SY0-401 CompTIA Security+ Certification Practice Exam Set 1

Which of the following is a best practice when a mistake is made during a forensics examination?


Options are :

  • The examiner should disclose the mistake and assess another area of the disc.
  • The examiner should document the mistake and work around the problem. (Correct)
  • The examiner should attempt to hide the mistake during cross-examination.
  • The examiner should verify the tools before, during, and after an examination.

Answer : The examiner should document the mistake and work around the problem.

The security administrator is currently unaware of an incident that occurred a week ago.
Which of the following will ensure the administrator is notified in a timely manner in the future?


Options are :

  • User permissions reviews
  • Incident response team
  • Change management
  • Routine auditing (Correct)

Answer : Routine auditing

An employee recently lost a USB drive containing confidential customer data.
Which of the following controls could be utilized to minimize the risk involved with the use of USB
drives?


Options are :

  • DLP (Correct)
  • HSM
  • Access control
  • Asset tracking

Answer : DLP

A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at
the site were facing the wrong direction to capture the incident. The analyst ensures the cameras
are turned to face the proper direction.
Which of the following types of controls is being used?


Options are :

  • Deterrent
  • Preventive
  • Corrective (Correct)
  • Detective

Answer : Corrective

A security administrator needs to image a large hard drive for forensic analysis.

Which of the following will allow for faster imaging to a second hard drive?


Options are :

  • tail -f /dev/sda > /dev/sdb bs=8k
  • locate /dev/sda /dev/sdb bs=4k
  • cp /dev/sda /dev/sdb bs=8k
  • dd in=/dev/sda out=/dev/sdb bs=4k (Correct)

Answer : dd in=/dev/sda out=/dev/sdb bs=4k

The security manager received a report that an employee was involved in illegal activity and has
saved data to a workstation’s hard drive. During the investigation, local law enforcement’s criminal
division confiscates the hard drive as evidence.
Which of the following forensic procedures is involved?


Options are :

  • Chain of custody (Correct)
  • System image
  • Order of volatility
  • Take hashes

Answer : Chain of custody

Which of the following MOST specifically defines the procedures to follow when scheduled system
patching fails, resulting in system outages?


Options are :

  • Access control revalidation
  • Change management (Correct)
  • Risk transference
  • Configuration management

Answer : Change management

Which of the following security account management techniques should a security analyst
implement to prevent staff who have switched company roles from exceeding their privileges?


Options are :

  • Time of day restriction
  • Account disablement
  • Password complexity
  • Internal account audits (Correct)

Answer : Internal account audits

A security analyst informs the Chief Executive Officer (CEO) that a security breach has just
occurred. This results in the Risk Manager and Chief Information Officer (CIO) being caught
unaware when the CEO asks for further information.
Which of the following strategies should be implemented to ensure the Risk Manager and CIO are
not caught unaware in the future?


Options are :

  • Change management
  • Procedure and policy management
  • Chain of custody management
  • Incident management (Correct)

Answer : Incident management

The helpdesk reports increased calls from clients reporting spikes in malware infections on their
systems.
Which of the following phases of incident response is MOST appropriate as a FIRST response?


Options are :

  • Validation
  • Containment
  • Follow-up
  • Eradication
  • Identification (Correct)
  • Recovery

Answer : Identification

Which of the following is the MOST important step for preserving evidence during forensic
procedures?


Options are :

  • Involve law enforcement
  • Record the time of the incident
  • Chain of custody (Correct)
  • Report within one hour of discovery

Answer : Chain of custody

During which of the following phases of the Incident Response process should a security
administrator define and implement general defense against malware?


Options are :

  • Eradication
  • Preparation (Correct)
  • Identification
  • Lessons Learned

Answer : Preparation

Which of the following security strategies allows a company to limit damage to internal systems
and provides loss control?


Options are :

  • Restoration and recovery strategies
  • Detection strategies
  • Containment strategies (Correct)
  • Deterrent strategies

Answer : Containment strategies

An internal auditor is concerned with privilege creep that is associated with transfers inside the
company.
Which mitigation measure would detect and correct this?


Options are :

  • Change Control
  • Change management
  • Least privilege and job rotation
  • User rights reviews (Correct)

Answer : User rights reviews

Several employees have been printing files that include personally identifiable information of
customers. Auditors have raised concerns about the destruction of these hard copies after they
are created, and management has decided the best way to address this concern is by preventing
these files from being printed.
Which of the following would be the BEST control to implement?


Options are :

  • Data loss prevention (Correct)
  • Clean desk policies
  • File encryption
  • Printer hardening

Answer : Data loss prevention

The Chief Information Officer (CIO) is concerned with moving an application to a SaaS cloud
provider.
Which of the following can be implemented to provide for data confidentiality assurance during and after the migration to the cloud?


Options are :

  • Full disk encryption
  • DLP policy (Correct)
  • TPM technology
  • HPM technology

Answer : DLP policy

A security administrator is responsible for performing periodic reviews of user permission settings
due to high turnover and internal transfers at a corporation.
Which of the following BEST describes the procedure and security rationale for performing such reviews?


Options are :

  • Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively.
  • Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced.
  • Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. (Correct)
  • Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.

Answer : Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned.

Developers currently have access to update production servers without going through an approval
process.
Which of the following strategies would BEST mitigate this risk?


Options are :

  • Incident management
  • Routine audits
  • Change management (Correct)
  • Clean desk policy

Answer : Change management

A compromised workstation utilized in a Distributed Denial of Service (DDoS) attack has been
removed from the network and an image of the hard drive has been created. However, the system
administrator stated that the system was left unattended for several hours before the image was
created.

In the event of a court case, which of the following is likely to be an issue with this incident?


Options are :

  • Data Analysis of the hard drive
  • Expert Witness
  • Eye Witness
  • Chain of custody (Correct)

Answer : Chain of custody

The incident response team has received the following email message.
From: monitor@ext-company.com
To: security@company.com
Subject: Copyright infringement
A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT.

After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and
identify the incident.
09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john
09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne
10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov
11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok
Which of the following is the MOST likely reason why the incident response team is unable to
identify and correlate the incident?



Options are :

  • Traffic logs for the incident are unavailable
  • The logs are corrupt and no longer forensically sound.
  • Chain of custody was not properly maintained.
  • Incident time offsets were not accounted for. (Correct)

Answer : Incident time offsets were not accounted for.

Who should be contacted FIRST in the event of a security breach?


Options are :

  • Internal auditors
  • Forensics analysis team
  • Software vendors
  • Incident response team (Correct)

Answer : Incident response team

A recent intrusion has resulted in the need to perform incident response procedures. The incident
response team has identified audit logs throughout the network and organizational systems which
hold details of the security breach. Prior to this incident, a security consultant informed the
company that they needed to implement an NTP server on the network.
Which of the following is a problem that the incident response team will likely encounter during
their assessment?


Options are :

  • Capture video traffic
  • Chain of custody
  • Record time offset (Correct)
  • Tracking man hours

Answer : Record time offset

A company is trying to limit the risk associated with the use of unapproved USB devices to copy
documents.
Which of the following would be the BEST technology control to use in this scenario?


Options are :

  • Content filtering
  • DLP (Correct)
  • Audit logs
  • IDS

Answer : DLP

Computer evidence at a crime scene is documented with a tag stating who had possession of the
evidence at a given time.
Which of the following does this illustrate?


Options are :

  • Record time offset
  • Chain of custody (Correct)
  • Order of volatility
  • System image capture

Answer : Chain of custody

Which of the following assets is MOST likely considered for DLP?


Options are :

  • Application server content
  • Reverse proxy
  • Print server
  • USB mass storage devices (Correct)

Answer : USB mass storage devices

Joe, a security administrator, is concerned with users tailgating into the restricted areas.
Given a limited budget, which of the following would BEST assist Joe with detecting this activity?


Options are :

  • Revoke all proximity badge access to make users justify access.
  • Install a camera and DVR at the entrance to monitor access. (Correct)
  • Place a full-time guard at the entrance to confirm user identity.
  • Install a motion detector near the entrance.

Answer : Install a camera and DVR at the entrance to monitor access.

Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing
data in use?


Options are :

  • Endpoint protection (Correct)
  • Database fingerprinting
  • Email scanning
  • Content discovery

Answer : Endpoint protection

Which of the following controls would prevent an employee from emailing unencrypted information
to their personal email account over the corporate network?


Options are :

  • CRL
  • DLP (Correct)
  • HSM
  • TPM

Answer : DLP

Which of the following mitigation strategies is established to reduce risk when performing updates
to business critical systems?


Options are :

  • Forensic analysis
  • Change management (Correct)
  • Server clustering
  • Incident management

Answer : Change management

Encryption of data at rest is important for sensitive information because of the following:


Options are :

  • Prevents data from being accessed following theft of physical equipment (Correct)
  • Allows the remote removal of data following eDiscovery requests
  • Facilitates tier 2 support, by preventing users from changing the OS
  • Renders the recovery of data harder in the event of user password loss

Answer : Prevents data from being accessed following theft of physical equipment
