If you are looking for free SY0-701 dumps than here we have some sample question answers available. You can prepare from our CompTIA SY0-701 exam questions notes and prepare exam with this practice test. Check below our updated SY0-701 exam dumps.
DumpsGroup are top class study material providers and our inclusive range of SY0-701 Real exam questions would be your key to success in CompTIA CompTIA Security+ Certification Exam in just first attempt. We have an excellent material covering almost all the topics of CompTIA SY0-701 exam. You can get this material in CompTIA SY0-701 PDF and SY0-701 practice test engine formats designed similar to the Real Exam Questions. Free SY0-701 questions answers and free CompTIA SY0-701 study material is available here to get an idea about the quality and accuracy of our study material.
Sample Question 4
Which of the following incident response activities ensures evidence is properly handied?
A. E-discovery B. Chain of custody C. Legal hold D. Preservation
Answer: B
Explanation: Chain of custody is the process of documenting and preserving the integrity
of evidence collected during an incident response. It involves recording the details of each
person who handled the evidence, the time and date of each transfer, and the location
where the evidence was stored. Chain of custody ensures that the evidence is admissible
in legal proceedings and can be traced back to its source. E-discovery, legal hold, and
preservation are related concepts, but they do not ensure evidence is properly
Sample Question 5
Which of the following would help ensure a security analyst is able to accurately measurethe overall risk to an organization when a new vulnerability is disclosed?
A. A full inventory of all hardware and software B. Documentation of system classifications C. A list of system owners and their departments D. Third-party risk assessment documentation
Answer: A
Explanation: A full inventory of all hardware and software is essential for measuring the
overall risk to an organization when a new vulnerability is disclosed, because it allows the
security analyst to identify which systems are affected by the vulnerability and prioritize the
remediation efforts. Without a full inventory, the security analyst may miss some vulnerable systems or waste time and resources on irrelevant ones. Documentation of system
classifications, a list of system owners and their departments, and third-party risk
assessment documentation are all useful for risk management, but they are not sufficient to
measure the impact of a new vulnerability. References: CompTIA Security+ Study Guide:
A company must ensure sensitive data at rest is rendered unreadable. Which of thefollowing will the company most likely use?
A. Hashing B. Tokenization C. Encryption D. Segmentation
Answer: C
Explanation: Encryption is a method of transforming data in a way that makes it
unreadable without a secret key necessary to decrypt the data back into plaintext.
Encryption is one of the most common and effective ways to protect data at rest, as it
prevents unauthorized access, modification, or theft of the data. Encryption can be applied
to different types of data at rest, such as block storage, object storage, databases,
archives, and so on. Hashing, tokenization, and segmentation are not methods of rendering
data at rest unreadable, but rather of protecting data in other ways. Hashing is a one-way
function that generates a fixed-length output, called a hash or digest, from an input, such
that the input cannot be recovered from the output. Hashing is used to verify the integrity
and authenticity of data, but not to encrypt it. Tokenization is a process that replaces
sensitive data with non-sensitive substitutes, called tokens, that have no meaning or value
on their own. Tokenization is used to reduce the exposure and compliance scope of
sensitive data, but not to encrypt it. Segmentation is a technique that divides a network or a
system into smaller, isolated units, called segments, that have different levels of access
and security. Segmentation is used to limit the attack surface and contain the impact of a
breach, but not to encrypt data at rest. References: CompTIA Security+ Study Guide:
Exam SY0-701, 9th Edition, pages 77-781; Protecting data at rest - Security Pillar3
Sample Question 7
Visitors to a secured facility are required to check in with a photo ID and enter the facilitythrough an access control vestibule Which of the following but describes this form ofsecurity control?
A. Physical B. Managerial C. Technical D. Operational
Answer: A
Explanation: A physical security control is a device or mechanism that prevents
unauthorized access to a physical location or asset. An access control vestibule, also
known as a mantrap, is a physical security control that consists of a small space with two
sets of interlocking doors, such that the first set of doors must close before the second set
opens. This prevents unauthorized individuals from following authorized individuals into the
facility, a practice known as piggybacking or tailgating. A photo ID check is another form of
physical security control that verifies the identity of visitors. Managerial, technical, and
operational security controls are not directly related to physical access, but rather to
policies, procedures, systems, and processes that support security
objectives. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition,
page 341; Mantrap (access control) - Wikipedia2
Sample Question 8
A security analyst receives alerts about an internal system sending a large amount ofunusual DNS queries to systems on the internet over short periods of time during nonbusinesshours. Which of the following is most likely occurring?
A. A worm is propagating across the network. B. Data is being exfiltrated. C. A logic bomb is deleting data. D. Ransomware is encrypting files.
Answer: B
Explanation: Data exfiltration is a technique that attackers use to steal sensitive data from
a target system or network by transmitting it through DNS queries and responses. This
method is often used in advanced persistent threat (APT) attacks, in which attackers seek
to persistently evade detection in the target environment. A large amount of unusual DNS
queries to systems on the internet over short periods of time during non-business hours is
a strong indicator of data exfiltration. A worm, a logic bomb, and ransomware would not
use DNS queries to communicate with their command and control servers or perform their
malicious actions. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th
Edition, page 487; Introduction to DNS Data Exfiltration; Identifying a DNS Exfiltration
Attack That Wasn’t Real — This Time
Sample Question 9
A company is planning a disaster recovery site and needs to ensure that a single naturaldisaster would not result in the complete loss of regulated backup data. Which of thefollowing should the company consider?
A. Geographic dispersion B. Platform diversity C. Hot site D. Load balancing
Answer: A
Explanation: Geographic dispersion is the practice of having backup data stored in
different locations that are far enough apart to minimize the risk of a single natural disaster
affecting both sites. This ensures that the company can recover its regulated data in case
of a disaster at the primary site. Platform diversity, hot site, and load balancing are not
directly related to the protection of backup data from natural
A company is working with a vendor to perform a penetration test Which of the followingincludes an estimate about the number of hours required to complete the engagement?
A. SOW B. BPA C. SLA D. NDA
Answer: A
Explanation: A statement of work (SOW) is a document that defines the scope, objectives,
deliverables, timeline, and costs of a project or service. It typically includes an estimate of
the number of hours required to complete the engagement, as well as the roles and
responsibilities of the parties involved. A SOW is often used for penetration testing projects
to ensure that both the client and the vendor have a clear and mutual understanding of
what is expected and how the work will be performed. A business partnership agreement
(BPA), a service level agreement (SLA), and a non-disclosure agreement (NDA) are
different types of contracts that may be related to a penetration testing project, but they do
not include an estimate of the number of hours required to complete the
engagement. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition,
page 492; What to Look For in a Penetration Testing Statement of Work?
Sample Question 11
Which of the following teams combines both offensive and defensive testing techniques toprotect an organization's critical systems?
A. Red B. Blue C. Purple D. Yellow
Answer: C
Explanation: Purple is the team that combines both offensive and defensive testing
techniques to protect an organization’s critical systems. Purple is not a separate team, but
rather a collaboration between the red team and the blue team. The red team is the
offensive team that simulates attacks and exploits vulnerabilities in the organization’s
systems. The blue team is the defensive team that monitors and protects the organization’s
systems from real and simulated threats. The purple team exists to ensure and maximize
the effectiveness of the red and blue teams by integrating the defensive tactics and controls from the blue team with the threats and vulnerabilities found by the red team into a
single narrative that improves the overall security posture of the organization. Red, blue,
and yellow are other types of teams involved in security testing, but they do not combine
both offensive and defensive techniques. The yellow team is the team that builds software
solutions, scripts, and other programs that the blue team uses in the security
Which of the following describes the maximum allowance of accepted risk?
A. Risk indicator B. Risk level C. Risk score D. Risk threshold
Answer: D
Explanation: Risk threshold is the maximum amount of risk that an organization is willing
to accept for a given activity or decision. It is also known as risk appetite or risk tolerance. Risk threshold helps an organization to prioritize and allocate resources for risk
management. Risk indicator, risk level, and risk score are different ways of measuring or
expressing the likelihood and impact of a risk, but they do not describe the maximum
allowance of accepted risk. References: CompTIA Security+ Study Guide: Exam SY0-701,
9th Edition, page 34; Accepting Risk: Definition, How It Works, and Alternatives
Sample Question 13
The local administrator account for a company's VPN appliance was unexpectedly used tolog in to the remote management interface. Which of the following would have most likelyprevented this from happening'?
A. Using least privilege B. Changing the default password C. Assigning individual user IDs D. Reviewing logs more frequently
Answer: B
Explanation:
Changing the default password for the local administrator account on a VPN appliance is a
basic security measure that would have most likely prevented the unexpected login to the
remote management interface. Default passwords are often easy to guess or publicly
available, and attackers can use them to gain unauthorized access to devices and
systems. Changing the default password to a strong and unique one reduces the risk of
brute-force attacks and credential theft. Using least privilege, assigning individual user IDs,
and reviewing logs more frequently are also good security practices, but they are not as
effective as changing the default password in preventing the unexpected
116; Local Admin Accounts - Security Risks and Best Practices (Part 1)
Sample Question 14
A systems administrator is changing the password policy within an enterprise environmentand wants this update implemented on all systems as quickly as possible. Which of thefollowing operating system security measures will the administrator most likely use?
A. Deploying PowerShell scripts B. Pushing GPO update C. Enabling PAP D. Updating EDR profiles
Answer: B
Explanation: A group policy object (GPO) is a mechanism for applying configuration
settings to computers and users in an Active Directory domain. By pushing a GPO update,
the systems administrator can quickly and uniformly enforce the new password policy
across all systems in the domain. Deploying PowerShell scripts, enabling PAP, and
updating EDR profiles are not the most efficient or effective ways to change the password
policy within an enterprise environment. References: CompTIA Security+ Study Guide:
An employee receives a text message from an unknown number claiming to be thecompany's Chief Executive Officer and asking the employee to purchase several gift cards.Which of the following types of attacks does this describe?
A. Vishing B. Smishing C. Pretexting D. Phishing
Answer: B
Explanation: Smishing is a type of phishing attack that uses text messages or common
messaging apps to trick victims into clicking on malicious links or providing personal
information. The scenario in the question describes a smishing attack that uses pretexting,
which is a form of social engineering that involves impersonating someone else to gain
trust or access. The unknown number claims to be the company’s CEO and asks the
employee to purchase gift cards, which is a common scam tactic. Vishing is a similar type
of attack that uses phone calls or voicemails, while phishing is a broader term that covers
any email-based attack. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th
Edition, page 771; Smishing vs. Phishing: Understanding the Differences2
Sample Question 16
A systems administrator set up a perimeter firewall but continues to notice suspiciousconnections between internal endpoints. Which of the following should be set up in order tomitigate the threat posed by the suspicious activity?
A. Host-based firewall B. Web application firewall C. Access control list D. Application allow listc
Answer: A
Explanation: A host-based firewall is a software application that runs on an individual
endpoint and filters the incoming and outgoing network traffic based on a set of rules. A
host-based firewall can help to mitigate the threat posed by suspicious connections
between internal endpoints by blocking or allowing the traffic based on the source,
destination, port, protocol, or application. A host-based firewall is different from a web
application firewall, which is a type of firewall that protects web applications from common
web-based attacks, such as SQL injection, cross-site scripting, and session hijacking. A
host-based firewall is also different from an access control list, which is a list of rules that
control the access to network resources, such as files, folders, printers, or routers. A hostbased
firewall is also different from an application allow list, which is a list of applications
that are authorized to run on an endpoint, preventing unauthorized or malicious
applications from executing. References: CompTIA Security+ Study Guide: Exam SY0-701,
9th Edition, page 254
Sample Question 17
A company is developing a critical system for the government and storing projectinformation on a fileshare. Which of the following describes how this data will most likely beclassified? (Select two).
A. Private B. Confidential C. Public D. Operational E. Urgent F. Restricted
Answer: B,F
Explanation:
Data classification is the process of assigning labels to data based on its sensitivity and
business impact. Different organizations and sectors may have different data classification
schemes, but a common one is the following1:
Public: Data that can be freely disclosed to anyone without any harm or risk.
Private: Data that is intended for internal use only and may cause some harm or
risk if disclosed.
Confidential: Data that is intended for authorized use only and may cause
significant harm or risk if disclosed.
Restricted: Data that is intended for very limited use only and may cause severe
harm or risk if disclosed.
In this scenario, the company is developing a critical system for the government and storing
project information on a fileshare. This data is likely to be classified as confidential and
restricted, because it is not meant for public or private use, and it may cause serious
damage to national security or public safety if disclosed. The government may also have
specific requirements or regulations for handling such data, such as encryption, access
control, and auditing2. References: 1: CompTIA Security+ Study Guide: Exam SY0-701,
9th Edition, page 16-17 2: Data Classification Practices: Final Project Description Released
Sample Question 18
A network manager wants to protect the company's VPN by implementing multifactorauthentication that uses:. Something you know. Something you have. Something you areWhich of the following would accomplish the manager's goal?
A. Domain name, PKI, GeolP lookup B. VPN IP address, company ID, facial structure C. Password, authentication token, thumbprint D. Company URL, TLS certificate, home address
Answer: C
Explanation:
The correct answer is C. Password, authentication token, thumbprint. This combination of
authentication factors satisfies the manager’s goal of implementing multifactor
authentication that uses something you know, something you have, and something you
are.
Something you know is a type of authentication factor that relies on the user’s
knowledge of a secret or personal information, such as a password, a PIN, or a
security question. A password is a common example of something you know that
can be used to access a VPN12
Something you have is a type of authentication factor that relies on the user’s
possession of a physical object or device, such as a smart card, a token, or a
smartphone. An authentication token is a common example of something you have
that can be used to generate a one-time password (OTP) or a code that can be
used to access a VPN12
Something you are is a type of authentication factor that relies on the user’s
biometric characteristics, such as a fingerprint, a face, or an iris. A thumbprint is a
common example of something you are that can be used to scan and verify the
user’s identity to access a VPN12
References:
1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Identity and
Edition, Chapter 4: Identity and Access Management, page 179
Sample Question 19
After a recent ransomware attack on a company's system, an administrator reviewed thelog files. Which of the following control types did the administrator use?
A. Compensating B. Detective C. Preventive D. Corrective
Answer: B
Explanation: Detective controls are security measures that are designed to identify and
monitor any malicious activity or anomalies on a system or network. They can help to
discover the source, scope, and impact of an attack, and provide evidence for further
analysis or investigation. Detective controls include log files, security audits, intrusion
detection systems, network monitoring tools, and antivirus software. In this case, the
administrator used log files as a detective control to review the ransomware attack on the
company’s system. Log files are records of events and activities that occur on a system or
network, such as user actions, system errors, network traffic, and security alerts. They can
provide valuable information for troubleshooting, auditing, and forensics.
References:
Security+ (Plus) Certification | CompTIA IT Certifications, under “About the exam”,
bullet point 3: “Operate with an awareness of applicable regulations and policies,
including principles of governance, risk, and compliance.”
14: “Detective controls are designed to identify and monitor any malicious activity
or anomalies on a system or network.”
Control Types – CompTIA Security+ SY0-401: 2.1 - Professor Messer IT …, under
“Detective Controls”: “Detective controls are security measures that are designed
to identify and monitor any malicious activity or anomalies on a system or
network.”
Sample Question 20
A user is attempting to patch a critical system, but the patch fails to transfer. Which of thefollowing access controls is most likely inhibiting the transfer?
A. Attribute-based B. Time of day C. Role-based D. Least privilege
Answer: D
Explanation: The least privilege principle states that users and processes should only
have the minimum level of access required to perform their tasks. This helps to prevent
unauthorized or unnecessary actions that could compromise security. In this case, the
patch transfer might be failing because the user or process does not have the appropriate
permissions to access the critical system or the network resources needed for the
transfer. Applying the least privilege principle can help to avoid this issue by granting the
user or process the necessary access rights for the patching
An administrator finds that all user workstations and servers are displaying a message thatis associated with files containing an extension of .ryk. Which of the following types ofinfections is present on the systems?
A. Virus B. Trojan C. Spyware D. Ransomware
Answer: D
Explanation: Ransomware is a type of malware that encrypts the victim’s files and
demands a ransom for the decryption key. The ransomware usually displays a message on
the infected system with instructions on how to pay the ransom and recover the files. The
.ryk extension is associated with a ransomware variant called Ryuk, which targets large
After reviewing the following vulnerability scanning report:Server:192.168.14.6Service: TelnetPort: 23 Protocol: TCPStatus: Open Severity: HighVulnerability: Use of an insecure network protocolA security analyst performs the following test:nmap -p 23 192.168.14.6 —script telnet-encryptionPORT STATE SERVICE REASON23/tcp open telnet syn-ackI telnet encryption:| _ Telnet server supports encryptionWhich of the following would the security analyst conclude for this reported vulnerability?
A. It is a false positive. B. A rescan is required. C. It is considered noise. D. Compensating controls exist.
Answer: A
Explanation:
A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service on port 23 is open
and uses an insecure network protocol. However, the security analyst performs a test using
nmap and a script that checks for telnet encryption support. The result shows that the telnet
server supports encryption, which means that the data transmitted between the client and
the server can be protected from eavesdropping. Therefore, the reported vulnerability is a
false positive and does not reflect the actual security posture of the server. The security
analyst should verify the encryption settings of the telnet server and client and ensure that
they are configured properly3. References: 3: Telnet Protocol - Can You Encrypt Telnet?
Sample Question 23
An organization would like to store customer data on a separate part of the network that isnot accessible to users on the main corporate network. Which of the following should theadministrator use to accomplish this goal?
A. Segmentation B. Isolation C. Patching D. Encryption
Answer: A
Explanation: Segmentation is a network design technique that divides the network into
smaller and isolated segments based on logical or physical boundaries. Segmentation can help improve network security by limiting the scope of an attack, reducing the attack
surface, and enforcing access control policies. Segmentation can also enhance network
performance, scalability, and manageability. To accomplish the goal of storing customer
data on a separate part of the network, the administrator can use segmentation
technologies such as subnetting, VLANs, firewalls, routers, or
An organization is struggling with scaling issues on its VPN concentrator and internet circuitdue to remote work. The organization is looking for a software solution that will allow it toreduce traffic on the VPN and internet circuit, while still providing encrypted tunnel accessto the data center and monitoring of remote employee internet traffic. Which of the followingwill help achieve these objectives?
A. Deploying a SASE solution to remote employees B. Building a load-balanced VPN solution with redundant internet C. Purchasing a low-cost SD-WAN solution for VPN traffic D. Using a cloud provider to create additional VPN concentrators
Answer: A
Explanation: SASE stands for Secure Access Service Edge. It is a cloud-based service
that combines network and security functions into a single integrated solution. SASE can
help reduce traffic on the VPN and internet circuit by providing secure and optimized
access to the data center and cloud applications for remote employees. SASE can also monitor and enforce security policies on the remote employee internet traffic, regardless of
their location or device. SASE can offer benefits such as lower costs, improved
performance, scalability, and flexibility compared to traditional VPN
A company's end users are reporting that they are unable to reach external websites. Afterreviewing the performance data for the DNS severs, the analyst discovers that the CPU,disk, and memory usage are minimal, but the network interface is flooded with inboundtraffic. Network logs show only a small number of DNS queries sent to this server. Which ofthe following best describes what the security analyst is seeing?
A. Concurrent session usage B. Secure DNS cryptographic downgrade C. On-path resource consumption D. Reflected denial of service
Answer: D
Explanation: A reflected denial of service (RDoS) attack is a type of DDoS attack that
uses spoofed source IP addresses to send requests to a third-party server, which then
sends responses to the victim server. The attacker exploits the difference in size between
the request and the response, which can amplify the amount of traffic sent to the victim
server. The attacker also hides their identity by using the victim’s IP address as the source.
A RDoS attack can target DNS servers by sending forged DNS queries that generate large
DNS responses. This can flood the network interface of the DNS server and prevent it from
serving legitimate requests from end users. References: CompTIA Security+ Study Guide:
Exam SY0-701, 9th Edition, page 215-216 1
Sample Question 26
Which of the following security concepts is the best reason for permissions on a humanresources fileshare to follow the principle of least privilege?
A. Integrity B. Availability C. Confidentiality D. Non-repudiation
Answer: C
Explanation: Confidentiality is the security concept that ensures data is protected from
unauthorized access or disclosure. The principle of least privilege is a technique that grants
users or systems the minimum level of access or permissions that they need to perform
their tasks, and nothing more. By applying the principle of least privilege to a human
resources fileshare, the permissions can be restricted to only those who have a legitimate
need to access the sensitive data, such as HR staff, managers, or auditors. This can
prevent unauthorized users, such as hackers, employees, or contractors, from accessing,
copying, modifying, or deleting the data. Therefore, the principle of least privilege can
enhance the confidentiality of the data on the fileshare. Integrity, availability, and nonrepudiation
are other security concepts, but they are not the best reason for permissions on
a human resources fileshare to follow the principle of least privilege. Integrity is the security concept that ensures data is accurate and consistent, and protected from unauthorized
modification or corruption. Availability is the security concept that ensures data is
accessible and usable by authorized users or systems when needed. Non-repudiation is
the security concept that ensures the authenticity and accountability of data and actions,
and prevents the denial of involvement or responsibility. While these concepts are also
important for data security, they are not directly related to the level of access or
permissions granted to users or systems. References: CompTIA Security+ Study Guide:
Exam SY0-701, 9th Edition, page 16-17, 372-373
Sample Question 27
Which of the following is the most common data loss path for an air-gapped network?
A. Bastion host B. Unsecured Bluetooth C. Unpatched OS D. Removable devices
Answer: D
Explanation: An air-gapped network is a network that is physically isolated from other
networks, such as the internet, to prevent unauthorized access and data leakage.
However, an air-gapped network can still be compromised by removable devices, such as
USB drives, CDs, DVDs, or external hard drives, that are used to transfer data between the
air-gapped network and other networks. Removable devices can carry malware, spyware,
or other malicious code that can infect the air-gapped network or exfiltrate data from
it. Therefore, removable devices are the most common data loss path for an air-gapped
network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition,
Chapter 9: Network Security, page 449 1
Sample Question 28
An administrator discovers that some files on a database server were recently encrypted.The administrator sees from the security logs that the data was last accessed by a domainuser. Which of the following best describes the type of attack that occurred?
A. Insider threat B. Social engineering C. Watering-hole D. Unauthorized attacker
Answer: A
Explanation: An insider threat is a type of attack that originates from someone who has
legitimate access to an organization’s network, systems, or data. In this case, the domain
user who encrypted the files on the database server is an example of an insider threat, as
they abused their access privileges to cause harm to the organization. Insider threats can
be motivated by various factors, such as financial gain, revenge, espionage, or sabotage.
