Explanation:
The question asks about attributing messages to individuals, meaning providing proof that a specific person sent a message and cannot deny having sent it.

B. Non-repudiation is correct.
Non-repudiation is a cryptographic and legal concept that provides undeniable proof of the origin and integrity of a message. It ensures that the sender of a message cannot later deny having sent it. This is typically achieved through digital signatures, which use asymmetric cryptography to bind a message to a specific private key, and by extension, to its owner.

A. Adaptive identity is incorrect.
This is not a standard security term related to attribution. Identity adaptation might refer to dynamic access controls, but it does not provide proof of origin for messages.

C. Authentication is incorrect.
Authentication is the process of verifying a user's or system's identity (e.g., with a password or biometrics). It confirms who someone is at the time of login but does not, by itself, provide undeniable proof that a specific message came from them after the fact. Non-repudiation builds upon authentication.

D. Access logs are incorrect.
Access logs are records of who accessed what resource and when. They are a form of auditing and can provide evidence for investigation, but they are not a cryptographic mechanism that guarantees the origin and integrity of a specific message. Logs can be altered or disputed; non-repudiation provides much stronger, cryptographically verifiable evidence.

Reference:
CompTIA Security+ SY0-701 Objective 2.8: "Summarize cryptography concepts." Non-repudiation is a key service provided by digital signatures and public key infrastructure (PKI), ensuring that the sender of a message cannot deny their actions.

Explanation:
The key detail in the question is that the breach was caused by an "SOL infection." This is a clear typo or misstatement; the intended term is SQL injection. SQL injection is a code injection technique that exploits vulnerabilities in an application's software by manipulating SQL queries sent to a database.

B. Input sanitization (Correct):
This is the primary and most effective defense against SQL injection attacks. Input sanitization involves cleaning and validating any user-supplied input to ensure it does not contain malicious characters or code that could alter the structure of an SQL query. Techniques include:

Prepared Statements (with Parameterized Queries):
This is the strongest method, where SQL code and data are sent separately, preventing the data from being interpreted as executable code.

Escaping User Input:
Adding a backslash before potentially dangerous characters in the input.

Whitelist Validation:
Only allowing input that matches a strict set of approved patterns

Why the other options are incorrect:

A. Secure cookies (Incorrect):
Secure cookies (with the Secure and HttpOnly flags) protect session tokens from being intercepted over unencrypted connections or accessed via client-side scripts. This helps prevent session hijacking but does nothing to stop SQL injection, which exploits how the server processes input, not how cookies are handled.

C. Code signing (Incorrect):
Code signing is used to verify the integrity and authenticity of software code to ensure it has not been tampered with after being signed by the developer. It is a method for establishing trust in software distribution (e.g., ensuring a downloaded application is legitimate). It does not prevent SQL injection vulnerabilities within the application's code itself.

D. Blocklist (Incorrect):
A blocklist (or blacklist) approach involves creating a list of known bad SQL keywords or patterns to reject. This is an inferior and often ineffective defense because it is easy for attackers to bypass by obfuscating their input (e.g., using variations, encoding, or alternative keywords). Input sanitization using whitelisting and parameterized queries is a much more robust and recommended approach.

Reference:
This question falls under Domain 3.0: Security Architecture, specifically covering secure application development and deployment. Mitig SQL injection is a core application security objective, and input validation/sanitization is the primary mitigation technique as outlined by resources like OWASP (Open Web Application Security Project).

Explanation: The questions listed are part of a Risk Control Self-Assessment (RCSA), which is a process where teams evaluate the risks associated with their operations and assess the effectiveness of existing controls. The questions focus on aspects such as patch management, the use of open-source code, external access, and compliance with corporate standards, all of which are critical for identifying and mitigating risks.

Explanation:
A rainbow table attack is a precomputation attack where an attacker uses a large table (a rainbow table) of precomputed hash values for every possible password. They compare the stolen hash values against this table to quickly find a matching password.

Salting is the technique that directly defends against this attack. A salt is a unique, random string of characters that is generated and added to each password before it is hashed.

Why it works:
Even if two users have the same password, their unique salts will result in completely different hash values. This means an attacker cannot use a single precomputed rainbow table for all passwords. They would need to create a new rainbow table for every possible salt value, which is computationally infeasible due to the enormous number of potential salts. This effectively renders rainbow table attacks useless.

Why the other options are incorrect:

A. Digital signatures:
Digital signatures are used to verify the authenticity and integrity of a message, software, or digital document. They are not related to password storage or defending against rainbow table attacks.

C. Hashing:
Hashing is the one-way function used to convert a password into a fixed-length string of characters. While hashing alone protects passwords from being easily "decrypted," it is not sufficient to stop rainbow table attacks. Without a salt, identical passwords will produce identical hashes, making them vulnerable to precomputed tables. Salting enhances the security of hashing.

D. Perfect forward secrecy (PFS):
PFS is a feature of specific key-agreement protocols (like in TLS). It ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. It is related to securing communication sessions, not password storage.

Exam Objective Reference:
This question relates to Domain 2.0: Architecture and Design, specifically the concepts of cryptography and its uses. It tests the understanding of techniques like hashing and salting and their specific purposes in securing passwords against common attacks.

Explanation:
Peer review and approval is a process where multiple developers examine and approve code changes before they are integrated into the main codebase. This practice is highly effective at preventing malicious code insertion by an insider because it introduces oversight and accountability. Other team members can detect suspicious or unauthorized changes, ensuring that only vetted and legitimate code is added. This collaborative scrutiny acts as a critical human-layer defense against insider threats.

Why the others are incorrect:
A. Code scanning for vulnerabilities:
This is an automated tool that checks for security flaws (e.g., SQL injection, buffer overflows) but is not designed to detect intentional malicious code inserted by an insider. It focuses on unintentional vulnerabilities, not malicious intent.

B. Open-source component usage:
While using open-source components can introduce risks (e.g., known vulnerabilities), it does not prevent an insider from adding malicious code. In fact, overreliance on open-source might increase attack surfaces if not properly vetted.

C. Quality assurance testing:
QA testing focuses on functionality, performance, and user experience, not necessarily on identifying malicious code. It is unlikely to catch intentionally hidden malicious logic unless specifically designed for security testing.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") and best practices in secure software development. Peer review is a cornerstone of DevSecOps, as emphasized in frameworks like NIST SSDF (Secure Software Development Framework), which recommends code review to mitigate risks, including insider threats.

Explanation: An NGFW (Next-Generation Firewall) utilizing application inspection could have identified and blocked the unusual use of HTTP over port 53. Application inspection allows NGFWs to analyze traffic at the application layer, identifying and blocking suspicious or non-standard protocol usage, such as HTTP traffic on DNS port 53. NGFW utilizing application inspection: Inspects traffic at the application layer and can block non-standard protocol usage, such as HTTP over port 53. WAF utilizing SSL decryption: Focuses on protecting web applications and decrypting SSL traffic but may not detect the use of HTTP over port 53. UTM utilizing a threat feed: Provides comprehensive security but may not focus specifically on application layer inspection. SD-WAN utilizing IPSec: Enhances secure WAN connections but is not primarily designed to inspect and block specific application traffic. Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 4.5 - Modify enterprise capabilities to enhance security (Next-generation firewall).

Explanation:

Why A is Correct:
An insider threat involves malicious or negligent actions taken by individuals who have authorized access to an organization's systems or data. In this scenario, the attack was performed using a legitimate domain user account, indicating the actor had authorized access. The encryption of files (consistent with ransomware or data sabotage) by this authorized user aligns perfectly with the definition of an insider threat.

Why B is Incorrect:
Social engineering is a technique used to manipulate people into divulging confidential information or performing actions (e.g., phishing). While social engineering might have been used to obtain the domain user's credentials, the scenario does not provide evidence of this. The logs show the attack was carried out directly by the domain user, pointing to the user as the threat, not an external actor using social engineering.

Why C is Incorrect:
A watering-hole attack involves compromising a website frequently visited by a target group to infect their systems. This is an external attack vector and does not involve authorized domain users directly accessing and encrypting files on a server.

Why D is Incorrect:
An unauthorized attacker typically refers to an external threat actor without legitimate access. Here, the security logs confirm the data was accessed by a domain user, meaning the attacker (or the account used) was authorized, making "unauthorized attacker" incorrect.

Reference:
This question falls under Domain 1.0: Threats, Attacks, and Vulnerabilities, specifically covering insider threats. The SY0-701 exam emphasizes the risk posed by authorized users and the importance of monitoring for malicious insider activity, as evidenced by legitimate credentials being used in attacks.

Explanation:
The chain of custody is a documented process that tracks the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence. It ensures that evidence is handled in a secure, documented manner from the moment it is collected until it is presented in court. This includes recording who accessed the evidence, when, for what purpose, and any changes made. A proper chain of custody is critical for maintaining the integrity and admissibility of evidence in legal proceedings, as it proves the evidence has not been tampered with or altered.

Analysis of Incorrect Options:

A. E-discovery:
E-discovery (electronic discovery) is the process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request or investigation. While it involves handling evidence, it is a broader process and does not specifically focus on the detailed logging and control that the chain of custody provides.

C. Legal hold:
A legal hold (or litigation hold) is a notification sent to an organization instructing them to preserve all relevant information (including electronic data) because it may be needed for upcoming litigation or an investigation. It ensures evidence is not destroyed, but it does not dictate how the evidence is handled or tracked once collected.

D. Preservation:
Preservation refers to the steps taken to protect evidence from alteration or destruction. This is a critical first step in evidence handling (e.g., making a forensic image of a hard drive to preserve its state), but it does not encompass the ongoing documentation and tracking of who controls the evidence over time, which is the role of the chain of custody.

Reference:
This question falls under Domain 4.0: Security Operations, specifically related to digital forensics and incident response. The chain of custody is a fundamental concept in forensic procedures, ensuring evidence integrity for potential legal action. It is emphasized in frameworks like NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response).

Explanation:
An air gap is a physical security measure that isolates a system or network from unsecured networks (e.g., the internet or other parts of the corporate network). For an application server running unsupported software (which no longer receives security patches and is highly vulnerable), air gapping is the most effective way to protect it from network-based threats. By disconnecting it entirely from any network, attackers cannot reach it remotely, eliminating the risk of exploitation via vulnerabilities.

Why the others are incorrect:

B. Barricade:
This refers to a physical barrier (e.g., a fence or wall) to prevent unauthorized physical access. It does not protect against network threats.

C. Port security:
This is a network switch feature that restricts access based on MAC addresses. It is useful for preventing unauthorized devices from connecting to a network port but does not protect the server itself from attacks if it is still connected to the network.

D. Screen subnet:
Also known as a DMZ (Demilitarized Zone), this is a segmented network area that hosts public-facing services. It provides some isolation but still allows controlled network access. An unsupported server in a DMZ remains vulnerable to attacks that bypass the DMZ's controls.

Reference:
This aligns with SY0-701 Objective 3.4 ("Given a scenario, implement secure network designs"). Air gapping is a extreme but effective measure for protecting critical or vulnerable systems, as recommended in guidelines like NIST SP 800-82 ("Guide to Industrial Control Systems Security") for high-risk environments. It is the ultimate form of network isolation.

Explanation:
Server hardening is the process of securing a server by reducing its attack surface. This involves minimizing potential vulnerabilities that could be exploited. The steps chosen should be actions taken before deployment to achieve this goal.

Why A is Correct:
Default accounts (e.g., "admin," "guest") are well-known and are prime targets for attackers. Disabling or renaming them is a fundamental hardening step to prevent unauthorized access using these common credentials.

Why C is Correct:
Any running service or application represents a potential attack vector. Removing unnecessary services, software, and roles minimizes the number of ways an attacker can potentially compromise the server. This is a core principle of system hardening.

Why the Other Options Are Incorrect:

B. Add the server to the asset inventory:
This is a crucial step for asset management and will be done, but it is not a hardening technique. Hardening focuses on technical security configurations, not administrative tracking.

D. Document default passwords:
This is the opposite of hardening. Default passwords should be changed immediately and not documented in an insecure manner. Documenting them creates a security risk.

E. Send server logs to the SIEM:
This is an important step for monitoring and detection that should be configured after the server is deployed and on the network. It is not part of the pre-deployment hardening process.

F. Join the server to the corporate domain:
This is a configuration step for access and management that would be performed during or after deployment. It applies group policies (which may include security settings) but is not itself a specific hardening action taken on the server's base configuration.

Reference:
This question falls under Domain 2.0: Architecture and Design, specifically covering the concepts of secure systems design and deployment. Server hardening is a critical task within this domain, and the exam expects knowledge of its specific steps, such as disabling default accounts and removing unnecessary components.

Explanation:

The correct answer is A. Certification.
When a company hires an outside vendor to dispose of classified or sensitive equipment, the primary concern is ensuring that the data is completely and irrecoverably destroyed. The company must have verifiable proof that the vendor performed the task according to agreed-upon, stringent standards.

Certification in this context refers to a Certificate of Destruction or Certificate of Sanitization. This is a formal document provided by the vendor that serves as legal proof that the storage devices were destroyed using a method compliant with organizational policy, government regulations (like NIST SP 800-88), or industry standards (such as those for classified data).

This certificate protects the company by providing an audit trail and demonstrating due diligence in protecting sensitive information. It is the ultimate deliverable from the vendor that confirms the job was completed properly.

Why the other options are incorrect:

B. Inventory list:
While the company would absolutely provide the vendor with a detailed inventory list of the assets to be destroyed (and would likely reconcile it upon pickup), this is an input to the process, not the final proof the company requests from the vendor. The vendor's certification is the output that confirms the destruction of everything on that list.

C. Classification:
The data classification (e.g., Confidential, Secret, Top Secret) is determined by the company that owns the data. It is the reason the disposal must be handled with extreme care. The company informs the vendor of the classification level to ensure the vendor uses appropriate destruction methods. The vendor does not provide the classification; they receive it and must act according to its requirements.

D. Proof of ownership:
The company already owns the storage array and the data within it. The question is about discarding it, not acquiring it. Proof of ownership is irrelevant to the disposal process. The critical need is for proof of destruction.

Reference:
This process is directly tied to data sanitization and media destruction best practices as outlined in documents like NIST Special Publication 800-88 Revision 1, "Guidelines for Media Sanitization."

The NIST guide emphasizes the importance of verifying and documenting the sanitization process. It states that organizations should "Obtain a signed declaration of sanitization from the individual performing the sanitization" (which is the certification).

This is a core concept for the CompTIA Security+ exam, especially under Domain 2.4: "Explain the importance of data sovereignty, data protection, and data loss prevention." and Domain 4.4: "Explain the importance of policies to organizational security." A robust policy will require certification for any third-party data destruction service.

Explanation:
Input sanitization is a defensive coding practice that involves cleaning, filtering, or rejecting user input to ensure it is safe to process. Its primary purpose is to prevent injection attacks by removing or neutralizing malicious characters and code.

The example <script>alert ("Warning!") ,-</script> is a classic, simple example of a cross-site scripting (XSS) payload. If a web application accepts this input from a user (e.g., in a comment field, search bar, or form) and then displays it to other users without sanitizing it, the malicious script would execute in their browsers. Input sanitization would mitigate this by stripping out or escaping the HTML <script> tags, rendering the input harmless text instead of executable code.

Why the other options are incorrect:

B. nmap - 10.11.1.130:
This is a command for a network scanning tool (Nmap). This would be best mitigated by network-level security controls like firewalls, intrusion prevention systems (IPS), and proper network segmentation—not by sanitizing input on a single application.

C. Email message:
"Click this link to get your free gift card.": This is a classic phishing attempt. This is best mitigated by user security awareness training (to teach users not to click suspicious links) and email security gateways (which filter and block malicious emails)—not by input sanitization, as the attack vector is user deception, not malicious data input into a form.

D. Browser message:
"Your connection is not private.": This is a browser warning indicating an issue with a website's SSL/TLS certificate (e.g., it is expired, self-signed, or doesn't match the domain). This is best resolved by the website administrator fixing the certificate issue. It is not something an application would mitigate through input sanitization, as it's a problem with the transport layer security, not malicious user input.

Reference:
This question tests knowledge of secure coding practices and application security.

This falls under Domain 3.2: Given a scenario, implement security applications for enterprise infrastructure and Domain 1.4: Given a scenario, analyze potential indicators of malicious activity of the CompTIA Security+ SY0-701 exam objectives.

Input sanitization is a primary defense against injection attacks, especially XSS, as outlined in frameworks like the OWASP Top 10, where injection flaws are consistently a critical security risk.