SY0-701 CompTIA Security+ Exam 2024 - Practice Questions

Question 4

Which of the following must be considered when designing a high-availability network? (Select two).

Select all that apply, then click Submit answer.

○
Ease of recovery
○
Ability to patch
○
Physical isolation
○
Responsiveness
○
Attack surface
○
Extensible authentication

Reference / correct answer:

Ease of recovery

Attack surface

A high-availability network is a network that is designed to minimize downtime and ensure continuous operation of critical services and applications. To achieve this goal, a high-availability network must consider two important factors: ease of recovery and attack surface.

Ease of recovery refers to the ability of a network to quickly restore normal functionality after a failure, disruption, or disaster. A high-availability network should have mechanisms such as redundancy, failover, backup, and restore to ensure that any single point of failure does not cause a complete network outage. A high-availability network should also have procedures and policies for incident response, disaster recovery, and business continuity to minimize the impact of any network issue on the organization?s operations and reputation.

Attack surface refers to the exposure of a network to potential threats and vulnerabilities. A highavailability network should have measures such as encryption, authentication, authorization,

firewall, intrusion detection and prevention, and patch management to protect the network from unauthorized access, data breaches, malware, denial-of-service attacks, and other cyberattacks. A high-availability network should also have processes and tools for risk assessment, threat intelligence, vulnerability scanning, and penetration testing to identify and mitigate any weaknesses or gaps in the network security.

Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 4: Architecture and Design, pages 164-1651. CompTIA Security+ Certification Kit: Exam SY0-701, 7th Edition, Chapter 4: Architecture and Design, pages 164-1652.

Question 5

A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two).

Select all that apply, then click Submit answer.

○
Key escrow
○
TPM presence
○
Digital signatures
○
Data tokenization
○
Public key management
○
Certificate authority linking

Question 6

While troubleshooting a firewall configuration, a technician determines that a ?deny any? policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue?

Select an option, then click Submit answer.

○
Documenting the new policy in a change request and submitting the request to change management
○
Testing the policy in a non-production environment before enabling the policy in the production network
○
Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the new policy
○
Including an 'allow any1 policy above the 'deny any* policy

Reference / correct answer:

Testing the policy in a non-production environment before enabling the policy in the production network

A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall policy should be carefully designed and tested before being implemented, as a misconfigured policy can cause network disruptions or security breaches. A common best practice is to test the policy in a non-production environment, such as a lab or a simulation, before enabling the policy in the production network. This way, the technician can verify the functionality and performance of the policy, and identify and resolve any issues or conflicts, without affecting the live network. Testing the policy in a non-production environment would prevent the issue of the ?deny any? policy causing several company servers to become unreachable, as the technician would be able to detect and correct the problem before applying the policy to the production network.

Documenting the new policy in a change request and submitting the request to change management is a good practice, but it would not prevent the issue by itself. Change management is a process that ensures that any changes to the network are authorized, documented, and communicated, but it does not guarantee that the changes are error-free or functional. The technician still needs to test the policy before implementing it.

Disabling any intrusion prevention signatures on the ?deny any? policy prior to enabling the new policy would not prevent the issue, and it could reduce the security of the network. Intrusion prevention signatures are patterns that identify malicious or unwanted traffic, and allow the firewall to block or alert on such traffic. Disabling these signatures would make the firewall less effective in detecting and preventing attacks, and it would not affect the reachability of the company servers. Including an ?allow any? policy above the ?deny any? policy would not prevent the issue, and it would render the ?deny any? policy useless. A firewall policy is processed from top to bottom, and the first matching rule is applied. An ?allow any? policy would match any traffic and allow it to pass through the firewall, regardless of the source, destination, or protocol. This would negate the purpose of the ?deny any? policy, which is to block any traffic that does not match any of the previous rules. Moreover, an ?allow any? policy would create a security risk, as it would allow any unauthorized or malicious traffic to enter or exit the network. Reference = CompTIA Security+ SY0-701 Certification Study Guide, page 204-205; Professor Messer?s CompTIA SY0-701 Security+ Training Course, video 2.1 - Network Security Devices, 8:00 - 10:00.

SY0-701 – CompTIA Security+ Exam 2024