SY0-701 Practice Test Questions

715 Questions


Which of the following would be used to detect an employee who is emailing a customer list to a personal account before leaving the company?


A. DLP


B. FIM


C. IDS


D. EDR





Answer: A. DLP

Explanation:
To detect an employee who is emailing a customer list to a personal account before leaving the company, a Data Loss Prevention (DLP) system would be used. DLP systems are designed to detect and prevent the unauthorized transmission of sensitive data.

DLP (Data Loss Prevention): Monitors and controls data transfers to ensure sensitive information is not sent to unauthorized recipients.

FIM (File Integrity Monitoring): Monitors changes to files to detect unauthorized modifications.

IDS (Intrusion Detection System): Monitors network traffic for suspicious activity but does not specifically prevent data leakage.

EDR (Endpoint Detection and Response): Monitors and responds to threats on endpoints but is not specifically focused on data leakage.

Reference:
CompTIA Security+ SY0-701 Exam Objectives, Domain 4.5 - Modify enterprise capabilities to enhance security (Data Loss Prevention).

In order to strengthen a password and prevent a hacker from cracking it, a random string of 36 characters was added to the password. Which of the following best describes this technique?


A. Key stretching


B. Tokenization


C. Data masking


D. Salting





Answer: D. Salting

Explanation:
Salting is a technique where a unique, random string of characters (called a "salt") is generated and added to each password before it is hashed. This random string (36 characters in this question) is then stored alongside the hash in the database. The primary purpose of a salt is to defeat precomputation attacks, such as rainbow table attacks, by ensuring that even if two users have the same password, their stored hashes will be different because of the unique salt. This forces an attacker to crack each password individually, significantly increasing the time and computational resources required.

Analysis of Incorrect Options:

A. Key Stretching:
Key stretching (e.g., using algorithms like PBKDF2, bcrypt, or Argon2) is a technique designed to make a weak key (like a password) more secure by making the hashing process intentionally slow and computationally expensive. It involves applying the hash function multiple times. While salting and key stretching are often used together, they are distinct concepts. The question specifically describes adding a random string, which is the definition of salting.

B. Tokenization:
Tokenization is the process of replacing sensitive data (like a Primary Account Number - PAN) with a non-sensitive equivalent, called a token, which has no exploitable value. The token can be mapped back to the original data only through a secure tokenization system. This is commonly used in payment processing systems, not for password storage.

C. Data Masking:
Data masking is a method of creating a structurally similar but inauthentic version of an organization's data. The goal is to protect sensitive data while providing a functional alternative for use in software testing, user training, or analytics. It obfuscates data but is not used in the password hashing process.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically concerning cryptographic concepts. Salting is a fundamental and critical practice for secure password storage, directly related to the proper implementation of hashing functions.
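The following is an added example, not part of the original question bank, showing salting and key stretching together as the explanation describes: a per-record random salt (36 bytes here, mirroring the question) makes two identical passwords hash differently, while PBKDF2 iterations make each guess slow. The record format, iteration count and sample password are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example (not from the original page).
SALT_BYTES = 36                # the question's "random string of 36 characters"
PBKDF2_ITERATIONS = 600_000    # key stretching: deliberately slow per guess
HASH_NAME = "sha256"


def hash_password_unsalted(password: str) -> str:
    """Naive storage: a single plain hash. Identical passwords give identical
    digests, so one precomputed (rainbow) table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salting + key stretching. The salt is random per record and is stored
    in the clear next to the hash: 'pbkdf2_sha256$<iterations>$<salt>$<hash>'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def demo() -> dict:
    """Two users choose the same (constructed) password; compare both schemes."""
    pw = "Winter2024!"
    # Unsalted: the two stored values are identical and linkable.
    unsalted_identical = hash_password_unsalted(pw) == hash_password_unsalted(pw)
    # Salted: each record gets its own salt, so the stored hashes differ and
    # a table precomputed for one salt is useless against the other.
    rec_a = create_record(pw)
    rec_b = create_record(pw)
    salted_identical = rec_a.split("$")[3] == rec_b.split("$")[3]
    return {
        "unsalted_identical": unsalted_identical,
        "salted_identical": salted_identical,
        "verify_ok": verify_password(pw, rec_a),
        "verify_wrong": verify_password("Winter2024?", rec_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```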

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?


A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53


B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53


C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53


D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53





Answer: D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

Explanation:
The goal is to allow outbound DNS traffic (port 53) only from the specific IP address 10.50.10.25 and block all other outbound DNS traffic. Firewall ACLs are typically processed in order, and the first matching rule is applied.

Option D correctly:
Permits outbound DNS traffic from the source IP 10.50.10.25/32 (a single host) to any destination (0.0.0.0/0).

Denies all other outbound DNS traffic (from any source to any destination on port 53).

This ensures only the specified device can send DNS requests outward.

Why the others are incorrect:

A: This denies traffic from 10.50.10.25 and permits all others — the opposite of the requirement.

B: This permits traffic from any source to the destination 10.50.10.25 (inbound traffic to that IP), not outbound from it.

C: This permits all outbound DNS traffic but denies traffic destined for 10.50.10.25 (inbound to that IP), which does not restrict outbound requests by source.

Reference:
This question tests knowledge of Domain 3.3: Given a scenario, implement secure network designs (firewall rules and ACLs). Understanding how to write ACLs to enforce traffic filtering based on source/destination IP and port is critical for network security.
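As an added example (not from the original question bank), the evaluator below applies the first-match processing the explanation relies on to the four candidate ACLs exactly as written in the question, checking each against two constructed outbound DNS packets: one from 10.50.10.25 and one from another internal host. The rule grammar and the implicit-deny default are assumptions of this example.

```python
import ipaddress
from typing import List, Tuple

# The four candidate ACLs, copied verbatim from the question (option -> rules, in order).
CANDIDATES = {
    "A": ["Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53",
          "Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53"],
    "B": ["Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53",
          "Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53"],
    "C": ["Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53",
          "Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53"],
    "D": ["Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53",
          "Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53"],
}

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, int]


def parse_rule(text: str) -> Rule:
    """Parse 'Access list outbound <action> <src_cidr> <dst_cidr> port <port>'
    (assumed grammar: source first, destination second, destination port last)."""
    parts = text.split()
    action, src, dst, port = parts[3], parts[4], parts[5], int(parts[7])
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
             default: str = "deny") -> str:
    """First-match evaluation: the first rule whose source, destination and
    port all match decides; if nothing matches, the implicit default applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, port in rules:
        if src in src_net and dst in dst_net and dport == port:
            return action
    return default


# Constructed packets: outbound DNS from the permitted host and from another host.
ALLOWED_HOST, OTHER_HOST, RESOLVER, DNS = "10.50.10.25", "10.50.10.99", "8.8.8.8", 53


def meets_requirement(rules: List[Rule]) -> bool:
    """Only 10.50.10.25 may send outbound DNS; every other source must be denied."""
    return (evaluate(rules, ALLOWED_HOST, RESOLVER, DNS) == "permit"
            and evaluate(rules, OTHER_HOST, RESOLVER, DNS) == "deny")


def find_correct_options() -> List[str]:
    """Return the option labels whose ACL satisfies the requirement."""
    return [label for label, texts in CANDIDATES.items()
            if meets_requirement([parse_rule(t) for t in texts])]


if __name__ == "__main__":
    for label, texts in CANDIDATES.items():
        rules = [parse_rule(t) for t in texts]
        print(label, "allowed host ->", evaluate(rules, ALLOWED_HOST, RESOLVER, DNS),
              "| other host ->", evaluate(rules, OTHER_HOST, RESOLVER, DNS))
    print("Correct option(s):", find_correct_options())
```

Running it also shows a practical point about options A and C: because their permit-any rule is listed first, the later deny line is shadowed and never fires under first-match processing.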

Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?


A. Encrypted


B. Intellectual property


C. Critical


D. Data in transit





Answer: B. Intellectual property

Explanation:
The core function of a Research and Development (R&D) department is to create new products, designs, formulas, processes, and proprietary technologies. The primary output of their work is Intellectual Property (IP).

Intellectual Property refers to creations of the mind, such as inventions (patents), literary and artistic works (copyrights), designs, and symbols, names, and images used in commerce (trademarks). For a company, this is often its most valuable and sensitive asset.

The question states that these employees receive "extensive training" on protecting data. This highlights the extreme sensitivity of the data they handle. The loss or theft of intellectual property can cripple a company's competitive advantage, making it a paramount security concern. Therefore, it is the data type they are most likely to use and are specifically trained to protect.

Why the other options are incorrect:

A. Encrypted:
Encryption is a state of data (a security control), not a type of data. While the intellectual property handled by R&D should absolutely be encrypted (both at rest and in transit), this is not a classification of the data itself. All types of sensitive data, including intellectual property, critical data, and personal data, should be encrypted.

C. Critical:
Critical data is a broad classification for data that is essential for the continued operation of the business. While R&D data may also be considered critical, this term is too general. For example, financial transaction data or active directory data is also "critical," but it is not the primary focus of an R&D department. "Intellectual property" is a more precise and specific description of the data generated by R&D.

D. Data in transit:
This describes data that is moving across a network, not a type of data. Again, intellectual property (and other data types) will often be in transit, but this is a state of transfer, not a classification of the data's content or purpose. The R&D unit is focused on the content (IP), not solely on its transmission.

Exam Objective Reference:
This question relates to Domain 5.0: Governance, Risk, and Compliance, specifically understanding data classifications such as Intellectual Property (IP). It also touches on security awareness training tailored to specific roles and the data they handle.

A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network. Which of the following should the team do first to secure the environment?


A. Contain the impacted hosts


B. Add the malware to the application blocklist.


C. Segment the core database server.


D. Implement firewall rules to block outbound beaconing





Answer: A. Contain the impacted hosts

Explanation:
The correct answer is A. Contain the impacted hosts.

Following the NIST Incident Response Lifecycle (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident Activity), the immediate priority after confirming an incident is to prevent further damage or spread. This is the goal of the Containment phase.

Containment is the first strategic action. The team has identified specific compromised assets ("several corporate desktops"). The most direct and effective way to secure the environment is to immediately isolate these known compromised hosts.

This can be done by:
Disconnecting them from the network (logically or physically).

Isolating them in a VLAN.

Using endpoint detection and response (EDR) tools to quarantine the devices.

This action directly stops the malware from communicating with a command-and-control (C2) server, spreading to other systems, or exfiltrating data. It contains the known problem before addressing potential downstream effects.

Why the other options are incorrect:

B. Add the malware to the application blocklist.
This is an important eradication and preparation step, but it is not the first thing to do. The malware is already active on the endpoints. A blocklist prevents future execution but does nothing to stop the currently running malicious processes on the infected machines. Containment must come first.

C. Segment the core database server.
This is a valuable long-term preventative control (part of the Preparation and Recovery phases), but it is not the most direct incident response action. It is based on an assumption that the database is the next target, but there is no evidence yet that the malware has spread or what its objective is. The immediate priority is to contain the known compromised systems, not to reconfigure the network around potential targets.

D. Implement firewall rules to block outbound beaconing.
While this seems logical, it is a less precise and potentially disruptive action than direct containment.

It may not be effective:
The malware could be using encrypted channels (e.g., HTTPS, DNS tunneling) that are difficult to distinguish from legitimate traffic with simple firewall rules.

It could cause collateral damage:
Blocking outbound traffic could accidentally disrupt legitimate business operations.

It's a secondary action:
The most precise and guaranteed method to stop beaconing from the known infected hosts is to contain those hosts themselves. Once they are contained, the team can analyze the malware to determine its call-home signatures and then implement more precise network-level blocks.

Reference:
This aligns directly with the Containment, Eradication, and Recovery phase of the incident response lifecycle as defined in NIST Special Publication 800-61, Revision 2. The guide emphasizes that the immediate goal of containment is "stopping the incident before it can cause further damage." The strategy is to choose containment measures that "provide the most time for response while minimizing damage." Isolating the known compromised hosts is the most direct application of this principle.

During a recent breach, employee credentials were compromised when a service desk employee issued an MFA bypass code to an attacker who called and posed as an employee. Which of the following should be used to prevent this type of incident in the future?


A. Hardware token MFA


B. Biometrics


C. Identity proofing


D. Least privilege





Answer: C. Identity proofing

Explanation:
To prevent the issuance of an MFA bypass code to an attacker posing as an employee, implementing identity proofing would be most effective. Identity proofing involves verifying the identity of individuals before granting access or providing sensitive information.

Identity proofing: Ensures that the person requesting the MFA bypass is who they claim to be, thereby preventing social engineering attacks where attackers pose as legitimate employees.

Which of the following topics would most likely be included within an organization's SDLC?


A. Service-level agreements


B. Information security policy


C. Penetration testing methodology


D. Branch protection requirements





Answer: B. Information security policy

Explanation:
Within an organization's Software Development Life Cycle (SDLC), an Information Security Policy is a vital component. It outlines the rules and procedures for ensuring that the organization's IT assets and data are protected throughout the development process. Ensuring secure coding practices, access controls, and regular security testing is fundamental in preventing vulnerabilities in applications. Other options like service-level agreements and branch protection requirements are less likely to be integral to SDLC processes. Penetration testing methodology, while useful, is generally considered outside the scope of the SDLC.

A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?


A. Serverless architecture


B. Thin clients


C. Private cloud


D. Virtual machines





Answer: A. Serverless architecture

Explanation:
Serverless architecture (e.g., AWS Lambda, Azure Functions) allows developers to deploy code without managing underlying servers or infrastructure. The cloud provider automatically handles scaling, patching, and maintenance. This significantly reduces the time and expense associated with code deployment because:

Developers focus solely on writing code, not configuring servers.

Costs are based on actual usage (execution time/resources), not idle server time.

Deployment is streamlined through integrated CI/CD pipelines, accelerating release cycles.

Why the others are incorrect:

B. Thin clients:
These are lightweight devices that rely on a central server for processing. They reduce endpoint costs but do not directly impact code deployment processes or expenses.

C. Private cloud:
This involves dedicated cloud infrastructure managed by the organization. While it offers control, it still requires significant time and expense for maintenance, scaling, and deployment compared to serverless.

D. Virtual machines (VMs):
VMs require managing entire guest OS instances, including updates, scaling, and provisioning. This adds overhead and cost compared to serverless, where the provider abstracts infrastructure management.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") and cloud cost optimization principles. Serverless computing is highlighted in modern DevOps practices for its agility and cost-efficiency, as it eliminates operational overhead and aligns with "pay-as-you-go" models.

An organization wants to ensure the integrity of compiled binaries in the production environment. Which of the following security measures would best support this objective?


A. Input validation


B. Code signing


C. SQL injection


D. Static analysis





Answer: B. Code signing

Explanation:
To ensure the integrity of compiled binaries in the production environment, the best security measure is code signing. Code signing uses digital signatures to verify the authenticity and integrity of the software, ensuring that the code has not been tampered with or altered after it was signed.

Code signing: Involves signing code with a digital signature to verify its authenticity and integrity, ensuring the compiled binaries have not been altered.

Input validation: Ensures that only properly formatted data enters an application but does not verify the integrity of compiled binaries.

SQL injection: A type of attack, not a security measure.

Static analysis: Analyzes code for vulnerabilities and errors but does not ensure the integrity of compiled binaries in production.

Reference:
CompTIA Security+ SY0-701 Exam Objectives, Domain 1.4 - Explain the importance of using appropriate cryptographic solutions (Code signing).

Which of the following security concepts is accomplished with the installation of a RADIUS server?


A. CIA


B. AAA


C. ACL


D. PEM





Answer: B. AAA

Explanation:
The installation of a RADIUS (Remote Authentication Dial-In User Service) server accomplishes AAA, which stands for Authentication, Authorization, and Accounting.

Authentication:
Verifies the identity of users or devices (e.g., through credentials).

Authorization:
Determines what resources or permissions the authenticated user has.

Accounting:
Tracks user activities and resource usage for auditing and billing.

RADIUS is a centralized protocol specifically designed to provide these three functions, often used for network access control (e.g., VPNs, Wi-Fi authentication).

Note:
The question likely has a typo ("AA" instead of "AAA"), but the intended answer is AAA, as RADIUS is a classic AAA protocol.

Analysis of Incorrect Options:

A. CIA (Confidentiality, Integrity, Availability):
This is the core triad of security goals. RADIUS supports these indirectly (e.g., by controlling access) but does not directly provide encryption (confidentiality) or data protection (integrity/availability).

C. ACL (Access Control List):
ACLs are rules that permit or deny traffic on network devices. RADIUS can dynamically assign ACLs based on user roles, but it is not synonymous with ACLs.

D. PEM (Privacy Enhanced Mail):
PEM is an outdated email encryption standard. It is unrelated to RADIUS.

Reference:
This aligns with Domain 3.0: Security Architecture, specifically identity and access management. RADIUS is defined in RFC 2865 and is widely used for AAA services in networks, as highlighted in CompTIA objectives and NIST guidelines.

The Chief Information Security Officer (CISO) at a large company would like to gain an understanding of how the company's security policies compare to the requirements imposed by external regulators. Which of the following should the CISO use?


A. Penetration test


B. Internal audit


C. Attestation


D. External examination





Answer: D. External examination

Explanation:
An external examination (or external audit) is conducted by an independent, third-party auditor to assess an organization's compliance with regulatory requirements, industry standards, or legal obligations. This process provides an objective evaluation of how the company's security policies and practices measure up against external benchmarks (e.g., GDPR, HIPAA, PCI DSS). The CISO can use the findings to identify gaps, ensure alignment, and demonstrate due diligence to regulators.

Why the others are incorrect:

A. Penetration test:
This is a simulated attack to identify technical vulnerabilities in systems. It focuses on technical security flaws, not policy comparisons to regulatory requirements.

B. Internal audit:
This is performed by the organization's own staff to evaluate controls and compliance. While useful, it lacks the independence and authority of an external examination for validating adherence to external regulations.

C. Attestation:
This is a formal statement (often from the vendor or internal team) asserting compliance. It is not an objective examination and may not provide the detailed comparison the CISO needs.

Reference:
This aligns with SY0-701 Objective 5.3 ("Explain processes for third-party risk assessment and management"). External audits/examinations are critical for verifying regulatory compliance, as emphasized in frameworks like ISO 27001 (which requires external certification) and regulatory guidelines (e.g., PCI DSS assessments). They provide unbiased insights into policy effectiveness versus external demands.

Which of the following security concepts is being followed when implementing a product that offers protection against DDoS attacks?


A. Availability


B. Non-repudiation


C. Integrity


D. Confidentiality





Answer: A. Availability

Explanation:
Availability is the security principle that ensures systems and data are accessible and operational when needed by authorized users. A Distributed Denial-of-Service (DDoS) attack is specifically designed to overwhelm a system's resources (like bandwidth, CPU, or memory) to make it unavailable to its intended users. Therefore, implementing a product to protect against DDoS attacks is a direct measure to defend and uphold the availability of a service or resource.

Why the other options are incorrect:

B. Non-repudiation:
This concept prevents an individual from denying having taken a specific action (e.g., sending a message or approving a transaction). It is typically achieved through digital signatures and auditing. DDoS protection does not relate to proving someone's actions.

C. Integrity:
This principle ensures that data is accurate, trustworthy, and has not been altered in an unauthorized way. While some attacks might combine DDoS with other threats, the core goal of a DDoS attack is to make a service unavailable, not to corrupt its data. Therefore, the primary concept being protected is availability, not integrity.

D. Confidentiality:
This principle ensures that information is not disclosed to unauthorized individuals, devices, or processes. DDoS attacks do not typically aim to steal or expose data; their goal is to disrupt service. Protection against DDoS does not directly safeguard confidentiality.

Reference:
This question tests the understanding of the CIA triad (Confidentiality, Integrity, Availability) in the context of common threats. This falls under Domain 2.1: Explain the importance of security concepts in an enterprise environment of the CompTIA Security+ SY0-701 exam objectives. DDoS attacks are a quintessential threat to availability, and mitigating them is a core function of maintaining business continuity, as outlined in various security frameworks.
