CompTIA

SY0-701 Exam
CompTIA Security+

Questions & Answers

(Demo Version - Limited Content)

Thank you for Downloading SY0-701 exam PDF Demo

Get Full File:

https://www.certsland.com/sy0-701-dumps/

www.certsland.com
Questions & Answers PDF Page 2

Version:12.0

Question: 1

Which of the following threat actors is the most likely to be hired by a foreign government to attack
critical systems located in other countries?

A. Hacktivist
B. Whistleblower
C. Organized crime
D. Unskilled attacker

Answer: C

Explanation:
Organized crime is a type of threat actor that is motivated by financial gain and often operates across
national borders. Organized crime groups may be hired by foreign governments to conduct
cyberattacks on critical systems located in other countries, such as power grids, military networks, or
financial institutions. Organized crime groups have the resources, skills, and connections to carry out
sophisticated and persistent attacks that can cause significant damage and
disruption12. Reference 1: Threat Actors - CompTIA Security+ SY0-701 - 2.1 2: CompTIA Security+
SY0-701 Certification Study Guide

Question: 2

Which of the following is used to add extra complexity before using a one-way data transformation
algorithm?

A. Key stretching
B. Data masking
C. Steganography
D. Salting

Answer: D

www.certsland.com
Questions & Answers PDF Page 3

Explanation:
Salting is the process of adding extra random data to a password or other data before applying a one-
way data transformation algorithm, such as a hash function. Salting increases the complexity and
randomness of the input data, making it harder for attackers to guess or crack the original data using
precomputed tables or brute force methods. Salting also helps prevent identical passwords from
producing identical hash values, which could reveal the passwords to attackers who have access to
the hashed data. Salting is commonly used to protect passwords stored in databases or transmitted
over networks. Reference:
Passwords technical overview
Encryption, hashing, salting – what’s the difference?
Salt (cryptography)

Question: 3

An employee clicked a link in an email from a payment website that asked the employee to update
contact information. The employee entered the log-in information but received a “page not found”
error message. Which of the following types of social engineering attacks occurred?

A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing

Answer: D

Explanation:
Phishing is a type of social engineering attack that involves sending fraudulent emails that appear to
be from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of
phishing is to trick the recipients into clicking on malicious links, opening malicious attachments, or
providing sensitive information, such as log-in credentials, personal data, or financial details. In this
scenario, the employee received an email from a payment website that asked the employee to
update contact information. The email contained a link that directed the employee to a fake website
that mimicked the appearance of the real one. The employee entered the log-in information, but
received a “page not found” error message. This indicates that the employee fell victim to a phishing
attack, and the attacker may have captured the employee’s credentials for the payment
website. Reference: Other Social Engineering Attacks – CompTIA Security+ SY0-701 – 2.2, CompTIA
Security+: Social Engineering Techniques & Other Attack … - NICCS, [CompTIA Security+ Study Guide
with over 500 Practice Test Questions: Exam SY0-701, 9th Edition]

Question: 4

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound
DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the
following firewall ACLs will accomplish this goal?

A. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25 32
0.0.0.0/0 port 53

www.certsland.com
Questions & Answers PDF Page 4

B. Access list outbound permit 0.0.0.0/0 10.50.10.25 32 port 53 Access list outbound deny 0.0.0.0 0
0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0
10.50.10.25 32 port 53
D. Access list outbound permit 10.50.10.25 32 0.0.0.0/0 port 53 Access list outbound deny
0.0.0.0.0.0.0.0.0/0 port 53

Answer: D

Explanation:
The correct answer is D because it allows only the device with the IP address 10.50.10.25 to send
outbound DNS requests on port 53, and denies all other devices from doing so. The other options are
incorrect because they either allow all devices to send outbound DNS requests (A and C), or they
allow no devices to send outbound DNS requests (B). Reference: You can learn more about firewall
ACLs and DNS in the following resources:
CompTIA Security+ SY0-701 Certification Study Guide, Chapter 4: Network Security1
Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 3.2: Firewall Rules2
TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 6: Network Security, Lecture 28: Firewall
Rules3

Question: 5

A data administrator is configuring authentication for a SaaS application and would like to reduce the
number of credentials employees need to maintain. The company prefers to use domain credentials
to access new SaaS applications. Which of the following methods would allow this functionality?

A. SSO
B. LEAP
C. MFA
D. PEAP

Answer: A

Explanation:
SSO stands for single sign-on, which is a method of authentication that allows users to access
multiple applications or services with one set of credentials. SSO reduces the number of credentials
employees need to maintain and simplifies the login process. SSO can also improve security by
reducing the risk of password reuse, phishing, and credential theft. SSO can be implemented using
various protocols, such as SAML, OAuth, OpenID Connect, and Kerberos, that enable the exchange of
authentication information between different domains or systems. SSO is commonly used for
accessing SaaS applications, such as Office 365, Google Workspace, Salesforce, and others, using
domain credentials123.
B . LEAP stands for Lightweight Extensible Authentication Protocol, which is a Cisco proprietary
protocol that provides authentication for wireless networks. LEAP is not related to SaaS applications
or domain credentials4.
C . MFA stands for multi-factor authentication, which is a method of authentication that requires
users to provide two or more pieces of evidence to prove their identity. MFA can enhance security by

www.certsland.com
Questions & Answers PDF Page 5

adding an extra layer of protection beyond passwords, such as tokens, biometrics, or codes. MFA is
not related to SaaS applications or domain credentials, but it can be used in conjunction with SSO.
D . PEAP stands for Protected Extensible Authentication Protocol, which is a protocol that provides
secure authentication for wireless networks. PEAP uses TLS to create an encrypted tunnel between
the client and the server, and then uses another authentication method, such as MS-CHAPv2 or EAP-
GTC, to verify the user’s identity. PEAP is not related to SaaS applications or domain credentials.
Reference 1: Security+ (SY0-701) Certification Study Guide | CompTIA IT Certifications 2: What is
Single Sign-On (SSO)? - Definition from WhatIs.com 3: Single sign-on - Wikipedia 4: Lightweight
Extensible Authentication Protocol - Wikipedia : What is Multi-Factor Authentication (MFA)? -
Definition from WhatIs.com : Protected Extensible Authentication Protocol - Wikipedia

Question: 6

Which of the following scenarios describes a possible business email compromise attack?

A. An employee receives a gift card request in an email that has an executive's name in the display
field of the email.
B. Employees who open an email attachment receive messages demanding payment in order to
access files.
C. A service desk employee receives an email from the HR director asking for log-in credentials to a
cloud administrator account.
D. An employee receives an email with a link to a phishing site that is designed to look like the
company's email portal.

Answer: A

Explanation:
A business email compromise (BEC) attack is a type of phishing attack that targets employees who
have access to company funds or sensitive information. The attacker impersonates a trusted person,
such as an executive, a vendor, or a client, and requests a fraudulent payment, a wire transfer, or
confidential data. The attacker often uses social engineering techniques, such as urgency, pressure,
or familiarity, to convince the victim to comply with the request12.
In this scenario, option A describes a possible BEC attack, where an employee receives a gift card
request in an email that has an executive’s name in the display field of the email. The email may look
like it is coming from the executive, but the actual email address may be spoofed or compromised.
The attacker may claim that the gift cards are needed for a business purpose, such as rewarding
employees or clients, and ask the employee to purchase them and send the codes. This is a common
tactic used by BEC attackers to steal money from unsuspecting victims34.
Option B describes a possible ransomware attack, where malicious software encrypts the files on a
device and demands a ransom for the decryption key. Option C describes a possible credential
harvesting attack, where an attacker tries to obtain the login information of a privileged account by
posing as a legitimate authority. Option D describes a possible phishing attack, where an attacker
tries to lure the victim to a fake website that mimics the company’s email portal and capture their
credentials. These are all types of cyberattacks, but they are not examples of BEC
attacks. Reference 1: Business Email Compromise - CompTIA Security+ SY0-701 - 2.2 2: CompTIA
Security+ SY0-701 Certification Study Guide 3: Business Email Compromise: The 12 Billion Dollar
Scam 4: TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy

www.certsland.com
Questions & Answers PDF Page 6

Question: 7

A company prevented direct access from the database administrators’ workstations to the network
segment that contains database servers. Which of the following should a database administrator use
to access the database servers?

A. Jump server
B. RADIUS
C. HSM
D. Load balancer

Answer: A

Explanation:
A jump server is a device or virtual machine that acts as an intermediary between a user’s
workstation and a remote network segment. A jump server can be used to securely access servers or
devices that are not directly reachable from the user’s workstation, such as database servers. A jump
server can also provide audit logs and access control for the remote connections. A jump server is
also known as a jump box or a jump host12.
RADIUS is a protocol for authentication, authorization, and accounting of network access. RADIUS is
not a device or a method to access remote servers, but rather a way to verify the identity and
permissions of users or devices that request network access34.
HSM is an acronym for Hardware Security Module, which is a physical device that provides secure
storage and generation of cryptographic keys. HSMs are used to protect sensitive data and
applications, such as digital signatures, encryption, and authentication. HSMs are not used to access
remote servers, but rather to enhance the security of the data and applications that reside on
them5 .
A load balancer is a device or software that distributes network traffic across multiple servers or
devices, based on criteria such as availability, performance, or capacity. A load balancer can improve
the scalability, reliability, and efficiency of network services, such as web servers, application servers,
or database servers. A load balancer is not used to access remote servers, but rather to optimize the
delivery of the services that run on them . Reference:
How to access a remote server using a jump host
Jump server
RADIUS
Remote Authentication Dial-In User Service (RADIUS)
Hardware Security Module (HSM)
[What is an HSM?]
[Load balancing (computing)]
[What is Load Balancing?]

Question: 8

An organization’s internet-facing website was compromised when an attacker exploited a buffer

overflow. Which of the following should the organization deploy to best protect against similar
attacks in the future?

www.certsland.com
Questions & Answers PDF Page 7

A. NGFW
B. WAF
C. TLS
D. SD-WAN

Answer: B

Explanation:
A buffer overflow is a type of software vulnerability that occurs when an application writes more
data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory
locations. This can lead to unexpected behavior, such as crashes, errors, or code execution. A buffer
overflow can be exploited by an attacker to inject malicious code or commands into the application,
which can compromise the security and functionality of the system. An organization’s internet-facing
website was compromised when an attacker exploited a buffer overflow. To best protect against
similar attacks in the future, the organization should deploy a web application firewall (WAF). A WAF
is a type of firewall that monitors and filters the traffic between a web application and the internet. A
WAF can detect and block common web attacks, such as buffer overflows, SQL injections, cross-site
scripting (XSS), and more. A WAF can also enforce security policies and rules, such as input
validation, output encoding, and encryption. A WAF can provide a layer of protection for the web
application, preventing attackers from exploiting its vulnerabilities and compromising its
data. Reference: Buffer Overflows – CompTIA Security+ SY0-701 – 2.3, Web Application Firewalls –
CompTIA Security+ SY0-701 – 2.4, [CompTIA Security+ Study Guide with over 500 Practice Test
Questions: Exam SY0-701, 9th Edition]

Question: 9

An administrator notices that several users are logging in from suspicious IP addresses. After
speaking with the users, the administrator determines that the employees were not logging in from
those IP addresses and resets the affected users’ passwords. Which of the following should the
administrator implement to prevent this type of attack from succeeding in the future?

A. Multifactor authentication
B. Permissions assignment
C. Access management
D. Password complexity

Answer: A

Explanation:
The correct answer is A because multifactor authentication (MFA) is a method of verifying a user’s
identity by requiring more than one factor, such as something the user knows (e.g., password),
something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent
unauthorized access even if the user’s password is compromised, as the attacker would need to
provide another factor to log in. The other options are incorrect because they do not address the root
cause of the attack, which is weak authentication. Permissions assignment (B) is the process of
granting or denying access to resources based on the user’s role or identity. Access management © is
the process of controlling who can access what and under what conditions. Password complexity (D)

www.certsland.com
Questions & Answers PDF Page 8

is the requirement of using strong passwords that are hard to guess or crack, but it does not prevent
an attacker from using a stolen password. Reference: You can learn more about multifactor
authentication and other security concepts in the following resources:
CompTIA Security+ SY0-701 Certification Study Guide, Chapter 1: General Security Concepts1
Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.2: Security Concepts2
Multi-factor Authentication – SY0-601 CompTIA Security+ : 2.43
TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 3: Identity and Access Management,
Lecture 15: Multifactor Authentication4
CompTIA Security+ Certification SY0-601: The Total Course [Video], Chapter 3: Identity and Account
Management, Section 2: Enabling Multifactor Authentication5

Question: 10

An employee receives a text message that appears to have been sent by the payroll department and
is asking for credential verification. Which of the following social engineering techniques are being
attempted? (Choose two.)

A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation

Answer: B E

Explanation:
Smishing is a type of social engineering technique that uses text messages (SMS) to trick victims into
revealing sensitive information, clicking malicious links, or downloading malware. Smishing
messages often appear to come from legitimate sources, such as banks, government agencies, or
service providers, and use urgent or threatening language to persuade the recipients to take
action12. In this scenario, the text message that claims to be from the payroll department is an
example of smishing.
Impersonation is a type of social engineering technique that involves pretending to be someone else,
such as an authority figure, a trusted person, or a colleague, to gain the trust or cooperation of the
target. Impersonation can be done through various channels, such as phone calls, emails, text
messages, or in-person visits, and can be used to obtain information, access, or money from the
victim34. In this scenario, the text message that pretends to be from the payroll department is an
example of impersonation.
A . Typosquatting is a type of cyberattack that involves registering domain names that are similar to
popular or well-known websites, but with intentional spelling errors or different
extensions. Typosquatting aims to exploit the common mistakes that users make when typing web
addresses, and redirect them to malicious or fraudulent sites that may steal their information, install
malware, or display ads56. Typosquatting is not related to text messages or credential verification.
B . Phishing is a type of social engineering technique that uses fraudulent emails to trick recipients
into revealing sensitive information, clicking malicious links, or downloading malware. Phishing
emails often mimic the appearance and tone of legitimate organizations, such as banks, retailers, or
service providers, and use deceptive or urgent language to persuade the recipients to take action78.

www.certsland.com
Questions & Answers PDF Page 9

Phishing is not related to text messages or credential verification.

D . Vishing is a type of social engineering technique that uses voice calls to trick victims into revealing
sensitive information, such as passwords, credit card numbers, or bank account details. Vishing calls
often appear to come from legitimate sources, such as law enforcement, government agencies, or
technical support, and use scare tactics or false promises to persuade the recipients to comply9 .
Vishing is not related to text messages or credential verification.
F . Misinformation is a type of social engineering technique that involves spreading false or
misleading information to influence the beliefs, opinions, or actions of the target. Misinformation
can be used to manipulate public perception, create confusion, damage reputation, or promote an
agenda . Misinformation is not related to text messages or credential verification.
Reference 1: What is Smishing? | Definition and Examples | Kaspersky 2: Smishing - Wikipedia 3:
Impersonation Attacks: What Are They and How Do You Protect Against Them? 4: Impersonation -
Wikipedia 5: What is Typosquatting? | Definition and Examples | Kaspersky 6: Typosquatting -
Wikipedia 7: What is Phishing? | Definition and Examples | Kaspersky 8: Phishing -
Wikipedia 9: What is Vishing? | Definition and Examples | Kaspersky : Vishing - Wikipedia : What is
Misinformation? | Definition and Examples | Britannica : Misinformation - Wikipedia

Question: 11

Several employees received a fraudulent text message from someone claiming to be the Chief
Executive Officer (CEO). The message stated:
“I’m in an airport right now with no access to email. I need you to buy gift cards for employee
recognition awards. Please send the gift cards to following email address.”
Which of the following are the best responses to this situation? (Choose two).

A. Cancel current employee recognition gift cards.

B. Add a smishing exercise to the annual company training.
C. Issue a general email warning to the company.
D. Have the CEO change phone numbers.
E. Conduct a forensic investigation on the CEO's phone.
F. Implement mobile device management.

Answer: B, C

Explanation:
This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to
entice individuals into providing personal or sensitive information to cybercriminals. The best
responses to this situation are to add a smishing exercise to the annual company training and to issue
a general email warning to the company. A smishing exercise can help raise awareness and educate
employees on how to recognize and avoid smishing attacks. An email warning can alert employees to
the fraudulent text message and remind them to verify the identity and legitimacy of any requests
for information or money. Reference: What Is Phishing | Cybersecurity | CompTIA, Phishing – SY0-
601 CompTIA Security+ : 1.1 - Professor Messer IT Certification Training Courses

Question: 12

A company is required to use certified hardware when building networks. Which of the following

www.certsland.com
Questions & Answers PDF Page 10

best addresses the risks associated with procuring counterfeit hardware?

A. A thorough analysis of the supply chain

B. A legally enforceable corporate acquisition policy
C. A right to audit clause in vendor contracts and SOWs
D. An in-depth penetration test of all suppliers and vendors

Answer: A

Explanation:
Counterfeit hardware is hardware that is built or modified without the authorization of the original
equipment manufacturer (OEM). It can pose serious risks to network quality, performance, safety,
and reliability12. Counterfeit hardware can also contain malicious components that can compromise
the security of the network and the data that flows through it3. To address the risks associated with
procuring counterfeit hardware, a company should conduct a thorough analysis of the supply chain,
which is the network of entities involved in the production, distribution, and delivery of the
hardware. By analyzing the supply chain, the company can verify the origin, authenticity, and
integrity of the hardware, and identify any potential sources of counterfeit or tampered products. A
thorough analysis of the supply chain can include the following steps:
Establishing a trusted relationship with the OEM and authorized resellers
Requesting documentation and certification of the hardware from the OEM or authorized resellers
Inspecting the hardware for any signs of tampering, such as mismatched labels, serial numbers, or
components
Testing the hardware for functionality, performance, and security
Implementing a tracking system to monitor the hardware throughout its lifecycle
Reporting any suspicious or counterfeit hardware to the OEM and law enforcement
agencies Reference 1: Identify Counterfeit and Pirated Products - Cisco, 2: What Is Hardware
Security? Definition, Threats, and Best Practices, 3: Beware of Counterfeit Network Equipment -
TechNewsWorld, : Counterfeit Hardware: The Threat and How to Avoid It

Question: 13

Which of the following provides the details about the terms of a test with a third-party penetration
tester?

A. Rules of engagement
B. Supply chain analysis
C. Right to audit clause
D. Due diligence

Answer: A

Explanation:
Rules of engagement are the guidelines and constraints regarding the execution of information
security testing, such as penetration testing. They define the scope, objectives, methods, and
boundaries of the test, as well as the roles and responsibilities of the testers and the clients. Rules of

www.certsland.com
Questions & Answers PDF Page 11

engagement help to ensure that the test is conducted in a legal, ethical, and professional manner,
and that the results are accurate and reliable. Rules of engagement typically include the following
elements:
The type and scope of the test, such as black box, white box, or gray box, and the target systems,
networks, applications, or data.
The client contact details and the communication channels for reporting issues, incidents, or
emergencies during the test.
The testing team credentials and the authorized tools and techniques that they can use.
The sensitive data handling and encryption requirements, such as how to store, transmit, or dispose
of any data obtained during the test.
The status meeting and report schedules, formats, and recipients, as well as the confidentiality and
non-disclosure agreements for the test results.
The timeline and duration of the test, and the hours of operation and testing windows.
The professional and ethical behavior expectations for the testers, such as avoiding unnecessary
damage, disruption, or disclosure of information.
Supply chain analysis, right to audit clause, and due diligence are not related to the terms of a test
with a third-party penetration tester. Supply chain analysis is the process of evaluating the security
and risk posture of the suppliers and partners in a business network. Right to audit clause is a
provision in a contract that gives one party the right to audit another party to verify their compliance
with the contract terms and conditions. Due diligence is the process of identifying and addressing the
cyber risks that a potential vendor or partner brings to an organization.
Reference: https://www.yeahhub.com/every-penetration-tester-you-should-know-about-this-rules-
of-engagement/
https://bing.com/search?qrules+of+engagement+penetration+testing

Question: 14

A penetration tester begins an engagement by performing port and service scans against the client
environment according to the rules of engagement. Which of the following reconnaissance types is
the tester performing?

A. Active
B. Passive
C. Defensive
D. Offensive

Answer: A

Explanation:
Active reconnaissance is a type of reconnaissance that involves sending packets or requests to a
target and analyzing the responses. Active reconnaissance can reveal information such as open ports,
services, operating systems, and vulnerabilities. However, active reconnaissance is also more likely to
be detected by the target or its security devices, such as firewalls or intrusion detection systems. Port
and service scans are examples of active reconnaissance techniques, as they involve probing the
target for specific information. Reference: CompTIA Security+ Certification Exam Objectives, Domain
1.1: Given a scenario, conduct reconnaissance using appropriate techniques and tools. CompTIA
Security+ Study Guide (SY0-701), Chapter 2: Reconnaissance and Intelligence Gathering, page
47. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 1.

www.certsland.com
Questions & Answers PDF Page 12

Question: 15

Which of the following is required for an organization to properly manage its restore process in the
event of system failure?

A. IRP
B. DRP
C. RPO
D. SDLC

Answer: B

Explanation:
A disaster recovery plan (DRP) is a set of policies and procedures that aim to restore the normal
operations of an organization in the event of a system failure, natural disaster, or other emergency. A
DRP typically includes the following elements:
A risk assessment that identifies the potential threats and impacts to the organization’s critical assets
and processes.
A business impact analysis that prioritizes the recovery of the most essential functions and data.
A recovery strategy that defines the roles and responsibilities of the recovery team, the resources
and tools needed, and the steps to follow to restore the system.
A testing and maintenance plan that ensures the DRP is updated and validated regularly. A DRP is
required for an organization to properly manage its restore process in the event of system failure, as
it provides a clear and structured framework for recovering from a disaster and minimizing the
downtime and data loss. Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 7: Resilience
and Recovery, page 325.

Question: 16

Which of the following vulnerabilities is associated with installing software outside of a

manufacturer’s approved software repository?

A. Jailbreaking
B. Memory injection
C. Resource reuse
D. Side loading

Answer: D

Explanation:
Side loading is the process of installing software outside of a manufacturer’s approved software
repository. This can expose the device to potential vulnerabilities, such as malware, spyware, or
unauthorized access. Side loading can also bypass security controls and policies that are enforced by
the manufacturer or the organization. Side loading is often done by users who want to access
applications or features that are not available or allowed on their devices. Reference: Sideloading -
CompTIA Security + Video Training | Interface Technical Training, Security+ (Plus) Certification |

www.certsland.com
Questions & Answers PDF Page 13

CompTIA IT Certifications, Load Balancers – CompTIA Security+ SY0-501 – 2.1, CompTIA Security+
SY0-601 Certification Study Guide.

Question: 17

A security analyst is reviewing the following logs:

Which of the following attacks is most likely occurring?

A. Password spraying
B. Account forgery
C. Pass-t he-hash
D. Brute-force

Answer: A

Explanation:
Password spraying is a type of brute force attack that tries common passwords across several
accounts to find a match. It is a mass trial-and-error approach that can bypass account lockout
protocols. It can give hackers access to personal or business accounts and information. It is not a
targeted attack, but a high-volume attack tactic that uses a dictionary or a list of popular or weak
passwords12.
The logs show that the attacker is using the same password ("password123") to attempt to log in to
different accounts ("admin", "user1", "user2", etc.) on the same web server. This is a typical pattern
of password spraying, as the attacker is hoping that at least one of the accounts has a weak password
that matches the one they are trying. The attacker is also using a tool called Hydra, which is one of
the most popular brute force tools, often used in cracking passwords for network authentication3.
Account forgery is not the correct answer, because it involves creating fake accounts or credentials to
impersonate legitimate users or entities. There is no evidence of account forgery in the logs, as the
attacker is not creating any new accounts or using forged credentials.
Pass-the-hash is not the correct answer, because it involves stealing a hashed user credential and
using it to create a new authenticated session on the same network. Pass-the-hash does not require
the attacker to know or crack the password, as they use the stored version of the password to initiate
a new session4. The logs show that the attacker is using plain text passwords, not hashes, to try to
log in to the web server.
Brute-force is not the correct answer, because it is a broader term that encompasses different types
of attacks that involve trying different variations of symbols or words until the correct password is
found. Password spraying is a specific type of brute force attack that uses a single common password
against multiple accounts5. The logs show that the attacker is using password spraying, not brute

www.certsland.com
Questions & Answers PDF Page 14

force in general, to try to gain access to the web server. Reference 1: Password spraying: An
overview of password spraying attacks … - Norton, 2: Security: Credential Stuffing vs. Password
Spraying - Baeldung, 3: Brute Force Attack: A definition + 6 types to know | Norton, 4: What is a Pass-
the-Hash Attack? - CrowdStrike, 5: What is a Brute Force Attack? | Definition, Types & How It Works -
Fortinet

Question: 18

An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of
the following would be most relevant for the analyst to evaluate?

A. Secured zones
B. Subject role
C. Adaptive identity
D. Threat scope reduction

Answer: D

Explanation:
The data plane, also known as the forwarding plane, is the part of the network that carries user
traffic and data. It is responsible for moving packets from one device to another based on the routing
and switching decisions made by the control plane. The data plane is a critical component of the Zero
Trust architecture, as it is where most of the attacks and breaches occur. Therefore, implementing
Zero Trust principles within the data plane can help to improve the security and resilience of the
network.
One of the key principles of Zero Trust is to assume breach and minimize the blast radius and
segment access. This means that the network should be divided into smaller and isolated segments
or zones, each with its own security policies and controls. This way, if one segment is compromised,
the attacker cannot easily move laterally to other segments and access more resources or data. This
principle is also known as threat scope reduction, as it reduces the scope and impact of a potential
threat.
The other options are not as relevant for the data plane as threat scope reduction. Secured zones are
a concept related to the control plane, which is the part of the network that makes routing and
switching decisions. Subject role is a concept related to the identity plane, which is the part of the
network that authenticates and authorizes users and devices. Adaptive identity is a concept related
to the policy plane, which is the part of the network that defines and enforces the security policies
and rules.
Reference https://bing.com/search?qZero+Trust+data+plane

https://learn.microsoft.com/en-us/security/zero-trust/deploy/data

Question: 19

An engineer needs to find a solution that creates an added layer of security by preventing
unauthorized access to internal company resources. Which of the following would be the best
solution?

www.certsland.com
Questions & Answers PDF Page 15

A. RDP server
B. Jump server
C. Proxy server
D. Hypervisor

Answer: B

Explanation:
A jump server is a server that acts as an intermediary between a user and a target system. A jump
server can provide an added layer of security by preventing unauthorized access to internal company
resources. A user can connect to the jump server using a secure protocol, such as SSH, and then
access the target system from the jump server. This way, the target system is isolated from the
external network and only accessible through the jump server. A jump server can also enforce
security policies, such as authentication, authorization, logging, and auditing, on the user’s
connection. A jump server is also known as a bastion host or a jump box. Reference: CompTIA
Security+ Certification Exam Objectives, Domain 3.3: Given a scenario, implement secure network
architecture concepts. CompTIA Security+ Study Guide (SY0-701), Chapter 3: Network Architecture
and Design, page 101. Other Network Appliances – SY0-601 CompTIA Security+ : 3.3, Video
3:03. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 2.

Question: 20

A company’s web filter is configured to scan the URL for strings and deny access when matches are
found. Which of the following search strings should an analyst employ to prohibit access to non-
encrypted websites?

A. encryptionoff\
B. http://
C. www.*.com
D. :443

Answer: B

Explanation:
A web filter is a device or software that can monitor, block, or allow web traffic based on predefined
rules or policies. One of the common methods of web filtering is to scan the URL for strings and deny
access when matches are found. For example, a web filter can block access to websites that contain
the words “gambling”, “porn”, or “malware” in their URLs. A URL is a uniform resource locator that
identifies the location and protocol of a web resource. A URL typically consists of the following
components: protocol://domain:port/path?query#fragment. The protocol specifies the
communication method used to access the web resource, such as HTTP, HTTPS, FTP, or SMTP. The
domain is the name of the web server that hosts the web resource, such as www.google.com or
www.bing.com. The port is an optional number that identifies the specific service or application
running on the web server, such as 80 for HTTP or 443 for HTTPS. The path is the specific folder or file
name of the web resource, such as /index.html or /images/logo.png. The query is an optional string
that contains additional information or parameters for the web resource, such as ?qsecurity or
?langen. The fragment is an optional string that identifies a specific part or section of the web

www.certsland.com
Questions & Answers PDF Page 16

resource, such as #introduction or #summary.

To prohibit access to non-encrypted websites, an analyst should employ a search string that matches
the protocol of non-encrypted web traffic, which is HTTP. HTTP stands for hypertext transfer protocol,
and it is a standard protocol for transferring data between web servers and web browsers. However,
HTTP does not provide any encryption or security for the data, which means that anyone who
intercepts the web traffic can read or modify the data. Therefore, non-encrypted websites are
vulnerable to eavesdropping, tampering, or spoofing attacks. To access a non-encrypted website, the
URL usually starts with http://, followed by the domain name and optionally the port number. For
example, http://www.example.com or http://www.example.com:80. By scanning the URL for the
string http://, the web filter can identify and block non-encrypted websites.
The other options are not correct because they do not match the protocol of non-encrypted web
traffic. Encryptionoff is a possible query string that indicates the encryption status of the web
resource, but it is not a standard or mandatory parameter. Https:// is the protocol of encrypted web
traffic, which uses hypertext transfer protocol secure (HTTPS) to provide encryption and security for
the data. Www.*.com is a possible domain name that matches any website that starts with www and
ends with .com, but it does not specify the protocol. :443 is the port number of HTTPS, which is the
protocol of encrypted web traffic. Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 2:
Securing Networks, page 69. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section
2.1: Network Devices and Technologies, video: Web Filter (5:16).

Question: 21

During a security incident, the security operations team identified sustained network traffic from a
malicious IP address:
10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing
the organization’s network. Which of the following fulfills this request?

A. access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32

B. access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32

Answer: B

Explanation:
A firewall rule is a set of criteria that determines whether to allow or deny a packet to pass through
the firewall. A firewall rule consists of several elements, such as the action, the protocol, the source
address, the destination address, and the port number. The syntax of a firewall rule may vary
depending on the type and vendor of the firewall, but the basic logic is the same. In this question,
the security analyst is creating an inbound firewall rule to block the IP address 10.1.4.9 from
accessing the organization’s network. This means that the action should be deny, the protocol should
be any (or ig for IP), the source address should be 10.1.4.9/32 (which means a single IP address), the
destination address should be 0.0.0.0/0 (which means any IP address), and the port number should
be any. Therefore, the correct firewall rule is:
access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
This rule will match any packet that has the source IP address of 10.1.4.9 and drop it. The other
options are incorrect because they either have the wrong action, the wrong source address, or the
wrong destination address. For example, option A has the source and destination addresses

www.certsland.com
Questions & Answers PDF Page 17

reversed, which means that it will block any packet that has the destination IP address of 10.1.4.9,
which is not the intended goal. Option C has the wrong action, which is permit, which means that it
will allow the packet to pass through the firewall, which is also not the intended goal. Option D has
the same problem as option A, with the source and destination addresses reversed.
Reference: Firewall Rules – CompTIA Security+ SY0-401: 1.2, Firewalls – SY0-601 CompTIA Security+ :
3.3, Firewalls – CompTIA Security+ SY0-501, Understanding Firewall Rules – CompTIA Network+ N10-
005: 5.5, Configuring Windows Firewall – CompTIA A+ 220-1102 – 1.6.

Question: 22

A company needs to provide administrative access to internal resources while minimizing the traffic
allowed through the security boundary. Which of the following methods is most secure?

A. Implementing a bastion host

B. Deploying a perimeter network
C. Installing a WAF
D. Utilizing single sign-on

Answer: A

Explanation:
A bastion host is a special-purpose server that is designed to withstand attacks and provide secure
access to internal resources. A bastion host is usually placed on the edge of a network, acting as a
gateway or proxy to the internal network. A bastion host can be configured to allow only certain
types of traffic, such as SSH or HTTP, and block all other traffic. A bastion host can also run security
software such as firewalls, intrusion detection systems, and antivirus programs to monitor and filter
incoming and outgoing traffic. A bastion host can provide administrative access to internal resources
by requiring strong authentication and encryption, and by logging all activities for auditing
purposes12.
A bastion host is the most secure method among the given options because it minimizes the traffic
allowed through the security boundary and provides a single point of control and defense. A bastion
host can also isolate the internal network from direct exposure to the internet or other untrusted
networks, reducing the attack surface and the risk of compromise3.
Deploying a perimeter network is not the correct answer, because a perimeter network is a network
segment that separates the internal network from the external network. A perimeter network
usually hosts public-facing services such as web servers, email servers, or DNS servers that need to
be accessible from the internet. A perimeter network does not provide administrative access to
internal resources, but rather protects them from unauthorized access. A perimeter network can also
increase the complexity and cost of network management and security4.
Installing a WAF is not the correct answer, because a WAF is a security tool that protects web
applications from common web-based attacks by monitoring, filtering, and blocking HTTP traffic. A
WAF can prevent attacks such as cross-site scripting, SQL injection, or file inclusion, among others. A
WAF does not provide administrative access to internal resources, but rather protects them from
web application vulnerabilities. A WAF is also not a comprehensive solution for network security, as
it only operates at the application layer and does not protect against other types of attacks or
threats5.
Utilizing single sign-on is not the correct answer, because single sign-on is a method of
authentication that allows users to access multiple sites, services, or applications with one username

www.certsland.com
Questions & Answers PDF Page 18

and password. Single sign-on can simplify the sign-in process for users and reduce the number of
passwords they have to remember and manage. Single sign-on does not provide administrative
access to internal resources, but rather enables access to various resources that the user is
authorized to use. Single sign-on can also introduce security risks if the user’s credentials are
compromised or if the single sign-on provider is breached6. Reference 1: Bastion host -
Wikipedia, 2: 14 Best Practices to Secure SSH Bastion Host - goteleport.com, 3: The Importance Of
Bastion Hosts In Network Security, 4: What is the network perimeter? | Cloudflare, 5: What is a
WAF? | Web Application Firewall explained, 6: [What is single sign-on (SSO)? - Definition from
WhatIs.com]

Question: 23

A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic
coming from an employee’s corporate laptop. The security analyst has determined that additional
data about the executable running on the machine is necessary to continue the investigation. Which
of the following logs should the analyst use as a data source?

A. Application
B. IPS/IDS
C. Network
D. Endpoint

Answer: D

Explanation:
An endpoint log is a file that contains information about the activities and events that occur on an
end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide
valuable data for security analysts, such as the processes running on the device, the network
connections established, the files accessed or modified, the user actions performed, and the
applications installed or updated. Endpoint logs can also record the details of any executable files
running on the device, such as the name, path, size, hash, signature, and permissions of the
executable.
An application log is a file that contains information about the events that occur within a software
application, such as errors, warnings, transactions, or performance metrics. Application logs can help
developers and administrators troubleshoot issues, optimize performance, and monitor user
behavior. However, application logs may not provide enough information about the executable files
running on the device, especially if they are malicious or unknown.
An IPS/IDS log is a file that contains information about the network traffic that is monitored and
analyzed by an intrusion prevention system (IPS) or an intrusion detection system (IDS). IPS/IDS logs
can help security analysts identify and block potential attacks, such as exploit attempts, denial-of-
service (DoS) attacks, or malicious scans. However, IPS/IDS logs may not provide enough information
about the executable files running on the device, especially if they are encrypted, obfuscated, or use
legitimate protocols.
A network log is a file that contains information about the network activity and communication that
occurs between devices, such as IP addresses, ports, protocols, packets, or bytes. Network logs can
help security analysts understand the network topology, traffic patterns, and bandwidth usage.
However, network logs may not provide enough information about the executable files running on
the device, especially if they are hidden, spoofed, or use proxy servers.

www.certsland.com
Questions & Answers PDF Page 19

Therefore, the best log type to use as a data source for additional information about the executable
running on the machine is the endpoint log, as it can provide the most relevant and data about the
executable file and its behavior.
Reference: https://www.crowdstrike.com/cybersecurity-101/observability/application-log/

https://owasp.org/www-project-proactive-controls/v3/en/c9-security-logging

Question: 24

A cyber operations team informs a security analyst about a new tactic malicious actors are using to
compromise networks.
SIEM alerts have not yet been configured. Which of the following best describes what the security
analyst should do to identify this behavior?

A. [Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting

Answer: D

Explanation:
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in
a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat
hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as
well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat
hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation,
data collection and analysis, threat intelligence, and incident response. Threat hunting can also help
improve the security posture of an organization by providing feedback and recommendations for
security improvements. Reference: CompTIA Security+ Certification Exam Objectives, Domain 4.1:
Given a scenario, analyze potential indicators of malicious activity. CompTIA Security+ Study Guide
(SY0-701), Chapter 4: Threat Detection and Response, page 153. Threat Hunting – SY0-701 CompTIA
Security+ : 4.1, Video 3:18. CompTIA Security+ Certification Exam SY0-701 Practice Test 1, Question 3.

Question: 25

A company purchased cyber insurance to address items listed on the risk register. Which of the
following strategies does this represent?

A. Accept
B. Transfer
C. Mitigate
D. Avoid

Answer: B

www.certsland.com
Questions & Answers PDF Page 20

Explanation:
Cyber insurance is a type of insurance that covers the financial losses and liabilities that result from
cyberattacks, such as data breaches, ransomware, denial-of-service, phishing, or malware. Cyber
insurance can help a company recover from the costs of restoring data, repairing systems, paying
ransoms, compensating customers, or facing legal actions. Cyber insurance is one of the possible
strategies that a company can use to address the items listed on the risk register. A risk register is a
document that records the identified risks, their probability, impact, and mitigation strategies for a
project or an organization. The four common risk mitigation strategies are:
Accept: The company acknowledges the risk and decides to accept the consequences without taking
any action to reduce or eliminate the risk. This strategy is usually chosen when the risk is low or the
cost of mitigation is too high.
Transfer: The company transfers the risk to a third party, such as an insurance company, a vendor, or
a partner. This strategy is usually chosen when the risk is high or the company lacks the resources or
expertise to handle the risk.
Mitigate: The company implements controls or measures to reduce the likelihood or impact of the
risk. This strategy is usually chosen when the risk is moderate or the cost of mitigation is reasonable.
Avoid: The company eliminates the risk by changing the scope, plan, or design of the project or the
organization. This strategy is usually chosen when the risk is unacceptable or the cost of mitigation is
too high.
By purchasing cyber insurance, the company is transferring the risk to the insurance company, which
will cover the financial losses and liabilities in case of a cyberattack. Therefore, the correct answer is
B. Transfer. Reference: CompTIA Security+ Study Guide (SY0-701), Chapter 8: Governance, Risk, and
Compliance, page 377. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 8.1:
Risk Management, video: Risk Mitigation Strategies (5:37).

Question: 26

A security administrator would like to protect data on employees’ laptops. Which of the following
encryption techniques should the security administrator use?

A. Partition
B. Asymmetric
C. Full disk
D. Database

Answer: C

Explanation:
Full disk encryption (FDE) is a technique that encrypts all the data on a hard drive, including the
operating system, applications, and files. FDE protects the data from unauthorized access in case the
laptop is lost, stolen, or disposed of without proper sanitization. FDE requires the user to enter a
password, a PIN, a smart card, or a biometric factor to unlock the drive and boot the system. FDE can
be implemented by using software solutions, such as BitLocker, FileVault, or VeraCrypt, or by using
hardware solutions, such as self-encrypting drives (SEDs) or Trusted Platform Modules (TPMs). FDE is
a recommended encryption technique for laptops and other mobile devices that store sensitive data.
Partition encryption is a technique that encrypts only a specific partition or volume on a hard drive,
leaving the rest of the drive unencrypted. Partition encryption is less secure than FDE, as it does not

www.certsland.com
Questions & Answers PDF Page 21

protect the entire drive and may leave traces of data on unencrypted areas. Partition encryption is
also less convenient than FDE, as it requires the user to mount and unmount the encrypted partition
manually.
Asymmetric encryption is a technique that uses a pair of keys, one public and one private, to encrypt
and decrypt data. Asymmetric encryption is mainly used for securing communication, such as email,
web, or VPN, rather than for encrypting data at rest. Asymmetric encryption is also slower and more
computationally intensive than symmetric encryption, which is the type of encryption used by FDE
and partition encryption.
Database encryption is a technique that encrypts data stored in a database, such as tables, columns,
rows, or cells. Database encryption can be done at the application level, the database level, or the
file system level. Database encryption is useful for protecting data from unauthorized access by
database administrators, hackers, or malware, but it does not protect the data from physical theft or
loss of the device that hosts the database.
Reference: Data Encryption – CompTIA Security+ SY0-401: 4.4, CompTIA Security+ Cheat Sheet and
PDF | Zero To Mastery, CompTIA Security+ SY0-601 Certification Course - Cybr, Application
Hardening – SY0-601 CompTIA Security+ : 3.2.

Question: 27

Which of the following security control types does an acceptable use policy best represent?

A. Detective
B. Compensating
C. Corrective
D. Preventive

Answer: D

Explanation:
An acceptable use policy (AUP) is a set of rules that govern how users can access and use a corporate
network or the internet. The AUP helps companies minimize their exposure to cyber security threats
and limit other risks. The AUP also serves as a notice to users about what they are not allowed to do
and protects the company against misuse of their network. Users usually have to acknowledge that
they understand and agree to the rules before accessing the network1.
An AUP best represents a preventive security control type, because it aims to deter or stop potential
security incidents from occurring in the first place. A preventive control is proactive and anticipates
possible threats and vulnerabilities, and implements measures to prevent them from exploiting or
harming the system or the data. A preventive control can be physical, technical, or administrative in
nature2.
Some examples of preventive controls are:
Locks, fences, or guards that prevent unauthorized physical access to a facility or a device
Firewalls, antivirus software, or encryption that prevent unauthorized logical access to a network or a
system
Policies, procedures, or training that prevent unauthorized or inappropriate actions or behaviors by
users or employees
An AUP is an example of an administrative preventive control, because it defines the policies and
procedures that users must follow to ensure the security and proper use of the network and the IT
resources. An AUP can prevent users from engaging in activities that could compromise the security,

www.certsland.com
Questions & Answers PDF Page 22

performance, or availability of the network or the system, such as:

Downloading or installing unauthorized or malicious software
Accessing or sharing sensitive or confidential information without authorization or encryption
Using the network or the system for personal, illegal, or unethical purposes
Bypassing or disabling security controls or mechanisms
Connecting unsecured or unapproved devices to the network
By enforcing an AUP, a company can prevent or reduce the likelihood of security breaches, data loss,
legal liability, or reputational damage caused by user actions or inactions3.
Reference 1: How to Create an Acceptable Use Policy - CoreTech, 2: [Security Control Types:
Preventive, Detective, Corrective, and Compensating], 3: Why You Need A Corporate Acceptable Use
Policy - CompTIA

Question: 28

An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will
have access to the administrator console of the help desk software. Which of the following security
techniques is the IT manager setting up?

A. Hardening
B. Employee monitoring
C. Configuration enforcement
D. Least privilege

Answer: D

Explanation:
The principle of least privilege is a security concept that limits access to resources to the minimum
level needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity
best practice that protects high-value data and assets from compromise or insider threat. Least
privilege can be applied to different abstraction layers of a computing environment, such as
processes, systems, or connected devices. However, it is rarely implemented in practice.
In this scenario, the IT manager is setting up the principle of least privilege by restricting access to
the administrator console of the help desk software to only two authorized users: the IT manager
and the help desk lead. This way, the IT manager can prevent unauthorized or accidental changes to
the software configuration, data, or functionality by other help desk staff. The other help desk staff
will only have access to the normal user interface of the software, which is sufficient for them to
perform their job functions.
The other options are not correct. Hardening is the process of securing a system by reducing its
surface of vulnerability, such as by removing unnecessary software, changing default passwords, or
disabling unnecessary services. Employee monitoring is the surveillance of workers’ activity, such as
by tracking web browsing, application use, keystrokes, or screenshots. Configuration enforcement is
the process of ensuring that a system adheres to a predefined set of security settings, such as by
applying a patch, a policy, or a template.
Reference
https://en.wikipedia.org/wiki/Principle_of_least_privilege
https://en.wikipedia.org/wiki/Principle_of_least_privilege

www.certsland.com
Questions & Answers PDF Page 23

Question: 29

Which of the following is the most likely to be used to document risks, responsible parties, and
thresholds?

A. Risk tolerance
B. Risk transfer
C. Risk register
D. Risk analysis

Answer: C

Explanation:
A risk register is a document that records and tracks the risks associated with a project, system, or
organization. A risk register typically includes information such as the risk description, the risk owner,
the risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A
risk register can help identify, assess, prioritize, monitor, and control risks, as well as communicate
them to relevant stakeholders. A risk register can also help document the risk tolerance and
thresholds of an organization, which are the acceptable levels of risk exposure and the criteria for
escalating or mitigating risks. Reference: CompTIA Security+ Certification Exam Objectives, Domain
5.1: Explain the importance of policies, plans, and procedures related to organizational
security. CompTIA Security+ Study Guide (SY0-701), Chapter 5: Governance, Risk, and Compliance,
page 211. CompTIA Security+ Certification Guide, Chapter 2: Risk Management, page 33. CompTIA
Security+ Certification Exam SY0-701 Practice Test 1, Question 4.

Question: 30

Which of the following should a security administrator adhere to when setting up a new set of
firewall rules?

A. Disaster recovery plan

B. Incident response procedure
C. Business continuity plan
D. Change management procedure

Answer: D

Explanation:
A change management procedure is a set of steps and guidelines that a security administrator should
adhere to when setting up a new set of firewall rules. A firewall is a device or software that can filter,
block, or allow network traffic based on predefined rules or policies. A firewall rule is a statement
that defines the criteria and action for a firewall to apply to a packet or a connection. For example, a
firewall rule can allow or deny traffic based on the source and destination IP addresses, ports,
protocols, or applications. Setting up a new set of firewall rules is a type of change that can affect the
security, performance, and functionality of the network. Therefore, a change management
procedure is necessary to ensure that the change is planned, tested, approved, implemented,
documented, and reviewed in a controlled and consistent manner. A change management procedure

www.certsland.com
Questions & Answers PDF Page 24

typically includes the following elements:

A change request that describes the purpose, scope, impact, and benefits of the change, as well as
the roles and responsibilities of the change owner, implementer, and approver.
A change assessment that evaluates the feasibility, risks, costs, and dependencies of the change, as
well as the alternatives and contingency plans.
A change approval that authorizes the change to proceed to the implementation stage, based on the
criteria and thresholds defined by the change policy.
A change implementation that executes the change according to the plan and schedule, and verifies
the results and outcomes of the change.
A change documentation that records the details and status of the change, as well as the lessons
learned and best practices.
A change review that monitors and measures the performance and effectiveness of the change, and
identifies any issues or gaps that need to be addressed or improved.
A change management procedure is important for a security administrator to adhere to when setting
up a new set of firewall rules, as it can help to achieve the following objectives:
Enhance the security posture and compliance of the network by ensuring that the firewall rules are
aligned with the security policies and standards, and that they do not introduce any vulnerabilities or
conflicts.
Minimize the disruption and downtime of the network by ensuring that the firewall rules are tested
and validated before deployment, and that they do not affect the availability or functionality of the
network services or applications.
Improve the efficiency and quality of the network by ensuring that the firewall rules are optimized
and updated according to the changing needs and demands of the network users and stakeholders,
and that they do not cause any performance or compatibility issues.
Increase the accountability and transparency of the network by ensuring that the firewall rules are
documented and reviewed regularly, and that they are traceable and auditable by the relevant
authorities and parties.
The other options are not correct because they are not related to the process of setting up a new set
of firewall rules. A disaster recovery plan is a set of policies and procedures that aim to restore the
normal operations of an organization in the event of a system failure, natural disaster, or other
emergency. An incident response procedure is a set of steps and guidelines that aim to contain,
analyze, eradicate, and recover from a security incident, such as a cyberattack, data breach, or
malware infection. A business continuity plan is a set of strategies and actions that aim to maintain
the essential functions and operations of an organization during and after a disruptive event, such as
a pandemic, power outage, or civil unrest. Reference: CompTIA Security+ Study Guide (SY0-701),
Chapter 7: Resilience and Recovery, page 325. Professor Messer’s CompTIA SY0-701 Security+
Training Course, Section 1.3: Security Operations, video: Change Management (5:45).

www.certsland.com
 Thank You for trying SY0-701 PDF Demo

https://www.certsland.com/sy0-701-dumps/

Start Your SY0-701 Preparation

[Limited Time Offer] Use Coupon " SAVE20 " for extra 20%
discount on the purchase of PDF file. Test your
SY0-701 preparation with actual exam questions

www.certsland.com