Security+ (SY0-701) Study Path¶

Correct Answer: C) Deterrent

Explanation: Deterrent controls aim to discourage attacks before they happen. Examples include security cameras (visible), warning banners, security lighting, and acceptable use policies. Detective controls identify attacks in progress, corrective controls fix damage after an attack, and compensating controls provide alternative protection when primary controls are impractical.

Reference: Chapter 1 -- Security Control Types

Correct Answer: B) Multi-factor authentication

Explanation: Smart card (something you have) combined with PIN (something you know) constitutes two different authentication factors. MFA requires at least two factors from different categories: something you know, something you have, something you are, or somewhere you are. Using two passwords would be multi-step but not multi-factor since both are "something you know."

Reference: Chapter 13 -- Authentication and Access Controls

Correct Answer: C) Least privilege

Explanation: The principle of least privilege restricts user access rights to the bare minimum needed for their role. Need to know is related but specifically limits access to information. Separation of duties ensures no single person can complete a critical process alone. Defense in depth uses multiple layers of controls rather than limiting individual permissions.

Reference: Chapter 13 -- Governance and Access Principles

Correct Answer: B) Log normalization

Explanation: Log normalization converts disparate log formats into a common schema (such as ECS, CIM, or CEF) so analysts and detection rules can process events consistently. Data masking obscures sensitive fields, deduplication removes repeated records, and correlation links related events into incidents -- but none of those standardize the format itself.

Reference: Chapter 3 -- Data Modeling and Normalization

Correct Answer: B) Integrity

Explanation: Integrity ensures that data has not been altered by unauthorized parties. Unauthorized modification of database records is a direct integrity violation. Confidentiality addresses unauthorized disclosure, availability addresses denial of service, and non-repudiation (not part of CIA) proves a party performed an action.

Reference: Chapter 1 -- Security Fundamentals

Correct Answer: B) Administrative preventive

Explanation: Tabletop exercises are administrative (policy/procedure-based) and preventive because they prepare teams to handle incidents more effectively before they occur. They identify gaps in response plans and improve readiness. While they may reveal detective or corrective control weaknesses, the exercise itself is an administrative preventive measure.

Reference: Chapter 15 -- Resilience and Tabletop Exercises

Correct Answer: B) All traffic is denied unless explicitly allowed regardless of location

Explanation: Zero Trust eliminates implicit trust based on network location. Every access request -- whether from inside or outside the corporate perimeter -- must be authenticated, authorized, and continuously validated. Options A, C, and D all describe perimeter-based trust models that Zero Trust explicitly rejects.

Reference: Chapter 39 -- Zero Trust Implementation

Correct Answer: D) Public

Explanation: Data classification labels indicate the sensitivity and required handling. A marketing brochure intended for external distribution on the company website is Public data -- no harm results from its disclosure. Restricted data (e.g., PII, trade secrets) requires the highest protection, Confidential is sensitive but less critical, and Internal is for employee-only material.

Reference: Chapter 3 -- Data Classification and Lifecycle

Correct Answer: B) Technique

Explanation: In MITRE ATT&CK, tactics represent the adversary's goal (the "why"), techniques describe how the adversary achieves that goal (the "how"), and procedures are specific implementations of techniques observed in the wild. Campaigns describe coordinated sets of intrusion activity. The hierarchy is: Tactic > Technique > Sub-technique > Procedure.

Reference: Chapter 1 -- MITRE ATT&CK Framework

Correct Answer: C) Offboarding

Explanation: Offboarding is the process of revoking all access when an employee or contractor leaves the organization. This includes disabling accounts, revoking VPN credentials, retrieving equipment, and removing from distribution lists. While access recertification reviews could also catch this, the root failure is the offboarding process that should have immediately revoked access upon contract termination.

Reference: Chapter 13 -- Identity Lifecycle and Governance

Correct Answer: C) Business email compromise (BEC)

Explanation: BEC attacks impersonate executives or trusted parties to trick employees into transferring funds or disclosing sensitive data. While this is also a form of spear phishing (targeted) and whaling (targeting high-value individuals), the use of a look-alike domain to impersonate the CEO for financial fraud is the hallmark of BEC. Vishing uses voice calls rather than email.

Reference: Chapter 25 -- Social Engineering and BEC Attacks

Correct Answer: B) Supply chain attack

Explanation: Supply chain attacks compromise a trusted vendor, supplier, or third-party component to reach the vendor's downstream customers. The SolarWinds Orion compromise (2020) is the canonical example: attackers injected malicious code into the build pipeline, and the trojanized update was distributed to approximately 18,000 organizations. Watering hole attacks compromise websites that targets visit, not vendor build pipelines.

Reference: Chapter 24 -- Supply Chain Attacks

Correct Answer: B) CVSS

Explanation: The Common Vulnerability Scoring System (CVSS) evaluates vulnerabilities on a 0.0-10.0 scale using Base, Temporal, and Environmental metric groups. Base metrics include Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and CIA impact. EPSS predicts exploitation probability, CWE categorizes weakness types, and CVE provides unique identifiers for vulnerabilities.

Reference: Chapter 29 -- Vulnerability Management and CVSS

Correct Answer: B) Insider threat

Explanation: Insider threats originate from individuals who have legitimate access to organizational resources -- employees, contractors, or business partners. This scenario describes a malicious insider motivated by grievance. Key indicators include unusual data access patterns, use of personal storage services, and after-hours activity. UEBA (User and Entity Behavior Analytics) is a primary detection mechanism for this threat type.

Reference: Chapter 26 -- Insider Threats

Correct Answer: B) Double extortion

Explanation: Double extortion combines traditional ransomware encryption with data theft and the threat of public exposure. Victims face two pressures: pay to decrypt their data AND pay to prevent publication of stolen data. This technique was pioneered by the Maze ransomware group and has become standard practice. Some groups have escalated to triple extortion, adding DDoS threats or contacting customers directly.

Reference: Chapter 23 -- Ransomware Deep Dive

Correct Answer: C) Apply risk-based prioritization considering CVSS, EPSS, asset exposure, and business impact

Explanation: Risk-based vulnerability management considers multiple factors: CVSS severity, EPSS exploitation likelihood, asset criticality, network exposure, and compensating controls. While the CVSS score is high, the low EPSS and internal-only exposure reduce the effective risk. Neither CVSS alone nor EPSS alone tells the complete story. The team should still plan remediation but may not need to treat it as an emergency.

Reference: Chapter 29 -- Risk-Based Vulnerability Prioritization

Correct Answer: C) Fileless malware

Explanation: Fileless malware resides exclusively in memory and leverages legitimate system tools (Living off the Land Binaries, or LOLBins) such as PowerShell, WMI, and mshta.exe. Because nothing is written to disk, traditional signature-based antivirus cannot detect it. Detection requires behavioral analysis, script block logging, AMSI integration, and memory-based endpoint detection.

Reference: Chapter 22 -- Threat Actor TTPs and Fileless Techniques

Correct Answer: D) Both B and C

Explanation: Virtual patching uses WAF rules, IPS signatures, or other network-based controls to block exploitation of a known vulnerability without modifying the vulnerable application. It is also a compensating control because it provides alternative protection when the primary control (vendor patch) is unavailable. Virtual patching is a critical strategy for zero-day response while vendors develop official fixes.

Reference: Chapter 53 -- Zero-Day Response and Virtual Patching

Correct Answer: B) Typosquatting

Explanation: Typosquatting (also called URL hijacking) registers domain names that are visually similar to legitimate domains, exploiting common typing mistakes or character substitutions. Using "paypa1.com" (numeral 1) instead of "paypal.com" (letter l) is a classic homoglyph attack. URL redirection sends users from a legitimate URL to a malicious one, DNS poisoning corrupts DNS responses, and pharming redirects traffic at the DNS level.

Reference: Chapter 25 -- Social Engineering Techniques

Correct Answer: B) SBOM

Explanation: A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and dependencies in a software product. SBOMs enable rapid identification of affected systems when a vulnerability is discovered in a component (e.g., Log4Shell). STIX is a threat intelligence format, SOAR is a security orchestration platform, and SIEM is a log aggregation and correlation system.

Reference: Chapter 24 -- Supply Chain Attacks and SBOM

Correct Answer: B) The customer

Explanation: In the IaaS shared responsibility model, the cloud provider secures the infrastructure (physical data centers, hypervisors, network fabric), while the customer is responsible for everything deployed on that infrastructure: operating systems, applications, data, identity management, and network configurations. In PaaS, the provider takes on OS patching; in SaaS, the provider manages nearly everything except data and user access.

Reference: Chapter 31 -- Cloud Security Architecture

Correct Answer: C) RSA

Explanation: RSA is an asymmetric (public-key) algorithm used for encryption, key exchange, and digital signatures. AES-256 and ChaCha20 are symmetric algorithms (same key for encryption and decryption), and SHA-512 is a hashing algorithm (one-way function, not encryption). Asymmetric algorithms use a key pair -- public key for encryption and private key for decryption.

Reference: Chapter 32 -- Applied Cryptography

Correct Answer: B) IPSec

Explanation: IPSec (Internet Protocol Security) provides confidentiality (encryption via ESP), integrity (HMAC), and authentication (IKE key exchange) for IP traffic. It supports both transport mode (payload only) and tunnel mode (entire packet) and is the standard for site-to-site VPNs. PPTP is deprecated and insecure, TFTP is an unencrypted file transfer protocol, and Telnet transmits data in cleartext.

Reference: Chapter 31 -- Network Security Architecture

Correct Answer: C) Attribute-Based Access Control (ABAC)

Explanation: ABAC evaluates multiple attributes (user, resource, environment, action) to make dynamic access decisions. Unlike RBAC, which assigns permissions based on fixed roles, ABAC can incorporate contextual factors like time, location, and device health. This makes ABAC more granular and flexible, though more complex to implement. MAC uses classification labels and clearance levels, and DAC lets resource owners set permissions.

Reference: Chapter 33 -- Identity and Access Security

Correct Answer: B) Next-Generation Firewall (NGFW)

Explanation: NGFWs combine traditional firewall capabilities (stateful packet inspection) with advanced features: deep packet inspection, application identification and control, integrated IPS, threat intelligence feeds, TLS inspection, and user identity awareness. Traditional stateful firewalls only inspect headers and track connection state. Switches operate at Layer 2, and load balancers distribute traffic without deep security inspection.

Reference: Chapter 31 -- Network Security Architecture and NGFW

Correct Answer: B) Certificate Revocation List (CRL)

Explanation: A CRL is a list published by the Certificate Authority containing serial numbers of revoked certificates. Applications check the CRL (or use OCSP -- Online Certificate Status Protocol -- for real-time queries) before trusting a certificate. CSR is used to request a new certificate, Certificate Transparency logs record certificate issuance for auditing, and key escrow stores backup copies of encryption keys.

Reference: Chapter 32 -- PKI and Certificate Management

Correct Answer: B) Remote wipe of lost or stolen devices

Explanation: Mobile Device Management (MDM) provides device-level control including remote wipe, application management, policy enforcement, geofencing, and containerization of corporate data. VPNs only encrypt network traffic and authenticate users for network access -- they cannot manage the device itself, enforce application policies, or wipe data remotely.

Reference: Chapter 34 -- Mobile and IoT Security

Correct Answer: B) 3-2-1 backup rule

Explanation: The 3-2-1 rule is a data protection best practice: maintain 3 copies of data (primary + 2 backups), on 2 different media types (e.g., disk + tape or disk + cloud), with 1 copy stored offsite (geographically separate). RAID provides disk redundancy but is not a backup strategy, and differential/incremental describe backup scheduling methods rather than the overall strategy.

Reference: Chapter 15 -- Resilience and Business Continuity

Correct Answer: B) Misconfiguration

Explanation: Default credentials are a misconfiguration vulnerability -- the device is not properly secured out of the box, and users fail to change default settings. This is one of the most exploited vulnerability types in IoT devices, enabling botnets like Mirai. Zero-day refers to unknown/unpatched flaws, race conditions involve timing issues in concurrent processes, and buffer overflows are memory corruption bugs.

Reference: Chapter 34 -- IoT Security Challenges

Correct Answer: B) Verify explicitly

Explanation: "Verify explicitly" is a core Zero Trust principle (alongside "use least privilege access" and "assume breach"). It mandates that every access request must be authenticated and authorized based on all available data points -- identity, device health, location, data classification -- regardless of network location. Options A, C, and D describe the traditional perimeter security model that Zero Trust replaces.

Reference: Chapter 39 -- Zero Trust Implementation

Correct Answer: C) Containment, Eradication, and Recovery

Explanation: The NIST SP 800-61 Incident Response Lifecycle follows four phases: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, and Recovery, (4) Post-Incident Activity (Lessons Learned). After confirming a compromise during Detection and Analysis, the team must contain the threat to prevent lateral movement, eradicate the attacker's presence, and recover affected systems.

Reference: Chapter 9 -- Incident Response Lifecycle

Correct Answer: B) Volatile data collection

Explanation: Volatile data exists only in RAM and is lost when the system is powered off. It includes running processes, network connections, loaded DLLs, registry hives in memory, and encryption keys. The order of volatility (RFC 3227) dictates that volatile data must be collected before non-volatile evidence. Tools like WinPMEM, FTK Imager, and Magnet RAM Capture are used for memory acquisition.

Reference: Chapter 27 -- Digital Forensics and Evidence Collection

Correct Answer: B) Brute force authentication attack

Explanation: A brute force attack repeatedly tries passwords against a single account until one succeeds. The SIEM correlation pattern (multiple failures then success from the same IP against the same account) is the classic brute force signature. Password spraying tries one password across many accounts, credential stuffing uses breached credential pairs, and pass-the-hash uses stolen NTLM hashes rather than passwords.

Reference: Chapter 4 -- SIEM Correlation Rules

Correct Answer: B) Initial Access (TA0001)

Explanation: Initial Access (TA0001) describes how an adversary first gains a foothold in the target environment. Phishing with a malicious attachment (T1566.001) is one of the most common Initial Access techniques. While the macro executing is part of the Execution tactic, the question asks specifically about the initial access vector -- the phishing email that delivered the malicious document.

Reference: Chapter 5 -- Detection Engineering and MITRE ATT&CK

Correct Answer: B) SOAR

Explanation: Security Orchestration, Automation, and Response (SOAR) platforms orchestrate workflows across multiple security tools via API integrations. A SOAR playbook can automatically extract IOCs from SIEM alerts, query threat intelligence platforms, perform WHOIS lookups, and enrich the alert with contextual data -- all without manual analyst intervention. DLP prevents data loss, NAC controls network access, and WAFs protect web applications.

Reference: Chapter 8 -- SOAR and Automation Playbooks

Correct Answer: B) Cryptographic hash (MD5/SHA-256)

Explanation: A cryptographic hash of both the original drive and the forensic image verifies that the copy is an exact duplicate. If the hashes match, the image is a perfect copy. This hash is documented in the chain of custody and can be verified at any point to prove the evidence has not been tampered with. SHA-256 is preferred over MD5 for forensic work due to MD5's known collision vulnerabilities.

Reference: Chapter 27 -- Digital Forensics and Evidence Integrity

Correct Answer: B) Hypothesis-driven hunting

Explanation: Hypothesis-driven hunting starts with a theory about adversary behavior (based on threat intelligence, ATT&CK techniques, or risk assessment), then proactively searches for evidence supporting or refuting the hypothesis. This is distinct from reactive hunting (triggered by an alert), ML anomaly detection (automated statistical analysis), and IOC sweeping (searching for known indicators). The PEAK framework formalizes this approach.

Reference: Chapter 38 -- Advanced Threat Hunting Methodologies

Correct Answer: B) Verify whether the change was authorized through the change management system

Explanation: Before taking any action, the analyst must determine if the change is legitimate. Checking the change management system, contacting the IT admin team, and reviewing approval records prevents disrupting authorized administrative actions. Jumping to containment (removing the account, disabling it) without verification can cause unnecessary business disruption. However, if the change is confirmed unauthorized, immediate containment is warranted.

Reference: Chapter 6 -- Triage, Investigation, and Enrichment

Correct Answer: B) Pre-commit / build-time

Explanation: Secrets scanning in the CI/CD pipeline is a "shift left" control that catches credential exposure before code reaches production. Build-time security gates can include SAST (Static Application Security Testing), dependency scanning, secrets detection, IaC policy checks, and container image scanning. Catching secrets before deployment prevents the need for costly credential rotation and reduces breach risk.

Reference: Chapter 35 -- DevSecOps Pipeline Security

Correct Answer: B) Order of volatility

Explanation: The order of volatility (RFC 3227) dictates that evidence must be collected from most volatile to least volatile: (1) CPU registers/cache, (2) RAM, (3) network state, (4) running processes, (5) disk, (6) remote logging, (7) physical configuration, (8) archival media. Volatile data is lost when power is removed, so it must be captured first. Chain of custody tracks evidence handling, and Locard's principle relates to physical evidence exchange.

Reference: Chapter 27 -- Digital Forensics Methodology

Correct Answer: C) GDPR

Explanation: The EU General Data Protection Regulation (GDPR) requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to notify affected individuals "without undue delay" if the breach is likely to result in high risk. HIPAA requires notification within 60 days, PCI-DSS mandates breach notification per card brand rules, and SOX focuses on financial reporting controls rather than breach notification.

Reference: Chapter 13 -- Compliance Frameworks and GDPR

Correct Answer: D) Risk transfer

Explanation: Risk transfer shifts the financial burden of a risk to a third party, typically through insurance or contractual agreements. Cyber insurance is the most common form of risk transfer. Mitigation reduces the likelihood or impact through controls, acceptance acknowledges the risk without additional action, and avoidance eliminates the risk by discontinuing the activity that creates it.

Reference: Chapter 13 -- Risk Management Strategies

Correct Answer: B) NIST Cybersecurity Framework (CSF)

Explanation: The NIST CSF organizes cybersecurity activities into five core functions: Identify (asset management, risk assessment), Protect (access control, awareness), Detect (monitoring, anomalies), Respond (incident response, communication), and Recover (recovery planning, improvements). Note: NIST CSF 2.0 added a sixth function, Govern, in 2024. ISO 27001 uses controls in Annex A, COBIT focuses on IT governance, and CIS Controls provides a prioritized set of security actions.

Reference: Chapter 13 -- Governance Frameworks

Correct Answer: B) Key Performance Indicator (KPI)

Explanation: MTTD is a Key Performance Indicator that measures the effectiveness of the detection capability. KPIs track operational performance and progress toward goals. A KRI would measure risk exposure (e.g., number of unpatched critical vulnerabilities), an SLO defines a target threshold (e.g., "MTTD must be under 12 hours"), and a lagging indicator measures outcomes after the fact rather than driving improvement.

Reference: Chapter 12 -- Evaluation Metrics and KPIs

Correct Answer: B) SOC 2 Type II audit report

Explanation: SOC 2 Type II reports provide an independent auditor's assessment of a service organization's controls over a period of time (typically 6-12 months) against the Trust Service Criteria (security, availability, processing integrity, confidentiality, privacy). Type II is preferred over Type I because it tests control effectiveness over time, not just design at a point in time. Vulnerability scans and pen tests assess technical security but not the broader control environment.

Reference: Chapter 40 -- Third-Party Risk Management

Correct Answer: B) Administrative

Explanation: Administrative controls (also called managerial controls) are policies, procedures, and guidelines that define how security is managed within an organization. Security awareness training requirements, acceptable use policies, and background check procedures are all administrative controls. Technical controls are implemented in hardware/software, physical controls protect tangible assets, and compensating controls substitute for primary controls.

Reference: Chapter 14 -- Operating Model and Security Policies

Correct Answer: B) The risk that remains after controls have been implemented

Explanation: Residual risk is the risk that persists after all selected security controls have been applied. It is impossible to eliminate all risk; the goal is to reduce residual risk to a level acceptable to the organization (risk appetite). Inherent risk is the total risk before controls, risk transfer shifts burden to a third party, and risk avoidance eliminates the activity creating the risk. The formula is: Residual Risk = Inherent Risk - Control Effectiveness.

Reference: Chapter 40 -- Security Program Leadership and Risk Communication

Correct Answer: B) Encrypt cardholder data at rest and in transit

Explanation: PCI-DSS Requirement 3 mandates protection of stored cardholder data (encryption at rest), and Requirement 4 requires encryption during transmission over open/public networks. The 72-hour notification and DPO appointment are GDPR requirements, and annual privacy impact assessments are not a PCI-DSS mandate (though risk assessments are required under Requirement 12).

Reference: Chapter 13 -- Compliance Frameworks and PCI-DSS

Correct Answer: B) Enhanced security awareness training with phishing simulations targeting the identified gaps

Explanation: Recurring incidents of the same type indicate a gap in the security program. Targeted security awareness training with realistic phishing simulations addresses the human element while improving technical controls (email filters, URL sandboxing). Post-incident lessons learned should drive measurable improvements. Blocking all email or accepting the risk are extreme and impractical responses, and replacing staff does not address the systemic gap.

Reference: Chapter 15 -- Lessons Learned and Continuous Improvement

Correct Answer: B) Service Level Agreement (SLA)

Explanation: An SLA is a binding contract that defines measurable service expectations: response times (e.g., critical alerts acknowledged within 15 minutes), uptime guarantees, escalation procedures, reporting requirements, and penalties for non-compliance. MOUs express mutual intent without legal enforcement, NDAs protect confidential information, and BIAs assess the impact of business disruptions on operations.

Reference: Chapter 14 -- SLA Design and Vendor Management