Cut Through the Noise: SY0-701 Security+ Prep That Actually Sticks

The best answer is C. EDR logs.

EDR (Endpoint Detection and Response) tools are designed to monitor endpoint activity in detail, including process execution, command-line usage, script activity, file changes, persistence attempts, and suspicious behavior. Since the incident involves a PowerShell script, EDR logs are the most useful source for identifying whether the script attempted to compromise the system.

PowerShell is commonly abused by attackers for fileless malware, persistence, lateral movement, downloading payloads, and privilege escalation. EDR can capture this kind of endpoint-level behavior much more effectively than general network logs.

Why the other options are incorrect:

A. SNMP logsSNMP is mainly used for network device monitoring and management, not detailed endpoint script execution analysis.

B. Firewall logsFirewall logs can show allowed or blocked traffic, but they usually do not provide deep visibility into local PowerShell execution or endpoint compromise attempts.

D. IPS logsAn IPS may detect known malicious traffic patterns, but it is focused on network-based activity. It is not the best source for detailed analysis of a PowerShell script running on a host.

From a Security+ standpoint, when analyzing suspicious scripts or endpoint behavior, EDR provides the strongest visibility into actual compromise attempts.

Secure Real-Time Transport Protocol (SRTP) is a security protocol used to encrypt and authenticate the streaming of audio and video over IP networks. It ensures that the video streams from the IP cameras are both encrypted to prevent unauthorized access and authenticated to verify the integrity of the stream, making it the ideal choice for securing video surveillance.

= SQL injection is a type of attack that enables the use of an input field to run commands that can view or manipulate data in a database. SQL stands for Structured Query Language, which is a language used to communicate with databases. By injecting malicious SQL statements into an input field, an attacker can bypass authentication, access sensitive information, modify or delete data, or execute commands on the server. SQL injection is one of the most common and dangerous web application vulnerabilities. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 5, page 195. CompTIA Security+ SY0-701 Exam Objectives, Domain 1.1, page 8.

A hot site is a fully operational data center equipped with hardware, software, and network connectivity, ready for immediate use after a disaster. It allows near-zero downtime, making it ideal for critical systems needing continuous operations.

Warm sites (B) have some infrastructure but require additional setup time. Cold sites (D) provide space and power but no equipment, leading to longer recovery. Geolocation (C) is unrelated.

Hot sites are a key disaster recovery solution discussed in SY0-701 ' s Resilience and Recovery domain【6:Chapter 9†CompTIA Security+ Study Guide】.

Multifactor authentication (MFA) requires users to provide two or more of the following categories:

Something you know (password/PIN)

Something you have (token/smart card)

Something you are (biometrics)

Authentication tokens (A) qualify as something you have, such as hardware tokens, OTP apps, or smart cards.

Biometrics (C) qualify as something you are, such as fingerprint scans, facial recognition, or iris scans. Using these two together easily establishes MFA.

Least privilege (B) is an authorization principle, not an MFA factor. LDAP (D) is a directory service protocol, not an MFA mechanism. Password vaulting (E) assists with credential storage but does not implement MFA. SAML (F) is a federation protocol used for Single Sign-On (SSO), not inherently MFA.

Thus, the correct MFA components are A: Authentication tokens and C: Biometrics.

The best answer is B. Directory traversal.

The URLs show attempts to manipulate the filename parameter in order to access sensitive files and directories on the server, especially:

/etc/

/../etc/passwd

/etc/passwd

This is a classic directory traversal attack, also known as path traversal. The attacker is trying to move outside the intended directory structure and access protected operating system files. The reference to /etc/passwd is a common indicator of an attempt to read sensitive files on Unix/Linux systems.

Why the other options are incorrect:

A. Credential replayCredential replay involves reusing captured authentication credentials, which is not what these requests show.

C. Brute-force attackA brute-force attack involves repeated guessing, usually of passwords, keys, or codes. That is not the behavior shown here.

D. Resource exhaustionResource exhaustion involves overwhelming a system with requests or usage to reduce availability. These examples instead show attempts to access files through manipulated paths.

From a Security+ standpoint, attacks using ../ to escape directories are a well-known example of directory traversal, so B is the correct answer.

Detailed Explanation:Proper data sanitization ensures that sensitive data is securely erased from storage devices, preventing unauthorized access or recovery when the devices are disposed of or reused. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: " Data Sanitization and Disposal Methods " ​​.

Effective security governance requires clear assignment of roles and responsibilities, such as owners, controllers, and custodians, to ensure accountability for security-related tasks and data management within the organization. This establishes clear lines of responsibility and authority, which is fundamental to governance frameworks.

A legal hold (also known as a litigation hold) is a notification sent from an organization’s legal team to employees instructing them not to delete electronically stored information (ESI) or discard paper documents that may be relevant to a new or imminent legal case. A legal hold is intended to preserve evidence and prevent spoliation, which is the intentional or negligent destruction of evidence that could harm a party’s case. A legal hold can be triggered by various events, such as a lawsuit, a regulatory investigation, or a subpoena12

In this scenario, the company’s attorneys have requested that the security team initiate a legal hold in response to the lawsuit filed by the customers after the company was compromised. This means that the security team will most likely be required to retain any communications related to the security breach until further notice. This could include emails, instant messages, reports, logs, memos, or any other documents that could be relevant to the lawsuit. The security team should also inform the relevant custodians (the employees who have access to or control over the ESI) of their preservation obligations and monitor their compliance. The security team should also document the legal hold process and its scope, as well as take steps to protect the ESI from alteration, deletion, or loss34

Containmentis the phase wherean organization attempts to minimize the damage caused by a security incident. This may involve isolating affected systems, blocking malicious traffic, or temporarily shutting down compromised services to prevent further impact.

Recovery (A)focuses on restoring normal operations after an incident.

Preparation (C)involves planning and readiness before an incident occurs.

Analysis (D)involvesinvestigating the root causeand assessing the damage.

OSINT (Open Source Intelligence) involves collecting publicly available information, including data breaches, leaked credentials, and other exposed company data found online or on the dark web. OSINT tools can discover if a company’s information has been compromised publicly.

SIEM (Security Information and Event Management) monitors internal logs and events but does not collect external breach info. CVE (Common Vulnerabilities and Exposures) is a database of known software vulnerabilities, not breach data. CVSS (Common Vulnerability Scoring System) rates vulnerabilities ' severity.

OSINT is a key technique in the Threats and Vulnerabilities domain for external threat intelligence gathering【6:Chapter 2†CompTIA Security+ Study Guide】.

A reverse proxy is the best answer because it sits in front of a web application and brokers client access to the site. For a public website, a reverse proxy can enforce secure HTTPS access, hide the origin server, terminate TLS, apply filtering rules, and block traffic from known malicious networks before requests reach the web server. This is especially relevant after website defacement, which often involves weaknesses in exposed web services or poor control of public-facing access. A next-generation firewall can block traffic and inspect applications, but it is broader network infrastructure and not as directly suited to front-ending a public website. IPSec gateways are for encrypted tunnels, not broad public web access. An access control server handles authentication, not site shielding.

===============

When encrypting data, two fundamental drivers of cryptographic strength are the algorithm you choose and the key length you use (which affects brute-force feasibility and overall security margin). The Study Guide emphasizes algorithm selection as a best practice: “First, choose your encryption system wisely… Choose an encryption system with an algorithm in the public domain that has been thoroughly vetted by industry experts.” It then highlights key selection/size as another central decision: “You must also select your keys in an appropriate manner. Use a key length that balances your security requirements with performance considerations.”

These two choices directly affect whether encryption meaningfully protects confidentiality. By contrast, obfuscation, masking, and tokenization are different data-protection techniques (often used to reduce exposure or de-identify data) rather than core encryption-strength parameters. Salting is primarily associated with strengthening password hashing (defending against rainbow table attacks), not selecting encryption primitives/strength for general data encryption. Therefore, the best two considerations in the context of encryption itself are Algorithms and Key length.