would be an effective measure to mitigate the issue of compromised business accounts in this scenario. Password history keeps track of previously used passwords, and users are not allowed to reuse old passwords when creating a new one. This prevents attackers from reusing leaked passwords to gain unauthorized access to business accounts, even if the leaked credentials are known to them. By enforcing password history, organizations can improve their security posture and protect against credential reuse attacks.
upvoted 1 times

LiteralGod  5 months, 3 weeks ago
Selected Answer: B
I think given the information we have it would be password history.
upvoted 1 times

ApplebeesWaiter1122  6 months, 1 week ago
Selected Answer: B
Password history: Implementing a password history policy ensures that users cannot reuse their previously used passwords. This prevents attackers from reusing compromised passwords to gain unauthorized access to business accounts. By maintaining a password history, users are forced to choose unique passwords each time they update their credentials.
upvoted 2 times

Loonie  6 months, 2 weeks ago
I would say B password history, keyword "exposed was later used"
upvoted 1 times

mosher21  8 months, 2 weeks ago
Selected Answer: A
None of the options are correct. This is another question that sucks. CompTIA charges almost 400 dollars for the exam and gives us this nonsense in return. Kudos to them.
upvoted 10 times

Confuzed  8 months, 4 weeks ago
Selected Answer: A
Complexity requirements is the only solution that makes sense. An AUP dictates what a user may do with corporate systems; it does not address how the user should manage their passwords, that would be Code of Conduct or some other policy. Password history only serves to prevent password reuse on the corporate network; it will do nothing to prevent the user from using the same passwords on a public site. MAYBE, had the question stated that the password database was old, then password history may make sense, but even then complexity is the better answer. A shared account would absolutely do nothing to help with this. So by elimination we can say it's complexity. However, it intuitively makes sense. A leaked password database would contain password hashes that need to be cracked; weak passwords are trivial to extract using rainbow table or dictionary attacks, while complex passwords may never be recovered from a leaked password database.
Thus the hacker will have a list of weak passwords they will use in their attack. Enforcing complex passwords nullifies that list.
upvoted 6 times

ProdamGarazh  1 month, 3 weeks ago
It doesn't say that the leaked credentials were hashes, it says "list of passwords". So the complexity would mean nothing when you have a password in clear text.
upvoted 1 times

z3phyr  9 months, 1 week ago
Password history > enforces new passwords > makes the leaked passwords irrelevant
upvoted 3 times

Topic 1 Question #83
A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?
A. nmap -pl-65535 192.168.0.10
B. dig 192.168.0.10
C. curl --head http://192.168.0.10
D. ping 192.168.0.10
Correct Answer: C
Community vote distribution: C (69%), A (31%)

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: C
Agreed, for those wondering, a curl --head 1.1.1.1 will output this:
HTTP/1.1 301 Moved Permanently
Server: cloudflare
Date: Thu, 01 Sep 2022 22:36:50 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://1.1.1.1/
CF-RAY: 74417cb04d6b9a50-MFE
upvoted 26 times

TinyTrexArmz  11 months ago
While nmap can be used to fingerprint a webserver, those are not the right parameters to do so. You would use nmap -sV <target>, not p<port-range>
upvoted 9 times

Gravoc  Highly Voted  1 year, 3 months ago
curl --head is similar to curl get. Remember from your studies that get is when a user/entity is requesting to get/download resources from a server across the internet. Get requests include a header and a body. By doing curl --head, you're sending a request to get information from a server. The server will reply by providing only the headers of the request, rather than including the body.
Therefore a curl --head is a way to send header-only get requests. This allows people a quick summary of a response server, or in this case, to view its fingerprint.
upvoted 16 times

TheFivePips  Most Recent  2 months ago
Selected Answer: C
The curl command with the --head option is commonly used to send an HTTP HEAD request to a web server, which typically retrieves information about the web server's headers, including the server type and version. This can help a security analyst identify and fingerprint the web server. The other options are not primarily used for web server fingerprinting:
A. nmap is a network scanning tool that can be used for port scanning and identifying open ports on a target system, but it won't provide detailed information about the web server itself.
B. dig is a DNS query tool used to retrieve DNS-related information about a host, but it doesn't directly fingerprint a web server.
D. ping is used to test network connectivity and reachability of a target host but does not provide information about the web server software or version.
upvoted 1 times

Yessssssssss  2 months, 4 weeks ago
Selected Answer: A
I believe it is A. I got this because in the official CompTIA study guide fingerprinting is defined as analysis of services on a particular host. Where you find that in the study guide is under the header "Service and Version Detection and OS Fingerprinting with NMAP".
upvoted 2 times

finbar4  4 weeks ago
Yes, but the bits after the nmap in answer A are wrong
upvoted 1 times

Protract8593  5 months, 2 weeks ago
Selected Answer: C
Using the command "curl --head" allows the security analyst to perform an HTTP HEAD request to the specified web server (http://192.168.0.10) without actually downloading the contents.
This will retrieve only the headers of the web server's response, which often includes server information, such as the server software and version, that can be used to fingerprint the web server.
A. nmap -pl-65535 192.168.0.10
The "nmap" command is used for network scanning, but the given command is not correct. The option "-pl-65535" is invalid. The correct option for scanning all 65535 TCP ports would be "-p-".
Corrected command: nmap -p- 192.168.0.10
Output (example):
Starting Nmap 7.91 ( https://nmap.org ) at 2023-07-22 12:00 UTC
Nmap scan report for 192.168.0.10
Host is up (0.0020s latency).
Not shown: 65534 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
upvoted 1 times

Protract8593  5 months, 2 weeks ago
B. curl --head http://192.168.0.10
The "curl" command is a tool used for transferring data with URLs. The "--head" option is used to perform an HTTP HEAD request and retrieve only the headers of the web server's response.
Output (example):
HTTP/1.1 200 OK
Date: Thu, 22 Jul 2023 12:00:00 GMT
Server: Apache/2.4.41 (Unix)
Last-Modified: Wed, 21 Jul 2023 10:00:00 GMT
ETag: "12345-56789"
Content-Type: text/html
Content-Length: 1234
In this example, the output includes server information such as "Server: Apache/2.4.41 (Unix)", which can be used to fingerprint the web server.
upvoted 3 times

ApplebeesWaiter1122  6 months, 1 week ago
Selected Answer: C
The tool that the security analyst would most likely use to fingerprint a web server is option C: curl --head http://192.168.0.10. The curl command is commonly used for making HTTP requests and retrieving information from web servers. By using the --head option, the security analyst can send an HTTP HEAD request to the web server specified by the given IP address (192.168.0.10). This request retrieves only the HTTP headers of the server's response, which often include information about the server software, version, and other relevant details.
By analyzing the server's response headers, the security analyst can gather information about the web server's fingerprint, such as the server type (e.g., Apache, Nginx) and the specific version. This helps in identifying the server software being used and assists in further analysis and assessment of potential vulnerabilities or security configurations.
upvoted 2 times

Yawannawanka  8 months, 2 weeks ago
Curl is a command-line tool for transferring data from or to a server, and it can be used to obtain the headers of a web server's HTTP response, which can provide information about the server and its configuration. Therefore, the tool that the security analyst will MOST likely use to fingerprint a web server is: C. curl --head http://192.168.0.10
upvoted 1 times

Confuzed  8 months, 4 weeks ago
Selected Answer: A
While "C" is actually more valuable, based on what is in the Official CompTIA study guide I have to go with A. The only reference to service discovery and fingerprinting in the guide talks about doing so with NMAP. While it clearly talks about using various switches, I suspect that this is just a poorly worded question. The command line in A would be part of service discovery rather than fingerprinting... But discovery is done before fingerprinting, so I suspect that they think that the FIRST command the user will run is what is shown in A... then additional switches used to actually perform fingerprinting of the services that were discovered?
upvoted 2 times

Kraken84  5 months ago
"so I suspect that they think"... maybe you can think about it awhile
upvoted 1 times

cutemantoes  9 months, 3 weeks ago
I'm looking at this question with my wife right now and we both agree this has to be the dirtiest Security+ question we've come across XD
upvoted 1 times

NerdAlert  9 months, 1 week ago
I've got bad news for you brotha...
keep going 😂
upvoted 2 times

princajen  10 months ago
Selected Answer: C
Of the options provided, curl is the most likely tool a security analyst would use to fingerprint a web server. The "--head" option tells curl to send an HTTP HEAD request to the server, which will return a response that includes important metadata about the web server, such as the software type, version number, and possibly other configuration details. The other options listed are not appropriate for fingerprinting a web server. Nmap is a port scanner, which can help identify open ports and services running on a target system, but it does not provide information about the web server software. Dig is a tool for querying DNS servers to resolve domain names to IP addresses, and ping is used to test network connectivity, but neither of these tools provides information about the web server software.
upvoted 1 times

geekneek  10 months, 3 weeks ago
Selected Answer: C
Curl is a command-line tool that is commonly used to test web applications and is also a popular choice for web application fingerprinting. The "--head" option is used to request only the header information of the web server's response, which can contain information about the web server's software and version.
Option A, "nmap -pl-65535 192.168.0.10," is a command to perform a ping scan using Nmap. While this may reveal the IP address of the web server, it is not designed for fingerprinting the web server software.
Option B, "dig 192.168.0.10," is a command for performing DNS queries to retrieve information about domain names. It does not have any direct relation to fingerprinting a web server.
Option D, "ping 192.168.0.10," is a command to test the connectivity between two devices on a network. It does not provide any information related to web server fingerprinting.
Therefore, the most appropriate tool for fingerprinting a web server would be "curl --head http://192.168.0.10".
upvoted 3 times

EricShon  11 months ago
Selected Answer: A
A.
nmap -pl-65535 192.168.0.10
upvoted 2 times

ronniehaang  11 months, 1 week ago
Selected Answer: A
The detailed analysis of services on a particular host is often called fingerprinting. This is because each OS or application software that underpins a network service responds to probes in a unique way. This allows the scanning software to guess at the software name and version, without having any sort of privileged access to the host. This can also be described as banner grabbing, where the banner is the header of the response returned by the application. Nmap is very widely used for this task, or you could use hping or Netcat.
upvoted 1 times

ronniehaang  11 months, 1 week ago
A security analyst would most likely use the tool "nmap" to fingerprint a web server. The command "nmap -p1-65535 192.168.0.10" will scan the target IP address (192.168.0.10) for open ports, which can provide information about the web server software and operating system being used. The tool nmap is commonly used for network exploration, security auditing, and finding open ports and services on a target system.
upvoted 1 times

Sandon  11 months, 2 weeks ago
Selected Answer: A
ChatGPT says it's A
upvoted 3 times

P0wned  11 months, 4 weeks ago
Selected Answer: A
The security analyst will MOST likely use nmap -p1-65535 192.168.0.10 to fingerprint a web server. nmap is a network exploration and security auditing tool that can be used to fingerprint a wide variety of network devices, including web servers. The -p option tells nmap to scan only the specified ports (1-65535 in this case) rather than all ports. This command will give the analyst information about the open ports and the services running on them. dig is a command-line tool for querying DNS servers; it can give information about the DNS information, but it doesn't fingerprint a web server. Curl is a command-line tool for sending HTTP requests; it can give information about the HTTP headers, but it doesn't fingerprint a web server.
Ping is a command-line tool for testing whether a particular host is reachable across an IP network; it can give information about reachability, but it doesn't fingerprint a web server.
upvoted 4 times

bsComptia  11 months, 3 weeks ago
Agreed A. nmap -pl-65535 192.168.0.10 is the most likely tool that a security analyst would use to fingerprint a web server. Nmap is a powerful tool for network exploration, management, and security auditing, and can be used to fingerprint web servers to identify the operating system, services running, and open ports. Curl is a command-line tool for transferring data using various protocols, including HTTP. The `--head` option sends an HTTP request with the `HEAD` method, which retrieves only the headers of the response, not the full response body. While this can provide some information about the server, such as the server type, it is not as comprehensive as using a tool like nmap, which can provide more detailed information about the server's operating system, services, and open ports. Additionally, nmap can also be used to fingerprint the web server to identify the version of the web server software, and the available plugins, which can be valuable information for identifying vulnerabilities and potential attack vectors.
upvoted 3 times

Lars87  1 year, 3 months ago
Selected Answer: C
C 100%
upvoted 1 times

comeragh  1 year, 4 months ago
Sorry, on review it seems C would be a better answer.
upvoted 1 times

Topic 1 Question #84
A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement.
Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?
A. Autopsy
B. Cuckoo
C. Memdump
D. Nmap
Correct Answer: A
Community vote distribution: D (92%), 4%

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: D
Autopsy is a digital forensics analysis tool, mainly targeted at hard drive analysis, not very helpful for the requirements. Nmap would be the correct answer. We want to pivot to other devices on the NETWORK, so the next step is to do reconnaissance, port scanning, etc.
upvoted 32 times

Demilitarized_zone  Highly Voted  1 year, 2 months ago
WHY ARE THE ADMINS GIVING US WRONG ANSWERS PLEASE. THIS IS WICKED. COME ON
upvoted 29 times

8c55165  3 days, 7 hours ago
CompTIA forces sites to remove their content if it's too accurate. That's why there are discussions here.
upvoted 1 times

NerdAlert  9 months, 1 week ago
So we don't get shut down! Check discussions
upvoted 22 times

loccodennis  7 months, 2 weeks ago
Is there a way to access non-purchased CompTIA things anymore? All of the tests are gone for me
upvoted 1 times

saucehozz  1 month ago
Use a VPN outside the U.S.
upvoted 1 times

will305  7 months ago
As long as you're logged in you can google the pages. "exam name" examtopics
upvoted 1 times

MortG7  Most Recent  2 days, 6 hours ago
C. Memdump
In the context of lateral movement during penetration testing, a memory dump (memdump) from a compromised system can contain valuable information such as credentials, tokens, and other artifacts that may aid in further exploitation or privilege escalation within the network. Analyzing the contents of memory can reveal sensitive information about the running processes and system state.
upvoted 1 times

cyberPunk28  3 weeks ago
Selected Answer: D
D. Nmap
upvoted 1 times

Ruger  2 months, 1 week ago
D. Nmap
Nmap (Network Mapper) is a powerful network scanning tool that can be used to discover information about devices on a network.
In this scenario, the penetration tester can use Nmap to scan the internal network from the compromised server to identify potential targets for lateral movement and gather information about their services and vulnerabilities. This information is crucial for planning the next steps in the assessment.
upvoted 1 times

Abbey2  4 months ago
C. Memdump
Explanation: In this scenario, the penetration tester has compromised an internal server and is attempting lateral movement within the network. To determine the most useful information for the next assessment step, memory analysis can be critical. Memory analysis tools like "memdump" are used to capture the content of a server's memory at a specific point in time. Analyzing this memory dump can reveal valuable information, including active processes, running services, user credentials, and potential vulnerabilities.
upvoted 1 times

malibi  4 months ago
Selected Answer: A
Autopsy. Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
upvoted 1 times

ccnaexam28  5 months, 1 week ago
This was on my exam. Took the exam 27/7/2023, I scored 840 and got 82 questions in total. 90%+ is from this site and I have no contributor access, though I think it's also just luck on what set you'll get from their question pool. Good luck!
upvoted 10 times

Koki20  2 months, 1 week ago
Congrats! Did you go with the community answer or with the ExamTopics answer?
upvoted 1 times

tonnage800  2 months, 2 weeks ago
Oh, how could you access the full questions without contributor access?
upvoted 1 times

AmesCB  5 months, 1 week ago
Congratulations! So what was the answer? Or are you not allowed to say?
upvoted 3 times

needciscohelp  2 months ago
Of course he's not "allowed" to say lol, just like this entire website wouldn't be allowed by CompTIA. We share anyways.
upvoted 1 times

Protract8593  5 months, 2 weeks ago
Selected Answer: D
Nmap is a versatile network scanning tool that can be used for various purposes, including network reconnaissance and discovering hosts and services on a computer network. In the given scenario, the penetration tester has already compromised an internal server and is looking to pivot and move laterally within the network. Running Nmap on the compromised server can provide valuable information about other hosts and services within the network, helping the tester identify potential targets for further exploitation. Nmap can reveal open ports, services, and operating systems on the target hosts, which can be useful for the penetration tester to plan their next steps. By understanding the network topology and available services, the tester can identify additional attack vectors and potential vulnerabilities to exploit for further lateral movement.
upvoted 2 times

LiteralGod  5 months, 3 weeks ago
Why would Nmap need to be available on the server?
upvoted 1 times

ApplebeesWaiter1122  6 months, 1 week ago
Selected Answer: D
Nmap (Network Mapper) is a powerful network scanning tool that can be used for network exploration and security auditing. It can help the penetration tester gather information about the network, identify hosts, discover open ports, and detect services running on those ports. With this information, the tester can assess the network's topology, identify potential targets for lateral movement, and plan their next steps.
upvoted 1 times

aw23  8 months ago
If a penetration tester has already compromised a server and is attempting to move laterally through the network, the focus is more likely to be on gaining access to additional systems and extracting information from the compromised system.
Therefore, tools like Memdump, which can provide information about the state of the system and active network connections, are more relevant in this context.
upvoted 2 times

daddylonglegs  2 months, 3 weeks ago
Maybe, maybe not. But you're not reading the key part of the question, which is that the attacker is looking to achieve lateral movement. Memdump would not be very helpful in obtaining lateral movement.
upvoted 2 times

Yawannawanka  8 months, 2 weeks ago
If the goal is to pivot the current session in a network lateral movement, the most useful tool would be Nmap, as it can be used to scan the local network for other vulnerable machines that can be targeted. So the correct answer is D.
upvoted 2 times

NerdAlert  9 months, 1 week ago
A memdump would be more helpful for identifying suspicious processes, but with nmap you can scan for what connections are opening on the other machine and see if they are trying to make lateral movement (connecting to other machines) in an easier way.
upvoted 3 times

monzie  9 months, 1 week ago
Selected Answer: C
C. Memdump. A memory dump (memdump) can provide a wealth of information about a system, including active processes, services, network connections, open files, registry keys, and more. With this information, a penetration tester can identify additional targets to compromise and pivot through the network. Autopsy is a forensics tool used to analyze disk images. Cuckoo is a malware sandboxing platform. Nmap is a network scanning tool. While these tools can be useful for various tasks, they are not as helpful as a memdump for network lateral movement.
upvoted 2 times

hieptran  9 months, 1 week ago
No one uses memdump for lateral movement when conducting a penetration test.
upvoted 2 times

NerdAlert 9 months, 1 week ago
A memdump would be more helpful for identifying suspicious processes, but with nmap you can scan for what connections are opening on the other machine and see if they are trying to make lateral movement (connecting to other machines) in an easier way.
upvoted 2 times

MasterControlProgram 9 months, 3 weeks ago
Selected Answer: D
If a penetration tester was able to compromise an internal server and is trying to pivot the current session in a network lateral movement, the most useful tool, if available on the server, would be Nmap. This is because Nmap can be used to scan the network for additional targets and map out the network topology, allowing the penetration tester to identify other potential targets for exploitation. Autopsy is a digital forensics tool used for analyzing and recovering data from hard disks and other storage devices. Cuckoo is a sandbox tool used for analyzing malware behavior. Memdump is a tool used for creating a memory dump of a system. While these tools may be useful in other phases of the assessment, they are not specifically designed for lateral movement.
upvoted 3 times

liya0 10 months ago
Can someone explain why the answer isn't memdump? I asked ChatGPT and this is what it said: "the question mentions that the penetration tester has already compromised an internal server and is trying to pivot the current session in a network lateral movement. This suggests that the tester has already gained access to one system within the network and is attempting to move laterally to other systems. In this scenario, the tester needs to gather real-time information about the compromised server in order to identify other vulnerable systems within the network. Therefore, Memdump would be the most useful tool for this purpose."
upvoted 2 times

daddylonglegs 2 months, 3 weeks ago
I would stop asking ChatGPT. Think about what has happened, what the attacker wants to do, and the options available.
What does memdump do? It dumps the contents of memory to a file. How would analyzing the memory of the compromised machine be helpful when looking for other vulnerable machines? Nmap is the best answer because it can scan for active IP addresses, open ports, and anything running on those open ports. With that information you can identify vulnerable, unpatched services, or services running with weak configurations.
upvoted 1 times

Topic 1 Question #85
Field workers in an organization are issued mobile phones on a daily basis. All the work is performed within one city, and the mobile phones are not used for any purpose other than work. The organization does not want these phones used for personal purposes. The organization would like to issue the phones to workers as permanent devices so the phones do not need to be reissued every day. Given the conditions described, which of the following technologies would BEST meet these requirements?
A. Geofencing
B. Mobile device management
C. Containerization
D. Remote wiping
Correct Answer: B
Community vote distribution: B (93%), other (7%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: B
MDM is the best solution here. The company wants to issue a COBO device, therefore no containerization (tailored to BYOD). Geofencing and remote wiping are capabilities that are provided by an MDM solution.
upvoted 18 times

cyberPunk28 (Most Recent) 3 weeks ago
Selected Answer: B
B. Mobile device management
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
MDM allows organizations to centrally manage and control mobile devices used by their employees, ensuring that they are configured and used in accordance with the organization's policies.
With MDM, the organization can set up and enforce strict configurations on the mobile phones issued to field workers, ensuring they are used exclusively for work purposes and not for personal use. MDM solutions offer features such as device enrollment, configuration management, application management, security policy enforcement, and remote management capabilities. Through MDM, the organization can push work-related applications to the devices, restrict the installation of unauthorized apps, enforce security policies, and remotely wipe devices if necessary.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
The technology that would best meet the described requirements is Mobile Device Management (MDM). MDM enables organizations to manage and secure mobile devices, including smartphones, tablets, and other endpoints, from a central platform. With MDM, the organization can enforce policies and restrictions on the mobile devices, ensuring that they are used only for work purposes and preventing unauthorized access or use. In this case, the organization can use MDM to configure the mobile phones issued to field workers in a way that limits their functionality to work-related tasks only. The MDM solution can enforce restrictions such as disabling personal app installations, blocking access to non-work-related websites or applications, and restricting certain device functionalities. Additionally, MDM provides capabilities for device tracking, monitoring, and remote management.
upvoted 1 times

MorganB 8 months, 1 week ago
I just passed my exam 27 Apr 23. I must say that none of the questions here were on my exam. I think that this is however a great study tool to use, but that's about it. Trust me, this test I took had none of the 410 questions on my exam. But I can say that reading the discussions here truly helped me pass my exam. Trust me, if you are going to take this exam based off these questions you're going to find it difficult to pass.
Good luck to anyone that is getting ready to take the exam. Study from other sources please. You'll live to thank me someday.
upvoted 2 times

Samo1 10 months, 1 week ago
Selected Answer: C
C. Containerization would be the best technology to meet the requirements of the organization. Containerization allows work applications and data to be separated from the personal applications and data on the phone. This enables the organization to issue the phones as permanent devices, knowing that the personal use of the phones is not a concern. In addition, if an employee leaves the organization, the container can be easily wiped from the phone without affecting the employee's personal data. Geofencing, Mobile device management, and Remote wiping are not as relevant to this particular scenario.
upvoted 2 times

rueyb 8 months, 2 weeks ago
They don't want it to be used for personal use at all.
upvoted 2 times

Sir_Learnalot 1 year, 1 month ago
Selected Answer: B
MDM will do the job
upvoted 1 times

grinop 1 year, 2 months ago
I agree that MDM is correct. The question almost tricked me into selecting geofencing, however MDM is best suited since geofencing would only accomplish limiting location.
upvoted 3 times

scarceanimal 11 months ago
Yes, after all they can still use it for personal use within geofencing perimeters. MDM will prevent that.
upvoted 1 times

Bob455 1 year, 3 months ago
A. An MDM would be used if the org was concerned about the users using the devices for other purposes, but the question states they are not, and it gives a geographical clue with "users work in one city".
upvoted 1 times

redsidemanc2 1 year, 3 months ago
MDM is the best solution.
MDM provides the other 3 in one solution.
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: B
Agree with B - MDM as being the correct answer here.
upvoted 2 times

Boogie_79 1 year, 4 months ago
Selected Answer: B
agreed
upvoted 2 times

Topic 1 Question #86
Which of the following control types is focused primarily on reducing risk before an incident occurs?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Correct Answer: A
Community vote distribution: A (89%), other (11%)

cozzmo (Highly Voted) 1 year, 3 months ago
Selected Answer: A
Yay.. finally one that makes sense!
upvoted 17 times

carpathia (Highly Voted) 1 year, 3 months ago
Selected Answer: A
"Preventive controls act before an event, preventing it from advancing". Deterrent - "acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker".
upvoted 6 times

ScottT 1 year, 3 months ago
https://www.sciencedirect.com/topics/computer-science/preventative-control
upvoted 1 times

cyberPunk28 (Most Recent) 2 weeks, 2 days ago
Selected Answer: A
A. Preventive
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Preventive controls are security measures and practices that are put in place to reduce the likelihood of security incidents or breaches from occurring. Their primary focus is on proactively reducing risk before any incident takes place. These controls aim to prevent potential threats and vulnerabilities from being exploited. Examples of preventive controls include firewalls, intrusion prevention systems (IPS), access controls, encryption, security awareness training, security policies, and patch management. By implementing these measures, organizations aim to create a more secure environment and reduce the chances of security incidents and data breaches.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
Preventive controls are implemented to proactively mitigate risks and prevent incidents from happening in the first place. These controls are designed to minimize vulnerabilities, strengthen security measures, and establish safeguards to reduce the likelihood of security breaches or incidents. Examples of preventive controls include implementing strong access controls, enforcing strong passwords and authentication mechanisms, conducting regular security awareness training for employees, performing security assessments and vulnerability scans, deploying firewalls and intrusion prevention systems, and implementing secure coding practices.
upvoted 1 times

MasterControlProgram 9 months, 3 weeks ago
Selected Answer: A
A. Preventive control types are focused primarily on reducing risk before an incident occurs. They aim to prevent incidents from happening in the first place. Examples of preventive controls include access controls, training and awareness programs, security policies and procedures, and regular maintenance and updates of hardware and software systems.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Preventive controls stop a security issue before it occurs.
upvoted 1 times

[Removed] 11 months, 3 weeks ago
Selected Answer: A
Preventive—the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates BEFORE an attack can take place.
upvoted 1 times

FMMIR 1 year, 1 month ago
Selected Answer: A
Preventive controls are controls intended to completely avoid an incident from being able to occur. Deterrent controls, alternatively, are intended to discourage a bad actor from an unlawful activity that they had originally intended to perform.
upvoted 1 times

okay123 1 year, 1 month ago
Selected Answer: A
Deterrent controls reduce the likelihood of a deliberate attack. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
https://www.sciencedirect.com/topics/computer-science/deterrent-control#:~:text=Deterrent%20controls%20reduce%20the%20likelihood%20of%20a%20deliberate%20attack.&text=Preventative%20controls%20protect%20vulnerabilities%20and,unsuccessful%20or%20reduce%20its%20impact.
So A ("reducing risk").
upvoted 1 times

Halaa 1 year, 3 months ago
Selected Answer: B
reducing risk before it happens--deterrent
upvoted 4 times

Jakalan7 1 year, 3 months ago
I can see where you are coming from, but they are asking what reduces risk - so the answer has to be A. Deterrents are "intended to discourage someone from doing something"; they don't actually prevent a risk though. For example, a fence is a deterrent, but people can still get a ladder and climb over it; it does not reduce the risk.
upvoted 4 times

HCM1985 4 months, 1 week ago
I also think that it is Preventive. Because we can never forget that nothing is 100% safe, so even preventive techniques will not reduce the risk to 0.
upvoted 1 times

[Removed] 11 months, 1 week ago
Question says it's "focused primarily on reducing". Preventive controls primarily function as a preventive control, not reducing.
upvoted 1 times

Libraboy 1 year, 2 months ago
A fence reduces the number of people that will be hoping to break in. In this case, a preventive measure would be an electric fence.
upvoted 4 times

Topic 1 Question #87
A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days.
The administrator runs an analysis tool and sees the following output:

    ==3214== timeAttend.exe analyzed
    ==3214== ERROR SUMMARY:
    ==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
    ==3214== checked 82116 bytes
    ==3214== definitely lost: 4608 bytes in 18 blocks.

The administrator terminates timeAttend.exe, observes system performance over the next few days, and notices that the system performance does not degrade. Which of the following issues is MOST likely occurring?
A. DLL injection
B. API attack
C. Buffer overflow
D. Memory leak
Correct Answer: D
Community vote distribution: D (100%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: D
Definitely memory leak. Key sentence -> "The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days." A memory leak occurs when programmers allocate memory on the heap and forget to delete it. The consequence of a memory leak is that it reduces the performance of the computer by reducing the amount of available memory. Eventually, in the worst case, too much of the available memory may become allocated and all or part of the system or device stops working correctly, the application fails, or the system slows down vastly.
upvoted 102 times

Old_Boy_ 2 months ago
You're a legend Stoneface lol
upvoted 4 times

TheRoot9 8 months, 1 week ago
If the checked bytes were greater than 4608*18, would it be buffer overflow?
upvoted 2 times

sujon_london 5 months ago
Brilliant sighting! Good calculation @theroot9
upvoted 2 times

Gino_Slim 1 year, 2 months ago
Stoneface will help you pass this everyone (lol)
upvoted 29 times

gladtam 9 months, 2 weeks ago
I'm gonna have to treat stoneface when I pass this exam!
upvoted 3 times

cyberPunk28 (Most Recent) 3 weeks ago
Selected Answer: D
D. Memory leak
upvoted 1 times

Kraken84 5 months ago
Selected Answer: D
I love these questions, the answer is right in the question :) I bet we get at least 15 of those on the test, yeah? A+, AZ-900, SC-900, all of them seem to follow the same scheme.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
The output from the analysis tool indicates that there is a memory issue, specifically a memory leak. A memory leak occurs when a program fails to release memory that is no longer needed, leading to the gradual consumption of memory over time. In this case, the timeAttend.exe process is causing the memory leak, and terminating the process has resolved the performance degradation issue.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: D
A memory leak occurs when a program or process does not release memory resources properly after they are no longer needed. As a result, memory consumption continues to increase over time, leading to degraded performance and potential system instability. In this case, the system administrator observed degraded performance on the virtual server, which improved temporarily after increasing the virtual memory allocation. However, the performance degraded again after a few days. The output of the analysis tool indicates that there are 4608 bytes in 18 blocks of memory that are "definitely lost" at the time of exit. By terminating the "timeAttend.exe" process and observing that the system performance does not degrade afterward, it suggests that the memory leak issue was related to the "timeAttend.exe" process. Terminating the process would release the allocated memory, resolving the memory leak and improving system performance.
upvoted 3 times

ronniehaang 11 months, 1 week ago
Selected Answer: D
The issue that is most likely occurring is a memory leak.
A memory leak occurs when a program allocates memory dynamically but does not free it properly. Over time, this results in a gradual increase in memory usage, leading to degraded system performance and eventually to a crash. The output from the analysis tool shows that timeAttend.exe is the cause of the memory leak, as it has 4608 bytes in 18 blocks of memory that are definitely lost. Terminating the timeAttend.exe process and observing improved system performance confirms this diagnosis.
upvoted 2 times

jjhidalgo21 1 year, 1 month ago
WHO IS STONEFACE?
upvoted 3 times

bitezadusto 9 months, 2 weeks ago
the GOAT
upvoted 3 times

MusaKeita 1 year, 2 months ago
memory leak
upvoted 1 times

MarciaL 1 year, 2 months ago
I think B. API attack
upvoted 1 times

Wanafresh 1 year, 3 months ago
Memory leaks are usually caused by failure to deallocate memory that has been allocated.
upvoted 2 times

cozzmo 1 year, 3 months ago
Thank you Stoneface!
upvoted 3 times

comeragh 1 year, 4 months ago
Well spotted stoneface. Agree with you on D for this one.
upvoted 3 times

Topic 1 Question #88
An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?
A. DLP
B. Firewall rule
C. Content filter
D. MDM
E. Application allow list
Correct Answer: A
Community vote distribution: A (100%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: A
DLP - Data Loss Prevention uses exact data matching or regex matching. In this case a regex rule for detecting credit card numbers could be in place that is actively blocking the upload of the document.
Regex for detecting an Amex card: ^3[47][0-9]{13}$
Source: https://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
upvoted 44 times

Protract8593 (Most Recent) 5 months, 2 weeks ago
Selected Answer: A
The control that is most likely causing this issue and should be checked FIRST is Data Loss Prevention (DLP). Data Loss Prevention is designed to prevent sensitive information, such as payment card numbers or personally identifiable information (PII), from being accidentally or maliciously disclosed outside the organization.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
DLP is a security control that is designed to prevent sensitive or confidential information from being leaked, intentionally or unintentionally, outside of the organization's network. It helps identify and block the transmission of sensitive data, such as payment card numbers, to unauthorized recipients. In this scenario, the pop-up message indicates that a payment card number was found in the file, and as a result, the file upload was blocked. This behavior aligns with the functionality of a DLP control, which scans files or data being transferred and checks for the presence of specific patterns or formats that match sensitive information.
upvoted 1 times

MorganB 8 months, 1 week ago
Just to exam. This was not on test.
upvoted 1 times

KingDrew 11 months, 4 weeks ago
Selected Answer: A
DLP keeps sensitive data such as PHI, PII, and PCI-DSS secure from escaping the network or being leaked.
upvoted 3 times

learnNcurve 1 year, 1 month ago
Selected Answer: A
A data loss prevention (DLP) device can reduce the risk of employees emailing confidential information outside the organization.
upvoted 1 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with DLP being the correct answer here.
upvoted 2 times

Topic 1 Question #89
Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes?
A. Acceptance
B. Transference
C. Avoidance
D. Mitigation
Correct Answer: A
Community vote distribution: A (61%), D (39%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: A
Accepting risk, or risk acceptance, occurs when a business or individual acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it.
upvoted 62 times

alittlesmarternow 6 days, 2 hours ago
Acceptance is something you do. You accept the risk, but mitigation is something you use. You use known mitigation tactics for "KNOWN RISK". People are drinking your Kool-Aid, but I believe you are wrong on this one.
upvoted 1 times

Old_Boy_ 2 months ago
I will write your name on my CV.
upvoted 3 times

Gino_Slim 1 year, 2 months ago
In stoneface we trust
upvoted 29 times

Confuzed (Highly Voted) 8 months, 4 weeks ago
Selected Answer: D
Per the CompTIA official study guide: "By definition, legacy platforms are unpatchable. Such systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to." "Risk acceptance (or tolerance) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed."
So risk acceptance would be counter to what CompTIA says MUST be done with legacy systems. "Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors. If you deploy a countermeasure that reduces exposure to a threat or vulnerability that is risk deterrence (or reduction). Risk reduction refers to controls that can either make a risk incident less likely or less costly (or perhaps both)." That is what CompTIA says MUST be done on a legacy system... reduce risk. So the answer is risk mitigation.
upvoted 17 times

ganymede (Most Recent) 1 month, 3 weeks ago
Selected Answer: D
D. Mitigation. It's common for organizations to use legacy systems in their environments. Oftentimes they do not have a choice. Just because they are using legacy systems does not mean they cannot take any steps to reduce the risk those legacy systems expose them to. The answer is mitigation because there are still actions they can take to reduce the risk. For example, network segmentation.
upvoted 2 times

TheFivePips 2 months ago
I hate these types of questions. Here's what ChatGPT has to say after some pushback: While mitigation is a valid risk management strategy and is often preferred when it's possible to reduce or eliminate risks, it might not be the best choice in the context of maintaining a legacy system with known risks for operational purposes. Here's why: Legacy systems can be expensive and resource-intensive to modify or enhance. Mitigation efforts may require significant investments in terms of time, money, and effort, and these resources might be better spent on more critical projects or system upgrades. Modifying a legacy system to mitigate risks can introduce new vulnerabilities or issues, especially if the system is complex and poorly documented. It's important to tread carefully to avoid inadvertently creating more problems.
Making changes to a legacy system can disrupt normal operations and introduce downtime or service interruptions, which might not be acceptable in cases where the legacy system is critical for ongoing operations. In some cases, the legacy system may be so outdated that viable mitigation options are limited or impractical.
upvoted 1 times

Ruger 2 months, 1 week ago
A. Acceptance. When an organization chooses to maintain a legacy system with known risks for operational purposes, it is essentially accepting the risks associated with that system. This is a risk management strategy known as risk acceptance. In this case, the organization acknowledges the existence of risks but continues to use the system due to various reasons, such as cost-effectiveness, business continuity, or other operational considerations.
upvoted 1 times

PropheticBettor 2 months, 1 week ago
Mitigation is accepting the risk while trying to minimize it as you can. Acceptance is simply letting it be. That wouldn't be smart since we still have to use the equipment in daily operations. Must accept while doing our best to mitigate risk.
upvoted 1 times

J0EL 3 months, 2 weeks ago
Selected Answer: D
D. Mitigation. The organization would use the risk management strategy of mitigation to maintain a legacy system with known risks for operational purposes. Mitigation strategies are used to reduce the potential impact of risks or likelihood of occurrence. For a legacy system, mitigation measures may include regular maintenance and patching, limiting who has access to the system, and monitoring the system for any signs of compromise. Acceptance involves acknowledging the risks associated with the system but choosing to use it anyway without taking any additional action to reduce the risk.
Transference involves transferring the risk to a third party through insurance or outsourcing, while avoidance involves avoiding the use of the system altogether.
upvoted 2 times

TreeeSon 3 months, 2 weeks ago
Selected Answer: A
I will go with A, seeing as how legacy systems have more limitations/vulnerabilities that cannot be completely eliminated.
upvoted 1 times

RogerW 4 months ago
The answer is A. The key word is maintain. I thought it implied fixing. I was wrong. It means ": to keep in an existing state (as of repair, efficiency, or validity) : preserve from failure or decline". In other words, keep it running without making changes.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Acceptance involves acknowledging the risks associated with a particular system or activity but deciding to continue with it despite those risks. This is often done when the cost of mitigating the risks or replacing the system outweighs the potential impact of the risks.
upvoted 2 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: A
Acceptance is a risk management strategy where the organization acknowledges the existence of a risk but consciously decides to tolerate or accept it. This means that the organization is aware of the risks associated with the legacy system but chooses to continue using it despite those risks. This decision is usually based on factors such as cost, feasibility of alternatives, business requirements, and the understanding that the risks can be managed within acceptable levels.
upvoted 1 times

clean_it_up_janny 8 months, 1 week ago
Selected Answer: D
Maintain keyword
upvoted 3 times

ffsilveira10 8 months, 3 weeks ago
Selected Answer: D
I would go with D (mitigation)... when you have a legacy system you need to put mitigation controls in place to minimize the risk.
upvoted 4 times

ankiuser 9 months, 1 week ago
D.
Chatgpt3.5: In some cases, the risk management strategy of mitigation may be more appropriate than acceptance, especially if the risks associated with a legacy system are significant or could have severe consequences. Mitigation involves taking actions to reduce the likelihood or impact of a risk, which could include implementing additional security controls, performing regular vulnerability assessments, and conducting regular security awareness training for users.
upvoted 1 times

cutemantoes 9 months, 3 weeks ago
Selected Answer: D
It says to maintain the legacy system. Meaning to mitigate the risk. Answer is D. If it was acceptance, it's knowing that there's a risk and doing nothing about it and continuing on about your day.
upvoted 4 times

Omi0204 9 months, 3 weeks ago
Selected Answer: D
Despite their operational value to organizations, a legacy system can pose a major security threat because they are outdated technology that is no longer updated, supported or maintained by their vendor or manufacturer. Organizations using legacy systems tend to give limited access to these systems and operate them with the phrase "out of sight, out of mind" being central. This almost perfect storm of security issues (no updates, no support and not being watched closely) has placed legacy systems and legacy software at the heart of security breaches. So are you still going to accept the known risk (breach, hack, attack) or try to put mitigation (limited access) in place? Answer is D.
upvoted 3 times

geekneek 10 months, 3 weeks ago
Selected Answer: A
Acceptance is a risk management strategy in which an organization accepts the risks associated with a particular activity, process, or system. This strategy is typically used when the cost of reducing the risk is too high, or the risk is considered acceptable to the organization.
In the case of a legacy system with known risks that needs to be maintained for operational purposes, the organization may determine that the cost of upgrading or replacing the system is too high, or that the system is critical to their operations and the risks associated with it are acceptable.
upvoted 1 times

Topic 1 Question #90
Which of the following is the BEST action to foster a consistent and auditable incident response process?
A. Incent new hires to constantly update the document with external knowledge.
B. Publish the document in a central repository that is easily accessible to the organization.
C. Restrict eligibility to comment on the process to subject matter experts of each IT silo.
D. Rotate CIRT members to foster a shared responsibility model in the organization.
Correct Answer: D
Community vote distribution: B (74%), D (26%)

G4ct756 (Highly Voted) 1 year, 2 months ago
Selected Answer: B
I think it is B, because there are 2 requirements: "Consistent & Auditable". D will foster a consistent IR process, but not auditable. B will ensure consistency in understanding of the IR process, and the document is auditable.
upvoted 20 times

sterfryy (Highly Voted) 1 year ago
The best action to foster a consistent and auditable incident response process is to publish the document in a central repository that is easily accessible to the organization. This will ensure that all members of the organization have access to the latest version of the document and can refer to it easily in the event of an incident. It will also enable the organization to track changes to the document over time, helping to ensure that the incident response process remains up to date and effective.
upvoted 13 times

TheExile (Most Recent) 1 week, 1 day ago
Selected Answer: D
Rotating members of the CIRT ensures consistency by ensuring that there is no one group that has full control of the incident response process. Separating the duties of incident response prevents single points of failure. It ensures auditability by making sure that no one group of staff has full control of the process, and a member's participation in the CIRT can be checked by other personnel. "Another important consideration is availability. Incident response will typically require 24/7 availability, which will be expensive to provide. It is also worth considering that members of the CIRT should be rotated periodically to preclude the possibility of infiltration."
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
By publishing the incident response document in a central repository that is easily accessible to the organization, all stakeholders, including team members, management, and relevant personnel, can have access to the latest version of the document. This ensures that everyone is on the same page and follows a consistent incident response process. Having a centralized repository also facilitates version control, making it easier to audit and track changes to the document over time. Option D, rotating CIRT members to foster a shared responsibility model, can be a good practice to promote knowledge sharing and avoid overreliance on specific individuals. However, it might not directly address the need for a consistent and auditable incident response process.
upvoted 5 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
Publishing the incident response document in a central repository that is easily accessible to the organization ensures that all relevant stakeholders have access to the latest version of the document. This promotes consistency in the incident response process, as everyone is working from the same set of guidelines and procedures.
upvoted 2 times

Dan_26 7 months, 2 weeks ago
D. We have a centralized repository and thinking that'll create consistency? Don't make me laugh! No, create a team (smallish) and make them do it to tightly-defined parameters.
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
The BEST action to foster a consistent and auditable incident response process is to publish the document in a central repository that is easily accessible to the organization. By making the document easily accessible, all employees can access the document and understand the incident response process, ensuring consistency in the incident response process. Additionally, having a central repository makes it easier to audit the incident response process to ensure compliance with policies and regulations.
upvoted 1 times

MasterControlProgram 9 months, 2 weeks ago
Selected Answer: B
B. Publish the document in a central repository that is easily accessible to the organization is the BEST action to foster a consistent and auditable incident response process.
upvoted 2 times

MasterControlProgram 9 months, 3 weeks ago
Selected Answer: B
B. Publish the document in a central repository that is easily accessible to the organization would be the BEST action to foster a consistent and auditable incident response process. By publishing the document in a central repository that is easily accessible to the organization, all members of the organization will have access to the incident response process and will be able to refer to it as needed. This will help ensure that the process is consistent and that all incidents are handled in the same way. Additionally, by making the process easily accessible, it will be easier to audit and ensure that it is being followed properly.
upvoted 2 times

seagnull 10 months, 3 weeks ago
Selected Answer: B
I work in a CIRT, and a document is a must-have so that your company's future CIRTs will process any future incidents the same as we are doing today. Consistency is the key, plus you can audit your new resources using the document.
upvoted 4 times

sarah2023 11 months, 1 week ago
Selected Answer: D
It's clearly stated in the materials provided that the answer is D.
upvoted 1 times

TinyTrexArmz 11 months ago
Maybe quote the materials you're looking at and/or provide a reference.
upvoted 13 times

DALLASCOWBOYS 11 months, 1 week ago
B. The only way to foster a consistent response is to publish the SOP where everyone can view the procedures. Now that doesn't mean that everyone will follow the procedures competently. It is the BEST answer of the choices given.
upvoted 3 times

Sandon 11 months, 2 weeks ago
ChatGPT says it's B.
upvoted 3 times

[Removed] 11 months, 3 weeks ago
Selected Answer: B
Knowledge base or documentation for a consistent and auditable incident response process.
upvoted 2 times

RvR109 11 months, 3 weeks ago
Selected Answer: B
According to ChatGPT: B. Publish the document in a central repository that is easily accessible to the organization. Making the incident response process document easily accessible to the entire organization is the best way to foster a consistent and auditable incident response process. This ensures that everyone in the organization is aware of the process and is able to refer to it when needed. It also allows for easy updates and revisions to be made as needed, and for the document to be readily available for audits. Option A is not the best option as it could lead to a lack of consistency and understanding of the incident response process among new hires. Option C is not the best option as it could lead to siloed knowledge and inefficiency in incident response.
Option D is not the best option as it does not ensure that everyone in the organization is aware of the incident response process and could lead to a lack of consistency.
upvoted 5 times

asum 11 months, 3 weeks ago
Selected Answer: D
Incident response will typically require 24/7 availability, which will be expensive to provide. It is also worth considering that members of the CIRT should be rotated periodically to preclude the possibility of infiltration.
upvoted 2 times

scarceanimal 11 months ago
Inconsistent and not auditable, since only those members will be knowledgeable of the process.
upvoted 2 times

KingDrew 11 months, 4 weeks ago
Selected Answer: B
Answer is B, because despite users there will always be that same documentation to follow.
upvoted 2 times

Topic 1 Question #91
During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue?
A. Conduct a full vulnerability scan to identify possible vulnerabilities.
B. Perform containment on the critical servers and resources.
C. Review the firewall and identify the source of the active connection.
D. Disconnect the entire infrastructure from the internet.
Correct Answer: B
Community vote distribution: B (91%), 6%

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: B
Perform containment on the critical servers and resources -> Isolation or containment is the first thing to do after an incident has been discovered.
upvoted 35 times

[Removed] (Highly Voted) 1 year, 1 month ago
Selected Answer: B
If we follow the Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lessons Learned
So it has to be CONTAINMENT :)
upvoted 19 times

val4 (Most Recent) 2 months, 2 weeks ago
Passed 758>750, 5-10 Q I knew, the rest was like Chinese.
upvoted 2 times

Sebatian20 2 months, 2 weeks ago
Did you select the wrong language for your test?
upvoted 9 times

freyprey 3 months, 3 weeks ago
Selected Answer: A
Here is a quote from the CompTIA study guide, the most recent: "Platform as a Service. Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/appengine). As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e-commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform." So reading this I think this debate is closed. The answer is SaaS, although in practice things are a little more different.
upvoted 1 times

BigIshai 5 months ago
Selected Answer: B
I agree on containment because the pen tester already must have conducted a vulnerability assessment and in the course of pen testing would have the details (identification) of what system the exfiltrated data is from, hence the next step is to contain.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
When the penetration tester discovers data exfiltration, the immediate concern should be to prevent further damage and limit the attacker's access. By performing containment on critical servers and resources, the client can isolate the affected systems from the rest of the network, preventing further data exfiltration and minimizing the impact of the breach.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
Performing containment involves isolating or segregating the affected servers and resources to prevent further unauthorized access or data exfiltration. This can be done by disconnecting the compromised systems from the network, disabling their access to sensitive data or critical resources, or implementing network segmentation to isolate the affected parts of the infrastructure. Containment is a crucial step to prevent the ongoing exfiltration and minimize the potential impact of the breach. By limiting the attacker's ability to access or extract sensitive information, the organization can mitigate the risk of further data loss or damage.
upvoted 1 times

Nippilous 9 months, 2 weeks ago
Selected Answer: B
https://www.sciencedirect.com/topics/computer-science/containment-strategy
upvoted 2 times

MasterControlProgram 9 months, 2 weeks ago
Selected Answer: B
B. Perform containment on the critical servers and resources should be the client's NEXT step to mitigate the issue.
upvoted 2 times

[Removed] 1 year, 1 month ago
If we follow the Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lessons Learned
So it has to be CONTAINMENT :)
upvoted 3 times

Sarooor 1 year, 1 month ago
Selected Answer: B
Perform containment on the critical servers and resources -> Isolation or containment is the first thing to do after an incident has been discovered.
upvoted 2 times

Tjank 1 year, 3 months ago
Selected Answer: C
Following the Incident Response process: Preparation, Identification (detection), Containment, Eradication, Recovery, Post-Incident. The pen tester would be the Preparation phase (constantly new vulnerabilities). Identification is needed to know which systems are affected and the extent of the containment needed. Containment is next. You use what you have identified to know if you need to segment, isolate, or even shut down completely.
upvoted 4 times

Tafari 1 year, 3 months ago
Selected Answer: A
He stopped, so he needs to finish so all vulnerable systems are contained.
upvoted 1 times

i_bird 1 year, 3 months ago
Read the question well. It's the client that is the subject of the question, not the pen tester, and it's asking for MITIGATION steps.
upvoted 2 times

sujon_london 5 months ago
I assume you got mistaken about the pentester doing the test on behalf of the client; so from the client's perspective, they should take the initiative for containment.
upvoted 1 times

Topic 1 Question #92
A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?
A. Preventive controls
B. Compensating controls
C. Deterrent controls
D.
Detective controls
Correct Answer: D
Community vote distribution: C (94%), 3%

banditring (Highly Voted) 1 year, 3 months ago
Selected Answer: C
A piece of paper with a crayon that says "STAY OUT OF HERE" is the cheapest method if you ask me.
upvoted 59 times

Gino_Slim 1 year, 2 months ago
This is the answer. Well, for me at least. I wouldn't suggest you do this on the exam.
upvoted 5 times

sandra001 11 months, 2 weeks ago
As funny as this sounds, yeah, it is the cheapest.
upvoted 6 times

DALLASCOWBOYS 11 months, 1 week ago
LOL good one.
upvoted 2 times

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: C
This is a confusing one -> Without thinking too much, deterrent controls seem to be less expensive. I hear you...
upvoted 55 times

Old_Boy_ 2 months ago
In StoneFace we trust.
upvoted 3 times

kingsAffection 1 year, 4 months ago
Indeed a confusing one, but I agree deterrence will only use minimum controls to deter action.
upvoted 2 times

housecoatjapan 9 months, 2 weeks ago
I believe the keyword is a "physical site".
upvoted 2 times

jakesmith45 (Most Recent) 1 week, 3 days ago
This is definitely C. A is too expensive; the key word is cheapest. C you can do with a warning sign saying "do not enter, cameras in use" and it would deter most people.
upvoted 1 times

Peshokp 2 weeks, 5 days ago
Selected Answer: A
I think everybody is focusing on the "Technical control" which has Deterrent control, but the question is asking about "Physical Control":
- Preventive controls are making the location less tempting to break into, such as secure entry points, biometric or card-based access systems, and employee identification.
- Detective controls are identifying what was broken into, what is missing, and the extent of the damage: alarms, cameras, guards.
- Recovery controls are the review of the physical security procedures, repairing any damage, and hardening the physical security of the company against future problems.
So from the "Physical Control" list it is A: Preventative Control makes more sense for me.
upvoted 2 times

cybertechb 2 weeks, 3 days ago
Deterrent control is still the best option, which includes signage, cameras, proper lighting and fencing, whereas preventive measures would appear to be more costly and aim to completely prevent. The objective is to limit.
upvoted 1 times

volakos 2 months ago
Asked ChatGPT, it said B. Compensating controls, which was obviously incorrect. After some prodding it changed its answer to A. Preventive controls, which I believe is correct.
upvoted 1 times

volakos 2 months ago
I originally thought C at first, but looking at the question the keyword is limit physical control. Deterrent may keep someone from attempting access, but would not physically limit access.
upvoted 1 times

ctonahill 3 months ago
Deterrent Control is the right one for me.
upvoted 1 times

mark_72 3 months, 1 week ago
Selected Answer: C
Detective controls (option D) focus on identifying security incidents after they occur and may not discourage unauthorized access.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
Deterrent controls are measures designed to discourage potential attackers or unauthorized individuals from attempting to gain access to a physical site. These controls are often cost-effective and can be a more budget-friendly option compared to other control types. Examples of deterrent controls include visible security cameras, warning signs, access control badges, security guards, and physical barriers like fences or gates. While deterrent controls may not physically prevent access, their presence can deter or discourage unauthorized individuals from attempting to breach the site.
upvoted 3 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: C
Deterrent controls are designed to discourage potential intruders or unauthorized individuals from attempting to gain access to a physical site. They focus on creating a perception of risk or increasing the effort required for unauthorized access. Deterrent controls are typically cost-effective and can be effective in preventing or reducing security incidents.
upvoted 2 times

twingods77 7 months, 2 weeks ago
God, who wrote these kinds of questions?
upvoted 6 times

Confuzed 8 months, 4 weeks ago
Selected Answer: A
It's impossible to say if deterrent or preventative controls would be cheaper. If a site has a single door, it may be cheaper to put a lock on than to post signs. However, the question said the control must LIMIT unauthorized access. Limit in this context is synonymous with restrict. While deterrents may reduce incidents of unauthorized access, they do nothing to actually limit/restrict it.
upvoted 3 times

fouserd 9 months ago
Selected Answer: C
The best option for the security analyst to utilize the lowest possible budget would be deterrent controls. Deterrent controls are designed to discourage potential attackers from attempting to gain unauthorized access to a physical site. This can be achieved through the use of signs, fencing, and other physical barriers that make it clear that the site is protected and that unauthorized access is not permitted. This can be an effective way to prevent unauthorized access without requiring significant investment in more expensive security measures.
upvoted 1 times

Invade 9 months, 2 weeks ago
Selected Answer: B
Compensating controls are used when the preferred control is not viable for one reason or the other. I think everyone is misinterpreting this... lol.
You can't just put poster banners because it's cheap.
upvoted 3 times

bitezadusto 9 months, 2 weeks ago
Selected Answer: C
Think of it as having a sign in front of your house saying "we have security cameras installed by SecurityCameras Inc".
upvoted 1 times

rob_cherrywood 10 months, 1 week ago
Selected Answer: C
It's C.
upvoted 1 times

MacheenZero 10 months, 2 weeks ago
Deterrent - Sign that reads ~stupid ass CompTIA questions inside, stay out~
upvoted 7 times

gladtam 9 months, 2 weeks ago
Hahaha good one.
upvoted 1 times

CTE_Instructor 10 months ago
That would deter me, for sure.
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
C. Deterrent controls would be the least expensive option. Examples would include signage and unmonitored CCTV cameras. It does not prevent, but it may deter an attacker from taking action.
upvoted 3 times

Topic 1 Question #93
A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company?
A. SaaS
B. IaaS
C. PaaS
D. SDN
Correct Answer: A
Community vote distribution: A (66%), C (31%)

Hewn (Highly Voted) 1 year, 4 months ago
Selected Answer: A
I think this is one of those questions where real-life experience doesn't answer the question correctly here. The question seems to be focusing more on which form of cloud computing requires the LEAST amount of management (SaaS), with the database part of the question being filler.
upvoted 47 times

[Removed] 1 year, 4 months ago
Honestly I think you're right.
PaaS requires management and resource allocation, and SaaS (database software, for instance) wouldn't require nearly as much.
upvoted 6 times

db97 1 year, 3 months ago
I agree, real-life experience says "PaaS" but theory says "SaaS" lol.
upvoted 5 times

YusufMadkour (Highly Voted) 1 year, 4 months ago
Selected Answer: C
If they have 100 databases they need to migrate, then they will need a Platform. I don't see how the SaaS model can help with migrating databases to the cloud.
upvoted 27 times

stoneface 1 year, 4 months ago
I concur with this. An example of a Database service offered as a PaaS model is Azure SQL Database, which is a fully managed platform as a service (PaaS). PaaS capabilities built into Azure SQL Database enable you to focus on the domain-specific database administration and optimization activities that are critical for your business. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview?view=azuresql
upvoted 18 times

Sebatian20 2 months, 2 weeks ago
ChatGPT: PaaS, or Platform as a Service, is a cloud computing service model that provides a platform and environment for developers to build, deploy, and manage applications without having to worry about the underlying infrastructure. They are not doing any development, thus PaaS won't fit their requirements.
upvoted 1 times

Fiftypeso 3 months, 1 week ago
I agree with C as well. I see it as you're migrating the whole databases, not the data, which could be from a lot of different types of databases.
upvoted 1 times

scarceanimal 11 months ago
They need to migrate the servers. The database part is there to deter you. The question also calls for the least management, which SaaS answers for.
upvoted 4 times

Peshokp (Most Recent) 2 weeks, 5 days ago
Selected Answer: B
https://hypertecsp.com/knowledge-base/cloud-migration/
IaaS – Is best for companies that don't mind hosting their applications in third-party data centers but instead would prefer to outsource the care of their physical infrastructure to concentrate more completely on developing, deploying, and monitoring.
PaaS – Robust and portable, PaaS platforms provide a full (and invisible) infrastructure environment. Adopting a PaaS solution will also reduce your ready-to-market timings, since PaaS will be pre-loaded with most of the run-time required software.
SaaS – Is a delivery model through which centrally hosted productivity software is licensed on a subscription basis.
IaaS: Infrastructure as a Service (AWS, Azure, Google Cloud Platform, Alibaba Cloud)
PaaS: Platform as a Service (AWS Elastic Beanstalk, Heroku, Google App Engine, Engine Yard)
SaaS: Software as a Service (Google G Suite, Office 365, Salesforce, NetSuite)
upvoted 1 times

JarnBarn 1 month ago
Selected Answer: C
Keyword is databases.
upvoted 1 times

Mumbo 1 month, 3 weeks ago
Took the exam today and passed with a 775. About 90% of the questions are from this dump. This dump was worth the $39.0. This question was on the test.
upvoted 6 times

JarnBarn 1 month ago
Nice! What'd you answer for this one?
upvoted 2 times

ctonahill 3 months ago
This one is tricky, but if you think of it, they are migrating servers, not just the data, which tells me they intend to provision new instances in the cloud to host their data. That looks like PaaS to me, hence C.
upvoted 1 times

Kurt43 3 months, 2 weeks ago
If you check out the definition of SaaS, I don't really know how that is an answer in migrating 100 databases and servers to the cloud.
upvoted 2 times

freyprey 3 months, 3 weeks ago
Selected Answer: A
Here is a quote from the CompTIA study guide, the most recent: "Platform as a Service. Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/appengine). As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e-commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform." So reading this I think this debate is closed. The answer is SaaS, although in practice things are a little more different.
upvoted 3 times

Abdul2107 4 months, 1 week ago
Selected Answer: C
PaaS. It's Platform, as you need to bring your database (install it on the cloud); it's not mentioned that you use some 3rd-party ready DB.
upvoted 1 times

sujon_london 5 months ago
Selected Answer: A
It's SaaS, not PaaS.
upvoted 1 times

AmesCB 5 months, 1 week ago
From a purely theoretical standpoint, SaaS is the answer, plus the fact that the phrase 'least amount of management' is added. :)
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
SaaS is a cloud computing model where the cloud provider hosts applications and makes them available to users over the internet.
In this model, the cloud provider takes care of managing the infrastructure, middleware, software, and data, allowing the company to focus solely on using the applications without worrying about the underlying maintenance and management. In the case of migrating databases to the cloud using SaaS, the company would not have to deal with database server administration, patching, backups, or other maintenance tasks. The cloud provider handles all of these aspects, making it the option that requires the least management and support from the company.
upvoted 4 times

sujon_london 5 months ago
Agreed on the point. Another justifying point is that where PaaS and SaaS are both available in the options, SaaS should be selected, as SaaS is the niche option for migrating databases into SaaS as a computing model.
upvoted 1 times

LeonardSnart 7 months, 3 weeks ago
Selected Answer: C
From this excerpt it sounds to me like PaaS would be correct: "Platform as a service (PaaS) offers a business a computing platform—such as a Web application server or database server, for example—that it can use to provide services both internally and to customers on the Internet. Many online storefronts use this model to conduct business, rather than hosting on their own premises the physical servers, Web sites, databases, and applications. Again, the advantages of using this type of service are cost savings, no requirement to build and maintain the infrastructure on site, and the guarantee of around-the-clock availability—plus, the PaaS provider takes care of the patching and configuration work." - Mike Meyers Security+ Cert Guide SY0-601
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
Option A (SaaS) and C (PaaS) will require the least management and support from the company.
SaaS (Software as a Service) solutions are fully managed by the cloud provider, while PaaS (Platform as a Service) solutions provide a platform on which the company can deploy their applications, but the cloud provider manages the underlying infrastructure. Option B (IaaS) provides the company with more control over the infrastructure but will require more management and support from the company, including patching, updates, and security management. Option D (SDN) is a networking technology and not relevant to the question. Therefore, the BEST option for the company to require the LEAST management and support is either SaaS or PaaS.
upvoted 1 times

Exlr8me 9 months, 1 week ago
Selected Answer: A
It has to be A, since PaaS follows SaaS.
upvoted 2 times

sujon_london 5 months ago
Here PaaS is the base, but SaaS is the answer.
upvoted 1 times

MasterControlProgram 9 months, 2 weeks ago
Selected Answer: A
A. SaaS will require the LEAST management and support from the company. SaaS (Software-as-a-Service) is a cloud computing model in which a third-party provider hosts applications and makes them available to customers over the internet. With SaaS, the third-party provider is responsible for managing and maintaining the infrastructure, platform, and software, which means that the company does not need to manage or support any of the underlying technology.
upvoted 2 times

Drealjesusfreak 10 months ago
I changed my answer because I got confused last minute. I chose PaaS but I think it's SaaS.
upvoted 1 times

Topic 1 Question #94
Which of the following employee roles is responsible for protecting an organization's collected personal information?
A. CTO
B. DPO
C. CEO
D.
DBA
Correct Answer: B
Community vote distribution: B (100%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: B
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.
upvoted 27 times

MorganB (Highly Voted) 8 months, 1 week ago
This was on my exam. I took my exam 27 April 23.
upvoted 15 times

Protract8593 (Most Recent) 5 months, 2 weeks ago
Selected Answer: B
The Data Protection Officer (DPO) is responsible for protecting an organization's collected personal information and ensuring compliance with data protection regulations and policies. The DPO is a key role in ensuring that the organization handles personal data in a lawful and secure manner, protecting the privacy and rights of individuals whose data is collected and processed.
upvoted 1 times

ApplebeesWaiter1122 6 months, 1 week ago
Selected Answer: B
The Data Protection Officer (DPO) is responsible for ensuring that an organization complies with data protection laws and regulations. This includes protecting the personal information collected by the organization. The DPO is responsible for developing and implementing policies and procedures related to data protection, conducting privacy impact assessments, monitoring data handling practices, and ensuring compliance with data protection regulations such as the General Data Protection Regulation (GDPR) in the European Union.
upvoted 1 times

MasterControlProgram 9 months, 2 weeks ago
Selected Answer: B
B. DPO (Data Protection Officer) is responsible for protecting an organization's collected personal information.
A DPO is responsible for ensuring an organization's compliance with data protection laws and regulations, including protecting the privacy rights of individuals whose personal information the organization collects and processes. This includes implementing appropriate technical and organizational measures to ensure the security of personal data and preventing unauthorized access, use, or disclosure.
upvoted 2 times

Boubou480 12 months ago
Selected Answer: B
DPO is the right role.
upvoted 2 times

Sklark 1 year, 2 months ago
Selected Answer: B
You know, if they would list the name of the acronym this would be an incredibly easy exam, but knowing the acronym is the answer here: Data Protection Officer (DPO).
upvoted 5 times

Boogie_79 1 year, 4 months ago
Selected Answer: B
The answer is literally in the question. DATA is the keyword!
upvoted 3 times

Topic 1 Question #95
Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following:
alice:a8df3b6c4fd75f0617431fd248f35191df8d237f
bob:2d250c5b2976b03d757f324ebd59340df96aa05e
chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match?
A. Perfect forward secrecy
B. Key stretching
C. Salting
D. Hashing
Correct Answer: C
Community vote distribution: C (100%)

Boogie_79 (Highly Voted) 1 year, 4 months ago
Selected Answer: C
Salting refers to adding random data to the input of a hash function to guarantee a unique output. The set password, in this case, is already hashed, so to further secure it salting is the next step in cryptography, i.e. adding more security to the password. Think of it as "salt bae" making it just that much better.
upvoted 35 times MorganB Highly Voted 8 months, 1 week ago Passed my exam 27, April 23. This question was on my test. upvoted 11 times Protract8593 Most Recent 5 months, 2 weeks ago Selected Answer: C The reason the encrypted passwords do not match is due to the use of salting. In password hashing, salting involves adding a random value (the salt) to the password before hashing it. The salt value is unique for each user, which means even if two users have the same password, their hashed passwords will be different due to the different salt values. In the given scenario, the three encrypted passwords for Alice, Bob, and Chris do not match each other because each password is hashed with a different salt. This adds an extra layer of security and prevents attackers from easily identifying common passwords by looking at the hashed values. upvoted 3 times ApplebeesWaiter1122 6 months, 1 week ago Selected Answer: C In password storage, salting is the practice of adding a random value (salt) to each password before hashing it. The salt is then stored alongside the hashed password. Salting enhances the security of stored passwords by introducing uniqueness to each password hash, even if two users have the same password. In the given scenario, the encrypted passwords do not match because each password has been salted before being hashed. This means that even though the original passwords were the same (P@55w0rD), the addition of a unique salt value resulted in different hashed representations for each user. upvoted 2 times mosher21 8 months, 2 weeks ago Selected Answer: C Why not key stretching tho? It well can be key stretching too. upvoted 3 times MasterControlProgram 9 months, 2 weeks ago Selected Answer: C The encrypted passwords do not match because of "Salting." Salting is a technique that adds a random string of characters to a password before hashing it, so that even if two users have the same password, their encrypted passwords will be different. 
This makes it more difficult for attackers to use precomputed tables of hashes to crack passwords. In the given scenario, if salting was not used, all users would have the same password hash, making it easy for an attacker to gain unauthorized access to all accounts by cracking just one password. upvoted 1 times ApplebeesWaiter1122 10 months ago Selected Answer: C C, salt https://www.examtopics.com/exams/comptia/sy0-601/view/ 230/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 1 times DALLASCOWBOYS 11 months, 1 week ago C. Salting. Salts eliminate the possibility that duplicate hashes are stored for different user accounts that have the same password. upvoted 1 times xxxdolorxxx 11 months, 3 weeks ago Selected Answer: C C all day long upvoted 1 times [Removed] 11 months, 3 weeks ago salt A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input upvoted 1 times Sklark 1 year, 2 months ago Selected Answer: C Haha I get that the question says "Against IT recommendations" but can you imagine a company actually setting everyone's passwords to the same password? There would be no least privilege or admin credentials. Haha anyways the example is testing to see why hash values of the same password would be different and that would be done by adding salt which is an arbitrary or mathematical extra something to the password to give it a different value when hashed. upvoted 3 times Libraboy 1 year, 2 months ago Selected Answer: C different passwords have different hashes but in this case, the same password is used and the only way to achieve different outcomes is by salting...adding random data to the password (same or not) when hashing to change the stored hash value. upvoted 1 times [Removed] 1 year, 4 months ago I'm no expert, but I believe the hashed passwords are actually stored in etc/shadow. Anyways, it's salting. 
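The salting discussion for Question #95, as an added example that is not part of any commenter's post or of the ExamTopics material: hashing the shared password P@55w0rD three times without a salt gives three identical digests, while a random per-user salt gives three different stored values. It also picks up mosher21's key-stretching point by using PBKDF2, whose iteration count is the stretching and whose salt is the salting, so the two answers are not exclusive. The record layout, the PBKDF2 parameters and the choice of SHA-1 for the unsalted case are my assumptions (40 hex characters is a 160-bit digest, which is consistent with SHA-1, but the question does not say so).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

SHARED_PASSWORD = "P@55w0rD"  # the password from the question
USERS = ["alice", "bob", "chris"]


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-1 (assumption: the 40-hex-character digests in the question
    are 160-bit values, which matches SHA-1). Same input, same output, every time."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(username: str, password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Build a shadow-style record in a format of my own:
    user:$pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>
    The salt makes equal passwords hash differently; the iteration count is the
    key-stretching part. Both are stored in the clear next to the digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def stored_digests(records: Dict[str, str]) -> Dict[str, str]:
    """Pull just the digest field out of each record."""
    return {user: rec.rsplit("$", 1)[1] for user, rec in records.items()}


def compare_schemes() -> Dict[str, Dict[str, str]]:
    """Hash the one shared password for all three users both ways."""
    unsalted = {u: unsalted_hash(SHARED_PASSWORD) for u in USERS}
    salted = {u: make_record(u, SHARED_PASSWORD) for u in USERS}
    return {"unsalted": unsalted, "salted": stored_digests(salted), "records": salted}


if __name__ == "__main__":
    result = compare_schemes()
    print("distinct unsalted digests:", len(set(result["unsalted"].values())))  # 1
    print("distinct salted digests:  ", len(set(result["salted"].values())))    # 3
    for rec in result["records"].values():
        print(rec, verify_password(rec, SHARED_PASSWORD))
```

The unsalted dictionary is what an /etc/passwd listing would look like if no salt were used: one digest repeated for every account, so cracking it once opens all three. The salted records differ even though the password is the same, and verification still works because the salt travels with the record.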
upvoted 4 times

Topic 1 Question #96
After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:
A. privilege escalation.
B. footprinting.
C. persistence.
D. pivoting.
Correct Answer: D
Community vote distribution: D (100%)

stoneface (Highly Voted), 1 year, 4 months ago
Selected Answer: D
Pivoting -> The act of an attacker moving from one compromised system to one or more other systems on the network.
upvoted 40 times

Protract8593 (Most Recent), 5 months, 2 weeks ago
Selected Answer: D
In the given scenario, the penetration tester gains access to a multifunction device with both wired and wireless interfaces. Then, after exploiting a vulnerability in the device's firmware, the tester gains shell access on another networked asset. This technique is an example of "pivoting." Pivoting is a method used by attackers or penetration testers to leverage their initial access to a compromised system or network to gain access to other systems within the same network. In this case, the attacker is using the compromised multifunction device as a pivot point to gain access to other networked assets.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: D
Pivoting is a technique used by attackers or penetration testers to move from one compromised system or network to another. In this scenario, the attacker gained access to a multifunction device through a vulnerability in its firmware. From there, they used that compromised device to gain shell access on another networked asset, essentially using the compromised device as a pivot point to access other systems or networks.
upvoted 1 times

MasterControlProgram, 9 months, 2 weeks ago
Selected Answer: D
This technique is an example of "pivoting". Pivoting is a technique used by attackers to move from one compromised system to another system on the same network, or to a different network, in order to expand their access and control. In this scenario, the attacker gained access to the multifunction device and then used that as a jumping-off point to gain shell access on another networked asset. This is an example of pivoting because the attacker used the initial compromise to "pivot" to another system and expand their access.
upvoted 2 times

xxxdolorxxx, 11 months, 3 weeks ago
Selected Answer: D
Pivoting is correct.
upvoted 2 times

Idkanything, 1 year, 1 month ago
Why not privilege escalation?
upvoted 1 times

ApplebeesWaiter1122, 6 months, 1 week ago
Privilege escalation refers to the act of gaining higher levels of access or privileges on a system or network. While privilege escalation may occur during the attack process, it does not specifically describe the technique used in this scenario.
upvoted 2 times

applepieboy, 11 months, 2 weeks ago
Nothing in the question implies the level of access the attacker has. They do, however, pivot to another device.
upvoted 2 times

xxxdolorxxx, 11 months, 2 weeks ago
Priv Esc is more on the same machine. Going from a user to root.
upvoted 6 times

Jossie_C, 1 year, 2 months ago
Selected Answer: D
Lateral movement AKA pivoting
upvoted 2 times

EDSAL, 1 year, 3 months ago
Answer is D, Pivoting.
upvoted 2 times

Topic 1 Question #97
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?
A. Common Weakness Enumeration
B. OSINT
C. Dark web
D. Vulnerability databases
Correct Answer: C
Community vote distribution: C (100%)

Protract8593, 5 months, 2 weeks ago
Selected Answer: C
Threat intelligence researchers who search for leaked credentials should monitor the dark web. The dark web is a part of the internet that is not indexed by traditional search engines and is intentionally hidden and anonymous. It is a common platform for illegal activities, including the buying and selling of stolen data, including credentials.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: C
Threat intelligence researchers who search for leaked credentials should primarily monitor the dark web. The dark web refers to a part of the internet that is not indexed by traditional search engines and is often used for illicit activities. It is a common marketplace for buying and selling stolen data, including leaked credentials such as usernames and passwords. By monitoring the dark web, threat intelligence researchers can identify if any leaked credentials associated with their organization or clients are being traded or shared. This information can be crucial for organizations to take proactive measures to protect their systems and accounts from unauthorized access.
upvoted 2 times

MasterControlProgram, 9 months, 2 weeks ago
Selected Answer: C
Threat intelligence researchers who search for leaked credentials should monitor the "dark web". The dark web is a part of the internet that is not indexed by search engines and is accessible only through special software, such as Tor. It is often used for illegal activities, including the buying and selling of stolen data, such as login credentials. By monitoring the dark web, threat intelligence researchers can identify and track leaked credentials and other information that could be used for malicious purposes.
upvoted 2 times

scarceanimal, 11 months ago
Selected Answer: C
C wouldn't help too much at all really, but it's the best choice lol.
upvoted 4 times

hieptran, 11 months, 4 weeks ago
Selected Answer: C
C fo sho
upvoted 2 times

Arcd3746, 1 year, 1 month ago
Selected Answer: C
There's no better choice.
upvoted 1 times

Mewchan, 1 year, 3 months ago
Selected Answer: C
Darkweb
https://www.hackers-arise.com/post/open-source-intelligence-osint-finding-breached-email-addresses-passwords-and-other-credentials
upvoted 3 times

Topic 1 Question #98
A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a security analyst to have this ability?
A. SOAR
B. SIEM
C. Log collectors
D. Network-attached storage
Correct Answer: B
Community vote distribution: B (100%)

Gravoc (Highly Voted), 1 year, 3 months ago
Every single time I've seen the word correlate in questions, the answer has always been SIEM. From Google: SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behaviors that otherwise go unnoticed and can lead to compromise or data loss.
upvoted 20 times

Fitzd (Highly Voted), 1 year, 3 months ago
SIEM has log repository and analysis capabilities that SOAR platforms typically do not. The SOAR has response capabilities that the SIEM does not.
upvoted 8 times

scarceanimal, 11 months ago
Yep, they're commonly used in conjunction for that reason.
upvoted 1 times

Protract8593 (Most Recent), 5 months, 2 weeks ago
Selected Answer: B
A SIEM (Security Information and Event Management) system is designed to collect, store, and analyze log data from various sources in real time. It allows security analysts to search and correlate logs from multiple sources in a single tool, enabling them to identify and respond to security incidents effectively.
upvoted 2 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: B
SIEM (Security Information and Event Management) systems are designed to collect, analyze, and correlate log data from various sources such as network devices, servers, applications, and security systems. They provide a centralized platform where logs can be ingested, normalized, and indexed for efficient searching and analysis. With a SIEM, security analysts can perform log searches, create custom queries, and apply correlation rules to identify patterns, anomalies, and potential security incidents. SIEMs also provide features like real-time monitoring, alerting, and reporting to help analysts detect and respond to security events effectively.
upvoted 2 times

DALLASCOWBOYS, 11 months, 1 week ago
B. SIEM. This describes exactly what a SIEM does and is.
upvoted 3 times

rhocale, 1 year ago
This would not be SOAR just because they don't want security prevention or automation, correct? Someone explain why not SOAR.
upvoted 1 times

Yebby, 1 year, 1 month ago
SIEM - Security Information and Event Management
upvoted 3 times

Knowledge33, 1 year, 2 months ago
Selected Answer: B
Log collectors are pieces of software that function to gather data from multiple independent sources and feed it into a unified source such as a SIEM. Log collectors only collect the logs. SIEM stores all logs.
upvoted 3 times

RonWonkers, 1 year, 3 months ago
Selected Answer: B
I believe it is SIEM.
upvoted 5 times

Topic 1 Question #99
A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output:
[WAF log output not captured in this copy of the page]
Which of the following is MOST likely occurring?
A. XSS attack
B. SQLi attack
C. Replay attack
D. XSRF attack
Correct Answer: B
Community vote distribution: B (100%)

comeragh (Highly Voted), 1 year, 4 months ago
Selected Answer: B
SQLi - the giveaway is 1=1
upvoted 29 times

xxxdolorxxx, 11 months, 3 weeks ago
You are correct.
upvoted 2 times

rodwave (Highly Voted), 1 year, 1 month ago
Selected Answer: B
Answer: SQLi attack
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. The giveaway here is the 1=1 in the query, which is essentially creating a condition that will automatically be true.
======================
Helpful Info:
XSS (Cross-Site Scripting) attacks - a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Replay Attack - a kind of man-in-the-middle attack in which an attacker sniffs messages being sent on a channel to intercept them and resend them under the cloak of authentic messages.
CSRF (Cross-Site Request Forgery) - attacks that target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something.
upvoted 21 times

Tommer (Most Recent), 1 month, 2 weeks ago
Almost any time there is 1=1 in any example, it's SQLi. Buddy took it recently and said there were a lot of them on his exams. Don't miss the free points.
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: B
In the provided logs, the presence of characters like -- and +OR+1=1-- in the requested URL indicates that the web server is likely vulnerable to SQL injection (SQLi) attacks. SQL injection is a type of web application vulnerability where an attacker can inject malicious SQL code into the input fields of a web application to manipulate the underlying database and potentially gain unauthorized access or extract sensitive information.
upvoted 1 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: B
From Dion's material: If you see a 1=1, it is most likely a SQL injection.
upvoted 3 times

MasterControlProgram, 9 months, 2 weeks ago
Selected Answer: B
The most likely attack occurring based on the provided information is a "SQLi attack" (SQL Injection attack). The second log entry indicates that the attacker is attempting to exploit a SQL injection vulnerability by appending a payload to the "category" parameter of the contact form. The payload "OR 1=1--" is a common technique used to bypass authentication or gain unauthorized access by modifying the SQL query to always return true. The double-dash "--" indicates the start of a comment in SQL, which helps the payload to avoid syntax errors.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
SQLi. Key is the 1=1; it is the dead giveaway for the SQL injection attack.
upvoted 3 times

hieptran, 11 months, 4 weeks ago
Selected Answer: B
B - Typical SQL Injection payload
upvoted 1 times

Queenica, 1 year, 1 month ago
I selected SQL Injection. However, every SQL statement query starts with SELECT, which is missing. Confused with the wording of the question.
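An added example for Question #99, written for this page and not taken from any commenter or from ExamTopics: the string-concatenated query that the OR 1=1-- payload turns into an always-true WHERE clause is placed next to the parameterized form that treats the same input as plain data, both run against an in-memory SQLite table, and a small detector is then run over WAF-style log lines. Queenica's point is also visible here: the SELECT lives in the application, so the log only ever shows the tail the attacker appends to the `category` parameter. The `category` parameter and the `+OR+1=1--` form come from the comments above; the product table, the three log lines, the log layout and the client addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed WAF-style log lines (not the exam's figure). Server 10.10.1.1 is
# from the question; the client addresses are documentation-range placeholders.
CONSTRUCTED_WAF_LOG = """\
2024-01-06T09:03:11Z 203.0.113.5 -> 10.10.1.1 GET /contact.php?category=office 200
2024-01-06T09:03:12Z 203.0.113.5 -> 10.10.1.1 GET /contact.php?category=office'+OR+1=1-- 200
2024-01-06T09:03:13Z 198.51.100.7 -> 10.10.1.1 GET /index.html 200
"""

PAYLOAD = "' OR 1=1--"  # the tautology the thread keys on, URL-decoded


def build_db() -> sqlite3.Connection:
    """Toy product table so both query styles can be run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Pen", "office"), (2, "Router", "network"), (3, "Badge", "security")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, category: str) -> List[str]:
    """The 'before' form: user input is spliced into the SQL text, so a quote
    closes the literal, OR 1=1 makes the WHERE clause always true and the
    trailing -- comments out what is left of the statement."""
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn: sqlite3.Connection, category: str) -> List[str]:
    """The fix: a bound parameter is passed as data and never parsed as SQL,
    so the same payload is just an odd category name that matches nothing."""
    sql = "SELECT name FROM products WHERE category = ?"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


# The tautology markers the comments above point at, matched after URL decoding.
SQLI_PATTERN = re.compile(r"(?i)\bOR\s+1\s*=\s*1\b|'\s*OR\s*'")


def flag_sqli(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, client IP) for each log line carrying an SQLi marker.
    Decoding first matters: the wire form is +OR+1=1--, not 'OR 1=1--'."""
    flagged = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        decoded = unquote_plus(line)  # "+OR+1=1--" -> " OR 1=1--"
        if SQLI_PATTERN.search(decoded):
            flagged.append((number, line.split()[1]))
    return flagged


if __name__ == "__main__":
    db = build_db()
    print("normal input, vulnerable query:", vulnerable_lookup(db, "office"))
    print("payload, vulnerable query:     ", vulnerable_lookup(db, PAYLOAD))
    print("payload, parameterized query:  ", safe_lookup(db, PAYLOAD))
    print("flagged log lines:", flag_sqli(CONSTRUCTED_WAF_LOG))
```

The vulnerable lookup returns every row for the payload because the WHERE clause has become `category = '' OR 1=1`; the parameterized lookup returns nothing because SQLite compares the column against the literal string. The detector is deliberately narrow (it only knows the tautology shapes the thread discusses) and would sit behind a real WAF rule set, not replace one.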
upvoted 1 times

RonWonkers, 1 year, 3 months ago
Selected Answer: B
1=1, so it's SQLi.
upvoted 3 times

Topic 1 Question #100
Which of the following components can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a single firewall?
A. Transit gateway
B. Cloud hot site
C. Edge computing
D. DNS sinkhole
Correct Answer: A
Community vote distribution: A (100%)

stoneface (Highly Voted), 1 year, 4 months ago
Selected Answer: A
VPC peering relationships can quickly become difficult to manage, especially if each VPC must interconnect in a mesh-like structure. A transit gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways (aws.amazon.com/transit-gateway).
upvoted 39 times

Old_Boy_, 2 months ago
He strikes gold again! Stoneface the main man.
upvoted 1 times

kameel1221 (Highly Voted), 11 months, 1 week ago
Hardest Question in Ohio
upvoted 19 times

JarnBarn (Most Recent), 1 month ago
Shout out to edge computing. Easily my favorite form of computing in Ohio.
upvoted 1 times

Mumbo, 1 month, 3 weeks ago
Took the exam today and passed with a 775. About 90% of the questions are from this dump. This question is in the exam.
upvoted 3 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
A transit gateway is a networking component that can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a single firewall. It acts as a hub to connect multiple Virtual Private Clouds (VPCs) or cloud environments within the same cloud service provider or across different cloud service providers. The transit gateway allows organizations to centralize their network traffic and security controls for efficient management and security monitoring.
upvoted 3 times

ApplebeesWaiter1122, 6 months, 1 week ago
Selected Answer: A
A transit gateway is a networking construct that allows organizations to connect multiple virtual private clouds (VPCs), on-premises networks, and remote networks through a central hub. It acts as a transit point for network traffic, enabling the routing and forwarding of traffic between different network environments. By deploying a transit gateway, organizations can consolidate their inbound internet traffic from various sources, such as multiple cloud environments, and route it through a single firewall or security appliance. This centralizes the traffic management and allows for consistent security controls to be applied.
upvoted 2 times

ronniehaang, 11 months, 1 week ago
Selected Answer: A
A transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
A. Transit gateway establishes a simple and seamless integration of VPCs and local systems through a central hub or cloud router.
upvoted 1 times

Jakalan7, 1 year, 3 months ago
Selected Answer: A
A is the only answer that makes sense here.
upvoted 7 times

Topic 1 Question #101
A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?
A. Logic bomb
B. Ransomware
C. Fileless virus
D. Remote access Trojans
E. Rootkit
Correct Answer: A
Community vote distribution: A (87%), 8%

stoneface (Highly Voted), 1 year, 4 months ago
Selected Answer: A
"software was configured to delete data deliberately from those servers" - This could be achieved by a cronjob.
upvoted 26 times

Nirmalabhi (Highly Voted), 1 year, 1 month ago
It's a trap. I also first thought it was rootkit, but I'll go with logic bomb. Although no conditions are specified, the Q says it happened over the weekend, which means the software was configured to delete data automatically over the weekend.
upvoted 5 times

NerdAlert, 9 months, 3 weeks ago
I thought so too, but then I noticed "no backdoors were found" - rootkits are usually a type of backdoor.
upvoted 1 times

Ant0507 (Most Recent), 1 month, 3 weeks ago
Question, the CompTIA exam is only 90 or so questions, is everyone going through all 700 questions on here?
upvoted 3 times

Billyon, 1 month, 3 weeks ago
Yes I am.
upvoted 6 times

guestionme, 4 months, 1 week ago
Rootkit seems right to me because the question says "system files being deleted." Does anyone know the actual answer?
upvoted 1 times

MuttleyB, 2 weeks, 6 days ago
Logic bomb. On a Linux server, you don't need a rootkit to delete system files. Theoretically, just sudo in and you can wipe your entire kernel like that. Practically, most distributions have protections that keep you from doing that, but it's not as difficult to accomplish as on Windows.
upvoted 1 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
A logic bomb is a type of malicious code or software that is intentionally inserted into a system and designed to execute a specific malicious action when certain conditions are met. In this scenario, the logic bomb was deliberately configured to delete data from the production server hard drives and Linux servers unexpectedly. It is important to note that logic bombs can be triggered by various conditions such as a specific date, time, or event, and they are intended to cause harm or damage to the targeted system or data.
upvoted 3 times

ApplebeesWaiter1122, 6 months ago
Selected Answer: A
A logic bomb is a type of malicious code or script that is intentionally inserted into a system with the purpose of executing a harmful action at a specific time or when specific conditions are met. In this scenario, the deliberate deletion of data from the production server hard drives and the unexpected deletion of system files on the Linux servers indicate the presence of a logic bomb.
upvoted 1 times

MasterControlProgram, 9 months, 2 weeks ago
Selected Answer: A
The most likely attack used to cause the data loss is a "Logic bomb" attack. A logic bomb is a type of malicious code that is intentionally inserted into a software program or system with the intention of causing damage or destruction at a specific time or under specific conditions, such as a particular date or event. In this case, the fact that the software was configured to delete data deliberately from the servers indicates that a logic bomb may have been used to trigger the deletion.
upvoted 1 times

Mismomano, 10 months, 2 weeks ago
Selected Answer: E
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine.
upvoted 1 times

Boulet_Dude, 9 months, 2 weeks ago
Wouldn't a rootkit create a back door?
upvoted 10 times

TheFivePips, 2 months ago
ChatGPT says: Yes, a rootkit typically creates a backdoor or a hidden and unauthorized access point into a compromised system. Rootkits are a form of malicious software designed to conceal their presence on a system while granting an attacker privileged access and control over the compromised system. This hidden access often functions as a backdoor, allowing the attacker to maintain control over the system, execute malicious actions, and potentially exfiltrate data or perform other unauthorized activities. While rootkits are known for their stealth and ability to hide their presence from system administrators and security tools, they are primarily used to establish a secret means of control, which is effectively a backdoor into the compromised system. This backdoor access is what distinguishes rootkits from other types of malware.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago
A. Logic bomb would suggest software was configured to delete data deliberately from the servers.
upvoted 3 times

Conejo_Negro, 1 year, 1 month ago
Selected Answer: C
I believe the answer is C, Fileless virus. Rootkits usually require a back door... the question states no back door was found... there is no pattern or condition stated in the question... the "software was configured to delete data from those servers". Fileless attacks usually attach themselves to legitimate software.
https://www.trellix.com/en-us/security-awareness/ransomware/what-is-fileless-malware.html
upvoted 3 times

Confuzed, 8 months, 4 weeks ago
A fileless virus resides in memory... they wouldn't be able to say "software was configured" if it were a running process that did this. Software on the system was configured to do this; we can assume that it doesn't just keep doing this constantly, so it must have a trigger (time, event, etc.), and a trigger is logic. So it's a logic bomb.
upvoted 2 times

Sandon, 11 months, 2 weeks ago
That ain't it
upvoted 3 times

[Removed], 1 year, 1 month ago
Selected Answer: E
I also sway to the ROOTKIT. "no BACKDOOR was found" <---- rootkit hides its presence; that's why no backdoor was found. The term ROOTKIT derives from UNIX/Linux, where any process running as root has unrestricted access to everything from the root of the file system down.
upvoted 1 times

NerdAlert, 9 months, 3 weeks ago
Rootkits are usually a type of backdoor.
upvoted 2 times

Sandon, 11 months, 2 weeks ago
That ain't it
upvoted 1 times

Jossie_C, 1 year, 2 months ago
Key word is deliberately, i.e., intentionally. It's a trap.
upvoted 1 times

EDSAL, 1 year, 3 months ago
A Logic bomb
upvoted 1 times

gen2dee, 1 year, 3 months ago
"software was configured"
upvoted 2 times

WondaByte, 1 year, 3 months ago
Correct Answer E. Rootkit fits the answer to the question. A condition has to be true for a Logic Bomb to occur, which in this case isn't there. Correct Answer E.
upvoted 3 times

Orean, 1 year, 2 months ago
The condition could be time-based, meaning the logic bomb might have been set to activate at a specified date and time, such as the weekend of the data wipe.
upvoted 3 times

Gino_Slim, 1 year, 2 months ago
Hey everyone, this is NOT the right answer.
upvoted 2 times

Halaa, 1 year, 3 months ago
But no BACKDOOR was found.
upvoted 4 times

Boogie_79, 1 year, 4 months ago
Selected Answer: A
It's simply LOGIC.
upvoted 2 times

Topic 1 Question #102
Digital signatures use asymmetric encryption. This means the message is encrypted with:
A. the sender's private key and decrypted with the sender's public key.
B. the sender's public key and decrypted with the sender's private key.
C. the sender's private key and decrypted with the recipient's public key.
D. the sender's public key and decrypted with the recipient's private key.
Correct Answer: A
Community vote distribution: A (87%), 7%

stoneface (Highly Voted), 1 year, 4 months ago
In order to verify the authenticity of a digital signature we need to encrypt the initial message with the sender's private key. The receiver then can verify the authenticity by decrypting the message with the sender's public key.
https://docs.huihoo.com/globus/gt4-tutorial/ch09s03.html
upvoted 42 times

Knowledge33 (Highly Voted), 1 year, 2 months ago
Selected Answer: A
There are 2 general ways to use an asymmetric algorithm.
1 - For communication between 2 hosts: If Bob sends a message to Alice, Bob uses Alice's public key to encrypt the message, and Alice uses her private key to decrypt the message.
2 - For digital signature/Authentication: If Alice needs to authenticate Bob, Bob uses his private key to sign the message, and Alice uses the public key of Bob to decrypt the message. This process helps to make sure the signature is owned by Bob.
On this example, A is totally correct.
upvoted 32 times

Xynned, 6 months ago
Didn't know there were different usages for asymmetric cryptography in terms of mail usage. Was only aware of S/MIME, which uses the recipient's public key to encrypt the message and uses the recipient's private key to decrypt. Thanks for this info!
upvoted 2 times

scarceanimal, 11 months ago
I NEVER KNEW THIS wow ty
upvoted 4 times

VEE224 (Most Recent), 1 week, 2 days ago
Answer is B. Asymmetric key algorithms use a public key for encryption and a private key for decryption. Examples include the RSA, Diffie-Hellman, El Gamal, and elliptic curve cryptography standards.
upvoted 2 times

above, 3 months ago
Selected Answer: A
Digital signatures work by proving that a digital message or document was not modified—intentionally or unintentionally—from the time it was signed. Digital signatures do this by generating a unique hash of the message or document and encrypting it using the sender's private key. The hash generated is unique to the message or document, and changing any part of it will completely change the hash. Once completed, the message or digital document is digitally signed and sent to the recipient. The recipient then generates their own hash of the message or digital document and decrypts the sender's hash (included in the original message) using the sender's public key. The recipient compares the hash they generate against the sender's decrypted hash; if they match, the message or digital document has not been modified and the sender is authenticated.
https://www.cisa.gov/news-events/news/understanding-digital-signatures
upvoted 1 times

kigikik881, 3 months ago
I didn't expect they'd call the process of signing "encrypt"... So stupid and misleading. Everywhere I read, the process of encryption is changing clear-text data into hidden (encrypted) ciphertext so it can't be read without decryption.
upvoted 1 times

daddylonglegs, 2 months, 3 weeks ago
It's not stupid or misleading at all if you take care and read the question. Make sure you understand what a digital signature is.
upvoted 1 times

lamrine04, 5 months, 1 week ago
Selected Answer: B
From ChatGPT: The correct answer is B. the sender's public key and decrypted with the sender's private key. In digital signatures, the message is first hashed (using a cryptographic hash function) to generate a fixed-length digest. Then, this digest is encrypted with the sender's private key to create the signature. The recipient of the message can then verify the signature by decrypting it using the sender's public key, which should result in the same hash value. If the decrypted hash matches the hash value calculated from the received message, it confirms the integrity of the message and the authenticity of the sender. So, digital signatures use asymmetric encryption in such a way that the message is encrypted with the sender's private key and decrypted with the sender's public key for verification.
upvoted 1 times

TuanDinh, 4 months, 1 week ago
ChatGPT is sometimes stupid.
upvoted 11 times

Old_Boy_, 2 months ago
ChatGPT would fail this test.
upvoted 2 times

Protract8593, 5 months, 2 weeks ago
Selected Answer: A
Digital signatures use asymmetric encryption, but when it comes to signing a message or file with a digital signature, the process is as follows: A. The sender's private key is used to encrypt the hash or digest of the message, and the recipient uses the sender's public key to decrypt the hash or digest and verify the authenticity of the signature. So, for digital signatures, the correct answer is A.
upvoted 1 times

Aleem001, 5 months, 3 weeks ago
Selected Answer: B
Digital signatures use asymmetric encryption. This means the message is encrypted with:
A. the sender's private key and decrypted with the sender's public key. (Most Voted)
B. the sender's public key and decrypted with the sender's private key.
C. the sender's private key and decrypted with the recipient's public key.
D. the sender's public key and decrypted with the recipient's private key.
ChatGPT: B. the sender's public key and decrypted with the sender's private key.
upvoted 1 times

sirpsionics, 5 months, 2 weeks ago
I find it sorta funny that Bard and Bing give the answer as C. Given that I am having a hard time understanding how things work, I have no clue if the answer is A, B, or C.
upvoted 1 times

daddylonglegs, 2 months, 3 weeks ago
The answer is A. None of the other answers make sense. First of all, C and D suggest using the public and private keys of two different keypairs, which would not work at all. If you chose B, that would imply that the sender's private key was being shared with the recipient to decrypt the message, which defeats the entire purpose of asymmetric encryption. A describes the process of digital signatures. If the sender encrypts something with their private key, the message can only be decrypted with the sender's public key. Therefore, you know that the sender was the true sender, because attempting to decrypt using anyone else's key would not work. This process of digital signing would typically take place after the sender encrypts the message using the recipient's public key to protect confidentiality.
upvoted 1 times

ApplebeesWaiter1122, 6 months ago
Selected Answer: A
The purpose of using the sender's private key for encryption is to create a unique digital signature that can only be generated by the sender. This provides authenticity and non-repudiation, as only the sender possessing the corresponding private key can create a valid signature. The recipient can then decrypt the signature using the sender's public key to verify the integrity and authenticity of the message.
upvoted 1 times

Dutch012, 8 months ago
Guys, it's B. The sender encrypts the message with your public key and you decrypt it by using your private key; your public key is shared with others, and they cannot decrypt the message with your public key.
upvoted 2 times

RobbieT, 8 months, 2 weeks ago
The key thing here is signature. You sign with your private key.
upvoted 1 times

mkimchi, 9 months ago
These answer choices are worded wrong. Asymmetric encryption uses two keys: public and private. Anything encrypted with the public key can only be decrypted with the matching private key. Anything encrypted with the private key can only be decrypted with the matching public key. For digital signatures, to send the message with encryption, you use the sender's private key and decrypt the message with the sender's public key.
upvoted 4 times daddylonglegs 2 months, 3 weeks ago ...which is answer A upvoted 1 times MGMKING 9 months ago asymmetric encryption Also called public key cryptography, a data encryption system that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key. upvoted 1 times MGMKING 9 months ago Asymmetric Encryption Also called public key cryptography, a data encryption system that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key. Make your own assumptions per the above definition. upvoted 1 times monzie 9 months, 1 week ago Selected Answer: B B. The sender's public key is used to encrypt the message, and the sender's private key is used to decrypt the message. Digital signatures use asymmetric encryption to ensure authenticity and integrity of a message. The sender uses their private key to encrypt a digital signature that is appended to the message. The recipient uses the sender's public key to decrypt the digital signature, which verifies the authenticity and integrity of the message upvoted 2 times PenTestKing 10 months, 2 weeks ago A is correct for digital signature, B would be for messaging upvoted 1 times daddylonglegs 2 months, 3 weeks ago B would not work for anything as the recipient would need the sender's private key, which defeats the entire purpose of asymmetric key encryption upvoted 1 times DALLASCOWBOYS 11 months, 1 week ago A. If the sender wants to digitally sign a message(Bob), Bob encrypts the message using his private key. When the recipient(Judy) receives the digitally signed message, Judy decrypts the digital signature using Bob's public key. 
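The sign-with-the-private-key, verify-with-the-public-key process the thread above describes, as an added example that is not part of the original discussion: textbook RSA over a SHA-256 digest, using constructed toy primes (far too small for real use, and without the padding real RSA signatures apply), showing that a signature verifies only under the signer's own public key, fails when the message is altered, and cannot be produced by anyone who lacks the private key, which is the non-repudiation property several comments mention.

```python
import hashlib
from math import gcd

# Constructed toy parameters for illustration only: well-known small primes,
# orders of magnitude too small for real use, and no PKCS#1 padding.
BOB_PRIMES = (1299709, 15485863)     # the 100,000th and 1,000,000th primes
MALLORY_PRIMES = (104729, 32452843)  # the 10,000th and 2,000,000th primes
E = 65537                            # the conventional public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: d * e == 1 (mod phi)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the hash with the private key: only the key holder can do this."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def demo() -> dict:
    """Walk through the scenarios the thread argues about."""
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    mallory_pub, mallory_priv = make_keypair(*MALLORY_PRIMES)
    order = b"Sell 100 shares of ACME at market"   # constructed sample message
    sig = sign(order, bob_priv)
    return {
        # Answer A: signed with Bob's private key, verified with Bob's public key.
        "genuine": verify(order, sig, bob_pub),
        # Integrity: any change to the message breaks the hash comparison.
        "tampered": verify(b"Sell 200 shares of ACME at market", sig, bob_pub),
        # Non-repudiation: a signature made with another private key does not
        # verify under Bob's public key, so only Bob could have produced `sig`.
        "forged": verify(order, sign(order, mallory_priv), bob_pub),
        # Options C/D: keys from two different keypairs do not match up.
        "wrong_keypair": verify(order, sig, mallory_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} verifies: {ok}")
```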
upvoted 1 times

Topic 1 Question #103
A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?
A. SSO
B. IDS
C. MFA
D. TPM
Correct Answer: C
Community vote distribution: C (100%)

VEE224, 1 week, 2 days ago:
answer is B: Asymmetric key algorithms use a public key for encryption and a private key for decryption. Examples include the RSA, Diffie-Hellman, El Gamal, and elliptic curve cryptography standards
upvoted 1 times

r57ah__, 1 month, 1 week ago:
Why not TPM?
upvoted 1 times

mm777, 4 months, 4 weeks ago:
What about SSO? MFA is an authentication, not authorization, technology
upvoted 2 times

Copmp, 4 months, 3 weeks ago:
The attackers are trying to get in by pretending to be someone who is allowed, right? SSO doesn't help to prevent attackers from fooling the system. SSO is just using username and password, often in a federation setting. MFA makes the attacker have two different things to sign on (such as password and fingerprint). So MFA would be the answer
upvoted 2 times

Protract8593, 5 months, 2 weeks ago:
Selected Answer: C
Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more forms of identification before gaining access to a system. It is designed to prevent attackers from gaining access by pretending to be authorized users because they would need to provide multiple pieces of evidence to prove their identity.
upvoted 2 times

ApplebeesWaiter1122, 6 months ago:
Selected Answer: C
MFA adds an extra layer of security by requiring users to provide multiple forms of identification or verification before accessing a system or application. It typically combines something the user knows (such as a password), something the user has (such as a physical token or mobile device), or something the user is (such as biometric data) to authenticate their identity. By implementing MFA, even if an attacker manages to obtain or guess a user's password, they would still need the additional factor (such as a physical token or biometric data) to successfully authenticate as the authorized user.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago:
C. Multifactor authentication.
upvoted 2 times

comeragh, 1 year, 4 months ago:
Selected Answer: C
C - Multi Factor Authentication (MFA)
upvoted 3 times

Josh_Feng, 1 year, 4 months ago:
Selected Answer: C
C is correct since MFA = harder to impersonate due to having multifactor authentication.
upvoted 4 times

Papee, 1 year, 2 months ago:
is MFA a technology ?
upvoted 1 times

EubertT, 1 year, 1 month ago:
Yes, MFA is a technology. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction.
upvoted 2 times

Topic 1 Question #104
The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?
A. GDPR compliance attestation
B. Cloud Security Alliance materials
C. SOC 2 Type 2 report
D. NIST RMF workbooks
Correct Answer: C
Community vote distribution: C (78%), A (22%)

Nirmalabhi (Highly Voted), 1 year, 1 month ago:
Do not overthink. The question is simply on auditing. Note the words in the question: "...has requested that a third-party vendor provide supporting documents." Hence the correct answer is indeed SOC 2. See below, directly from Professor Messer's notes: If your organization has undergone an audit, then you're probably familiar with the SSAE SOC 2 types I and II. This is from the American Institute of Certified Public Accountants, or the AICPA. It's an auditing standard called the Statement on Standards for Attestation Engagements number 18, or SSAE 18. During these audits, there's a series of reports that are created, and the name for the suite of reports that are associated with trust services criteria, or security controls, is the SOC 2, that's the System and Organization Controls number two. This audit focuses on topics that can include firewalls, intrusion prevention, or intrusion detection, or multi-factor authentication.
upvoted 23 times

stoneface (Highly Voted), 1 year, 4 months ago:
I am split between SOC Type 2 and GDPR compliance.
SOC Type 2 -> A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services.
GDPR Compliance Attestations -> ATC 315 also helps mature your internal controls over GDPR compliance and can help you manage GDPR compliance risk beyond what internal risk assessments and audits provide. ATC 315 can identify deficiencies in internal controls, pinpoint areas for improvement, and will strengthen your organization's GDPR compliance posture.
It seems that SOC Type 2 Report better matches the requirement. I listen to you ...
upvoted 9 times

Old_Boy_, 2 months ago:
Well if STONEFACE thinks it's a SOC Type 2 report then it must be a SOC Type 2 report
upvoted 2 times

DriftandLuna, 5 months, 1 week ago:
yes - If I am unsure I usually only use GDPR if Europe is mentioned.
upvoted 2 times

andrizo, 1 year, 2 months ago:
GDPR only applies to collection of consumer data in Europe
upvoted 2 times

KetReeb, 1 year, 4 months ago:
SOC Type 2 Report would verify that the vendor is an organization that maintains a high level of information security.
upvoted 1 times

Protract8593 (Most Recent), 5 months, 2 weeks ago:
Selected Answer: C
A SOC 2 (Service Organization Control 2) Type 2 report is a widely recognized report that provides assurance about the controls and security measures implemented by a service organization. It is designed to evaluate a service provider's controls relevant to security, availability, processing integrity, confidentiality, and privacy. The SOC 2 Type 2 report specifically assesses the effectiveness of these controls over a specified period of time. Given that the Chief Information Security Officer (CISO) is requesting supporting documents to show proper controls in place to protect customer data, a SOC 2 Type 2 report would be the best choice. This report demonstrates that the third-party vendor has undergone an independent audit of its controls, providing valuable information about its security practices and compliance with industry standards.
upvoted 2 times

LiteralGod, 5 months, 3 weeks ago:
Selected Answer: A
GDPR specifically relates to customer data so that's what I went with. The question doesn't mention the EU, but it also doesn't mention anywhere outside of the EU.
upvoted 1 times

ApplebeesWaiter1122, 6 months ago:
Selected Answer: C
A SOC 2 (System and Organization Controls 2) report is a widely recognized standard for evaluating and reporting on the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. A Type 2 report specifically covers a specified period of time and provides more in-depth information about the design and effectiveness of controls. By providing a SOC 2 Type 2 report, the third-party vendor can demonstrate that they have undergone a comprehensive assessment of their controls by an independent auditor and that they have implemented appropriate measures to protect customer data.
upvoted 1 times

LeonardSnart, 7 months, 3 weeks ago:
Selected Answer: C
"...[T]he System and Organization Controls (SOC) 2 report covers organizational cybersecurity controls. The auditor creates the SOC 2 report after evaluating an organization's security controls. The SOC 2 report indicates that the organization is SOC 2 compliant and gives customers a level of assurance that the organization has adequate security controls in place. SOC 2 addresses five trust service principles: confidentiality, integrity, availability, security, and privacy.
• SOC 2 Type II. The Type II report describes an organization's systems and covers security controls' operational effectiveness over a range of dates, such as 12 months. In this context, operational effectiveness refers to how well the security controls worked when mitigating risks during the range of dates. SOC 2 Type 2 compliance gives a higher level of assurance than SOC 2 Type I."
Security+ SY0-601 Get Certified Get Ahead by D. Gibson
upvoted 1 times

mosher21, 8 months, 2 weeks ago:
Selected Answer: C
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services.
https://www.onelogin.com/compliance/soc-2-type-2
upvoted 1 times

Drealjesusfreak, 10 months ago:
this is one of those questions that just throws you off the scent.
upvoted 1 times

DALLASCOWBOYS, 11 months, 1 week ago:
C. In the SOC 2 Type 2 report, the auditor confirms that the controls are functioning properly.
upvoted 2 times

atrax, 1 year, 1 month ago:
Selected Answer: C
I work in GRC and third party vendors provide a SOC 2 report. GDPR is almost a law where they state they're compliant, but it's never audited/certified
upvoted 3 times

Knowledge33, 1 year, 1 month ago:
Selected Answer: A
The SOC 2 is a separate report that focuses on controls at a service provider relevant to security, availability, processing integrity, confidentiality, and privacy of a system. GDPR is the unique possible response, even though it's only applied in the EU. The other responses are not related to client data.
upvoted 3 times

Gravoc, 1 year, 3 months ago:
GDPR only applies when the entity operates or collects data in any EU country. This question doesn't specify if the personal information in question belongs to an EU member country. Therefore, we can eliminate option A. If the question stated anything at all about Europe, it would be A. Since it didn't, SOC 2 Type 2 is the correct answer. It's basically a modernized security audit that occurs usually at a minimum of every 6 months. A 3rd party supplying the results from its internal SOC 2 Type 2 audit would provide the required supporting documents to satisfy the CISO.
upvoted 2 times

redsidemanc2, 1 year, 3 months ago:
Selected Answer: C
GDPR relates to the EU; nothing in the question says they are in the EU. SOC Type 2: tests security controls in place
upvoted 6 times

ScottT, 1 year, 3 months ago:
https://www.itgovernance.co.uk/soc-reporting
upvoted 1 times

Topic 1 Question #105
Which of the following is assured when a user signs an email using a private key?
A. Non-repudiation
B. Confidentiality
C. Availability
D. Authentication
Correct Answer: A
Community vote distribution: A (85%), D (15%)

IQ30 (Highly Voted), 1 year, 4 months ago:
Selected Answer: A
Professor Messer notes:
• Non-Repudiation – Confirm the authenticity of data – Digital signature provides both integrity and non-repudiation
upvoted 25 times

Old_Boy_ (Most Recent), 2 months ago:
Another question where it could be A OR D. AGHH
upvoted 1 times

TheFivePips, 2 months ago:
Selected Answer: A
When a user signs an email using their private key in a public key infrastructure (PKI) or digital signature system, it assures non-repudiation. Non-repudiation means that the sender of the email cannot later deny having sent it. The digital signature, created with the private key, provides cryptographic proof of the sender's identity and the integrity of the message, making it difficult for the sender to disavow the message's authenticity. Authentication: While email signing does provide authentication, the term "non-repudiation" more specifically relates to the sender's inability to deny the message, which is the primary focus of digital signatures.
upvoted 1 times

ComPCertOn, 2 months, 2 weeks ago:
Selected Answer: D
The assurance provided is Authentication. Email signing using a private key allows the recipient to verify the sender's identity and ensure that the email has not been tampered with during transit. This provides authentication and verifies the sender's identity. Non-repudiation is also related to digital signatures, but it assures that the sender cannot deny sending the message, which is a separate concept from authentication
upvoted 1 times

Thurams, 2 months, 3 weeks ago:
When a user signs an email using a private key, the assurance provided is Authentication. Email signing using a private key allows the recipient to verify the sender's identity and ensure that the email has not been tampered with during transit. This provides authentication and verifies the sender's identity.
Non-repudiation is also related to digital signatures, but it assures that the sender cannot deny sending the message, which is a separate concept from authentication. Confidentiality and availability are not directly related to email signing with a private key. upvoted 1 times guestionme 4 months, 1 week ago Non-repudiation is a legal concept that's widely used in information security and refers to a service, which provides proof of the origin and integrity of data. A, No? upvoted 1 times zygmunt 5 months ago In the chapter for digital signatures in CompTIA's Certmaster Learn for Security+, only authentication and integrity are mentioned. I don't doubt non-repudiation is also proved (a later page even states non-repudiation is linked to authentication), but I'm going to go with authentication here. upvoted 2 times Protract8593 5 months, 2 weeks ago Selected Answer: A When a user signs an email using a private key, it provides assurance of non-repudiation. Non-repudiation is the property that ensures the sender of a message cannot deny sending it. By signing the email with their private key, the sender creates a digital signature that can only be decrypted https://www.examtopics.com/exams/comptia/sy0-601/view/ 252/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics and verified with their corresponding public key. This process ensures that the sender's identity is authenticated and cannot be denied later, providing non-repudiation. upvoted 2 times ApplebeesWaiter1122 6 months ago Selected Answer: A It could be A or It could be D. Another Comptia-esque question. Looking at Messer's notes for section 2.8 he states that Non-Repudiation can authentic and provides integrity upvoted 1 times fouserd 8 months, 3 weeks ago Selected Answer: D D. Authentication is assured when a user signs an email using a private key. 
When a user signs an email using a private key, it provides a digital signature that verifies the authenticity of the email and the sender. This process ensures that the recipient can be confident that the email is from the claimed sender, and that the message has not been tampered with during transit. Authentication is the process of verifying the identity of a user or entity, and in this case, the digital signature provides this verification. Therefore, the correct answer is D. Authentication. Note that signing an email with a private key does not necessarily provide confidentiality (B) or availability (C), as these are separate aspects of information security that require different measures to achieve. Non-repudiation (A) is related to authentication, but it refers specifically to the inability of the sender to deny having sent the message once it has been signed with their private key. upvoted 4 times TheGuitarMan_61 9 months ago when a sender signs a message with their private key, they guarantee the message's authenticity, illustrating that they were indeed the message's source. And in this way, the sender's public key, which the recipient has access to, is the sole method of decrypting the sender's message. After the Email is sent then "A". upvoted 1 times goodmate 9 months, 2 weeks ago It seems answer D. Non-repudiation. The sender cannot later deny sending the message. This is sometimes required with online transactions. For example, imagine Homer sends an order to sell stocks using a digitally signed email. If the stocks increase after his sale completes, he can’t deny the transaction. Source: Darill Gibson, CompTIA Security+:Get Certified Get Ahead SY0-501 Study Guide upvoted 1 times Omi0204 9 months, 3 weeks ago Message signing, on the other hand, uses the sender's private key to sign the message, and his or her public key is used to read the signature. Message signing helps ensure data integrity, message authentication, and non-repudiation. 
So Option A and D both are correct. :) upvoted 2 times cutemantoes 10 months, 2 weeks ago I agree that its A. However, it states "what is assured when a user signs an email..", it doesnt say if it was sent. Just that it was signed. CompTIA is more than likely going to do answer D. Knowing them, they'd do that. upvoted 3 times DALLASCOWBOYS 11 months, 1 week ago A. Non-repudiation. It is a concept that the sender cannot deny that they sent the message. upvoted 1 times Gravoc 1 year, 3 months ago Non Repudiation is your virtual John Hancock. It's a way of virtually stamping any data or document with "I am who I say I am". Only way to break this would be if the private key owners' private key became compromised. Which at that point you got bigger problems than Non Repudiation. upvoted 3 times Gino_Slim 1 year, 2 months ago "John Hancock" is another way of saying "signature" for those that don't know upvoted 2 times EDSAL 1 year, 3 months ago A- Non Repudation confirms that the signature comes from what it sayst it comes upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 253/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #106 A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state? A. ipconfig B. ssh C. ping D. netstat Correct Answer: D Community vote distribution D (97%) Gino_Slim Highly Voted 1 year, 2 months ago Selected Answer: D Answer is D A. ipconfig - Just shows you the IP information for your current machine B. ssh - this is used for file transfers (ftp etc etc) C. ping - this is just to reach out to a node to get a response from it These are simple ways of explaining. 
Don't come behind me and getting real granular super duper tech people -_upvoted 43 times Old_Boy_ 2 months ago I think the best way to answer questions for CompTIA is by ruling out the wrong answers first. There are always two. Then you've got a 50/50 chance of getting the answer correct even if you dont know it. upvoted 2 times scarceanimal 11 months ago thanks gino slim! upvoted 2 times rodwave 1 year, 1 month ago the explanations are perfectly fine upvoted 5 times comeragh Highly Voted 1 year, 4 months ago Selected Answer: D Netstat shows listening ports upvoted 9 times Protract8593 Most Recent 5 months, 2 weeks ago Selected Answer: D The netstat command is a network utility used to display network connections, routing tables, and network interface statistics on a system. It can show which ports on the web server are in a listening state, allowing the systems administrator to troubleshoot the server's connection to the internal web server. upvoted 1 times ApplebeesWaiter1122 6 months ago Selected Answer: D Netstat (Network Statistics) is a command-line tool used to display active network connections, listening ports, and related network statistics. By using the appropriate command-line parameters, such as "-a" (all connections and listening ports) or "-n" (numeric format), the administrator can obtain a list of all open ports on the web server that are in a listening state. Options A, B, and C are not relevant for determining the open ports on a web server: ipconfig is a command-line tool used to display IP configuration information on a local system, such as IP address, subnet mask, and default gateway. It does not provide information about open ports on a remote web server. ssh (Secure Shell) is a network protocol used for secure remote access to systems. It is not specifically designed to display open ports on a web server. ping is a utility used to test the connectivity and reachability of a network host using Internet Control Message Protocol (ICMP). 
It does not provide information about open ports on a web server. upvoted 2 times MasterControlProgram 9 months, 2 weeks ago https://www.examtopics.com/exams/comptia/sy0-601/view/ 254/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Selected Answer: D The tool that BEST shows which ports on a server are in a listening state is netstat. Therefore, the correct answer is D. upvoted 1 times Ahmed_aldouky 10 months ago Selected Answer: D The correct answer is D. netstat. Netstat is a command-line tool that displays information about network connections and network statistics. It can be used to show which ports on a server are in a listening state, among other things. This information can be very useful for troubleshooting network issues. A. ipconfig is a command-line tool that displays network configuration information for a computer. It does not show which ports on a web server are in a listening state. B. ssh is a network protocol that allows secure remote access to a server. It does not show which ports on a web server are in a listening state. C. ping is a command-line tool that tests network connectivity between two devices. It does not show which ports on a web server are in a listening state. upvoted 2 times T4IT 11 months, 2 weeks ago Selected Answer: A Netstat is correct upvoted 2 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 255/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics Topic 1 Question #107 Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement? A. Implement proper network access restrictions. B. Initiate a bug bounty program. C. Classify the system as shadow IT. D. Increase the frequency of vulnerability scans. Correct Answer: A Community vote distribution A (96%) Jakalan7 Highly Voted 4% 1 year, 3 months ago Selected Answer: A A is the only answer that makes sense here. 
upvoted 12 times

Papee  1 year, 2 months ago
I agree. Network segmentation.
upvoted 4 times

03allen  1 year, 1 month ago
I don't think A means network segmentation.
upvoted 2 times

Ranaer  Highly Voted  11 months, 2 weeks ago
Selected Answer: A
We are asked to REDUCE risk.
A. Implement proper network access restrictions. - This more or less reduces risk by limiting who has access to the legacy system.
B. Initiate a bug bounty program. - We don't need that, since it's a legacy system, which we haven't developed. We most likely cannot patch this anyway.
C. Classify the system as shadow IT. - Irrelevant to the question.
D. Increase the frequency of vulnerability scans. - As in B, us knowing that issues exist won't help us much, since we cannot patch the system.
upvoted 11 times

Protract8593  Most Recent  5 months, 2 weeks ago
Selected Answer: A
Implementing proper network access restrictions helps to reduce the security risks associated with running systems that have expired vendor support and lack an immediate replacement. By restricting network access, unauthorized parties are less likely to exploit vulnerabilities in the unsupported systems. This is a proactive approach to limit potential risks until a more permanent solution can be implemented.
upvoted 1 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: A
Implementing proper network access restrictions is the best option to reduce the security risks introduced by running systems that have expired vendor support and lack an immediate replacement. By limiting the network access of these systems, you can minimize their exposure to potential threats from the internet or unauthorized users. This reduces the attack surface and helps mitigate the risk of security breaches and vulnerabilities.
upvoted 1 times

mosher21  8 months, 2 weeks ago
Selected Answer: A
AKA airgap them.
upvoted 2 times

monzie  9 months, 1 week ago
Selected Answer: D
D. Increase the frequency of vulnerability scans would be the BEST option to reduce the security risks introduced when running systems that have expired vendor support and lack an immediate replacement. When vendor support for a system has expired, it is no longer receiving security updates or patches from the vendor. This leaves the system vulnerable to known and unknown vulnerabilities. Increasing the frequency of vulnerability scans allows for the identification and remediation of any vulnerabilities that may be present. By identifying vulnerabilities earlier, the organization can take action to minimize the risk of exploitation.
upvoted 1 times

Confuzed  8 months, 4 weeks ago
I would agree, except that if you do identify a new vulnerability you cannot remediate it, so increasing the scans will only increase the risks that you must accept and do nothing to mitigate them.
upvoted 2 times

TinyTrexArmz  11 months ago
Maybe it's my lack of imagination, but I can't think of a case where you wouldn't implement proper network access restrictions by default, even on a system with vendor support still active that can be immediately replaced.
upvoted 2 times

mick1  1 year ago
I would say D - as the system is not changing role, and in ANY use case, network access should be minimized (or at least planned for the system) - so if I don't want to change the device role, just reduce risk, I would go with more scans.
upvoted 1 times

KingDrew  11 months, 3 weeks ago
Unfortunately that doesn't reduce the risk; they can still attack, and the scans will only detect that attack, not reduce the probability of it happening. I choose A.
upvoted 2 times

Jossie_C  1 year, 2 months ago
Prevent the computer from connecting to the internet where the bad guys are
upvoted 1 times

Topic 1 Question #108
Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change?
A. The business continuity plan
B. The retention policy
C. The disaster recovery plan
D. The incident response plan
Correct Answer: A
Community vote distribution: A (85%), C (15%)

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: A
BCP is to empower an organization to keep crucial functions running during downtime. This, in turn, helps the organization respond quickly to an interruption, while creating resilient operational protocols.
upvoted 30 times

rodwave  Highly Voted  1 year, 1 month ago
Selected Answer: A
Answer - The business continuity plan
A business continuity plan is a plan that ensures a company can maintain core operations without interruption, especially in the event of a crisis.
===========================
Retention Policy - determines how long a business record/resource is stored and how to dispose of the record when it is time to do so.
Disaster Recovery - A set of instructions created by an organization on how to respond to and recover from unplanned incidents. Generally involving a hardware failure, destruction, etc.
Incident Response - a set of steps an incident response team follows to properly prepare for and respond to incidents.
upvoted 17 times

Protract8593  Most Recent  5 months, 2 weeks ago
Selected Answer: A
When an IT company must vacate its main office and move to alternate, off-site locations due to unexpected circumstances, it would most likely reference the business continuity plan.
The business continuity plan outlines the procedures and strategies that an organization will use to ensure that essential business functions can continue during and after a disaster or other disruptive event. It includes measures to protect personnel, assets, and business processes to ensure the organization's continuity. On the other hand, the disaster recovery plan is focused on restoring critical systems and services after a significant disruption, and it deals with the technical aspects of recovery. While both plans are related to managing disruptive events, the business continuity plan takes a broader approach, encompassing business processes and personnel, while the disaster recovery plan primarily focuses on IT systems and data recovery.
upvoted 4 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: A
During the unexpected circumstance of vacating the main office and moving operations to alternate, off-site locations, the IT company would most likely reference the business continuity plan. The business continuity plan outlines strategies and procedures to ensure the continued operation of critical business functions during and after disruptive events. It includes measures to maintain essential operations, recover critical systems, and resume normal business activities in the face of unexpected events that could disrupt normal business operations.
upvoted 1 times

mosher21  8 months, 2 weeks ago
Selected Answer: C
I say C because the given info implies something big and severe, aka a disaster, happened, so that you have to move all of your operations to an off-site location. So you would consult your disaster recovery plan during such incidents.
upvoted 3 times

ganymede  1 month, 3 weeks ago
The DR plan is only focused on IT disaster recovery, not the entire business. The business continuity plan is focused on the entire business.
upvoted 2 times

MasterControlProgram  9 months, 2 weeks ago
Selected Answer: A
The IT company will most likely reference the business continuity plan for guidance during the change. The business continuity plan is designed to help an organization continue operations in the event of a disruption or disaster, and is intended to minimize the impact on the business. The plan typically includes procedures and processes for identifying critical business functions, establishing alternate locations, and outlining how operations will continue during the disruption.
upvoted 1 times

Drealjesusfreak  10 months ago
The words "unexpected circumstances" are the key. I think the answer is C. I have checked other questions and it says disaster recovery plan is the answer.
upvoted 3 times

tebirkishaw  11 months, 1 week ago
Selected Answer: C
It is C. The business continuity plan goes over what you can do in the event you can't access your normal resources, or if things aren't working. For example, if your payment portal is down, you would have something saying you take payments by phone. In this question they have all of their resources, just working at a different site. Professor Messer's videos on this explain it really well as well.
upvoted 1 times

tebirkishaw  11 months, 1 week ago
Actually I had my definitions mixed up lol... I think the answer would be A
upvoted 1 times

DALLASCOWBOYS  11 months, 1 week ago
A. Business Continuity Plans focus on keeping an organization functional when misfortune or incidents occur. The reason for the vacating of the office isn't specified, so there is no way, based on the information provided, that a disaster (natural or man-made) has occurred.
upvoted 1 times

Sandon  11 months, 2 weeks ago
Selected Answer: C
ChatGPT says it's C
upvoted 2 times

xxxdolorxxx  11 months, 2 weeks ago
Selected Answer: A
A seems like the correct answer
upvoted 2 times

carpathia  1 year, 1 month ago
Selected Answer: A
This should normally be BIA, but BIA is part of BCP, so BCP.
upvoted 1 times

DoDaResearch  1 year, 2 months ago
Selected Answer: C
See CompTIA Security+ study guide page 518
Disaster Recovery plan -- A disaster can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as SHIFTING PROCESSING TO A SECONDARY SITE. Disaster recovery will involve a wider range of stakeholders than less serious incidents.
Business Continuity Plan (BCP) -- this identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow so that when a server is taken offline for security remediation, processing can fail over to a separate system. If systems do not have this sort of planned resilience, incident response will be much more disruptive.
upvoted 4 times

DoDaResearch  1 year, 2 months ago
Not all disasters are natural; if a fire marshal closes your building for various reasons that may not even be related to your building, you still cannot enter.
upvoted 1 times

Gravoc  1 year, 3 months ago
Remember that BCP is all-encompassing, including natural disaster recovery. Since the question did not specify this is a disaster, then BCP is the only option left that can be correct.
upvoted 3 times

Yuyuyakuza  1 year, 3 months ago
A. BCP, no indication of a natural disaster.
upvoted 1 times

comeragh  1 year, 4 months ago
Selected Answer: A
Agree with A - BCP
upvoted 2 times

Topic 1 Question #109
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?
A. Utilizing SIEM correlation engines
B. Deploying Netflow at the network border
C. Disabling session tokens for all sites
D. Deploying a WAF for the web server
Correct Answer: D
Community vote distribution: A (100%)

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: A
I think that SIEM correlation would be the best way to detect an attacker in this case. The initial compromise was a malicious request on a web server. Moments later the token created with SSO was used on another service; the question does not specify what type of service. Deploying a WAF on the web server will detect the attacker, but only on that server. If the attacker issues the same malicious request to get another SSO token, correlating that event with the use of that SSO token in other services would allow detecting the malicious activity. Correct me if I am wrong
upvoted 45 times

hieptran  11 months, 4 weeks ago
I think the same as you. The token type could vary, but I don't think that it will be detected and prevented by a WAF or anything, since it could be a legitimate request with a stolen/hacked token. In the context of this question, it is best to correlate logs and find which system is compromised.
upvoted 2 times

Petercx  Most Recent  1 month ago
Selected Answer: A
The best option to detect a malicious actor in this scenario would be A. Utilizing SIEM correlation engines. SIEM (Security Information and Event Management) systems provide real-time analysis of security alerts generated by applications and network hardware. They have correlation engines that can aggregate data from various sources, identify normal and abnormal activity, and detect potential security incidents such as unauthorized access or token reuse.
upvoted 1 times

RogerW  3 months, 3 weeks ago
It looks like a CSRF attack. The SIEM detected the attack and notified the user. If the question asked what would be BEST to "protect" as opposed to "detect", I would have selected D, WAF. Since it is asking what would be BEST to detect, I pick A.
upvoted 1 times

malibi  4 months ago
Selected Answer: A
The question mentions a Web Application! A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app.
upvoted 1 times

Protract8593  5 months, 2 weeks ago
Selected Answer: A
Utilizing SIEM (Security Information and Event Management) correlation engines would be the best way to detect a malicious actor in this scenario. SIEM systems collect and analyze log data from various sources, including web applications and network devices. By using correlation rules, the SIEM can identify patterns of behavior and detect abnormal or malicious activities that might not be apparent when analyzing each event in isolation. In the given scenario, the SIEM can correlate the alerts from the two different services that detected the subsequent token reuse. This correlation would help identify the abnormal behavior and raise an alert for further investigation by the cybersecurity analyst. SIEM systems play a crucial role in identifying complex and sophisticated attack patterns and improving incident detection and response capabilities.
upvoted 2 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: A
SIEM (Security Information and Event Management) correlation engines are designed to collect, analyze, and correlate data from various sources across an organization's IT infrastructure. By using SIEM correlation rules, the cybersecurity analyst can identify patterns and relationships between events and data from different systems and applications. In the given scenario, the SIEM correlation engine can detect the subsequent token reuse moments after the initial malicious request on one web application. This correlation can help identify the presence of a malicious actor attempting to exploit the single sign-on method and potentially moving laterally to other services.
upvoted 1 times

Ahmed_aldouky  10 months ago
Selected Answer: A
A. Utilizing SIEM correlation engines would BEST detect a malicious actor. SIEM correlation engines can be used to analyze and correlate events from different systems and applications. In this case, the cybersecurity analyst can use a SIEM correlation engine to correlate the request on the web application and the subsequent token reuse on a different service. This can help to identify the malicious actor and take appropriate actions to prevent further attacks.
B. Deploying Netflow at the network border can help to monitor network traffic and identify anomalies, but it may not provide enough context to detect the malicious actor in this scenario.
C. Disabling session tokens for all sites is not a recommended solution as it can have negative impacts on legitimate user access.
D. Deploying a WAF for the web server can help to detect and block attacks on the web application, but it may not provide enough visibility to detect the subsequent token reuse on a different service.
upvoted 2 times

brewoz404sd  11 months, 1 week ago
Answer is D. A WAF looks specifically at session/token use, as well as monitoring all traffic between web/user. You can deploy a WAF to protect ALL web apps behind it. Answer is clearly D, it's exactly what a WAF is designed to do.
upvoted 2 times

[Removed]  1 year, 1 month ago
i still think D
upvoted 1 times

Gravoc  1 year, 3 months ago
SIEM correlation dashboards. From google: "It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behaviors that otherwise go unnoticed and can lead to compromise or data loss." Web application firewall is a good candidate, except that it will log both events into separate log files, which can go unnoticed by security administrators, and will require additional tools to automate the process of alerting the correlated events together, such as a SIEM.
upvoted 4 times

Lars87  1 year, 3 months ago
Selected Answer: A
SIEM I think correct
upvoted 1 times

okay123  1 year, 4 months ago
The software analyzes the log entries to identify signs of malicious activity. In addition, since the system gathers events from different sources across the network, it can recreate the timeline of an attack, enabling a company to determine the nature of the attack and its impact on the business. https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM
I thought D but the key word is different devices.. so SIEM correlation I think
upvoted 1 times

Topic 1 Question #110
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement?
A. MOU
B. ISA
C. SLA
D. NDA
Correct Answer: A
Community vote distribution: A (100%)

Gravoc  Highly Voted  1 year, 3 months ago
MOU - Memorandum of Understanding
MOA - Memorandum of Agreement
A MOU is the initialization phase for two companies who plan to work together. It establishes what each company is looking to achieve/get out of the arrangement. It's not a signed contract. A MOA is a step above the MOU. It's a signed contract that indicates both parties understand and agree with the terms placed forward by both parties.
upvoted 26 times

RonWonkers  1 year, 3 months ago
Thanks for the explanation
upvoted 1 times

ccnaexam28  Highly Voted  5 months, 1 week ago
this was on my exam. i chose A. Took the exam 27/7/2023, I scored 840 and got 82 questions in total (with 3 PBQs). (not quite sure what questions I got right or wrong, there were tons that have a 50/50 percentage on this site) 90%+ is from this site and I have no contributor access, though I think it's also just luck on what set you'll get from their questions' pool. good luck!
upvoted 18 times

Protract8593  Most Recent  5 months, 2 weeks ago
Selected Answer: A
A Memorandum of Understanding (MOU) is a written agreement between two or more parties outlining their intention to work together on a specific project or endeavor. It is a non-binding document that establishes the framework and terms of cooperation between the parties involved.
In this scenario, the MOU can be used to document the agreement between the two organizations to collaborate on the evaluation of new SIEM (Security Information and Event Management) solutions. It outlines their joint effort and commitment to work together towards a common goal without creating a formal legal contract.
upvoted 1 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: A
A Memorandum of Understanding (MOU) is a written agreement between two or more parties that outlines the understanding and terms of their collaboration. In this scenario, the two organizations plan to collaborate on the evaluation of new SIEM solutions, and the MOU can be used to document their agreement on the joint effort. It will specify the objectives of the collaboration, the roles and responsibilities of each organization's SOC teams, the resources they will contribute, the duration of the collaboration, and any other relevant terms and conditions.
upvoted 1 times

MorganB  8 months, 1 week ago
Passed my exam 27 April 23. This question was on my test, worded differently, but the answer is the same.
upvoted 6 times

ronniehaang  11 months, 1 week ago
Selected Answer: A
A. MOU (Memorandum of Understanding) is the best option to document the agreement between two organizations to collaborate on the evaluation of new SIEM solutions. An MOU is a non-binding agreement between two or more parties outlining the goals and objectives of a project or collaboration. It outlines the responsibilities, resources, and expectations of each party involved, and serves as a framework for future cooperation and collaboration. In this case, the MOU between the two organizations would outline the purpose and goals of their collaboration to evaluate new SIEM solutions, the roles and responsibilities of each organization's SOC team, and any timelines or expectations for the evaluation process. An MOU is a good option as it provides a clear understanding of the expectations and responsibilities of both organizations without binding either organization to a specific course of action or committing to a formal agreement.
upvoted 1 times

DALLASCOWBOYS  11 months, 1 week ago
A. MOU. It just states they are collaborating, thus not requiring a legal agreement.
upvoted 6 times

stoneface  1 year, 4 months ago
Selected Answer: A
A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.
upvoted 17 times

stoneface  1 year, 4 months ago
Add ISA at the beginning -> source https://csrc.nist.gov/glossary/term/interconnection_security_agreement
upvoted 3 times

Topic 1 Question #111
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement?
A. DLP
B. USB data blocker
C. USB OTG
D. Disabling USB ports
Correct Answer: B
Community vote distribution: B (71%), A (29%)

Blake89  Highly Voted  11 months, 3 weeks ago
Selected Answer: B
The CompTIA Sec+ Study Guide book literally talks about USB data blockers when using public charging stations. Y'all overthink way too much sometimes.
upvoted 36 times

FQ  Highly Voted  1 year, 3 months ago
Selected Answer: A
The question is talking about PUBLIC USB power charging stations; the CISO cannot for sure place USB data blockers on all public USB ports in the world! The CISO also can't disable employees' cell phone ports, as these are usually personal property. USB OTG is obviously doing the opposite of what's required if used. DLP is the answer, and it can be implemented as follows:
1. Create a User Group based on AD - (You will need to have a Directory Connection configured)
2. Create a policy that detects the data AND includes a rule for the User Group. - This way it will ONLY work for those users
3. Test to make sure the policy works for ONLY those users.
4. Create a Response rule that BLOCKS Endpoint AND only applies to USB
5. Apply this new Response Rule to the Policy (Response Rule Tab)
upvoted 28 times

arrowphoto7604493ahmed  9 months, 1 week ago
USB data blockers (also known as USB condom or USB port blocker) are small devices that can be placed between a USB charging port and a USB cable.
upvoted 5 times

sujon_london  5 months ago
DLP is a reasonable option if the USB option is not there, while USB blockers are available in the market, in which case the answer is USB data blocker. I think we should physically know what it looks like and how to use it.
upvoted 2 times

ExamPasser420  8 months, 1 week ago
What does stoneface think?
upvoted 9 times

EricShon  9 months, 3 weeks ago
Then just put the data blocker on the cable being used...
upvoted 2 times

ComPCertOn  Most Recent  2 months, 2 weeks ago
Selected Answer: A
DLP solutions monitor and control data transfers within an organization's network and are more focused on preventing data leaks through various channels, such as email, cloud storage, or removable devices.
upvoted 1 times

chaddaddy  3 months ago
how does a simple question like this have so much discussion around it? the fact that the post with Highly voted is the wrong answer amazes me.
upvoted 2 times

fgfj  3 months, 2 weeks ago
Selected Answer: A
USB data blocker
upvoted 2 times

Protract8593  5 months, 2 weeks ago
Selected Answer: B
A USB data blocker, also known as a "USB condom" or "USB pass-through device," is a hardware device that prevents data transfer over USB connections while allowing the device to charge. It does this by physically blocking the data pins on the USB cable, only allowing power transfer between the device and the charging station. By using a USB data blocker, employees can safely charge their cell phones at public USB power charging stations without worrying about data exfiltration or potential malware infections through the USB port.
The other options are not suitable for the scenario described:
A. DLP (Data Loss Prevention) is a broader security measure used to prevent unauthorized data exfiltration or leakage, but it typically operates at the software or network level and may not directly address the USB charging station issue.
upvoted 5 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: B
A USB data blocker, also known as a USB condom or charging blocker, is a small device that allows a device to be charged using a USB charging cable but blocks data transfer between the device and the USB port. When connected to a public USB charging station, it prevents any potential data exfiltration or unauthorized access to sensitive information from the connected device.
upvoted 2 times

Pythetic  8 months, 3 weeks ago
From a security standpoint, a data blocker is much more secure as it physically takes away the data pins. This is the "best" method, as although DLP might give slight convenience if you forgot your cable, there are still ways around it.
upvoted 2 times

arrowphoto7604493ahmed  9 months, 1 week ago
Selected Answer: B
USB data blockers (also known as USB condom or USB port blocker) are small devices that can be placed between a USB charging port and a USB cable
upvoted 2 times

attesco  9 months, 3 weeks ago
Selected Answer: A
The right answer for this question is A. The question asks for the best solution, and the best solution is to deploy DLP software on each employee cell phone. It is much cheaper to do than to buy a piece of hardware (USB Data Blocker) for each employee. Secondly, if the employee fails or forgets to use the USB Data Blocker at the airport or coffee shops... it becomes an ineffective solution. But DLP software, either Endpoint DLP or Network DLP, works without human interference to prevent Data Loss. The correct Answer is A and it's the BEST solution according to the question. Thank you
upvoted 3 times

princajen  10 months ago
Selected Answer: B
B. USB Data Blocker. An employee could carry a USB data blocker device with them to use at public USB power charging stations. A USB data blocker is a small device that plugs into the USB port and blocks the data transfer pins, while allowing the power pins to connect, so the device can be charged without any data being transferred. This would prevent any potential data exfiltration from the employee's device while it is being charged at a public charging station.
upvoted 1 times

Omi0204  10 months ago
Answer is B. A USB data blocker, also known as a "USB condom" (really, no kidding!), is a device that allows you to plug into USB charging ports including charging kiosks, and USB ports on gadgets owned by other people. The main purpose of using one is to eliminate the risk of infecting your phone or tablet with malware, and even prevent hackers from installing/executing any malicious code to access your data.
upvoted 1 times

ApplebeesWaiter1122  10 months ago
Selected Answer: B
Don't overthink this question, the answer is B
upvoted 4 times

AlwaysRunning  10 months, 1 week ago
Selected Answer: B
I hope I'm not causing any bother by leaving opinions in Spanish; it will surely help many. The correct answer is B: the official guide talks about USB data blockers as the mitigation against data theft when a device is connected to a public charger.
upvoted 3 times

ramesh2022  10 months, 3 weeks ago
DLP is the right answer. This is looking for a solution for multiple employees (company-wide solution).
upvoted 1 times

LaoX  1 year ago
Selected Answer: A
The CISO shouldn't place a USB data blocker on personnel's devices, but a DLP is best to implement.
upvoted 1 times

sujon_london  5 months ago
Basically a USB data blocker is a portable one; it can be carried and used along with a USB cable. A Google image search for USB data blocker would help to understand how to use it and how it works.
upvoted 2 times

jhfdkjshfkjdsho  1 year ago
Selected Answer: B
It says public charging... This is not under the control of the company. You can't apply DLP... etc. for a charging station in an airport. The employee can use a USB condom that doesn't have data pins.
upvoted 5 times

Topic 1 Question #112
The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does this BEST describe?
A. Transference
B. Avoidance
C. Mitigation
D. Acknowledgement
Correct Answer: A
Community vote distribution: A (100%)

stoneface  Highly Voted  1 year, 4 months ago
Selected Answer: A
organization's liability -> organization's RESPONSIBILITY
upvoted 9 times

Protract8593  Most Recent  5 months, 2 weeks ago
Selected Answer: A
Transference is a risk management practice in which an organization shifts the financial burden of potential risks or losses to another party. In this scenario, by contracting with an insurance firm, the company is transferring the liability of certain risks to the insurance company. If an incident occurs that is covered by the insurance policy, the insurance company would bear the financial responsibility, thereby limiting the organization's liability.
upvoted 2 times

ApplebeesWaiter1122  5 months, 2 weeks ago
Selected Answer: A
Contracting with an insurance firm to limit the organization's liability is an example of risk transference. In this practice, the company transfers the financial consequences of certain risks to an insurance provider. In case of a covered event, the insurance firm would bear the financial burden, reducing the potential impact on the company's assets and resources.
upvoted 1 times

DALLASCOWBOYS  11 months, 1 week ago
A. Insurance is transferring the risk to the insurance company
upvoted 2 times

Boubou480  12 months ago
Selected Answer: A
Insurance = Transfer
upvoted 2 times

FMMIR  1 year ago
Selected Answer: A
The board of directors at a company contracting with an insurance firm to limit the organization's liability BEST describes the risk management practice of transference. Transference is the process of transferring the risk of loss from one party to another, typically through the use of insurance. In this case, the company is transferring the risk of potential liability to the insurance firm by purchasing an insurance policy. This allows the company to limit its potential losses in the event of a liability claim.
Options B, C, and D do not accurately describe the situation described in the question.
upvoted 1 times

db97 - 1 year, 3 months ago
If something happens, the insurance company will assume responsibility (Transference).
upvoted 2 times

Topic 1 Question #113
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
A. Unsecured root accounts
B. Zero-day
C. Shared tenancy
D. Insider threat
Correct Answer: C
Community vote distribution: C (90%)

IGUESS (Highly Voted) - 1 year, 11 months ago
Shared Tenancy Vulnerabilities. In a multi-tenant environment, such as the cloud, a "container" vulnerability can allow an attacker to compromise containers of other tenants on the same host. Flaws in chip design can also result in the compromise of tenant information in the cloud through side-channel attacks.
upvoted 21 times

Huntero21 (Most Recent) - 3 months ago
C. Don't overthink this. Public cloud is shared.
upvoted 2 times

Protract8593 - 5 months, 2 weeks ago
Selected Answer: C
Shared tenancy is a risk that is specifically associated with hosting applications in the public cloud. Public cloud providers offer shared resources to multiple customers on the same physical infrastructure. This means that multiple virtual machines and applications from different customers are running on the same physical server. While cloud providers take measures to isolate and secure these resources, there is always a risk of potential data leakage or unauthorized access if the isolation mechanisms are not robust.
upvoted 2 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: C
Hosting applications in the public cloud means that multiple customers share the same physical infrastructure and resources provided by the cloud service provider. This shared infrastructure introduces the concept of "shared tenancy," where multiple customers' data and applications coexist on the same servers and network devices. While cloud providers implement strong security measures to isolate customer data, there is always a risk of a breach or misconfiguration that could potentially expose one customer's data to another. This risk is commonly associated with hosting applications in the public cloud.
upvoted 2 times

arrowphoto7604493ahmed - 9 months, 1 week ago
Selected Answer: C
The shared tenancy model means that sensitive data, such as encryption keys, may be stored on the same physical hardware as other tenants, potentially increasing the risk of unauthorized access.
upvoted 1 times

MasterControlProgram - 9 months, 2 weeks ago
Selected Answer: C
C. Shared tenancy is a risk specifically associated with hosting applications in the public cloud. Public cloud environments typically host multiple tenants on the same physical hardware. While cloud providers implement security measures to ensure tenant separation and protection, the possibility of one tenant gaining unauthorized access to another tenant's data cannot be completely ruled out.
upvoted 1 times

DALLASCOWBOYS - 11 months, 1 week ago
C. Shared tenancy is the risk associated with the Cloud.
upvoted 2 times

FMMIR - 1 year ago
Selected Answer: C
A risk that is specifically associated with hosting applications in the public cloud is shared tenancy. Shared tenancy refers to the practice of multiple customers sharing the same physical infrastructure in a cloud environment. This can create security risks, as the actions of one customer can potentially impact the security and performance of other customers on the same infrastructure. Options A, B, and D are not specifically associated with hosting applications in the public cloud, although they can be potential risks in any computing environment.
upvoted 3 times

Sir_Learnalot - 1 year, 1 month ago
Selected Answer: C
"C" shared tenancy is a cloud-specific threat. Insider threats are also applicable to on-prem.
upvoted 1 times

Jakalan7 - 1 year, 3 months ago
Selected Answer: C
The answer has to be C, since A, B and D are not specific to cloud platforms.
upvoted 2 times

ishallgetit - 1 year, 8 months ago
Selected Answer: C
"specifically associated with hosting applications in the public cloud" C: shared tenancy
upvoted 4 times

Branchflake - 1 year, 9 months ago
I read this twice and still missed the "public" cloud. Shared Tenancy.
upvoted 1 times

Dunzel - 1 year, 9 months ago
Why would it be D? How is an insider threat "specifically associated with hosting applications in the public cloud?" Insider threats are everywhere - not just in the cloud.
upvoted 2 times

CLAW_ - 1 year, 10 months ago
I didn't read the question properly and chose Unsecured Accounts; this is wrong. The correct answer is Shared Tenancy given that the clue in the question is "Public" cloud.
upvoted 2 times

szl0144 - 1 year, 10 months ago
Selected Answer: C
C is the correct answer, cloud servers are multi-tenant.
upvoted 2 times

bugrovac - 1 year, 11 months ago
Selected Answer: D
Correct Answer: D
upvoted 2 times

ansenlool88 - 1 year, 10 months ago
Insider threat is also on different types of cloud, or premise location and any datacenter or LAN or WAN. Don't think D is correct.
The keyword in the question is PUBLIC CLOUD.
upvoted 3 times

greenerme - 1 year, 11 months ago
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
upvoted 2 times

Topic 1 Question #114
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfills the architect's requirements?
A. An orchestration solution that can adjust scalability of cloud assets
B. Use of multipath by adding more connections to cloud storage
C. Cloud assets replicated on geographically distributed regions
D. An on-site backup that is displayed and only used when the load increases
Correct Answer: D
Community vote distribution: A (100%)

stoneface (Highly Voted) - 1 year, 4 months ago
Selected Answer: A
A. An orchestration solution that can adjust scalability of cloud assets -> this is the correct answer IMO - this is what elasticity in cloud is all about, we are only creating new resources when there is a workload spike.
B. Use of multipath by adding more connections to cloud storage -> this doesn't address the issue of dealing with the additional load on the servers.
C. Cloud assets replicated on geographically distributed regions -> hot or warm recovery sites (not cost effective).
D. An on-site backup that is displayed and only used when the load increases (not cost effective since the on-site will be always on behind the scenes).
upvoted 62 times

Old_Boy_ - 2 months ago
Stone Face is basically the creator of this Comptia
upvoted 1 times

Gino_Slim - 1 year, 2 months ago
In stoneface we trust (that means this is the right answer)
upvoted 28 times

Mag_D (Most Recent) - 6 days, 2 hours ago
Can anyone share why exam topics mostly select the wrong answer?
upvoted 1 times

fryderyk - 1 month, 4 weeks ago
Out of the four options it's probably 'A', but that's actually one of the possible reasons for DDoS - increase the load to make the victim incur higher cost. Some sort of DDoS protection might make more sense.
upvoted 2 times

Afel_Null - 3 months ago
Dynamically changed load is a matter of elasticity, not scalability. WTF is wrong with these questions? This whole exam is basically a scam.
upvoted 2 times

RevolutionaryAct - 4 months, 4 weeks ago
Kind of torn, I can see either in that orchestration might cost a lot plus scalability = more resource costs. On the other hand a passive load balancing server costs more in hardware but isn't used regularly, and would have to cost less than scaling, SOAR, etc.
upvoted 1 times

Protract8593 - 5 months, 2 weeks ago
Selected Answer: A
An orchestration solution that can adjust the scalability of cloud assets is the best option to fulfill the security architect's requirements. Orchestration in the context of cloud computing refers to the automated management and coordination of various cloud resources to handle changes in demand and optimize performance. By using an orchestration solution, the cloud environment can dynamically scale resources up or down based on load fluctuations caused by DDoS attacks or any other factors. This allows the organization to respond to changing demands in a cost-effective and efficient manner.
upvoted 2 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: A
An orchestration solution allows for dynamic scaling of cloud resources based on the current load or demand. This means that as the DDoS attack causes an overload on the cloud servers, the orchestration solution can automatically increase the number of servers (scale-out) to handle the increased traffic. Similarly, when the load decreases, the solution can scale down by removing unnecessary servers to save costs. This approach provides an efficient and cost-effective way to respond to load fluctuations caused by DDoS attacks, ensuring that the cloud environment can handle the increased demand without compromising performance or incurring unnecessary expenses.
upvoted 1 times

Mkoenig69 - 9 months ago
Selected Answer: A
An orchestration solution that can adjust scalability of cloud assets would likely be the best option for fulfilling the security architect's requirements. This would allow the cloud environment to dynamically adjust the scalability of its assets based on load fluctuation, effectively managing the overload caused by DDoS attacks. By automatically provisioning or deprovisioning resources as needed, an orchestration solution can help maintain optimal performance while minimizing costs.
upvoted 1 times

Exlr8me - 9 months, 1 week ago
Selected Answer: A
A is the correct answer
upvoted 1 times

MasterControlProgram - 9 months, 2 weeks ago
Selected Answer: A
A. An orchestration solution that can adjust scalability of cloud assets would be the best option to fulfill the architect's requirements. An orchestration solution allows for automatic scaling of resources based on traffic demands, which will help the cloud environment respond to load fluctuation. Additionally, it can be cost-effective because it can scale resources up or down as needed, meaning that resources are only allocated when needed, and are released when they are no longer required. This reduces unnecessary resource consumption and costs.
upvoted 2 times

carpathia - 1 year, 1 month ago
Selected Answer: A
It cannot be B: "What is multipathing in cloud computing? Multipathing, also called SAN multipathing or I/O multipathing, is the establishment of multiple physical routes between a server and the storage device that supports it."
upvoted 2 times

RonWonkers - 1 year, 3 months ago
Selected Answer: A
I think A
upvoted 1 times

Gravoc - 1 year, 3 months ago
I agree with stoneface on A. Remember that backups are expensive, which is the entire reason for the convoluted process of hot, warm, and cold sites. Scaling cloud infrastructures can experience lag during the periods of high activity, where other assets have to either be added, or become active. This is the compromise for a cost-effective solution that scales. The company could go for a system that is absolutely overkill on assets at all times, in preparation for those brief peak moments. But this is expensive, and unlikely to be taken by most companies. The only case where you would want to use one of these is if you have a sensitive or critical service that MUST remain online. Stock exchange servers, military servers, bank servers, etc. come to mind for this criteria.
upvoted 3 times

lucasvs_ - 1 year, 4 months ago
Selected Answer: A
Yes, I do
upvoted 1 times

Topic 1 Question #115
Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?
A. EOL
B. SLA
C. MOU
D. EOSL
Correct Answer: B
Community vote distribution: B (100%)

Strykar (Highly Voted) - 1 year, 3 months ago
Selected Answer: B
This site needs a Dark Mode.
upvoted 31 times

snofear - 1 year, 3 months ago
Use the Dark Reader Chrome extension
upvoted 12 times

J_Ark1 - 1 year, 2 months ago
Thanks for that :)
upvoted 2 times

banditring - 1 year, 3 months ago
AGREED!
upvoted 3 times

comeragh (Highly Voted) - 1 year, 4 months ago
Selected Answer: B
B - Service Level Agreement (SLA)
upvoted 9 times

Protract8593 (Most Recent) - 5 months, 2 weeks ago
Selected Answer: B
A Service Level Agreement (SLA) is a document that outlines the specific expectations at a technical level for quality, availability, responsibilities, and other metrics related to the services provided by one party to another. SLAs are commonly used in service contracts between providers and customers to define the level of service that the customer can expect and the consequences for not meeting those service levels.
upvoted 1 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: B
An SLA (Service Level Agreement) is a formal agreement between two parties that outlines the expectations and responsibilities for a service. It provides specific details at a technical level, including quality, availability, and the responsibilities of each party involved in the agreement. SLAs are commonly used in various business relationships, such as between a service provider and a customer or between different departments within an organization. The SLA sets clear expectations for the level of service that should be provided and the consequences for failing to meet those expectations.
upvoted 2 times

NerdAlert - 9 months, 3 weeks ago
MSP workers where you at?!
upvoted 4 times

Sandon - 11 months, 2 weeks ago
An old ITIL question. Definitely B
upvoted 1 times

KingDrew - 11 months, 3 weeks ago
Selected Answer: B
B: SLA (Service Level Agreement)
upvoted 1 times

FMMIR - 1 year ago
Selected Answer: B
A document that provides expectations at a technical level for quality, availability, and responsibilities is a Service Level Agreement (SLA). An SLA is a contract between a service provider and a customer that specifies the level of service that the provider will deliver. This typically includes technical details such as uptime, response times, and performance criteria. The SLA is used to ensure that the customer receives the level of service that they have agreed to and that the provider is held accountable for meeting those expectations. Options A, C, and D are not related to the technical level of service expectations. EOL refers to the end of life for a product or service, MOU is a memorandum of understanding, and EOSL is the end of service life.
upvoted 5 times

Topic 1 Question #116
Which of the following is an example of transference of risk?
A. Purchasing insurance
B. Patching vulnerable servers
C. Retiring outdated applications
D. Application owner risk sign-off
Correct Answer: A
Community vote distribution: A (100%)

comeragh (Highly Voted) - 1 year, 4 months ago
Selected Answer: A
Correct answer A here
upvoted 12 times

rodwave (Highly Voted) - 1 year, 1 month ago
Selected Answer: A
Answer: Purchasing Insurance
Cyber insurance covers a business' liability for a data breach involving sensitive customer information like health records, credit card numbers, account numbers etc. A few things insurance generally handles are legal fees, notifying customers of the data breach, and repairing damaged systems. Risk transference is about assigning risk to a third party. The risk here being the financial loss that can be incurred after a data breach from legal fees, repairing systems etc. The organization is assigning this risk to an insurance company.
upvoted 6 times

Protract8593 (Most Recent) - 5 months, 2 weeks ago
Selected Answer: A
Transference of risk involves shifting the financial consequences of a risk to another party, typically through the use of insurance or outsourcing. By purchasing insurance, an organization transfers the financial risk of potential incidents to the insurance provider, who will cover the costs associated with those incidents up to the limits specified in the insurance policy.
upvoted 1 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: A
Transference of risk involves shifting the potential impact of a risk to another party or entity. In the context of risk management, purchasing insurance is a common example of risk transference. By purchasing insurance, an organization transfers the financial burden of potential losses or damages to the insurance company. In case of an adverse event covered by the insurance policy, the insurance company will bear the cost of the loss, reducing the financial impact on the organization.
upvoted 1 times

Navigator - 7 months, 2 weeks ago
Selected Answer: A
Transference because you are moving the risk to the insurance company.
upvoted 1 times

Sarooor - 1 year, 2 months ago
Can someone explain why the correct answer is A??
upvoted 1 times

Topic 1 Question #117
An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware?
A. Embedded Python code
B. Macro-enabled file
C. Bash scripting
D. Credential-harvesting website
Correct Answer: B
Community vote distribution: B (100%)

IQ30 (Highly Voted) - 1 year, 4 months ago
Jason Dion notes: Macro - virus embedded into a document and executed when the document is opened by the user
upvoted 20 times

rodwave (Highly Voted) - 1 year, 1 month ago
Selected Answer: B
Answer: Macro-enabled file
Phishing emails with a Word document attachment typically will have macros that can be run for malicious purposes. Macros are scripts that can run whatever you want and however many times you want them to run; they are generally used for automating frequently used tasks. Since macros can practically do whatever you want, they can be used for malicious purposes such as infecting other files, or downloading/installing other malicious software. Macros would normally run as soon as the document is opened, but now macros are disabled in Office apps by default, so you would need to manually enable macros on the file for them to run.
upvoted 9 times

Protract8593 (Most Recent) - 5 months, 2 weeks ago
Selected Answer: B
A macro-enabled file is a type of document (such as a word processing file) that contains embedded macros, which are scripts or programs that can be executed to automate tasks within the document. In the context of this question, the employee received a word processing file as an email attachment, and the subject line and email content enticed the employee to open the attachment. This is a common tactic used in phishing attacks, where attackers send malicious files with enticing content to trick users into opening them, thereby executing the embedded macros, which may deliver malware or perform other malicious actions.
upvoted 3 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: B
In this scenario, the most likely attack vector is a macro-enabled file. Macro-enabled files are commonly used in phishing attacks. The email attachment appears to be a harmless document (e.g., Word, Excel), but it contains embedded macros. When the user opens the file and enables the macros as prompted, the malicious code within the macros gets executed, potentially leading to the installation of malware or other harmful activities on the user's system. This type of attack takes advantage of users' curiosity or interest in the content of the email to trick them into executing the malicious code.
upvoted 1 times

samwin111 - 1 year, 2 months ago
Selected Answer: B
Python will not run on doc files. Macros run on doc files.
upvoted 3 times

comeragh - 1 year, 4 months ago
Selected Answer: B
B - correct answer here
upvoted 2 times

Sublime_Cheese - 3 months, 3 weeks ago
Valid point
upvoted 1 times

Topic 1 Question #118
A security proposal was set up to track requests for remote access by creating a baseline of the users' common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?
A. Context-aware authentication
B. Simultaneous authentication of equals
C. Extensive authentication protocol
D. Agentless network access control
Correct Answer: A
Community vote distribution: A (100%)

stoneface (Highly Voted) - 1 year, 4 months ago
Selected Answer: A
Context-Aware authentication -> An access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.
upvoted 53 times

J_Ark1 - 1 year, 2 months ago
Yes, I agree
upvoted 1 times

Protract8593 (Highly Voted) - 5 months, 2 weeks ago
Selected Answer: A
Context-aware authentication is a form of authentication that takes into account various factors or context information when determining whether to grant access to a user. In the given scenario, the security proposal aims to track requests for remote access by creating a baseline of the users' common sign-in properties. When a deviation from this baseline is detected, an MFA (Multi-Factor Authentication) challenge will be triggered. Context-aware authentication fits this scenario well as it can analyze multiple contextual factors such as user behavior, location, time, device, and more to make an informed decision about whether additional authentication steps are required.
upvoted 5 times

ApplebeesWaiter1122 (Most Recent) - 5 months, 2 weeks ago
Selected Answer: A
Context-aware authentication is the appropriate choice for the security proposal described. Context-aware authentication takes into consideration various factors or context elements, such as user behavior, location, device, time of access, and more, to assess the risk associated with a specific authentication attempt. In this scenario, the proposal aims to track requests for remote access and create a baseline of users' common sign-in properties. When a deviation from the baseline is detected, an MFA challenge is triggered. Context-aware authentication allows for the evaluation of various contextual factors to determine whether the sign-in properties match the expected baseline or not. If a deviation is detected, the system can enforce the MFA challenge to provide an additional layer of security for remote access.
upvoted 2 times

Gravoc - 1 year, 3 months ago
Context: "The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed." CAA is likely correct, as the context is that the login attempt deviates from the baseline, triggering an additional authentication layer.
upvoted 4 times

Topic 1 Question #119
Which of the following secure coding techniques makes compromised code more difficult for hackers to use?
A. Obfuscation
B. Normalization
C. Execution
D. Reuse
Correct Answer: A
Community vote distribution: A (100%)

varun0 (Highly Voted) - 1 year, 4 months ago
Selected Answer: A
A is correct
upvoted 10 times

ScottT - 1 year, 3 months ago
https://en.wikipedia.org/wiki/Obfuscation_(software)
upvoted 1 times

Fitzd (Highly Voted) - 1 year, 3 months ago
Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking.
upvoted 9 times

Protract8593 (Most Recent) - 5 months, 2 weeks ago
Selected Answer: A
Obfuscation is a secure coding technique that involves modifying the source code to make it more difficult for hackers to understand or reverse engineer the code. By using obfuscation, the code's logic and structure become more complex and convoluted, making it harder for attackers to identify vulnerabilities or manipulate the code for malicious purposes. This technique aims to increase the level of effort required to exploit or reuse compromised code, thereby enhancing the security of the application.
upvoted 7 times

ApplebeesWaiter1122 - 5 months, 2 weeks ago
Selected Answer: A
Obfuscation is a secure coding technique that makes compromised code more difficult for hackers to understand and use. It involves modifying the source code in such a way that it becomes more complex, convoluted, or difficult to read and comprehend. The goal of obfuscation is to make the code harder to reverse-engineer, making it challenging for attackers to understand its logic, control flow, and vulnerabilities. By using obfuscation techniques, the code's original intent and functionality are preserved, but its structure and appearance are intentionally made confusing and obscure. This can help protect sensitive information, intellectual property, or proprietary algorithms within the code.
upvoted 2 times

LeonardSnart - 7 months, 3 weeks ago
Selected Answer: A
"Obfuscation attempts to make something unclear or difficult to understand, and code obfuscation (or code camouflage) attempts to make the code unreadable. It does things like rename variables, replace numbers with expressions, replace strings of characters with hexadecimal codes, and remove comments. For example, a meaningful variable of strFirstName might be renamed to 94mdiwl, and the number 11 might be changed to 0xF01B – 0x73 – 0xEF9D (which still results in the decimal number 11). It's worth noting that most security experts reject security through obscurity as a reliable method of maintaining security. Similarly, code obfuscation might make the code difficult to understand by most people. However, it's still possible for someone with skills to dissect the code." -Security+ Get Certified Get Ahead SY0-601 by Darril Gibson
upvoted 1 times

madmax1984 - 11 months, 2 weeks ago
Selected Answer: A
Code obfuscation makes the code more difficult to read. Stored procedures are used with SQL databases and can be used for input validation. Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance.
upvoted 4 times

xxxdolorxxx - 11 months, 2 weeks ago
Selected Answer: A
A is the right answer here. I know because I've done exactly that for web dev stuff, lol.
upvoted 2 times

rodwave - 1 year, 1 month ago
Selected Answer: A
Answer: Obfuscation
Obfuscation is the action of making something obscure, unclear, or unintelligible. In software development, obfuscation is the act of creating code that is difficult for humans or computers to understand.
upvoted 7 times

Gravoc - 1 year, 3 months ago
Don't forget that obfuscation works in reverse as well. Hackers usually obfuscate their malware and viruses to avoid signature detectors, doing things such as writing arbitrary and benign-looking code and sneaking malicious functions into it. Or hackers also like to stretch the key length of their encryption, or use naming conventions that are only easily understandable by the person who created them.
upvoted 2 times

Topic 1 Question #120
As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment?
A. User behavior analysis
B. Packet captures
C. Configuration reviews
D. Log analysis
Correct Answer: A
Community vote distribution: C (61%), D (34%)

stoneface (Highly Voted) - 1 year, 4 months ago
Selected Answer: C
Configuration reviews should also be performed.
upvoted 72 times

suwayne - 4 months, 1 week ago
Thanks for this. Key phrase that helps with this answer in my opinion: "performs automated vulnerability scans". The right answer is C.
upvoted 1 times

DJCODING - 9 months, 2 weeks ago
While user behavior analysis, packet captures, and log analysis are also important tools for detecting security incidents and identifying potential threats, they are not directly related to completing a security compliance assessment. These tools are typically used as part of incident response and forensic investigations.
upvoted 8 times

calculator - 9 months, 2 weeks ago
We are with you sir!
upvoted 1 times

hazeleyes (Highly Voted) - 1 year, 3 months ago
Selected Answer: D
D. Log analysis. It's not C because configuration review is part of the vulnerability scan. Vulnerability scans can produce false positives, which is why their effectiveness can be enhanced by log reviews to see whether an identified vulnerability is in fact valid.
upvoted 34 times

[Removed] - 11 months, 1 week ago
Compliance is all about configuration. Log analysis and packet captures are more troubleshooting tools than compliance factors.
upvoted 11 times rline63 4 months, 1 week ago I think this is key to how I understand the question. Log analysis is a good step in ensuring you have a secure network but I do not believe it is related to compliance in any way. upvoted 2 times brewoz404sd 10 months, 2 weeks ago No config is not part of any security compliance. Logs however are 100% as all logs are correlated into the siem for analysis. No need for config checks. Scans will tell you what you need to know regarding week configuration of devices. The answer is logs. upvoted 1 times Confuzed 8 months, 4 weeks ago Are you insane. What is SCAP, OSPP, PCI-DSS, or STIG around for then? Most large environments have some security baseline compliance expectation. For example, federal systems must have frequent STIG compliance scans performed which ensures that the systems do not have any insecure configurations that may pose a risk. upvoted 7 times daddylonglegs 2 months, 3 weeks ago No, configuration review is not necessarily part of the vulnerability scan upvoted 1 times CS3000 4 months, 2 weeks ago analyzing the settings and configurations of systems, applications and devices is important to ensure they align with industry best practices, security policies and compliance requirements. Misconfigurations are a common source of vulnerabilities and security breaches. upvoted 1 times https://www.examtopics.com/exams/comptia/sy0-601/view/ 279/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics TheExile Most Recent 3 weeks, 6 days ago Selected Answer: D From the official CompTIA student handbook: Reviewing related system and network logs can enhance the vulnerability report validation process. As an example, assume that your vulnerability scanner identified a running process on a Windows machine. According to the scanner, the application that creates this process is known to be unstable, causing the operating system to lock up and crash other processes and services. 
When you search the computer's event logs, you notice several entries over the past couple of weeks indicate the process has failed. Additional entries show that a few other processes fail right after. In this instance, you've used a relevant data source to help confirm that the vulnerability alert is, in fact, valid. upvoted 2 times Petercx 1 month ago Selected Answer: C To complete a security compliance assessment, in addition to automated vulnerability scans, the auditor should also perform C. Configuration reviews. Configuration reviews involve examining the settings and parameters of systems and applications to ensure they are set up correctly and securely. This can help identify potential security risks such as unnecessary services, open ports, default accounts or passwords, and improper permissions. upvoted 1 times Oruga88 2 months, 1 week ago Selected Answer: C Correct Answer: C. Configuration reviews. In addition to automated vulnerability scans, a security compliance assessment should involve reviewing the configuration settings of systems and devices. This ensures that they are set up in accordance with security best practices and compliance requirements. Other Answer: A. User behavior analysis. While user behavior analysis is important for security, it may not be a standard part of a compliance assessment process. It's more focused on monitoring and detecting suspicious user activities. Other Answer: B. Packet captures. Packet captures are typically used for network analysis and troubleshooting rather than security compliance assessments. Other Answer: D. Log analysis. Log analysis is important for monitoring and detecting security incidents, but it may not be the primary focus of a compliance assessment. Compliance assessments typically look at configurations, policies, and adherence to specific standards and requirements. 
upvoted 4 times Old_Boy_ 2 months ago In Oruga88 we trust (that means this is the right answer) upvoted 1 times ComPCertOn 2 months, 2 weeks ago Selected Answer: C C is correct upvoted 1 times freyprey 3 months, 3 weeks ago Selected Answer: D ,, The main types of security assessment are usually classed as vulnerability assessment, threat hunting, and penetration testing. A vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration (the baseline). Vulnerability assessments might involve manual inspection of security controls, but are more often accomplished through automated vulnerability scanners. " SO the automated vulnerability scanners checks configurations that means the best suited answer is D upvoted 1 times Dark_Tarantula 4 months, 1 week ago Selected Answer: C The key here is that this is a security compliance ASSESSMENT, he is evaluating their security posture. upvoted 3 times sace 4 months, 1 week ago Auditor's cannot do anything but configuration review. Imagine them trying to perform packet analysis, log analysis or behavior analysis - seems out of scope right? upvoted 2 times tomf021959 4 months, 1 week ago Selected Answer: C Vulnerability scan does not include a config review... 
"The difference between vulnerability scanners and configuration auditing software" https://www.titania.com/about-us/news-media/the-difference-between-vulnerability-scanners-and-configuration-auditingsoftware#:~:text=Vulnerability%20Scanning%20doesn%27t%20take,standards%20require%20both%20as%20mandatory "Vulnerability Scanning doesn't take away the need for Configuration Auditing but used alone, Configuration Auditing cannot secure the entire https://www.examtopics.com/exams/comptia/sy0-601/view/ 280/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics network. Both are important when it comes to assessing and maintaining cybersecurity and many of the accepted industry standards require both as mandatory." upvoted 1 times above 4 months, 3 weeks ago Its almost like saying I can apply Linux compliance checks against a Windows system, or deselect some pertinent checks and the scan comes back clean and its OK. Just because you perform a vulnerability scan does not mean you are performing the correct checks. The auditor will look at the vulnerability scan results as well as review the configurations that were applied to ensure they are applicable to the systems and meet the STIGs/DoD etc standards. Answer is C. They don't look at the logs as part of the Vulnerability scan analysis. upvoted 1 times above 4 months, 3 weeks ago Its almost like saying I can apply Linux compliance checks against a Windows system, or deselect some pertinent checks and the scan comes back clean and its OK. Just because you perform a vulnerability scan does not mean you are performing the correct checks. The auditor will look at the vulnerability scan results as well as review the configurations that were applied to ensure they are applicable to the systems and meet the STIGs/DoD etc standards. Answer is C. They don't look at the logs as part of the Vulnerability scan analysis. 
upvoted 1 times

DriftandLuna 5 months, 1 week ago: I went with D but thinking about it, C is correct. Log analysis will usually be done in response to an incident. An admin may also do it as part of general day-to-day checking and operations to ensure there is not something happening they have missed, but the question is really about compliance. Compliance is about ensuring what you have set up is configured correctly, not finding live issues. upvoted 2 times

Nikamy 5 months, 1 week ago: Selected Answer: C. I choose C. Usually logs are verified during an incident. upvoted 1 times

frejus 5 months, 2 weeks ago: Selected Answer: C. As a real-life example, when PCI DSS auditors came to audit a bank, after gathering the vulnerability assessment report, the next step is to conduct a configuration review on all in-scope devices. Therefore the answer is C. upvoted 3 times

Protract8593 5 months, 2 weeks ago: As part of a security compliance assessment, an auditor should perform automated vulnerability scans to identify potential vulnerabilities in the systems. However, configuration reviews are also an essential part of the assessment process. Configuration reviews involve examining the configuration settings of various systems, applications, and devices to ensure they comply with security policies, best practices, and industry standards. It helps identify misconfigurations that could lead to security issues and provides an opportunity to make necessary adjustments to improve security posture. Log analysis is an essential security practice, but it is not explicitly mentioned as part of a security compliance assessment in the given context. Log analysis involves the review and analysis of log data from various systems and applications to detect security incidents, anomalies, and potential threats. It helps in identifying unauthorized access attempts, abnormal user behavior, and potential security breaches.
upvoted 1 times

Protract8593 5 months, 2 weeks ago: Selected Answer: C. upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago: Selected Answer: C. Configuration reviews (option C) involve manually inspecting and analyzing the configuration settings of systems, applications, and network devices to ensure they align with security best practices and comply with the organization's security policies and standards. Configuration reviews are essential in assessing security compliance as they can identify misconfigurations, weak security settings, unnecessary services or ports, and other configuration issues that automated vulnerability scans might miss. They provide valuable insights into the security hygiene of the organization's IT infrastructure and help identify areas that need improvement to enhance overall security. upvoted 2 times

Topic 1 Question #121
A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose?
A. Service
B. Shared
C. Generic
D. Admin
Correct Answer: C
Community vote distribution: A (97%)

stoneface Highly Voted 1 year, 4 months ago: Selected Answer: A. Service accounts are a special type of non-human privileged account used to execute applications and run automated services, virtual machine instances, and other processes. Service accounts can be privileged local or domain accounts, and in some cases, they may have domain administrative privileges. upvoted 50 times

cyberPunk28 Most Recent 3 weeks ago: Selected Answer: A. A. Service upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago: Selected Answer: A. A. Service. The most appropriate account type for an application that needs to read and write data to a shared database is a "Service" account. Service accounts are used to run specific services or applications in a controlled manner, allowing them to access resources and perform specific actions on behalf of the application or service they represent. In this scenario, the application needs to interact with the database on a regular basis, so a dedicated service account should be created for it. This service account should have the necessary permissions to read and write data to the specific tables or data objects required by the application. Using a service account provides better control and accountability over the actions performed by the application. It allows the database administrator to restrict the application's access to only the required resources and minimize the risk of unauthorized access to other parts of the database that are unrelated to the application's functionality. upvoted 3 times

Protract8593 5 months, 2 weeks ago: Selected Answer: A. A service account is typically used for applications and services that need access to specific resources, such as a database. In this scenario, the application that reads and writes data to the database should have its own dedicated service account. By using a service account, the access can be specifically granted and restricted as needed, providing appropriate permissions for the application to interact with the database without compromising other accounts used by the finance department or other applications. Option B (Shared), Option C (Generic), and Option D (Admin) are not suitable choices in this context. Shared and Generic accounts are not specifically intended for application access, and granting admin privileges to an application is unnecessary and risky, as it may lead to unauthorized access or actions.
It is always best practice to use the least privilege principle and provide only the necessary permissions for the application to perform its required tasks. upvoted 2 times

LeonardSnart 7 months, 3 weeks ago: Selected Answer: A. "Service accounts. Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network. Administrators create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this account. Note that this is like a regular end-user account. The only difference is that it's used by the service or application, not an end user. Credential policies may require long, complex passwords for these accounts, but they should not expire. If the password expires, the account can no longer log on, and the service or application will stop." - Security+ Get Certified Get Ahead SY0-601 by Darril Gibson upvoted 1 times

strong1 8 months, 1 week ago: Service accounts are accounts that specific applications or services use to interact with the system. For example, if you have an FTP server that interacts with an FTP service, you might use a service account with limited permissions to allow that service to access the system. This enables you to apply very tight security controls to the service account, rather than using a general user account to perform the activity. upvoted 1 times

Kaps443 8 months, 1 week ago: Selected Answer: A. A is correct. upvoted 1 times

EricShon 9 months, 3 weeks ago: Selected Answer: A. A. Service account is the most appropriate for this purpose.
upvoted 1 times

seagnull 10 months, 2 weeks ago: Selected Answer: A. "A database administrator wants to grant access to an application". Service accounts are created for apps and services. upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago: A. Service accounts are associated with applications and services. upvoted 1 times

nul8212 1 year ago: Selected Answer: C. Generic account: a preset, standard, common, guest, fixed, shared, or anonymous user account. upvoted 2 times

Dacoder 4 months, 1 week ago: It is an application, not a person. upvoted 1 times

Blake89 11 months, 3 weeks ago: Absolutely not. People like you need to stop commenting on these threads. upvoted 11 times

zharis 1 year, 2 months ago: Service accounts are used by scheduled processes and application server software such as databases. upvoted 2 times

[Removed] 1 year, 2 months ago: Selected Answer: A. Service accounts are associated with applications and services. upvoted 1 times

ergo54 1 year, 3 months ago: Selected Answer: A. Agreed, it's A. The study guide explicitly states that generic accounts are for many different individuals doing the same work, whereas a service account is explicitly for an application/service to run its work. upvoted 3 times

RonWonkers 1 year, 3 months ago: Selected Answer: A. I think A is most appropriate. upvoted 1 times

k9_462 1 year, 4 months ago: Selected Answer: A. I would go with A, service account. upvoted 1 times

Topic 1 Question #122
A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member MOST likely use to open this file?
A. Autopsy
B. Memdump
C. FTK imager
D. Wireshark
Correct Answer: D
Community vote distribution: D (100%)

rodwave Highly Voted 1 year, 1 month ago: Selected Answer: D. Answer: Wireshark. PCAP or Packet Capture is an interface used for capturing live network packet data. PCAP files like 'host1.pcap' are data files created by network analyzers like Wireshark that are used to collect and record packet data from a network. These files can be used for analyzing the network traffic.
Other Tools/Options:
(A) Autopsy - A platform that provides digital forensic tools.
(B) Memdump - The memdump tool is a program that can do memory dumps. A memory dump is the process of taking all data in RAM and storing it on a hard drive, for like applications or for the case of a system crash. The memdump tool will dump the contents of physical memory by default.
(C) FTK Imager - Forensic Toolkit (FTK) is forensics software and FTK Imager is a tool that can be used to create forensic images. A forensic image is basically a copy of an entire physical hard drive including files, folders etc.
upvoted 14 times

Blake89 11 months, 3 weeks ago: Autopsy IS a TOOL. Not a platform for multiple tools. Its main purpose is to view and recover data from storage devices. People like you need to really stop talking in here. upvoted 2 times

8c55165 11 hours, 1 minute ago: Correct, Autopsy is a tool, but it is not the correct answer. upvoted 1 times

Elyria 11 months, 2 weeks ago: How about you get a life and YOU stop commenting here. All I see under every discussion is you crying about other people participating. Grow up. upvoted 17 times

Blake89 11 months, 2 weeks ago: Elyria, how about you quit crying about me calling out people who are talking nonsense and giving out false information? These are not opinions, it's all factual. Take your little delicate sensitivities to Facebook. upvoted 2 times

cyberPunk28 Most Recent 3 weeks ago: Selected Answer: D. D. Wireshark upvoted 1 times

BigSuh 1 month, 2 weeks ago: Answer: Wireshark. Wireshark is a widely used network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It supports the analysis of packet captures stored in the pcap file format. Pcap files contain network traffic data captured during packet sniffing or network monitoring. The other options explained:
A. Autopsy: Autopsy is a digital forensics platform primarily used for analyzing disk images and file systems. It is not designed for the analysis of network traffic captures in pcap format.
B. Memdump: Memdump typically refers to the process of capturing the contents of a computer's memory. It is not a tool for analyzing pcap files containing network traffic data.
C. FTK Imager: FTK Imager is a digital forensics tool used for imaging and analyzing disk drives. It is not specifically designed for the analysis of network traffic captures.
upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago: Selected Answer: D. Wireshark is a widely used open-source network protocol analyzer that allows users to capture and analyze network traffic. It is commonly used by security analysts and network administrators to examine network packets, troubleshoot network issues, and perform incident analysis. In the scenario described, the security analyst generated a file named host1.pcap, which is likely a packet capture file in the PCAP format. To further analyze the network traffic and incidents captured in this file, the team member would most likely use Wireshark. Wireshark can open and read PCAP files, allowing the user to inspect the captured packets, filter the data, and gain insights into the network activity and potential security issues.
upvoted 1 times

Protract8593 5 months, 2 weeks ago: Selected Answer: D. Wireshark is a widely used network protocol analyzer and packet capture tool. It is commonly used for opening and analyzing files with the ".pcap" extension, which contain captured network traffic data. With Wireshark, the team member can view the contents of the "host1.pcap" file and perform further incident analysis by examining the network packets and their associated data. upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago: D. Wireshark analyzes packet captures. upvoted 2 times

xxxdolorxxx 11 months, 2 weeks ago: Selected Answer: D. Wireshark. Did this for my eJPT exam. upvoted 1 times

RonWonkers 1 year, 3 months ago: Selected Answer: D. pcap is Wireshark. upvoted 3 times

Gravoc 1 year, 3 months ago: Wireshark. I've opened enough pcaps in Wireshark to know this one :p upvoted 4 times

okay123 1 year, 4 months ago: Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible. upvoted 1 times

comeragh 1 year, 4 months ago: Selected Answer: D. D - Wireshark upvoted 4 times

Topic 1 Question #123
An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST?
A. Delete the private key from the repository.
B. Verify the public key is not exposed as well.
C. Update the DLP solution to check for private keys.
D. Revoke the code-signing certificate.
Correct Answer: D
Community vote distribution: D (100%)

stoneface Highly Voted 1 year, 4 months ago: Selected Answer: D. We need to revoke the code-signing certificate as this is the most secure way to ensure that the compromised key won't be used by attackers.
Usually there are bots crawling all over repos searching for this kind of human error. upvoted 28 times

ApplebeesWaiter1122 Highly Voted 5 months, 2 weeks ago: Selected Answer: D. In this scenario, the company's code-signing certificate private key has been exposed to the public, which is a significant security concern. The first and most critical step the company should take is to revoke the compromised code-signing certificate. By revoking the certificate, the company informs all parties that the certificate is no longer trustworthy and should not be used for signing applications or code. After revoking the certificate, the company can then proceed with other necessary actions, such as verifying that the public key is not exposed, deleting the private key from the repository, and updating the Data Loss Prevention (DLP) solution to check for private keys. However, the immediate priority is to prevent the malicious use of the compromised certificate by revoking it as soon as possible. upvoted 6 times

cyberPunk28 Most Recent 3 weeks ago: Selected Answer: D. D. Revoke the code-signing certificate upvoted 1 times

Protract8593 5 months, 2 weeks ago: Selected Answer: D. In the scenario described, the company's code-signing certificate private key has been accidentally uploaded to a public web server. This poses a significant security risk as malicious actors could potentially use the private key to sign malicious code, impersonating the company. The first and most critical step the company should take is to revoke the code-signing certificate. By revoking the certificate, any code that was previously signed with it will no longer be trusted, and the risk of malicious use is mitigated. After revoking the certificate, the company can take further actions such as deleting the private key from the repository, verifying the public key is not exposed, and updating the Data Loss Prevention (DLP) solution to check for private keys.
However, the immediate priority is to revoke the certificate to prevent further damage or misuse. upvoted 1 times

MorganB 8 months, 1 week ago: Passed my exam 27 April 23. This question was on my test, worded differently, but the answer is the same. upvoted 6 times

DALLASCOWBOYS 11 months, 1 week ago: D. Revoke the code-signing certificate. upvoted 1 times

Sir_Learnalot 1 year, 1 month ago: Revoke the certificate, and you should perform user training to minimize the chance of this happening again. upvoted 2 times

Jossie_C 1 year, 2 months ago: Selected Answer: D. D is containment. upvoted 1 times

RonWonkers 1 year, 3 months ago: Selected Answer: D. This is D. upvoted 1 times

Gravoc 1 year, 3 months ago: Revoke the certificate with a revocation authority, and go about getting a new one with a certificate authority. upvoted 2 times

Topic 1 Question #124
An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps. Which of the following control types has the organization implemented?
A. Compensating
B. Corrective
C. Preventive
D. Detective
Correct Answer: D
Community vote distribution: D (55%) C (44%)

Gravoc Highly Voted 1 year, 3 months ago: From the official study guide: "Compensating - controls designed to mitigate the risk associated with exceptions made to a security policy. Corrective - remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control. Preventive - intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.
Detective - identify security events that have already occurred. Intrusion detection systems are detective controls." Based on this, Preventive makes the most sense to me. They are comparing the configurations to a secure guideline to ensure no gaps. Meaning they are pre-emptively hardening their systems against future attack vectors. upvoted 76 times

cybertechb 2 weeks, 1 day ago: According to ChatGPT: 'Detective controls are designed to identify and detect security incidents or deviations from security policies after they have occurred. In this case, the process of comparing current system settings against secure configuration guidelines is a detective measure aimed at identifying any gaps or deviations from the established security standards.' upvoted 1 times

Sublime_Cheese 2 months, 3 weeks ago: Key word in the question is "identify". Key word in your definitions is "identify". It's Detective. upvoted 2 times

J_Ark1 1 year, 2 months ago: Stone face wisdom here :) upvoted 14 times

Luuke 10 months, 1 week ago: True dat. upvoted 1 times

assfedassfinished 9 months, 1 week ago: You're not given information concerning whether a security event has occurred. How can undetected gaps be prevented? upvoted 2 times

jgp Highly Voted 1 year, 4 months ago: Selected Answer: D. "...identify..." upvoted 28 times

Strykar 1 year, 3 months ago: "Identify so it can be Prevented". It's better to read and understand the whole question and not just a keyword. upvoted 9 times

RvR109 10 months, 4 weeks ago: It doesn't say anywhere that it's to "prevent" anything, only to "identify". Which makes it Detective. upvoted 9 times

brewoz404sd 10 months, 3 weeks ago: No, detective is after an incident, not finding gaps. Can't be detective at all. upvoted 6 times

ffsilveira10 8 months, 3 weeks ago: If any gaps are identified, that would be an "incident" and you would have detected it.
Scanning the environment for gaps will not prevent them from occurring; it will in the first instance identify them. upvoted 4 times

8c55165 Most Recent 10 hours, 53 minutes ago: I think people are overthinking this. It's just implementing a tool to detect or "identify" the configurations. It isn't fixing them. If it was, it would be preventative. upvoted 1 times

dbear1214 1 month ago: Selected Answer: C. When you're comparing something to another that works, or a proper way something is supposed to be configured, aren't you trying to prevent it from breaking? Correct me here if I'm wrong. upvoted 1 times

Petercx 1 month ago: Selected Answer: D. The organization has implemented D. Detective controls. Detective controls are designed to identify and react to incidents or conditions that have occurred. In this case, comparing the current system configurations against secure configuration guidelines helps the organization identify any deviations or gaps, which can then be addressed. This process does not prevent or correct the issue but rather detects it, hence it's a detective control. upvoted 1 times

Jackwasblk 1 month, 2 weeks ago: https://youtu.be/NLzgcDX6rkE preventative control. hardening. Skip to the 10 min mark. upvoted 2 times

No1BlackAce 1 month, 1 week ago: If you continued watching and got to the detective section, it would've mentioned the security audit under detective controls, so I think D is the right answer. upvoted 1 times

Teleco0997 1 month, 2 weeks ago: Selected Answer: D. The process described is focused on identifying misconfigurations rather than actively preventing or blocking them; in that sense, DETECTIVE is a more fitting choice. upvoted 3 times

Frogalicious 1 month, 4 weeks ago: Selected Answer: C. "A detective control operates during the progress of an attack." "A corrective control is used after an event." Identifying gaps in a system's configuration does not equate to those gaps being exploited, therefore it must be a preventative control.
upvoted 2 times

Mahoni 2 months, 1 week ago: Preventive! It can be preventive or detective depending on the situation. What is the situation now? There is no incident! Why are they doing this? To prevent security issues in the future. They can also use this tool when there has been a security incident to detect if there were some changes made to the configurations; then it would be a detective control. IMO. upvoted 2 times

ComPCertOn 2 months, 2 weeks ago: Selected Answer: D. "identify" upvoted 2 times

Sublime_Cheese 2 months, 3 weeks ago: Detective. Key phrases: "org implemented" (past tense), "in order to identify", "Which ... has the org implemented?" (past tense). *An org implemented a Detective control (in the past)* in order to identify necessary Preventative controls in the future. upvoted 1 times

toluwalase022 1 month ago: If it says in the past then it is preventive. Detective only happens while the attack occurs or after the attack happens. upvoted 1 times

[Removed] 3 months, 1 week ago: Selected Answer: C. I'd say preventive. upvoted 1 times

freyprey 3 months, 2 weeks ago: Selected Answer: C. In the CompTIA Security+ study guide, detective actions are taken when an attack takes place. Here all the actions are Preventive (before an attack), in order to solve security breaches. upvoted 2 times

MooWasHere 3 months, 3 weeks ago: Selected Answer: C. They are trying to prevent any gaps from happening. upvoted 1 times

RevolutionaryAct 4 months ago: Selected Answer: A. Compensating, as this is comparing gaps. From the All-In-One Exam Guide: "Compensating controls are used to meet a requirement when there is no control available to directly address a threat. Fire suppression systems do not prevent fire damage, but if properly employed, they can mitigate or limit the level of damage from a fire."
Corrective is used after an event so it cannot be that one. Detective is during an event so it cannot be that one. Preventive is to stop an event from occurring, but this is about comparing gaps. upvoted 1 times

Dark_Tarantula 4 months, 1 week ago: Selected Answer: D. Detective controls are designed to identify and alert when security violations or deviations from security policies occur. In this case, the process of comparing the current settings against secure configuration guidelines is aimed at detecting any gaps between the actual system configurations and the recommended secure configurations. upvoted 3 times

gho5tface 4 months, 1 week ago: Selected Answer: D. The organization is implementing a detective control by comparing settings to identify any deviations from the secure configuration guidelines. upvoted 3 times

Topic 1 Question #125
The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk?
A. CASB
B. VPN concentrator
C. MFA
D. VPC endpoint
Correct Answer: A
Community vote distribution: A (100%)

Mamun1 Highly Voted 1 year, 4 months ago: Selected Answer: A. A cloud access security broker (CASB) is on-premises or cloud-based software that sits between a cloud service consumer and a cloud service provider. It serves as a tool for enforcing an organization's security policies through risk identification and regulation compliance whenever its cloud-residing data is accessed. upvoted 29 times

ScottT 1 year, 3 months ago: For me the key clue is SaaS, suggesting cloud computing.
With that being decided, CASB is the only option. upvoted 13 times

comeragh Highly Voted 1 year, 4 months ago: Selected Answer: A. By process of elimination, A seems to be the correct answer. upvoted 10 times

Gino_Slim 1 year, 2 months ago: That's exactly what I did. Even if I didn't know what CASB meant, the others didn't make any sense. upvoted 9 times

cyberPunk28 Most Recent 3 weeks ago: Selected Answer: A. A. CASB upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago: Selected Answer: A. A Cloud Access Security Broker (CASB) is the best security solution to reduce the risk of shadow IT related to unsanctioned high-risk SaaS applications. CASB provides visibility and control over the use of cloud services within an organization, helping to detect and block unauthorized cloud applications. It acts as an intermediary between users and cloud services, allowing organizations to enforce security policies, monitor cloud activity, and prevent access to unsanctioned or high-risk cloud applications. By implementing a CASB solution, the Chief Information Security Officer (CISO) can gain better visibility into the usage of cloud services, enforce security policies, and block access to unauthorized or high-risk applications, effectively reducing the risk of shadow IT and enhancing overall cloud security. upvoted 5 times

Protract8593 5 months, 2 weeks ago: Selected Answer: A. CASB is a security solution that provides organizations with visibility into and control over cloud-based services and applications accessed by their users. It acts as an intermediary between users and cloud service providers, allowing security teams to enforce security policies and monitor cloud usage. By implementing a CASB, the organization can gain insights into all cloud applications being used by its employees, including unsanctioned ones, and apply policy-based controls to block access to high-risk SaaS applications.
This helps mitigate the risks associated with shadow IT, enhances security, and ensures compliance with organizational policies. The other options (B. VPN concentrator, C. MFA, and D. VPC endpoint) are not directly related to managing or controlling access to SaaS applications, and thus they would not be the best choice for reducing the risk of unsanctioned high-risk SaaS applications. upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago: A. SaaS is a cloud-based service; therefore, a CASB, Cloud Access Security Broker. upvoted 3 times

FMMIR 1 year ago: Selected Answer: A. The best security solution to reduce the risk of shadow IT and unsanctioned high-risk SaaS applications is a Cloud Access Security Broker (CASB). A CASB is a security solution that is designed to provide visibility and control over cloud applications and services. It can be used to block access to unsanctioned applications and to enforce security policies and compliance requirements for cloud services. In this case, the CASB would be used to block access to unsanctioned high-risk SaaS applications, reducing the risk of shadow IT and helping the organization to maintain control over its cloud environment. Options B, C, and D are not specifically related to reducing the risk of shadow IT and unsanctioned SaaS applications. A VPN concentrator is a network device that is used to manage and terminate VPN connections, MFA is a security control that requires multiple factors for authentication, and a VPC endpoint is a networking feature that allows private access to AWS services. upvoted 3 times

Topic 1 Question #126
A technician enables full disk encryption on a laptop that will be taken on a business trip.
Which of the following does this process BEST protect?
A. Data in transit
B. Data in processing
C. Data at rest
D. Data tokenization
Correct Answer: C
Community vote distribution: C (100%)

Gravoc Highly Voted 1 year, 3 months ago: Data in transit is incorrect. The official terminology is data in motion. Data-in-Motion: Data that is in transit over a network. Think data packets working their way across the internet. Data-at-Rest: Stored data that resides on hard drives, tapes, in the cloud, or on other storage media. When this is taught, it's almost always taught as a USB stick lying on a desk in an office. Don't forget that this is a broad category. Data-in-Processing: Data that is actively in use by a computer system. Includes data stored in memory while processing takes place. upvoted 9 times

xxxdolorxxx Highly Voted 11 months, 2 weeks ago: C is the right answer. They tried to throw a curveball with the "traveling" thing, lol. upvoted 8 times

cyberPunk28 Most Recent 3 weeks ago: Selected Answer: C. C. Data at rest upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago: Selected Answer: C. Full disk encryption (FDE) is a security measure that protects data at rest, meaning data that is stored on a device, such as a laptop's hard drive. When FDE is enabled, all the data on the disk is encrypted, and it remains encrypted even when the device is powered off or not in use. This ensures that if the laptop is lost, stolen, or accessed by unauthorized individuals, the data on the disk is still protected and cannot be easily accessed or read without the decryption key. FDE helps to safeguard sensitive information from potential data breaches or unauthorized access to the physical device. upvoted 2 times

Protract8593 5 months, 2 weeks ago: Selected Answer: C. Full disk encryption (FDE) is a security measure that encrypts the entire hard drive or storage media of a device, such as a laptop, to protect the data stored on it when the device is powered off or not in use.
It ensures that if the laptop is lost, stolen, or accessed by unauthorized individuals, the data on the disk remains encrypted and inaccessible without the appropriate decryption key or password. This protects the data at rest from being compromised in such situations.
upvoted 3 times

Zdane 8 months, 3 weeks ago
It's funny, because the part "laptop that will be taken on a business trip" is a decoy for the answer "Data in transit".
upvoted 1 times

DALLASCOWBOYS 11 months, 1 week ago
C. Data at rest, such as data stored on the device when it is in an off state, or when a laptop is in sleep mode.
upvoted 1 times

kstevens11 1 year, 2 months ago
Selected Answer: C
Full DISK encryption - disk data is data at rest
upvoted 3 times

serginljr 1 year, 3 months ago
Selected Answer: C
Data at Rest is the correct answer. Data at rest: Data at rest is data in its stored or resting state, which is typically on some type of persistent storage such as a hard drive or tape. Symmetric encryption is used in this case.
upvoted 5 times

Topic 1 Question #127
A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file?
A. Check the hash of the installation file.
B. Match the file names.
C. Verify the URL download location.
D. Verify the code signing certificate.
Correct Answer: A
Community vote distribution A (85%) D (15%)

Gravoc Highly Voted 1 year, 3 months ago
The hardware manufacturer will post the hash of the file publicly, and anyone who receives a copy of that file will be able to run a checksum on the file themselves, and compare it to the official manufacturer-provided checksum. Hashing is almost always the correct answer in these types of questions. You'll see a lot of GitHub repositories using hashed checksums as well for verification, and I recently just installed Java onto my new computer. Java provided me with a hashed checksum for the setup executable.
upvoted 18 times

Blake89 Highly Voted 11 months, 2 weeks ago
Selected Answer: A
Directly from the CompTIA Sec+ Study Guide: "• The most common way to validate that a forensic copy matched an original copy is to create a hash of the copy and to create a hash of the original drive, and then compare them. If the hashes match, the forensic copy is identical to the original."
upvoted 8 times

1bagwell 10 months ago
hey there! how can I be able to get the study guide?
upvoted 1 times

cybertechb 2 weeks, 1 day ago
u can use alison.com, professor messer on youtube and/or purchase the book on amazon
upvoted 1 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: A
A. Check the hash of the installation file.
upvoted 1 times

predsednik 4 months, 4 weeks ago
Selected Answer: A
The most common way to validate that a forensic copy matched an original copy is to create a hash of the copy and to create a hash of the original drive, and then compare them. If the hashes match, the forensic copy is identical to the original.
upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago
Selected Answer: A
When you download a file from a reputable source, the provider often publishes the hash value (such as MD5, SHA-256, etc.) of the original file on their website. After downloading the file, you can calculate the hash of the downloaded file and compare it to the published hash.
If the hashes match, it means the file was not modified in transit and is likely the same as the original file provided by the hardware manufacturer. If the hashes do not match, it suggests that the file might have been altered during transmission or is a different version from the one provided by the manufacturer.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Hashing is a cryptographic method used to generate a unique fixed-size string of characters (hash value) from the content of a file. By calculating the hash value of the original installation file and comparing it to the hash value of the received file, the security analyst can determine whether the file has been modified in transit or remains unchanged. If the hash values match, it is highly likely that the file was not tampered with during transmission. If the hash values differ, it indicates that the file has been altered, and it should not be trusted. Option B (Match the file names) and Option C (Verify the URL download location) are not sufficient for ensuring the integrity of the file, as an attacker can use the same file name or spoof the download location to trick users into installing malicious content. Option D (Verify the code signing certificate) is relevant for verifying the authenticity and integrity of software files but might not be applicable in this case if the file is not digitally signed by the manufacturer. In such situations, checking the file's hash would be a more general and reliable method to assess the file's integrity.
upvoted 2 times

z3phyr 9 months, 1 week ago
Selected Answer: A
Code signing certificates are for software code. Nowhere does the question state that this is for code. It says "file".
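The hash check the thread describes, as an added example that is not from any poster above or from ExamTopics: it parses a vendor-style "<digest>  <filename>" manifest (the format sha256sum produces), hashes the installer in chunks, and compares with a constant-time comparison. The manifest text, file names, file contents and the helper names (hash_file, parse_checksum_manifest, verify_download) are all constructed for this example, not taken from any real vendor or tool.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large installers without loading them into memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path` using the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text, algorithm):
    """Parse "<hexdigest>  <filename>" lines into {filename: hexdigest}.

    Lines that do not carry a digest of the expected length are rejected rather than
    silently skipped, so a truncated or corrupted manifest cannot pass as "nothing to check".
    """
    expected_len = hashlib.new(algorithm).digest_size * 2
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"manifest line {lineno}: malformed {algorithm} digest")
        entries[name] = digest.lower()
    return entries


def verify_download(path, manifest_text, algorithm="sha256"):
    """Compare the file's computed digest with the manifest entry for its basename.

    Returns (ok, reason). hmac.compare_digest is used so the comparison does not leak
    how many leading characters of the digest matched.
    """
    name = os.path.basename(path)
    entries = parse_checksum_manifest(manifest_text, algorithm)
    if name not in entries:
        return False, f"no {algorithm} entry for {name!r} in manifest"
    actual = hash_file(path, algorithm)
    if hmac.compare_digest(actual, entries[name]):
        return True, f"{algorithm} matches published value"
    return False, f"{algorithm} MISMATCH: file may have been altered in transit"


def demo():
    """Constructed scenario: an installer, its published manifest, and a copy altered by one byte."""
    good = b"FIRMWARE-INSTALLER-v1.0 " + bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "installer.bin")
        bad_path = os.path.join(d, "tampered", "installer.bin")
        os.makedirs(os.path.dirname(bad_path))
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(good[:100] + bytes([good[100] ^ 0x01]) + good[101:])
        # The "published" manifest is derived from the good file, as the vendor would do it.
        manifest = (
            "# installer.bin release checksums (constructed for this example)\n"
            f"{hash_file(good_path)}  installer.bin\n"
        )
        return verify_download(good_path, manifest), verify_download(bad_path, manifest)


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

A single flipped byte changes the whole digest, which is why the mismatch case is detected; the manifest itself still has to be fetched over a trusted channel (or be signed), since a hash published beside a tampered file proves nothing.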
upvoted 1 times

assfedassfinished 9 months, 1 week ago
Selected Answer: A
Check the Hash(es). Is a collision possible? Yes. Likely? No - especially considering reviewing more than one hash.
upvoted 1 times

monzie 9 months, 1 week ago
Selected Answer: D
D. Verify the code signing certificate. Verifying the code signing certificate ensures that the file was not modified during transit, as the certificate provides assurance that the file originated from a trusted source and has not been tampered with since it was signed.
upvoted 1 times

LeeBeeDee 2 months, 2 weeks ago
certificates can be faked, you can't fake a hash.
upvoted 2 times

DALLASCOWBOYS 11 months, 1 week ago
A. Check the hash of the file to verify the integrity of the file to see if it was modified.
upvoted 1 times

[Removed] 11 months, 3 weeks ago
Selected Answer: A
Hashing
upvoted 2 times

FMMIR 1 year ago
Selected Answer: A
The security analyst can safely assess the file by checking the hash of the installation file. A hash is a unique value that is generated based on the contents of a file. When a file is sent from one party to another, the sender can compute the hash of the file and provide it to the recipient. The recipient can then compute the hash of the received file and compare it to the original hash. If the hashes match, it indicates that the file has not been modified and is identical to the original file. This can provide assurance that the file has not been tampered with or corrupted in transit. Options B, C, and D are not reliable methods for determining whether a file has been modified in transit. Matching file names does not guarantee the integrity of the file, verifying the URL download location does not provide information about the file itself, and verifying the code signing certificate does not guarantee that the file has not been modified.
upvoted 3 times

[Removed] 1 year, 1 month ago
Selected Answer: A
A.
Always when it's about checking if an app wasn't modified by a 3rd party - you compare hashes :p
upvoted 3 times

kstevens11 1 year, 2 months ago
Selected Answer: A
keywords: "determine whether a file was modified", and you need a hash comparison for this. Code signing is more for nonrepudiation, I thought.
upvoted 3 times

MathDayMan 1 year, 2 months ago
A Hashed is the right one
upvoted 1 times

G4ct756 1 year, 2 months ago
Selected Answer: D
D. There is a possibility of hash collision, and we can't verify if the file is from the manufacturer. A code signing certificate verifies the file is not tampered with, together with the signer's identity. I would think a code signing certificate will hold more weight over a file hash.
upvoted 3 times

Tomtom11 1 year, 2 months ago
Selected Answer: A
File is Hashed. Code is Signed to ensure it has not been altered.
upvoted 3 times

Topic 1 Question #128
A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP Address. Which of the following is the technician's BEST course of action?
A. Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller.
B. Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone.
C. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer.
D. Request the caller send an email for identity verification and provide the requested information via email to the caller.
Correct Answer: D
Community vote distribution C (65%) D (35%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: C
Answer: Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer.
In this scenario, the help desk technician should be wary of the person's request as help desk technicians would not have this information. Also, if the person claimed to be from the cybersecurity incident response team, they would be more likely to have access to this information anyway, or at least know who to contact. For the sake of the technician, it would be best to get as much information as possible and delegate the task of confirming the person's identity to the cybersecurity officer. Even in the very slim chance that it was a legitimate request, it would still be best for the cyber security officer to provide this information instead of a tech.
upvoted 22 times

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: D
D -> Request the caller send an email for identity verification and provide the requested information via email to the caller. -> This will allow having a record of the requested information as well as identifying the requester.
upvoted 21 times

cybertechb 2 weeks, 1 day ago
Requesting verification via email might not be secure, as email addresses can be easily spoofed or compromised. Relying on email for identity verification is not a strong authentication method. In addition, would it not be rare for a help desk tech to have this sort of information? I usually agree with everything you say, but I must disagree respectfully with this, boss.
upvoted 1 times

Ruthless937 4 months, 1 week ago
if the attacker has spoofed the email address then they could bypass the email identity verification.
upvoted 6 times

Ruthless937 3 months, 3 weeks ago
also you would never send an internal IP like that over email for anyone to read.
upvoted 6 times

OneTooManyCert 9 months ago
I answered C but the lord himself answered D, now I'm confused
upvoted 9 times

Old_Boy_ 1 month, 4 weeks ago
It's stoneface tho. He's always right
upvoted 1 times

chaddaddy 3 months, 2 weeks ago
LOL! An anarchy is foaming
upvoted 1 times

J_Ark1 1 year, 2 months ago
For the SIEM systems to be able to know who it was that attacked and compromised the system?
upvoted 1 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: D
From working experience, any type of request like this has to be requested in writing via email. D. Request the caller send an email for identity verification and provide the requested information via email to the caller.
upvoted 1 times

TheFivePips 2 months ago
Selected Answer: C
Why on earth would a member of the response team ask a help desk person to give them an IP? They would be much more likely to have that information on hand
upvoted 1 times

Mahoni 2 months, 1 week ago
C -> Can you imagine a real CSIRT calling the help desk asking for the firewall IP address? Better get all the info you can get from them and pass it to the security team. Make sure you don't give them any more info such as your email, other phone numbers, etc.
upvoted 2 times

ComPCertOn 2 months, 2 weeks ago
Selected Answer: C
never give any information over the phone, inform the Cyber team
upvoted 2 times

Arishutara 2 months, 2 weeks ago
"I must express my disappointment with the cybersecurity community's response to the recent question. It appears that the answer provided was incorrect, which can be frustrating when seeking accurate information in this critical field."
upvoted 1 times

Only12go 3 months ago
Selected Answer: C
Look up MGM hack = Answer is C
upvoted 2 times

malibi 4 months ago
Selected Answer: D
emailing a help desk is like creating a help desk ticket. 1.
email address of the sender will be verified, 2. the request will go through the proper channel! just my 2 cents
upvoted 1 times

ja1092m 4 months, 2 weeks ago
It asked for the BEST course of action, wouldn't C be the most secure?
upvoted 1 times

RevolutionaryAct 4 months, 4 weeks ago
Selected Answer: C
D doesn't make sense given the firewall is supposedly compromised; why would you send data in the clear over email when the firewall is in question? It's C
upvoted 1 times

predsednik 4 months, 4 weeks ago
Selected Answer: C
I would go with C because in case someone is trying to scam the help desk tech claiming that he belongs to the cyber security team, then the help desk tech should check and verify this information with the cybersec team: whether that person exists in their team and whether he needs that information. In case you decide on D and send the requested info to the sender without verifying his identity with the cyber sec team, you could be wrong and send sensitive information to the hacker who maybe stole email credentials from the real guy.
upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago
Selected Answer: C
In this situation, the technician should be cautious and follow proper security protocols. The caller's request to verify the network's internal firewall IP address is sensitive information that should not be disclosed over the phone without proper verification. Instead, the technician should gather as much information as possible about the caller, including their name and phone number, and then hang up the call. The next step is to notify the organization's cybersecurity officer or a designated authority about the incident so they can verify the legitimacy of the request and take appropriate actions if necessary.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
In this scenario, the help desk technician receives a call from someone claiming to be from the organization's cybersecurity incident response team.
It is essential to follow proper security protocols and procedures when dealing with sensitive information or requests for verification. Option A (Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller) is a good approach if the person is genuinely from the incident response team. However, it may not be feasible or practical in all situations, especially if the organization has a distributed workforce or remote teams.
Option B (Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone) is not recommended because verifying the person's identity solely based on the email directory may not be enough to ensure their authenticity.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Option D (Request the caller send an email for identity verification and provide the requested information via email to the caller) is also not the best course of action, as responding to unsolicited emails can lead to phishing or other security risks. The best approach is to gather as much information as possible from the caller (name, phone number, purpose of the request) without divulging sensitive information. After hanging up, the technician should notify the organization's cybersecurity officer or the appropriate security personnel to verify the legitimacy of the request before taking any further action.
upvoted 3 times

Jonsmith24 5 months, 2 weeks ago
What if he is part of the organization's cybersecurity incident response team, and has the proper identity information? Why are you calling the cyber security officer before you have even seen the identification?
upvoted 2 times

Gaurabdon 6 months, 3 weeks ago
Selected Answer: D
In a real-world scenario, the answer is D.
I work as an IT help desk in an MSP and the protocol is never to hang up on the person, keeping in mind that the person calling can be a legitimate person as well. For that reason, it is best for both parties that the caller sends an email requesting the information so that it gets documented who asked. If the user is legitimate, we can easily tell from the email address they are sending us from. From there, we can inform the cyber team if we can proceed with the request.
upvoted 5 times

Kaps443 8 months, 1 week ago
Selected Answer: C
C. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer.
The best course of action for the technician is to follow the principle of least privilege and verify the caller's identity before providing any sensitive information. The caller could potentially be a social engineer attempting to gain unauthorized access to the network. Writing down the phone number and the name of the person requesting information, hanging up, and notifying the cybersecurity officer will help prevent unauthorized access to the network.
upvoted 1 times

Topic 1 Question #129
Which of the following would BEST provide detective and corrective controls for thermal regulation?
A. A smoke detector
B. A fire alarm
C. An HVAC system
D. A fire suppression system
E. Guards
Correct Answer: D
Community vote distribution C (89%) 11%

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: C
What are the functions of an HVAC system? An HVAC system is designed to control the environment in which it works. It achieves this by controlling the temperature (THERMAL) of a room through heating and cooling. It also controls the humidity level in that environment by controlling the movement and distribution of air inside the room.
So it provides detective and corrective controls for THERMAL regulation.
upvoted 44 times

cyberPunk28 Most Recent 3 weeks ago
Selected Answer: C
C. An HVAC system
upvoted 1 times

sujon_london 5 months ago
Selected Answer: D
The optimal way to achieve detective and corrective thermal regulation is through a fire suppression system, which actively curbs fires and halts their escalation. While smoke detectors, fire alarms, and HVAC systems are significant, they lack the direct fire control capability of a suppression system.
upvoted 1 times

RevolutionaryAct 4 months, 4 weeks ago
Wrong. It never mentions fire, and fire suppression can only put out fires; it cannot raise temperatures nor slowly (or rapidly) cool, unlike an HVAC system. "corrective controls for thermal regulation" =/= fire
upvoted 1 times

RevolutionaryAct 4 months ago
OK now I retract that comment because elsewhere I see that a fire suppression system is considered a corrective and compensating control.
upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago
Selected Answer: C
An HVAC (Heating, Ventilation, and Air Conditioning) system can provide both detective and corrective controls for thermal regulation. The HVAC system helps detect abnormal temperature changes in the environment, which can indicate potential issues with thermal regulation. For example, if a server room becomes too hot, the HVAC system can trigger alarms or notifications to alert the relevant personnel about the issue. Additionally, the HVAC system can be programmed to take corrective actions automatically in response to temperature fluctuations. It can adjust heating, cooling, and ventilation settings to bring the environment back to the desired temperature range.
upvoted 2 times

sujon_london 5 months ago
I do appreciate your contribution to this platform, which is very helpful: just to check, what aspect will HVAC detect and what would be corrective?
This may help to change the answer C > D; The optimal way to achieve detective and corrective thermal regulation is through a fire suppression system, which actively curbs fires and halts their escalation. While smoke detectors, fire alarms, and HVAC systems are significant, they lack the direct fire control capability of a suppression system.
upvoted 1 times

Frogalicious 1 month, 4 weeks ago
Think about your personal HVAC system at home; it's likely that you set the desired temperature on the control panel (aka thermo(temperature)stat(stasis)), which detects the temperature level and corrects it upon noticing a change.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
An HVAC (Heating, Ventilation, and Air Conditioning) system can provide both detective and corrective controls for thermal regulation. It is capable of detecting abnormal temperatures and adjusting the environment to maintain the desired temperature range. By doing so, it helps to prevent overheating or freezing of equipment, which can lead to system failures or damage. This makes the HVAC system an important component in maintaining the overall security and reliability of the infrastructure.
upvoted 1 times

EUGgrep 7 months, 2 weeks ago
Selected Answer: C
D can't be the correct answer because a fire suppressor does not have detection capabilities, whereas the HVAC has detective and corrective powers: it detects the temperature and adjusts it accordingly depending on the settings. So the correct answer is C.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
C. An HVAC system. An HVAC (heating, ventilation, and air conditioning) system can provide both detective and corrective controls for thermal regulation. The system is designed to detect changes in temperature and adjust the airflow and temperature accordingly.
If the temperature goes beyond a certain threshold, the system can trigger an alarm or alert to notify the appropriate personnel. The HVAC system can also take corrective action to regulate the temperature by adjusting the airflow or turning on a cooling system, for example. A smoke detector and a fire alarm are designed to detect smoke and fire, respectively, and are not directly related to thermal regulation. A fire suppression system is designed to extinguish fires, but it does not provide detective or corrective controls for thermal regulation. Guards can provide physical security but are not directly related to thermal regulation.
upvoted 2 times

Mkoenig69 9 months ago
Selected Answer: C
Fire suppression systems are designed to extinguish fires and prevent them from spreading, but they do not provide any thermal regulation.
upvoted 2 times

MasterControlProgram 9 months, 2 weeks ago
Selected Answer: C
C. An HVAC system would provide the best detective and corrective controls for thermal regulation. HVAC stands for Heating, Ventilation, and Air Conditioning, and it helps to maintain a comfortable temperature and humidity level inside a building. It can detect and correct issues related to temperature, such as too hot or too cold, and provide a way to regulate it through heating or cooling systems. Smoke detectors, fire alarms, fire suppression systems, and guards are designed to detect and prevent fire-related incidents and may not be effective in regulating temperature.
upvoted 3 times

hoottfii 10 months, 4 weeks ago
fire suppression is detective and corrective?
upvoted 2 times

assfedassfinished 9 months, 1 week ago
HVAC is a better answer. The odds of a fire are less than the odds of the temperature being 1+ degree hotter/colder than spec. HVAC can detect and correct that.
upvoted 1 times

DALLASCOWBOYS 11 months ago
C. HVAC system. It measures temperature and humidity, and corrects both if the measurements get out of the acceptable ranges.
upvoted 1 times

Blake89 11 months, 2 weeks ago
Selected Answer: C
CompTIA Study Guide book: "HVAC systems ensure that the processes or systems are at the proper temperature and humidity."
upvoted 3 times

Boubou480 12 months ago
Selected Answer: C
C. An HVAC system would provide the best detective and corrective controls for thermal regulation. An HVAC (heating, ventilation, and air conditioning) system can detect deviations in temperature and adjust accordingly to maintain a comfortable and safe range. It can also alert maintenance staff if there is a problem that needs to be corrected.
upvoted 2 times

jhfdkjshfkjdsho 1 year ago
Selected Answer: D
A fire suppression system, like a fire sprinkler system, is used to extinguish or control fires, and is activated by heat, smoke, or a combination of the two. However, a fire suppression system uses gaseous, chemical, or foam fire suppression agents to suppress the fire, rather than water. So, it is a detective and corrective system
upvoted 1 times

Blake89 11 months, 2 weeks ago
Lol just stop it. The answer is C
upvoted 2 times

PraygeForPass 11 months, 4 weeks ago
Thermal regulation isn't just fires/smoke. It can be extremely cold or humid in a building for example. A fire suppression system won't help with that.
upvoted 3 times

nul8212 1 year ago
Selected Answer: D
This answer covers both parts of the question.
upvoted 1 times

FMMIR 1 year ago
Selected Answer: C
An HVAC system would provide the best detective and corrective controls for thermal regulation. An HVAC (heating, ventilation, and air conditioning) system is a type of building management system that is used to control the temperature, humidity, and air quality within a building.
HVAC systems typically include sensors that can detect changes in temperature, and control mechanisms that can adjust the heating or cooling output to maintain a comfortable and safe environment. This provides both detective and corrective controls for thermal regulation, as the sensors can detect deviations from the desired temperature range, and the control mechanisms can automatically adjust the heating or cooling output to correct the problem. Options A, B, D, and E do not provide the same level of control for thermal regulation as an HVAC system. A smoke detector and fire alarm can detect fires, but they do not provide the same level of control over the temperature within a building. A fire suppression system can extinguish fires, but it does not provide any control over the temperature. Guards do not provide any control over the temperature.
upvoted 2 times

babyzilla 1 year, 1 month ago
Selected Answer: C
Remember corrective and detective are AFTER an incident occurs. The fire suppression system would kick in after a fire happened... I highly doubt that this is what the question is referring to. On the other hand, in order for an HVAC system to activate, a simple thermal change has to happen. Just like at home, you set your thermostat to heat or cool and set a temp. If it goes below or above your set temp, then the system will kick on.
upvoted 3 times

Topic 1 Question #130
Which of the following is a benefit of including a risk management framework into an organization's security approach?
A. It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner.
B. It identifies specific vendor products that have been tested and approved for use in a secure environment.
C. It provides legal assurances and remedies in the event a data breach occurs.
D.
It incorporates control, development, policy, and management activities into IT operations.
Correct Answer: D
Community vote distribution D (90%) 10%

cyberPunk28 3 weeks ago
Selected Answer: D
D. It incorporates control, development, policy, and management activities into IT operations.
upvoted 1 times

predsednik 4 months, 4 weeks ago
Selected Answer: D
A risk management framework incorporates various control, development, policy, and management activities into an organization's IT operations. It provides a structured approach to identifying and managing risks, which includes defining risk appetite, risk assessment methodologies, risk treatment strategies, and risk monitoring and reporting.
upvoted 1 times

ApplebeesWaiter1122 5 months, 2 weeks ago
Selected Answer: D
A risk management framework incorporates various control, development, policy, and management activities into an organization's IT operations. It provides a structured approach to identifying and managing risks, which includes defining risk appetite, risk assessment methodologies, risk treatment strategies, and risk monitoring and reporting. By integrating these activities into IT operations, the organization can effectively manage and mitigate risks, ensuring a more secure and resilient environment.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
Including a risk management framework into an organization's security approach helps to integrate various aspects of security, including control implementation, development practices, policy creation, and management activities. A risk management framework provides a structured and systematic approach to identify, assess, and mitigate risks, ensuring that security measures are well-coordinated and aligned with the organization's goals and objectives.
upvoted 1 times

LeonardSnart 7 months, 3 weeks ago
Selected Answer: D
"Risk Management Framework (RMF) A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations" - Jason Dion CompTIA Security+ Study Notes
upvoted 3 times

Yawannawanka 8 months, 2 weeks ago
D. It incorporates control, development, policy, and management activities into IT operations. Including a risk management framework into an organization's security approach has several benefits, including incorporating control, development, policy, and management activities into IT operations. A risk management framework provides a structured and systematic approach to identify, assess, and manage risks to an organization's information systems and assets. It allows the organization to prioritize risks and allocate resources accordingly, which can lead to more effective and efficient security measures. Option A is related to service level agreements (SLAs) and supply chain management, which are not directly related to a risk management framework. Option B is related to vendor management and procurement, which are important components of a security program but not directly related to a risk management framework. Option C is related to legal compliance and liabilities, which are important but not directly related to a risk management framework.
upvoted 2 times

assfedassfinished 9 months, 1 week ago
Selected Answer: D
Which of the following is a benefit of including a risk management framework into an organization's security approach? - D. There are no legal assurances or remedies provided at all by the framework itself.
Neither is that included in the org's security approach. The product of the RMF's incorporation into the org's security approach would provide those things.
upvoted 1 times

Omi0204 10 months ago
Answer is C. A strong risk management framework can offer organizations a number of key benefits, such as protection of assets, reputation management, and the optimization of data management. A risk management framework can also provide protection against losses of competitive advantage, legal risks, and business opportunities.
Benefits of Risk Management Framework: A risk management framework helps protect against potential losses of competitive advantage, business opportunities, and even legal risks.
upvoted 3 times

DALLASCOWBOYS 11 months ago
D is the best answer given.
upvoted 2 times

[Removed] 1 year, 1 month ago
Selected Answer: D
I would go with D. There is nothing about legal assurance in the books I read. Risk management is about identifying vulnerabilities and threats in your company, to help you mitigate them, so your company can run smoothly.
upvoted 4 times

deeden 1 year, 1 month ago
Selected Answer: C
Agree with C. RMF goes beyond IT Operations and Supplier/Vendor management.
upvoted 1 times

passmemo 1 year, 2 months ago
Selected Answer: D
An effective risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.
upvoted 2 times

skorza 1 year, 3 months ago
Is it not A, as the benefit is "to ensure system outages are remediated in a timely manner"?
upvoted 2 times

studant_devsecops 1 year, 3 months ago
Selected Answer: C
I believe the keyword is the reference to legal. Does anyone think the same?
upvoted 1 times

[Removed] 1 year, 3 months ago
Where is it referencing "legal"?
upvoted 3 times

Gino_Slim 1 year, 2 months ago
It doesn't. Idk where they got that from.
upvoted 3 times

RonWonkers 1 year, 3 months ago
Selected Answer: D
I agree with D
upvoted 4 times

Topic 1 Question #131
An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?
A. Development
B. Test
C. Production
D. Staging
Correct Answer: B
Community vote distribution: D (93%), 5%

bitezadusto Highly Voted 9 months, 2 weeks ago
remember this: Don't Throw Sausage Pizza
Development >> Testing >> Staging >> Production
upvoted 34 times

8c55165 10 hours, 44 minutes ago
Love this, thank you!
upvoted 1 times

BigIshai 5 months ago
The full acronym would be Development >> Testing >> Staging >> Production >> Quality Assurance. Don't Throw Sausage Pizza Quickly! lol (source: page 252, CompTIA+ SY0-601: Get Certified Ahead, Darril Gibson)
upvoted 3 times

Samsonite363 Highly Voted 11 months, 1 week ago
Selected Answer: D
Development > Testing > Staging > Production
upvoted 13 times

FancyLady01 Most Recent 3 months, 1 week ago
Answer is D. The keyword here is "deployed". The answer is in the question.
upvoted 2 times

RevolutionaryAct 4 months, 4 weeks ago
Hm, I am wondering if testing is indeed the right answer https://www.pagerduty.com/resources/learn/software-development-life-cycle/
upvoted 1 times

cybertechb 2 weeks, 1 day ago
the prior stage to operational (production stage) is the staging, where it is deployed for final validation
upvoted 1 times

predsednik 4 months, 4 weeks ago
Selected Answer: D
Development >> Testing >> Staging >> Production
upvoted 1 times

sujon_london 5 months ago
Selected Answer: B
This is a very critical question to answer; in my understanding and research through the wording of the question, I have concluded precisely with B.
Development: This is where patches are created and initial testing might occur.
Test: Patches are thoroughly tested in this environment to identify any issues or conflicts before moving to the next stage.
Staging: Patches are deployed to a staging environment that closely resembles the operational environment. This allows for final testing and verification and validation for the final stage before deployment.
Production: Once patches have successfully passed testing in the staging environment, they are deployed to the operational or production environment for regular use.
The confusion here may be between resemblance to the final product and testing before deploying into the operational environment. Patches are thoroughly tested indeed at the testing stage, not the staging stage.
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: D
In the software development lifecycle, the staging environment serves as a final testing and validation phase before deploying changes to the production environment. It closely mirrors the production environment, allowing organizations to assess the impact of changes and ensure everything works as expected before going live. Once patches have been thoroughly tested in the staging environment and any potential issues have been addressed, they can then be deployed to the production environment for regular use.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
The staging environment is the environment where patches and updates are deployed just before they are put into an operational status. It serves as a final step before deploying changes to the production environment, allowing organizations to validate the changes in a controlled setting and ensure that they work as expected before going live.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
D. Staging.
Staging is the environment in which patches will be deployed just prior to being put into an operational status. The staging environment is intended to replicate the production environment as closely as possible and is used to test changes, including patches, before they are implemented in the production environment. The development environment is used for developing and testing new features and functionality. The test environment is used to test the software or patches in a controlled environment before being moved to the staging environment. The production environment is the live environment where the system is used by end-users.
upvoted 1 times

assfedassfinished 9 months, 1 week ago
Selected Answer: D
If the patches are already developed and tested, but not yet deployed to the operational status, then the environment just before that is staging.
upvoted 1 times

Omi0204 9 months, 4 weeks ago
A staging environment is very similar to a production environment, but it is used for testing purposes before the application is launched in production. This environment tries to simulate as much as possible the final production environment, so tests in staging are more accurate than tests done in development.
upvoted 1 times

GRIM95 9 months, 4 weeks ago
I just read that staging is before every single one of these steps and testing is right before an operational environment?
upvoted 1 times

Omi0204 10 months ago
patches are developed and tested before being deployed: It means patches have already passed through the development and test environments. So the third is the stage environment before production (operational environment). Development -> Test -> Stage -> Production (Operational)
upvoted 1 times

DALLASCOWBOYS 11 months ago
D. Staging is the step right before production
upvoted 2 times

Comicbookman 11 months, 2 weeks ago
A staging environment is the last step before something goes into production and is visible on the live site.
A staging site’s main purpose is to ensure that all new changes deployed from previous environments are working as intended before they hit the live website. By using a staging site and testing everything before deploying to a live website, you will be able to eliminate bugs and issues, so they never affect the user. Sometimes this process is referred to as quality assessment (QA).
upvoted 2 times

Boubou480 12 months ago
Selected Answer: D
D. Staging
The staging environment is where patches are deployed just prior to being put into an operational status. It is a test environment that closely resembles the production environment, and it is used to ensure that patches are working correctly before they are deployed to the production environment. The development environment is where new patches are developed and tested before they are ready to be deployed to a test environment. The test environment is where patches are tested to ensure that they are working correctly before they are deployed to the staging environment. The production environment is the live operational environment where patches are deployed once they have been tested and approved.
upvoted 1 times

Capt_Mundo 1 year ago
Selected Answer: C
I think it's C, as it is stated in the question "Which of the following is the environment in which patches will be deployed". The patches are being deployed during TESTING; however, in STAGING patches have already been deployed and tested, it's for observation of whether deployment to Production is feasible.
upvoted 2 times

Capt_Mundo 1 year ago
I stand corrected, B is my answer due to the reasons above.
thanks
upvoted 1 times

Topic 1 Question #132
During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?
A. The forensic investigator forgot to run a checksum on the disk image after creation.
B. The chain of custody form did not note time zone offsets between transportation regions.
C. The computer was turned off, and a RAM image could not be taken at the same time.
D. The hard drive was not properly kept in an antistatic bag when it was moved.
Correct Answer: B
Community vote distribution: B (68%), A (31%)

Dachosenone Highly Voted 1 year, 4 months ago
Selected Answer: B
The question states that a trial Judge determined evidence gathered from a hard drive was not admissible. It is obvious that this is a legal matter. All of the remaining answers are of a technical nature, so consequently the only issue that a Judge can rule on is a Chain of custody issue. So, ladies and gentlemen, I rest my case (quickly bangs a gavel upon the desk)
upvoted 49 times

rline63 4 months, 1 week ago
I'm confused by this. The checksum verifies the integrity of the file and confirms the evidence has not been tampered with. In my mind, it's almost like a police station creating a written document about what the evidence is before putting it into evidence. Without it, the evidence could have been modified and no one would know. I'm not saying the time isn't important, it is, but the gaps could be filled by looking at the physical location of the drive in correlation with the time documented. I feel like both are correct though and I struggle to identify one that seems more correct.
upvoted 2 times

Kurt43 3 months, 2 weeks ago
The question did not mention transport or time zones. It only mentioned the HDD not being admissible.
Why would we assume a scenario that wasn't described?
upvoted 3 times

Luuke 10 months, 1 week ago
Any video evidence ingested must include time stamp and time zone in order to convict - I used to run evidentiary collection for a 3 letter agency. These video drives had to be finalized in order to make them read-only as well.
upvoted 3 times

Yaakb 4 months, 4 weeks ago
I perfectly agree with Dachosenone
upvoted 1 times

Ay_ma Highly Voted 1 year, 3 months ago
Selected Answer: B
If you read through the forensics chapter in Darril Gibson's (Ebook PG. 779) Sec+ guide, Option B will make sense to you. Chain of Custody is one of the important parts of forensics, cause someone has to take responsibility for protecting the evidence. Your evidence also always has to show exact dates. And in this question, the evidence needed to be transported to multiple geographical locations before it got to the judge. So if there's a mismanagement of dates and times, it won't be legally admissible in court, cause 2 rules have been violated.
upvoted 14 times

Kurt43 3 months, 2 weeks ago
The question did not mention transport or time zones. It only mentioned the HDD not being admissible. Why would we assume a scenario that wasn't described?
upvoted 3 times

Frogalicious 1 month, 4 weeks ago
Nor does it mention a forensic investigator, so let's not assume that's who gathered the evidence... Not very solid reasoning in my opinion.
upvoted 1 times

8c55165 Most Recent 10 hours, 38 minutes ago
I so badly want "A" to be the answer, but how would the Judge know the data was checked or tampered with? The only thing the judge can prove is things that are documented, which is the dates and times of the transport of evidence.
upvoted 1 times

Jahania 17 hours, 26 minutes ago
Looked at A at first, but upon research I found it's B.
Chain of Custody is a very important factor to consider when a Judge gets involved.
upvoted 1 times

Russchim01 2 weeks, 6 days ago
Selected Answer: C
RAM image: When a computer is turned off, volatile data stored in RAM (Random Access Memory) is lost. Taking a RAM image alongside the hard drive image is crucial for capturing the complete state of the computer at the time of seizure, including any potentially incriminating data stored in RAM.
upvoted 1 times

Moobled 1 month, 2 weeks ago
Selected Answer: A
I thought B, but then I will go with A. If the investigator forgot to run a checksum after creation, then how can the hard drive be admissible if there's no way to guarantee the integrity? If the chain of custody form has the date/time but not the date/time offsets between transportation regions, as it specifically mentioned, then I believe the integrity of the HDD is more important. The time/date offset is to ensure the difference between local time and the UTC of each person who handles the data. If the answer said just date and time then it could be either / both answers. In this case it is both, but it says 'BEST' so I would go with A.
upvoted 3 times

IGasset 2 months, 1 week ago
Selected Answer: B
If the Judge determined that evidence gathered from a hard drive was not admissible, the most likely reason would be related to the handling, preservation, or authenticity of the hard drive data. Given the options provided, the closest explanation would be B. The chain of custody form did not note time zone offsets between transportation regions. Proper documentation of the chain of custody is crucial in legal proceedings to maintain the integrity of the evidence.
If there are discrepancies in the documentation, such as not noting time zone offsets, it can raise concerns about the integrity and handling of the evidence, potentially leading to its inadmissibility in court.
upvoted 1 times

Rowdy_47 2 months, 1 week ago
Selected Answer: A
I guess most of us are speculating here, as we have no experience with legal matters. I think @Boubou480 explains it really well. Again, IMO it doesn't really matter who had the drive; it could have been lost and then found again, if the hash matches the integrity is intact and the evidence is good. Even if the chain of custody is 100% documented but the hash has changed, the evidence will be inadmissible.
upvoted 2 times

Thetarzangod 3 months, 1 week ago
Selected Answer: B
B makes sense
upvoted 1 times

examcrammer 3 months, 1 week ago
Selected Answer: A
This question has nothing to do with physical hardware submission (chain of custody for the hdd), but everything to do with the data that was forensically gathered and submitted to the court of law. Any data, to be deemed admissible, must match a hash the court generates against the data (not the HDD) and match the hash submitted as part of the evidence.
upvoted 2 times

Nikamy 5 months, 1 week ago
Selected Answer: B
I choose B
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: B
The chain of custody is a critical document that tracks the handling and movement of evidence from the time it is collected until it is presented in court. It includes details such as who had custody of the evidence, when it was collected, transported, and stored, and any changes or alterations made to it. If the chain of custody is not properly maintained, it can cast doubt on the integrity and authenticity of the evidence, leading to its exclusion from the trial.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
The chain of custody is a critical aspect of handling digital evidence.
It is a documentation process that tracks the movement and handling of evidence from the time it is collected until it is presented in court. If the chain of custody is not properly maintained, it can lead to the evidence being deemed inadmissible in court, as it may cast doubt on the integrity and authenticity of the evidence. In this case, the judge determined that the evidence gathered from the hard drive was not admissible because the chain of custody form did not properly note the time zone offsets between transportation regions, raising concerns about the handling and integrity of the evidence during its movement. Let me explain why option A is incorrect. Option A states that the forensic investigator forgot to run a checksum on the disk image after creation. While running a checksum on the disk image is a good practice to verify the integrity of the data, it is not the reason for the judge determining the evidence as inadmissible.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
A checksum is a value calculated from the data in a file to ensure that it has not been altered or corrupted during storage or transmission. It is used to verify the integrity of the data and detect any changes or errors. However, the absence of a checksum alone does not make the evidence inadmissible in court. The judge's decision to determine the evidence as inadmissible is most likely due to a breach in the chain of custody, as mentioned in option B. The chain of custody is a legal concept that ensures the proper handling and control of evidence, documenting each person who had access to the evidence, the time of access, and any changes made to it. If there are any issues or gaps in the chain of custody documentation, it can cast doubt on the integrity and authenticity of the evidence, leading to it being deemed inadmissible in court.
In summary, the lack of a checksum on the disk image, as mentioned in option A, might be a procedural oversight, but it is not the primary reason for the evidence being considered inadmissible. The more critical concern is the proper maintenance of the chain of custody, as highlighted in option B.
upvoted 2 times

jb844 7 months ago
"A" going against the grain. Even lawyers can tell there is a time difference between cities in the US and international. From: https://www.sans.org/blog/law-is-not-a-science-admissibility-of-computer-evidence-and-md5-hashes/
Could you get electronic evidence admitted without hashing? Yep. Will hashing help admissibility of my evidence? Certainly, but it is not legally required. What if someone brings up collisions in court? Again, usually an attempt to confuse the jury. But you can turn this on them by stating that it is more likely that before showing up for jury duty, all the jurors randomly put the same 7 numbers into the Powerball Lottery and won. That has a much greater chance of happening than a naturally occurring collision. (Thanks to Scott Moulton for that great analogy). With folks being prosecuted on partial fingerprint matches or eye witness testimony from a guy driving by in a car at 30 MPH, do we really think this is a show stopper for courts?
I think not noting EST, CST or other is irrelevant; WHERE it came from will be center stage (city, state, country). Offset is not needed in my humble opinion. Hash is the most relevant.
upvoted 1 times

fouserd 8 months ago
Selected Answer: B
The most likely reason for the judge to determine that evidence gathered from a hard drive was not admissible is B. The chain of custody form did not note time zone offsets between transportation regions. The chain of custody is a record of the handling and storage of evidence, including details such as who had access to the evidence, when it was accessed, and how it was transported.
If the chain of custody form did not accurately record the time zone offsets between transportation regions, it could cast doubt on the integrity and reliability of the evidence, leading the judge to rule it inadmissible.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
B. The chain of custody form did not note time zone offsets between transportation regions.
The judge likely determined that the evidence gathered from the hard drive was not admissible due to a lack of proper documentation of the chain of custody. The chain of custody refers to the chronological documentation that records the handling and movement of evidence from the time it is collected until the time it is presented in court. The documentation must include detailed information, such as the date, time, location, and individuals who had custody of the evidence. In this case, the chain of custody form did not note time zone offsets between transportation regions. This could indicate that the chain of custody was not properly documented or that there were inconsistencies or gaps in the documentation, which could compromise the integrity of the evidence. As a result, the judge may have determined that the evidence was not admissible in court. Options A, C, and D are not directly related to the admissibility of evidence and are not likely to be the reason why the judge determined the evidence to be inadmissible.
upvoted 1 times

Topic 1 Question #133
An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions?
A. FRR
B. Difficulty of use
C. Cost
D. FAR
E. CER
Correct Answer: E
Community vote distribution: D (52%), E (44%), 5%

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: E
Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology. Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.
upvoted 54 times

cybertechb 2 weeks, 1 day ago
FAR measures the likelihood of the biometric system incorrectly accepting an unauthorized user as a legitimate one. Organizations with a high emphasis on security and stringent access control requirements aim to minimize FAR. A lower FAR means a lower chance of unauthorized users gaining access.
upvoted 1 times

PraygeForPass 11 months, 3 weeks ago
The reason I like FAR (False acceptance rate) is because the company is more focused on making sure unauthorized users will be denied access. They aren't too worried about FRR (False rejection rate) as these users will already have access, so they don't need to focus on comparing both FAR and FRR using CER. That is why I pick D.
upvoted 25 times

kigikik881 3 months ago
so CER is about a compromise between the FAR and FRR.
If you tune the system to be more susceptible, it will increase FRR and decrease FAR, so CER still will be at the same point. I'd go with D. FAR
upvoted 3 times

Danalyst 1 year, 3 months ago
Probably right, I chose D. FAR, but the question is worded strangely, 'what should they compare against?' CER would be more useful.
upvoted 6 times

comeragh Highly Voted 1 year, 3 months ago
Selected Answer: D
"with the highest likelihood that an unauthorized user will be denied access" - I would think this is D (False Acceptance Rate).
upvoted 33 times

Gino_Slim 1 year, 2 months ago
I hope you didn't select this on the exam...
upvoted 5 times

DriftandLuna 5 months, 1 week ago
why not? It's the correct answer. Read it carefully, the question is not about overall accuracy, it is about ensuring unauthorised entry is not permitted.
upvoted 6 times

Mperor 1 year, 1 month ago
lo. you funny
upvoted 5 times

zzzfox 1 year, 3 months ago
False Acceptance Rate means the likelihood that an unauthorized user will be accepted (Acceptance)...
upvoted 5 times

NICKJONRIPPER 1 year, 1 month ago
make this rate close to 0 to achieve the goal.
upvoted 5 times

Jahania Most Recent 17 hours, 22 minutes ago
"highest likelihood that an unauthorized user will be denied access" D is the correct answer. Don't overthink. They don't want a balanced system according to the question. They are trying to reject the person who is unauthorised.
upvoted 1 times

12f1a9a 6 days, 1 hour ago
In order to keep CER low you have to work on keeping FAR low, isn't it? So the company should focus on FAR. CER will be low automatically. ??
upvoted 1 times

Trickster_ATK 1 week, 1 day ago
Selected Answer: D
The highest likelihood means it doesn't need the best solution, just the lowest acceptance.
upvoted 1 times

Jacksoms 1 month ago
Selected Answer: E
It is CER indeed
upvoted 1 times

Petercx 1 month ago
Selected Answer: D
The organization should use D. FAR (False Acceptance Rate) to compare biometric solutions if they want to implement a system with the highest likelihood that an unauthorized user will be denied access. The False Acceptance Rate (FAR) is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. A lower FAR means the system is less likely to grant access to unauthorized users, which is what the organization is aiming for in this case.
upvoted 1 times

rasadebayor 1 month, 3 weeks ago
based on the question, FRR is the answer.
upvoted 1 times

fercho2023 3 months ago
Hi there, if we agree on this definition "A comparison metric for different biometric devices and technologies; the error rate at which FAR equals FRR. The lower the CER, the more accurate and reliable the biometric device. The point at which the false acceptance rate (FAR) equals the false rejection rate (FRR)", then the CER option makes more sense.
upvoted 1 times

Jacob_Kramer1995 4 months, 1 week ago
Which of the following should the organization use to "compare" biometric solutions. = CER
upvoted 2 times

rline63 4 months, 1 week ago
Selected Answer: D
CER is the best way to minimize errors in these systems. With this in mind, you can skew the errors in one direction if it is beneficial. In a high security system, it would be better for a legitimate request to be denied than a malicious request to be accepted. This is why it is better in the context of this question to focus on minimizing the false acceptance rate.
upvoted 2 times

sarah2023 4 months, 2 weeks ago
Selected Answer: D
D. FAR, as the accent is on preventing unauthorised access rather than overall accuracy.
From the question I don't get the sense of them caring if someone would falsely get denied access if it's for the sake of making sure the person is legitimate.
upvoted 3 times

ja1092m 4 months, 2 weeks ago
I'd go with D. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system, because they asked what would be used to compare biometrics.
upvoted 1 times

LetsDiscuss23 4 months, 3 weeks ago
Selected Answer: D
It is D
upvoted 1 times

predsednik 4 months, 4 weeks ago
Selected Answer: D
FAR (False Acceptance Rate) The False Acceptance Rate (FAR) measures the probability that an unauthorized user is incorrectly granted access. A lower FAR indicates a system that is less likely to accept unauthorized users, which aligns with the organization's goal of denying access to unauthorized users. Therefore, FAR is the most relevant metric for this specific objective.
upvoted 1 times

DriftandLuna 5 months, 1 week ago
They are not asking about the accuracy of the system, they are asking which of these options will most likely reject an unauthorised user. FAR is the false acceptance rate, that is all the question is concerned about, not overall accuracy. Therefore the answer is D
upvoted 1 times

Nikamy 5 months, 1 week ago
Selected Answer: D
I choose D
upvoted 1 times

Topic 1 Question #134
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident.
An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak?
A. User training
B. CASB
C. MDM
D. DLP
Correct Answer: A
Community vote distribution: D (59%), A (22%), Other

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: D
This would be handled perfectly by a DLP agent installed on those COPE devices.
upvoted 29 times

Peshokp 3 weeks, 6 days ago
The corporate network was not breached, but if the COPE device doesn't have MDM they can connect to a guest network where there is no COPE or DLP and upload the documents to the cloud. Also it says documents, but if the insider threat was taking pictures with the COPE tablet and then uploading the pictures to the cloud, DLP or CASB will not detect the pictures because they are not labeled.
upvoted 1 times

sujon_london 5 months ago
DLP is a valid choice, but what on earth, where the cloud is involved in this particular situation, why should we go over CASB rather than DLP? CASB is the well-suited answer in this particular situation. As an insider threat persisted, A user training would not be adequate/effective.
upvoted 1 times

Warza Highly Voted 1 year, 3 months ago
Selected Answer: A
The first sentence legitimately tells you that they labeled the data properly for DLP and that the email system has no logs of DLP incidents. The user downloaded it themselves and shared it manually through a cloud provider. This can be remedied with user training.
upvoted 19 times

Orean 1 year, 1 month ago
Just because they labeled it doesn't mean they're already used in a DLP solution. Top-secret documents were a thing well before the advent of the Digital Age and were labeled accordingly. User-training seems implausible because the user seems to be doing this deliberately by sharing it with competitors, meaning they're probably incorrigible in that regard.
upvoted 7 times zzzfox 1 year, 3 months ago Disagree, "passed to the competitor" indicate this person could be insider threat, user training wouldn't help at all. upvoted 29 times sujon_london 5 months ago It could be even hacker hacked COPE tablet and downloaded then passed to competitor. Here bit gray area not clear wording upvoted 1 times RonWonkers 1 year, 3 months ago zzzfox has a good point upvoted 1 times Sezz 1 year ago User Training does not make sense here. Trained user could also send this kind of sensitive or important infos or files by mistake. Cos of this we have DLP. upvoted 1 times deeden 1 year, 3 months ago Yeah... not sure how effective DLP is on personally enabled devices, especially when users have access to Yahoo or Gmail. https://www.examtopics.com/exams/comptia/sy0-601/view/ 315/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics upvoted 1 times andrizo 1 year, 2 months ago its a cope device upvoted 3 times AceVander Most Recent 3 weeks, 1 day ago The question says: "The company took special precautions by using proper labels;" Isn't this a hint that they were already using DLP? "The documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage." This means MDM is already enabled but DLP isn't scanning downloaded documents passed via the cloud. Why couldn't B. CASB be the answer? upvoted 2 times Peshokp 3 weeks, 6 days ago Selected Answer: C All this answers are correct but in this scenario I`ll think of the first step need to be done, securing the device with MDM.Even saying COPE device we can't assume that MDM is implemented when Comptia giving MDM as a answer. Mobile Device Management is useful for managing and securing mobile devices in an organization. COPE device must be implemented with MDM without properly secured the device , non of the DLP or COPE can stope leaking of data. 
Imagine that scenario: "A document has been downloaded on a COPE device; CASB or DLP allows it to download because it is a COPE device. The user disconnects the device from the company network and connects to a hotspot or guest network (bypassing COPE & DLP) and uploads the document to the cloud." MDM can restrict that connection outside the company network so DLP or CASB restrict the data leak.
upvoted 1 times

sarah2023 3 months, 1 week ago
https://www.examtopics.com/discussions/comptia/view/119676-exam-sy0-601-topic-1-question-679-discussion/ -- Same question, DLP isn't an option though
upvoted 2 times

    DChilds 2 months, 1 week ago
    Here is the difference: Q137 asks "BEST remediation for this data leak?", which would be a DLP. Q679 asks "BEST mitigation strategy to prevent this from happening in the future?" In this case, it is CASB.
    upvoted 1 times

mainskrillz 3 months, 2 weeks ago
ANSWER IS CASB, DLP WAS NOT IN THE OPTIONS FOR ME
upvoted 8 times

RogerW 4 months ago
I believe it is DLP and not CASB. DLP is installed on the COPE. CASB is placed between the cloud and COPE. Since the user uploaded the file to cloud storage for a competitor, one has to assume that it is not the company's cloud storage. CASB would only be valid if the competitor had access to the same cloud. I think not.
upvoted 3 times

    TheExile 3 weeks, 6 days ago
    A CASB agent can broker connections to all cloud applications, not necessarily just those incorporated into your organization. CASB also can include DLP technology and prevent data exfiltration to unsanctioned cloud applications.
    upvoted 1 times

TOMSLICK 4 months, 1 week ago
DLP is the BEST for data leaks.
upvoted 1 times

gho5tface 4 months, 2 weeks ago
Key sentence: "but documents were downloaded from an employee's COPE tablet"
upvoted 1 times

gho5tface 4 months, 2 weeks ago
D. DLP
upvoted 1 times

Yaakb 4 months, 4 weeks ago
D. First of all, I agree with those who are saying the employee passed this info or data on purpose. So it wasn't that the employee didn't know what he was doing. So user training wouldn't be a good option in this scenario.
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: B
The BEST remediation for the data leak described in the scenario would be to implement a CASB (Cloud Access Security Broker) solution. CASB can provide visibility and control over cloud services and applications, including the ability to enforce security policies, detect and prevent data exfiltration, and monitor user activities in cloud environments. By implementing CASB, the company can gain better control over data stored in cloud services and prevent unauthorized access and data leakage, such as what occurred when proprietary information was leaked to a competitor via cloud storage. CASB can help address the security and data protection challenges associated with using cloud services and reduce the risk of future data breaches.
upvoted 4 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
If the data was indeed labeled and the leak still occurred, it would suggest that a Data Loss Prevention (DLP) solution might already be in place, but it did not effectively prevent the data leak. Given that the data was downloaded from an employee's COPE tablet and passed to the competitor via cloud storage, it's possible that the existing DLP solution was not configured to detect or block such data transfers. In this case, the most appropriate remediation would be to reevaluate and enhance the current DLP configuration to include monitoring and blocking data transfers to unauthorized cloud storage services. In summary, the correct answer would be: D. DLP (Data Loss Prevention). By improving the DLP configuration to better detect and prevent unauthorized data transfers, the organization can reduce the risk of future data leaks and enhance the protection of its proprietary information.
upvoted 1 times

Dan_26 7 months, 2 weeks ago
A well-trained user accidentally passing on sensitive info? Same result as a hacker doing it deliberately. You need to prevent both scenarios, so it's DLP.
upvoted 1 times

Kaps443 8 months, 1 week ago
Selected Answer: D
The BEST remediation for this data leak is to implement a Data Loss Prevention (DLP) solution. A DLP solution can help prevent sensitive data from being copied, downloaded, or transmitted to unauthorized destinations. It can also detect and alert on suspicious activities related to data access and exfiltration. User training, Cloud Access Security Broker (CASB), and Mobile Device Management (MDM) are all important security measures, but they cannot prevent data leakage as effectively as a DLP solution.
upvoted 2 times

MorganB 8 months, 1 week ago
Passed my exam 27 April 23. This question was on my test, worded differently, but the answer is the same.
upvoted 2 times

mosher21 8 months, 2 weeks ago
Selected Answer: B
This exact question was somewhere else and all options were the same except DLP. It had EDR instead of DLP. So considering this, neither DLP nor EDR are correct. User training is definitely not correct since this is clearly an insider threat. So what we've got are CASB and MDM. I go with CASB because it provides visibility over who accesses the cloud and what they are doing, etc.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
D. DLP (Data Loss Prevention). Data Loss Prevention (DLP) is the best remediation for this data leak, as it is designed to identify, monitor, and protect sensitive data in use, in transit, and at rest.
In this scenario, the data leak occurred when the proprietary information was downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. DLP can help prevent data loss by monitoring and controlling how data is being used, identifying sensitive data and its location, and setting policies to prevent data exfiltration. Option A, user training, is important but not sufficient to prevent data loss. Even with proper training, employees may still inadvertently or intentionally leak sensitive information. Option B, CASB (Cloud Access Security Broker), can provide visibility and control over cloud services to detect and prevent data leaks, but it may not be sufficient in this scenario where the data was downloaded from a COPE tablet. Option C, MDM (Mobile Device Management), can help manage and secure mobile devices in the enterprise, but it may not prevent data leaks if the data is accessed through cloud storage.
upvoted 2 times

Topic 1 Question #135
An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place?
A. On-path attack
B. Protocol poisoning
C. Domain hijacking
D. Bluejacking
Correct Answer: A
Community vote distribution: A (83%), C (17%)

Josh_Feng (Highly Voted) 1 year, 4 months ago
Selected Answer: A
On-path attack is often known as man in the middle.
upvoted 13 times

    banditring 1 year, 4 months ago
    I was getting confused as to what an on-path attack is.
    upvoted 5 times

    NerdAlert 9 months, 3 weeks ago
    Just think - the attacker is on the same path as the victim and their destination, just in the middle between them.
    upvoted 5 times

Boubou480 (Highly Voted) 12 months ago
Selected Answer: C
C. Domain hijacking
Domain hijacking refers to the unauthorized acquisition of control over a domain name. In this case, the attacker was able to spoof the IP address associated with the shopping site, which means they were able to redirect traffic intended for the legitimate website to a different website under their control. This allowed the attacker to eavesdrop on the user while they were shopping online and potentially steal their credit card information. An on-path attack is an attack in which the attacker has control over a network along the path between the sender and the receiver. Protocol poisoning is a type of attack in which an attacker modifies a protocol message in an attempt to disrupt or subvert normal communication. Bluejacking is a type of attack in which an attacker sends unsolicited messages to Bluetooth-enabled devices. None of these attacks are directly related to the scenario described in the question.
upvoted 5 times

Kraken84 (Most Recent) 5 months ago
"eavesdropping" LISTENING IN..... MITM.....
upvoted 5 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
In an on-path attack, also known as a Man-in-the-Middle (MITM) attack, the attacker intercepts and relays communication between two parties, making them believe they are communicating directly with each other. The attacker can eavesdrop on the communication and even modify the data transmitted between the parties. In this scenario, the attacker was eavesdropping on the user's online shopping session, and by spoofing the IP address associated with the shopping site, they could intercept the user's communication with the site. The attacker then modified the data, resulting in the user receiving an email regarding unusual purchases on their credit card statement, which the attacker may have initiated.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Based on the information provided, the attack that took place is a: A. On-path attack. In an on-path attack (also known as a man-in-the-middle attack), the attacker intercepts and relays communication between two parties. In this scenario, the attacker eavesdropped on the user's communication with the shopping site and spoofed the IP address to trick the user into thinking they were communicating with the legitimate site while in reality, the attacker was in the middle of the communication. As a result, the attacker was able to obtain the user's credit card information and conduct unauthorized purchases, leading to the unusual credit card statement.
upvoted 1 times

    Protract8593 5 months, 2 weeks ago
    The other options are not applicable to the given scenario: B. Protocol poisoning: This term is not commonly used, and it is not specifically related to the attack described in the scenario. C. Domain hijacking: Domain hijacking typically involves unauthorized changes to a domain's registration settings, which is not mentioned in the scenario. D. Bluejacking: Bluejacking refers to the practice of sending unsolicited messages or data over Bluetooth to a user's mobile device. It is unrelated to the eavesdropping and IP spoofing described in the scenario. Therefore, the correct answer is: A. On-path attack
    upvoted 1 times

MasterControlProgram 9 months, 1 week ago
Selected Answer: A
A. On-path attack. The attacker was able to intercept and manipulate the communication between the user and the shopping site by spoofing the IP address, leading to the interception of the user's credit card information.
upvoted 1 times

Omi0204 10 months ago
Answer is B. DNS hijacking and DNS spoofing/poisoning are types of on-path attack. Now read this: DNS spoofing/cache poisoning: This is an attack where forged DNS data is introduced into a DNS resolver's cache, resulting in the resolver returning an incorrect IP address for a domain. Instead of going to the correct website, traffic can be diverted to a malicious machine or anywhere else the attacker desires; often this will be a replica of the original site used for malicious purposes such as distributing malware or collecting login information. In this question, the IP was spoofed and traffic diverted to the spoofed IP where the attacker had already created a replica copy of the actual website. When the user entered his/her credit card details, they were collected by the attacker, who later used the user's credit card with the collected information to make the purchases, and then the user received the email with the credit card statement.
upvoted 3 times

medulan 10 months, 4 weeks ago
Selected Answer: A
If the victim paid, for example, $50 for shopping and it went to some other account then yes, hijacking, but there were many payments made for different stuff, which suggests someone had his card details, hence on-path attack.
upvoted 1 times

rodwave 1 year, 1 month ago
Selected Answer: A
Answer: On-path attack. An on-path attack (Man in the Middle) occurs when an attacker places themselves between two devices (often a web browser and a web server) and intercepts or modifies communications between the two. In this question, the attacker was eavesdropping on the connection, which means they placed themselves between the user and the shopping site and intercepted the communication. The attacker had likely captured credit card information or account information from the site to be able to make the purchases.
upvoted 3 times

    Bogardinc 11 months, 2 weeks ago
    Are you guys forgetting in the question it states "The attacker was able to spoof the IP address associated with the shopping site"?
    upvoted 2 times

    princajen 10 months ago
    No, spoofing an IP address and hijacking a domain are two different types of attacks. In a domain hijacking attack, the attacker gains control of a domain name and redirects users to a different site that appears to be the legitimate one. In the scenario you described, the attacker spoofed the IP address of the shopping site, which means they sent packets to the user's computer with a false source IP address, making it appear as if the packets were coming from the shopping site. This allowed the attacker to intercept and view the user's traffic, including their credit card information, without the user's knowledge. This is an example of an on-path attack or a man-in-the-middle attack.
    upvoted 5 times

alayeluwa 1 year, 2 months ago
Selected Answer: A
Man in the middle.
upvoted 1 times

ostralo 1 year, 2 months ago
Selected Answer: A
A. FYI, domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.
upvoted 1 times

comeragh 1 year, 3 months ago
Selected Answer: A
"Eavesdropping" - On-Path
upvoted 2 times

KetReeb 1 year, 4 months ago
A: On-path (MITM) - the attacker was eavesdropping on the communications, spoofed the IP of the shopping site that the victim thought was legit, a purchase was attempted, credit info intercepted.
upvoted 4 times

Topic 1 Question #136
A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on-premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would BEST meet the needs of the company?
A. Private cloud
B. Hybrid environment
C.
Managed security service provider
D. Hot backup site
Correct Answer: B
Community vote distribution: B (86%), other options 14%

Confuzed (Highly Voted) 8 months, 3 weeks ago
Selected Answer: B
The important thing to notice is that B is "hybrid ENVIRONMENT" not "hybrid CLOUD". A hybrid environment is a mix of private network and cloud, while a hybrid cloud is a mix of private cloud and public cloud. This company wants to provide services in the cloud, but maintain their existing on-prem environment... that's a hybrid environment.
upvoted 16 times

RonWonkers (Highly Voted) 1 year, 3 months ago
Selected Answer: B
The company does not want to increase its on-premises infrastructure blueprint, it's B.
upvoted 12 times

ApplebeesWaiter1122 (Most Recent) 5 months, 1 week ago
Selected Answer: B
A hybrid environment combines the use of on-premises infrastructure with cloud-based services. In this scenario, the company can maintain its existing on-premises infrastructure blueprint and utilize additional compute power in the cloud as needed. This approach allows the company to scale resources dynamically, paying for the compute power required, without the need to invest in additional on-premises infrastructure.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
A hybrid environment allows the company to take advantage of both on-premises infrastructure and cloud services. It provides the flexibility to use the cloud for additional compute power when needed, without the need to increase the on-premises infrastructure footprint. The company can scale up or down based on demand, and only pay for the additional resources required during peak times, optimizing costs.
upvoted 1 times

SHAKERRAB93 8 months, 2 weeks ago
B. Hybrid. Reason: company employees from different regions need to be able to access the environment - public access. But the company needs to be able to privately utilize the environment and maintain security - private... Idk, thinking out loud, lmk.
upvoted 1 times

z3phyr 9 months, 1 week ago
It's Hybrid. They need to integrate their on-prem infrastructure with the cloud.
upvoted 3 times

MasterControlProgram 9 months, 1 week ago
Selected Answer: A
A. Private cloud
upvoted 2 times

monzie 9 months, 1 week ago
Selected Answer: A
A. Private cloud. A private cloud can provide the company with the ability to dynamically provision and deprovision compute resources based on the current needs of the organization. With a private cloud, the company can avoid the expense of additional on-premises infrastructure while still maintaining full control over the security and management of its data and applications. Additionally, a private cloud can be accessed by authorized personnel from anywhere in the world, making it ideal for a globally distributed workforce.
upvoted 3 times

    examrobo 9 months, 1 week ago
    Do you always pick a different answer?
    upvoted 3 times

medulan 10 months, 4 weeks ago
This cloud is only going to be used by one company, hence it should be Private. It would be Hybrid if they wanted to expand to operate on the public web.
upvoted 1 times

    Ranaer 10 months, 2 weeks ago
    According to Messer: Hybrid cloud is - combination of internal cloud resources with external. This means that B. Hybrid environment fits perfectly for the question.
    upvoted 1 times

    T_dawg 9 months, 4 weeks ago
    Well, either Messer or you are wrong. Hybrid is public and private cloud, not cloud and on-premise.
    upvoted 1 times

    sirpsionics 5 months, 2 weeks ago
    It's hybrid. Not sure why you or anyone else would say otherwise. https://cloud.google.com/learn/what-is-hybrid-cloud
    upvoted 1 times

Boubou480 12 months ago
B. Hybrid environment
A hybrid environment is a cloud computing model that combines on-premises infrastructure with a cloud infrastructure. This type of solution would allow the company to retain control over some of its infrastructure while also taking advantage of the flexibility and scalability of the cloud. This would allow the company to pay for additional compute power as needed and avoid the need to increase its on-premises infrastructure. A private cloud is a cloud infrastructure that is operated solely for a single organization. It is not suitable for a company with employees located around the world because it does not provide the flexibility and scalability of a public cloud. A managed security service provider is a third party that provides security services to an organization. It is not directly related to the company's need to transition to the cloud. A hot backup site is a backup site that is always active and ready to take over in the event of a disaster. It is not related to the company's need to transition to the cloud.
upvoted 3 times

MathDayMan 1 year, 2 months ago
B, it's B.
upvoted 1 times

Topic 1 Question #137
After multiple on-premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time?
A. CASB
B. VPC
C. SWG
D. CMS
Correct Answer: C
Community vote distribution: A (84%), D (16%)

stoneface (Highly Voted) 1 year, 4 months ago
Selected Answer: A
CASB, a better way to keep track across multiple cloud-based security solutions > Open to discussion
upvoted 24 times

    zzzfox 1 year, 3 months ago
    Agree, considering CASB can be deployed on-premises as well as in the cloud.
    upvoted 1 times

Kandy357 (Highly Voted) 11 months, 4 weeks ago
Selected Answer: A
Answer should be CASB. As per CompTIA Sec+ objectives, CMS is a content management system, not a cloud one. The CMP term is used for Cloud Management Platforms.
upvoted 13 times

    shover 11 months, 3 weeks ago
    Thanks, I was just about to say that when I went to look up the acronym in the objectives.
    upvoted 1 times

ApplebeesWaiter1122 (Most Recent) 5 months, 1 week ago
Selected Answer: A
CASB stands for Cloud Access Security Broker, which is a security solution that helps organizations secure data and applications in cloud environments. CASBs act as intermediaries between cloud service users and cloud service providers, providing visibility, control, and security features to monitor and protect data as it moves between the organization's network and cloud services. In the given scenario, the incident response time increased after migrating security solutions to the cloud because analysts are dealing with different cloud consoles and data in various formats. Implementing a CASB can help optimize incident response time by providing a centralized platform to monitor and manage security events across multiple cloud services. CASBs can aggregate logs and events from various cloud platforms, standardize data formats, and provide a single pane of glass for security analysts to investigate and respond to incidents more efficiently.
upvoted 4 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
A Cloud Access Security Broker (CASB) is a security solution specifically designed to provide visibility, control, and data security across multiple cloud services. It acts as an intermediary between an organization's on-premises infrastructure and cloud providers, offering centralized visibility and management of cloud-related security incidents and data. By using a CASB, security analysts can have a single point of access to monitor and manage security events and data across different cloud consoles.
It helps to correlate data in a consistent format, simplifying the incident response process and reducing response times. upvoted 1 times Dutch012 8 months ago Amm, so CASB acts like a SIEM solution but for cloud, Okay good to know. upvoted 4 times Yawannawanka 8 months, 2 weeks ago A Cloud Access Security Broker (CASB) can be used to optimize the incident response time after multiple on premises security solutions are migrated to the cloud. CASBs provide centralized visibility and control over cloud applications and data, allowing analysts to quickly correlate data in a single console and take immediate action to mitigate incidents. Therefore, option A is the correct answer. https://www.examtopics.com/exams/comptia/sy0-601/view/ 323/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics VPC (Virtual Private Cloud) is a cloud networking construct that allows a company to create an isolated private network in the cloud, but it does not optimize the incident response time. SWG (Secure Web Gateway) is a cloud-based security solution that provides protection against webbased threats, but it does not directly address the issue of incident response time. CMS (Content Management System) is a software application that allows for the creation, modification, and publishing of digital content, but it is not a security solution and does not address incident response. upvoted 2 times user82 8 months, 2 weeks ago Why do people keep typing “ago” upvoted 1 times Confuzed 8 months, 3 weeks ago Selected Answer: A I think the answer is CASB, for perhaps a different reason than others. It states that several security systems were moved from on prem to the cloud. It's likely that CASB could REPLACE those systems, providing a single pane of glass for responding to incidents. No other solution is going to consolidate and simplify information from their legacy on prem solutions that they moved to the cloud. 
upvoted 1 times jhfdkjshfkjdsho 11 months ago Selected Answer: A https://www.microsoft.com/en-us/security/business/security-101/what-is-a-cloud-access-security-broker-casb upvoted 1 times mlonz 11 months, 1 week ago A cloud access security broker (CASB) is a software tool or service deployed between an organizations network and the cloud provider. It provides security by monitoring traffic and enforcing security policies. A next generation secure web gateway (SWG) provide proxy service for traffic from clients to Internet sites, such as filtering URLs and scanning for malware. upvoted 2 times Sandon 11 months, 2 weeks ago Selected Answer: D ChatGPT says the answer is D. Configuration management system upvoted 1 times ThreeKings 9 months ago ChatGPT got the answer right (Option A) as of 09Apr23. The point? As a sole or primary source, ChatGPT is not a recommended resouce, however, it is getting better and it serves as another resource that provides good information most of the time. This community provides some of the best information for consideration and ChatGPT is great at expanding what the community recommends. upvoted 2 times ExamLSMotor 11 months, 2 weeks ago ChatGPT wrong bro upvoted 6 times Sandon 11 months, 1 week ago Yes it is upvoted 1 times shover 11 months, 3 weeks ago As per the Comptia SYO-601 Acronym list : CMS: Content management system, not cloud management system. I'm sure Cloud management system is a real thing but according to the Sec+ exam objectives CMS is something totally different. upvoted 3 times Boubou480 12 months ago Selected Answer: D D. CMS A Cloud Management System (CMS) is a tool that helps to manage and monitor cloud resources. It can be used to optimize incident response time by providing a centralized platform for viewing and analyzing data from multiple cloud consoles. 
This can help analysts to more quickly trace information and correlate data, as they do not have to switch between different consoles and deal with data in different formats. A Cloud Access Security Broker (CASB) is a security solution that sits between an organization's on-premises infrastructure and the cloud and helps to secure data in the cloud. A Virtual Private Cloud (VPC) is a virtual network that is dedicated to an organization and isolated from other virtual networks in the cloud. A Secure Web Gateway (SWG) is a security solution that is used to protect an organization's users from internetbased threats. None of these solutions are directly related to optimizing incident response time in the way that a CMS is. upvoted 5 times mike47 1 year ago Selected Answer: A CASB vs SWG CASB is the more optimal solution for multiple on premises security solutions CASB services are explicitly designed to fit the needs of large enterprises https://www.examtopics.com/exams/comptia/sy0-601/view/ 324/487 06/01/2024, 09:03 SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics You can access link and read about it: https://www.gend.co/blog/casb-or-swg-which-is-best-option-for-your-enterprise upvoted 1 times FMMIR 1 year ago Selected Answer: D To optimize the incident response time, the company could implement a Cloud Management System (CMS). A CMS is a tool that allows an organization to manage and monitor all of its cloud-based resources and services from a single, centralized platform. This would enable the analysts to quickly access and correlate data from different cloud consoles and formats, reducing the time and effort required to respond to security incidents. Other solutions such as a Cloud Access Security Broker (CASB) or a Secure Web Gateway (SWG) could also help to improve security in the cloud, but a CMS would be the most effective solution for optimizing incident response time in this scenario. 
A Virtual Private Cloud (VPC) would not be relevant in this context.
upvoted 3 times

FMMIR 1 year ago
The difference between a Cloud Access Security Broker (CASB) and a Cloud Management System (CMS) is that a CASB is a security solution that sits between an organization's on-premises infrastructure and its cloud-based resources and services, while a CMS is a tool that allows an organization to manage and monitor all of its cloud-based resources and services from a single, centralized platform. A CASB can help to improve security by enforcing policies and controls on access to cloud-based resources, but it does not directly affect incident response time. A CMS, on the other hand, can help to optimize incident response time by enabling analysts to quickly access and correlate data from different cloud consoles and formats. Both solutions can be useful in optimizing security in the cloud, but they have different functions and capabilities.
upvoted 5 times

Halaa 1 year, 3 months ago
Selected Answer: A
https://www.instreamcorp.com/wp-content/uploads/2018/11/What-is-CASB.jpg
upvoted 2 times

Halaa 1 year, 3 months ago
(Image)
upvoted 1 times

Halaa 1 year, 3 months ago
CASB provides critical security tools that help with control, monitoring, compliance management, data security and threat protection, which will optimize incident response time.
upvoted 2 times

Yuyuyakuza 1 year, 3 months ago
C. SWG. Deploy SWG as part of a SASE solution: a cloud-based service to inspect traffic and enforce policies without diverting traffic, essentially unlike CASB, which hurts network performance and employee productivity.
upvoted 2 times

Topic 1 Question #138
Which of the following control types would be BEST to use in an accounting department to reduce losses from fraudulent transactions?
A. Recovery
B. Deterrent
C. Corrective
D. Detective
Correct Answer: D
Community vote distribution: D (48%), B (31%), C (21%)

okay123 Highly Voted 1 year, 4 months ago
Detective controls – look for both fraudulent and unintentionally improper transactions after the fact. Examples of detective controls include reconciliations, variance analyses, physical inventories, audits, and continuous monitoring through data analytics.
upvoted 22 times

andrizo Highly Voted 1 year, 2 months ago
Selected Answer: D
Just to break the gridlock.
A - If the bank refunds the transactions
B - If it's an insider threat
C - Rectify skimmed transactions
D - Definitely kibosh insider threats, and most likely to be implemented whether external or internal
upvoted 11 times

8c55165 Most Recent 10 hours, 30 minutes ago
I mean, a corrective can get you back some losses, but you can't guarantee it's gonna be worth the cost. You need to detect fraudulent activity before it happens to save losses.
upvoted 1 times

12f1a9a 6 days ago
It should be deterrent in my opinion. Corrective and detective controls are performed after the fraudulent transaction. To prevent the loss, the control should be before the fraudulent transaction in my opinion.
upvoted 1 times

Jackwasblk 1 month, 2 weeks ago
Selected Answer: D
In the context of reducing losses from fraudulent transactions in an accounting department, the best control type would be: D. Detective. Detective controls are designed to identify and record security events. In the case of fraudulent transactions, a detective control could help in detecting unusual or suspicious financial activities. For example, implementing a system that monitors transaction patterns, uses anomaly detection, or performs regular audits would fall under the category of detective controls. This allows for the timely identification of fraudulent transactions, enabling the organization to take corrective action and minimize losses.
While corrective controls (option C) focus on mitigating damage after a security event, and recovery controls (option A) involve compensating for issues left behind, these may not be as effective in preventing or detecting fraudulent transactions as detective controls. Deterrent controls (option B) aim to deter individuals from committing fraudulent acts, but they may not be as reliable in identifying ongoing or attempted fraudulent transactions.
upvoted 1 times

TheFivePips 2 months ago
Selected Answer: B
I don't think any of the other answers would actually prevent a loss. Preventive controls are the only type of control here that is deployed before the attack happens. All the other answers are reactive.
upvoted 4 times

j904 2 weeks, 3 days ago
I 100% agree... it says to reduce losses, so that would be a deterrent.
upvoted 1 times

ComPCertOn 2 months, 1 week ago
Oh, man :( so confusing now! I chose Deterrent but it seems way harder when looking at all these comments.
upvoted 1 times

ha33yp0tt3r69 2 months, 2 weeks ago
Selected Answer: B
Deterrent controls are designed to discourage individuals from attempting fraudulent activities in the first place. In the context of an accounting department, deterrent controls can include policies, procedures, and measures that create a strong disincentive for employees or others to engage in fraudulent transactions. For example, implementing stringent authorization and approval processes, conducting regular audits, and enforcing strict segregation of duties can deter fraudulent behavior. While detective controls (Option D) can help identify fraudulent transactions after they occur, and corrective controls (Option C) can rectify the situation after a fraudulent transaction has been identified, it's generally more effective to prevent fraud by discouraging it through deterrent controls.
upvoted 3 times

Mez92 3 months, 1 week ago
Selected Answer: B
Deterrent controls will significantly reduce the losses. Why? Since it will discourage threat actors from committing crime, and this will affect not only the current situation but the future transactions as well. Corrective will just correct the current situation, and in some situations recovery of transactions is not possible; detective, from the word itself, will only detect, nothing more, nothing less.
upvoted 1 times

sarah2023 4 months, 2 weeks ago
Selected Answer: C
C. Corrective, because the question is about reducing the loss, not reducing the likelihood of the fraud happening. My understanding is that we talk about a post-attack control. As per the CompTIA official guide: Corrective—the control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack.
upvoted 2 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: B
Deterrent controls are designed to discourage potential attackers or fraudsters from attempting to commit fraudulent activities. In the context of the accounting department, implementing deterrent controls would make it more challenging or risky for individuals to engage in fraudulent transactions, thus reducing the likelihood of such activities occurring in the first place. Examples of deterrent controls could include strict access controls, separation of duties, and clear policies and procedures regarding financial transactions.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: D
Detective controls are designed to identify and detect incidents or fraudulent activities that have already taken place. In the context of an accounting department, detective controls could include the implementation of monitoring systems, audit trails, and log analysis to identify suspicious transactions and activities that may indicate fraudulent behavior.
Detective controls are essential for incident response and help in uncovering fraudulent transactions after they have happened, which allows for timely investigation and remediation to reduce losses and prevent similar incidents in the future.
upvoted 2 times

fouserd 8 months ago
Selected Answer: D
To reduce losses from fraudulent transactions in an accounting department, the BEST control type to use would be D. Detective. Detective controls are designed to identify and detect fraudulent activities or errors that have already occurred. These controls can include activities such as reconciliations, audits, and reviews of transactions. By implementing detective controls, the accounting department can quickly identify and investigate any fraudulent transactions, thereby reducing losses.
upvoted 1 times

aw23 8 months ago
ChatGPT said deterrent.
upvoted 2 times

Abdul2107 8 months, 2 weeks ago
Selected Answer: D
D. Detective, based on ChatGPT: The best control type to use in an accounting department to reduce losses from fraudulent transactions is Detective. Detective controls are designed to identify and detect fraud after it has occurred. These controls can include things like monitoring bank accounts for unusual activity, conducting regular audits, and reviewing financial statements for discrepancies. By identifying fraudulent activity as soon as possible, corrective action can be taken to minimize losses. While other control types such as deterrent or corrective controls can also be useful in preventing fraud, they may not be as effective in detecting fraud that has already occurred. Recovery controls, on the other hand, are designed to recover lost assets after a fraud has occurred, which can be helpful but not as effective as detecting the fraud beforehand.
upvoted 2 times

mosher21 8 months, 2 weeks ago
Selected Answer: C
Corrective controls are implemented after detective controls to rectify the problem and (ideally) prevent it from happening again.
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
Corrective controls are designed to identify and correct issues that have already occurred. They are used to reduce the impact of an event and to prevent its recurrence. In this case, implementing corrective controls in an accounting department would be the best approach to reduce losses from fraudulent transactions. This could include measures such as implementing separation of duties, performing regular audits, and implementing financial reporting controls.
upvoted 2 times

Topic 1 Question #139
A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack?
A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.
B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.
C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.
D. Use an automated tool to flood the phishing websites with fake usernames and passwords.
Correct Answer: B
Community vote distribution: B (100%)

Josh_Feng Highly Voted 1 year, 4 months ago
Selected Answer: B
DNS sinkhole prevents users from entering the site if they have a sinkhole for the domain name. So making a list of fake websites' domain names and making a sinkhole will prevent access to these websites if a user tried to search for them on accident.
upvoted 14 times

ComPCertOn 1 month, 3 weeks ago
Isn't that equivalent to a block list?
upvoted 1 times

MorganB Highly Voted 8 months, 1 week ago
Passed my exam 27 April 23. This question was on my test, worded differently, but the answer is the same.
upvoted 6 times

ApplebeesWaiter1122 Most Recent 5 months, 1 week ago
Selected Answer: B
The best way for the company to mitigate the phishing attack described is by generating a list of domains that are similar to the company's own domain and implementing a DNS sinkhole for each of these domains. A DNS sinkhole is a technique used to redirect malicious traffic to a controlled environment or block access to malicious domains. By implementing a DNS sinkhole for similar-looking domains, the company can prevent users from accessing phishing sites that may impersonate the company's website. When users click on links in the phishing emails, their DNS requests for those domains will be redirected to a safe location, preventing them from reaching the actual phishing sites. This approach helps protect users from falling victim to the phishing attack and helps in mitigating the risk of credential theft and other malicious activities associated with phishing.
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
By generating a list of domains that are similar to the company's own and implementing a DNS sinkhole for each of these domains, the company can prevent users from accessing phishing sites that look similar to their legitimate website. A DNS sinkhole involves redirecting traffic from the malicious domains to a non-existent or controlled server, effectively blocking users from accessing the phishing sites. This approach is an effective way to mitigate the phishing attack and protect users from falling victim to the fraudulent websites. It helps in preventing data loss and protecting the company's reputation from being exploited by attackers.
upvoted 1 times

Dutch012 8 months, 2 weeks ago
If all the answers are correct, I would go with D.
upvoted 1 times

rline63 4 months, 1 week ago
I'm pretty sure D is illegal. Probably would work but takes a lot of resources, can be mitigated if the target uses proper protection, and like I said is ethically and legally questionable.
upvoted 1 times

MasterControlProgram 9 months, 1 week ago
Selected Answer: B
B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each would be the best way for the company to mitigate this attack. By generating a list of domains similar to the company's own and implementing a DNS sinkhole for each, the company can prevent users from accessing the phishing sites. A DNS sinkhole is a technique used to block access to malicious websites by redirecting requests for those sites to a non-existent IP address or a local web server that displays a warning message. This can help to prevent users from inadvertently accessing phishing sites that look similar to the company's own website.
upvoted 1 times

FMMIR 1 year ago
Selected Answer: B
The best way for the company to mitigate this attack would be to implement a DNS sinkhole for domains similar to the company's own. A DNS sinkhole is a security measure that redirects traffic from known malicious or fraudulent websites to a safe location. By generating a list of domains similar to the company's own and setting up a DNS sinkhole for each, the company can prevent employees from accidentally accessing phishing websites that mimic the company's own domain.
Other solutions such as disabling POP and IMAP on email servers, implementing SMTPS, or using an automated tool to flood phishing websites with fake credentials may also be effective, but a DNS sinkhole would be the most direct and effective way to prevent employees from accessing the phishing sites. Creating a honeynet would not be relevant in this scenario.
upvoted 2 times

RonWonkers 1 year, 3 months ago
Selected Answer: B
I agree with B.
upvoted 3 times

stoneface 1 year, 4 months ago
This is a very confusing question -> I'm inclining with D; other options will not directly try to reduce the danger associated with the fake sites.
upvoted 1 times

[Removed] 11 months, 2 weeks ago
Revenge of the Sith, let's DDoS the fckers.
upvoted 4 times

stoneface 1 year, 4 months ago
After consideration I'm choosing B -> I think the question implies that typosquatting is also on the table. So setting an internal DNS sinkhole that redirects all similar addresses (including the ones being used in the phishing campaign) to nothing will help mitigate this attack.
upvoted 3 times

andrizo 1 year, 2 months ago
But boy, wouldn't it be cool to DoS phishing sites.
upvoted 4 times

zzzfox 1 year, 3 months ago
Not sure if flooding fake websites is even a legal thing to do...
upvoted 7 times

Gino_Slim 1 year, 2 months ago
That was a very humorous answer choice to me.
upvoted 3 times

Topic 1 Question #140
A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH attempts to a functional user ID have been attempted on each one of them in a short period of time. Which of the following BEST explains this behavior?
A. Rainbow table attack
B. Password spraying
C. Logic bomb
D. Malware bot
Correct Answer: A
Community vote distribution: B (92%), 8%

stoneface Highly Voted 1 year, 4 months ago
SSH cannot take hash values as an input, so rainbow attack is out of the table. I'm left with password spraying. ...
upvoted 33 times

[Removed] 11 months, 1 week ago
With a rainbow attack, you don't attack with password hashes! First, you use the table to crack the password for a target user offline and then use it to attack live systems. Password spraying uses one or a few passwords against a list of usernames.
upvoted 6 times

ApplebeesWaiter1122 Highly Voted 5 months, 1 week ago
Selected Answer: B
Password spraying is a type of brute-force attack where the attacker attempts to gain unauthorized access to multiple accounts by trying a small number of commonly used passwords against many usernames. In this scenario, the continuous alerts from multiple Linux systems indicating unsuccessful SSH attempts to a functional user ID suggest that an attacker is trying different passwords against the same user ID on each system, which aligns with the behavior of a password spraying attack. The attacker is not attempting to guess different usernames but is trying a limited set of passwords against the same user ID on multiple systems.
upvoted 8 times

Yaakb Most Recent 4 months, 4 weeks ago
B, because password spraying targets multiple accounts on a system, which fits perfectly in this scenario.
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Selected Answer: B
Password spraying is a type of brute-force attack where an attacker tries a few common passwords against many accounts. In this scenario, the continuous alerts from multiple Linux systems indicating unsuccessful SSH attempts to a functional user ID suggest that an attacker is trying a limited set of passwords across various accounts in the hope of gaining unauthorized access. This is a common attack vector used to avoid detection from traditional brute-force protection mechanisms.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Password spraying can occur to a single account. Password spraying is a type of brute-force attack where attackers attempt to gain unauthorized access to multiple accounts by trying a few commonly used passwords against many usernames. Instead of attempting to guess passwords for a single account (which would be a regular brute-force attack), password spraying involves trying a small set of passwords against a large number of accounts. In the given scenario, the question states that unsuccessful SSH attempts have been made to a functional user ID on multiple Linux systems in a short period of time. This aligns with the behavior of password spraying, as the attackers are attempting to use a small set of passwords against multiple accounts (the functional user ID) on different systems. Given this understanding, Option B (Password spraying) would be the most likely correct answer for the question, as it matches the scenario described.
upvoted 1 times

excelchips11 3 months, 3 weeks ago
For password spraying, it is done on multiple accounts, NOT just one. Here, we have ONLY ONE functional user ID, several passwords, and several systems are informed. Though B is the closest answer, it is not the answer as SSH
upvoted 1 times

macrocarpa 7 months, 2 weeks ago
Selected Answer: B
I think this is yet another poorly worded question meant to trip people up. First guess would be Rainbow Table Attack. But since it's over SSH it has to be password spraying. The question doesn't indicate more than one username being used, which is what we've come to understand as password spraying. But password spraying is still a form of a brute-force attack, which would have to be the answer imo.
upvoted 1 times

DanielBruse 6 months, 2 weeks ago
Yes, it's a little tricky question, but they say "multiple Linux systems to a functional user ID", so they are trying more than one account.
upvoted 2 times

strong1 8 months, 1 week ago
Password spraying tries the most common passwords against many accounts. Known as a "low-and-slow" attack, it attempts to bypass the password lockout by trying one common password against many targets and then circling back to try the next common password after a period of time.
upvoted 1 times

MorganB 8 months, 1 week ago
Passed my exam 27 April 23. This question was on my test, worded differently, but the answer is the same.
upvoted 3 times

TejasTony 9 months, 1 week ago
Where do these "correct" answers come from? Some of them are so far out there and ridiculous.
upvoted 1 times

Nishkurup 10 months ago
Selected Answer: B
B. Password spraying is the BEST explanation for this behavior. Password spraying is a type of brute force attack where attackers try a small number of commonly used passwords against a large number of user accounts. In this scenario, the attackers are attempting to guess the password for a functional user ID on multiple Linux systems. The unsuccessful SSH attempts are generated by automated tools used by attackers attempting to gain unauthorized access to the systems. Rainbow table attacks (A) are a type of pre-computed password attack that attempt to crack password hashes. Logic bombs (C) are malicious code designed to execute a set of instructions when certain conditions are met. Malware bots (D) are a type of malware that allows an attacker to take control of a compromised system and use it to carry out malicious activities. None of these attacks specifically match the behavior described in the scenario.
upvoted 3 times

CJohnson219 11 months ago
How is this password spraying? It clearly says "to a functional user ID"; that is a single user.
Password spraying is across multiple users.
upvoted 1 times

NerdAlert 9 months, 3 weeks ago
The wording on this question is dumb and ambiguous.
upvoted 2 times

Ertrexs 11 months ago
"alerts from multiple Linux systems"
upvoted 3 times

ronniehaang 11 months, 1 week ago
Selected Answer: B
B. Password spraying. Password spraying is a type of brute-force attack that targets multiple user accounts with a few commonly used passwords. This technique is used to avoid triggering account lockouts, which are a common security measure to prevent brute-force attacks. The attacker tries a small number of passwords against many accounts, with the hope of finding one that works. By targeting a large number of systems and trying a limited number of passwords, the attacker can avoid detection and quickly gain access to one or more systems.
upvoted 1 times

OnA_Mule 11 months ago
The question says "a functional user ID", suggesting it's a single account. So spraying does not apply.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
Not necessarily a single account, just a user ID that is functional. Regardless, none of the other answers even remotely apply at all in this scenario.
upvoted 1 times

FMMIR 1 year ago
Selected Answer: B
The behavior described in the scenario is likely the result of a password spraying attack. Password spraying is a technique used by attackers to compromise accounts by trying a small number of commonly used passwords against a large number of user accounts. This allows the attacker to avoid triggering account lockout policies, which are designed to prevent brute-force attacks by locking an account after a certain number of failed login attempts. In this case, the attacker is likely using password spraying to try to gain access to the Linux systems via SSH using a functional user ID.
A rainbow table attack, a logic bomb, or a malware bot could potentially cause similar symptoms, but the description of the behavior in the scenario is most consistent with a password spraying attack.
upvoted 2 times

OnA_Mule 11 months ago
Spraying would apply if it were multiple user accounts, but the question seems to indicate it is 1 user ID. So it's not spraying.
upvoted 1 times

Mahougbe 1 year, 2 months ago
Selected Answer: B
A Password Spraying Attack is a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process.
upvoted 4 times

ostralo 1 year, 2 months ago
Selected Answer: A
I will go for the Rainbow table, because the perpetrator could guess a password using the leaked hash from the system prior to the attack to crack an account. Password spray attack: using the same password to crack many different accounts.
upvoted 3 times

daddylonglegs 2 months, 3 weeks ago
So if it were a rainbow table attack, the perpetrator would already have the password because it would be precomputed; therefore there would be no failed logins. The fact that it is multiple failed logins across multiple devices clearly points to password spraying.
upvoted 1 times

Jakalan7 1 year, 3 months ago
Selected Answer: B
Clearly B, password spraying.
upvoted 2 times

comeragh 1 year, 3 months ago
Selected Answer: B
I believe this is password spraying - "multiple Linux systems to a functional user ID".
upvoted 8 times

Jacob_Kramer1995 4 months, 1 week ago
Out of all the answers, password spraying is the best; however, I don't like the wording. A functional user (singular) could indicate brute force or dictionary, knowing it's a (singular user login creds).
upvoted 3 times

tibetbey 1 year, 4 months ago
Selected Answer: B
Password Spraying is a variant of what is known as a brute force attack.
In a traditional brute force attack, the perpetrator attempts to gain unauthorized access to a single account by guessing the password "repeatedly" in a very short period of time.
upvoted 2 times

Topic 1 Question #141
A tax organization is working on a solution to validate the online submission of documents. The solution should be carried on a portable USB device that should be inserted on any computer that is transmitting a transaction securely. Which of the following is the BEST certificate for these requirements?
A. User certificate
B. Self-signed certificate
C. Computer certificate
D. Root certificate
Correct Answer: B
Community vote distribution: A (69%), C (26%), 6%

EubertT Highly Voted 1 year ago
I'm going to give details of what is the use of each one, because I'm tired that they are not giving the right answer:
User Certificate: User certificates specify which resources a given user can have access to. They are sometimes used on devices that several users share. When different users log in, their profile and certificate are automatically loaded, granting them access to their required information.
Self-signed certificate: A self-signed certificate is one that is not signed by a CA at all – neither private nor public. In this case, the certificate is signed with its own private key, instead of requesting it from a public or a private CA (Certificate Authority).
Root Certificate: Root certificates are the cornerstone of authentication and security in software and on the Internet. They're issued by a certified authority (CA) and, essentially, verify that the software/website owner is who they say they are.
So for this verification I'm completely 100% sure it is A: User certificate.
upvoted 17 times

RevolutionaryAct 4 months, 4 weeks ago
User certificates are bound to 1 user, and this solution is supposed to be for any computer uploading/transmitting, which means it has more than one user and thus cannot be a user certificate. Self-signed it is.
upvoted 3 times

daddylonglegs 2 months, 3 weeks ago
A self-signed certificate can be spoofed by literally any other computer and is not secure in the slightest. Self-signed it isn't.
upvoted 4 times

shitgod 1 year ago
You didn't mention anything about a computer certificate.
upvoted 5 times

LeonardSnart 7 months, 2 weeks ago
"Machine/computer: A company may want to encrypt the communication between computers on the network. For example, a company may want to encrypt communication between its servers. In order to do this, each computer needs a machine certificate, also known as a computer certificate, applied to it." - CompTIA Security+ Certification Fourth Edition SY0-601 by Glen Clarke & Dan Lachance
"Machine/Computer. Certificates issued to a device or a computer are commonly called machine certificates or computer certificates. The certificate is typically used to identify the computer within a domain." - Security+ Get Certified Get Ahead SY0-601 by Darril Gibson
"Machine/Computer. Assigning a certificate to individual computers isn't too common, but there are places where this is used. Very high-security, enterprise-level 802.11 wireless networks using EAP-TTLS security can assign a machine certificate to every system." - Mike Meyers' Security+ Cert Guide Third Edition SY0-601
upvoted 2 times

deeden Highly Voted 1 year, 3 months ago
Selected Answer: A
I thought option A makes sense, if acquired from a publicly trusted CA. Found this link below from IdenTrust about IRS Secure Data Transfer...
https://www.identrust.com/partners/department-treasury-irs-secure-data-transfer
upvoted 8 times

Confuzed 8 months, 3 weeks ago
That is a user certificate (the requestor must provide their personal ID to obtain one).
upvoted 1 times

ImBleghk Most Recent 6 days ago
Selected Answer: A
A. User certificate
upvoted 1 times

AceVander 1 month ago
I understand the question like this: the tax organization wants to validate online submissions of documents using a portable USB device. Which means EACH USER transmitting documents needs to be validated using ANY computer. This is why I am choosing A. User Certificate. The user is authenticated with the USB device, not with C. Computer Certificate (validates the computer, but the scenario wants to use a USB device to validate users on any computer). Not with D. Root Certificate (validates software; the scenario is asking to validate transmissions, not the application). Not with B. Self-signed Certificate because it is neither private nor public, not signed by a CA, and in this scenario the organization is looking to validate ONLINE submissions; self-signed certificates can be spoofed.
upvoted 1 times

G_logic44 1 month, 2 weeks ago
Selected Answer: C
Computer Certificate: A computer certificate, also known as a machine certificate or host certificate, is issued to a specific computer or device. In this case, having a computer certificate on the portable USB device ensures that the device itself is authenticated when plugged into any computer. This type of certificate is suitable for validating the identity of the computer or device initiating a secure transaction.
upvoted 1 times

Feiyui3993 2 months ago
Selected Answer: C
A computer certificate is typically issued to a computer or device and is used to establish the identity of the device when connecting to a network or service securely.
upvoted 1 times

Maxi42288 3 months, 1 week ago
"A tax organization is working on a solution to validate the online submission of documents." Sounds like this organization is working on a solution internally. Self-signed certificates appear to work for this scenario. Self-signed certificates are now primarily used for internal purposes, such as testing, development environments, or private networks, where the need for third-party validation is minimal. https://venafi.com/
upvoted 1 times

Tmans713 4 months, 1 week ago
Selected Answer: A
I answered A. The question mentions that the solution is on "a portable USB", meaning a user would need to insert it into whichever PC they're transmitting transactions from. Not necessarily contained to one computer as some have stated.
upvoted 3 times

HCM1985 4 months, 1 week ago
At first I was thinking Computer certificates, but "portable" really is the key word here. So either a User certificate or a self-signed could work. I'd go with a User's.
upvoted 1 times

RevolutionaryAct 4 months, 4 weeks ago
User certificates are bound to 1 user, and this solution is supposed to be for any computer uploading/transmitting, which means it has more than one user and thus cannot be a user certificate. Ditto computer certificates: "Computer Certificate Templates are intended to be bound to a single computer entity to provide identity and/or encryption services for that computer" https://www.sciencedirect.com/topics/computer-science/computer-certificate. Root certificate wouldn't apply as it comes from a certified authority (CA). Self-signed is referring to the USB being added to the computers which are currently uploading with various users/computers, so this is a separate thing from both.
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
A user certificate, also known as a client certificate, is the best certificate type for the given requirements. User certificates are used to identify and authenticate individual users or clients, and they can be stored on a portable USB device. When a user wants to perform a secure transaction, they can insert the USB device into any computer, and the certificate stored on the device will be used to establish a secure connection and validate the user's identity. This allows for secure online submission of documents while maintaining portability and ease of use for the users.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Given the context of the tax organization trying to validate online submissions, the BEST certificate for their requirements would indeed be an A. User certificate. A user certificate is issued to an individual user and is used to authenticate and verify the identity of the user during online transactions. It is typically associated with an individual and allows them to securely sign and encrypt data, which aligns with the tax organization's goal of validating online submission of documents by users. The other options (B. Self-signed certificate, C. Computer certificate, and D. Root certificate) are not as suitable for this scenario. Self-signed certificates may not provide the necessary level of trust in a public environment, computer certificates are issued to devices rather than individual users, and root certificates are used to establish trust in a certificate chain but are not directly associated with user authentication. Therefore, the correct answer is A. User certificate, as it aligns with the tax organization's goal of validating online submissions by users.
upvoted 6 times

Protract8593 5 months, 2 weeks ago
I changed my mind. C makes the most sense here (ChatGPT's explanation): In the scenario described, where the tax organization is working on a solution to validate the online submission of documents and the solution is carried on a portable USB device that should be inserted on any computer that is transmitting a transaction securely, a computer certificate would be the most appropriate choice. A computer certificate is used to authenticate and identify a specific computer system. It allows the computer to establish secure connections and transactions. By using a computer certificate on the portable USB device, the tax organization can ensure that any computer using the device for online transactions is validated and secure.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Option C (Computer certificate) is the best choice because the question mentions that the solution should be carried on a portable USB device and inserted on any computer that is transmitting a transaction securely. This implies that the solution needs to be installed and utilized on different computers, and the certificate used should be associated with the computer (device) itself rather than a specific user. A computer certificate is a type of digital certificate that is issued to a computer or device. It is used to authenticate the identity of the computer and establish a secure connection between the device and the server. In this context, the tax organization wants a solution that can be carried on a portable USB device and used on different computers to securely transmit transactions. Therefore, using a computer certificate on the USB device ensures that each computer the device is plugged into can be securely authenticated and trusted for transmitting transactions.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
While user certificates are used to authenticate individual users, they are typically associated with user-specific actions, such as user authentication to access specific resources or services. In this scenario, a computer certificate is more appropriate because the focus is on securing the transactions on the computer level, not user-level authentication.
upvoted 1 times

muhaimin 8 months, 1 week ago
A user certificate could also be a valid option depending on the specific requirements and use case of the tax organization's solution. A user certificate is issued to an individual user and is used to verify the identity of the user. If the tax organization requires the USB device to be used by a specific individual or group of individuals, then a user certificate would be appropriate. The user certificate would be stored on the USB device and would be used to verify the identity of the user when they insert the device into a computer to transmit a transaction securely. However, if the tax organization requires the USB device to be used by any computer to securely transmit transactions, then a computer certificate would be more appropriate. The computer certificate would be stored on the USB device and would be used to verify the identity of the device transmitting the transaction.
upvoted 1 times

ortizj118 8 months, 2 weeks ago
User Certificate is correct
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
Based on the requirements provided, the best certificate to use would be a user certificate. A user certificate is issued to a specific user and can be stored on a portable USB device. It can be used for authentication purposes when the user is transmitting a transaction securely from any computer. In contrast, a computer certificate is issued to a specific computer, while a root certificate is used to establish trust with a particular certificate authority (CA).
A self-signed certificate is a certificate that is signed by the entity whose identity it certifies. However, it may not be the best option for this scenario as it may not be recognized by other systems.
upvoted 1 times

DylanB2868 8 months, 2 weeks ago
Selected Answer: C
The USB authenticates the Computer, not the User.
upvoted 1 times

Handsomeware 8 months, 3 weeks ago
Selected Answer: C
Chatgpt: Based on the given requirements, the BEST certificate for this scenario would be a Computer certificate. A Computer certificate is issued to a computer or device and is used to authenticate the identity of the computer or device in a network environment. This certificate is typically used to provide secure communication between a client computer and a server. In this scenario, the portable USB device needs to be inserted into any computer that is transmitting a transaction securely. By having a Computer certificate, the USB device can authenticate itself and the computer it is being inserted into, providing a secure and reliable way to validate online document submissions. User certificates are used to authenticate individual users, self-signed certificates are not recommended for production use, and Root certificates are used to sign other certificates and are typically used in a public key infrastructure (PKI) environment.
upvoted 2 times

Herb30 8 months, 4 weeks ago
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/creating-certificates-for-usb-storage-devices
upvoted 1 times

Topic 1 Question #142
A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge.
A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?
A. Insider threat
B. Social engineering
C. Third-party risk
D. Data breach
Correct Answer: A
Community vote distribution A (100%)

i_bird Highly Voted 1 year, 3 months ago
Selected Answer: A
going to jail..lol
upvoted 19 times

joelitof 1 year, 3 months ago
xD rip that person
upvoted 2 times

LunaFruit Most Recent 2 weeks, 2 days ago
He bold lmao
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
The action described in the scenario involves an employee of the medical billing company who abused their authorized access to the system to download customer records and manipulate direct deposit information for fraudulent purposes. This behavior is considered an insider threat because it involves a trusted individual within the organization using their access privileges to perform unauthorized and malicious actions. Insider threats are a significant concern for organizations as they can pose a serious risk to data security and privacy.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
In this scenario, the employee of the medical billing company downloaded customer records and manipulated direct deposit information for personal gain. This type of action represents an insider threat, which refers to potential risks posed to an organization by its own employees, contractors, or other trusted individuals who have access to sensitive information and systems. The insider threat is a significant concern for organizations, and it's essential to implement proper security measures and monitoring to detect and prevent such malicious activities.
upvoted 1 times

Omi0204 9 months, 3 weeks ago
Question is asking about Action so it is Data Breach. Answer D is correct.
upvoted 2 times

P_man 9 months, 1 week ago
are you deliberately trying to cause people to fail this exam? While a data breach did occur, it was accomplished by an EMPLOYEE, so Insider Threat is the correct answer here.
upvoted 4 times

NerdAlert 9 months, 1 week ago
it says what does this action DESCRIBE? It describes an insider threat
upvoted 2 times

RonWonkers 1 year, 3 months ago
Selected Answer: A
It is A, company employee = insider threat
upvoted 4 times

comeragh 1 year, 3 months ago
Selected Answer: A
A - Insider Threat
upvoted 4 times

tibetbey 1 year, 4 months ago
Selected Answer: A
Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization
upvoted 3 times

Topic 1 Question #143
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?
A. Accept the risk if there is a clear road map for timely decommission.
B. Deny the risk due to the end-of-life status of the application.
C. Use containerization to segment the application from other applications to eliminate the risk.
D. Outsource the application to a third-party developer group.
Correct Answer: C
Community vote distribution A (54%), C (46%)

[Removed] Highly Voted 1 year, 4 months ago
Selected Answer: C
I think C is correct. You shouldn't have to take any risk at all if you can containerize the application.
The goal of containerization is to isolate an application to prevent malware, intruders, system resources or other applications from interacting with the application – and any of its sensitive information – secured by the container.
upvoted 44 times

scarceanimal 11 months ago
Prudent: acting with or showing care and thought for the future. In this case C is not much of a prudent course of action; A specifies a "clear road for timely decommission", hence it being a better choice. Along with it being low risk, it's a clear A.
upvoted 9 times

scarceanimal 11 months ago
i think this video will help https://www.youtube.com/watch?v=dQw4w9WgXcQ
upvoted 45 times

8c55165 10 hours, 20 minutes ago
I knew it was too good to be true
upvoted 1 times

ronah 10 months, 4 weeks ago
i hate you. be serious. 😂
upvoted 7 times

Abdul2107 8 months, 2 weeks ago
C is clear for future for "more security risks"
upvoted 1 times

[Removed] 1 year, 4 months ago
Resource: https://www.proofpoint.com/sites/default/files/pp-containerization-and-app-reputation.pdf
upvoted 2 times

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
IMO they should Accept the risk if there is a clear road map for timely decommission ->
upvoted 28 times

alittlesmarternow 5 days, 22 hours ago
Why would you ONLY accept the risk, when you can SEGMENT the application while accepting the risk, eliminating the risk from affecting the network?
upvoted 1 times

slenderjim 8 months, 2 weeks ago
You right bby
upvoted 6 times

deeden 1 year, 3 months ago
I agree with A. The web app will have the same threat vector (3rd-party library) even after containerization, and it is rated as a low-risk vulnerability.
upvoted 7 times

xfr0ggy Most Recent 1 week, 3 days ago
Selected Answer: C
for me it is prudent to avoid the incidents using containers while the app is being removed.
upvoted 2 times

DChilds 2 months, 1 week ago
Selected Answer: C
My understanding is this: the organization has a web application using a third-party library and it is end of life. However, it is still in use by some of the organization's customers. With legacy systems, the best control of this risk is a compensating one (mitigation). Network segmentation is always the best compensating control, and in this case it can be tied in with containerization of the application. This is a more prudent approach than accepting the risk since there is NO clear road map for timely decommission.
upvoted 1 times

ComPCertOn 2 months, 1 week ago
Selected Answer: A
The most prudent course of action would be: A. Accept the risk if there is a clear road map for timely decommission. This option acknowledges the risk but also emphasizes having a plan in place to decommission the application in a timely manner. This approach balances the need for security with the awareness of the application's end-of-life status and the potential burden of immediate updates. Chat gpt
upvoted 1 times

demianUY 2 months, 3 weeks ago
The answer is A. If you read carefully, it says "eliminate the risk." Firstly, when containerizing, the risk is not ELIMINATED, but rather mitigated to some extent; the risk will still exist because there is no possible solution that eliminates it (well, maybe rebuilding the entire software). Therefore, even if you containerize, the risk WILL CONTINUE TO EXIST, meaning you will still have to ACCEPT the remaining risk, which is not acceptable since the goal is to eliminate the risk. The only way to eliminate this risk is to decommission the outdated software.
upvoted 3 times

Josh1978 2 months, 3 weeks ago
y'all can't agree on nothing
upvoted 5 times

idwPastrami 3 months, 1 week ago
I chose C because there is no clear map to a decommission.
"..even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries"
upvoted 2 times

Samiatif 3 months, 1 week ago
Selected Answer: C
Eliminating risk is always a better option than accepting risk, it's C
upvoted 1 times

rline63 4 months, 1 week ago
Selected Answer: A
While C is an effective strategy to minimize the risk of this application, elimination is not a risk management strategy. C would result in a risk still, just a smaller one. Mitigation, however, is a risk management strategy.
upvoted 1 times

sujon_london 4 months, 4 weeks ago
Selected Answer: A
Using containerization can help mitigate risks, but it might not fully eliminate the risk of vulnerabilities. Containerization involves isolating applications and their dependencies within containers, which can add an extra layer of security and isolation. However, it won't eliminate vulnerabilities within the application code or the third-party library itself. Containerization can limit the potential impact of vulnerabilities by containing them within the isolated environment. This can be particularly useful if the application interacts with other systems. However, it's important to note that security updates and patches for the application and the third-party library would still be required to address the vulnerabilities at their source. So, while containerization can be a valuable step to reduce risks, it's unlikely to fully eliminate all risks associated with the low-criticality vulnerabilities. In this case A should be chosen prudently.
upvoted 1 times

daddylonglegs 2 months, 3 weeks ago
But A does nothing to even try to mitigate the risk.
At least by containerizing you can mostly prevent an exploit of a vulnerability inside the container from leading to total compromise of the system.
upvoted 2 times

4vv 5 months ago
These questions constantly have you thinking if you're overthinking it or if you're underthinking it.
upvoted 4 times

Abdul2107 5 months ago
Selected Answer: A
A. Is correct. Keyword, as mentioned by @scarceanimal, is "prudent" which means for "future"
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
While addressing the vulnerabilities and updating the third-party library would be the ideal solution, the development staff has stated that updating the application would be a substantial burden. In such cases, it may not be immediately feasible to fix all vulnerabilities. However, if there is a clear road map and plan in place to decommission the application in the near future, the organization can accept the risk for the time being while minimizing exposure. It is important to have a risk management plan in place, which includes monitoring the vulnerabilities and having a decommissioning plan in order to address the risks in the long term. Organizations should also implement compensating controls and security measures to reduce the impact of the vulnerabilities until the application can be decommissioned.
upvoted 1 times

Nikamy 5 months, 1 week ago
Selected Answer: C
C because of the prudent approach
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Accepting the risk means acknowledging the vulnerabilities and deciding not to take further action to address them immediately. However, having a clear plan for decommissioning the application in a timely manner demonstrates that the organization is actively working to eliminate the risk in the long run.
While there are low-criticality vulnerabilities in the web application due to the use of a third-party library, the development staff states that updating the application for compatibility with more secure libraries would be a substantial burden, and the application is already end-of-life. In this situation, accepting the risk with a clear plan to decommission the application in a timely manner would be the most prudent course of action. This decision acknowledges the risk while also taking steps to address it by eventually phasing out the application and minimizing the security exposure in the long term.
upvoted 1 times

Aie_7 5 months, 3 weeks ago
Selected Answer: A
The risks associated with the web application are low-criticality, and the application is end-of-life. This means that the application is no longer being actively developed or maintained, and there is a risk that the third-party library could become obsolete or insecure. However, the development staff has stated that there are still customers using the application, and it would be a substantial burden to update the application for compatibility with more secure libraries. In this case, the most prudent course of action is to accept the risk if there is a clear road map for timely decommissioning. This means that the organization should have a plan to sunset the application and migrate its users to a more secure platform.
upvoted 1 times

Topic 1 Question #144
A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented?
A. HTTP security header
B. DNSSEC implementation
C. SRTP
D. S/MIME
Correct Answer: A
Community vote distribution A (93%), 7% other

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
When enabled on the server, HTTP Strict Transport Security (HSTS), part of HTTP Security header, enforces the use of encrypted HTTPS connections instead of plain-text HTTP communication.
upvoted 32 times

comeragh Highly Voted 1 year, 3 months ago
Selected Answer: A
I would agree with A on this one. S/MIME - relates to email. SRTP - relates to VOIP.
upvoted 7 times

hrncgl Most Recent 4 months ago
The original recommendation of A. HTTP security header (specifically HTTP Strict Transport Security or HSTS) is the most common and effective method for enforcing encrypted communications for web applications. HSTS is specifically designed to ensure that web browsers use secure HTTPS connections for all interactions with a web application, thereby enforcing encryption. If the goal is to secure a web application and enforce encryption for all communications, HSTS is the appropriate solution. SRTP, on the other hand, is typically associated with securing real-time communication protocols like VoIP and is not designed for securing web applications.
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
To allow only encrypted communications for a web application without relying on network devices, a security analyst can implement HTTP security headers. These headers are added to the web application's HTTP response and provide instructions to the client's web browser on how to interact with the web application securely. One specific HTTP security header that can be implemented for this purpose is the "Strict-Transport-Security" (HSTS) header. When the web server sends the HSTS header to the client's browser, it instructs the browser to only access the web application over HTTPS (encrypted HTTP) for a specified period.
This helps prevent any insecure connections and ensures that all communication between the client and the web application is encrypted.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
HTTP security headers are a set of HTTP response headers that a web server can use to enhance the security of a web application. One of the security headers is the HTTP Strict Transport Security (HSTS) header, which allows a website to specify that it should only be accessed over a secure, encrypted connection (HTTPS). By implementing the HSTS header, the web application can enforce encrypted communications and prevent insecure connections. This additional layer of protection helps ensure that communications between the client and the server are encrypted, without relying solely on network devices for security.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
HTTP security headers can be used to enforce secure communication between a web application and the client's web browser, ensuring that only encrypted traffic is allowed. Therefore, the correct answer is A. HTTP security header. DNSSEC implementation is used to secure the DNS infrastructure and does not provide additional protection for a web application. SRTP is used to secure real-time communication such as VoIP, and S/MIME is used to encrypt email messages.
upvoted 3 times

ThreeKings 9 months ago
Selected Answer: A
The question asks to deploy an additional layer of protection for a WEB APPLICATION (emphasis added); this points to HTTP with security header. The question also uses the term ENCRYPTED COMMUNICATIONS (emphasis added), which might point to SRTP IF the nature of the communication involves voice, video and/or multimedia.
Because the question does not include voice/video/multimedia verbiage and because the question more explicitly includes a (browser based) web application, HTTP with security header is a better fit.
upvoted 2 times

fouserd 9 months ago
Selected Answer: A
initially i went with A but after asking Bing Chat this is what she said: The solution that can be implemented to allow only encrypted communications without relying on network devices is SRTP. SRTP stands for Secure Real-time Transport Protocol and is used to provide confidentiality, message authentication, and replay protection to RTP (Real-time Transport Protocol) traffic.
upvoted 1 times

elcan_22 9 months, 1 week ago
Selected Answer: C
The correct answer is C. SRTP (Secure Real-time Transport Protocol) is a cryptographic protocol designed to provide secure communication for voice and video traffic over the Internet, typically used in VoIP (Voice over IP) applications. By implementing SRTP, the web application can ensure that all communications are encrypted end-to-end, without relying on network devices to enforce security. HTTP security headers can enhance the security of web applications, but they do not provide end-to-end encryption. DNSSEC (Domain Name System Security Extensions) is a protocol that provides integrity and authentication to DNS data, but it does not provide encryption for web application communications. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol used for securing email communications, but it is not typically used for web application security.
upvoted 2 times

HCM1985 4 months, 1 week ago
But SRTP would only be applicable for web applications that use some sort of WebRTC, no?
upvoted 1 times

monzie 9 months, 1 week ago
Selected Answer: C
The solution that can be implemented to allow only encrypted communications without relying on network devices for a web application is option C, SRTP (Secure Real-Time Transport Protocol).
SRTP is a security extension of the RTP (Real-Time Transport Protocol) used for multimedia communications, such as voice and video. It provides confidentiality, integrity, and replay protection for the RTP traffic. This will ensure that the web application only uses encrypted communications, even if the network devices are not enforcing encryption.
upvoted 1 times

konanna 9 months, 3 weeks ago
Selected Answer: C
C. SRTP (Secure Real-time Transport Protocol) can be implemented to allow only encrypted communications without relying on network devices. SRTP is a protocol designed to provide encryption, message authentication, and integrity for real-time multimedia communication, such as voice and video over IP networks. By implementing SRTP, the web application can ensure that all communications are encrypted, even if they traverse untrusted networks or devices. HTTP security headers, DNSSEC implementation, and S/MIME are all useful security measures, but they do not directly address the goal of allowing only encrypted communications without relying on network devices. HTTP security headers are used to improve web application security by providing additional protections against various types of attacks, such as XSS and CSRF. DNSSEC is used to ensure the authenticity and integrity of DNS information, preventing DNS spoofing attacks. S/MIME is used to provide encryption and digital signatures for email communications.
upvoted 1 times

konanna 9 months, 3 weeks ago
It's A, never trust chatgpt
upvoted 5 times

uveal 10 months, 1 week ago
SRTP IS the solution that can be implemented to allow only encrypted communications without relying on network devices. HTTP security header is used to enhance the security of web applications, but it doesn't provide end-to-end encryption.
upvoted 1 times

ronniehaang 11 months, 1 week ago
Selected Answer: A
A. HTTP security header - An HTTP security header can be added to the web application to enforce the use of encryption for all communication. This header can specify the use of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to ensure that all data transmitted between the web server and client is encrypted. The header can also configure various security-related options such as disabling caching, preventing cross-site scripting (XSS) attacks, and mitigating cross-site request forgery (CSRF) attacks. HTTP security headers include:
Strict-Transport-Security (HSTS)
X-XSS-Protection
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Note: HTTP security headers are not a replacement for encryption but rather a way to enforce encryption.
upvoted 4 times

rhocale 1 year ago
i thought HTTP isn't secure
upvoted 1 times

scarceanimal 11 months ago
*HTTP security header*
upvoted 1 times

deeden 1 year, 3 months ago
Selected Answer: A
https://www.youtube.com/watch?v=064yDG7Rz80
upvoted 1 times

Topic 1 Question #145
A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by:
A. employees of other companies and the press.
B. all members of the department that created the documents.
C. only the company's employees and those listed in the document.
D. only the individuals listed in the documents.
Correct Answer: C
Community vote distribution A (93%), 7% other

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
Public (unclassified) – there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.
upvoted 40 times

xfr0ggy 1 week, 3 days ago
in stoneface we trust
upvoted 1 times

Old_Boy_ 1 month, 4 weeks ago
Thank you Lord Stone Face
upvoted 3 times

stonefaces_kitten 1 year, 1 month ago
Thank you (:
upvoted 14 times

Boubou480 Highly Voted 12 months ago
Selected Answer: A
A company labeled some documents with the public sensitivity classification means that the documents can be accessed by employees of other companies and the press. The public sensitivity classification indicates that the documents are intended for public access and can be shared with a wide audience, including employees of other companies and members of the media. This classification is often used for documents that contain information that is not sensitive or confidential and that can be shared freely with the public. In contrast, documents with other sensitivity classifications, such as "confidential" or "private," may have more restricted access and may only be shared with a limited group of individuals, such as employees of the company or those listed in the document.
upvoted 7 times

P_man 9 months, 1 week ago
This clarification helps. Thank you. I was reading it as C, but I think A is correct now.
upvoted 1 times

ImBleghk Most Recent 6 days ago
Selected Answer: C
C. only the company's employees and those listed in the document.
upvoted 1 times

drnburak 2 weeks, 2 days ago
Selected Answer: A
answer is A
upvoted 1 times

Peshokp 3 weeks, 5 days ago
Selected Answer: C
public & sensitivity. Sensitive data (restricted even within the company that is responsible for it) - from TestOut. The public is all employees; Sensitive is only for the company employees. For example, on Facebook, you post a picture but only want your Friends to see it and don't want them to share it so all the world can see it. The photo is on Facebook but only for your friends' eyes.
Or your male friends chatting in a group chat and sharing dirty pictures that you don't want your wife to see. Your friend is public, but the pictures and conversation are "sensitive" for your wife's eyes :)))))
upvoted 2 times

Abbey2 3 months, 4 weeks ago
Wondering how 98% of the people voted the wrong answer!
upvoted 4 times

grumpy_farmer 4 months, 1 week ago
Access vs distribution: they weren't distributed but are able to be accessed. They are stupid on semantics.
upvoted 1 times

RevolutionaryAct 4 months, 4 weeks ago
I think the real question is where are these documents located? If they are on internal servers not public facing then C, otherwise the answer is A.
upvoted 1 times

ApplebeesWaiter1122 5 months, 1 week ago
Selected Answer: A
Public: Information that is intended for unrestricted public access and does not contain sensitive or confidential data.
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
Documents labeled with the "public" sensitivity classification are accessible to anyone, including employees of other companies and the press. This classification means there are no restrictions on viewing the data, and it is considered public information.
upvoted 1 times

fouserd 8 months ago
Selected Answer: A
I think the key word for this one is "Public" Sensitivity Classification.
upvoted 1 times

MasterControlProgram 9 months, 1 week ago
Selected Answer: A
The public sensitivity classification means that the documents can be accessed by anyone, including individuals outside of the company. Therefore, the correct answer is: A. employees of other companies and the press.
upvoted 1 times

assfedassfinished 9 months, 1 week ago
Selected Answer: C
I think the correct answer is C. As I read the question and the provided answers, it made me think of the U/FOUO designation, or Unclassified/For Official Use Only.
This designation indicates that the documents with those markings are unclassified, but not appropriate for public release. I am biased, since that is primarily my background.
upvoted 2 times

Ahmed_aldouky 10 months, 1 week ago
If a company has labeled some documents with the public classification, it means that the documents can be accessed by anyone who has access to the documents, including employees of other companies and the press. Option A, employees of other companies and the press, is the correct answer. The public classification means that the documents are not confidential or sensitive and can be shared with anyone who needs to access them. Option B, all members of the department that created the documents, is incorrect because the public classification does not limit access to a specific department or group of individuals. Option C, only the company's employees and those listed in the document, is incorrect because the public classification means that the documents are not restricted to the company's employees or any specific individuals. Option D, only the individuals listed in the documents, is incorrect because the public classification means that the documents can be accessed by anyone who has access to them, not just the individuals listed in the documents.
upvoted 1 times

Deeppain90 11 months, 3 weeks ago
owww I get it now. It's "company labeled some documents with the public sensitivity classification", so DOCUMENTS in the company, even if they are unclassified, are not for sharing; from the answers, C is the one (sorry for my grammar)
upvoted 5 times

Deeppain90 11 months, 3 weeks ago
Selected Answer: A
WHY is C the chosen answer 0o
upvoted 1 times

Nome02 1 year, 1 month ago
A is the correct answer. The Public Sensitivity is Public.
upvoted 1 times

Topic 1 Question #146
Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?
A. Check to see if the third party has resources to create dedicated development and staging environments.
B. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository.
C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers.
D. Read multiple penetration-testing reports for environments running software that reused the library.
Correct Answer: C
Community vote distribution: C (100%)

comeragh Highly Voted 1 year, 3 months ago
Selected Answer: C
I would go with C also on this one. It seems to make the most sense.
upvoted 5 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: C
Before embedding third-party libraries in developed code, it is crucial to assess the existing vulnerabilities in the third-party code and evaluate the responsiveness and efficiency of the library developers in addressing these vulnerabilities. This check helps to ensure that the third-party libraries are secure and do not introduce unnecessary risks into the developed code. The other options may provide valuable information about the third-party libraries, but assessing existing vulnerabilities and the responsiveness of the library developers is the most relevant security check in this context.
upvoted 2 times

SabITSec 1 year, 1 month ago
b is the possible answer too
upvoted 1 times

Imanism 1 year, 2 months ago
Selected Answer: C
What to be done to best prevent issues in third-party code?
Establish a baseline and process for every third-party software that is introduced into the organisation, including performing a risk assessment to establish the risk associated with implementing a certain piece of code.
upvoted 4 times

RonWonkers 1 year, 3 months ago
Selected Answer: C
My guess is C
upvoted 3 times

varun0 1 year, 4 months ago
Selected Answer: C
C is correct
upvoted 3 times

Topic 1 Question #147
A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email?
A. Check the metadata in the email header of the received path in reverse order to follow the email's path.
B. Hover the mouse over the CIO's email address to verify the email address.
C. Look at the metadata in the email header and verify the "From:" line matches the CIO's email address.
D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.
Correct Answer: A
Community vote distribution: A (44%), D (39%), other

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: A
https://www.cmu.edu/iso/news/2020/email-spoofing.html
upvoted 19 times

Old_Boy_ 1 month, 4 weeks ago
If stone face says it's A then it must be A
upvoted 5 times

vandybear 1 year, 2 months ago
The URL you provided states, "Please note that email headers can be spoofed and are not always reliable." Wouldn't that make answer A unreliable?
upvoted 8 times

Sandon 11 months, 2 weeks ago
Yes, yes it would
upvoted 6 times

ostralo 1 year, 2 months ago
I concur, return path verification is a must.
upvoted 2 times

Ertrexs 11 months ago
what are you talking about ostralo
upvoted 5 times

revolt54 Highly Voted 4 months, 1 week ago
I don't know why so many people think it's D.
Forwarding a possibly malicious email to anyone, much less the CIO, and being like "this you?" seems crazy, especially since it says he is on vacation for a few weeks. He likely wouldn't reply quickly, and if he did it would be with "why would you forward this to me?"
upvoted 13 times

Kurt43 3 months, 2 weeks ago
A CIO that asks why he is asked to verify a request for security purposes could go on his vacation and never come back. He must be fired ASAP.
upvoted 5 times

Rumcajs Most Recent 18 hours, 5 minutes ago
Selected Answer: A
CEO is on vacation, he will not reply. Therefore "A" is the best solution here.
upvoted 1 times

ImBleghk 6 days ago
Selected Answer: C
C. Look at the metadata in the email header and verify the "From:" line matches the CIO's email address.
upvoted 1 times

Trickster_ATK 1 week, 1 day ago
Selected Answer: A
Before forwarding the email to the CIO, it's necessary to check the email headers first.
upvoted 1 times

58ee59c 3 weeks, 5 days ago
For those who chose D, the CIO is trusting you with the company's security. If you send the email to the CIO without knowing it is legit, then you would be putting them at risk. It is A.
upvoted 2 times

toluwalase022 1 month ago
Selected Answer: C
IDK if option C is invisible to everyone. To validate the authenticity of the email, you should check the metadata in the email header and verify that the "From:" line matches the CIO's email address.
upvoted 1 times

ganymede 1 month, 2 weeks ago
Selected Answer: A
It's A folks. Looking at the email headers and following the path the email took is the best way to determine if this is a legitimate email or not.
upvoted 1 times

cantbeme 1 month, 4 weeks ago
Why would a help desk technician forward any suspicious email directly to the CIO?
There should be multiple levels of management involved, and if not, there definitely will be after that email!
upvoted 2 times

azzawim 2 months ago
Selected Answer: A
answer is metadata
upvoted 1 times

TheFivePips 2 months ago
Selected Answer: D
Given that email headers can be spoofed, the best approach to validate the authenticity of the email would be: D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents. This method involves double-checking with the CIO through a separate communication channel to confirm the legitimacy of the email. It adds an extra layer of verification to ensure that the request is genuinely coming from the CIO, especially when sensitive information is involved. I personally think maybe a different mode of communication channel would be better, but these are the answers we are given.
upvoted 1 times

DChilds 2 months, 1 week ago
Selected Answer: A
Security requires a zero trust approach, therefore any suspicious email should not be forwarded. The helpdesk agent should go with A.
upvoted 1 times

imustknow 2 months, 1 week ago
Why D? The technician receives an email from the CIO. If the email at this time may have been stolen and then sent back along the original path, how to verify that the recipient of the email is the CIO?
upvoted 2 times

above 3 months ago
Selected Answer: D
In real life D. I have a CTO not CIO and manage a NOC. We do this. This is our process. I would do this. My CTO, CEO will respond to this query even if they're on vacation. Everyone is trained to identify and handle phishing emails. Most help desk technicians do not have that level of decision making ability to send important documents without first verifying by phone call or email. In this case forwarding the email to the CIO is the first thing that should happen, i.e. after a ticket is opened.
upvoted 4 times

J0EL 3 months, 2 weeks ago
Selected Answer: D
According to DeepAi, D.
Forward the email to the CIO and ask if the CIO sent the email requesting the documents. This is the best practice to validate the authenticity of the email from the CIO. Since the technician knows that the CIO is on vacation, it is possible that the email could be fake or malicious. Forwarding the email to the CIO and asking for confirmation will ensure that the email is legitimate. Checking the metadata in the email header and verifying the email address may not be sufficient as email spoofing is a common tactic used to impersonate someone else's email address. Hovering the mouse cursor over the email address is also not a reliable method of validation. Checking the metadata in the email header in reverse order may be useful, but it may not be necessary in this case.
upvoted 3 times

bzona 4 months, 2 weeks ago
Selected Answer: A
Answer is A. The only way to verify the authenticity of the sender is to verify the return path. This is email checking 101...
upvoted 2 times

Kurt43 3 months, 2 weeks ago
A would have been correct if it was a SOC analyst. But he's a helpdesk.
upvoted 3 times

thisguyfucks 4 months, 3 weeks ago
Upon comprehensive review of Network+ and Security+ email security curriculum: Forwarding potential phishing attempts risks exposing recipients unnecessarily. Tracing email routes through backward header inspection proves technically challenging and not a supported verification method. Header validation of key identity fields like "From:" against organizational records remains their endorsed initial precaution. However, with this CIO absent for an extended period, no option achieves verification singularly. The most secure approach meeting their goal of authentication without enabling compromise aligning with documented techniques is: C. Look at the metadata in the email header and verify the "From:"
line matches the CIO's email address. Then contact another trustworthy affiliate to corroborate any request.
upvoted 2 times

goodmate 2 months, 3 weeks ago
There is no attachment in the mail mentioned, so no need to assume, and also a help desk technician has no authority to inspect metadata.
upvoted 1 times

Topic 1 Question #148
A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements?
A. Red-team exercise
B. Capture-the-flag exercise
C. Tabletop exercise
D. Phishing exercise
Correct Answer: C
Community vote distribution: C (71%), D (17%), other (13%)

TR3Y Highly Voted 1 year, 3 months ago
A Cyber Security tabletop exercise is a discussion-based event (not real). If they are looking for a "real world" solution to validate their IRP then the best option would be a "Red Team" as they can simulate a real-world event testing your organization's IRP. Let me know if I am missing something.
upvoted 10 times

03allen 1 year, 2 months ago
"without interrupting daily operation" would be the reason.
upvoted 13 times

tonnage800 Most Recent 2 months, 2 weeks ago
Selected Answer: C
Red team may not lead to system failure but still has some effect on the daily operations through their actions, while tabletop (desktop exercise) purely simulates the incident in the meeting room, which has no effect on any systems.
upvoted 2 times

decieredavidolo 3 months, 1 week ago
Greetings to all, I bring you good news today. Those of you who are into IT and want to venture into cybersecurity and are having difficulties studying and knowing how to go through are hereby advised to get directories from the global certification support center.
They orientate you on how to get and pass certifications with lots of ease, making you competent and a master in the field. Reach them using the site globalcertcenter.org. Good luck
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
A tabletop exercise is a type of scenario-based simulation that allows organizations to validate their incident response plan without executing the plan in a real-world environment. It involves a discussion-based approach, where key stakeholders come together in a controlled environment to walk through a hypothetical incident and discuss their responses, decision points, and actions. This exercise allows the organization to identify areas of improvement, test communication and coordination, and assess the effectiveness of their incident response procedures without disrupting regular operations.
upvoted 1 times

LiteralGod 5 months, 2 weeks ago
Selected Answer: A
Guys, a Tabletop exercise would still interrupt daily operations, whereas a red team would usually be subbed to a third party.
upvoted 1 times

Kurt43 3 months, 2 weeks ago
agreed. pulling resources from their desk to do tabletop interrupts their regular office functions.
upvoted 1 times

awscody 3 months, 1 week ago
You guys are literally thinking about this toooo deeply. "Regular office functions"?? A table top would involve the security team and stakeholders. That is their job. So no, it would not interrupt regular function. It's another day in the office. Red Team will most likely be in the network and could take down critical services or actual servers which would / could interrupt daily ops.
upvoted 3 times

LeonardSnart 7 months, 2 weeks ago
Selected Answer: C
key point - test decision points and relevant incident response actions without interrupting daily operations
"A tabletop exercise (also called a desktop exercise) is discussion-based. A coordinator gathers participants in a classroom or conference room and leads them through one or more hypothetical scenarios such as a cyberattack or a natural disaster. As the coordinator introduces each stage of the scenario, the participants identify how they would respond based on an organization’s plan. This generates discussion about team members’ roles and responsibilities and the decision-making process during an incident." - Security+ Get Certified Get Ahead SY0-601 by Darril Gibson
upvoted 4 times

fouserd 8 months, 3 weeks ago
Selected Answer: C
A tabletop exercise would BEST meet the company’s requirements as it is designed to simulate an incident in a low-risk environment, such as a conference room, where participants discuss and walk through the response plan and identify gaps and opportunities for improvement. This type of exercise tests decision points and relevant incident response actions without interrupting daily operations.
upvoted 1 times

assfedassfinished 9 months, 1 week ago
Selected Answer: C
It's table top. The other activities, even a phishing exercise, interrupt daily activities. For the phishing activity, you receive a non-work related email, and that interrupts your daily activities.
upvoted 1 times

MasterControlProgram 9 months, 1 week ago
Selected Answer: C
A tabletop exercise would BEST meet the company's requirements as it is designed to simulate an incident in a low-risk environment, such as a conference room, where participants discuss and walk through the response plan and identify gaps and opportunities for improvement.
It would allow decision points to be tested, relevant incident response actions to be evaluated, and facilitate discussion of response and recovery procedures without interrupting daily operations. Red-team exercises, capture-the-flag exercises, and phishing exercises are all designed to simulate real-world attacks and test specific security controls, and may not be suitable for validating an incident response plan.
upvoted 1 times

gladtam 9 months, 2 weeks ago
The tabletop exercise is a verbally-simulated scenario that mimics a real cybersecurity incident which could have a damaging impact on your business continuity.
upvoted 2 times

mvckenzi 10 months, 1 week ago
Selected Answer: A
We're testing decision points and incident response actions. The answer is A. It's definitely not capture the flag. It's not TTXs. Those take away from daily ops. Phishing exercises aren't wrong, but red-team exercises would be the most correct fit since the network is being attacked and we're testing out our current incident response.
upvoted 1 times

MSCertifications 11 months, 2 weeks ago
Selected Answer: D
I'll go with phishing
upvoted 1 times

nicekoda 1 year ago
Answer is Red team exercise. The actions are real world and intended to simulate the operational approach of a ransomware-style attack without overwriting sensitive files.
upvoted 1 times

alwaysrollin247 1 year ago
Selected Answer: A
Red Team exercises differ from penetration testing in that they don’t focus on a single application or system, but instead set out to exploit multiple systems and potential avenues of attack. The gloves are off, and “Think like an attacker” is the rule of play. Usually, Red Teams are part of your internal security team, though sometimes they can be from external or dedicated agencies. While thinking like an attacker, a Red Team group acts as (and provides security feedback from the perspective of) a malicious threat or challenger.
It’s up to the business’s dedicated security team – the Blue Team – to provide a suitable response in detecting, combating, and weakening their opposition. Prior to the Red Team exercise, it’s usual that the Blue Team won’t know the plan or what is coming. This is in order to make the exercise as realistic as possible.
https://www.imperva.com/blog/what-are-red-team-exercises-and-why-are-they-important/
upvoted 1 times

KingTre 1 year ago
Selected Answer: D
Although table top is the most voted answer, "without interrupting daily operations" leads me to think D would be correct. Tabletops involve physical participants sitting down and talking through incidents. This would take time and people away from daily operations. A phishing tactic could be done by 1 security officer and sent out as a daily email. Correct me if I'm wrong.
upvoted 3 times

ja1092m 4 months, 2 weeks ago
That's not what they mean by "daily operations", that's why you're getting confused. Daily operation is referring to technical work imo.
upvoted 1 times

assfedassfinished 9 months, 1 week ago
Your phishing email would disrupt the daily activities of anyone who receives that email.
upvoted 1 times

RonWonkers 1 year, 3 months ago
Selected Answer: C
C is correct
upvoted 3 times

serginljr 1 year, 3 months ago
Selected Answer: C
C is the correct answer
upvoted 4 times

Topic 1 Question #149
Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to collect network traffic between workstations throughout the network. The analysts review the following logs:
The Layer 2 address table has hundreds of entries similar to the ones above.
Which of the following attacks has MOST likely occurred?
A. SQL injection
B. DNS spoofing
C. MAC flooding
D. ARP poisoning
Correct Answer: C
Community vote distribution: C (100%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: C
Answer: MAC flooding
The question mentions that the table is on Layer 2, which is the Data link layer. The data-link layer is where switches operate to move traffic. Switches will use MAC addresses to find the physical address of the device. This is because the Layer 2 address (MAC Address) will be unique on the local network. MAC flooding is a cyber attack that overflows the MAC Table (Layer 2 Table) of switches by sending out invalid MAC addresses. When a MAC Address table is full, the switch is no longer able to save new addresses, so it will enter into fail-open mode and begin broadcasting data (like a hub) to all ports. This will allow an attacker to get data packets intended for another computer and be able to steal sensitive information.
upvoted 24 times

Mumbo Most Recent 1 month, 3 weeks ago
Took the exam today and passed with a 775. About 90% of the questions are from this dump. This question is in the exam.
upvoted 2 times

Kheeze1 1 month, 2 weeks ago
About which numbers from this dump are on there? The majority or the first 100?
upvoted 2 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
In MAC flooding (also known as MAC address table overflow attack), an attacker sends a large number of frames to a network switch with fake source MAC addresses, causing the switch's MAC address table to become full. When the MAC address table is full, the switch will operate in "fail-open" mode and start broadcasting traffic to all ports instead of sending it only to the appropriate port, effectively turning it into a hub-like behavior. This allows the attacker to capture network traffic from multiple workstations on the network, as mentioned in the scenario.
upvoted 2 times

Yawannawanka 8 months, 2 weeks ago
Based on the provided information, the attack that MOST likely occurred is MAC flooding, as the Layer 2 address table has hundreds of entries that are overwhelming the switch's ability to forward frames efficiently. This is a common technique used in denial-of-service (DoS) attacks, where the attacker floods the switch's MAC address table with fake addresses, causing it to slow down or stop forwarding frames altogether. SQL injection and DNS spoofing are application layer attacks, while ARP poisoning involves modifying ARP tables to redirect network traffic.
upvoted 1 times

fouserd 9 months ago
Selected Answer: C
The attack that has most likely occurred is MAC flooding. MAC flooding is a type of network attack that involves sending a large number of frames with different source MAC addresses to a switch. This causes the switch to flood its address table and forward all traffic to all ports, allowing an attacker to collect network traffic between workstations throughout the network.
upvoted 1 times

deeden 1 year, 3 months ago
Selected Answer: C
I agree with MAC flooding. Here's a good read about it and how to prevent it.
https://www.omnisecu.com/ccna-security/what-is-mac-flooding-attack-how-to-prevent-mac-flooding-attack.php
upvoted 3 times

RonWonkers 1 year, 3 months ago
Selected Answer: C
Hundreds of entries, I would assume it's flooding
upvoted 4 times

_Tyler_ 1 year, 3 months ago
Selected Answer: C
All the other answers involve an attack that changes data that is already present; this question states that there are hundreds of entries, indicating flooding.
upvoted 4 times

ScottT 1 year, 3 months ago
and Layer 2 ruling out SQL and DNS
upvoted 2 times

Yuyuyakuza 1 year, 4 months ago
Mac Flooding "Layer 2.."
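Added example for question #149, not part of any post in this thread: the posts above describe how a flooded Layer 2 table looks (hundreds of dynamically learned addresses), and the check a defender would run on such a table is to count learned addresses per port and single out the port that is pumping them in. The script below is my own illustration; it assumes a Cisco-style "show mac address-table" layout, and every VLAN number, MAC address and port name in it is constructed. The per-port limit of 5 is an assumed site threshold of the kind port security enforces.

```python
"""Flag the likely source port of a MAC flooding attempt from a switch's
Layer 2 (MAC) address table.

Added example; not from any post in the thread. The table layout imitates a
Cisco-style "show mac address-table" dump, and every VLAN, MAC address and
port name below is constructed.
"""
import re
from collections import Counter

# One learned address per line: <vlan> <mac> <type> <port>
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def build_sample_table(flood_entries: int = 300) -> str:
    """Constructed sample: one legitimate host on each of Gi0/1-Gi0/3 and
    hundreds of bogus source addresses learned on Gi0/4, which is what a
    table-overflow attempt leaves behind. Deterministic so runs are repeatable."""
    lines = [
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        "  10    0050.56aa.0001    DYNAMIC     Gi0/1",
        "  10    0050.56aa.0002    DYNAMIC     Gi0/2",
        "  10    0050.56aa.0003    DYNAMIC     Gi0/3",
    ]
    for i in range(flood_entries):
        mac = f"{(i * 7919) % 0x10000:04x}.{(i * 104729) % 0x10000:04x}.{i:04x}"
        lines.append(f"  10    {mac}    DYNAMIC     Gi0/4")
    return "\n".join(lines)


def parse_mac_table(text: str) -> list:
    """Return (vlan, mac, type, port) tuples; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), port))
    return entries


def dynamic_macs_per_port(entries: list) -> Counter:
    """Count dynamically learned addresses per port. STATIC entries are
    configured by an administrator, so they are not evidence of flooding."""
    counts = Counter()
    for _vlan, _mac, kind, port in entries:
        if kind == "DYNAMIC":
            counts[port] += 1
    return counts


def suspect_ports(entries: list, max_macs_per_access_port: int = 5) -> dict:
    """Ports whose learned-address count exceeds what an access port should
    carry. The threshold is an assumed site value; it is the same kind of
    limit that port security's maximum-MAC setting enforces."""
    counts = dynamic_macs_per_port(entries)
    return {p: n for p, n in counts.items() if n > max_macs_per_access_port}


def assess(text: str, max_macs_per_access_port: int = 5) -> dict:
    """Summarise the table: how many dynamic entries it holds and which
    ports explain them."""
    entries = parse_mac_table(text)
    return {
        "dynamic_entries": sum(1 for e in entries if e[2] == "DYNAMIC"),
        "suspect_ports": suspect_ports(entries, max_macs_per_access_port),
    }


if __name__ == "__main__":
    print(assess(build_sample_table()))
```

On the constructed table the report names Gi0/4 with 300 learned addresses while the other ports stay at one each, which is the signal that justifies shutting the port or applying a port-security limit there rather than anywhere else.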
upvoted 1 times

Topic 1 Question #150
A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated?
A. Password complexity
B. Password history
C. Password reuse
D. Password length
Correct Answer: A
Community vote distribution: A (92%), other (4%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: A
Answer: Password complexity
Password complexity is a measure of how difficult a password is to guess in relation to any number of guessing or cracking methods. For the security auditor to be able to successfully perform a dictionary attack, that means that the credentials were too predictable and were likely a common password.
upvoted 9 times

jack35567 Most Recent 1 month, 3 weeks ago
There is a strong argument for C but I’m sure that’s not it since 90% chose A. A dictionary attack can be a library of compromised passwords from other sites, which users could use as the same passwords across multiple accounts, which would be a violation. But then again, restricting password reuse across multiple accounts from different platforms is likely not enforceable in most scenarios.
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: A
The security policy states that common words should not be used as passwords, which implies that the passwords should have certain complexity requirements to avoid using easily guessable passwords. A dictionary attack is an attempt to crack passwords by systematically trying words from a dictionary, and it can be successful when passwords lack complexity. By enforcing password complexity requirements, organizations aim to prevent attackers from using simple and common words as passwords.
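Added example for question #150, not part of any post in this thread: the control the policy describes only works if it is enforced when a password is set, and a naive "is the password in the word list" check misses the mangled forms ("Summer2023!", "P@ssw0rd1") that a dictionary attack tries anyway. The script below is my own illustration of that check; the blocklist is a tiny constructed stand-in for a real dictionary or breached-password list, the substitution table is a simplification, and the length and character-class minimums are assumed policy values, not anything the question states.

```python
"""Enforce the "no common words as passwords" rule at password-set time.

Added example; not from any post in the thread. The blocklist is a tiny
constructed stand-in for a real dictionary or breached-password list, and
the mangling rules undo only the most common substitutions.
"""
import re

# Constructed sample blocklist; a real deployment loads a large list.
COMMON_WORDS = frozenset({
    "password", "welcome", "summer", "winter", "letmein", "qwerty",
    "company", "monkey", "dragon", "football",
})

# Character substitutions undone before the comparison.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Strip leading/trailing digit or symbol runs (Summer2023! -> Summer),
    undo substitutions inside the word (P@ssw0rd -> Password), lowercase."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET).lower()


def is_common_word(password: str, blocklist=COMMON_WORDS) -> bool:
    """True when the whole password collapses to one blocklisted word.
    A multi-word passphrase does not collapse to a single word, so it passes."""
    return normalize(password) in blocklist


def character_classes(password: str) -> int:
    """Number of distinct classes present: lower, upper, digit, other."""
    return sum(
        1 for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
        if re.search(pat, password)
    )


def check_password(password: str, blocklist=COMMON_WORDS,
                   min_length: int = 12, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    min_length and min_classes are assumed policy values."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if is_common_word(password, blocklist):
        problems.append("based on a common dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd1", "Correct-Horse-Battery-Staple-99"):
        print(candidate, "->", check_password(candidate) or "OK")
```

"Summer2023!" and "P@ssw0rd1" both satisfy a naive character-class rule yet are rejected as dictionary words once normalized, while the long hyphenated passphrase passes; that difference is what separates a complexity control that stops a dictionary attack from one that only looks like it does.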
upvoted 1 times

tutita 9 months, 1 week ago
Selected Answer: A
we need more easy questions like this
upvoted 4 times

user82 8 months, 2 weeks ago
I wish 6% of voters agreed. This question still has people picking D
upvoted 1 times

xxxdolorxxx 11 months, 2 weeks ago
Selected Answer: A
A makes the most amount of sense to me.
upvoted 1 times

NICKJONRIPPER 1 year, 1 month ago
Selected Answer: C
passwords in a common dictionary are not necessarily not complex. In the well-known "/usr/share/wordlists/rockyou.txt" dictionary, we can find passwords like "arisDAN13032008", "arires_super13@hotmail.cpom"... So it's about reuse, not about complexity.
upvoted 1 times

Sandon 1 year ago
That ain't it
upvoted 5 times

Gino_Slim 1 year, 2 months ago
Selected Answer: A
Not even sure how that one person got D. The answer is A all the way. Complexity refers to how the password needs to be formatted.
upvoted 1 times

RonWonkers 1 year, 3 months ago
Selected Answer: A
It is A
upvoted 2 times

Ay_ma 1 year, 3 months ago
Selected Answer: D
According to guidance offered by the National Institute of Standards and Technology (NIST), password length is more important than password complexity. This actually makes a lot of sense as longer passphrases take longer to crack, and they are easier to remember than a string of meaningless characters. NIST has provided a number of additional recommendations for organizations to follow, some of which include:
- Passphrases should consist of 15 or more characters.
- Uppercase, lowercase, or special characters are not required.
- Only ask users to change their passwords if you believe your network has been compromised.
- Check all new passwords against a list of passwords that are frequently compromised.
- Avoid locking your users out of their accounts after a number of unsuccessful login attempts, as hackers will often try to flood networks by purposely trying incorrect passwords in order to lock users out of their accounts.
- Don’t allow password “hints.”
www.lepide.com
I'm inclined to go for option D
upvoted 1 times

user82 8 months, 2 weeks ago
No WAY it’s D. Come on man. Complex passwords > password length
upvoted 1 times

rhocale 1 year ago
this would make sense except for the fact that it's a dictionary attack, and the length of words won't stop a dictionary attack; it's still a basic word
upvoted 2 times

RonWonkers 1 year, 3 months ago
This might be true but it does not answer the question. The question is: Which of the following controls was being violated? When using a standard word you violate the complexity control.
upvoted 6 times

comeragh 1 year, 4 months ago
Selected Answer: A
Agree with A here
upvoted 4 times

Topic 1 Question #151
A SOC operator is analyzing a log file that contains the following entries:
Which of the following explains these log entries?
A. SQL injection and improper input-handling attempts
B. Cross-site scripting and resource exhaustion attempts
C. Command injection and directory traversal attempts
D. Error handling and privilege escalation attempts
Correct Answer: C
Community vote distribution: C (100%)

stoneface Highly Voted 1 year, 4 months ago
Selected Answer: C
C. Command injection and directory traversal attempts
upvoted 18 times

ScottT 1 year, 3 months ago
https://www.professormesser.com/security-plus/sy0-401/directory-traversal-and-command-injection-2/
upvoted 11 times

VendorPTS 1 year, 3 months ago
Thank you. This was super helpful.
upvoted 3 times

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: C
Answer: Command injection and directory traversal attempts
Directory traversal is when an attacker uses the software on a web server to access data in a directory other than the server's root directory. If the attempt is successful, the threat actor can view restricted files or execute commands on the server.
Command injection is an attack that involves executing commands on a host. Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.
The attacker is attempting to traverse the directory of the host and execute the cat command, which could be used to print the contents of a file.
upvoted 7 times

Soleandheel Most Recent 2 months, 1 week ago
This video explains more clearly about directory traversal: https://www.youtube.com/watch?v=NQwUDLMOrHo
upvoted 1 times

Protract8593 5 months, 2 weeks ago
Selected Answer: C
The log entries show attempts to perform command injection and directory traversal attacks. In a command injection attack, the attacker tries to execute arbitrary commands on the target system by injecting malicious input into the application. In this case, the GET requests in the log entries include sequences like "../../../../../../etc/passwd" and "../../../../../../etc/shadow," which are attempts to traverse directories and access sensitive files on the system.
Directory traversal attacks are an attempt to access files and directories that are outside of the web application's intended directory structure. By using "../" sequences, the attacker tries to navigate to parent directories and access files that should not be publicly accessible.
upvoted 1 times

Yawannawanka 8 months, 2 weeks ago
The log entries suggest command injection and directory traversal attempts.
The attacker is attempting to execute commands on the web server by entering special characters, such as semicolons and forward slashes, in the input fields. They are also trying to access directories outside of the web root by using "../" in the URI. Therefore, the correct answer is C.
upvoted 1 times

J_Ark1 1 year, 2 months ago
Selected Answer: C
When I saw 'Get' I instantly went for cmd injection and traversal attempts.
upvoted 3 times

Jossie_C 1 year, 2 months ago
Selected Answer: C
The cat command traverses files in a directory.
upvoted 1 times

Sandon 11 months, 2 weeks ago
Negative, ghost rider. The cat command displays the contents of a file.
upvoted 3 times

Protract8593 5 months, 2 weeks ago
Correct. cat = concatenate.
upvoted 1 times

RonWonkers 1 year, 3 months ago
Selected Answer: C
Agree with C.
upvoted 3 times

comeragh 1 year, 4 months ago
Selected Answer: C
Agree with C for this one.
upvoted 3 times

Topic 1 Question #152
A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?
A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed.
C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point.
D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach.
Correct Answer: A
Community vote distribution: A (100%)

rodwave Highly Voted 1 year, 1 month ago
Selected Answer: A
Answer: It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
The final phase of the incident response is also called the lessons learned or remediation step.
=======================
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
upvoted 10 times

Protract8593 Most Recent 5 months, 2 weeks ago
Selected Answer: A
The final phase of the incident response plan is crucial for evaluating the effectiveness of the response, identifying any weaknesses in the incident handling process, understanding the root cause of the incident, and implementing measures to prevent similar incidents in the future. It involves conducting a post-incident analysis and generating a comprehensive report with recommendations for improvement.
upvoted 1 times

Jossie_C 1 year, 2 months ago
Remediation AKA lessons learned
upvoted 1 times

deeden 1 year, 3 months ago
Selected Answer: A
https://playbooks.flexibleir.com/incident-response-phases-best-practices/
upvoted 2 times

RonWonkers 1 year, 3 months ago
Selected Answer: A
I agree, the other steps were identification, containment and recovery. It is A, lessons learned.
upvoted 3 times

Danalyst 1 year, 3 months ago
'Lessons Learned'
upvoted 2 times

Question #153 Topic 1
HOTSPOT
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation.
INSTRUCTIONS
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
Correct Answer:

cefibo Highly Voted 2 years, 10 months ago
Botnet -> Enable DDoS protection
RAT -> Disable remote access services
Worm -> Change default passwords
Keylogger -> 2FA using push
Backdoor -> Code Review
upvoted 170 times

Protract8593 5 months, 1 week ago
I agree with cefibo for all 5 scenarios. Contrary to what etwe04 said, ChatGPT said that change is not correct:
3. Worm -> Change Application password
✗ This choice is not accurate. Worms typically exploit vulnerabilities to propagate through networks, and changing the application password might not directly address the worm issue. Instead, changing default passwords for systems or services would be more relevant here.
upvoted 3 times

Sublime_Cheese 2 months, 3 weeks ago
Chat GPT said ...
your argument is invalid
upvoted 5 times

ComPCertOn 2 months, 1 week ago
ChatGPT isn't always right.
upvoted 2 times

etwe04 2 years, 7 months ago
Everything is right, just change Worm > Change Application password.
upvoted 20 times

CapnFlint 1 year, 9 months ago
Ditto on the keylogger problem. Since all it says is that a keylogger is being used and not how it got there or what type it is, the best answer is implement 2FA, since that will mitigate any keylogger/cred harvesting attack by ensuring that the stolen credentials alone won't be enough to compromise an account.
upvoted 5 times

John_Ferguson 4 months ago
It specifies it is hardware.
upvoted 1 times

EricShon 9 months, 3 weeks ago
The only change I would make would be keylogger > patch vulnerable systems. In the case of an attack that is self-propagating and compromises a SQL database using well-known credentials as it moves through the network, changing the default system or application password may not be the most effective preventative or remediation action, since the attacker has already gained access to the network using well-known credentials. Instead, the BEST preventative or remediation action would be to patch vulnerable systems and disable vulnerable services to prevent further exploitation by the attacker. Additionally, implementing a host-based IPS (Intrusion Prevention System) could help detect and block any further malicious activity on the compromised system. Finally, it is important to conduct a thorough review of the network and systems to identify any other vulnerabilities that could be exploited by the attacker.
upvoted 2 times

hanoi92 Highly Voted 2 years, 2 months ago
I think the result is:
1. Web server ======> Botnet ===> Enable DDoS protection
2. User => RAT =====> Implement a host-based IPS
3. Database server ======> Worm ===> Change the default application password
4. Executive =====> Keylogger > Implement 2FA using push notification
5.
Application =======> Backdoor > Conduct a code review
upvoted 33 times

hieptran 9 months, 1 week ago
Agree on the 2. -> HIPS
While disabling remote access services can be effective in preventing RAT attacks, it may not be practical or feasible in all situations, particularly in cases where remote access is necessary for legitimate business purposes. On the other hand, a host-based IPS provides real-time monitoring and protection against RAT attacks, as well as other types of threats. It can also be configured to provide alerts or take automatic actions when an attack is detected, which can help to minimize the damage caused by the attack. Therefore, I would recommend implementing a host-based IPS as the best preventative or remediation action against RATs.
upvoted 4 times

Andrii1137 Most Recent 6 days, 17 hours ago
This was on my exam 29.12.23
upvoted 1 times

olaniran22001 2 weeks, 1 day ago
Passed my exam today with a score of 781 on my first try. Got 4 PBQs and this was o