CompTIA Security+ (SY0-701): Practice Questions
Original, syllabus-based practice questions for CompTIA Security+ (SY0-701). Each answer is explained, including why the other options are wrong. These are concept checks to test understanding, not real exam questions.
Which part of the CIA triad ensures that data has not been altered without authorization?
Correct answer: B. Integrity ensures data is not modified without authorization, typically verified with hashing. Confidentiality prevents disclosure, availability keeps data accessible, and authentication verifies identity - none of which is about detecting alteration.

You want to verify a downloaded file has not been modified. What is most appropriate?
Correct answer: A. A hash (SHA-256) changes if the file changes, so comparing it to the published value detects modification. Encryption protects confidentiality, not integrity verification; a password is authentication; watermarking is for tracing ownership, not integrity.

Which access-control model assigns permissions based on a user's job function?
Correct answer: B. Role-Based Access Control grants permissions by role/job function. DAC lets the resource owner decide; MAC enforces system-assigned labels and clearances; ABAC decides on attributes and context rather than role alone.

Which statement best summarizes zero trust?
Correct answer: B. Zero trust grants no implicit trust based on network location; every request is verified. 'Trust all internal network traffic by default' is the old perimeter model it replaces; 'allow full access after a single login' ignores per-request verification; and 'encrypt only traffic leaving the network' is one partial control, not the principle.

A phishing attack that specifically targets a senior executive is called:
Correct answer: B. Whaling targets high-value individuals such as executives. Spear phishing is targeted but not specifically at executives; vishing uses voice calls; smishing uses SMS.

An attacker exploits a software flaw before any patch is available. This is a:
Correct answer: A. A zero-day exploits a vulnerability with no available fix. An insider threat involves a trusted internal actor; an on-path attack intercepts communications; brute force guesses credentials.

Which best mitigates SQL injection?
Correct answer: D. Parameterized queries plus input validation stop untrusted input from being executed as SQL. Passwords, disk encryption and session timeouts do not address how injection works.

After restoring from backups following a ransomware incident, which action most reduces recurrence?
Correct answer: C. Patching, segmentation and phishing-awareness training address the common ways ransomware gets in and spreads. Paying funds crime and prevents nothing; password length alone won't stop it; disabling the firewall increases exposure.

Which is an indicator of compromise (IoC)?
Correct answer: A. Unexpected outbound traffic to an unknown host can indicate data exfiltration or command-and-control. Onboarding a new employee, a routine quarterly password change and a scheduled monthly patch window are all normal, expected activities.

Isolating public-facing web servers in their own network segment, separate from internal systems, is an example of:
Correct answer: A. Placing exposed servers in their own segment (a DMZ) limits how far an attacker can move if they are breached. Full-disk encryption protects data at rest, multifactor authentication verifies identity, and tokenization substitutes sensitive data; none of those isolates the network.

Which control primarily protects data in transit?
Correct answer: D. TLS encrypts data moving across a network. Full-disk encryption protects data at rest; hashing protects stored secrets; RAID provides redundancy/availability, not transit confidentiality.

A system must stay available even if one data center fails. Which contributes most?
Correct answer: C. Multi-site redundancy with failover keeps services running through a site outage. Passwords don't affect availability; a longer RPO means accepting more data loss (worse); disabling logging harms operations and forensics.

Multifactor authentication improves security because it requires:
Correct answer: D. MFA combines two or more independent factor types (something you know, have, or are). A longer password is still one factor; biometrics alone is one factor; rotating passwords is a policy, not multifactor.

The principle of least privilege means:
Correct answer: C. Least privilege grants the minimum access required for a task. Broad admin rights, seniority-based grants and blanket temporary access are not the principle.

In the common incident-response process, which phase immediately follows identification?
Correct answer: A. A typical order is preparation, identification, containment, eradication, recovery, then lessons learned - so containment follows identification. Recovery and lessons learned come later; preparation comes first.

A SIEM primarily helps an analyst by:
Correct answer: C. A SIEM aggregates and correlates log and event data to surface meaningful alerts. It is not an encryption tool, a firewall replacement, or a patch manager.

To limit the damage if one user account is compromised and an attacker tries to move across systems, which helps most?
Correct answer: B. Segmentation plus least privilege constrains lateral movement after a compromise. Longer passwords don't stop an already-compromised account; backups help recovery, not containment of movement.

A formal process to request, approve, document and review system changes is:
Correct answer: A. Change management governs controlled changes to systems. Incident response handles security events; penetration testing assesses defenses; tokenization substitutes sensitive data.

Evaluating the security practices of a software supplier before using them is part of:
Correct answer: D. Evaluating a supplier's security before use is third-party (vendor) risk management. Patch management, disk encryption and biometric enrollment are unrelated technical activities, not the assessment of an external supplier.

The main purpose of security-awareness training is to:
Correct answer: D. Training reduces human-factor risk like phishing susceptibility. It complements rather than replaces technical controls, and no measure eliminates all risk.

Which part of the CIA triad ensures information is accessible when needed?
Correct answer: C. Availability keeps data and services reachable. Confidentiality limits access, integrity ensures data is unaltered, and authentication verifies identity.

Malware that encrypts a victim's files and demands payment to restore them is:
Correct answer: C. Ransomware encrypts data for extortion. Spyware steals information, a rootkit hides access, and adware shows ads.

An attacker tricks a user into running a program disguised as legitimate software. This is a:
Correct answer: B. A Trojan masquerades as legitimate software. A worm self-propagates, a logic bomb triggers on a condition, and a botnet is a network of compromised hosts.

An attacker secretly intercepts and may alter traffic between two parties who believe they communicate directly. This is a:
Correct answer: A. An on-path attacker sits between the parties. DoS exhausts resources, brute force guesses credentials, and SQL injection targets databases.

Encrypting stored data so only authorized parties can read it primarily protects:
Correct answer: B. Encryption protects confidentiality. It does not, by itself, improve availability, redundancy or speed.

Placing a firewall and a screened subnet (DMZ) between the internet and internal servers is an example of:
Correct answer: C. Placing multiple layers between an attacker and the assets is defense in depth. The other terms describe unrelated techniques.

Applying a vendor's security patch promptly mainly reduces the risk from:
Correct answer: D. Patching closes known vulnerabilities before they are exploited. It does not address social engineering, theft or power issues.

A strong password policy combined with account lockout after several failed attempts mainly defends against:
Correct answer: C. Strong passwords plus account lockout frustrate brute-force guessing by limiting attempts. Network latency, power outages and data-backup failures are operational issues, not attacks this control is meant to stop.

A document that defines how an organization classifies and handles its data is a:
Correct answer: C. A security policy governs data handling. A firewall rule, pen-test report and network diagram are technical artifacts, not the governing policy.

Assessing the likelihood and impact of threats so controls can be prioritized is:
Correct answer: C. Weighing the likelihood and impact of threats to prioritize controls is risk assessment. Encryption, patch management and load balancing are specific controls you might apply afterward, not the assessment process itself.

A company stamps every approved invoice with a signature that cannot later be denied by the signer. Which security goal does this primarily support?
Correct answer: B. Non-repudiation prevents a party from credibly denying an action they took, which is exactly what a verifiable signature on an invoice provides. Confidentiality is about hiding the contents, not proving who signed. Availability is about access to the data, not accountability. Fault tolerance keeps a system running through failures and has nothing to do with denial of an action.

Which type of security control is a security-awareness training program best classified as?
Correct answer: B. Training is preventive because it aims to stop incidents before they happen by changing user behavior. A corrective control acts after an incident to restore systems, which training does not do. A compensating control substitutes for a missing primary control, which is not the role of routine training. Physical describes controls like locks or fences, not an awareness program.

A door lock and a fence are examples of which control category by nature?
Correct answer: D. Locks and fences are physical controls because they protect assets with tangible barriers. Technical controls are implemented in hardware or software, such as a firewall. Managerial controls are policies and procedures that guide decisions. Operational controls are processes carried out by people, like guard rounds, but the lock and fence themselves are physical.

An organization deploys a SIEM specifically so it can prove what happened during an incident after the fact. Which control function is this?
Correct answer: B. A detective control identifies and records events so activity can be reconstructed, which is what a SIEM does when it retains and correlates logs. A deterrent discourages an attacker before they act, such as a visible warning sign. A directive control instructs people what to do, like a policy statement. A preventive control blocks the event from occurring at all, which logging does not do.

In public key cryptography, which key should the recipient use to decrypt a message that was encrypted for them?
Correct answer: C. Data encrypted with a recipient's public key can only be decrypted with that recipient's private key, so the recipient uses their own private key. The sender's public key verifies signatures; it does not decrypt messages sent to the recipient. A shared symmetric key is not used in this asymmetric scenario. The sender's private key signs data and is never shared, so the recipient cannot have it.

What is the primary purpose of a digital certificate issued by a certificate authority?
Correct answer: C. A certificate binds a public key to an identity that a trusted certificate authority has verified, letting others trust that the key belongs to the named entity. Encrypting data at rest is done by storage encryption, not the certificate itself. One-time passcodes come from an OTP system, not a certificate. Compression is a performance feature unrelated to identity binding.

A developer adds a unique random value to each password before hashing so that identical passwords produce different hashes. This value is called a:
Correct answer: B. A salt is a unique random value added to a password before hashing, which defeats precomputed rainbow tables and hides identical passwords. A nonce is a number used once in a protocol exchange, not a stored per-password value. A token is a stand-in credential or hardware device, not a hashing input. A cipher is an encryption algorithm, not an added value.

Which statement best describes the goal of key stretching algorithms such as PBKDF2 or bcrypt?
Correct answer: A. Key stretching makes each password hash computation deliberately slow and resource-intensive, which dramatically raises the cost of brute-force guessing. It does not shorten keys; it strengthens weak inputs. It complements salting rather than replacing it. It is not a bulk data-encryption speed improvement, and being slow is the point.

An online store substitutes each stored credit-card number with a non-sensitive surrogate value that has no mathematical relationship to the original. This technique is:
Correct answer: A. Tokenization replaces sensitive data with an unrelated surrogate value, keeping the real number out of the environment that uses the token. Hashing produces a one-way digest, not a usable substitute that maps back through a secure vault. Steganography hides data inside other data, which is not what is happening here. Encoding such as Base64 is reversible by anyone and provides no protection.

Which of the following best describes the purpose of a change advisory board (CAB) in change management?
Correct answer: B. A change advisory board reviews proposed changes for risk and impact and authorizes them before they are implemented. Running penetration tests is a security assessment activity, not the board's function. Encrypting configuration files is a technical control unrelated to change approval. Responding to active incidents is the role of an incident response team, not the CAB.

Before a major change is approved, a team documents how they will revert if it fails. This documented fallback is called a:
Correct answer: D. A backout plan, also called a rollback plan, describes how to return to the prior working state if a change fails. A maintenance window is the scheduled time the change happens, not the recovery steps. A service level agreement defines availability commitments, not change reversal. A threat model maps attack possibilities and is unrelated to reverting a change.

In a zero trust architecture, the component that makes the allow-or-deny decision for an access request is the:
Correct answer: D. The policy engine evaluates the request against policy and rules and renders the access decision in a zero trust model. The policy enforcement point carries out the decision but does not make it. A certificate authority issues certificates and does not adjudicate each access request. A load balancer distributes traffic and has no role in authorization decisions.

A security team uses a honeypot on its network. The primary purpose of a honeypot is to:
Correct answer: B. A honeypot is a decoy system designed to attract attackers so their methods can be observed and detected. It does not perform database encryption. It provides no power redundancy. It is not an authentication mechanism; any interaction with it is itself suspicious.

Which best describes the difference between hashing and encryption?
Correct answer: A. Encryption is designed to be reversed by anyone holding the correct key, while hashing is a one-way function that cannot be reversed to recover the input. Saying hashing is reversible and encryption is one-way states the relationship backwards. Encryption is reversible only with the proper key and hashing is not reversible by design, so 'both always reversible' is wrong. Hashing does not use key pairs; that describes asymmetric encryption.

An organization wants to confirm that automated, repeatable steps replace error-prone manual configuration of new servers. Which benefit of automation does this describe?
Correct answer: C. Automation applies the same defined steps every time, which enforces a consistent and secure baseline and reduces configuration drift and human error. It increases rather than reduces consistency. It does not remove the need for logging, which remains essential. It supports human oversight rather than permanently removing it; people still review and govern the automation.

An attacker registers the domain 'paypa1.com' to fool users who misread it as the real service. This technique is:
Correct answer: C. Typosquatting registers look-alike or misspelled domains to capture users who mistype or misread a legitimate address. Pharming redirects users by poisoning DNS or host files, not by relying on a misread domain. A watering hole attack compromises a site the target group already visits. Pretexting is a social-engineering story used to extract information, not a domain trick.

Employees of a specific company are compromised after visiting an industry news site that attackers had quietly infected. This is an example of a:
Correct answer: A. A watering hole attack compromises a website the target group is known to frequent so victims infect themselves by normal browsing. Whaling is phishing aimed at executives, which is not what happened here. A logic bomb is malicious code that triggers on a condition, not a compromised website. A replay attack reuses captured authentication data, which is unrelated.

Which threat actor is typically best funded, most patient, and motivated by long-term espionage?
Correct answer: C. A nation-state actor, often described as an advanced persistent threat, has substantial resources and pursues stealthy, long-term espionage goals. A script kiddie uses prebuilt tools with little skill or funding. A hacktivist is driven by ideology and visibility rather than patient espionage. An accidental insider causes harm unintentionally and is not a funded adversary.

A disgruntled administrator plants code that will delete the payroll database if their account is ever disabled. This malicious code is a:
Correct answer: C. A logic bomb is dormant malicious code that executes when a specific condition is met, such as an account being removed. A worm self-propagates across systems, which is not described here. A Trojan disguises itself as legitimate software the user runs. A rootkit hides an attacker's presence and access rather than triggering a destructive payload on a condition.

Malware that self-replicates and spreads across a network with no user interaction is a:
Correct answer: B. A worm spreads on its own across networks without requiring a user to take action. A Trojan needs the user to run a disguised program. A ransomware dropper still typically relies on an initial delivery such as a phishing click. A keylogger records keystrokes and does not self-replicate.

An attacker captures a user's session cookie and reuses it to access an application as that user without knowing the password. This is best described as:
Correct answer: B. Session hijacking takes over an authenticated session, often by stealing and replaying a session cookie, so no password is needed. SQL injection manipulates database queries, which is not happening here. Privilege escalation raises an account's rights, but the attacker is impersonating an existing session rather than gaining new privileges. Directory traversal accesses files outside the web root and is unrelated.

A web form lets an attacker inject a script that runs in other users' browsers when they view a page. This vulnerability is:
Correct answer: A. Cross-site scripting injects malicious script that executes in other users' browsers, typically through unsanitized input reflected or stored on a page. A buffer overflow overwrites memory in an application, not script in a browser. ARP poisoning manipulates local network address resolution. DNS amplification is a volumetric denial-of-service technique, not script injection.

Which attack writes more data into a memory region than it was allocated, potentially overwriting adjacent memory and allowing code execution?
Correct answer: B. A buffer overflow writes beyond an allocated memory boundary, which can corrupt adjacent memory and let an attacker run arbitrary code. Cross-site request forgery tricks a browser into sending unwanted authenticated requests, not a memory overwrite. Phishing is social engineering, not a memory flaw. Credential stuffing reuses leaked username and password pairs, which is unrelated to memory.

An attacker uses lists of usernames and passwords leaked from one breach to try logging into many other unrelated sites. This is:
Correct answer: D. Credential stuffing reuses already-leaked username and password pairs across many sites, exploiting password reuse. Password spraying tries a few common passwords across many accounts, not leaked pairs. A dictionary attack guesses passwords from a wordlist against a target. Rainbow table cracking reverses captured hashes using precomputed tables, which is a different technique.

An attacker tries the single common password 'Spring2026!' against thousands of different accounts to avoid lockouts. This is:
Correct answer: A. Password spraying tries one or a few common passwords across many accounts, which avoids triggering per-account lockout thresholds. Credential stuffing uses leaked credential pairs, not a single guessed password. A birthday attack targets hash collisions, not login attempts. An on-path attack intercepts traffic and is unrelated to guessing passwords.

A vulnerability scan reports a flaw that does not actually exist on the target system. This result is a:
Correct answer: B. A false positive is an alert or finding for something that is not actually present, exactly as described. A true positive correctly flags a real flaw. A false negative misses a flaw that is genuinely present. A true negative correctly reports that nothing is wrong, which is also not this case.

A scanner fails to report a serious vulnerability that is actually present on the host. This is a:
Correct answer: D. A false negative occurs when a real vulnerability is present but the tool fails to detect it, which is the most dangerous outcome because the risk goes unnoticed. A false positive flags something that is not there. A true positive correctly detects a real issue, which did not happen here. A true negative correctly reports no issue, which is incorrect because an issue exists.

Which describes a supply chain attack?
Correct answer: A. A supply chain attack compromises a trusted supplier, library, or update mechanism so the malicious code reaches the supplier's many downstream customers. Repeated password guessing is a brute-force attack, not a supply chain compromise. Flooding a server is a denial-of-service attack. Encrypting files for ransom describes ransomware, a payload rather than the supply chain vector.

An attacker leaves USB drives loaded with malware in a company parking lot hoping employees plug them in. This social-engineering tactic relies on:
Correct answer: A. Baiting exploits curiosity by leaving tempting infected media that victims connect out of interest. Authority pressures victims by impersonating someone powerful, which is not the lure here. Scarcity pressures victims with limited-time offers, not abandoned drives. Encryption is a protective control, not a social-engineering principle.

Sending an urgent SMS text that pretends to be from a bank and asks the user to click a link is:
Correct answer: D. Smishing is phishing delivered through SMS text messages, which matches the scenario. Vishing uses voice phone calls rather than texts. Whaling targets senior executives specifically, regardless of channel. Tailgating is following someone through a physical door without authorization, which is unrelated.

An attacker follows an employee through a secured door without badging in. This physical attack is:
Correct answer: C. Tailgating is gaining physical entry by closely following an authorized person through a controlled door. Shoulder surfing is watching someone enter credentials or data. Dumpster diving recovers sensitive material from discarded trash. Pretexting is using a fabricated story to manipulate someone, not physically slipping through a door.

Which best mitigates the threat of stolen passwords being reused, even when the password itself is correct?
Correct answer: C. Multifactor authentication blocks reuse of a stolen password because the attacker still lacks the second factor. Longer expiration intervals leave a compromised password valid for more time, which is worse. Disabling account lockout makes guessing easier, not safer. Allowing password reuse across systems increases exposure when one set leaks.

A team subscribes to a feed of known malicious IP addresses, file hashes, and domains to improve detection. This is best described as:
Correct answer: D. Threat intelligence provides curated indicators such as malicious IPs, hashes, and domains that defenders use to detect and block known threats. A honeypot is a decoy system, not an indicator feed. A backout plan is a change-management rollback procedure. Data masking obscures sensitive data values and has nothing to do with threat indicators.

Which of the following is the strongest indicator that an account may be compromised?
Correct answer: D. Successful logins from geographically distant locations within minutes (impossible travel) strongly suggest the account is being used by more than one party. A normal morning login from the usual office is expected behavior. A self-service password reset at a kiosk is routine. A scheduled report running overnight as configured is expected automation, not a compromise sign.

An attacker overwhelms a target using many compromised devices across the internet to exhaust its resources. This is a:
Correct answer: A. A distributed denial-of-service attack uses many compromised hosts, often a botnet, to flood a target and exhaust its resources. Privilege escalation raises an account's rights, not a flood. Cross-site scripting injects browser scripts. Pass-the-hash reuses captured credential hashes to authenticate, which is unrelated to a traffic flood.

Which vulnerability arises when an application trusts data from the user without checking it, allowing unintended commands to run?
Correct answer: B. Improper input validation lets untrusted user data be processed as if safe, enabling injection and other attacks. Excessive logging is an operational concern, not the cause of injection. Strong encryption is a protective control, not a vulnerability. Network redundancy improves availability and has nothing to do with input handling.

An attacker exploits the gap between when a file's permissions are checked and when the file is used. This class of flaw is a:
Correct answer: C. A race condition, specifically time-of-check to time-of-use, exploits the window between validating a resource and using it. A buffer overflow overwrites memory boundaries, a different flaw. Phishing is social engineering, not a timing flaw. ARP poisoning manipulates local address resolution and is unrelated to check-versus-use timing.

Which describes a 'living off the land' technique used by attackers?
Correct answer: D. Living off the land abuses legitimate, already-present system tools such as PowerShell so activity blends in with normal administration and evades detection. Deploying a brand-new custom binary is the opposite, since unknown binaries are more likely to be flagged. Sending a phishing email is an initial access tactic, not the technique described. Physically stealing a laptop is a separate, non-software approach.

A purchased security appliance ships with the same default administrator password documented publicly. Failing to change it is an example of which vulnerability?
Correct answer: D. Leaving a publicly documented default credential in place is an insecure default configuration that attackers routinely exploit. End-of-life software refers to unsupported products no longer receiving patches, which is a different issue. Lack of redundancy affects availability, not credentials. Insufficient bandwidth is a performance concern unrelated to default settings.

Which mitigation most directly reduces the attack surface of a server?
Correct answer: D. Disabling services and ports that are not needed removes potential entry points, directly shrinking the attack surface. Installing many services does the opposite by adding exposure. Sharing the admin password widely increases risk and accountability problems. Turning off logging blinds defenders and weakens detection rather than reducing attack surface.

An attacker intercepts and resends a valid authentication message to gain access later. Adding a time-stamped, single-use value to each request best defends against this:
Correct answer: B. A replay attack reuses captured valid messages, and a single-use, time-bound value (a nonce or timestamp) makes a reused message invalid. Phishing is social engineering that a nonce does not address. A watering hole attack compromises a frequented website and dumpster diving recovers discarded information; neither is mitigated by single-use request values.

In the shared responsibility model for Infrastructure as a Service (IaaS), who is generally responsible for patching the guest operating system?
Correct answer: C. Under IaaS, the customer manages and patches the guest operating system and everything above it, while the provider secures the underlying infrastructure. The cloud provider's responsibility stops at the hypervisor and physical layer for IaaS. The internet service provider only carries connectivity and has no patching role. Operating systems do not patch themselves without action, so 'no one' is incorrect.

Which deployment model keeps an organization's most sensitive workloads on dedicated private infrastructure while using public cloud for less sensitive workloads?
Correct answer: C. A hybrid cloud combines private infrastructure for sensitive workloads with public cloud for others, matching the description. Pure public cloud places everything in shared provider infrastructure. On-premises only uses no public cloud at all. Single-tenant SaaS describes an application delivery model, not a mix of private and public placement.

A company wants to protect data so that even if a laptop is stolen, the stored files cannot be read. Which control is most appropriate?
Correct answer: A. Full-disk encryption renders the stored data unreadable without the key, protecting it if the device is stolen. A faster CPU has no security effect. A longer screen timeout actually increases exposure by leaving sessions open longer. More RAM improves performance, not data confidentiality at rest.

Which technology lets multiple isolated operating systems run on one physical host, improving resource use but introducing the hypervisor as a security boundary?
Correct answer: D. Virtualization runs multiple isolated guest systems on one host via a hypervisor, which becomes a critical security boundary. RAID provides disk redundancy, not multiple operating systems. Tokenization substitutes sensitive data values. Load balancing distributes traffic across servers and does not host multiple operating systems on one machine.

An organization needs to recover operations within four hours after a disaster. This four-hour target is the:
Correct answer: D. The recovery time objective is the maximum acceptable time to restore operations after a disruption, which is the four-hour target here. The recovery point objective measures acceptable data loss in time, not restoration speed. Mean time between failures estimates reliability of a component. A service level indicator is a measured metric, not a recovery target.

An organization can tolerate losing at most fifteen minutes of data in a failure. This fifteen-minute value is the:
Correct answer: B. The recovery point objective defines the maximum acceptable amount of data loss measured in time, which is the fifteen minutes described. The recovery time objective is about how fast service is restored, not data loss. Maximum tolerable downtime is the outer limit of outage the business can survive, a different measure. Annualized loss expectancy is a financial risk figure, not a data-loss window.

Which backup strategy keeps three copies of data on two different media with one copy offsite?
Correct answer: A. The 3-2-1 rule keeps three copies on two media types with one stored offsite, a widely used resilience guideline. RAID 0 stripes data for speed and provides no redundancy at all. Continuous deduplication reduces storage size but is not a copy-placement strategy. Hot-swappable disks allow replacement without downtime but do not define how many copies are kept.

A recovery site that has hardware and data ready and can take over operations almost immediately is a:
Correct answer: D. A hot site is fully equipped and continuously updated so it can assume operations almost immediately. A cold site provides space and power but no ready systems, requiring significant setup time. A warm site has some equipment but still needs configuration and data restoration before use. A mobile kiosk is not a standard disaster-recovery site classification.

Placing a load balancer in front of several identical web servers primarily improves which property?
Correct answer: C. A load balancer distributes traffic across multiple servers, improving availability and allowing the service to scale under load. It does not by itself add confidentiality protections. Non-repudiation concerns proof of actions, which a load balancer does not provide. Data classification is a governance activity unrelated to traffic distribution.

Which device inspects traffic and can actively block malicious packets inline, rather than only alerting?
Correct answer: D. An intrusion prevention system sits inline and can block malicious traffic, not just detect it. An intrusion detection system only observes and alerts without blocking. A syslog server collects log messages and takes no protective action. A network tap copies traffic for monitoring and cannot block anything. -
Which firewall type makes decisions based on application-layer content and can understand specific protocols like HTTP, rather than only ports and IP addresses?
Correct answer: D. A next-generation firewall inspects application-layer content and understands specific applications and protocols, going beyond ports and addresses. A basic packet-filtering firewall decides only on ports, addresses, and protocols at lower layers. A network switch forwards frames and does not filter by application content. A patch panel is passive cabling hardware with no inspection capability. -
A company segments its network so that the finance department's systems cannot directly reach the manufacturing floor's systems. The primary security benefit is:
Correct answer: D. Segmentation restricts how an attacker or malware can move between zones, limiting lateral movement after a breach. It does not increase internet bandwidth. It does not change password strength. It does not make backups faster; those are unrelated effects. -
Which approach to data protection replaces or hides specific fields, such as showing only the last four digits of a card number, so unauthorized viewers see limited data?
Correct answer: A. Data masking hides or partially obscures field values, such as revealing only the last four digits, so unauthorized viewers see limited data. Full-disk encryption protects an entire volume at rest but does not selectively mask fields for viewers. RAID striping is about disk performance and redundancy. Load balancing distributes traffic and is unrelated to field-level protection. -
An air-gapped system is one that:
Correct answer: C. An air-gapped system is isolated with no connection to untrusted networks, used to protect highly sensitive environments. Running only in the cloud is the opposite of physical isolation. Using two firewalls is layered filtering, not isolation. Encrypting disks protects data at rest but does not make a system air-gapped. -
Which is the best description of a virtual private network (VPN)?
Correct answer: D. A VPN creates an encrypted tunnel so traffic stays confidential and integrity-protected while crossing an untrusted network like the internet. A physical fence is a tangible barrier, not a network tunnel. A backup rotation schedule is an operational data-protection process. A password complexity policy governs credential strength, unrelated to tunneling traffic. -
A security architect wants to ensure a single hardware component failure does not take down a critical server. Which approach directly addresses this?
Correct answer: B. Redundant power supplies and disks remove single points of failure so one component failing does not stop the server. A stronger password policy addresses authentication, not hardware failure. Phishing tests reduce human-factor risk, not component failure. Longer log retention helps investigations but does nothing to prevent a hardware outage. -
Which embedded-system characteristic most often makes them harder to secure than general-purpose computers?
Correct answer: B. Embedded and IoT systems frequently have limited or infrequent update mechanisms and remain deployed for many years, which leaves vulnerabilities unpatched. They are usually harder, not easier, to patch. Many do connect to networks, expanding their exposure. Most cannot run full modern antivirus due to constrained resources, so that claim is false. -
Which describes a microsegmentation strategy in a modern data center?
Correct answer: B. Microsegmentation enforces fine-grained, workload-level access controls between individual systems, shrinking what a compromised host can reach. A single broad perimeter rule is the coarse model microsegmentation improves upon. Disabling internal logging reduces visibility and is counterproductive. Granting every workload full admin rights violates least privilege and increases risk. -
An organization stores a duplicate copy of critical data at a geographically distant site so a regional disaster cannot destroy both copies. This practice supports:
Correct answer: A. Keeping a duplicate at a distant site provides geographic redundancy so a single regional disaster cannot destroy all copies, improving resilience. It does not change encryption strength. It does not affect CPU performance. It is unrelated to password policy; the benefit is purely about surviving localized disasters. -
Which statement about a screened subnet (DMZ) is correct?
Correct answer: C. A screened subnet hosts internet-facing services in an isolated zone so a compromise there does not directly expose the internal network. It is not a backup repository. It works with firewalls rather than replacing them. It is not a place to store administrative passwords; that would be a serious misconfiguration. -
Which control best protects the confidentiality of data being sent between a browser and a web server?
Correct answer: D. TLS encrypts the connection between browser and server, protecting the confidentiality and integrity of data in transit. RAID 5 provides disk redundancy for the server, not transit protection. A clean desk policy addresses physical exposure of documents. Hourly server reboots affect availability behavior and do nothing for in-transit confidentiality. -
An organization adopts infrastructure as code so environments are defined in version-controlled templates. A key security benefit is:
Correct answer: B. Infrastructure as code produces consistent, repeatable deployments that can be reviewed and version-controlled, reducing drift and surprises. It reduces configuration drift rather than increasing it. It does not remove the need for logging. It discourages undocumented manual changes rather than encouraging them, since changes should flow through the code. -
Which process removes unnecessary software, closes unused ports, and tightens settings to reduce a system's exposure?
Correct answer: A. System hardening reduces exposure by removing unneeded software, closing unused ports, and tightening configuration. Threat hunting proactively searches for hidden threats but does not reconfigure systems. Data classification labels information by sensitivity. Risk transference shifts risk to a third party, such as insurance, and is not a system-configuration activity. -
A baseline configuration in security operations is best described as:
Correct answer: A. A baseline is a documented standard secure configuration that systems of a given type should match, making deviations easy to spot. A list of employees is unrelated personnel data. A security budget is a financial figure, not a configuration. A backup tape rotation is a data-protection schedule, not a configuration standard. -
In identity and access management, what does provisioning refer to?
Correct answer: D. Provisioning creates a user account and grants the appropriate access for that person's role. Deleting old log files is log maintenance, not account creation. Encrypting a database is a data-protection control. Running a vulnerability scan assesses weaknesses and is unrelated to granting user access. -
When an employee leaves the company, promptly disabling their accounts is called:
Correct answer: A. Deprovisioning removes or disables access when a user no longer needs it, such as at termination, closing a key risk. Provisioning is the opposite, granting access at onboarding. Federation lets identities be trusted across organizations and is unrelated to offboarding. Tokenization substitutes sensitive data values and has nothing to do with account removal. -
Which technology lets a user authenticate once and then access multiple connected applications without logging in again?
Correct answer: C. Single sign-on lets a user authenticate once and reach multiple connected applications without repeated logins. Full-disk encryption protects data at rest, not authentication flow. A demilitarized zone is a network segment for exposed services. A logic bomb is malicious code triggered by a condition and is unrelated to authentication. -
A company lets employees log in to a partner's cloud application using the company's own identity provider. This trust arrangement is:
Correct answer: D. Federation establishes trust so identities from one organization can authenticate to another's systems, as in this partner scenario. Air gapping is physical isolation, the opposite of cross-organization trust. RAID mirroring duplicates disks for redundancy. Steganography hides data within other data and is unrelated to identity trust. -
Which IAM concept grants a user temporary elevated rights only for a specific task and time, then revokes them?
Correct answer: A. Just-in-time privileged access grants elevated rights only when needed for a specific task and time, then revokes them, limiting standing privilege. Permanent administrator access leaves rights always available, increasing risk. Shared service accounts reduce accountability and are discouraged for interactive admin use. Disabled logging removes oversight and is unrelated to access duration. -
What is the main purpose of log aggregation in a security operations center?
Correct answer: C. Log aggregation gathers logs from many sources into a central place so analysts can search and correlate events efficiently. It is not about deleting logs faster. It does not replace a firewall, which is a network control. It does not encrypt passwords, which is an authentication-storage concern. -
Which tool automates and orchestrates routine incident-response actions, such as enriching alerts and isolating hosts, to speed up the SOC?
Correct answer: B. A SOAR platform automates and orchestrates response actions like enrichment and host isolation, reducing manual effort in the SOC. A RAID controller manages disk redundancy. A patch panel is passive cabling hardware. A UPS provides backup power. None of these automates response.
During incident response, which phase focuses on removing the threat, such as deleting malware and closing the exploited hole?
Correct answer: D. Eradication removes the threat itself, including deleting malware and closing the vulnerability that allowed it. Containment limits the spread first but does not remove the root cause. Preparation happens before any incident. Lessons learned is the final review phase after recovery, not the removal step.
Which incident-response phase ensures that what was learned is fed back to improve future defenses?
Correct answer: B. The lessons-learned phase reviews the incident and feeds improvements back into preparation and controls. Identification is about detecting and confirming the incident. Containment limits damage during the event. Eradication removes the threat but does not, by itself, capture and apply the broader improvements.
Maintaining a documented chain of custody for collected evidence is most important to:
Correct answer: B. Chain of custody documents who handled evidence and when, preserving its integrity and admissibility in legal or disciplinary proceedings. It has no effect on server uptime. It does not speed patch deployment. It is unrelated to electricity costs; its sole purpose is trustworthy evidence handling.
Which describes the purpose of a runbook (playbook) in security operations?
Correct answer: C. A runbook or playbook provides step-by-step procedures for handling a specific scenario consistently, such as a phishing report. A list of phone numbers is a contact resource, not a procedure set. A firewall rule is a network control, not a procedure document. An encryption algorithm transforms data and is unrelated to operational procedures.
Vulnerability management most importantly includes which ongoing activity after scanning?
Correct answer: A. Vulnerability management requires prioritizing and remediating the weaknesses that scans find, since scanning alone does not reduce risk. Ignoring findings leaves risk unaddressed. Disabling the scanner removes future visibility. Deleting scan reports destroys the records needed to track and verify remediation.
A CVSS score is used primarily to:
Correct answer: A. The Common Vulnerability Scoring System rates the severity of a vulnerability to help prioritize remediation. It does not measure bandwidth. It does not encrypt traffic. It does not authenticate users; it is purely a severity-rating framework.
Which approach validates that a patch did not break functionality before it is deployed broadly?
Correct answer: B. Testing a patch in a staging environment first verifies it works and does not break functionality before broad deployment. Deploying to all production at once risks widespread outages if the patch is faulty. Skipping testing increases the chance of breakage. Disabling rollback removes the safety net needed if something goes wrong.
Endpoint detection and response (EDR) primarily provides:
Correct answer: C. EDR continuously monitors endpoint activity and enables investigation and response to threats on those devices. Physical access control is handled by badges and locks, not EDR. Power redundancy is provided by UPS or generators. DNS hosting resolves names and is unrelated to endpoint monitoring.
Which is the best reason to use time synchronization (NTP) across systems in a SOC?
Correct answer: D. Consistent, synchronized clocks let analysts correlate events across systems because timestamps line up, which is essential for investigations. It has nothing to do with disk speed. It does not replace antivirus. It does not affect password length; its value is accurate cross-system timing.
An organization wants to prevent users from installing unapproved software. Which control achieves this most directly?
Correct answer: A. Application allowlisting permits only approved software to run, directly preventing unapproved installs from executing. A longer session timeout affects login sessions, not software installation. More disk space is a capacity matter. A faster network improves throughput and does nothing to restrict software.
What is the primary purpose of data loss prevention (DLP) tools?
Correct answer: B. Data loss prevention detects and blocks unauthorized transfer of sensitive data, such as exfiltration over email or USB. It does not balance server load. It does not provide power. It does not compress backups; its function is controlling sensitive-data movement.
Which authentication factor category does a fingerprint belong to?
Correct answer: A. A fingerprint is a biometric trait, so it is 'something you are.' 'Something you know' is knowledge such as a password or PIN. 'Something you have' is a possession like a token or phone. 'Somewhere you are' is a location-based factor, not a biometric one.
A one-time code generated by an authenticator app every thirty seconds is an example of which factor?
Correct answer: D. A code from an authenticator app proves possession of the registered device, so it is 'something you have.' 'Something you know' is a memorized secret, which a generated code is not. 'Something you are' is a biometric trait. A static password is a knowledge factor and is not the rotating code described.
Which practice reduces the risk that a single administrator can perform a sensitive action unilaterally without oversight?
Correct answer: A. Separation of duties splits a sensitive task across multiple people so no single person can complete it alone, reducing fraud and error. Disabling logging removes oversight rather than adding it. Sharing one admin account destroys accountability. Removing backups harms recoverability and does nothing to control a single administrator's power.
Forcing employees in sensitive roles to take time off so their activity can be reviewed by others is an example of:
Correct answer: A. Mandatory vacation requires sensitive-role staff to be away so others can review their work and detect concealed wrongdoing. Job rotation moves people between roles to spread knowledge and catch issues, which is related but is a different control. Least privilege limits access to what is needed, not time off. Tokenization is a data-protection technique unrelated to staffing controls.
Which monitoring approach watches for deviations from a known-good pattern of normal activity?
Correct answer: C. Anomaly-based detection flags deviations from an established baseline of normal behavior, which can catch novel threats. Signature-based detection matches known patterns and can miss new attacks. Manual log deletion destroys evidence and is not detection. Disabling alerts removes notifications entirely, the opposite of monitoring.
A security analyst proactively searches the environment for hidden threats that automated tools may have missed. This is called:
Correct answer: D. Threat hunting is the proactive search for hidden or undetected threats beyond what automated alerts surface. Patch management addresses known vulnerabilities through updates. Tokenization protects sensitive data values. Load balancing distributes traffic and is unrelated to actively searching for threats.
Which is the most secure way to handle a privileged service account's credentials?
Correct answer: D. Storing and rotating privileged credentials in a PAM vault controls access and limits exposure of these high-value accounts. Hard-coding credentials in scripts leaves them exposed in plaintext. Emailing them spreads the secret insecurely. Reusing one set across all systems means a single leak compromises everything.
After deploying a new secure baseline, what activity confirms systems still match it over time?
Correct answer: A. Continuous compliance monitoring repeatedly checks systems against the baseline so deviations are caught early. Configuration drift is the problem being detected, not the activity that confirms compliance. Disabling audits removes the very checks needed. Random password resets address credentials, not baseline conformance.
Which best describes the purpose of file integrity monitoring (FIM)?
Correct answer: A. File integrity monitoring alerts when protected files change unexpectedly, which can reveal tampering or compromise. It does not speed up downloads. It does not encrypt network traffic. It does not assign user roles; its function is detecting unauthorized file changes.
A SOC defines that critical alerts must be triaged within fifteen minutes. This commitment is best tracked as a:
Correct answer: C. A fifteen-minute triage commitment is a service level objective that measures and tracks response performance. A backup rotation schedules data copies, not response timing. A firewall rule controls network traffic. An encryption key protects data and is unrelated to response-time tracking.
Which describes the principle behind 'defense in depth' applied to security operations?
Correct answer: B. Defense in depth layers multiple independent controls so that if one fails, others still provide protection. Relying on a single control creates a single point of failure. Removing controls to cut cost weakens protection. Fully trusting all internal users contradicts modern operations and zero trust thinking.
What is the main benefit of network access control (NAC) when a device connects?
Correct answer: B. Network access control assesses a connecting device's posture, such as patch level or compliance, and grants or denies access based on policy. It does not encrypt hard drives. It does not schedule backups. It does not write incident reports; its role is admission control at connection time.
Which is the best first step when a workstation is suspected of active malware infection?
Correct answer: D. Isolating the suspected host from the network contains the threat and prevents spread while preserving the system for analysis. Reimaging immediately destroys evidence needed to understand the incident. Emailing everyone the details is poor handling and can tip off an insider. Turning off logging removes the records investigators need.
Which document is a high-level statement of management's intent and direction for security?
Correct answer: D. A security policy is the high-level statement of management's intent and direction that other documents support. A standard specifies mandatory technical or procedural requirements that implement policy. A procedure is the detailed step-by-step how-to. A guideline offers recommended but non-mandatory advice, so none of these is the top-level intent statement.
Which governance document specifies mandatory, measurable requirements, such as 'passwords must be at least 14 characters'?
Correct answer: B. A standard defines mandatory, measurable requirements that implement a policy, such as a specific minimum password length. A policy states intent at a high level without that level of specificity. A guideline is advisory and non-binding. A mission statement describes organizational purpose, not security requirements.
Calculating annualized loss expectancy (ALE) by multiplying single loss expectancy by annualized rate of occurrence is part of which approach?
Correct answer: B. Quantitative risk analysis assigns numeric values, computing ALE from single loss expectancy and annualized rate of occurrence. Qualitative analysis uses ratings like high, medium, and low rather than precise numbers. Penetration testing actively probes defenses, not financial loss math. Change management governs system changes and is unrelated to loss calculations.
An organization buys cyber insurance to handle the financial impact of a possible breach. This is an example of risk:
Correct answer: B. Buying insurance shifts the financial impact of the risk to a third party, which is risk transference. Acceptance means choosing to live with the risk and its consequences. Avoidance means not engaging in the risky activity at all. Mitigation reduces likelihood or impact through controls, which insurance by itself does not do.
A company decides to stop offering a feature entirely because its risk is too high to manage. This is risk:
Correct answer: C. Eliminating the risky activity entirely is risk avoidance. Acceptance would mean keeping the feature and tolerating the risk. Transference would shift the impact to a third party while still offering it. Mitigation would reduce the risk with controls rather than removing the feature.
Management reviews a residual risk and formally signs off to proceed without further controls. This is risk:
Correct answer: C. Formally signing off to proceed with the remaining risk is risk acceptance. Avoidance would stop the activity entirely. Transference would move the impact to another party. Escalation raises an issue to a higher authority but is not itself a risk-treatment decision.
Which agreement is a legally binding contract that defines confidentiality obligations between parties?
Correct answer: A. A non-disclosure agreement is a binding contract that defines confidentiality obligations between the parties. A service level agreement defines performance and availability commitments, not confidentiality. A memorandum of understanding expresses intent and is often non-binding. A business impact analysis assesses the effect of disruptions and is not an agreement.
A business impact analysis (BIA) primarily helps an organization:
Correct answer: C. A business impact analysis identifies critical functions and quantifies the impact if they are disrupted, informing recovery priorities. It is not about choosing a firewall vendor. It does not write malware signatures. It does not configure DNS; its focus is understanding disruption impact.
Which regulation governs the protection of personal data of individuals in the European Union?
Correct answer: A. The General Data Protection Regulation governs personal data protection for individuals in the European Union. HIPAA governs health information in the United States. PCI DSS is a payment-card industry standard, not a general data-protection law. SOX addresses financial reporting controls for public companies.
Which standard sets requirements for organizations that store, process, or transmit payment card data?
Correct answer: C. PCI DSS sets security requirements for entities handling payment card data. GDPR is a personal-data protection law, broader than payment cards. ISO 9001 addresses quality management, not security of card data. HIPAA covers protected health information, not payment cards.
An organization classifies data as Public, Internal, Confidential, and Restricted. The main purpose of data classification is to:
Correct answer: D. Data classification assigns sensitivity levels so that protection and handling match how sensitive each data set is. It has nothing to do with office seating. It does not increase internet speed. It does not select a backup vendor; its purpose is right-sizing protection to sensitivity.
Who is typically accountable for deciding how a specific set of data may be used and protected?
Correct answer: D. The data owner is accountable for decisions about how the data is classified, used, and protected. The data custodian implements and maintains the controls but does not set the policy decisions. The end user simply uses the data within granted permissions. The auditor independently evaluates controls and does not own usage decisions.
Who is responsible for implementing and maintaining the technical controls that protect data according to the owner's requirements?
Correct answer: A. The data custodian implements and maintains the technical controls that protect data as directed by the owner. The data owner sets requirements and is accountable, but typically does not perform the hands-on maintenance. A regulator enforces external rules, not internal control maintenance. A customer is an external party and does not maintain the organization's controls.
An independent assessment that verifies whether controls meet a defined standard and are operating effectively is a(n):
Correct answer: A. An audit independently verifies that controls meet a standard and operate effectively. A penetration test actively attacks systems to find exploitable weaknesses, a different purpose. A backup is a data-protection copy, not an assessment. A honeypot is a decoy system used for detection, not control verification.
Which best distinguishes a penetration test from a vulnerability scan?
Correct answer: B. A penetration test goes beyond identification by actively exploiting weaknesses to demonstrate real-world impact. Merely listing missing patches describes a scan, not a pen test. A vulnerability scan identifies issues but does not actively exploit them. The two are related but not identical, so calling them the same is wrong.
A vendor provides a report attesting to its security controls so customers do not each have to audit it directly. A common example is a:
Correct answer: B. A SOC 2 report attests to a service provider's controls so customers can rely on it instead of auditing the vendor themselves. A DNS record maps names to addresses and has no assurance role. A RAID array is storage redundancy hardware. A phishing simulation tests employees, not vendor controls.
When onboarding a new cloud provider, reviewing its certifications, breach history, and security posture is part of:
Correct answer: A. Reviewing a provider's certifications, breach history, and posture before use is third-party risk management. Disk defragmentation is a storage-maintenance task. Password rotation is a credential-hygiene control. Log compression saves storage space and is unrelated to evaluating a vendor's risk.
Which metric expresses how often a given threat is expected to occur in a year for quantitative risk analysis?
Correct answer: D. The annualized rate of occurrence estimates how many times a threat is expected to happen per year. Single loss expectancy is the cost of one occurrence, not its frequency. Recovery time objective is a restoration-time target. Mean time to repair measures how long a fix takes, not how often an event occurs.
Which document records who is allowed to access what data and is reviewed periodically to remove unnecessary access?
Correct answer: C. An access or entitlement review periodically checks who has access to what and removes access that is no longer needed. A network diagram depicts topology, not entitlements. A backup catalog lists backup contents, not user access. A threat feed lists malicious indicators and is unrelated to access governance.
A company maps its controls to a recognized framework like the NIST Cybersecurity Framework primarily to:
Correct answer: C. Mapping to a framework like the NIST CSF gives a structured, consistent approach to managing and communicating cyber risk. No framework can guarantee zero breaches. A framework guides controls rather than replacing technical ones. It does not eliminate the need for staff; people still operate the program.
Which is the best example of measuring the effectiveness of a security-awareness program?
Correct answer: B. Tracking the phishing-simulation click rate over time shows whether awareness is actually improving behavior. Counting emails sent measures activity, not effectiveness. Server uptime is an availability metric unrelated to awareness. Counting firewall rules measures configuration size, not human behavior change.
An acceptable use policy (AUP) primarily defines:
Correct answer: A. An acceptable use policy sets out what employees may and may not do with company systems and data. It does not describe how servers are wired, which is an infrastructure detail. It does not specify an encryption algorithm, which is a technical standard. It does not define a backup rotation schedule, which is an operational procedure.
Which regulation primarily governs the protection of patient health information in the United States?
Correct answer: B. HIPAA governs the protection of patient health information in the United States. GDPR is the European Union's general personal-data law, not US health-specific. PCI DSS covers payment card data. ISO 27001 is an information-security management standard, not a US health-data regulation.
What is the primary goal of an exit interview's security component when an employee leaves?
Correct answer: C. The security side of an exit interview recovers company assets such as badges and laptops and confirms that access has been revoked, closing offboarding risk. Negotiating salary is an HR matter unrelated to security. Installing antivirus on personal devices is not part of standard offboarding. Scheduling a penetration test is a separate assessment activity, not an offboarding step.
Practice questions FAQ
- Are these real SY0-701 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.