ExamGecko

CompTIA SY0-601 Practice Test - Questions Answers, Page 47

A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption.

Which of the following best describes this step?

A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tabletop exercise
Suggested answer: A

Explanation:

Capacity planning is the process of determining the resources needed to meet the demand for a service or product. It involves estimating the number of staff members required to sustain the business in the case of a disruption, as well as other factors such as equipment, space, and budget.

Redundancy, geographic dispersion, and tabletop exercises are not directly related to determining the staff members needed for business continuity. Redundancy is the duplication of critical components or functions to increase reliability and availability. Geographic dispersion is the distribution of resources across different locations to reduce the impact of a localized disaster. A tabletop exercise is a simulation of a potential scenario that tests the effectiveness of a business continuity plan.

Which of the following best describes configuring devices to log to a centralized, off-site location for possible future reference?

A. Log aggregation
B. DLP
C. Archiving
D. SCAP
Suggested answer: C

Explanation:

Archiving is the process of storing data for long-term preservation. In the context of IT security, archiving logs is the process of collecting and storing log files from devices in a centralized location. This allows organizations to access and analyze log data for troubleshooting, compliance, and security auditing purposes.

Log aggregation is the process of collecting log data from multiple sources and storing it in a single location. This can be done for performance or security reasons. However, log aggregation does not necessarily involve storing the logs in an off-site location.

DLP (Data Loss Prevention) is a set of technologies and processes that are used to protect sensitive data from unauthorized access, use, disclosure, alteration, or destruction. DLP can be used to prevent data from being exfiltrated from an organization's network, but it does not typically involve storing logs in an off-site location.

SCAP (Security Content Automation Protocol) is a set of standards and tools that are used to automate the assessment and remediation of security vulnerabilities. SCAP can be used to collect log data from devices, but it does not typically involve storing the logs in an off-site location.

Therefore, the best answer to the question is archiving.

A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?

A. Testing input validation on the user input fields
B. Performing code signing on company-developed software
C. Performing static code analysis on the software
D. Ensuring secure cookies are used
Suggested answer: B

Explanation:

Code signing is a cryptographic process that allows software developers to digitally sign their code. This ensures that the code has not been tampered with since it was signed and that it came from a trusted source.

Testing input validation on the user input fields is important for preventing malicious code from being entered into a system. However, it does not address the authenticity of the code itself.

Performing static code analysis on the software can help to identify security vulnerabilities. However, it cannot guarantee that the code has not been tampered with.

Ensuring secure cookies are used is important for preventing unauthorized access to user data. However, it does not address the authenticity of the code itself.

Therefore, the most appropriate option to ensure the authenticity of the code created by the company is to perform code signing on the software.

Here are some additional benefits of code signing:

It can help to prevent malware from being installed on users' computers.

It can help to protect intellectual property.

It can help to improve user trust.

Which of the following can best protect against an employee inadvertently installing malware on a company system?

A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Suggested answer: C

Explanation:

Least privilege is a security principle that states that users should only be granted the permissions they need to do their job. This helps to protect against malware infections by preventing users from installing unauthorized software.

A host-based firewall can help to protect against malware infections by blocking malicious traffic from reaching a computer. However, it cannot prevent a user from installing malware if they have the necessary permissions.

System isolation is the practice of isolating systems from each other to prevent malware from spreading. This can be done by using virtual machines or network segmentation. However, system isolation can be complex and expensive to implement.

An application allow list is a list of applications that are allowed to run on a computer. This can help to prevent malware infections by preventing users from running unauthorized applications. However, an application allow list can be difficult to maintain and can block legitimate applications.

Therefore, the best way to protect against an employee inadvertently installing malware on a company system is to use the principle of least privilege. This will help to ensure that users only have the permissions they need to do their job, which will reduce the risk of malware infections.

Here are some additional benefits of least privilege:

It can help to improve security by reducing the attack surface.

It can help to simplify security management by reducing the number of permissions that need to be managed.

It can help to improve compliance by reducing the risk of data breaches.

A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?

A. DDoS
B. Privilege escalation
C. DNS poisoning
D. Buffer overflow
Suggested answer: A

Explanation:

A distributed denial-of-service (DDoS) attack is an attempt to make a computer or network resource unavailable to its intended users. This is accomplished by overwhelming the target with a flood of traffic from multiple sources.

In the scenario described, the security analyst identified a source IP address and blocked it from communicating with the network. However, the attack was still ongoing and coming from a large number of different source IP addresses. This indicates that the attack was a DDoS attack.

Privilege escalation is an attack that allows an attacker to gain unauthorized access to a system or network. DNS poisoning is an attack that modifies the DNS records for a domain name, causing users to be redirected to a malicious website. A buffer overflow is an attack that occurs when a program attempts to store more data in a buffer than it is designed to hold.

Therefore, the most likely type of attack in the scenario described is a DDoS attack.

A technician is setting up a new firewall on a network segment to allow web traffic to the internet while hardening the network. After the firewall is configured, users receive errors stating the website could not be located. Which of the following would best correct the issue?

A. Setting an explicit deny to all traffic using port 80 instead of 443
B. Moving the implicit deny from the bottom of the rule set to the top
C. Configuring the first line in the rule set to allow all traffic
D. Ensuring that port 53 has been explicitly allowed in the rule set
Suggested answer: D

Explanation:

Port 53 is the default port for DNS traffic. If the firewall is blocking port 53, then users will not be able to resolve domain names and will receive errors stating that the website could not be located.

The other options would not correct the issue. Setting an explicit deny to all traffic using port 80 instead of 443 would block all HTTP traffic, not just web traffic. Moving the implicit deny from the bottom of the rule set to the top would make the deny rule more restrictive, which would not solve the issue. Configuring the first line in the rule set to allow all traffic would allow all traffic, including malicious traffic, which is not a good security practice.

Therefore, the best way to correct the issue is to ensure that port 53 has been explicitly allowed in the rule set.

Here is some additional information about DNS traffic:

DNS traffic is used to resolve domain names to IP addresses.

DNS traffic is typically unencrypted, which makes it vulnerable to eavesdropping.

There are a number of ways to secure DNS traffic, such as using DNS over HTTPS (DoH) or DNS over TLS (DoT).

A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator use to restore services to a secure state?

A. The last incremental backup that was conducted 72 hours ago
B. The last known-good configuration stored by the operating system
C. The last full backup that was conducted seven days ago
D. The baseline OS configuration
Suggested answer: A

Explanation:

The last incremental backup that was conducted 72 hours ago would be the best option to restore the services to a secure state, as it would contain the most recent data before the ransomware infection. Incremental backups only store the changes made since the last backup, so they are faster and use less storage space than full backups. Restoring from an incremental backup would also minimize the data loss and downtime caused by the ransomware attack.

Reference:

https://www.comptia.org/blog/mature-cybersecurity-response-to-ransomware


During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following best describes this type of vulnerability?

A. Legacy operating system
B. Weak configuration
C. Zero day
D. Supply chain
Suggested answer: C

Explanation:

A zero-day vulnerability is a security flaw that is unknown to the vendor and the public, and therefore has no patch or fix available. A zero-day attack is an exploit that takes advantage of a zero-day vulnerability before the vendor or the security community becomes aware of it. A zero-day attack can cause serious damage to a system or network, as there is no defense against it until a patch is released.

Reference:

https://resources.infosecinstitute.com/certification/security-domain-1-threats-attacks-and-vulnerabilities/

https://www.linkedin.com/learning/comptia-security-plus-sy0-601-cert-prep-1-threats-attacks-and-vulnerabilities/zero-days-and-the-advanced-persistent-threat


A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

A. MFA
B. Lockout
C. Time-based logins
D. Password history
Suggested answer: A

Explanation:

MFA stands for multi-factor authentication, which is a method of verifying a user's identity using two or more factors, such as something you know (e.g., password), something you have (e.g., token), or something you are (e.g., biometrics). MFA can prevent someone from using the exfiltrated credentials, as they would need to provide another factor besides the username and password to access the system or application. MFA can also alert the legitimate user of an unauthorized login attempt, allowing them to change their credentials or report the incident.

Reference:

https://www.comptia.org/certifications/security


Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?

A. A full inventory of all hardware and software
B. Documentation of system classifications
C. A list of system owners and their departments
D. Third-party risk assessment documentation
Suggested answer: A

Explanation:

A full inventory of all hardware and software would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed, as it would allow the analyst to identify which systems and applications are affected by the vulnerability and prioritize the remediation efforts accordingly. A full inventory would also help the analyst to determine the impact and likelihood of a successful exploit, as well as the potential loss of confidentiality, integrity and availability of the data and services.

Reference:

https://resources.infosecinstitute.com/certification/security-plus-risk-management-processes-and-concepts/

https://www.comptia.org/landing/securityplus/index.html

https://www.comptia.org/blog/complete-guide-to-risk-management
